This document provides a summary of core security requirements for cloud computing. It discusses the need to plan for security in cloud environments given issues like multi-tenancy, availability, confidentiality, and integrity. Specific requirements mentioned include secure access and separation of resources for multi-tenancy, assurances around availability, strong identity management, encryption of data at rest and in motion, and checks to ensure data integrity. The document emphasizes the importance of independent audits of cloud providers and having clear expectations around security requirements and notifications of any failures to meet requirements.
110307 cloud security requirements gourley
1. Core Requirements for Security In The Cloud
Bob Gourley March 2011
Find this brief at http://crucialpointllc.com
2. About This Presentation
• A focus on requirements users and CIOs are placing for cloud security
• Goal: provide help to users who need to articulate security requirements and provide help to cloud providers who should anticipate those requirements
3. Context on Secure Cloud Computing
• New Reality: Cloud based continuous services that connect to us all and appliance-like connected devices enabling us to interact with these services.
• Including Private Clouds, Public Clouds, Edge Clouds and a spectrum in between.
• Driven by functionality improvements, but also cost, agility and security benefits.
• Security benefits will only come with planning and work. Without planning and work, security becomes a nightmare.
4. Planning for Cloud Computing Security
• Cyber Security includes all steps required to ensure mission effectiveness: information confidentiality, integrity, availability.
• These are all made harder in environments that are complex and rapidly changing.
• Cloud computing introduces even more changes to this environment. Without planning, the risk will go up.
• However, if done right, with planning, Cloud Computing holds the potential of dramatically enhancing security.
“Complexity Kills: Complexity sucks the life out of users, developers and IT. Complexity makes products difficult to plan, build, test and use. Complexity introduces security challenges. Complexity causes administrator frustration.” – Ray Ozzie at ozzie.net
5. Security Issues with the Cloud
• Moving to cloud gives you the chance to clean up from the past and prep for the future. So do it! But do it with awareness of security issues.
• Security Issues:
  • Multi-Tenancy: requires secure access and separation of user allocated cloud resources
  • Availability: If you are using a cloud it better be there
  • Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
  • Integrity: Will you ensure your data is not changed?
6. Multi Tenancy
• Multi-Tenancy: requires secure access and separation of user allocated cloud resources
• Clouds have multiple concurrent users from disparate and possibly competitive organizations.
• Even users from the same organization may have a need for tight separation; for example, HR and Finance have data that must be protected.
• Development organizations may have software development efforts that could be impacted if secure boundaries are not in place.
• The lack of secure boundaries is slowing cloud adoption and is a key missing feature of most cloud offerings.
• Issues to address:
  • Assurance of underlying systems comprising the cloud, including assurance of their proper provisioning and segmentation
  • Secure access to and separation of user allocated cloud resources with sign-on and security provided separate from the applications hosted in the cloud
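The separation requirement above, as an added example that is not part of the original deck: a small policy enforcement point in which the tenant and compartment (HR versus Finance) of a caller come from a token issued by a sign-on service that sits apart from the hosted application, and every resource read checks both against the resource's owner. Principal, issue_token, verify_token, read_resource, STORE, the HMAC-based token format and the tenant names are assumptions constructed for this illustration; no cloud provider's API is involved.

```python
"""Tenant-separation policy check (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets

# Assumption: the identity provider (sign-on, separate from the hosted app)
# binds each principal to exactly one tenant and one compartment and issues a
# token "tenant|user|compartment|mac". The key never reaches the application.
IDP_KEY = secrets.token_bytes(32)  # constructed key held by the identity provider


@dataclass(frozen=True)
class Principal:
    tenant: str
    user: str
    compartment: str  # e.g. "hr" or "finance" inside one organization


def _mac(body: str) -> str:
    return hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(p: Principal) -> str:
    # Assumption: names contain no "|" (the field separator).
    body = f"{p.tenant}|{p.user}|{p.compartment}"
    return f"{body}|{_mac(body)}"


def verify_token(token: str) -> Optional[Principal]:
    """Return the principal only if the MAC verifies; an edited or forged token
    yields None, so a caller cannot relabel itself into another tenant."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    tenant, user, comp, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{tenant}|{user}|{comp}")):
        return None
    return Principal(tenant, user, comp)


@dataclass(frozen=True)
class Resource:
    tenant: str
    compartment: str
    data: str


# Constructed multi-tenant store: two competing organizations, and two
# compartments (HR, Finance) inside "acme" that must stay separated.
STORE = {
    "acme/hr/salaries": Resource("acme", "hr", "acme salary table"),
    "acme/finance/ledger": Resource("acme", "finance", "acme ledger"),
    "globex/hr/salaries": Resource("globex", "hr", "globex salary table"),
}


def read_resource(token: str, key: str) -> Optional[str]:
    """Policy enforcement point: tenant and compartment are taken from the
    verified token, never from the request, and both must match the resource."""
    p = verify_token(token)
    if p is None:
        return None
    res = STORE.get(key)
    if res is None:
        return None  # same answer as a denial: no existence oracle across tenants
    if res.tenant != p.tenant or res.compartment != p.compartment:
        return None
    return res.data


if __name__ == "__main__":
    hr_token = issue_token(Principal("acme", "alice", "hr"))
    print(read_resource(hr_token, "acme/hr/salaries"))      # acme salary table
    print(read_resource(hr_token, "acme/finance/ledger"))   # None (wrong compartment)
    print(read_resource(hr_token, "globex/hr/salaries"))    # None (wrong tenant)
```

The point of the design is that the application never trusts a tenant identifier supplied in the request; the only tenant it acts on is the one the sign-on service bound into the token, and the "not found" and "not yours" cases return the same answer so one tenant cannot probe another's resource names.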
7. Availability
• Availability: If you are using a cloud it better be there
  • Assured comms
  • Assured always-up servers
  • An ability to reach users at their place of work.
  • For many, an ability to reach users wherever they are.
• There are tight ties to the requirements of confidentiality and integrity, but additional planning is required to ensure always-on protected availability in the face of threats and outages.
• Make availability part of your agreement with your cloud provider. And have plans for working through outages that impact your cloud provider.
8. Confidentiality
• Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
• Strong identity management that protects and authorizes.
• Knowledge of who in your cloud provider can access your cloud.
• Comms security not only to and from the cloud but within the cloud and between virtual machines.
• Accreditation of deployment such that one can assure your cloud is operating according to business policies and upholding regulated governance (e.g., SOX, HIPAA, FISMA, etc.).
• Encryption of data in motion and data at rest
• Consider new means of storing/obfuscating stored data, such as Cleversafe
• Understand the type of processors that operate on your data and the mechanisms in place on the servers to ensure no tampering with or monitoring of data while it is being processed. Make this awareness a requirement. Understand how your provider watches for malicious code.
9. Integrity
• Integrity: Will you ensure your data is not changed?
  • Of course encryption of data at rest and data in motion
  • Backups
  • Smart use of checks/hashes/backups to ensure data is not tampered with.
  • Checks through repeatability: the same operation on the same data should always produce the same results.
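The hash checks and the repeatability check listed above, as an added example that is not the deck's own material: a manifest of SHA-256 digests over stored objects, authenticated with an HMAC whose key stays with the data owner rather than in the cloud that holds the objects, plus a repeatability test that runs the same operation on the same data several times and compares digests. build_manifest, verify_objects, repeatable, MANIFEST_KEY and the sample objects are assumptions constructed for this illustration.

```python
"""Integrity checks for data at rest (added illustration, constructed data)."""
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

# Assumption: MANIFEST_KEY is held by the data owner outside the cloud, so a
# party who can rewrite objects and recompute plain hashes still cannot
# re-sign the manifest to match.
MANIFEST_KEY = b"constructed-demo-key-keep-outside-the-cloud"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: Dict[str, bytes]) -> Tuple[str, str]:
    """Return (manifest_json, tag): per-object digests in canonical JSON,
    and an HMAC tag over that JSON."""
    manifest = {name: digest(blob) for name, blob in sorted(objects.items())}
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_objects(objects: Dict[str, bytes], manifest_json: str, tag: str) -> Dict[str, str]:
    """Return {object_name: "ok" | "modified" | "missing"}, or
    {"manifest": "forged"} when the manifest tag itself does not verify."""
    expected = hmac.new(MANIFEST_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return {"manifest": "forged"}
    manifest = json.loads(manifest_json)
    report = {}
    for name, want in manifest.items():
        if name not in objects:
            report[name] = "missing"
        elif digest(objects[name]) != want:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def repeatable(op: Callable[[bytes], bytes], data: bytes, runs: int = 3) -> bool:
    """Repeatability check: the same operation on the same data must produce
    the same digest every run; a divergence points at tampered data or a
    misbehaving processing node."""
    first = digest(op(data))
    return all(digest(op(data)) == first for _ in range(runs - 1))


# Constructed sample objects standing in for files kept at the provider.
OBJECTS = {
    "invoices/2011-03.csv": b"id,amount\n1,100\n2,250\n",
    "policies/retention.txt": b"retain 7 years\n",
}


if __name__ == "__main__":
    manifest, tag = build_manifest(OBJECTS)
    print(verify_objects(OBJECTS, manifest, tag))          # both "ok"
    tampered = dict(OBJECTS)
    tampered["invoices/2011-03.csv"] = b"id,amount\n1,100\n2,2500\n"
    print(verify_objects(tampered, manifest, tag))         # invoice "modified"
    print(repeatable(lambda b: b.upper(), OBJECTS["policies/retention.txt"]))  # True
```

A plain hash stored beside the data can be recomputed by whoever can rewrite the data, which is why the tag is keyed and the key is kept with the owner: the manifest then becomes a check the storage provider cannot silently satisfy after a change. The repeatability function is the deck's "same operation, same data, same result" idea turned into a routine test you can run against any deterministic processing step.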
10. Concluding Thoughts
• Seek independent audit of your cloud provider and the many checks they will have in place to ensure your confidentiality, availability, integrity in the face of multi-tenancy.
• ISO27001, SAS70 and similar standards might not be keeping up. But they are a start, since they provide the foundation for third party audit.
• Ask hard questions about all your requirements. What responsibility does the provider have to notify users when a requirement is not met?
• What guarantees do you have?
• If you are a user, articulate your requirements
• If you are a provider, anticipate your requirements
13. Please help with your thoughts/input/questions
E-mail: bob@crucialpointllc.com
Blog: http://ctovision.com
Twitter: http://www.twitter.com/bobgourley
Facebook, Plaxo, LinkedIn, etc: See the blog.
15. Thesis of this Presentation
• Technology really matters
  – People and process are critical too, of course, but it is criminal to neglect the technical piece
16. Goal of this Presentation
• Tell you about technologies you might not know about yet
  – So I’m not going to talk about those great firms like ArcSight, Netwitness, Symantec.
17. Methodologies
• Understanding Realities of Enterprise IT
• Winners of: RSA, SINET, American Security Challenge
• CTOVision.com Disruptive IT List: a list of exemplars in Security (75 Firms)
• Tracking R&D of Big IT firms and investment from VC
18. The Candidates
• 3VR – Video analytics.
• Akamai – Web acceleration and content delivery across the fabric.
• AdaptivEnergy – Capture energy from vibrations.
• Appistry - Deploy apps across a grid; Computational Storage
• ArcSight - Network and security management. Bought by HP. Still a player in demand.
• Aster Data – Specialized DBMS with built-in MapReduce for high-end analytics.
• Basis Technology - Foreign language document and media exploitation.
• Bit9 – New models dramatically enhancing security through application whitelisting
• Bluecat Networks – Total management and optimization of all things IP.
• Brightcove – Enhancing, dramatically, how enterprises manage and disseminate video.
• Cloudshield – One of only two companies that can protect nets at line rate speeds.
• Cloudera – Providing support to open source and specialized software that makes Hadoop ready for the enterprise.
• Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
• Centrifuge Systems – Fast visual analytics via multiple modes.
• Cipheroptics – network and data encryption
• Destineer Studios – Advanced immersive environments.
• Endeca - Next-generation information retrieval and analysis through advanced search and guidance navigation.
• Endgame Systems – Cloud-based botnet and malware detection.
• EnterpriseDB - Enterprise Postgres. Leader in open source database products/services/support.
• FireEye - Botnet protection.
• FMS – Analysis.
• Forterra Systems - Distributed virtual world technologies for the enterprise.
• FortiusOne - Next generation intelligent mapping.
• Fortinet - Integration of multiple security technologies.
• ForgeRock - Full solution stack based on top quality open source software.
• Fusion-IO – Extremely fast and high capacity SSD
• GainSpan – WiFi enablement.
• Geosemble – Map people, places, things using data from RSS feeds and tweets.
• Greenplum – Massively parallel database. High volume SQL transactions for MapReduce
• Global Velocity – Hardware based DLP
• Hardcore Computer – Blade server with total liquid submersion technology.
• iMove - Imaging and immersive video for wide area and geospatial surveillance.
• Infinite Power Solutions – Thin-film batteries to power RFID.
• Image Tree Corp – Figure out what is growing on the earth.
• Invincea – Device protection by wrapping the browser.
• Janya – Multilingual Semantic Analysis.
• Koolspan – High quality mobile voice encryption.
• KNO – They assert they are for education, but CTOs in enterprises everywhere should watch this one.
• Liquid Machines - Primarily Enterprise Rights Management. Key product is “Document Control 6.0”. Others in this area include IBM, EMC, Adobe. Member of SISA alliance.
• LensVector – Taking moving parts out of cameras.
• Looxie – Bluetooth Camcorder. Imagine the impact on enterprise business models (and IT).
• Malden Labs – Fast/smart/modern delivery of content and apps to any device.
• MarkLogic – New, smarter ways of storing, searching, acting on and displaying information.
• MetaCarta - Geospatial data extraction and transformation
• Network Integrity Systems – Protected Distribution Systems
• Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
• Narus – Unified IP Management and Security. Bought by Boeing. Still a player.
• Nicira – Could be the future of network virtualization.
• Object Video - Business intelligence from video.
• Oculis Labs – Data obfuscation at the user’s screen.
• piXlogic - Image segmentation and search. Visual Search Engine.
• Perceptive Pixel - Multi-touch interaction with data visualizations.
• Permabit – Embedded high performance OEM data optimization software.
• Polychromix - Miniature analysis tools for mobile labs.
• Previstar - An Intelligent Resource and Information Management system designed to automate National Incident Management guidelines for preparedness, response and recovery.
• Proofpoint – Enhanced email security, email archiving and DLP for enterprises.
• Quantum4D - Advanced visual analysis.
• Qynergy – New battery technology.
• Rapid7 – Automating security testing including vulnerability testing.
• Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
• SenseNetworks – Dramatic use of location data to create useful information. Consumer apps provide heat maps of cities. Enterprise capabilities provide important analytics.
• StreamBase – Capture and analyze data in stream.
• Sonitus Medical – hear from your teeth.
• SpaceCurve – A new kind of database enabling large scale analytics and effortless indexing (Gourley is on their advisory board).
• Spotfire - Enterprise analytics for business intelligence. Analytics for every user in the enterprise.
• Splunk – Dramatically enhanced IT search.
• Tableau – Great, fast, interactive visualizations.
• ThingMagic – Advanced RFID solutions.
• Thetus - Knowledge modeling and discovery
• Touch Table - Interact with data and visualizations by hand
• Traction Software - Enterprise hypertext collaboration.
• Triumfant - Enterprise class compliance, reporting, remediation (Gourley is on their advisory board).
• TSRI - Move legacy code to the future fast.
• Twiki – Enterprise agility platform.
• Visible Technologies – Analysis.
• Zafesoft – Discover, classify and secure enterprise data with ease of control. Prevent data leaks, including leaks by malicious insiders.
• Some capabilities under evaluation in our CTOlabs:
  • QlikView
  • Decision Lens
The IT Powerhouses
• There are so many things going on at the big companies it is hard to keep track. Also, they all are looking for innovation and frequently buy to keep the innovation flowing in. So this is a dynamic area to say the least. It is also an area very hard to sum up in a few words. But here goes:
• Adobe - Adobe Acrobat Connect and many related collaborative tools.
• Cisco - Far more than networking gear, now a collaboration powerhouse. IRIS.
• Citrix - On demand computing, including virtualization of desktops and servers.
• EMC - Growing through acquisition and internal innovation. Real powerhouse in grid computing and end to end enterprise solutions. No longer just a storage company.
• HP – Also growing through acquisition and internal R&D/innovation. End to end enterprise solutions including automation. Networking. Recently bought ArcSight.
• IBM - Continuing to modernize. Will move into the mashup space. Continuing to innovate internally and through acquisition. BigFix is a key example.
• Intel – The primary business is producing chips (silicon innovation) but they field solutions for many other parts of the ecosystem. Recently bought McAfee.
• Microsoft - Large investments in R&D. Beginning to move to open standards/open source. Win 7 will be a huge hit, with enhancements to functionality and security. Now a player in Mobile with Windows 7 for Mobile.
• Oracle - Innovating by buying the best. Stand by for disruptions by forced integrations resulting in positive forward movement. Services for open source. Currently supporting Solaris and MySQL, but many wonder about their commitment to those.
• SAP (and Business Objects and Inxight) - Business intelligence. SAP has not stopped re-inventing itself and is a SOA leader.
• Symantec - Their core business is security but this is broadly defined as ensuring enterprise functionality.
• VMware - Virtualization leader.
• These companies are also tracked on the CTOvision.com Tech Titan List
Some Open Source Disruptors
• Red Hat - with commercially supported Linux
• Alfresco - Enterprise content management in an open source framework.
• Talend – Open Source ETL and data integration.
• Cloudera – Open Source around Hadoop, as well as some key licensable IP.
• ForgeRock - Full solution stack based on top quality open source software. Pure play open source.
• Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
20. Disruptive Security Exemplars
Stopping Malware
• Invincea: Winner of RSA security innovator award
• Bit9: New methods of application white listing
• FireEye: Botnet protection
Hardware Based IT Security
• Intel vPro: Immediately enhances manageability/security
OS Based IT Security
• Windows 7: Upgrade now and enable BitLocker
Network Based Security
• Cloudshield: DPI and action over net traffic
Discovering Bad Actors
• Endeca: Discovery and iterative examination
• Hadoop: Facebook-scale analytics
Other Hot Ones:
• RedSeal
• Cleversafe
• GlobalIDs
• Silvertail
• Veracode