Secure your cloud applications by building solid foundations with enterprise (security) architecture
1. Jirasek Consulting Services
Classification: Public 1
Supporting Business Agility
Secure your cloud applications by building solid foundations with enterprise (security) architecture
Vladimir Jirasek, Managing director, Jirasek Consulting Services & Research Director, Cloud Security Alliance, UK chapter
About me
• MBA (MSc) degree
• 20 years experience in IT
• 13 years experience in InfoSec
• Worked in various companies in diverse sectors
• Engaged in security organisations and projects such as CAMM, CSA
• Technical editor of a cloud security book
• Presents at security and IT conferences
Agenda
• Enterprise architecture crash course
• Security architecture overview
• Cloud security models
• Governance in Cloud
• Data security in Cloud
• Identity and Access in Cloud
What is Enterprise Architecture
"Enterprise architecture (EA) is the process of translating business vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise's future state and enable its evolution." – Wikipedia
"Common sense to ensure everyone in a company is pulling in one direction, maximising ROI, reducing waste, increasing efficiency, effectiveness, agility, maintaining strategic focus and delivering tactical solutions." – Vladimir Jirasek
"Enterprise architecture is about strategy, not about engineering." – Gartner
Security model – business drives security
[Diagram: the security model. Inputs (business objectives, compliance requirements, laws and regulations, business impact, business and information risks, security threats, international security standards, security intelligence) define the policy framework: information security policies, standards and guidelines. The policy framework mandates security management (line management, auditors, security management, risk and compliance governance, product management, program management, assurance, security services, security professionals, IT GRC), which informs the process framework (information security processes, technology, people, services) that defines and executes security controls. The metrics framework (information security metrics objectives, external security metrics) measures security maturity; its feedback drives correction of security processes and updates to business requirements.]
Security architecture domains
• Security architect works across all domains
• Stakeholder in EA
• Works with domain architects (depends on the size of an organisation)
Responsibilities for areas in security model compared to delivery models
[Chart: for each security area – physical security, network security, host security, application security, data security, SIEM, identity and access, cryptography, business continuity, GRC – the split between "provider responsible" and "customer responsible" is shown for IaaS, PaaS and SaaS.]
[Timeline diagram from present time to the future. Present: Should data security be on CIOs' agendas? Why only the CIO? Not many security breaches so far. Why? Future: Cloud will become targeted as more enterprises rely on public Cloud computing – mandatory reading! Drivers shown: Cloud provider reputation/costs, your company reputation/costs, consolidation of Cloud providers, cost savings in enterprises; service labels PaaS/SaaS and SaaS.]
Governance related to Cloud
• Setting company policy for Cloud computing
• Risk based decision which Cloud provider, if any, to engage
• Assigning responsibilities for enforcing and monitoring of the policy compliance
• Set corrective actions for non-compliance
Cloud governance::Policy
• Cloud adopted typically by
a) IT directors – managed relatively consistently and mostly [I|P]aaS
b) Business managers – less governance; typically SaaS
• Policy should state: It is a policy of … to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards.
Cloud standard structure
• General statements
– Governance requirements for Cloud
– Enterprise architecture to be ready for Cloud and for Cloud services to plug in (IAM, SIEM, Data architecture, Forensic)
– Discovery of Cloud service use
• Before Cloud project
– Cloud service to comply with data classification
– Encrypting all sensitive data in Cloud
– Identity and Access management (AAA) link to Cloud service
• During Cloud project
– Due diligence to be performed
– Do not forget “right to audit”
– Know locations of PII
– Assess availability (SLA and DR) of Cloud provider
– Assess Cloud provider security controls
– Assess potential for forensic investigation by company’s team
• Running a Cloud service
– Limit use of live data for development and testing
– Monitor cloud provider’s security controls
– Link Company’s SIEM with Cloud provider and monitor for incidents
• Moving out of Cloud
– Data cleansing
– Data portability
Example: I have 1TB of CSV files, now what?
• Customer uses a well-known CRM in the Cloud
• SaaS designed to immerse clients into a well-defined, bespoke CRM
• No known data model
• Export of data in CSV.
Tip: Portability is the key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?
Example: Scaling up/down development
• Large manufacturing and service company
• Requirement to support development needs with seasonal demands – ideal case for [I|P]aaS
• Security team approached up-front to perform review
• “Live” data not uploaded to the provider before on-site sanitising
Cloud provider: “AES-128 so it must be secure! Trust me!”
[Diagram: a PDF marked Secret at the Cloud service user, a stream of encrypted bits in between, and the same PDF marked Secret at the Cloud Service Provider.]
Just because it is encrypted does not make it secure… Look end to end.
Data protection options in cloud models (Infrastructure as a Service / Platform as a Service / Software as a Service)
• Network: network VPN (could extend to SaaS); web TLS (for IaaS operated by customer)
• Host: encryption appliance (e.g. SafeNet ProtectV); provider dependent and operated host encryption
• Application: application encryption (customer retains keys); tokenisation and anonymisation
• Data: extend company file or object encryption; extend DLP or eDRM; encrypting/tokenising reverse proxy engines (e.g. CipherCloud); provider operated data/database encryption
• SIEM: extend company SIEM; plug-in to provider’s SIEM
Example of SaaS – Use of Gmail inside and outside an organisation
• SaaS web based application. Other standard interfaces – IMAP, POP3, SMTP, Web API
• Data in Gmail available to anyone with proper authentication
• TLS used on transport layer
• Consider using a CipherCloud-like product but be mindful of traffic flows with external customers
[Diagram: senders and recipients inside and outside the company, with a proxy on the intra-company path.]
Example of IaaS – Cloud provider offers virtual computing resources for internal apps deployment
• Cloud provider can theoretically access all data, if decryption happens on the virtual machine! But would they?
• Two possible models:
– Local crypto operations with remote key management. Consider SafeNet ProtectV
– Remote crypto operations over VPN – speed penalty
[Diagram: internal user, administrator and travelling user reach the virtual servers over the intra-company VPN; data is encrypted either by local encryption operations with key management in an HSM, or by remote encryption operations.]
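The first model above (local crypto operations, remote key management), as an added Go example that is not from the slides or from any vendor product: bulk encryption runs on the VM under a fresh data key, only that key goes to a stand-in key manager for wrapping, and what the provider stores is useless without the key-encryption key, which is the slide-22 "look end to end" point. KeyManager, EncryptOnVM and DecryptOnVM are assumed names; the key service is simulated in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aesGCM seals (encrypt=true) or opens with AES-GCM; the nonce is prepended.
func aesGCM(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	n := g.NonceSize()
	if encrypt {
		nonce := make([]byte, n)
		rand.Read(nonce) // fills fully; never returns an error since Go 1.24
		return g.Seal(nonce, nonce, in, nil), nil
	}
	if len(in) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, in[:n], in[n:], nil)
}

// KeyManager models the customer-run, HSM-backed key service (assumed name): it only wraps/unwraps data keys.
type KeyManager struct{ KEK []byte }

// EncryptOnVM: bulk crypto runs locally under a fresh data key; only that key crosses the VPN for wrapping.
func (k KeyManager) EncryptOnVM(pt []byte) (ct, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	if ct, err = aesGCM(dek, pt, true); err != nil {
		return
	}
	wrappedDEK, err = aesGCM(k.KEK, dek, true)
	return
}

// DecryptOnVM: ct and wrappedDEK alone are useless without the key manager.
func (k KeyManager) DecryptOnVM(ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := aesGCM(k.KEK, wrappedDEK, false)
	if err != nil {
		return nil, err
	}
	return aesGCM(dek, ct, false)
}
```

The provider may keep ct and wrappedDEK; a copy of the VM disk still yields nothing unless the KEK is also taken from the customer's key service.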
IAM is a complex domain::closer to information management than security!
Capabilities: identity management, access management, federation, entitlements.
These capabilities can be and are mixed between on-site, managed by organisations, or provided as a service by Cloud providers.
Identity management::mostly information management
• Principal management
• Credential management
• Attribute management
• Group memberships
• Business and IT roles
• Directory
• Link to HR data
Provision and de-provision users from cloud services automatically.
Entitlements and Access management
Entitlements
• Managing access policies
• XACML policies – (Subject, Rule, Resource)
• Bespoke policies
• Based on attributes or groups
Connects subjects and resources.
Access management
• Uses identity information, entitlement policies and context to make access decisions:
– Grant
– Deny
– Grant but limit
Decision closer to resource.
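An added Go example, not from the slides, of the access decision described above: a small attribute- and group-based entitlement evaluator in the (Subject, Rule, Resource) style, returning Grant, Deny or Grant with limits, and combining rules deny-overrides so that a missing entitlement fails closed. Attrs, Rule, Evaluate and the CRMRules set are constructed for illustration.

```go
package main

import "strings"

// Attrs are the subject, resource or context attributes that identity management
// hands to the access manager; "groups" is a comma-separated membership list.
type Attrs map[string]string

// Rule is a simplified XACML-style (Subject, Rule, Resource) policy: every listed
// attribute must match, and a non-empty Limits turns a Grant into "Grant but limit".
type Rule struct {
	Subject, Resource, Context Attrs
	Effect                     string // "Grant" or "Deny"
	Limits                     []string
}

func match(want, have Attrs) bool {
	for k, v := range want {
		got, ok := have[k]
		if !ok || (k == "groups" && !strings.Contains(","+got+",", ","+v+",")) || (k != "groups" && got != v) {
			return false
		}
	}
	return true
}

// Evaluate applies deny-overrides: any applicable Deny wins, otherwise every
// applicable Grant applies with its limits merged; no applicable rule means Deny.
func Evaluate(rules []Rule, subject, resource, ctx Attrs) (effect string, limits []string) {
	effect = "Deny" // fail closed
	for _, r := range rules {
		if !match(r.Subject, subject) || !match(r.Resource, resource) || !match(r.Context, ctx) {
			continue
		}
		if r.Effect == "Deny" {
			return "Deny", nil
		}
		effect = "Grant"
		limits = append(limits, r.Limits...)
	}
	return effect, limits
}

// CRMRules is a constructed entitlement set for a SaaS CRM, not taken from the slides.
var CRMRules = []Rule{
	{Subject: Attrs{"groups": "sales"}, Resource: Attrs{"type": "customer-record"}, Effect: "Grant"},
	{Subject: Attrs{"groups": "sales"}, Resource: Attrs{"type": "customer-record"},
		Context: Attrs{"network": "external"}, Effect: "Grant", Limits: []string{"read-only", "no-export"}},
	{Subject: Attrs{"employment": "contractor"}, Resource: Attrs{"classification": "pii"}, Effect: "Deny"},
}
```

With these rules a sales employee on the office network gets a plain Grant, the same person from outside gets Grant but limit (read-only, no export), and a contractor is denied PII regardless of group.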
Identity Federation::Let’s trust identity providers
• Not everyone wants to have thousands of username/passwords
• Cloud services are ideal for identity federation
• SAML 2.0
• OAuth 2.0 (do not confuse with OATH)
Summary
• Create Enterprise Architecture function with dotted line to CEO
• Appoint Security Architect as part of Enterprise architecture function
• Have a Cloud policy/standard and update risk management classification
• Always think of exit from Cloud first!
• Discover usage of Cloud services
• Prepare your enterprise architecture to plug Cloud services in: IAM, SIEM, Key management
• Build IAM that supports changing business. Federate and Federate…
• Do not fear Cloud – it is a sophisticated form of outsourcing: use supplier management techniques.
Links
• A Comparison of the Top Four Enterprise-Architecture Methodologies - http://msdn.microsoft.com/en-us/library/bb466232.aspx
• TOGAF 9 - http://www.opengroup.org/togaf/
• CipherCloud - http://www.ciphercloud.com/
• Amazon AWS Security - https://aws.amazon.com/security/
• Dropbox security incidents - http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/
Contact
• Vladimir Jirasek
• vladimir@jirasekconsulting.com
• www.jirasekconsulting.com
• @vjirasek
• About.me/Jirasek
Editor's Notes
Question: how many CIOs are in the room. How many have regular (at least monthly) 1 to 1s with CEO or CFO?
Working on a project – the project manager says we have a VPN tunnel for data transfer so that is enough for security
Talk about data classification. We will talk about dropbox later
Apply encryption only where needed and make sure that the key management is done properly. NIST document http://csrc.nist.gov/groups/ST/toolkit/key_management.html