This document discusses cloud security from the perspectives of both cloud service consumers and providers. For consumers, it examines questions around the security of the cloud provider, assurances and transparency, resilience of services, and compliance. For providers, it considers how to deliver security across infrastructure, platform and software as a service models, provide assurance to customers, determine appropriate security measures, manage liabilities and risks, and address compliance needs. The document also notes challenges that are keeping some enterprises from fully adopting cloud services such as immature security models, migration difficulties, lack of transparency, absence of compliance mechanisms, and fear of vendor lock-in.
2. Defining Cloud Security
Cloud Security is about your perspective.
Are you a consumer of cloud services?
or
Are you a provider of cloud services?
2 HP Software - For Limited Public Distribution
3. “Cloud Security” is about perspective

As a consumer
• What security is my cloud providing?
– What mechanisms does my provider operate?
– How am I protected from hackers, other tenants?
– How is secure multi-tenancy enforced?
• What security assurances do I have?
– Is there service transparency?
– What are my liabilities? Is my provider liable?
• Is my service resilient and consistent?
– Does my service survive attacks, patching, etc?
– Who handles incident response, forensics?
• Is my cloud service compliant?
– Can I offload compliance responsibility to my provider?

As a provider
• How do I deliver security for my cloud?
– IaaS, PaaS, SaaS – each has different security
• How do I deliver assurance?
– How do I provide trust in my cloud’s security?
• What is appropriate security?
– What is “baseline” vs. “base plus”?
• What are my liabilities and risks?
– Liabilities for security incidents, breaches
– What compliance risks am I assuming?
4. Understanding Responsibility for Cloud Security
[Figure: IaaS → PaaS → SaaS, showing the split between Consumer Responsibility and Provider Responsibility; the consumer’s share is largest for IaaS and shifts toward the provider as the service model moves to PaaS and SaaS.]
5. Enterprises hesitate to embrace “cloud”
Challenges keeping customers from adoption
• immature security models
• application migration challenges
• lack of transparency
• lack of compliance mechanisms
• fear of vendor lock-in
6. Follow me…
Following the White Rabbit blog: HP.com/go/white-rabbit
The business side of security podcast: podcast.wh1t3rabbit.net
Twitter: @Wh1t3Rabbit
Editor’s notes
When we talk about “Cloud Security” we must first identify the perspective we’re seeking – from consumer or provider?

As a consumer…

What security is my cloud (provider) providing?
As a consumer you want to know that your data and applications are secure – but you don’t always want (or will understand) the details. Consumers just want to know “is my stuff in the cloud secure?”
Consumers need to be protected from hackers as well as other tenants, which they don’t always realize.
As consumers place data and their critical IP in the cloud, protection of those mixed and varied assets is absolutely critical.

What security assurances do I have?
Do you guarantee security? If not, why? If so, how?
Consumers want to see security in action, which means transparency in many cases…but transparency walks a fine line between giving up too much, and too little – consumers demand more than they often want…but transparency is critical to creating a customer base that trusts their cloud, especially when things go wrong.
Consumers need to understand that they’re not liable (or that they are) for issues, and what the limitations are.
The consumer vs. provider relationship is complicated by liabilities; if the services are down, or an incident occurs – where is the line of responsibility/liability drawn? Who takes the financial hit, and does your provider compensate you with more than just a “we’re sorry”?

As a provider…

Consumers and Enterprises have vastly different security tolerances, budgets and risk profiles.
Providers must tailor the security of the cloud service to the intended use-case.
Building and maintaining a ‘low risk’ cloud environment needs to have definition, and align to consumer expectations.
‘Security’ from a provider perspective deals with provisioning, orchestration and ongoing management of a cloud environment and its many virtual machines.
Security deals with authentication and authorization of the front-end environment as well as the management, storage and content manipulation of the cloud applications.
Security and compliance profiles greatly differ based on whether IaaS, PaaS, or SaaS is being provided to the consumer. Each has an inherently acceptable level of risk. Each service type presents challenges for security “higher up the technology stack”.
Providers must balance cloud costs against security needs. What are the expectations of ‘built-in’ security, versus what are customers willing to purchase as add-ons? How much cost does security add in? How can security become transparent and useful at the same time?
Vendors must deal with an environment where a massive influx of attack data is common, and must be heavily manipulated to produce actionable intelligence.
Vendors must protect their cloud framework from attack and compromise, but also their customers from each other, themselves, and Internet-borne attackers.
How can the vendor ease customer migration, support hybrid delivery profiles?
What standards, APIs are adhered to and built around security? WS-Security? SAML?
How is security policy inside the cloud maintained with mobility of the VMs?
Who is responsible for intra-cloud (tenant) security, and how does that manifest?
Is there transparency of service, incidents, events?
Who bears responsibility for VM patching, upgrades and uptime?
“As the cloud service being considered increases in complexity, the responsibility shifts over to the provider” …Critical: Responsibility != Liability (responsibility is not equal to liability) …so who is liable for a security failure?

IaaS
Provider is responsible for the infrastructure and ‘virtual bare-metal’ security paradigm. Most of provider responsibility falls to access (administration), and network-level security (IPS, firewalls, policy-based routing).

PaaS
Customer shares responsibility with provider. Who carries more responsibility is largely determined by contract, and acceptance of responsibility by vendor/customer negotiation. Vendor is responsible for access (administration) and network-level security (IPS, etc) on through the platform (OS) or middleware tier (App Server, etc). Customer maintains responsibility for the security of their application (critical to remember).

SaaS
Responsibility largely falls on provider, as end-to-end security is the responsibility of the software provider (SaaS vendor). Incident response and liability is still largely contested and should be determined by contract through the customer/vendor relationship.
Immature security models
Providers must have appropriate security models built for their specific provider profile, comparable to “industry standards” (such as Cloud Security Alliance controls). Customers want to have a la carte security controls such as access policies, firewall and various network-based protections. Customers range from ‘give me a complete environment’ to ‘let me pick a la carte’ …but ‘no security’ is never a requirement.

Application migration challenges
Migrating applications to the cloud isn’t just a ‘forklift move’. Simply moving an application to a cloud environment neglects most advantages of cloud computing – applications must be re-designed. Customers need guidance on building, migrating and re-architecting their business-critical applications to reap cloud computing benefits.

Lack of transparency
Vendors rarely disclose their inner controls for the cloud infrastructure. Customers want to know who has access to their infrastructure, applications, data and see audit trails. Customers want to see back-end details of their tenant instance.

Fear of vendor lock-in
Closed platforms lock customers into their deployment method, virtual architecture. Customers want to be able to migrate, and burst from private > hybrid > public cloud without worry of being locked in. Customers prefer open standards, protocols.

Lack of compliance mechanisms
Public, Hybrid and Private clouds all carry compliance complications – vendors don’t address this properly. Customers want clear answers on compliance (PCI, HIPAA, etc) with industry requirements. Customers want clear delineations of responsibility, and attestations/verifications of compliance from vendors.