Ambiguity and uncertainty are synonymous when cloud security is discussed. As organizations transition to the cloud, security must be prepared to handle the new and evolving threats impacting cloud resources. Additional business changes affecting the cloud transition (legal, privacy, mobility, etc.) must also be considered when developing your overall security strategy. This talk will do a quick breakdown on defining the cloud as it stands today, along with security’s role in the cloud, how security will evolve in a world that is ‘cloud-centric’, and where the cloud strategy will lead us within the next ten years. The talk will also provide a plan of action for building a cloud security strategy and key considerations when preparing your roadmap for a secure cloud-centric future.
2. MIKE SPAULDING - DOGFOODCON - 2016
DISCLAIMER
My opinions, commentary, and discussion today are my own, not my employer(s)’.
My tweets are my own. If they offend you, then you probably shouldn’t follow me.
I will not discuss anything about my employer(s) in any detail or extent.
3. HOW THE CLOUD WORKS
It’s simple: It really is someone else’s hard drive.
The hard drive sits in multiple countries and is shared by lots of people.
You are placing your trust in the third party to do its job: keep your data separate from other people’s data.
Security is either sold softly (i.e. ‘we’ve got you covered’) or it is a hard sale (i.e. ‘buy this feature and this to feel safe’).
4. UNDERSTANDING YOUR CLOUD
It is estimated that most large companies are leveraging between 600 - 1000 SaaS Applications on a daily basis.
Cloud Apps (SaaS)
• SalesForce
• ServiceNow
• Office365
• Kronos
Owner: Business Relationship Manager
Cloud Infrastructure (IaaS)
• Rackspace
• MSFT Azure
• IBM SmartCloud
• SoftLayer
• Amazon AWS
Owner: Historically Legacy Infrastructure Teams
Platforms (PaaS)
• MSFT Azure
• IBM BlueMix
• Cloud Foundry
• Google AppEngine
Owner: Sometimes Developers, other times it is Infrastructure
5. CLOUD SECURITY RESPONSIBILITY
[Stack diagram with four columns: Local/On Premise (Your Data Center), Infrastructure (IaaS), Platform Apps (PaaS), and Cloud Apps (SaaS). Each column shows the same layers from top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Legend (Responsible Party & Accountability): Your Co., Vendor, Shared.]
6. EXAMPLE: COMPARING YOUR CLOUD WITH PIZZA
7. UNDERSTANDING YOUR DATA IN THE CLOUD
Information Sharing (SaaS)
• DropBox
• Box
• iCloud
• Facebook
Owner: Business Relationship Mgr.
Data Types
• PII
• PHI
• PCI
• IP
Security Requirements: Authentication, Authorization, Confidentiality, Audit, Non-Repudiation
Technical Requirements: Two-Factor Authentication, Business Intelligence, Encryption, Data Loss Prevention, Verification Services
Business Requirements: Rights Management (Expiration Dates, Limited Distribution, Ability to limit Users, Ability to Audit Activities)
Solutions: Company Modified PaaS, Company Modified SaaS, Hybrid Cloud
Accountability: Business Owner, Technical Owner, Process Owner
Stakeholders: Legal & Procurement, Information Security, Architecture, Infrastructure
8. SAAS RESPONSIBILITY CLARIFICATION
[Stack diagram for Cloud Apps (SaaS): Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Legend (Responsible Party & Accountability): Your Co., Vendor, Shared.]
Cloud Apps have a shared responsibility at the Application layer: you are accountable for the user access functions, but overall app support (dev, MX, and MGMT) resides with the provider.
Administrative Tasks:
• User Management
• SOX
• User Behavior Monitoring
• Authentication
• Authorization
• Audit
Technical Tasks:
• Application Development
• Application Upgrades
• Application Management Support
9. MULTITENANCY: HOW THEY MAKE THE CLOUD CHEAPER
A software architecture in which a single instance of software runs on a server and serves multiple tenants (or the sharing of a common cloud resource in our situation).
Risks:
Data Leakage
Insecure Configuration
Crossover from other Tenants
Benefits:
Lower Costs
Mitigation Strategy:
Isolated Resources
Security as a Foundation
10. API SECURITY (OR HOW MOST LARGE CLOUD HACKS HAPPEN)
These are application programming interfaces (APIs) used to build applications in the cloud computing market. Cloud APIs allow software to request data and computations from one or more services through a direct or indirect interface.
Risks
Account or Service HiJacking
Insecure APIs
Known Vulnerabilities
Lack of Control
Benefits
Customizable Services
Integration with Internal Systems
Mitigation Strategies
Evaluate the type and strength of the API Security Features.
Security as a foundation
11. CLOUD PORTABILITY
Cloud Portability and Continuity of Operations is a set of policies and procedures that help to assure that your services continue.
Risks
Denial of Service
Vendor Lock-In
Un-Exportable Services
Benefits
Peace of Mind
Structured Approach to BCP/DR
Mitigation Strategies
Develop Business Continuity Plan
Develop an Exit Strategy
12. CLOUD RELIABILITY
Cloud architecture is more complex and abstract than traditional on-premise computing architectures.
Risks
Denial of Service
Risk is outside of your control
Skills Atrophy
Benefits
Higher Level of Service at a Lower Cost
Redundancy, Load Balancing, Network Security
Mitigation Strategies
Hybrid Cloud Option
Documentation
13. DATA ENCRYPTION
Protecting your data both at rest and in-transit.
Risks
Vendor Lock-In
Un-Retrievable Data
Proprietary Tooling
Benefits
Minimized Potential for Data Loss
Structured Approach for Data Management
Mitigation Strategies
Establish an Independent Key Management Service
Develop a Data Security Strategy/Standard
14. SECURITY AS A SERVICE (CASB)
Cloud providers are beginning to offer security capabilities as a service. These services are both traditional (AAA) and non-traditional (cloud-to-cloud security).
Risks
Improperly Positioned Services
Skills Atrophy
Proprietary Tooling
Benefits
Higher Security Capability with lower barrier
Ability to have a single security context across multiple vendors
Mitigation Strategies
Security as a Foundation
Security Auditing
15. TRADITIONAL SECURITY MIGRATED TO THE CLOUD
Leveraging virtualized software, many traditional security vendors have brought cloud-based firewalls, IPS, reverse proxies, web application firewalls, and malware detection tools into many of the most popular cloud services.
Risks
Improperly Positioned Services
False Sense of Security
Benefits
Easier transition to cloud services for current staff
Ability to understand/visualize security posture
Mitigation Strategies
Security as a Foundation
Security Fundamentals
16. INTERNATIONAL PRIVACY/COMPLIANCE RISKS
The Data in the cloud is still YOUR DATA. Liability for the data is not transferred away; ultimately, YOU ARE responsible for how the data is handled.
Risks
EU and non-US resident data commingled
Data residing within countries which do not have treaties with the EU, Canada, etc.
Mitigation Strategies
Ensure that location-specific services are enabled and that specific data centers are used for meeting international privacy compliance (make sure that German data stays on German servers).
Leverage data centers that can handle both US and EU Data Privacy requirements, such as Canadian servers.
17. LEGALLY YOURS
REMEMBER: It is your data; how you use it is at your discretion.
No cloud provider will ever sign on as being 100% liable for your data, and you must prove how they failed.
You will only get your portion of your money back (think of something like tires or a mattress). The warranty is limited to unused services only.
The model of the cloud is on shared services, so no self-respecting cloud provider will sign away their rights to you. Liability is limited and at most they go out of business and walk away from the mess. You will own the mess, not them.
YOUR DATA IS YOUR RESPONSIBILITY!
18. SO WHERE DO WE GO FROM HERE?
Everything is moving to the cloud - it is really hard to find an industry that has no cloud presence. Don’t fight the Kool-Aid now!
Containerization and portability will be the next big wave for enterprises in the cloud.
Although infrastructure in the cloud is becoming very mainstream, we have yet to see the cloud ‘killer’ app. If we look at things like Facebook, SalesForce, or Box, what we find is that we made it easier for a large number of people to do something that would previously be more complex or cumbersome.
Automation is already hitting the cloud, but we have not truly embraced it.
Machine learning will make coding in the cloud even easier for the less technical, and sharing data will be almost too easy or simple.
19. THE SINGLE, BIGGEST QUESTION TO ASK YOUR CLOUD VENDOR
Where does your security end and my security begin?
20. THANK YOU
I appreciate your time today during this session.
If you need to reach me, try here:
https://www.linkedin.com/in/therealfatherofmaddog
@fatherofmaddog
Columbus BSides Security Conference - January 16th, 2017
Due to my work/personal schedule, I cannot work for you (at least right now). Maybe some time down the road. Who knows.
I need to thank John Sanders (Ent. Architect/CIO), the guys at Secure Idea, and the person that created Pizza as a Service - Albert Barron.