Security considerations for the cloud

www.skyviewpartners.com 6/7/2012

Carol Woodbury, President
SkyView Partners, Inc.
www.skyviewpartners.com
@carolwoodbury

(c) SkyView Partners, Inc, 2012.
All Rights Reserved. 1


(c) SkyView Partners, Inc, 2012. All Rights Reserved. 1


Benefits: However:
 Hardware  Must meet
 Support of the requirements of
hardware security policy
 Software licensing  Legal requirements

 Software maintenance  Compliance
requirements


 Depends on the type of data




 EU Data Protection Laws
◦ Currently being revised


Determines
 Default access
 Encryption requirements
 Retention requirements
 Storage requirements
 Disposal method (both printed and online)

While considering
 Compliance requirements
 Legal considerations




 Data classification requirements don’t change just
because the data is now in the cloud


 Carefully plan the security and privacy aspects of cloud
computing solutions before engaging them (a cloud
provider.)
 Understand the public cloud computing environment
offered by the cloud provider.
 Ensure that a cloud computing solution satisfies
organizational security and privacy requirements.
 Ensure that the client-side computing environment meets
organizational security and privacy requirements for cloud
computing.
 Maintain accountability over the privacy and security of
data and applications implemented and deployed in public
cloud computing environments.




 Encryption
 Auditing (logging)
 No passwords in cleartext
 Access controls
 Reporting
 Incident response handling

 What will a QSA or auditor say …?


 Where is the data physically located
 Incident response handling
◦ Do you and provider have the same definition of a breach?
 Can your SLAs be fulfilled?
◦ (think disaster-recovery)

 As well as compliance requirements




 Questions for providers’ security practices:
◦ Is admin (root) power limited to only those users needing it?
◦ Who/What is logged?
◦ Do administrators access systems via encrypted sessions?
◦ What is the patch management strategy?
◦ What anti-virus / anti-malware software is used?
◦ Are the servers in compliance with
 PCI
 SOX
 HIPAA
◦ Who are you audited by and can we see the results?


 User management:
◦ Process to integrate with HR to remove access?
 What about immediate removal for terminated
employees/contractors?
◦ Password composition rules?
◦ Password change rules?




 Logging:
◦ Invalid sign on attempts
 Lock-out for excess attempts
◦ Reads and changes to HIPAA or PCI data
◦ Access attempts to data
◦ Retention of the logs
◦ Review of the logs

 Network logging:
◦ Connections
◦ Data movement – what about DLP?


 Because the service provider holds so much data, they
may become a victim of a targeted attack

 However … provider likely has
◦ Network monitoring
◦ Trained personnel to recognize and respond to the attack
◦ Knowledge / Hardware to prevent or limit the attack




 Business level objectives
 Responsibilities of both parties
 Business continuity/disaster recovery
 Redundancy
 Maintenance
 Data location
 Data seizure
 Provider failure
 Jurisdiction
 Brokers and resellers

http://www.ibm.com/developerworks/cloud/library/cl-
rev2sla.html?ca=drs-


 Security  Incident response
 Data encryption  Transparency
 Privacy  Certification
 Data retention and  Performance definitions
deletion  Monitoring
 Hardware erasure,  Auditability
destruction  Metrics
 Regulatory compliance  Human interaction

(c) SkyView Partners, Inc, 2012. All
Rights Reserved. 16



 Determine your organization’s security and compliance
requirements for the type of data going to the cloud
 Put the appropriate SLA in place
◦ Terminology / Communication is key – make sure you agree to
each others’ definitions
 Monitor the results to determine if SLA is being met


 Find your private and confidential data

 Do not assume it doesn’t exist just because it’s not
supposed to be a on specific server or in a specific
database!




 Many organizations are realizing the benefits of
“private” clouds
◦ Reduced hardware / software costs
◦ Quicker patching
◦ Consolidated security expertise
 Monitoring (NOC)
 Recognition and response to incidents
◦ Consolidated logging (correlated events)
◦ More layers of security (depending on the data requirements)


 Clouds specializing in meeting compliance needs:
◦ PCI
◦ HIPAA

 Significantly more expensive but consider that with
public clouds you ‘get what you pay for.’




 Service providers have been providing “cloud” services
for many years
◦ Private / Specialized cloud – typically without the dynamic
allocation of new resources
 Security/Compliance/Legal requirements you make of
them are the same as what we’ve been discussing.


Best practices and Certifications for Cloud Security
 https://cloudsecurityalliance.org/

Guidelines on Security and Privacy in Public Cloud Computing – National Institute of
Standards and Technology (NIST) SP 800-144
 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

Cloud Computing Synopsis and Recommendations - – National Institute of Standards and
Technology (NIST) SP 800-146 – DRAFT
 http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

Articles:
 www.sans.org
 www.isaca.org
 Search ‘European cloud Computing Strategy’

Contact us at: info@skyviewpartners.com
@carolwoodbury



Security considerations for the cloud

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (7)

Similar a Security considerations for the cloud

Similar a Security considerations for the cloud (20)

Más de COMMON Europe

Más de COMMON Europe (20)

Último

Último (20)

Security considerations for the cloud