What is the minimum security due diligence that a company needs to do before putting its data in the cloud?
Since 2007, Amazon has been telling us they are ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II" but these have not happened in 2+ years.
On one side of the cloud security issue we have the marketing people, who hype up the security that exists and gloss over what does not. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. The truth is that there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure their data properly.
We look at Amazon's EC2, risk tolerance, and how to secure the data in the cloud.
2. About zSquad
• Information Security Consulting Practice
• Focus areas are:
– Policy review/development
– IT Governance
– Security Architecture
– Application Security
– PCI, SAS 70 and ISO 27001 audit prep
– 3rd party due diligence audits
• Customers are financial services, insurers and state / city agencies
• We also founded The Layoff Support Network
(www.layoffsupportnetwork.com)
3. Agenda
• Too many “cloud” offerings = confused market
• Pay-as-you-go vs. always on
• Cloud (in)security
• Hype: Security vendors
• Hype: Cloud providers
• Enterprise Cloud Computing
• Know your information
• Minimum due diligence
– questions to ask your cloud provider
• If you are a cloud (or related service) provider
– questions you better have answers for
• If you develop, things to do
• Q&A
4. “Cloud:” Buzzword 2.0
• Gmail and Hotmail are clouds, too
• So are SalesForce.com and Google Apps
• What about timesharing mainframes of old?
• Or the $5/month shared web-hosting?
So is the cloud concept decades old?
5. So what exactly is a “cloud”?
… Massively scalable IT-enabled
capabilities delivered 'as a service' to
external customers using Internet
technologies.
-- Gartner
6. Cumulus, Stratus, Nimbus…
• SaaS: SalesForce, GoogleMail, Google Apps…
• Utility Computing: Amazon EC2, IBM, Unisys…
• Web Services (API): Google Maps, ADP Payroll processing…
• Platform As A Service: Force.com, Google App Engine, Azure
• Managed Service Providers: Hosted anti-spam services
• Infrastructure as a Service: Amazon, 3Tera
7. Characteristics:
• Elasticity: provisioning and deprovisioning resources in real time to meet workload demands
• Utility: providing resources on a 'pay-as-you-go' basis
• Ubiquity: providing services available from anywhere to anywhere
8. Cloud (in)Security Characteristics
• Outside customers’ physical security
perimeter
• Unknown (untrusted?) personnel
• Unenforceable regulatory compliance
• Unpredictable jurisdiction over data
• Unknown disaster recovery
• You may very well be locked-in
• Zero support for forensics / investigations
But:
Trust us, we are doing the right things
9. Every RSA Conference has a buzzword
This year it was "the cloud."
In one way or another, vendors were pushing their answer
to handling security in the cloud. Cisco unveiled a number
of tools and services in the cloud April 21, even though a
day later Cisco CEO John Chambers described the idea of
securing a virtual cloud network as “a security nightmare.”
IBM pulled the covers off a new arsenal of products
designed to protect cloud computing environments as well,
while McAfee CEO Dave DeWalt used his keynote to talk
about using the cloud in the context of what he called
“predictive security,” his vision of how McAfee will share
threat intelligence in the cloud to better protect end users.
eWeek.com - 4/24/2009
10. Customers Worry
• 90% of cloud application users say they would be very
concerned if the company at which their data were
stored sold it to another party.
• 80% say they would be very concerned if companies
used their photos or other data in marketing
campaigns.
• 68% of users of at least one of the six cloud
applications say they would be very concerned if
companies who provided these services analyzed their
information and then displayed ads to them based on
their actions.
Cloud Computing Gains in Currency
Pew Internet and American Life Project
11. Vendors Respond:
• Since 2007, Amazon has been telling us they are: ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II" but these have not happened in 2+ years.
13. Reality
• March 7, 2009 from the WSJ:
Google disclosed Saturday that it shared a very small number
of online documents with users who weren’t authorized to
see them.
The privacy glitch, caused by a software bug, affected just a
tiny fraction of documents — an estimated less than .05%
http://blogs.wsj.com/digits/2009/03/08/1214/
• September 18, 2009 from the NY Times:
A recent bug in Google Apps allowed students at several
colleges to read each other's email messages and some
were even able to see another student's entire inbox. The
issue occurred at a small handful of colleges…
http://www.nytimes.com/external/readwriteweb/2009/09/18/18readwriteweb-whoops-students-going-google-get-to-read-ea-12995.html
15. Amazon EC2/S3
http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960
We are not responsible for any unauthorized access to,
alteration of, or the deletion, destruction, damage, loss or failure
to store any of, Your Content (as defined in Section 10.2), your
Applications, or other data which you submit or use in
connection with your account or the Services.
http://aws.amazon.com/agreement/
16. No Customer Audit Allowed
http://www.v3.co.uk/v3/analysis/2246616/q-google-apps-director-security
…It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2
and S3, but you cannot achieve level 1 compliance. And you have to provide the
appropriate encryption mechanisms and key management processes. If you have a data
breach, you automatically need to become level 1 compliant which requires on-site
auditing; that is something we cannot extend to our customers. … I recommend
businesses always plan for level 1 compliance. So, from a compliance and risk
management perspective, we recommend that you do not store sensitive credit card
payment information in our EC2/S3 system because it is not inherently PCI level 1
compliant. It is quite feasible for you to run your entire app in our cloud but keep the
credit card data stored on your own local servers which are available for auditing,
scanning, and on-site review at any time.
http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960
17. Detour: SAS 70 type II
• Concept: an ISO 9000-certified maker of concrete life jackets
• manufactured according to the documented procedures
• with instructions on how to complain about defects
• SAS 70: company management defines the controls to be evaluated
Management: We have a guard at the front door. That is the sole control we want evaluated.
Auditor: And he checked my ID. The control works as claimed. Here is your SAS 70 type II report.
Unless you can see which controls were evaluated, a SAS 70 type II report is not meaningful
18. Can you move your enterprise
to the cloud?
Or,
If you are a cloud vendor, how
do you convince your
customers to move?
19. Case Study
• Business: Automatic discount at retail stores
• Customer identified by Credit Card used
• Currently 1 million transactions/day
• PCI-certified stores have demanded PCI
certification
• Client stress test: 1 million transactions/hour
• Amazon Extra-Large Instance
• Cost: ~ $200
• They cannot get PCI certified on Amazon
• Any other platform is unaffordable
21. Customer: Data Classification
• Some parts of the enterprise can go to the cloud
• The trick is in understanding that:
• Not all data is created equal
• Some of it is entirely fit to be in/on a cloud
• But if data is valuable enough that someone might bring out a gun, the cloud is not the right place for it
• If you need PCI certification, excellent advice from
AWS rep:
… keep the credit card data stored on your own
local servers which are available for auditing,
scanning, and on-site review at any time
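One way to act on that advice, as an added example that is not part of the original deck and not a description of the case study system: the application runs in the cloud, but the card number stops at a service on the customer's own servers. That service derives a deterministic token with a keyed hash (HMAC-SHA256) whose key never leaves the local servers, and the cloud side keys its customer and discount records by token alone, so the same card is still recognised on every visit while nothing stored in the cloud can be turned back into a card number. The class names, the loyalty rule and the test card number are assumptions made for the illustration.

```python
"""
Added example, not part of the original slides: a split design in which the
cloud-hosted discount application never receives a card number. The
architecture, names and discount rule are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, so obviously malformed input is rejected at the edge."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class OnPremVault:
    """Runs on the customer's own servers (inside the auditable perimeter).

    Holds the only secret: an HMAC key. A token is HMAC-SHA256(key, PAN), so
    the same card always maps to the same token (identification still works)
    while nothing in the cloud can turn a token back into a PAN without the key.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        return hmac.new(self._key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class CloudDiscountService:
    """Runs in the cloud (EC2 in the slides). Its database is keyed by token only."""

    VISITS_FOR_DISCOUNT = 5   # assumed loyalty rule: the fifth visit earns 10 %
    DISCOUNT_PERCENT = 10

    def __init__(self) -> None:
        self._visits: Dict[str, int] = {}

    def record_visit(self, token: str) -> int:
        """Count a visit and return the discount (in percent) this visit earns."""
        self._visits[token] = self._visits.get(token, 0) + 1
        if self._visits[token] >= self.VISITS_FOR_DISCOUNT:
            return self.DISCOUNT_PERCENT
        return 0


def checkout(vault: OnPremVault, cloud: CloudDiscountService,
             pan: str, amount_cents: int) -> int:
    """Point-of-sale flow: the PAN stops at the vault; only the token crosses
    into the cloud. Returns the amount to charge after any discount."""
    token = vault.tokenize(pan)
    pct = cloud.record_visit(token)
    return amount_cents - (amount_cents * pct) // 100


if __name__ == "__main__":
    vault = OnPremVault()
    cloud = CloudDiscountService()
    test_pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    for visit in range(1, 6):
        print(visit, checkout(vault, cloud, test_pan, 10_000))
```

The point of the split is scope: the cloud database, its backups and the provider's staff only ever handle tokens, and a second deployment with its own key produces unrelated tokens for the same card, so one leaked database does not correlate with another. Whether this is enough to keep the cloud side out of PCI scope is a question for the assessor, not for the code.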
22. Off-premise has different security
problems and requirements
Understand them, and you can
secure them
or
Make an informed decision to
Stay Away
23. Customer Due Diligence
• Centralization of data makes insider threats from
within the cloud provider a bigger risk
• Customers should perform onsite inspections of cloud
provider facilities whenever possible
• Customers should inspect cloud provider disaster
recovery and business continuity plans.
• Customers should identify physical interdependencies
in provider infrastructure.
• For IaaS, deploy applications in runtime in a way that
is abstracted from the machine image. Backups
should also be machine independent.
• Understand who your provider’s competitors are. Plan
for a migration
http://www.cloudsecurityalliance.org/
24. Considering a SaaS provider?
• If you have the resources, do an audit yourself
• If your data requires that level of assurance
• If the provider allows
• Ask the vendor for 3rd party audit reports
• SAS 70 audit reports: better than nothing
• Barely
• Ask them about:
• Employee background check
• Secure development process
• Trust, but verify
25. Multi-tenant SaaS Security Issues
• Not net-new vulnerabilities
• But suddenly you are hosting data on servers
managed by people who don't work for you
• And you are not the only user of the server
• Can someone do an off-by-one attack (ask for record n+1 and get another customer's row)?
• Or get it by mistake, through a provider bug?
• Denial of service attack against another
customer?
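The off-by-one the slide asks about, as an added example that is not part of the original deck: a constructed multi-tenant invoices table shared by two made-up tenants, a lookup that trusts the record id alone, and the scoped lookup that closes the hole. The table, tenant names and rows are all invented for the demonstration.

```python
"""
Added example, not part of the original slides: the "off-by-one" across
tenants in a shared SaaS table, beside the scoped lookup that prevents it.
Table, tenants and rows are constructed for the demonstration.
"""
import sqlite3
from typing import Optional, Set, Tuple

Row = Tuple[int, str, str, int]   # (id, tenant_id, customer, total_cents)


def build_db() -> sqlite3.Connection:
    """One shared table for every tenant, ids handed out from a single sequence:
    tenant rows are interleaved, so id+1 is usually someone else's row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " customer TEXT NOT NULL, total_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [
            (100, "acme",   "Wile E.",  1200),
            (101, "globex", "Hank S.",  99000),   # neighbour of 100, other tenant
            (102, "acme",   "Road R.",  500),
            (103, "globex", "Homer S.", 250),
        ],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: int) -> Optional[Row]:
    """Looks the row up by id alone. Any authenticated user who increments
    the id in the request reads the next tenant's invoice."""
    return conn.execute(
        "SELECT id, tenant_id, customer, total_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(conn: sqlite3.Connection, session_tenant: str,
                       invoice_id: int) -> Optional[Row]:
    """Same lookup, but the tenant comes from the server-side session (never
    from the request) and is part of every query: a foreign id simply does
    not exist for this caller."""
    return conn.execute(
        "SELECT id, tenant_id, customer, total_cents FROM invoices"
        " WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant),
    ).fetchone()


def foreign_tenants_seen(conn: sqlite3.Connection, session_tenant: str,
                         start_id: int, count: int, scoped: bool) -> Set[str]:
    """Walk `count` consecutive ids as `session_tenant` would and report every
    other tenant whose data came back. An empty set means isolation held."""
    seen: Set[str] = set()
    for invoice_id in range(start_id, start_id + count):
        row = (get_invoice_scoped(conn, session_tenant, invoice_id) if scoped
               else get_invoice_vulnerable(conn, invoice_id))
        if row is not None and row[1] != session_tenant:
            seen.add(row[1])
    return seen


if __name__ == "__main__":
    db = build_db()
    print("unscoped:", foreign_tenants_seen(db, "acme", 100, 4, scoped=False))
    print("scoped:  ", foreign_tenants_seen(db, "acme", 100, 4, scoped=True))
```

The scoped version only helps if every query is built that way; in a real code base the tenant filter belongs in one shared data-access layer (or in the database's own row-level access controls) rather than in each handler, so that no single developer can forget it.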
26. Providers:
• Know what you will host
• Spell out policies and procedures
• Employees are background-checked?
• Are they bonded?
• How would you stop someone from backing up a
VM and taking it home?
• Be clear about what you will NOT support
• It took Amazon AWS 2 years to provide an answer
• Some things are still unclear
• The Google / AWS disclaimers are excellent models
• Unisys has ISO 27001-certified data centers.
• Think before investing that much time, effort and money
27. Providers (cont.)
• Cloud providers should adopt as a security baseline
the most stringent requirements of any customer.
• Or make clear to the customer where they stand
• Providers should have robust compartmentalization
of job duties and limit knowledge of customers to
that which is absolutely needed to perform job
duties.
• Understand that you may be subject to a legal /
regulatory discovery because of a customer
28. Creating Secure Software
• Developers care about deadlines and meeting the
requirements
• If security is not in the requirements, it will not get
done
• If developers don't know how to code securely, it
will not get done right
• If at all
29. Building a SaaS offering?
• Train your developers and architects
• A single day of training will probably eliminate 90% of future security issues
• Build Security into your life-cycle
• Let security people, not developers, write the
security requirements
• Security Code review sounds nice, but is expensive
• Do an application audit before going live
• Allow time for it in the project plan
30. Final Thoughts
[Figure: IaaS, PaaS and SaaS arranged between two opposing axes, Customer Extensibility (greatest for IaaS) and Provider Security Responsibility (greatest for SaaS)]
Where are you?
What are you doing about it?