Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government

Size: px

Start display at page:

Download "Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government"

Marshall McGee
5 years ago
Views:

1 Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government April 13, 2016 Presenter: Carlo Di Giulio Advisor: Dr. Masooda Bashir

2 Focus of the Research Security and privacy risks and pitfalls in commercial cloud services Help the US Airforce to identify the most secure and convenient Cloud Service Providers (CSPs) to the US Government among the selected ones Spot possible market trends How service providers are addressing government needs

3 Focus of the Research The research currently focuses on 5 major CSPs

4 Structure The research is organized in three pillars Norms, regulations, and guidelines Products and services General privacy and security policies

5 Pillar I: Norms and Guidelines Different level of security, different controls and authorizations

6 Pillar I: Norms and Guidelines The authorization process to provide a service to the DoD is rather complex Image: The FedRAMP and CC SRG Roadmap (1)

7 Pillar II: Offering Each CSP offers a number of services that may be classified and compared to others We classified products and services of each service provider into 3 main categories (NIST ): IaaS PaaS SaaS

8 Pillar II: Offering A few examples CSP Service AWS Microsoft (Azure) Google CS IBM Softlayer VMWare Data Analytics Event Hubs BigQuery vrealize Operations Manager Cloud Monitoring Amazon CloudWatch Cloud Monitoring Monitoring & Reporting Compute Amazon EC2 Cloud Services App Engine Virtual Servers Compute Relational Database Redshift SQL Database Cloud SQL Continuent Identity Management AWS IAM Active Directory Cloud IAM Identity Manager

required NIST 800 53 FedRAMP Baseline medium - high

9 Pillar III: Policies In order to classify the policies, standardization and classification are required NIST FedRAMP Baseline medium - high Frameworks issued by credible NGOs AICPA (SOC 2 criteria) CSA (CCM 3.0.1)

Pillar III: Policies - Examples Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.

10 Pillar III: Policies - Examples Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.1) AWS Identity and Access Management (IAM) lets [the tenant] manage several types of long-term security credentials for IAM users (2) ( ) must at a minimum meet Microsoft internal IT requirements, but an internal organization can increase the strength past this standard (3) Not at this time (4)

11 Pillar III: Policies - Examples Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? (EKM Indicator, CCM 3.0.1) ( ) option of encrypting customer data transmitted to and from Microsoft datacenters over public networks. ( ) private networks with encryption for replication of non-public customer data between Microsoft datacenters (3) "Yes. ( ) uses AES-256 encryption to encapsulate in-transit workloads. For in-cloud vmotion activities, a dedicated, secure and encrypted network is used exclusively for this purpose ( ) (4) Tenant Control Consideration (5)

12 Next Steps Conclude the policy analysis Select relevant policy indicators Cross reference policies and services Explore features and differences among services more in detail Collaborate with a Technical SME (CS Grad Student) to specify security criterias for the analysis

13 Thanks for your Attention! For more information: Carlo Di Giulio: Dr. Masooda Bashir

14 References (1) Bockelman, P. and McDermott, A. (2015). DoD-Compliant Implementations in the AWS Cloud. Reference Architectures. Amazon Web Services, April Retrieved from (2) Amazon WS (2016). Amazon Web Services: Risk and Compliance. White Paper. Retrieved from (3) Microsoft (2015). Standard Response to Request for Information Microsoft Azure Security, Privacy, and Compliance. White Paper. Retrieved from (4) Vmware (2015). VMware vcloud Air IaaS CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v Retrieved from (5) Softlayer (2016) CAIQ V1.0 - Consensus Assessments Initiative Questionnaire V Retrieved from

Auditing the Cloud. Paul Engle CISA, CIA

Auditing the Cloud. Paul Engle CISA, CIA Auditing the Cloud Paul Engle CISA, CIA About the Speaker Paul Engle CISA, CIA o Fifteen years performing internal audit, IT internal audit, and consulting projects o Internal audit clients include ADP,