The Business of Security in the Cloud
Dr. Pamela Fusco, Vice President Industry Solutions, Solutionary Inc.
CISSP, CISM, CHSIII, IAM; NSA/CSS Adjunct Faculty
Promises, Promises
The promise of cloud computing is arguably revolutionizing the IT services world by transforming computing into a ubiquitous utility, leveraging attributes such as increased agility, elasticity, storage capacity and redundancy to manage information assets.
Defining Cloud
Essential characteristics: on-demand provisioning, elasticity, multi-tenancy
Key service models:
Infrastructure as a Service (IaaS): basic O/S & storage
Platform as a Service (PaaS): IaaS + rapid development
Software as a Service (SaaS): complete application
Deployment models: public, private, community & hybrid cloud
Cloud "as a Service" stack (diagram): IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)
Top Threats to Cloud Computing
Cloud security risks / threats:
Shared Technology Vulnerabilities
Data Loss/Data Leakage
Malicious Insiders
Account, Service or Traffic Hijacking
Insecure APIs
Abuse and Nefarious Use of Cloud Computing
Unknown Risk Profile
Enterprise CIO Strategies (chart)
Enterprise CIO Technology Priorities (chart)
Survey Results 2009: Top Ranked Threats

Rank  Threat                                       Percent
1     Data Loss/Leakage                            28.8%
2     Abuse and Nefarious Use of Cloud Computing   17.8%
3     Insecure APIs                                15.1%
4     Malicious Insiders                           11.0%
5     Account/Service and Traffic Hijacking         9.6%
6     Unknown Risk Profile                          9.6%
7     Shared Technology Vulnerabilities             8.2%
Top Threats to Cloud Computing Report 2010
"Cloud services are clearly the next generation of IT to be mastered. We have a shared responsibility to understand the security threats that accompany the cloud and apply the necessary best practices to mitigate them," said Jim Reavis, founder of the Cloud Security Alliance.
The objective of this report was not only to identify those threats which are most germane to IT organizations but also to help organizations understand how to proactively protect
Together These Threats Magnify
Abuse and nefarious use of cloud computing: includes exploits such as the Zeus botnet, information-gathering Trojans and malformed software
Not all threats are rooted in malicious intent
Social networking sites require multiple APIs
Together, these threats comprise a combination of existing vulnerabilities that are magnified in severity in cloud environments, as well as new, cloud-specific techniques that put data and systems at risk.
Additional threats outlined in the research include:
Malicious Insiders
Shared Technology Vulnerabilities
Data Loss/Leakage
Account/Service and Traffic Hijacking
P2
Point-in-time assessment is non-existent; real-time and continuous diligence is required
Everything is an asset
If you're hot you're a target; if you're new you're vulnerable; if you're old you're vulnerable
You can no longer drive a standard, you must have an automatic
One-to-many is a must-have
Collaboration is key
My 70-year-old mother is addicted to Facebook: she is a weak link
Identity management will become DNA
No more wire hangers
MDM is a challenge
Summary
Cloud computing is real and transformational
Challenges for people, process, technology, organizations and countries
Broad governance approach needed
Tactical fixes needed
Combination of updating existing best practices and creating completely new best practices
Common sense is not optional
Always Use Protection
Thank you!
About the Cloud Security Alliance
Global, not-for-profit organization
Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and more
We believe cloud computing has a robust future; we want to make it better
Mission: to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing
Membership
50 corporate members
14 non-profit affiliations
Over 90,000 individual members, growing by about 200 per week
Broad geographical distribution
Working group activities performed through the individual membership class
Cloud Controls Matrix Tool
Controls derived from the CSA guidance
Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
Customer vs. provider role identified for each control
Mapped to ISO 27001, COBIT, PCI, HIPAA
Helps bridge the gap between IT and IT auditors
www.cloudsecurity.org/cm.html
Trusted Cloud Initiative
Getting SaaS and PaaS providers to act as relying parties for corporate directories
Scalable federation
Outline responsibilities for identity providers
Assemble from existing standards
Proof of concept
Certification criteria and seal
www.cloudsecurity.org/trustedcloud.html
Consensus Assessments Initiative
New CSA project; initial chair Jason Witty, Bank of America
Research tools and processes to perform shared assessments of cloud providers
Lightweight "common criteria" concept
Kickoff meeting and working session in Chicago, May 12
Focused on leveraging existing tools and projects
Cloud Metrics Research
Identifying CSA guidance we can build metrics for
Initially developing metrics for GRC, encryption, key management and identity management (IdM)
Survey industry on maturity
Create baseline capability
Deliverable timeline not yet set
Key Cloud Assurance Issues
Must adapt security controls to a fully virtualized world
Challenges with geographical location and jurisdiction
Challenges with provider transparency
Tools, research and standards are evolving to assist the effort
The best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture