Security, Privacy and the Cloud
Connecticut Community Providers’ Association
June 20, 2014
Steven R Bulmer, VP of Professional Services
Agenda
• Introduction to Cloud Computing Models
• Top Threats
• Categorical Approach to Cloud Security
• Technology Areas of Focus
• Encryption
2
Definitions – Cloud Computing
Cloud Computing is:
A model for enabling convenient, on-demand network access to a shared
pool of configurable computing resources (e.g. networks, servers, storage,
applications & services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of:
 5 essential characteristics
 3 service models
 4 deployment models
- National Institute of Standards and Technology
http://csrc.nist.gov/groups/SNS/cloud-computing
3
Cloud Definitions Cont’d
Cloud Characteristics
1. On-demand Self-Service – User provisions their services
2. Ubiquitous Network Access – Standard network or mobile access
3. Resource Pooling – Shared resources and location independence
4. Elasticity – Capabilities scaled or released “rapidly”
5. Measured Service – Metered, monitored and billed as utility
4
Cloud Definitions Cont’d
Cloud Service Models
1. Software as a Service (SaaS) – User access to the application
layer
2. Platform as a Service – User deployment using providers’ tools
3. Infrastructure as a Service (IaaS)– User access to IT
infrastructure
5
Cloud Definitions Cont’d
Cloud Deployment Models
1. Private Cloud – Deployed for a single organization or company
2. Community Cloud – Shared by organizations with similar needs
3. Public Cloud – Cloud services available to all and shared
4. Hybrid Cloud – Two or more clouds with operational relationship
6
Business Services
Application Logic
SaaS
Middleware/DB
PaaS
Infrastructure
IaaS
Cloud Provided
Customer Provided
Cloud Layers
7
Top Cloud Security Threats
1. Data Breaches
6.
2. Data Loss
7. Abuse of Cloud Services
3. Account or Service Traffic Hijacking
8. Insufficient Due Diligence
4. Insecure Interfaces and API
9. Shared Technology
5. Denial of Service Attacks
Source: Cloud Security Alliance
cloudsecurityalliance.org
Malicious Insiders
Vulnerabilities
Approach to Security in the Cloud
Governance
• Assessing the Risk
• Managing and Measuring Posture and Response
Compliance
• Direct policy and technology requirements to meet regulations
Architecture
• The technical components and their inherent strength and weaknesses
Resiliency
• The ability to withstand and/or recover from an incident
Process
• Established, regular, IT practices that ensure policy adherence
Access
• Identity and authentication
9
Security in the Cloud
Category
Focus Areas
Tasks
Applicability
Governance
•
•
•
•
• Risk Assessment / Analysis
• Audit Controls
• Audits
• PCI 5, 6, 11
• HIPAA (C) 164.308, 312, 314
Compliance
• Data Location
• eDiscovery
• Device & Media Control
• Policy Development
• Policy Enforcement
• eMail Archiving
• PCI DSS, PA-DSS
• HIPAA 160.203, 164.308,
• SEC Rule 17a-3,4
Architecture
• Attack Surface
• Isolation/Separation
• Network Security
• Systems and Application
Configuration Policy
• PCI 1,2
• PA-DSS
• HIPAA 164.312
Resiliency
• Availability
• Data Protection
• Disaster Recovery
• Contingency Planning
• Encryption
• Media Management
• PCI 3,4
• FISMA
• HIPAA 164.308, 310
Process
• Incident / Change Mgmt
• Security Mgmt /
• Monitoring
• Response Reporting
• Proactive Monitoring
• PCI 10,11
• HIPAA 164.316
Access
• Identity / Authentication
• Access Controls
• Unique User ID
• Access Policies
• Remote Access Policy
• PCI 7, 8 , 9
• HIPAA 164.308
Regulations
Data Location
eDiscovery
Evaluation
10
Technical Focus
Architecture
• Provisioning Process and Capability
•
•
•
•
•
Software / Network Isolation
Multi-tenancy vs Dedicated
Hypervisor structure
Network structure
Security Infrastructure
Resiliency/Availability
• Business Continuity and Disaster Recovery
• Data Integrity
Identity and Access Management
• Authentication tie-ins to customer, stand alone
Data Protection
• Backups and Recovery
• Data Location and Encryption
• Physical Security
11
A Few Words On Encryption
Encryption Built into Cloud Service vs Encrypting at the Source
• SaaS and PaaS:
• SSL based transfer prior to encryption in the cloud
• Read and Understand the Privacy Policy
• Cloud Storage
• Encrypt locally, then store in the cloud (e.g. DropBox)
o
Viivo, Sookasa, BoxCryptor, CloudFogger
• Use an integrated hybrid cloud storage solution
o
Wualu, SpiderOak, Tresorit
• Use Appliance Based Backups & BC
o
Walker/Datto
12
Encryption (cont’d)
Cloud Storage features to Look for:
• Granularity: File vs Container vs Volume
• Key Management
• Administrative Features to meet your needs (e.g. compliance)
• Does it work with the service(s) you use?
• Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3
13
Sources
Cloud Security Alliance
http://cloudsecurityalliance.org
NIST Cloud Computing Definition
http://csrc.nist.gov/groups/SNS/cloud-computing
CSA Top Nine Cloud Computing Threats White Paper
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats
_in_2013.pdf
HIPAA Guidelines Simplified from HHS
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
NIST Cloud Security for Federal Agencies White Paper
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
14
Thank You.
860.678.3530 | TheWalkerGroup.com | info@thewalkergroup.com
15