Cloud Customer Architecture for Securing Workloads .Cloud Customer Architecture for Securing ... Cloud Customer Architecture for Securing Workloads on Cloud Services ... enterprise

  • View
    216

  • Download
    0

Embed Size (px)

Text of Cloud Customer Architecture for Securing Workloads .Cloud Customer Architecture for Securing ......

  • Cloud Customer Architecture for Securing Workloads on Cloud Services

    April, 2017

  • Copyright 2017 Cloud Standards Customer Council Page 2

    Contents Acknowledgements ....................................................................................................................................... 3

    Executive Overview ....................................................................................................................................... 4

    Cloud Computing Architecture for Security .................................................................................................. 4

    Key Aspects of Security ................................................................................................................................. 6

    The Impact of Cloud Service Categories on Workload Security ................................................................... 6

    Security for Different Cloud Deployment Models ........................................................................................ 7

    Roles and Responsibilities ............................................................................................................................. 7

    The Importance of Standards for Workload Security ................................................................................... 8

    Security Architecture for Workloads ............................................................................................................ 8

    Component 1: Identity and Access Management..................................................................................... 8

    Component 2: Infrastructure Security .................................................................................................... 14

    Component 3: Application Security ........................................................................................................ 15

    Component 4: Data Security ................................................................................................................... 20

    Component 5: Secure DevOps ................................................................................................................ 24

    Component 6: Security Monitoring & Vulnerability Management ........................................................ 26

    Component 7: Security Governance, Risk, and Compliance ................................................................... 30

    Keys to Success when Implementing Security Architecture ....................................................................... 33

    Works Cited ................................................................................................................................................. 34

    Additional References ................................................................................................................................. 35

  • Copyright 2017 Cloud Standards Customer Council Page 3

    2017 Cloud Standards Customer Council.

    All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Customer Architecture for Securing Workloads on Cloud Services at the Cloud Standards Customer Council Web site subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Standards Customer Council Cloud Customer Architecture for Securing Workloads on Cloud Services (2017).

    Acknowledgements Cloud Customer Architecture for Securing Workloads on Cloud Services is a collaborative effort that brings together diverse customer-focused experiences and perspectives into a single guide for IT and business leaders who are considering cloud adoption and necessary security measures. The following participants have provided their expertise and time to this effort: Chris Dotson (IBM), Mike Edwards (IBM), John Meegan (IBM), Nya Murray (Trac-Car), Osakpamwan Osaigbovo (IBM), Yaron Raps (IBM), Karl Scott (Satori Consulting), Wisnu Tejasukmana (Schlumberger), Puneet Thapliyal (Trusted Passage), Alexander Tumashov (Schlumberger) and William Tworek (IBM).

  • Copyright 2017 Cloud Standards Customer Council Page 4

    Executive Overview The aim of this guide is to provide a practical reference to help IT architects and IT security professionals architect, install, and operate the information security components of solutions built using cloud services.

    This guide is intended as an in-depth extension of the high level advice offered in the CSCC white paper Security for Cloud Computing: Ten Steps to Ensure Success V2.0 [1] and the CSCC white paper Cloud Security Standards: What to Expect & What to Negotiate V2.0 [2].

    Cloud Computing Architecture for Security Many cloud services are now available, covering infrastructure, platform and application capabilities. Building business solutions using these cloud services requires a clear understanding of the available security services, components and options, allied to a clear architecture which provides for the complete lifecycle of the solutions, covering development, deployment and operations.

    Figure 1: Architecture for Security of Cloud Service Solutions

  • Copyright 2017 Cloud Standards Customer Council Page 5

    Figure 1 provides a high level architecture for the roles and components involved in the security architecture for cloud service solutions. This architecture divides the solutions into three domains, based on the networks being used, which are usually separately secured: the public network, the cloud network, and the enterprise network.

    The public network (typically the internet) contains the various parties who interact with the cloud solution, along with their end-user devices and the applications that run on those devices. Figure 1 shows three main roles: application users, cloud administrators, and cloud developers.

    The enterprise network contains the existing (non-cloud) enterprise components that usually need to be used by the cloud solution namely, the enterprise user directory, the enterprise applications and the enterprise data systems.

    The cloud network contains the major components of the cloud-based solution, running in cloud services the cloud applications, the data services, the runtime services and the infrastructure services. Associated with these components are the security services which are a focus of this document (the numbers in this list correspond to the numbers displayed in Figure 1):

    1. Identity and Access Management Manage identity and access for your cloud administrators, application developers and application users.

    2. Infrastructure Security Handles network security, secure connectivity and secure compute infrastructure.

    3. Application Security Address application threats, security measures and vulnerabilities.

    4. Data Security Discover, categorize and protect data and information assets including protection of data at rest and in transit.

    5. Secure DevOps Securely acquire, develop, deploy and maintain cloud services, applications and infrastructure.

    6. Security Monitoring and Vulnerability Provide visibility into cloud infrastructure, data and applications in real time and manage security incidents.

    7. Security Governance, Risk and Compliance Maintain security policy, audit and compliance measures, meeting corporate policies, solution-specific regulations and governing laws.

  • Copyright 2017 Cloud Standards Customer Council Page 6

    Key Aspects of Security The following are the key aspects that should be included when designing a secure cloud solution:

    1. Manage identity and access: Consistent way to manage identities and access for platform and application users.

    2. Protect infrastructure, data, and application: Ensure tenant isolation and protection for compute, data and networking. Safeguard against application and network threats, exploits, and vulnerabilities. Provide secure connectivity to data at the enterprise and protect sensitive data both in transit and at rest on the cloud.

    3. Security monitoring and intelligence: Gain visibility into virtual infrastructures by collecting and analyzing data in real time across the various cloud components and cloud services.

    4. Optimize cloud security operations: Optimizing the processes, methods, and tools for running security operations is key to keeping the overall cost low. Consistently assess security practices, plans, and designs and evolve them in a timely manner to stay ahead of threats.

    The Impact of Cloud Service Categories on Workload Security The broad categories of cloud services are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each category has its own set of security requirements and set of security responsibilities that are split between the cloud service provider and the cloud service customer. It is necessary to understand these requirements and responsibilities when considering a solution that involves one or more cloud services.

    Generally, IaaS cloud services involve the cloud service customer taking a substantial amount of responsibility for the security of data, applications, systems, and networks. The capabilities supplied by the cloud service are low-level infrastructure resources. The customer is typically respon