Extending Security in the Cloud
Steven Wolford, Director, Information Security, 6fusion
Chad Walter, Director, Channel Development, Network Box USA


Page 1: Extending security in the cloud   network box - v4

Extending Security in the Cloud

Steven Wolford, Director, Information Security

6fusion

Chad Walter, Director, Channel Development

Network Box USA

Page 2

Today’s Agenda

• Introduction
• IT Infrastructure Models
• Common Cloud Security Myths
• Cloud Security Basics
• Cloud Security Challenges
  - Access
  - Protection
  - Segregation
  - Recovery
• Cloud Security Best Practices

Page 3

Who We Are

This is the first in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.

6fusion

6fusion provides a utility-metered cloud platform that enables global workload distribution by turning public, private and hybrid clouds into pay-per-use billable utilities. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.

Network Box USA

Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.

Page 4

IT Infrastructure Models

Page 5

Cloud Security Myths

• Myth: Cloud cannot be secure
  - All cloud models are not created equal: Private, Hybrid, Public; IaaS, PaaS, SaaS
  - All cloud providers are not created equal: look for independent audit reports

• Myth: Cloud security is new
  - The security concepts remain unchanged
  - Unfortunately, many used network defenses to compensate for weak application security

• Myth: Cloud requires more effort or tools to be as secure
  - NIST used the existing SP 800-53 and SP 800-37 to develop FedRAMP
  - Oh, by the way, the Department of Homeland Security recently announced it is moving services to a cloud provider that has been reviewed under FedRAMP

• Myth: The only reason enterprises move to the cloud is cost reduction, reallocation, etc.
  - Security can also be enhanced if you incorporate the following in your migration: Security by Design, Active Monitoring, Incident Response Plan

Page 6

A Quick Cloud Analogy

[Slide diagram] Your data happily in the cloud: PII, Procurement, Financial, Email, HR, Payroll, all held together.

An incident beyond your control occurs.

Your data no longer just in the cloud: the same PII, Procurement, Financial, Email, HR and Payroll data is now also outside it.

Page 7

Data Loss in Summary

Data
• Trade Secrets
• Account Numbers
• Social Security Numbers
• Intellectual Property
• Health Records
• Other Personal Information

Can Leak
• Stored on the network or shared drives
• Copied on removable media
• Transferred electronically

To an Outsider
• Thieves, mobsters, other nefarious characters
• Competitors
• Regulators
• Unauthorized Internal Users
• Press/Media

Resulting in Breach
• Company defamation
• Monetary expense per record lost
• Loss of assets
• Breach of customer trust

Page 8

Top Reasons for Data Loss

Hardware Failure: 35%
Human Error: 28%
Theft/Malicious Employee Action: 17%
Software Failure: 14%
Virus: 6%

Page 9

Cloud Security Challenges

There are a number of security issues associated with cloud computing, but data security is arguably the biggest issue.

Main areas of concern specific to data security include: Access, Protection, Segregation, Recovery.

Page 10

Access

Data placed in the cloud are accessed and managed by persons other than privileged users within the customer’s organization.

• What type and level of security checks are enforced on those individuals?
• How are those checks enforced?
• What policies are in place to ensure roles and privileges are enforced?

Page 11

Protection

The nature of cloud computing means data can be stored at any geographical location at any given time.

• Apart from some cloud service providers, such as Amazon, which offer their customers the option of choosing between different zones in which to store their data, it is uncommon to see a cloud computing service contract in which the customer is guaranteed that their data will not be transferred outside a specified region.

• Customers need to be aware that local laws may apply to data held on servers within the cloud, and that it is their responsibility to comply with data protection laws in the various jurisdictions worldwide where their data is held.

Page 12

Segregation

Data in the cloud is typically stored in a shared environment whereby one customer’s data is stored alongside another customer’s data.

• While it is difficult to assure data segregation, customers should review the cloud vendor’s architecture to ensure proper data segregation is available and that data leak prevention (DLP) measures are in place.

Page 13

Recovery

As with traditional IT systems, unexpected problems can and will occur with cloud computing.

• What plan is in place to recover customers’ data in the event of a disaster, how long will data restoration take, and what is the impact on business continuity?

Page 14

Cloud Security Best Practices

• Ask where data will be kept and enquire about the details of data protection laws in the relevant jurisdictions.

• Include clauses in the cloud service contract stating that your data always belongs to you, that you can reclaim your data at any time and that your data shall not be disclosed to any third party.

• Make it as hard as possible to gain access to your systems, and then to your data, by implementing two-factor user authentication.

• Ensure that data is encrypted in both directions across the Internet by using, for example, mutual SSL. Ensure that data is encrypted at rest as well as in motion from one location to another. You, the customer, should have control of the key material used for encrypting and decrypting data.

• Develop good password policies – how passwords are created, changed and protected.

• Seek an independent security audit of the cloud vendor.

Page 15

Where do you go from here?

Page 16

Risk-based Framework

Identify -> Assess -> Establish -> Govern

Loosely based on NIST RMF

Page 17

Security by DESIGN

• Understand your security philosophy
• Know all of the components for each information system
• Implement the controls that bring risk down to the level acceptable to your organization

Page 18

Implement Active MONITORING

• Customers would rather hear bad news from you than from the media
• Mitigation cannot happen if you do not know adverse events are occurring
• What, How, Who

Page 19

Develop a RESPONSE Team and Plan

• Security is not a guarantee
• Most events can be categorized, with operational, technical, and legal responses planned
• Training and awareness are key

Page 20

Questions?

Page 21

Thank You!

What’s next?

2nd Webinar in the Series
• Timing: Early March
• Topic: How to advance your organizational security
• Details: You tell us…

What do you want to hear about in the next webinar?

Email us at [email protected] with your ideas!

Resources

FedRAMP
http://www.gsa.gov/portal/category/102371

Cloud Security Alliance
https://cloudsecurityalliance.org/

FFIEC (not really cloud but outsourced providers)
http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-d-managed-security-service-providers.aspx

NIST (SP800-144)
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494