
Page 1

Securing the Cloud: Masterclass 2

Lee Newcombe (lee.newcombe@capgemini.com)

Infrastructure Services, April 2013

Page 2

Agenda

• Introduction
• The Future Cloud?
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Service Management -> Service Orchestration?
• Identity in the Cloud
• Conclusions


Page 4

The Future Cloud

Public Cloud Providers likely to continue to be subject to rapid amalgamation
• Terremark – bought by Verizon
• Savvis – bought by Century Link
• Heroku – bought by Salesforce.com
• Nimbula – bought by Oracle

Amalgamation will lead to a smaller set of major public cloud providers
• Smaller players will exist to serve niche markets (e.g. HMG)

Big Outsourcing firms will continue to offer “enterprise” cloud services
• Likely to continue to struggle to justify premiums over the likes of AWS

Page 5

The Future Cloud

Interoperability will remain problematic
• Niche vendors will continue to exist to enable cross-cloud operations
• Rising importance of service brokers and SIAM capabilities

“Cloud First” attitude will become standard – not just in Government

Compromises will occur. The sky will fall… but the cloud paradigm will survive.

Page 6

Evolving Compliance Requirements

The DPA requires the data controller to have a written contract … requiring that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.”

Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance.

Page 7

Evolving Compliance Requirements

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.

Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients.

Page 8

Assurance – new Standards

SAS70 -> SSAE16
• Requires details of the “system” – not just the controls
• Requires a written statement of assertion

Page 9

Cloud Security Alliance OCF

https://cloudsecurityalliance.org/research/ocf/

Page 10

AWS Changes – Evolving Security

Release: Amazon EC2 on 2013-03-11 http://aws.amazon.com/releasenotes/4286407650196705


Page 12

The Perfect Storm - BYOD

Bring Your Own Disaster Device (BYOD)

BYOD or CYOD?
• Business driven desire for mobile working

End point protection
• Entry point to your trusted domain
• Holds your data
• Duress?

Data Protection
• Better in the cloud?
• Encrypted on device?
• Remote wipe? Of my device?!

Mobile Device Management

Page 13

The Perfect Storm - Social Media

Twitter, LinkedIn, Facebook, Google+, etc.: the “Consumer Cloud”

Reputation Management
• Damaging Tweets by employees
• Damaging comments from customers
• Hacked accounts: Burger King, BBC…

Personal vs Business
• Identity in the cloud? More later

Data exfiltration
• Are you monitoring the data your users send via these channels?

Page 14

The Perfect Storm – Big Data

Big Data
• How Big is Big?
• NoSQL?

Pseudonymisation… Anonymisation…
• Fine so long as you know nothing about your target
• Fine so long as compute resource remains expensive and exclusive

- https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Big_Data_Top_Ten_v1.pdf

Page 15

Big Data (continued)

Where is the data coming from?
• Trust?
• Validation?

Where are you going to put it?
• NoSQL vs RDBMS?
• Cloud or on-premise?

How are you going to control access to it?

Compliance
• How much anonymisation is enough?

- http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx
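The two Big Data slides above leave “how much anonymisation is enough?” open and note that pseudonymisation is only “fine so long as you know nothing about your target”. The following is an added example (not code from the deck or from Capgemini) that puts a number on both points: it pseudonymises a constructed HR-style extract, measures its k-anonymity over the quasi-identifiers that survive pseudonymisation, shows that a row is still picked out by anyone who knows a person's postcode and birth year, and then generalises and suppresses until a chosen k is reached. The records, field names, quasi-identifier choice and salt are all constructed.

```python
# Added example (not from the slides): measuring how much anonymisation is
# "enough" with k-anonymity. The HR-style extract below is constructed.
import hashlib
from collections import Counter

# Constructed sample. "name" is the direct identifier; postcode, birth year
# and role are quasi-identifiers that pseudonymisation leaves untouched.
RECORDS = [
    {"name": "Alice", "postcode": "SW1A 2AA", "birth_year": 1975, "role": "Director", "salary": 180000},
    {"name": "Bob",   "postcode": "SW1A 2AB", "birth_year": 1981, "role": "Analyst",  "salary": 42000},
    {"name": "Carol", "postcode": "SW1A 2AC", "birth_year": 1982, "role": "Analyst",  "salary": 44000},
    {"name": "Dan",   "postcode": "SW1A 2AD", "birth_year": 1979, "role": "Analyst",  "salary": 41000},
    {"name": "Eve",   "postcode": "SW1A 2AE", "birth_year": 1984, "role": "Analyst",  "salary": 45000},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "role")


def pseudonymise(records, salt=b"constructed-salt"):
    """Replace the direct identifier with a salted hash; every other field is kept."""
    out = []
    for r in records:
        r = dict(r)
        r["name"] = hashlib.sha256(salt + r["name"].encode()).hexdigest()[:12]
        out.append(r)
    return out


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count rows sharing the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one row is
    unique on its quasi-identifiers, so anyone who already knows those values
    about a person can pick out that person's row despite the pseudonym."""
    return min(equivalence_classes(records, quasi).values())


def candidates(records, known):
    """Rows consistent with partial knowledge about a person (the 'know nothing
    about your target' caveat): a single candidate means re-identification."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def generalise(records):
    """Coarsen quasi-identifiers: postcode district only, birth decade only."""
    out = []
    for r in records:
        r = dict(r)
        r["postcode"] = r["postcode"].split()[0]
        r["birth_year"] = r["birth_year"] // 10 * 10
        out.append(r)
    return out


def suppress(records, k, quasi=QUASI_IDENTIFIERS):
    """Drop rows whose equivalence class is smaller than k: the price of
    reaching a target k when generalisation alone is not enough."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k]


def anonymise(records, k):
    """Pseudonymise, generalise, then suppress until the extract is k-anonymous."""
    return suppress(generalise(pseudonymise(records)), k)


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS)
    print("pseudonymised only: k =", k_anonymity(pseudo))                 # 1
    print("after generalisation: k =", k_anonymity(generalise(pseudo)))  # still 1
    anon = anonymise(RECORDS, 3)
    print("generalised + suppressed: k =", k_anonymity(anon), "rows kept:", len(anon))  # 3, 3
```

On this extract a salted hash of the name changes nothing about re-identification risk (k stays 1), coarsening the postcode and birth year still leaves the sole Director and one Analyst unique, and reaching k = 3 means discarding those two rows. That lost utility is the cost a data controller has to weigh against the re-identification risk, which is why the question on the slide does not have a single answer.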

Page 16

The Perfect Storm - Cloud

Cloud is the ANSWER!

But what was the question?

Page 17

Putting it all together…

Big Data
• Social Media usage
• Research and Development
• Modelling Device and Data usage (SIEM)

Stored and processed in the cloud
• NoSQL. Not much security either

Accessed from users’ personal devices

Anybody see any security issues here?

Page 18

Putting it all together… to fix it

• Mobile Device Management
• DRM?
• Big Data security… See CSA Paper
• Anonymisation
• Security Architecture


Page 20

Service Integration and Management - SIAM

(layers of the stack, top to bottom)

Service Orchestration
• Aggregation and orchestration of many cloud-based services

Service Aggregation
• “Service Broker”
• Enabler of Cloud propositions

Service Integration
• Systems Integrators / Service Integrators
• Service consolidation
• Opportunity to leverage service desk and management assets

Service Management
• Management of Infrastructure – owned or client assets

Page 21

SIAM and Security

Sits across the top of the cloud services
• Responsible for ensuring consistent service levels to the customer across their cloud services
• Harmonisation/orchestration of disparate SLAs

But also a good place to incorporate a central set of security capabilities:
• Security Monitoring
• Identity and Access Management
• Certificate Authority
• Service Monitoring and Management
• Security Management
• Consistent content filtering?
• Consistent network access controls?

Potentially a cloud service itself


Page 23

Identity in the Cloud

Digital Identity: “a set of claims made by one digital subject about itself or another digital subject.”
- Kim Cameron’s Laws of Identity http://www.identityblog.com/?p=354

Jericho Forum Identity Commandments https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf

Physical entities can have more than one persona…
• Employee
• Husband
• Father
• Elven Wizard
• Citizen
• Customer
• Shadowy criminal mastermind

Page 24

Identity in the Cloud

Identities are necessary to:
• Establish relationships
– Especially commercial relationships
– But also citizen and HMG interactions

It is not necessary for EVERY relationship I have to know EVERYTHING about all of my identities

Identity Providers
• More like Persona Providers. But IdP is the standard term…

Attribute Providers
• Is my driving licence valid?
• Is my CLAS membership valid?
• Am I really tall, dark, handsome and incredibly wealthy?
– You also need to trust your Attribute Providers.
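A concrete way to see the three points on this slide (an IdP asserts a persona, separate Attribute Providers assert facts about it, and the relying party has to decide which of them to trust, for what) is to write the relying party's checks down. This is an added example, not code from the deck or from any identity product: the issuer names, keys, attribute names and the HMAC-over-canonical-JSON signing are constructed stand-ins for the signed SAML or JWT assertions a real federation would exchange. The relying party keeps its own trust list, restricts each Attribute Provider to the attributes it is competent to assert, and discards anything it did not ask for.

```python
# Added example (not from the slides): a relying party checking claims from an
# Identity Provider and from separate Attribute Providers. Issuer names, keys
# and the HMAC signing scheme are constructed stand-ins for a real federation.
import hashlib
import hmac
import json

# Constructed shared secrets. A real federation would give each issuer a key
# pair and the relying party only the public halves; HMAC keeps this offline.
ISSUER_KEYS = {
    "idp.example": b"idp-secret",
    "dvla.example": b"driving-licence-ap-secret",
    "clas.example": b"clas-membership-ap-secret",
    "rumour-mill.example": b"unknown-ap-secret",
}


def _canonical(payload):
    """Deterministic encoding so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer, subject, claims):
    """An IdP or Attribute Provider signs a set of claims about a subject."""
    payload = {"iss": issuer, "sub": subject, "claims": dict(claims)}
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class RelyingParty:
    def __init__(self, trusted_idps, trusted_aps, needed):
        self.trusted_idps = set(trusted_idps)
        # Attribute Provider -> the attributes it is trusted to assert
        self.trusted_aps = {iss: set(attrs) for iss, attrs in trusted_aps.items()}
        self.needed = set(needed)  # data minimisation: ask only for these
        # The relying party holds a key only for issuers on its trust list.
        self.keys = {iss: ISSUER_KEYS[iss] for iss in self.trusted_idps | set(self.trusted_aps)}

    def _verify(self, token):
        """Signature check with the key held for that issuer; unknown issuer fails."""
        key = self.keys.get(token["payload"].get("iss"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(token["payload"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["sig"])

    def evaluate(self, idp_token, ap_tokens):
        """Return (accepted attributes, rejection reasons) for one sign-in."""
        accepted, rejected = {}, []
        if not self._verify(idp_token) or idp_token["payload"]["iss"] not in self.trusted_idps:
            return accepted, [(idp_token["payload"].get("iss"), "untrusted or unverifiable IdP")]
        subject = idp_token["payload"]["sub"]
        for tok in ap_tokens:
            iss = tok["payload"].get("iss")
            if not self._verify(tok):
                rejected.append((iss, "signature invalid or issuer not on the trust list"))
                continue
            if tok["payload"]["sub"] != subject:
                rejected.append((iss, "claim is about a different subject"))
                continue
            for attr, value in tok["payload"]["claims"].items():
                if attr not in self.needed:
                    continue  # not requested, so neither checked nor retained
                if attr not in self.trusted_aps.get(iss, set()):
                    rejected.append((iss, f"not trusted to assert {attr}"))
                    continue
                accepted[attr] = value
        return accepted, rejected


if __name__ == "__main__":
    rp = RelyingParty(["idp.example"],
                      {"dvla.example": ["driving_licence_valid"], "clas.example": ["clas_member"]},
                      ["driving_licence_valid", "clas_member"])
    tokens = [issue("dvla.example", "persona-42", {"driving_licence_valid": True, "home_address": "1 Example St"}),
              issue("clas.example", "persona-42", {"clas_member": True}),
              issue("rumour-mill.example", "persona-42", {"wealthy": True, "clas_member": True})]
    print(rp.evaluate(issue("idp.example", "persona-42", {"persona": "employee"}), tokens))
```

The rejection reasons are the slide's last bullet made mechanical: a claim that the relying party cannot verify, that comes from an issuer it has no relationship with, that is about a different subject, or that an issuer is not trusted to make (DVLA vouching for CLAS membership) is dropped even when its content is exactly what the service wanted to hear.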

Page 25

Federated Identity Management

Page 26

Cabinet Office Citizen Identity Assurance Model

“Our preferred solution suggests the use of ‘hubs’ (technical intersections) which allow identities to be authenticated by contracted private sector organisations without an individual’s data being centrally stored or privacy being breached by unnecessary data and details of the user being openly ‘shared’ with either transacting party.”
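The quoted hub model reduces to three properties the hub has to hold: the identity provider is not told which service the citizen is using, the service receives only the attributes it asked for, and the hub itself stores no individual's data. The following is an added example of a hub with those properties; it is constructed for illustration and is not a description of the Cabinet Office scheme's actual protocol. The message shapes, service names, levels of assurance, pairwise-pseudonym derivation and the IdP stub are all assumptions.

```python
# Added example (not from the slides): a stateless identity hub with the
# properties the quoted hub model asks for. Message shapes, names and levels
# of assurance are constructed; this is not any real scheme's protocol.
import hashlib
import hmac


class Hub:
    def __init__(self, pairing_key):
        self._pairing_key = pairing_key  # the hub's only long-term state: a key, no user data

    def pairwise_id(self, idp_subject, service):
        """Pseudonym that is stable for one service but different for every other,
        so two services cannot join their records on it and the hub keeps no table."""
        msg = f"{idp_subject}|{service}".encode()
        return hmac.new(self._pairing_key, msg, hashlib.sha256).hexdigest()[:16]

    def request_to_idp(self, service_request):
        """What the IdP sees: that the hub is asking, and the assurance level needed.
        The service's identity and its attribute list are deliberately absent."""
        return {"requester": "hub", "loa": service_request["loa"]}

    def response_to_service(self, service_request, idp_response):
        """Pass on only what the service asked for, under the pairwise pseudonym."""
        if idp_response["loa"] < service_request["loa"]:
            return {"error": "identity not proven to the requested level of assurance"}
        wanted = set(service_request["attributes"])
        return {
            "pid": self.pairwise_id(idp_response["subject"], service_request["service"]),
            "loa": idp_response["loa"],
            "attributes": {k: v for k, v in idp_response["attributes"].items() if k in wanted},
        }


def transact(hub, service_request, idp):
    """One end-to-end exchange; `idp` is a callable standing in for the provider."""
    idp_response = idp(hub.request_to_idp(service_request))
    return hub.response_to_service(service_request, idp_response)


def constructed_idp(request):
    """Constructed IdP: proves one subject to LOA 2 and returns its whole record,
    which is exactly why the hub has to filter before forwarding."""
    return {"subject": "idp-user-7", "loa": 2,
            "attributes": {"name": "A. Citizen", "dob": "1975-01-01",
                           "address": "1 Example St", "over_18": True}}


if __name__ == "__main__":
    hub = Hub(b"constructed-hub-key")
    tax = {"service": "tax.example", "loa": 2, "attributes": ["name", "dob"]}
    library = {"service": "library.example", "loa": 1, "attributes": ["over_18"]}
    print(transact(hub, tax, constructed_idp))      # name and dob only, tax-specific pid
    print(transact(hub, library, constructed_idp))  # over_18 only, a different pid
```

The two calls at the bottom are the same person using two services: each service gets a different identifier and a different, minimal attribute set, the IdP's request never names either service, and nothing about the citizen persists in the hub between calls.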

Page 27

Cabinet Office Citizen Identity Assurance Model

Page 28

Federated Identity Management

Better for your organisation
• Establish a single identity repository and federate out across your cloud services
• Manage identity and provisioning in one place
• Easier to plug’n’play cloud services through identity re-use
• Less management overhead – federate with your trusted partners

Better for your customers
• Less of their data will be compromised in a single event
• Fewer passwords to remember
• Consider integration with the consumer cloud via OAuth, OpenID, Facebook Connect etc.


Page 30

Conclusions

• The Cloud market will change rapidly over the next few years
– More accepted
– Fewer players
• Cloud risks stay much the same
– Same threat actors
– Same vulnerabilities
– Potentially greater impacts as usage increases
• The “Perfect Storm” will begin to worry end users
– Humans don’t like to be watched
– Anonymisation doesn’t often really work for both data controller and data subject
• Federated identity management will be the way ahead
• Getting your SIAM right is key to successful operation in the Cloud

Page 31

Q&A

Page 32

Securing the Cloud: More Workshops!

• Moving HR to the cloud
• Moving R&D services to the cloud
• Retiring and replacing your collaboration platform

John Martinez, John Arnold, Lee Newcombe

Page 33

The information contained in this presentation is proprietary. Rightshore® is a trademark belonging to Capgemini.

© 2012 Capgemini. All rights reserved.

www.capgemini.com

About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.