Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
David Etue, VP, Corporate Development Strategy, SafeNet, Inc.

DESCRIPTION

Whose cloud is it anyway? Exploring data security, ownership and control, as presented at ISSE EU 2014. Forget the geeky analysis of cloud security; risk is driven by the people involved and the approach to adoption. Cloud security conversations often focus on technical risk from other users of the cloud’s pooled resources, or on vulnerabilities in the application and virtualization layers. The more important conversation is about data control, ownership, and identity management: the same resource pooling and abstraction that make the cloud attractive expose data to cloud users, cloud administrators, law enforcement, intelligence agencies and a pantheon of adversaries. In all of these organizations the uptake of the latest technologies is increasing, and that can jeopardize security; trends such as unsecured cloud services and bring-your-own-device often leave them exposed. In today’s technological world it is not a matter of if the data will be compromised but when, and what these groups can do to protect the data when it happens. This discussion tackles the complex issues around data ownership and control. If data is destiny, then too many people are in charge of your fate. We discuss how to get it back.

Page 1: Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

David Etue, VP, Corporate Development Strategy, SafeNet, Inc.

Page 2

Cloud and Virtualization Are Changing the Way IT is Managed and Consumed

Agile. Now. On demand. Simple. Secure?

Page 3

Cloud Benefits Are Being Realized…

• 80% of mature cloud adopters are seeing:¹
  – Faster access to infrastructure
  – Greater scalability
  – Faster time to market for applications

• 50% of cloud users report benefits including:¹
  – Better application performance
  – Expanded geographic reach
  – Increased IT staff efficiency

1 - RightScale State of the Cloud Report 2014

Page 4

…But Cloud Benefits Are Driven by Sharing

Page 5

And Security and Compliance Are Not the Biggest Fans of Sharing…

Page 6

Leading Inhibitors to Cloud Adoption

Source: 451 TheInfoPro 2013 Cloud Computing Outlook – Cloud Computing Wave 5

Page 7

Security and Compliance Concerns With Shared Clouds

How Do You Maintain Ownership and Control Of Your Information In A Multi-Tenant Environment?

Data Governance: Lack of Visibility
• Can you track all of my data instances? Backups? Snapshots?
• Am I aware of government requests/discovery?
• Do you know when data is copied?

Data Compliance: Lack of Data Control
• Who is accessing my data?
• Can I illustrate compliance with internal and external mandates?
• Is there an audit trail of access to my data?

Data Protection: Risk of Breach and Data Loss
• Are all my data instances secure?
• Can I assure only authorized access to my data?
• Can I “pull the plug” on data that’s at risk of exposure or whose lifecycle has expired?

Page 8

New Risks Driving Cloud Security Challenges

• Increased Attack Surface
• Privileged Users
• Ability to Apply Security Controls
• Control (or lack thereof)

Page 9

New Risk: Increased Attack Surface

Page 10

New Risk: New Definition of Privilege

Page 11

New Risk: Ability to Apply Security Controls

Figure: CSA Cloud Model, layers top to bottom: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network Infrastructure Security. Security controls are mapped to the layers and sized by budget.

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Page 12

New Risk: Ability to Apply Security Controls

Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?

Page 13

New Risk: Control (or lack thereof)

The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.

Figure: the cloud stack with three examples of where the provider stops: Amazon EC2 (IaaS), Google AppEngine (PaaS), Salesforce (SaaS).

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA.

Page 14

And Not Just The Traditional “Bad Guys”

Figure: Sensitive Data in the Cloud at the centre, surrounded by the parties who may reach it: Adversaries; Government Discovery; Cloud Administrators; Auditors / Regulators.

Page 15

So, Whose Cloud Is It Anyway?

Model                          Private Cloud   IaaS in Hybrid / Community / Public Cloud   PaaS/SaaS
Whose Privileged Users?        Customer        Provider                                    Provider
Whose Infrastructure?          Customer        Provider                                    Provider
Whose VM / Instance?           Customer        Customer                                    Provider
Whose Application?             Customer        Customer                                    Provider
Government Discovery Contact?  Customer        Provider                                    Provider

Page 16

Geographical Considerations?

Figure: two locations that matter for jurisdiction: the Cloud Region Location and the Cloud Provider Headquarters.

- US Court Decision with Serious Implications: IN THE MATTER OF A WARRANT TO SEARCH A CERTAIN E-MAIL ACCOUNT CONTROLLED AND MAINTAINED BY MICROSOFT CORPORATION, 13 Mag. 2814
- A Sober Look at National Security Access to Data in the Cloud - A Hogan Lovells White Paper (covers US, EU, and EU member country legislation and case law)

Page 17

Making it Your Cloud: Key Enablers to Cloud Security

Encryption (and Key Management)
Identity and Access Management with Strong Authentication
Segmentation
Privileged User Management
Detection and Response Capabilities
System Hardening
Asset, Configuration, and Change Management

Page 18

Encryption: Un-Sharing in a Shared Environment

Page 19

Clouds Love Crypto!!!*

*with good key management…

Page 20

Cloud Encryption Models

Service Provider Encryption with Provider Managed Keys
  Definition: Encryption performed by the cloud service provider using encryption keys owned and managed by the cloud service provider
  Also called: Server Side Encryption (SSE)

Service Provider Encryption with Customer Managed Keys
  Definition: Encryption performed by the cloud service provider using encryption keys owned and managed by the customer
  Also called: “Customer provided keys”; SSE-CPK

Customer Managed Encryption with Customer Managed Keys
  Definition: Encryption performed by the customer using encryption keys owned and managed by the customer
  Also called: “Client side encryption” (for object storage and client-server environments)
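Added example, not taken from the slides and not SafeNet code: the third model above, customer-managed encryption with customer-managed keys, written as envelope encryption with Go's standard library. Each object gets its own data-encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) the customer never uploads, so the provider stores ciphertext plus a wrapped DEK and nothing else. The example goes one step beyond the table to answer the Page 7 question about “pulling the plug” on data whose lifecycle has expired: destroying the customer-held KEK makes every copy the provider holds (backups and snapshots included) unreadable at once, which is the key-management point behind “un-sharing in a shared environment”. Names such as StoredObject, ClientSideEncrypt and DestroyKey, and the sample record, are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the cloud provider ever holds for one object:
// the ciphertext and the DEK wrapped under the customer's KEK. Backups and
// snapshots copy this structure; no copy is readable without the KEK.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM output, nonce prepended
	WrappedDEK []byte // DEK sealed under the KEK with AES-256-GCM, nonce prepended
}

// NewKey returns 32 random bytes for use as an AES-256 key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts plaintext with AES-GCM under key and prepends the nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; the GCM tag check makes a wrong key or any
// tampering fail closed instead of yielding garbage.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ClientSideEncrypt runs on the customer side before upload: a fresh DEK per
// object encrypts the data, and only the KEK-wrapped DEK travels with it.
func ClientSideEncrypt(kek, plaintext []byte) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := sealGCM(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealGCM(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// ClientSideDecrypt unwraps the DEK with the KEK, then opens the object.
func ClientSideDecrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := openGCM(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	return openGCM(dek, obj.Ciphertext)
}

// DestroyKey overwrites key material in place. Once the only copy of the KEK
// is gone, every object wrapped under it, wherever it was copied, stays sealed.
func DestroyKey(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	kek, _ := NewKey()
	obj, _ := ClientSideEncrypt(kek, []byte("constructed sample: customer record 42"))
	backup := obj // the provider's snapshot holds exactly the same bytes
	pt, err := ClientSideDecrypt(kek, obj)
	fmt.Printf("owner with KEK: %q (err=%v)\n", pt, err)
	providerKey, _ := NewKey() // the provider never receives the KEK
	_, err = ClientSideDecrypt(providerKey, obj)
	fmt.Println("provider without KEK:", err)
	DestroyKey(kek) // "pull the plug": retire the data in every copy at once
	_, err = ClientSideDecrypt(kek, backup)
	fmt.Println("owner reading the backup after key destruction:", err)
}
```

The provider-side failure and the post-destruction failure are both GCM authentication errors, not partial plaintext, which is what makes the key the single control point: the customer answers “who can read my data?” by answering “who holds the KEK?”, and the table's first two models differ from this one only in where that KEK lives.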

Page 21

How Do You Apply Security Controls?

Figure: CSA Cloud Model, layers top to bottom: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network Infrastructure Security. Security controls are mapped to the layers and sized by budget.

Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

Page 22

Need to Focus “Up The Stack”

Figure: CSA Cloud Model, layers top to bottom: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network Infrastructure Security.

Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Force a Change in How Security Controls Are Evaluated and Deployed

Page 23

Data Centric Security = Agility!

Figure: CSA Cloud Model, layers top to bottom: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network Infrastructure Security.