Security architecture and Cloud computing, are these mutually exclusive? (Introduction to Cloud Security Guidance) Vladimir Jirasek Director of Research, CSA UK 11 December 2012

Cloud security and security architecture


DESCRIPTION

Presentation that I gave at ISC2 SecureLondon conference in London on 11th December 2012.


Page 1: Cloud security and security architecture

Security architecture and Cloud computing, are these mutually exclusive? (Introduction to Cloud Security Guidance)

Vladimir Jirasek, Director of Research, CSA UK

11 December 2012

Page 2

https://cloudsecurityalliance.org.uk Copyright © 2012 Cloud Security Alliance

Agenda

• Cloud risk assessment, compared to traditional risk assessments
• Cloud security architectures, compared to security architectures
• CSA domains

Page 3

Cloud risk assessment

Steps:
• Identify assets
• Evaluate assets
• Map to Cloud deployment models
• Evaluate Cloud models and Providers
• Map the data flows

Risk management process: Context establishment, Risk assessment, Risk treatment, Risk communication

Page 4

Cloud model

Deployment models: Public, Private, Hybrid, Community

Service models:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Essential characteristics:
• Broad network access
• Rapid elasticity
• Measured service
• On-demand service
• Resource pooling

Page 5

Cloud computing deployment models

Model             | Infrastructure managed by                | Infrastructure owned by                  | Infrastructure located        | Accessible and consumed by
Public            | Third party provider                     | Third party provider                     | Off-premise                   | Untrusted
Private/Community | Organisation or 3rd party provider       | Organisation or 3rd party provider       | On-premise or Off-premise     | Trusted
Hybrid            | Both Organisation & Third party provider | Both Organisation & Third party provider | Both On-Premise & Off-Premise | Trusted & Untrusted

Page 6

Cloud model maps to Security model

Cloud model → Security model (direct map):
• Physical security
• Network security
• Host security
• Application security
• Data security
• SIEM
• Identity, Access
• Cryptography
• Business continuity
• GRC

Page 7

Responsibilities for areas in security model compared to delivery models

Rows (security model areas):
• Physical security
• Network security
• Host security
• Application security
• Data security
• SIEM
• Identity, Access
• Cryptography
• Business continuity
• GRC

Columns: Provider responsible (IaaS, PaaS, SaaS) | Customer responsible (IaaS, PaaS, SaaS)
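As an added worked example (not from the slides or from any CSA material), the following Python walks the risk-assessment steps of slide 3 against the deployment-model attributes tabulated on slide 5 and a customer/provider split in the style of slide 7. The deployment attributes come from slide 5; the per-service-model responsibility sets, the asset classification scale, the exposure scores, the treatment bands and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Deployment models as tabulated on slide 5 (location / who consumes).
# "mixed" stands for the slide's "Both" and "Trusted & Untrusted" cells.
DEPLOYMENT_MODELS = {
    "public":    {"location": "off-premise", "consumers": "untrusted"},
    "private":   {"location": "on-premise",  "consumers": "trusted"},
    "community": {"location": "off-premise", "consumers": "trusted"},
    "hybrid":    {"location": "mixed",       "consumers": "mixed"},
}

# Security model layers from slide 6.
LAYERS = ("physical", "network", "host", "application", "data", "siem",
          "identity_access", "cryptography", "business_continuity", "grc")

# ASSUMED customer-side reading of the slide 7 matrix (the deck shows it
# graphically; these sets are an illustration, not the slide's own values).
CUSTOMER_RESPONSIBLE = {
    "IaaS": set(LAYERS) - {"physical", "network"},
    "PaaS": {"application", "data", "siem", "identity_access",
             "cryptography", "business_continuity", "grc"},
    "SaaS": {"data", "identity_access", "business_continuity", "grc"},
}

# Constructed 1..4 asset-value scale for the "evaluate assets" step.
CLASSIFICATION_VALUE = {"public": 1, "internal": 2,
                        "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    flows_to: tuple  # constructed data-flow targets ("map the data flows")


def exposure(model: str) -> int:
    """Exposure factor derived from slide 5's location and consumer columns."""
    attrs = DEPLOYMENT_MODELS[model]
    score = {"trusted": 1, "mixed": 2, "untrusted": 3}[attrs["consumers"]]
    if attrs["location"] != "on-premise":
        score += 1          # data leaves the organisation's own premises
    return score


def assess(asset: Asset, model: str) -> dict:
    """Risk = asset value x exposure; the treatment bands are constructed."""
    value = CLASSIFICATION_VALUE[asset.classification]
    risk = value * exposure(model)
    if risk <= 4:
        treatment = "accept"
    elif risk <= 9:
        treatment = "mitigate"
    else:
        treatment = "avoid"
    # A flow between an off-premise deployment and an on-premise system
    # crosses the trust boundary and needs protection in transit.
    crosses_boundary = (
        DEPLOYMENT_MODELS[model]["location"] != "on-premise"
        and any(target.startswith("on-premise") for target in asset.flows_to)
    )
    return {"asset": asset.name, "model": model, "risk": risk,
            "treatment": treatment, "boundary_crossing_flow": crosses_boundary}


def customer_gaps(service_model: str, implemented) -> set:
    """Layers that stay with the customer (slide 7) but have no control yet."""
    return CUSTOMER_RESPONSIBLE[service_model] - set(implemented)


# Constructed sample assets.
SAMPLE_ASSETS = (
    Asset("hr-records", "restricted", ("on-premise-payroll",)),
    Asset("marketing-site", "public", ()),
)


def run_assessment(models=("public", "private", "community", "hybrid")) -> list:
    """Assess every sample asset against every candidate deployment model."""
    return [assess(asset, model) for asset in SAMPLE_ASSETS for model in models]


if __name__ == "__main__":
    for row in run_assessment():
        print(row)
    print("SaaS gaps:", customer_gaps("SaaS", {"data", "identity_access"}))
```

The point of the split into `assess` and `customer_gaps` is that the two questions the slides pose are separate: where an asset may be placed follows from its value and the deployment model's trust characteristics, while which layers the customer must still build follows only from the service model chosen. Neither answer is outsourced with the infrastructure.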

Page 8

Cloud Security Domains

Governance:
• Governance and Enterprise Risk Management
• Legal Issues: Contracts and Electronic Discovery
• Compliance and Audit
• Information Management and Data Security
• Portability and Interoperability

Operational:
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Security as a Service

Page 9

Cloud Security Alliance supports a number of projects related to cloud

Get involved at https://cloudsecurityalliance.org/research/

Page 10

How to manage cloud security

• Have a cloud security standard
• What to do on an Enterprise level
• Before your Cloud project
• During your Cloud project
• BAU
• Exit from the Cloud provider
• Risks cannot be outsourced
• Manage lock-in and exit up-front – especially in SaaS

How to drive out the 'seven deadly sins' of cloud computing - new Information Security Forum report

Page 11

Contact

Help us secure cloud computing – Get involved

• http://cloudsecurityalliance.org.uk
• [email protected]

• LinkedIn: http://www.linkedin.com/groups/Cloud-Security-Alliance-UK-Chapter-3745837

• Twitter: @CSAUKResearch

Page 12

www.cloudsecurityalliance.org

Thank you!