virtualization, cloud & data security
and the occasional intersection of the three
Friday, April 6, 2012
Hi, I’m Taylor.
  @taylorbanks

  ‣ I’m a control freak.
  ‣ I do #security. I advocate for #privacy.
  ‣ I build virtual datacenters and cloud infrastructure.
  ‣ I keep my data in the cloud.
"Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."

  From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing

Copyright © 2010 by L. Taylor Banks
*These statements have not been evaluated by the CSA. This presentation is not designed to diagnose, prevent, treat or cure any cloud security problems or conditions.
CloudSec
1. Fundamentals
   Cloud security doesn’t happen in a vacuum
2. Secure Virtualization
   Unique architectures present unique challenges
3. Data in the Cloud
   Public or private, understanding your data is the key to securing it
Cloud May Magnify Risk
  Simply put, if you’re not securing your data effectively before moving it into the cloud, you’re in for a rude awakening when you do.
I hate to disappoint you, really I do.
  But most of what I’m about to tell you, you should already know.
Access Control
  A mechanism which enables an authority to control access to data in a given information system
AAA:
  Authentication
  Authorization
  Accounting
Hello, my name is: RBAC
Data Considerations

  • Data classification
  • Data sensitivity
  • Data at rest
  • Data in motion
  • On-premise
  • Off-premise
Categorization vs. Sensitivity
  Classification has become synonymous with ‘censored for,’ arguably to the detriment of effective categorization.

  Classification (Categorization): The purpose of classification is to protect information from being used to damage or endanger organizational security.

  Classification (Sensitivity): Simply possessing a clearance should not automatically authorize an individual to view all data classified at or below that level.
From Understanding Data Classification Based on Business and Security Requirements, by Rafael Etges, CISA, CISSP, and Karen McNeil, ISACA Journal Online
Data Classification Example Properties

  ‣ Relative importance
  ‣ Frequency of use
  ‣ Topical content
  ‣ File type
  ‣ Operating platform
  ‣ Average file size
  ‣ MAC times
  ‣ Departmental ownership
RTO-based Classification Example
  Data by Fred G. Moore of HorISon Information Strategies

  Attributes     Mission-Critical   Vital     Sensitive   Non-Critical
  RTO            Immediate          Seconds   Minutes     Hours, days
  Availability   99.999+            99.99     99.9        <99
  Retention      Hours              Days      Years       Infinite
Data at Rest vs. Data in Motion
  Both important yet distinct considerations

  Data at Rest: “On the Internet, communications security is much less important than the security of the endpoints.” - Bruce Schneier

  Data in Motion: However, anyone can read what’s going across the wire when it is sent unencrypted.
CA Office of HIPAA Implementation
  Requires encryption to protect any data containing electronic protected health information (EPHI).

  ‣ DATA AT REST
    • Data at rest should be protected by one of the following:
      - Encryption, or
      - Firewalls with strict access controls that authenticate the identity of those individuals accessing _____ [system/data].
    • The use of password protection instead of encryption is not an acceptable alternative to protecting EPHI.
    • Systems that store or transmit personal information must have proper security protection, such as antivirus software, with unneeded services or ports turned off and subject to needed applications being properly configured.
CA Office of HIPAA Implementation
  Requires encryption to protect any data containing electronic protected health information (EPHI).

  ‣ TRANSMISSION SECURITY
    • All emails with EPHI transmitted outside of State (or county) departments’ networks must be encrypted.
    • Any EPHI transmitted through a public network to and from vendors, customers, or entities doing business with ___ [name of the org in the State of California, or a county] must be encrypted or be transmitted through an encrypted tunnel. EPHI must be transmitted through a tunnel encrypted with ___ [specify type of encryption to be used, such as virtual private networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells (SSH) and secure socket layers (SSL)].
    • Transmitting EPHI through the use of web email programs is not allowed.
    • Using chat programs or peer-to-peer file sharing programs is not allowed.
    • Wireless (Wi-fi) transmissions must be encrypted using ___.
On-premise vs. Off-premise
  New trust models will likely have a direct impact on the effectiveness of pre-existing security policies.

  On-premise: You need only trust those vetted, hired and managed by your organization, and according to your own security policies.

  Off-premise: Trust model now includes external entities, plus potential additional considerations around governance, regulations and compliance.
2. Secure Virtualization
   Unique architectures present unique challenges
Virtualization is
  ...a broad term with many uses

  ‣ Abstraction of the characteristics of physical compute resources from systems, users, applications
  ‣ Typically, one of:
    • Resource (virtual memory, RAID, SAN)
    • Platform (virtual machines, instances)
VirtSec

  ‣ Security of virtual infrastructure and the virtual machines running therein.
  ‣ While many security considerations are the same within physical and virtual, ...
  ‣ Virtualization does introduce unique architectures & a few unique challenges
Unique Challenges, you say?

  ‣ VMs are highly-mobile & often short-lived
  ‣ VM sprawl vs. VM stall
  ‣ Most orgs have poor change control & patch management systems for virtual
  ‣ Introspection mechanisms available, but not widely deployed
  1. Compute resources
  2. Network resources
  3. Storage resources
  4. Hypervisor
  5. Virtual machines
  6. Management console
  7. Networking layer
  8. Administrators
Simpler is Better
  • Keep It Simple, Stupid (KISS)
    • Make Your Architecture Simpler to Secure! (MYASS)
  • More moving pieces means more time, effort and money required to implement security completely and effectively
  • Don’t let the capabilities of your platform fool you into believing you need all of them
Secure Your Resources

  • Your virtual infrastructure is only as secure as the resources that comprise it!
  • Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests
The Malignant OS

  • Needs to be hardened / secured just like on physical machines
  • Principles of minimization will lead to smaller, faster, more secure vm’s
Guest OS Hardening
  • Consider automated assessment tools, checklists and/or hardening scripts
    • nmap, Nessus, Metasploit, CANVAS
    • “15 Steps to Hardening WS2003”
    • Microsoft Baseline Security Analyzer
    • Bastille Linux
VM Introspection
  Inspecting a virtual machine from the outside (typically by way of the hypervisor) for the purpose of analyzing [its behavior]

  ‣ Introspective firewalling
  ‣ Introspective malware detection
  ‣ Introspective DLP
  ‣ Traditionally, distinct products
    • Catbird, Hytrust, Juniper, Reflex Systems, Trend Micro, VMware, etc.
3. Data in the Cloud
   Public or private, understanding your data is the key to securing it
What is “Cloud Security?”
  Without context, cloud security is undefined.

  ‣ Network security?
  ‣ Virtualization security?
  ‣ Application security?
  ‣ Governance, Risk & Compliance?
  ‣ YesPls!
    • Depends on service and deployment models
    • Determined mostly by your DATA!
4 8 15 16 23 42
  • Five characteristics
    • On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service
  • Three service models
    • SaaS, PaaS, IaaS
  • Four deployment models
    • Public, Community, Private, Hybrid
Private IaaS? Public IaaS? It matters!
  In public IaaS, the likelihood of having control over virtual infrastructure comprising ‘your cloud’ is slim.
Cloud Security Fundamentals

  ‣ See: K.I.S.S. M.Y.A.S.S.
  ‣ Classify your data; consider trust models
  ‣ Understanding what your org means by ‘cloud’ is key to securing data in the cloud:
    • 5 characteristics
    • 3 service models
    • 4 deployment models
Cloud Security Risks
  CSA’s Top Threats to Cloud Computing v1.0

  ‣ Abuse and Nefarious Use of Cloud Computing
  ‣ Insecure Interfaces and APIs
  ‣ Malicious Insiders
  ‣ Shared Technology Issues
  ‣ Data Loss or Leakage
  ‣ Account or Service Hijacking
  ‣ Unknown Risk Profile
Mitigation
  • Encrypt locally before storing in the cloud
    • Ensure external key storage and management
  • Keep private data out of cloud
  • Build protection mechanisms directly into your resources in the cloud
  • Host private cloud
Cloud Security Fundamentals

  ‣ Network, infrastructure, virtual and application security are no less important than before
  ‣ Compliance is important, but useless taken out of context (SAS 70 TII, but with which controls?)
  ‣ Compliance doesn’t fully address governance, residency or access
Understand your Data
  How will your data be used, accessed and modified?
  How and when will it be removed? By whom?
Avoiding the Data Tornado
  (...in which your data is a vortex of bits across multiple jurisdictions, tossing data around like a doublewide.)

  ‣ Deep knowledge of your data
  ‣ Data flow and threat modeling
  ‣ AAA, IAM & RBAC FTW
  ‣ Effective security policies
  ‣ Tested security procedures
  ‣ Proven security controls
Required Reading

  ‣ CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
  ‣ ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security
  ‣ CSA’s Cloud Controls Matrix
  ‣ ENISA’s Procure Secure: A guide to monitoring of security service levels in cloud contracts
  ‣ NIST SP 800-145 Definition of Cloud Computing and 800-137 on Information Security Continuous Monitoring
Taylor @ Cloud in 48.com
  http://www.linkedin.com/in/taylorbanks
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

Cloud Security Alliance Q2-2012 Atlanta Meeting

  • 1. virtualization, cloud & data security, and the occasional intersection of the three. Friday, April 6, 2012
  • 2. Hi, I’m Taylor. @taylorbanks ‣ I’m a control freak. ‣ I do #security. I advocate for #privacy. ‣ I build virtual datacenters and cloud infrastructure. ‣ I keep my data in the cloud.
  • 3. "Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties." From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. Copyright © 2010 by L. Taylor Banks. Wednesday, March 10, 2010
  • 4. *These statements have not been evaluated by the CSA. This presentation is not designed to diagnose, prevent, treat or cure any cloud security problems or conditions.
  • 5. CloudSec
  • 6. 1 Fundamentals: cloud security doesn’t happen in a vacuum. 2 Secure Virtualization: unique architectures present unique challenges. 3 Data in the Cloud: public or private, understanding your data is the key to securing it.
  • 7. Cloud May Magnify Risk. Simply put, if you’re not securing your data effectively before moving it into the cloud, you’re in for a rude awakening when you do.
  • 8. I hate to disappoint you, really I do. But most of what I’m about to tell you, you should already know.
  • 9. Access Control: a mechanism which enables an authority to control access to data in a given information system.
  • 10. AAA: Authentication, Authorization, Accounting
  • 11. Hello, my name is: RBAC
  • 12. Data Considerations • Data classification • Data sensitivity • Data at rest • Data in motion • On-premise • Off-premise
  • 13. Categorization vs. Sensitivity. Classification has become synonymous with ‘censored for,’ arguably to the detriment of effective categorization. Classification (Categorization): the purpose of classification is to protect information from being used to damage or endanger organizational security. Classification (Sensitivity): simply possessing a clearance should not automatically authorize an individual to view all data classified at or below that level.
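The rule on slide 13, combined with the AAA and RBAC slides before it, as an added worked example in Go (not code from the deck): an authorization check that requires a dominating clearance level, every category on the object, and a role that grants the requested action, and that returns a reason string usable as the accounting record. The levels, categories, roles and principal names are constructed for the example.

```go
package main

import "fmt"

// Level is a sensitivity level for data or a clearance for a person; higher dominates lower.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Restricted
)

// DataObject carries both axes from the slide: sensitivity (Level) and
// categorization (topical compartments such as "finance" or "hr").
type DataObject struct {
	Name       string
	Level      Level
	Categories []string
}

// Principal is an authenticated user: clearance, need-to-know categories and RBAC roles.
type Principal struct {
	Name       string
	Clearance  Level
	NeedToKnow []string
	Roles      []string
}

// rolePerms is the RBAC piece: the actions each (constructed) role may perform.
var rolePerms = map[string][]string{
	"analyst": {"read"},
	"editor":  {"read", "write"},
	"admin":   {"read", "write", "delete"},
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Decide is the authorization check. Dominating the sensitivity level is necessary but
// not sufficient: every category must be held and a role must grant the action.
func Decide(p Principal, obj DataObject, action string) (bool, string) {
	if p.Clearance < obj.Level {
		return false, "deny: clearance of " + p.Name + " below sensitivity of " + obj.Name
	}
	for _, c := range obj.Categories {
		if !contains(p.NeedToKnow, c) {
			return false, "deny: " + p.Name + " has no need-to-know for " + c
		}
	}
	for _, r := range p.Roles {
		if contains(rolePerms[r], action) {
			return true, "allow: " + action + " on " + obj.Name + " via role " + r
		}
	}
	return false, "deny: no role of " + p.Name + " grants " + action
}

func main() {
	payroll := DataObject{"payroll-2012", Confidential, []string{"finance", "hr"}}
	alice := Principal{"alice", Restricted, []string{"finance"}, []string{"analyst"}}
	bob := Principal{"bob", Confidential, []string{"finance", "hr"}, []string{"analyst"}}
	for _, p := range []Principal{alice, bob} {
		ok, why := Decide(p, payroll, "read")
		fmt.Printf("%s read %s -> %v (%s)\n", p.Name, payroll.Name, ok, why)
	}
}
```

Alice's clearance is higher than Bob's, yet she is denied and he is allowed, because only he holds every category on the object.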
  • 14. From "Understanding Data Classification Based on Business and Security Requirements" by Rafael Etges, CISA, CISSP, and Karen McNeil, ISACA Journal Online.
  • 15. Data Classification Example Properties ‣ Relative importance ‣ Frequency of use ‣ Topical content ‣ File type ‣ Operating platform ‣ Average file size ‣ MAC times ‣ Departmental ownership
  • 16. RTO-based Classification Example. Data by Fred G. Moore of HorISon Information Strategies:
    Attributes | Mission-Critical | Vital | Sensitive | Non-Critical
    RTO | Immediate | Seconds | Minutes | Hours, days
    Availability | 99.999+ | 99.99 | 99.9 | <99
    Retention | Hours | Days | Years | Infinite
  • 17. Data at Rest vs. Data in Motion: both important yet distinct considerations. Data at Rest: “On the Internet, communications security is much less important than the security of the endpoints.” - Bruce Schneier. Data in Motion: however, anyone can read what’s going across the wire when it is sent unencrypted.
  • 18. CA Office of HIPAA Implementation: requires encryption to protect any data containing electronic protected health information (EPHI). ‣ DATA AT REST • Data at rest should be protected by one of the following: - Encryption, or - Firewalls with strict access controls that authenticate the identity of those individuals accessing _____ [system/data]. • The use of password protection instead of encryption is not an acceptable alternative to protecting EPHI. • Systems that store or transmit personal information must have proper security protection, such as antivirus software, with unneeded services or ports turned off and subject to needed applications being properly configured.
  • 19. CA Office of HIPAA Implementation: requires encryption to protect any data containing electronic protected health information (EPHI). ‣ TRANSMISSION SECURITY • All emails with EPHI transmitted outside of State (or county) departments’ networks must be encrypted. • Any EPHI transmitted through a public network to and from vendors, customers, or entities doing business with ___ [name of the org in the State of California, or a county] must be encrypted or be transmitted through an encrypted tunnel. EPHI must be transmitted through a tunnel encrypted with ___ [specify type of encryption to be used, such as virtual private networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells (SSH) and secure socket layers (SSL)]. • Transmitting EPHI through the use of web email programs is not allowed. • Using chat programs or peer-to-peer file sharing programs is not allowed. • Wireless (Wi-Fi) transmissions must be encrypted using ___.
  • 20. On-premise vs. Off-premise. New trust models will likely have a direct impact on the effectiveness of pre-existing security policies. On-premise: you need only trust those vetted, hired and managed by your organization, and according to your own security policies. Off-premise: the trust model now includes external entities, plus potential additional considerations around governance, regulations and compliance.
  • 21. 1 Fundamentals: cloud security doesn’t happen in a vacuum. 2 Secure Virtualization: unique architectures present unique challenges. 3 Data in the Cloud: public or private, understanding your data is the key to securing it.
  • 22. Virtualization is ...a broad term with many uses ‣ Abstraction of the characteristics of physical compute resources from systems, users, applications ‣ Typically, one of: • Resource (virtual memory, RAID, SAN) • Platform (virtual machines, instances)
  • 23. VirtSec ‣ Security of virtual infrastructure and the virtual machines running therein. ‣ While many security considerations are the same within physical and virtual, ... ‣ Virtualization does introduce unique architectures & a few unique challenges
  • 24. Unique Challenges, you say? ‣ VMs are highly mobile & often short-lived ‣ VM sprawl vs. VM stall ‣ Most orgs have poor change control & patch management systems for virtual ‣ Introspection mechanisms available, but not widely deployed
  • 25. 1 Compute resources 2 Network resources 3 Storage resources 4 Hypervisor 5 Virtual machines 6 Management console 7 Networking layer 8 Administrators
  • 26. Simpler is Better • Keep It Simple, Stupid (KISS) • Make Your Architecture Simpler to Secure! (MYASS) • More moving pieces means more time, effort and money required to implement security completely and effectively • Don’t let the capabilities of your platform fool you into believing you need all of them
  • 27. Secure Your Resources • Your virtual infrastructure is only as secure as the resources that comprise it! • Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests
  • 28. The Malignant OS • Needs to be hardened / secured just like on physical machines • Principles of minimization will lead to smaller, faster, more secure VMs
  • 29. Guest OS Hardening • Consider automated assessment tools, checklists and/or hardening scripts • nmap, Nessus, Metasploit, CANVAS • “15 Steps to Hardening WS2003” • Microsoft Baseline Security Analyzer • Bastille Linux
  • 30. VM Introspection: inspecting a virtual machine from the outside (typically by way of the hypervisor) for the purpose of analyzing [its behavior] ‣ Introspective firewalling ‣ Introspective malware detection ‣ Introspective DLP ‣ Traditionally, distinct products • Catbird, Hytrust, Juniper, Reflex Systems, Trend Micro, VMware, etc.
  • 31. 1 Fundamentals: cloud security doesn’t happen in a vacuum. 2 Secure Virtualization: unique architectures present unique challenges. 3 Data in the Cloud: public or private, understanding your data is the key to securing it.
  • 32. What is “Cloud Security?” Without context, cloud security is undefined. ‣ Network security? ‣ Virtualization security? ‣ Application security? ‣ Governance, Risk & Compliance? ‣ YesPls! • Depends on service and deployment models • Determined mostly by your DATA!
  • 33. 4 8 15 16 23 42 • Five characteristics • On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service • Three service models • SaaS, PaaS, IaaS • Four deployment models • Public, Community, Private, Hybrid
  • 34. Private IaaS? Public IaaS? It matters! In public IaaS, the likelihood of having control over virtual infrastructure comprising ‘your cloud’ is slim.
  • 35. Cloud Security Fundamentals ‣ See: K.I.S.S. M.Y.A.S.S. ‣ Classify your data; consider trust models ‣ Understanding what your org means by ‘cloud’ is key to securing data in the cloud: • 5 characteristics • 3 service models • 4 deployment models
  • 36. Cloud Security Risks: CSA’s Top Threats to Cloud Computing v1.0 ‣ Abuse and Nefarious Use of Cloud Computing ‣ Insecure Interfaces and APIs ‣ Malicious Insiders ‣ Shared Technology Issues ‣ Data Loss or Leakage ‣ Account or Service Hijacking ‣ Unknown Risk Profile
  • 37. Mitigation • Encrypt locally before storing in the cloud • Ensure external key storage and management • Keep private data out of the cloud • Build protection mechanisms directly into your resources in the cloud • Host a private cloud
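The first two mitigations on slide 37 (encrypt locally, keep key storage and management external to the cloud) as an added example in Go, not code from the deck: envelope encryption with the Go standard library, where each object gets its own data key, that data key is wrapped under a key-encryption key (KEK) that stays on premise, and only the ciphertext and the wrapped key are uploaded. The object name is bound as associated data so a ciphertext copied to a different name no longer decrypts; the KEK used when running this is a constructed placeholder for a key held in a local key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag for plaintext under key, with aad bound.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext, tag or aad fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CloudObject is all that leaves the premises: ciphertext plus the data key wrapped
// under the locally held KEK. The KEK itself is never uploaded.
type CloudObject struct {
	Name       string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptForCloud uses a fresh 256-bit data key per object and wraps it under kek.
// The object name is bound as AAD, so a ciphertext copied to another name fails.
func EncryptForCloud(kek []byte, name string, data []byte) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return CloudObject{}, err
	}
	ct, err := sealGCM(dek, data, []byte(name))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(name))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the data key with the local KEK, then opens the object.
func DecryptFromCloud(kek []byte, obj CloudObject) ([]byte, error) {
	dek, err := openGCM(kek, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, []byte(obj.Name))
}
```

Losing or rotating the KEK on premise is what makes the uploaded data unreadable to the provider, which is why the slide pairs local encryption with external key management.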
  • 38. Cloud Security Fundamentals ‣ Network, infrastructure, virtual and application security are no less important than before ‣ Compliance is important, but useless taken out of context (SAS 70 Type II, but with which controls?) ‣ Compliance doesn’t fully address governance, residency or access
  • 39. Understand your Data: how will your data be used, accessed and modified? How and when will it be removed? By whom?
  • 40. Avoiding the Data Tornado (...in which your data is a vortex of bits across multiple jurisdictions, tossing data around like a doublewide.) ‣ Deep knowledge of your data ‣ Data flow and threat modeling ‣ AAA, IAM & RBAC FTW ‣ Effective security policies ‣ Tested security procedures ‣ Proven security controls
  • 41. Required Reading ‣ CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing ‣ ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security ‣ CSA’s Cloud Controls Matrix ‣ ENISA’s Procure Secure: A guide to monitoring of security service levels in cloud contracts ‣ NIST SP 800-145 Definition of Cloud Computing and SP 800-137 on Information Security Continuous Monitoring
  • 42. Taylor @ Cloud in 48.com http://www.linkedin.com/in/taylorbanks