How to Gain Comfort in Losing Control to the Cloud Randolph Barr CSO - Qualys, Inc SourceBoston, 23. April 2010


Page 1

How to Gain Comfort in Losing Control to the Cloud

Randolph Barr

CSO - Qualys, Inc

SourceBoston, 23. April 2010

Page 2

At a Glance

• NIST Definition Cloud
• Cloud Challenge
• Cloud Concern
• Added Security Concerns
• Security Transition
• Is Cloud ready for you
• Available Resources
• Where to start

Page 3

NIST Definition Cloud

http://csrc.nist.gov/groups/SNS/cloud-computing/

Page 4

Cloud Challenge

Page 5

“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”

-- Information Week

http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319

Page 6

Cloud Security Incident

“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”

• Attackers are ignoring the front door
• Current Anti-Virus Solutions are not working
• Patching sometimes is not enough
• You might be playing in the big leagues

• http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
• http://www.qualys.com/aurora

Page 7

Added Security Concerns

• Business Units bypass IT and Security
• Individuals using cloud
• How can IT / Security get in front of decisions to use cloud
• Must do a better job managing risk

Page 8

Cloud Security Shift

Customer Options

• Security is a business enabler
• Raise cloud user comfort
• Provide transparency
• Collaboration

• Focus on business and not security
• Business disabler
• Cloud Provider knows how to implement security
• Not transparent

Page 9

Security Transition

Lessons Learned

• Customer Concerns
• Security Questionnaires
• Response to questions varied
• Increase in questionnaires
• Requests for evidence

Page 10

Critical Challenges for Cloud Security

Security Program

• Questionnaires
• Follow up Reviews
• Regulatory Compliance
• Customer Reviews
• External and Internal Reviews
• Security Budgets
• Staffing / Resources
• Reduce Confusion

Page 11

Enterprise CIO Strategies — IT Security Needs to be Aligned

(February 2010)

• Link Business and IT strategies and plans

• Deliver projects and enable business growth

• Cloud Computing
• Web 2.0
• Virtualization

Page 12

Is Cloud Ready for You

• Determine business need
• Will the Cloud Provider be around
• What data will be stored
• Where will it be stored
• What are your classification and control requirements for that data

Page 13

Is Cloud Ready for You

• What controls does the provider implement
• Who is responsible for security
• Are there third party validations
• Right to Audit
• Process for removing data
• Incident Response
• How often do you need to review?

Page 14

Resources Available to Cloud Users

Cloud Security Alliance
• CSA Guide (guides your approach with internal legal / business unit); also recommendations for users and providers
• Top Threats to Cloud Security (underwritten by HP)

ENISA
• Security Benefits of Cloud and Risks
• Makes recommendations on risks and how to maximize the benefits

Page 15

Resources Available to Cloud Users

Shared Assessments
• Target Data Tracker
• Self Information Gathering (SIG) – Level I, Level II
• AUP
• Business Continuity Questions, Privacy Questions

Other tools
• Jericho Forum Cloud Cube Model
• Self-Assessment

Page 16

What Will Be Stored

• Know your provider
• Ask them what data is required to be stored
• Verify with your internal business team

Page 17

Where Will it be Stored

• Request their locations
• Validate that all locations are accounted for
• Request that they describe the types of controls in place

Page 18

How to Verify

• Target your questionnaire
• Questions should clearly distinguish internal questions from production questions
• “No” and “N/A” answers should have the comments section completed

Page 19

Assessment

www.jerichoforum.org/SAS_Guide.pdf

Page 20

Other Options

• Security Questionnaires
• OnSite Review
• ISO 27002
• SAS-70 Type II
• ISAE 3402
• SysTrust
• PCI
• Third Party Penetration Test
• Emerging Cloud Certifications / Assessments

Page 21

Moving Forward

• Provider security maturing
• Continuous Assessment
• Transparency
• Vendor Cooperation
• Collaboration
• Community

Page 22

Resources Available to Cloud Users

Qualys
http://www.qualys.com/products/qg_suite/malware_detection/
http://www.qualys.com/aurora

Cloud Security Alliance http://www.cloudsecurityalliance.org/

JERICHO Forum http://www.opengroup.org/jericho/

Shared Assessments http://www.sharedassessments.org/

ISAE 3402 http://www.ifac.org/MediaCenter/?q=node/view/687

Page 23

Thank You

[email protected]