Securing the Cloud: Masterclass 1 Lee Newcombe ([email protected]) Infrastructure Services April 2013

Securing the Cloud: Masterclass 1

Lee Newcombe ([email protected])

Infrastructure ServicesApril 2013

2Copyright © Capgemini 2012. All Rights Reserved

Managing Security in the Cloud 1

Agenda

Establishing a common point of view

Cloud Threats – who may attack your services?

An approach to secure adoption of cloud services

Introduction

Conclusions

Cloud Risks. And Benefits??



Introduction

• Capgemini’s lead on Cloud Security since 2009

• Named contributor to versions 2 and 3 of the Cloud Security Alliance Security Guidance on Critical Areas of Focus in Cloud Computing

• Member of the Editorial Board of the Springer Journal of Cloud Computing

• Member of the Program Committee for the CLOSER academic conference

• Author of numerous articles: Computer Weekly, SC Magazine, Data Centre Solutions, Computing…

• Regular speaker, e.g. CloudCamp, Cloud Circle Forum, sponsored Breakfast Briefings etc

• Sole industry security SME on the HMG Data Centre Consolidation Strategy project – which gave rise to the G-cloud

• Extensive shared services background – e.g. security lead for the Police National Database (PND) from inception to operation



Agenda

Introduction




Conclusions




Cloud Computing – NIST

Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”

• On-demand self-service• Broad network access • Resource pooling• Rapid elasticity; and• Measured service.

Essential Characteristics of Cloud Computing

csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf



Service Models

Software as a ServiceSoftware as a Service

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface…

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface…

Infrastructure as a ServiceInfrastructure as a Service

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…

Platform as a ServicePlatform as a Service

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider…

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider…



NIST Deployment Models and Jericho Cloud Cube

Model Strengths WeaknessesPublic Agile, cost-effective,

“Illusion of infinite resource”

Multi-tenantData residencyAssuranceStandard contracts

Private Dedicated useAssuranceScope to negotiate SLAs etc

Expensive cf PublicNo “illusion of infinite resource”

Community Designed for a specific, shared, set of security requirements

Difficult to govern; need to manage all stakeholders

Hybrid “Best of breed” suppliers can be switched in and out.

“Weakest link”Must cater for security issues across ALL suppliers

The Jericho Forum® Cloud Model represents an alternative mechanism to represent deployment models.

http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf



A little about you…

1. Are you are currently using cloud-based services within your organisation?2. Are you currently using cloud-based services for production?

IaaS? PaaS? SaaS? Combination of the above?

3. How many of you have tried the cloud but reverted to a more traditional approach?



Agenda

Introduction




Conclusions




Cloud Threats



National Security Letters (NSL) - Microsoft

However… Judge Susan Illston of the US District Court in San Francisco found that the "gag order" provision of the NSL law violates the First Amendment protections on freedom of speech

https://www.eff.org/document/nsl-ruling-march-14-2013

http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/



CSA “Notorious Nine”

http://www.cloudsecurityalliance.org/topthreats/



Agenda

Introduction



Cloud Risks. And Benefits?

Conclusions


?



Cloud Risks

Multi-tenancy

Compliance

Lock-in

Standard Terms and Conditions

Supply chain – cloud, on cloud, on cloud, on…?

Assurance



PCI-DSS (Payment Card Industry – Data Security Standard)

Penalties $25 for each account reissued $5 for each account monitored but not reissued Severity of fine will depend upon Acquirer / Merchant progress, co-operation, number of accounts at risk,

what sensitive data has been stored i.e. CSC, Track 2 Failure by Acquirer to comply with ‘Acquirer Responsibilities’ defined in the Rules can incur a further $25k per

day until compliant. The assessments for Wrongful Disclosure and Failure to Secure Data are up to USD 100,000 per violation. The assessments for Retention of Prohibited Data (mag stripe, CVC 2) are up to USD 100,000 per violation.

http://ask.barclaycard.co.uk/business/allfaqs/1_fraud_security/fines_2

“A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.

… Visa is not the only card company to go after Genesco and its banks. MasterCard did as well. The two companies combined imposed $15.6 million in fines and assessments, but Genesco has so far only sued Visa.”

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa



Compliance Process

Include stamp of approval from Legal here…



Cloud Risks

Multi-tenancy

Compliance

Lock-in

Standard Terms and Conditions

Supply chain – cloud, on cloud, on cloud, on…?

Assurance



Cloud Benefits?

Improved resilience

Cost-effective datacentre security

Cloud data storage and sharing vs removable media

Encourages adoption of Jericho principles

Improved security expertise, including application-specific expertise, at the centre?

More efficient security patching



Agenda

Introduction




Conclusions




Example Security Architecture



Example Security Architecture

X



Security Architecture

“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”Adapted from: ISO/IEC 42010:2007



Security Reference Model



Modelling Different Delivery Responsibilities

The delivery responsibilities for the security services shifts from the consumer to the provider as you move from IaaS to SaaS.

Interfaces between consumer and provider present a risk of gaps in capability and poor/no/mis-communication between provider and consumer.



Real World Usage (1 of 2)



Real World Usage (2 of 2)

Validate [Authenticate]

Responsible for checking that the

presented credentials match those associated

with the claimed identity.

Intra

IaaS

Applications must authenticate their users via IdM (SAMLv2.0, fall-back via SAMLv1.1) where possible.

Web services must authenticate via username and password as a minimum (subject to *client* standards on password construction etc).

Systems administrators should authenticate using 2 factor authentication.

Web services may authenticate using x509 certificates where required

Self-signed certificates may be used within a domain

SaaS

Applications should authenticate their users via IdM (SAMLv2.0 where possible, fall-back to SAMLv1.1)

Application administrators should authenticate using 2 factor authentication.

Inter

IaaS

Interdomain authentication of individuals should be via IdM, using federated authentication.

Interdomain authentication of services should be implemented via IdM using WS-Federation where possible.

Self-signed certificates may not be used to authenticate across domains.

Interdomain authentication of services may be achieved using x509 certificate based authentication.

SaaS

Interdomain authentication of individuals should be via IdM, using federated authentication.



Agenda

Introduction



Conclusions





Conclusions

• All delivery models are unique. Cloud computing models have unique security challenges. So do other delivery models including on-premise and traditional outsourcing.

• Cloud is an evolution not a revolution.

• The threat actors remain mostly the same, cloud or on-premise

• The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud, however

• increased sharing of resources due to multi-tenancy introduces new attack surfaces

• assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc)



Conclusions

The security architecture approach can help to enable cloud adoption:

• Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.

• Architecture methodologies help to identify the security services required from a Provider

• Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer

• Architecture helps to inform service procurement



Security preparation:

Getting ready for cloud adoption

Securing the Cloud: Workshops!

Security planning:

Architecting for cloud services

Security in practice:

Operating in the cloud

John Martinez John Arnold Lee Newcombe

The information contained in this presentation is proprietary.Rightshore® is a trademark belonging to Capgemini

© 2012 Capgemini. All rights reserved.

www.capgemini.com

About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion.Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business ExperienceTM, and draws on Rightshore ®, its worldwide delivery model.

http://www.facebook.com/Capgemini

http://www.linkedin.com/company/capgemini

http://www.twitter.com/capgemini

http://www.youtube.com/capgemini

http://www.slideshare.net/capgemini

http://www.facebook.com/Capgemini

http://www.linkedin.com/company/capgemini

http://www.twitter.com/capgemini

http://www.youtube.com/capgemini

http://www.slideshare.net/capgemini

Documents

Securing the Cloud: Masterclass 1 Lee Newcombe ([email protected]) Infrastructure Services April 2013