Risk management challenges in the cloud.

Page 1: Avoiding a mushroom cloud

© 2011 Network Computing Architects, all rights reserved

How to Avoid Becoming the Victim of a “Mushroom” Cloud

Assessing the Security Ecosystem of Your Cloud Service Provider

Presented by Brad Bemis

Page 2: Avoiding a mushroom cloud

Introduction

• Rehashing the Basics

• Are You Ready for the Cloud?

• Is the Cloud Ready for You?

• Evaluating Service Providers

• Moving to the Cloud

• Contingency Planning

• Resources


Page 6: Avoiding a mushroom cloud

Rehashing the Basics

• What is the cloud?

• What are the benefits?

• What are the risks?

Essential Characteristics

• On-demand Self-service

• Broad Network Access

• Resource Pooling

• Rapid Elasticity

• Measured Service

Service Models

• Software as a Service

• Platform as a Service

• Infrastructure as a Service

• Security as a Service

Deployment Models

• Private Cloud

• Public Cloud

• Hybrid Cloud

• Community Cloud

• Vertical Cloud

Value Added Through

• Focus on Core Business

• Functional Alignment

• Competitive Advantage

• Economies of Scale

• Universal Access

• Standardization

Reductions In

• Cost

• Complexity

• Resource Overhead

• Compliance Issues

Increases In

• Operational Efficiency

• Resource Availability

• General Adaptability

• Organizational Responsiveness

Risks

• Contractual Limitations

• Asset Management

• Loss of Control

• Limited Visibility

• Portability of Assets

• Isolation Failures

• Data Leakage

• Data Persistence

• Interface Compromises

• Service Engine Compromises

• Crypto Management Failures

• Software Licensing Confusion

• Configuration Conflicts

• Economic DoS

• Network Interception

• Malicious Insiders

• Resource Exhaustion

• Poor Performance

• Service Degradation

• Outages and Downtime

• Jurisdictional Concerns

• E-Discovery Issues

• Incident Handling Methods

• Law Enforcement Involvement

• Legal/Regulatory Compliance

• Provider Failure/Service Termination

This is just a partial list!


Page 8: Avoiding a mushroom cloud

Are You Ready for the Cloud?

• Have you thought about your data?

– What data is going into the cloud?

– What is the value/sensitivity of the data?

– Who will interact with the data?

– How will the data be accessed?

– How will the data be used?

• Have you defined your requirements?

– Business requirements

– Technology requirements

– Compliance requirements

– Security requirements

– Operational requirements

Page 12: Avoiding a mushroom cloud

Are You Ready for the Cloud?

• Have you considered the risks?

(The risk list from Page 6 is repeated on this slide.)

WAIT! How mature is your current security program?

Page 15: Avoiding a mushroom cloud

Is the Cloud Ready for You?

• Lots of things are happening!

– Increased industry recognition

– Better understanding of the issues

– New ideas and approaches daily

– CSA and others are leading the way!!!

• We still have a long road to travel though!

– Increased vigilance and accountability are a must!

– Cloud providers have a clear responsibility here!

– The market will ultimately determine what’s right!

• Security is STILL the #1 barrier to cloud adoption

– How do we move from barrier to enabler?

– Are there any security models that can help?

Page 17: Avoiding a mushroom cloud

Is the Cloud Ready for You?

CSA Security Guidance: Version 3.0 Under Development

The GRC Stack

• Cloud Audit (A6)

• Cloud Controls Matrix

• Assessment Questionnaire

• Cloud Trust Protocol

Page 18: Avoiding a mushroom cloud

Evaluating Service Providers

• For this presentation:

– It’s not about public vs. private vs. hybrid

– It’s not about SaaS, PaaS, IaaS

– It’s not about the technologies involved

– It’s not about using the cloud to “get out of jail for free”

– You can’t afford to fall for clever marketing schemes

– Sending out a general questionnaire isn’t going to cut it

– Especially if you’re just filing the responses away

– You have to do your homework

IT’S ABOUT DUE DILIGENCE!!!

Page 19: Avoiding a mushroom cloud

Evaluating Service Providers

• Let’s frame the discussion in terms of risk management

• The “gap” approach to assessments is insufficient

• Many of our tools are gap based, not risk based

• Even many of our risk-based tools are highly flawed

• Applying flawed methods to unknowns is dangerous

• The real question for cloud service providers is:

“Can you provide me with an adequate degree of protection that is consistent with my established risk tolerance thresholds?”

HOW DO WE FIND THE ANSWER?

Page 21: Avoiding a mushroom cloud

Evaluating Service Providers

• The true goal of a risk assessment is to help business leaders make informed/better decisions!!!

• To meet this goal you need to assess the security ecosystem of your cloud service provider and deliver findings/recommendations that are:

– Clear

– Concise

– Meaningful

– Actionable

There’s a complication though… Providers are unlikely to let you peek behind the curtain. Or: how would you know the difference?

Page 22: Avoiding a mushroom cloud

Evaluating Service Providers

The Maturity Continuum (the slide shows a 0 to 5 scale, ordered from least to most mature):

• No Understanding of Security At All!

• Acknowledgement Of Security Issues

• Verbal Security Assurances Made

• Basic Contractual Language In Place

• Controls Statement Made Available

• General 3rd Party Assessment Done

• SAS 70/SSAE 16 Audit Performed

• Full ISO 27001 Cert Achieved

You can learn a lot about a provider just by their response to the question “What security controls do you have in place?”

THIS MAY BE ALL YOU HAVE TO WORK WITH!

Page 23: Avoiding a mushroom cloud

Evaluating Service Providers

The Tools We’ll Use:

• First of all, there’s this great organization called the Cloud Security Alliance (CSA)

– You may have heard of them!

– They’ve built a “GRC Stack” of resources

  • Cloud Audit Toolset

  • Cloud Controls Matrix

  • Consensus Assessment Initiative Questionnaire

• Next we’ll add in resources from NIST and ENISA

• Finally, we’ll draw from FAIR and more from NIST

• At the end we’ll use a scorecard for comparison

Page 24: Avoiding a mushroom cloud

Evaluating Service Providers

Assessment Process Flow (diagram)

Inputs: Fully Qualified Business Needs, Your Reqs, and the Service Provider’s Security Assertions

• Description Framework: CSA Guidance

• Data Collection: Controls Matrix and Consensus Questions (supplement as needed)

• Risk Catalogue: NIST 800-144 / ENISA Report (supplement as needed)

• Risk Analysis: FAIR

• Reporting Format: NIST 800-30 (slightly modified)

Output: Fully Informed Business Decision

Page 25: Avoiding a mushroom cloud

Evaluating Service Providers

Business Needs (+Requirements):

• What’s “Fully Qualified” mean in a cloud context?

– Let’s point back to your requirements for reference:

  • Why are you moving to the cloud?

  • Do you understand what the cloud is?

  • Have you thought about the data?

  • Are you ready for the cloud? Is your house in order?

– What business needs will you be satisfying?

– Where are your risk tolerance thresholds set?

– How will this align with your governance efforts?

– …and lots more!

Page 26: Avoiding a mushroom cloud

Evaluating Service Providers


Provider Assertions:

• Where is the provider on the maturity scale?

• What type of assertions do you have to work with?

• Did you send survey questions and get responses?

• What else do you need for the assessment?

Page 27: Avoiding a mushroom cloud

Evaluating Service Providers

CSA Guidance:

• Grab a copy of the Cloud Security Alliance’s “Security Guidance for Critical Areas of Focus in Cloud Computing” (v 2.1)

– Describes 13 domains relevant to cloud security

– Offers a structure and advice for tackling cloud security challenges

– Provides a level of detail that you won’t find anywhere else – and it’s part of the GRC Stack!

– Should serve as an authoritative resource

• Version 3.0 in development – watch for it!

Page 28: Avoiding a mushroom cloud

Evaluating Service Providers

Cloud Controls Matrix:

• This is where “the rubber meets the road”

• A complete mapping of the cloud security domains as presented by the CSA

• Includes applicability columns for SaaS, PaaS, IaaS based services – and provider vs. tenant responsibilities

• Most importantly, it offers a direct mapping across every major security best practice in the industry

– COBIT, HIPAA/HITECH, ISO 27001, NIST 800-53, PCI DSS 2.0, BITS, GAPP, etc.

– Version 1.2 is out now – I added in the Jericho Forum Piece!

Page 29: Avoiding a mushroom cloud

Evaluating Service Providers

Consensus Questionnaire:

• Yet another component of the GRC Stack – the questionnaire is an invaluable data gathering tool

– Directly aligned with the Controls Matrix

– Asks very cloud specific questions

– Can be used to guide the assessment effort

• Supplementation is recommended though

– Look at the BITS Shared Assessment Program

– Leverage the BITS Questionnaire (there’s even a lite version)

– Remember, BITS is already mapped to the Controls Matrix

• Many other great resources out there…

Page 30: Avoiding a mushroom cloud

Evaluating Service Providers

NIST and ENISA Materials:

• The CSA materials are great, but we also need a “Risk Catalogue” to help us go from a gap-based approach to a risk-based one

• The CSA Guidance document is a great start, but there’s more information needed

• NIST 800-144 steps through a number of key issues and places them into a risk-based context

• The ENISA Cloud Computing Assessment is an absolutely fantastic risk resource – a ‘must have’

Page 31: Avoiding a mushroom cloud

Evaluating Service Providers

The FAIR Assessment Method:

• Now we need to use a risk analysis process to create a list of comparative, contextual results

• Factor Analysis of Information Risk, by Jack Jones, is a REALISTIC approach to risk assessment/analysis

• It provides a model for risk measurement that goes far beyond the traditional “threat + vulnerability = risk”

• It takes into account things like: Loss Event Frequency, Threat Event Frequency, Contact (opportunity), Action (motive), Vulnerability, Threat Capability, Control Strength, Probable Loss Magnitudes, and more…
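The FAIR factor chain named above, worked through as an added example that is not part of the presentation or of FAIR’s own tooling: contact and action give Threat Event Frequency, Threat Capability against Control Strength gives Vulnerability, and Probable Loss Magnitude turns Loss Event Frequency into annualised exposure. The two providers, their control-strength ranges and the shared threat estimates are constructed, and triangular sampling of (low, likely, high) ranges stands in for FAIR’s calibrated estimates.

```python
# Added example (not from the presentation or from FAIR's own tooling): a
# FAIR-style Monte Carlo comparison of two hypothetical cloud providers.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated (low, most likely, high) estimate, sampled from a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a zero-width range returns `low`
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for one provider, factored the way FAIR factors risk."""
    provider: str
    contact_frequency: Estimate      # Contact (opportunity): threat contacts per year
    probability_of_action: Estimate  # Action (motive): 0..1 chance a contact becomes an attempt
    threat_capability: Estimate      # 0..100 percentile of the threat population
    control_strength: Estimate       # 0..100 percentile of threats the controls can resist
    primary_loss: Estimate           # Probable Loss Magnitude per event (response, replacement)
    secondary_loss: Estimate         # fallout per event (fines, churn, reputation)


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 1) -> dict:
    """Walk the FAIR factor chain once per iteration and return annualised averages."""
    rng = random.Random(seed)  # fixed seed so a rerun is reproducible
    tef_total = lef_total = loss_total = 0.0
    hits = 0
    for _ in range(iterations):
        # Threat Event Frequency = Contact Frequency x Probability of Action
        tef = scenario.contact_frequency.sample(rng) * scenario.probability_of_action.sample(rng)
        # Vulnerability: the attempt succeeds when Threat Capability exceeds Control Strength
        vulnerable = scenario.threat_capability.sample(rng) > scenario.control_strength.sample(rng)
        # Loss Event Frequency = TEF x Vulnerability (per iteration, vulnerability is 0 or 1)
        lef = tef if vulnerable else 0.0
        # Risk = LEF x Probable Loss Magnitude (primary + secondary)
        magnitude = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        hits += int(vulnerable)
        tef_total += tef
        lef_total += lef
        loss_total += lef * magnitude
    return {
        "provider": scenario.provider,
        "tef_per_year": tef_total / iterations,
        "vulnerability": hits / iterations,
        "lef_per_year": lef_total / iterations,
        "annualised_loss": loss_total / iterations,
    }


def compare(scenarios, iterations: int = 20_000, seed: int = 1) -> list:
    """Rank providers by annualised loss exposure, lowest (best) first."""
    results = [simulate(s, iterations, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["annualised_loss"])


# Constructed threat profile shared by both providers: same attackers, same data at stake.
THREAT = dict(
    contact_frequency=Estimate(2, 6, 12),
    probability_of_action=Estimate(0.2, 0.4, 0.7),
    threat_capability=Estimate(30, 55, 85),
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(0, 100_000, 500_000),
)

# Constructed providers: only the asserted control strength differs, which is the one
# factor a provider's security assertions actually let you estimate.
PROVIDERS = [
    Scenario("Provider A (basic contractual language only)",
             control_strength=Estimate(20, 40, 60), **THREAT),
    Scenario("Provider B (ISO 27001 certified, audited controls)",
             control_strength=Estimate(60, 80, 95), **THREAT),
]

if __name__ == "__main__":
    for r in compare(PROVIDERS):
        print(f"{r['provider']}: vulnerability={r['vulnerability']:.2f}, "
              f"LEF={r['lef_per_year']:.2f}/yr, annualised loss={r['annualised_loss']:,.0f}")
```

The ranking is only as good as the estimates fed in; where a provider offers nothing beyond verbal assurances, the control-strength range should be wide and low to reflect that uncertainty.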

Page 32: Avoiding a mushroom cloud

Evaluating Service Providers

NIST 800-30:

• Ultimately this contains a ‘traditional’ (insufficient) methodology for risk assessments

• However, it does include a few things that FAIR only hints at (like System Characterization)

• Appendix B offers a simple reporting outline that’s actually quite useful when coupled with FAIR outputs

• Using this as a tool to assist in shaping the final findings and recommendations report is invaluable

• FAIR displaces most of the methodology though

• 800-30 is due for an update – so keep an eye out

Page 33: Avoiding a mushroom cloud

Evaluating Service Providers

The *INFORMED* Business Decision:

• With a clear, concise, meaningful, and actionable report in hand, business leaders can make much better management decisions about their cloud security risks

• These business decisions may have a major influence on the future of the organization – moving to the cloud is no small undertaking, even at a micro level

• Keep in mind that the report will only be as good as the quality of the information and level of effort that went into it though

Page 34: Avoiding a mushroom cloud

Evaluating Service Providers

Assessment Process Flow (the diagram from Page 24 is shown again on this slide)

Page 40: Avoiding a mushroom cloud

Evaluating Service Providers

• Now granted – this is a pretty involved process

• Take what you need and do what makes sense

• Just remember how important this could be to the future of your business

• Don’t forget the basic due diligence/due care mandate

• You have a duty to protect your customers, partners, brand, etc.

• No matter how much data you collect though, it’s good to rate your top 2 or 3 providers against one another – a scorecard could be helpful

Page 42: Avoiding a mushroom cloud

Evaluating Service Providers

Leveraging a “Score Card” Approach

• YOUR Requirements

• Choosing the Right Team

• Objective Scoring Criteria

• Clearly Defined Rating System

• ‘Tie-Breaker’ Rules Just in Case

Don’t Forget: This is what you are trying to avoid!

Page 46: Avoiding a mushroom cloud

Moving to the Cloud

• Make sure that you have a clear plan in place, that you know what you’re getting yourself into, and that you’re truly ready to make the leap

• Start small and build upwards/outwards; there’s no need to push everything into the cloud all at once – this will keep your scope and risks more manageable!

• Leverage the resources available – a lot of work has already gone into defining this space and creating models to support it

• Don’t let the nature of the cloud invalidate best practices that are known to work – in many cases it’s just a matter of tweaking the context

Page 50: Avoiding a mushroom cloud

Contingency Planning

• As you are getting INTO the cloud arena – think about how you’re going to get back OUT again if something goes wrong

• Pay attention to warning signs indicating issues or problems with your service provider – don’t be afraid to go elsewhere if your security needs aren’t being met

• Really start thinking in terms of a ‘Zero Trust’ model – the less trust you place in service providers the better protected you will be no matter what happens

• Update all of your business continuity, disaster recovery, and incident response processes to reflect your cloud relationships – BE PREPARED!

Page 53: Avoiding a mushroom cloud

Resources

• Check out the Cloud Security Alliance web site

• Join the local CSA Chapter and participate

• And of course – ENGAGE NCA TO HELP!

NCA’s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:

• Program Management: Building and managing holistic information security programs.

• Governance: Incorporating security into enterprise or IT governance frameworks.

• Risk Management: Measuring and managing information security and other related risks.

• Compliance: Ensuring that all internal and external requirements are being met.

• Identity & Access Management: Managing identities and permissions for systems and users.

• Perimeter Defense & Firewall Management: Defending the borders between networks.

• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.

• Virtualization & Cloud Security: Safeguarding the latest virtualized and cloud-based technologies.

• Event Management & Incident Response: Detecting and responding to security incidents.

• Awareness & Training: Engaging people in the process of security on a daily basis.

Through a number of strategic partnerships we can also deliver additional services in the areas of:

• Managed Services: Managing the day-to-day operational security of information systems.

• Application Security & Penetration Testing: Validating controls for business applications.

• Business Continuity & Disaster Recovery: Sustaining the business during emergencies.

Page 54: Avoiding a mushroom cloud


Questions???

Send Additional Follow-up Questions to [email protected] Or Call Us at 1-877-566-9622

Follow Me: @SecureITExpert

Page 55: Avoiding a mushroom cloud

About the Author:

Brad Bemis is the CISO, Security Practice Manager, and Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA. Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level course-work towards a Master of Business Administration and a Master of Science in Clinical Psychology. Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between). Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of on-line security forums, and much, much more. Additional information can be found on Brad's professional blog at www.secureitexpert.com.