Page 1: Enterprise Security in Cloud

Building Enterprise Security in Hybrid Cloud

Lenin Aboagye - Principal Security Architect, Apollo Group
Kartik Trivedi – Co-Founder, Symosis

Page 2: Enterprise Security in Cloud

The Road Ahead…

The Power of Cloud Computing
• Business Agility
• Cost efficiencies
• Enhanced Innovation
• Improved IT services

However, security remains the roadblock
• Data loss
• Authentication, Authorization and Audit
• Information governance
• Data control

The power of Cloud Computing
• Rapid business agility
• Reduced costs
• Heightened Innovation
• Improved IT Services

However, security remains a roadblock
• Data loss prevention & protection
• Authentication, Authorization & Audit
• Security governance
• Data Profiling
• Compliance

Page 3: Enterprise Security in Cloud

Implementation on Cloud?

• Identity & Access Management
• Compliance, Governance and Risk
• Data Lifecycle Management
• Infrastructure Protection Services
• Monitoring & Operational Risk Management
• Threats & Vulnerability Management
• Info Sec Management

Page 4: Enterprise Security in Cloud


Cloud Security Reference Architecture

Page 5: Enterprise Security in Cloud

Responsibility Model

Domain                          SaaS   PaaS   IaaS
Compliance & Auditing           X      X      X
Governance/Risk Mgmt.           X      X      X
Legal and Electronic Discovery  X      X      X
Operations Security             X      X      -X
Incident Management             X      X
Application Security            X      -X
Encryption & Key Management     X      -X
Identity & Access Management    -X     -X
Virtualization Security         X
DR/BCP                          X

Legend: X: Provider responsibility; -X: Provider partially responsible

Page 6: Enterprise Security in Cloud

Achieving an Effective Shared Responsibility Model

• Cloud Provider
• Cloud Broker
• Cloud Tenant
• Cloud Auditor

Page 7: Enterprise Security in Cloud

Identity & Access Management

How do you securely maintain and govern identities in the cloud?

― Identity provisioning/de-provisioning into the cloud should be tied to internal identity management systems
― All access requests for the cloud go through a centralized internal service {the cloud is only seen as an extension of the internal environment}
― Federated provisioning/de-provisioning for cloud apps
― No direct access to the cloud provider interface for access requests
― Policy management (authz, role and compliance)
― Tenant applications utilize SSO federation into SaaS applications
― Maintain a single system to manage the user identity lifecycle for IaaS, PaaS and SaaS
― Apply location-based and data context rules to ensure that user access can be properly controlled
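Added example (not code from the deck): a centralized access-decision function of the kind these bullets describe, which accepts only assertions from the internal federation IdP, denies de-provisioned identities, and applies role and location/data-context rules before any cloud app is reached. The IdP URL, app names, roles and country lists are assumed sample values.

```python
from dataclasses import dataclass

# Assumed sample values (not from the deck): the internal federation IdP that
# every cloud access request must come through, plus sample policies.
INTERNAL_IDP = "https://idp.corp.example"
ROLE_POLICY = {                      # (cloud app, action) -> roles permitted
    ("crm-saas", "read"):      {"sales", "support"},
    ("crm-saas", "export"):    {"sales-admin"},
    ("iaas-console", "admin"): {"cloud-ops"},
}
LOCATION_POLICY = {                  # data-context rule: where each class may be accessed from
    "restricted": {"US", "DE"},
    "internal":   {"US", "DE", "IN"},
}                                    # classes not listed ("public") have no location rule

@dataclass(frozen=True)
class Identity:
    subject: str
    issuer: str                      # IdP that issued the federated assertion
    roles: frozenset
    active: bool = True              # False once de-provisioned in the internal IdM system

@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    app: str                         # target cloud application
    action: str
    data_class: str                  # classification of the data the request touches
    country: str                     # where the request originates

AUDIT_LOG = []                       # every decision is recorded for the enterprise SIEM

def decide(req: AccessRequest) -> tuple:
    """Central policy decision point; the cloud app only ever sees the result."""
    ident = req.identity
    if ident.issuer != INTERNAL_IDP:
        verdict = (False, "assertion not issued by internal IdP")   # no direct provider access
    elif not ident.active:
        verdict = (False, "identity de-provisioned")
    elif not (ROLE_POLICY.get((req.app, req.action), set()) & ident.roles):
        verdict = (False, "no role grants %s on %s" % (req.action, req.app))
    elif req.country not in LOCATION_POLICY.get(req.data_class, {req.country}):
        verdict = (False, "%s data not accessible from %s" % (req.data_class, req.country))
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append({"subject": ident.subject, "app": req.app, "action": req.action,
                      "country": req.country, "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```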

Page 8: Enterprise Security in Cloud

Data Loss Prevention

How can you profile and protect the data you have in the cloud and the data you send to the cloud, and secure it based on classification and data protection policies?

― Discover and classify data before you ship it into the cloud
― Apply policies and preventative controls based on organization policies and data classification
― Understand data flow profiles between public and private clouds, and between the public cloud and the internet
― Deploy host-based DLP tools as agents on public cloud VMs
― *Use tools with geo-tagging capabilities to ensure data location can always be tracked
― Apply egress & ingress filtering for cloud data
― Ensure sensitive data does not leak from the private cloud to the public cloud
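Added example, not from the deck: classifying a record before it ships to the cloud and applying an egress rule per destination, with a Luhn check so that only real card numbers raise the classification to restricted. The detectors, classification labels and egress policy table are assumed sample values.

```python
import re

# Detectors for the sensitive data types this example classifies. The card
# pattern is deliberately loose; the Luhn check removes most false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Return the highest classification found: restricted > confidential > internal."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "restricted"           # payment card number, regulated data
    if SSN_RE.search(text):
        return "restricted"
    if EMAIL_RE.search(text):
        return "confidential"             # personal data, lower tier in this sample policy
    return "internal"

# Egress policy (assumed sample policy, not the deck's): what may leave the
# private cloud for each destination, keyed by classification.
EGRESS_POLICY = {
    "public-cloud":  {"restricted": "block", "confidential": "tokenize", "internal": "allow"},
    "private-cloud": {"restricted": "allow", "confidential": "allow", "internal": "allow"},
}

def egress_check(record: str, destination: str) -> tuple:
    """Classify a record before it ships and return (classification, action)."""
    label = classify(record)
    # An unknown destination or an unlisted class is blocked rather than allowed by default.
    action = EGRESS_POLICY.get(destination, {}).get(label, "block")
    return label, action
```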

Page 9: Enterprise Security in Cloud

Web and Application Security

How can you secure your applications in the cloud?

― Secure development practices need to be extended to the cloud
― Build applications to account for common cloud models, e.g. abstract encryption of data to the application level as opposed to the infrastructure/DB levels
― Utilize service automation to address performance and scalability of application security tools
― Embed source code analysis in the CI (Continuous Integration) process {code is scanned when checked in}
― Apply web application/XML firewalls to mitigate web application and web services security threats
― Apply web filtering
― Ensure that security tests are run with the permission of the cloud service provider

Page 10: Enterprise Security in Cloud

Database Protection

How can you secure data in cloud databases?

― Secure databases and encrypt all sensitive/regulated data
― Consolidate all sensitive data into a central table and schema to simplify encryption, auditing and monitoring of sensitive data {applications access databases through a common web service}
― Deploy database activity monitoring on host systems to monitor for malicious database activity and attacks, and to abstract auditing and logging functions
― Utilize network segmentation controls and integrated IAM to deal with access management concerns in NoSQL databases
― Avoid database services that do not meet your security needs
― Data encrypted at rest in databases needs to be encrypted in backups/snapshots as well

Page 11: Enterprise Security in Cloud

SIEM

How can you monitor, detect and respond to attacks on your cloud systems?

― Push/forward logs from the application/middleware/database/network/infrastructure tiers into the SIEM
― Ensure the SIEM is configured to handle multi-tenancy for SaaS tenants
― Apply app-level and system/device-level tagging to segregate feeds and properly apply incident response
― All cloud logs should be accessible, in an easy-to-convert format, and integrated into the enterprise SIEM
― Incident response capabilities should include the ability to quarantine affected instances and move them into the private cloud while new instances are spun up to avoid service interruption

Page 12: Enterprise Security in Cloud

Encryption & Key Management

With data being moved in and out of the cloud, how do you encrypt data at rest and in transit?

― Encrypt any sensitive data in the cloud: databases, VMs, virtual storage, communications data, VPN and application data
― Apply application-level encryption if possible to abstract encryption from servers and databases
― Back up encryption keys in the private cloud
― Do not store keys on cloud instances; abstract them to a secure third-party service and retrieve keys only if and when needed
― Implement key rotation and replacement
― Tokenize public cloud data and perform key management in the private cloud
― Encrypt sensitive data in transit, in processing, and at rest
― Avoid performance overheads by encrypting only sensitive data
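Added example (not the authors' code) of the tokenization and key-rotation bullets: a key service and token vault that stay in the private cloud, so the public cloud stores only opaque tokens, with the key version carried alongside each ciphertext so that rotation re-encrypts stored values without a flag day. HMAC-SHA256 in counter mode stands in for a real AEAD cipher here, purely so the example runs on the standard library.

```python
import hashlib, hmac, secrets

class PrivateCloudKeyService:
    """Keys stay in the private cloud; public-cloud workloads only ever hold tokens and ciphertext."""
    def __init__(self):
        self._keys, self.current = {}, None
        self.rotate()
    def rotate(self):  # a new key version becomes active for all new encryptions
        kid = "k%d" % (len(self._keys) + 1)
        self._keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid
    def _prf(self, kid, label, nonce, n):
        # HMAC-SHA256 in counter mode as a keystream: a standard-library
        # stand-in for an AEAD such as AES-GCM so the example runs offline.
        out = b""
        for ctr in range((n + 31) // 32):
            msg = label + nonce + ctr.to_bytes(4, "big")
            out += hmac.new(self._keys[kid], msg, hashlib.sha256).digest()
        return out[:n]
    def encrypt(self, data):
        kid, nonce = self.current, secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data, self._prf(kid, b"enc", nonce, len(data))))
        tag = hmac.new(self._keys[kid], b"mac" + nonce + ct, hashlib.sha256).digest()
        return {"kid": kid, "nonce": nonce, "ct": ct, "tag": tag}  # key version travels with the data
    def decrypt(self, blob):
        # Older key versions stay readable until their data is re-encrypted.
        key, nonce, ct = self._keys[blob["kid"]], blob["nonce"], blob["ct"]
        expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("ciphertext failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._prf(blob["kid"], b"enc", nonce, len(ct))))

class TokenVault:
    """Tokenization: the public cloud stores an opaque token; the encrypted value stays here."""
    def __init__(self, kms):
        self.kms, self._store = kms, {}
    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(12)  # random, carries no information about the value
        self._store[token] = self.kms.encrypt(value.encode())
        return token
    def detokenize(self, token):
        return self.kms.decrypt(self._store[token]).decode()
    def key_version(self, token):
        return self._store[token]["kid"]
    def rotate_keys(self):  # activate a fresh key, then re-encrypt every stored value under it
        new_kid = self.kms.rotate()
        for token, blob in self._store.items():
            self._store[token] = self.kms.encrypt(self.kms.decrypt(blob))
        return new_kid
```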

Page 13: Enterprise Security in Cloud

Patch Management

How do you ensure your applications and systems are patched and up to date in the cloud?

― Perform vulnerability scanning of OS/app server/database/application
― Utilize cloud provider auto-patching services for the OS
― Update certified images and deploy them during patch cycles
― Ensure patching is embedded in all full-stack deployments
― If using third-party/vendor images, have a mechanism via repositories to be provided with updated images {always deploy the latest images}
― Monthly cloud scanning to resolve security issues

Page 14: Enterprise Security in Cloud

Legal & E-discovery

If data breaches occur in the cloud, how can you perform forensics and e-discovery in your cloud environment?

― Install forensic software agents so that remote e-discovery can be performed
― Quarantine affected instances and ship images to the private cloud for further investigation
― Partner with the cloud provider for forensic and legal requests of this nature
― Ensure there are no limitations on an organization's ability to perform such functions during contract negotiations with the cloud provider

Page 15: Enterprise Security in Cloud

Vulnerability Management & Assessment

How can you perform vulnerability management in an effective manner in the cloud?

― Get cloud provider approval prior to running such assessments and ensure that limitations are understood
― Check with the cloud provider if there are other contracted service providers who can provide such limited functions for your organization (e.g. penetration testing, hypervisor testing)
― Perform assessment of application/infrastructure/database/network
― Integrate and run vulnerability assessment tools from the cloud environment to limit bandwidth costs
― Ensure remediation scans after vulnerabilities are resolved

Page 16: Enterprise Security in Cloud

Intrusion Detection/Prevention

How can you monitor, detect and prevent intrusions in your cloud environment?

― Deploy host-based IDS/IPS
― Install software NIDS using soft-taps in the cloud
― Automatically detect and remediate policy violations
― Scale appropriately to account for increased demand
― Ensure all feeds flow into the SIEM

Page 17: Enterprise Security in Cloud

Network Security

How can your network be configured to prevent malicious attacks and unauthorized attackers?

― Deploy web gateways to monitor and inspect traffic for any malware or malicious attacks
― Utilize NIDS
― Create and maintain security groups to restrict network access
― Restrict subnets and apply proper network ACLs
― Use a VPN from the private cloud to the public cloud so that all network firewalls and NIDS can simply be run from the private cloud. This way the public cloud can be turned into a secure extension of the private cloud
― Configure iptables to provide extra security to virtual instances

Page 18: Enterprise Security in Cloud

Conclusion/Lessons Learned

― Know and understand your data before you move to the cloud
― The cloud has unique challenges that still need to be addressed
― The cloud can be a riskier extension of your environment if you don't understand what you are doing
― No two clouds are the same due to a lack of standardized approaches and vendor tie-ins
― Utilize tools with geo-tagging and location-based capabilities when securing data
― Ensure you drive strong security SLAs during contract time
― Long-term strategic partnerships, research, customization and continuous adaptation are the key to meeting security standards and protecting against evolving security threats in the cloud

Page 19: Enterprise Security in Cloud

Thank you & References

Lenin Aboagye / Kartik Trivedi

Referenced Material:
― "SecaaS Working Group: Defined Categories of Service 2011", https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
― "AWS Best Practices: AWS Security Best Practices", http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf
― "NIST guideline for security and privacy in cloud", http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
― "Cloud Security Alliance: Security Guidance, TCI Reference Architecture, Cloud Controls Matrix", https://cloudsecurityalliance.org/