Enterprise Strategy for Cloud Security. Oracle Architect Day, May 16, 2012. Dave Chappelle

Enterprise Strategy for Cloud Security

DESCRIPTION

Security is high on the list of concerns for many organizations as they evaluate their cloud computing options. This session will examine security in the context of the various forms of cloud computing. We'll consider technical and non-technical aspects of security, and discuss several strategies for cloud computing, from both the consumer and producer perspectives.

Page 1: Enterprise Strategy for Cloud Security

Enterprise Strategy for Cloud Security Oracle Architect Day May 16, 2012

Dave Chappelle

Page 2: Enterprise Strategy for Cloud Security

Agenda

• Cloud Security Considerations

• Consumer Strategies

• Provider Strategies

Page 3: Enterprise Strategy for Cloud Security

A Few General Considerations…

• Multi-tenancy

• Varying degrees of isolation (how thick are the walls?)

• Unpredictable cohabitation (do you really know your neighbors?)

• Isolation Barriers

• Physical vs. logical

• Several vs. few

• Data (Operational, Metadata, Log Data, Backups, etc.)

• Ownership

• Dispersal, Privacy, and Retention Laws

• Complexity

• Technical: technologies, integration, domain federation

• Business: policies, procedures, continuity

• Auditing and Compliance

• Capabilities and support

Page 4: Enterprise Strategy for Cloud Security

Security Principles & Cloud

• Least Privilege

• Restricting administrative privileges

• Segregation of Duties

• Consumer privileges vs. provider privileges

• Compartmentalization

• Controlling resource allocation/utilization in a shared environment

• Defense in Depth

• Discontinuity…

Page 5: Enterprise Strategy for Cloud Security

Defense in Depth: Layers

[Diagram labels: Identity & Access Management; Security Governance, Risk Management, & Compliance; Security Management & Monitoring; Data; Application; Host; Internal Network; Perimeter; Physical; Policies, Procedures, & Awareness]

OTN Architect Day 2011

Fences, walls, guards, locks, keys, badges, …

Firewalls, network address translation, denial of service prevention, message parsing and validation, ...

Transport Layer Security (encryption, identity)

Platform O/S, Vulnerability Mgmt (patches), Desktop (malware protection),…

Security Assurance (coding practices)

Authentication, Authorization, Auditing (AAA)

Federation (SSO, Identity Propagation, Trust, …)

Message Level Security

Content Security, Information Rights Management

Database Security (online storage & backups)

Data Classification, Password Strengths, Code Reviews, Usage Policies, …

Page 6: Enterprise Strategy for Cloud Security

Security Layering and Cloud

[Diagram labels: SGRC; Id & Access Mgmt; Policies & Procedures; Physical; Perimeter; Internal Network; Host; Application / Service; Data; Security Management & Monitoring; Technology Integration; Private Cloud; Cloud Provider; Public Cloud; IaaS; PaaS; SaaS; VMs; Planning & Reconciliation; Private Cloud; Your Organization]

Page 7: Enterprise Strategy for Cloud Security

Control Frameworks

• ISO/IEC 27001:5

• NIST Recommended Security Controls for Federal Information Systems and Organizations (Pub 800-53)

• COBIT

• SANS 20 Critical Security Controls

• Cloud Security Alliance Cloud Controls Matrix

Page 8: Enterprise Strategy for Cloud Security

NIST Security Controls

Technical

• Access Control

• Audit & Accountability

• Identification & Authentication

• System & Communications Protection

Operational

• Awareness & Training

• Configuration Management

• Contingency Planning

• Incident Response

• Maintenance

• Media Protection

• Physical & Environmental Protection

• Personnel Security

• System & Information Integrity

Management

• Security Assessment & Authorization

• Planning

• Risk Assessment

• System & Services Acquisition

• Program Management

Page 9: Enterprise Strategy for Cloud Security

Exposure, Control, & Risk

• Exposure

• Public access to applications, services, platforms, & data

• Administrative access

• Data traversing unprotected networks

• Reliance on isolation implementation(s)

• Control (or delegation thereof)

• Physical, managerial, operational

• Functional and non-functional capabilities

• Compliance

• Search and seizure

• Quantitative Risk = threat probability * magnitude of loss

• Relative risk = Risk_IT / Risk_Cloud

[Diagram label: Threat Categories]

Page 10: Enterprise Strategy for Cloud Security

Service & Deployment Models

Service Models

• IaaS

• PaaS

• SaaS

Deployment Models

• Private operated, & managed

• Private, partner-operated & managed

• Private, partner-located, operated & managed

• Remote dedicated / leased

• Public, shared

[Diagram labels: Exposure; Control; Dependent upon Cloud provider and internal compensating controls; Dependent upon internal controls]

Page 11: Enterprise Strategy for Cloud Security

Agenda

• Cloud Security Considerations

• Consumer Strategies

o Security Governance, Risk Management, & Compliance (SGRC)

o Usage Strategies

o Identity & Access Management (IAM)

• Provider Strategies

Page 12: Enterprise Strategy for Cloud Security

SGRC Strategy

• How will Cloud providers be assessed for risk?

• Who will evaluate assessments and have authority to grant approvals?

• What compliance issues are pertinent to the use of Cloud? (Compliance with all government, industry, and internal policies and regulations.)

• Who will review issues related to compliance and have authority to grant approvals?

• Under what circumstances might a Cloud be used without a formal assessment and compliance review?

• What governance processes will be established/used to properly evaluate a Cloud provider for all aspects of security (including business continuity)?

• What governance processes will be established/used to actively monitor and audit access to, and usage of, company assets in a Cloud environment?

• …

Page 13: Enterprise Strategy for Cloud Security

Usage Strategy

• How the cloud will be used

• Development & test vs. production

• Internet access vs. private / VPN

• Public content vs. sensitive information

• …

Page 14: Enterprise Strategy for Cloud Security

Public Cloud, Public Access Point

[Diagram labels: Internal IT / Private Cloud; Intranet Users; Public Cloud (PaaS, IaaS); Internet Users (Employees); Business-Critical Systems & Sensitive Data; Intranet-Based Web Apps (Internal DMZ); Non-Critical Systems, Public-Facing Content; Public-Facing Web Apps (Cloud DMZ); Internet Users (General Public); VPN; IAM]

• Cloud is used to serve up public content

• Sensitive data and monetized transactions are handled internally

Page 15: Enterprise Strategy for Cloud Security

Dedicated Datacenter Extension

[Diagram labels: Internal IT / Private Cloud; Intranet Users; Dedicated Cloud (PaaS, IaaS); Company-Owned Infrastructure, Platforms & Software; Intranet-Based Web Apps (DMZ); VPN; IAM; Provider-Owned IaaS/PaaS with Company Software; Internet Users]

• Cloud is used to extend the capacity of IT

• Private access to dedicated resources

Page 16: Enterprise Strategy for Cloud Security

Public Cloud for Commodity Computing

[Diagram labels: Internal IT / Private Cloud; Intranet Users; Public Cloud (SaaS); Internet Users; Custom-Built, Business-Differentiating Systems; Custom Web Apps, Company Portals (Internal DMZ); Commodity Applications & Services; Commodity Web Apps (Cloud DMZ); IAM; IAM]

• SaaS providers used for commodity computing needs

• Access most often via common Internet connectivity

Page 17: Enterprise Strategy for Cloud Security

Private Cloud, Standardization & Consolidation

[Diagram labels: Internal IT; Private Cloud Migration; Finance; Sales; Support; IT-Managed IaaS/PaaS Private Cloud; Public Cloud (XaaS)]

• Private cloud offers an efficient alternative

• Migration to cloud based on evaluation of projects in pipeline

• Decision on public or private based on evaluation criteria

Page 18: Enterprise Strategy for Cloud Security

Identity and Access Management Strategy

• How will management be accomplished without compromising existing IAM capabilities (standardized provisioning, approval, integration, audit, attestation, and analysis)?

• Centralized

• Distributed

• Federated

• Synchronized

• Replicated

• …

Page 19: Enterprise Strategy for Cloud Security

Anonymous & Personalized Public Cloud

[Diagram labels: Internal IT / Private Cloud; Public Cloud; Secure Systems & Sensitive Data; Personalized Applications and Content; Users; Identity & Access Management (Credentials, Roles, Attributes, Policies; AuthN; AuthZ); Login; User Id; Anonymous Applications, Public Content; Redirect / Login]

• Nothing in the cloud performs access control

• Identity is used for non-security purposes (personalization, etc.)

Page 20: Enterprise Strategy for Cloud Security

Centralized IAM

[Diagram labels: Public Cloud, Network-Isolated IaaS/PaaS; Public Cloud, Network-Isolated IaaS/PaaS; Internal IT / Private Cloud; Internal Applications, Private Clouds; Users; Identity & Access Management (Credentials, Roles, Attributes, Policies; AuthN; AuthZ); Login, Access; VPN; VPN]

• Identity management and security services are centrally deployed

• Cloud applications access centralized security services

Page 21: Enterprise Strategy for Cloud Security

Access Control with Vouched Identity

[Diagram labels: Internal IT / Private Cloud; Public Cloud; SSO & Internal Applications; Standalone Applications w/ RBAC, ABAC; Users; Identity & Access Management (Credentials, Roles, Attributes, Policies; AuthN; AuthZ); Login; Access Policy Management (Application Access Policies; AuthZ); SAML, OpenID; Access]

• Users are authenticated by internal authentication services

• Identity is securely propagated to enable authorization decisions in the cloud

Page 22: Enterprise Strategy for Cloud Security

Standalone Synchronized IAM

[Diagram labels: Internal IT / Private Cloud; Public Cloud; Internal Applications; Standalone Cloud-based Applications; Users; Identity & Access Management (Credentials, Roles, Attributes, Policies; AuthN; AuthZ), shown once on each side; sync; Login; Login]

• Users are authenticated in multiple places

• Identity data is synchronized across multiple locations via manual or automated processes

Page 23: Enterprise Strategy for Cloud Security

Federated IAM

[Diagram labels: Internal IT / Private Cloud; Public Cloud; Internal Applications; Standalone Cloud-based Applications; Users; Login; Access; Identity & Access Management (Credentials, Roles, Attributes, Policies; AuthN; AuthZ), shown once on each side; sync; STS; Id Prov; Svc Prov; WS-Trust, WS-Fed; SAML; HTTP, SOAP; STS]

• Federated identities may be mapped to cloud-based groups or roles

• Synchronization becomes less critical due to abstraction

Page 24: Enterprise Strategy for Cloud Security

Brokered Identity Management

[Diagram labels: 3rd Party Identity Provider; Users; Register & Manage Access; Credentials, Attributes; Brokered Identity Management System; Internal IT / Private Cloud; Customer-facing Applications; Id Prov; OpenID; Public Cloud; Cloud-based Applications; Login]

• Brokered identity management relies on a trusted 3rd party to manage identities

• Clouds, and optionally internal IT, may elect not to manage identities at all

Page 25: Enterprise Strategy for Cloud Security

Agenda

• Cloud Security Considerations

• Consumer Strategies

• Provider Strategies

Page 26: Enterprise Strategy for Cloud Security

Provider Strategy

• Velocity & Scale: Standardization & Governance

• Minimal process deviation; enables automation

• Default secure configurations

• Common security services

• Processes that automate the proper behavior

• Domain Strategy

• Group resources together appropriately and consistently apply the proper degree of security controls

• Multi-tenancy Strategy

• Defines how tenants will share resources securely

• Cohabitation Strategy

• Which tenants “belong together”

Page 27: Enterprise Strategy for Cloud Security

Service Model Domains

[Diagram labels: Public Cloud; SaaS Cloud Domain; IaaS Cloud Domain; PaaS Cloud Domain; Cloud Security & Management; All Users]

• Group tenants by service model

• Rationale: similar services have similar configurations and security requirements

• Similar services share the same access patterns

Page 28: Enterprise Strategy for Cloud Security

Network Tier Cloud Domains

[Diagram labels: Production Environment Cloud; Dev / Test Environments; Dev / Test Private Cloud; Dev / Test Public Cloud; Data Tier Cloud Domain; Web Tier Cloud Domain; Apps & Services Cloud Domain; Partner Apps Cloud Domain; BI / DW Cloud Domain]

• Group tenants by network tier

• Rationale: maintain network-level security controls using existing network infrastructure

Page 29: Enterprise Strategy for Cloud Security

Tenant Group-Based Domains

[Diagram labels: Public Cloud; Group 1 Cloud Domain; Group 2 Cloud Domain; Group n Cloud Domain; Cloud Security & Management; All Users]

• Each group has dedicated resources with network isolation

• Groups may reflect common data sensitivity, compliance, SLA requirements, etc.

Page 30: Enterprise Strategy for Cloud Security

Dedicated Access Domains

[Diagram labels: Public Cloud; Tenant 1 Cloud Domain; Tenant 2 Cloud Domain; Tenant n Cloud Domain; Cloud Security & Management; Tenant 1 Private Network; Tenant 2 Private Network; Tenant n Private Network; VPN; VPN; VPN]

• Tenant-based domains with VPN access

• Share-nothing, greatest isolation, greatest cost

Page 31: Enterprise Strategy for Cloud Security

Multi-Tenancy Strategy

• Shared everything

• Shared Infrastructure

• Virtual Machines

• O/S virtualization

• Shared Nothing

Page 32: Enterprise Strategy for Cloud Security

Shared Everything

[Diagram labels: Shared Application; Shared Schema; Shared Security Services & IAM; Tenant A; Tenant B; Tenant C]

• Common SaaS model for maximum economy of scale

• Application must provide isolation

• Data from multiple tenants is stored in the same database tables

• Highest (relative) risk due to least control, greatest exposure

Page 33: Enterprise Strategy for Cloud Security

Shared Infrastructure: Virtual Machines

[Diagram labels: Shared Security Services & IAM; Shared Infrastructure; Hypervisor; Virtual Environment A (Tenant A: Data, Apps); Virtual Environment B (Tenant B: Data, Apps); Virtual Environment C (Tenant C: Data, Apps)]

• Each tenant has their own virtual environment

• Isolation provided by hypervisor

• Resource contention depends on VM capability and configuration

• Adds an additional layer and processes to run and manage

Page 34: Enterprise Strategy for Cloud Security

Shared Infrastructure: OS Virtualization

[Diagram labels: Shared Security Services & IAM; Shared Infrastructure; Operating System; Zone 1 (Tenant A); Zone 2 (Tenant B); Zone 3 (Tenant C)]

Resources

• Processes & Memory

• Disks & Filesystems

• NICs & IP Addresses

• …

Controls

• Max share of CPU

• Max memory usage

• Max network bandwidth

• …

• Each tenant has their own processing zone

• Isolation provided by the operating system

• Resource contention depends on zone configuration

• No VMs to run and manage, no abstraction layer between app & OS

Page 35: Enterprise Strategy for Cloud Security

Shared Nothing

[Diagram labels: Tenant A; Tenant B; Tenant C; Routing; Shared Security Services; Resource Pool A (Application Cluster A, Schema A, IAM Partition A); Resource Pool B (Application Cluster B, Schema B, IAM Partition B); Resource Pool C (Application Cluster C, Schema C, IAM Partition C)]

• Greatest degree of isolation, least economical

Page 36: Enterprise Strategy for Cloud Security

Final Thoughts

• Define and execute on a strategy

• Codify your appetite for risk; CYA

• Consider all aspects of security

• Use a framework

• Not all clouds are the same

• Be aware of the risks as well as the rewards

• You can delegate responsibility but you can’t delegate accountability

• Visit us online at http://www.oracle.com/goto/itstrategies

Page 37: Enterprise Strategy for Cloud Security
