This presentation was given by Lee Biggenden at CloudExpo 2013 in London, discussing what you should look for in a Cloud Services Provider and what you need to consider as part of your security model when you migrate to the Cloud. You can get more information from us by emailing [email protected], and don't forget to follow us on Twitter @NephosTech
Extending Security To The Cloud
30th January 2013 – Cloud Expo Europe
Lee Biggenden
NEPHOS TECHNOLOGIES Cloud Services Broker

EXTENDING SECURITY TO THE CLOUD
1. Realistic Expectations
2. Identifying Risks
3. Considerations & Steps To Take
4. Where Can We Get Some Help?
5. Q & A

02/01/2013 Nephos Technologies Ltd. 2
WHAT SHOULD YOU EXPECT FROM YOUR CSP?

EXPECT:
• To Be Given Information – Your CSP should share information on their accreditations, geographies and security measures
• Blurred Boundaries – The “network perimeter” is blurred in the Cloud so be prepared for it
• A Different Approach to Security – For example, typically CSPs won’t provide security measures like Firewalls as standard
• To Have To Do Your Homework! – You need to research your providers, and to understand the impact of one over another

DON’T EXPECT YOUR CSP:
• Image Validation – Typically CSPs will not validate server images; the responsibility will be on you
• Perimeter Security or Tiered Security – CSPs don’t normally provide a perimeter Firewall, or services like IPS as standard
• Dedicated Infrastructure – Typically dedicated Cloud services are not the standard but they are available at extra cost
• The CSP To Take Ownership – Public CSPs typically don’t offer complex solutions – YOUR DATA IS YOUR RESPONSIBILITY!

JUST BECAUSE THEY DON’T PROVIDE IT DIRECTLY DOESN’T MEAN IT’S NOT POSSIBLE!
CLOUD: WHERE ARE THE POTENTIAL RISKS?

• Unknown risk
  – What standards do your providers follow (if any)?
• Abuse & nefarious use of Cloud services
  – Consumable in nature
  – Weak validation of user credentials
• Insecure interfaces, APIs & open perimeters
  – Important application layer control point between systems
  – Lack of perimeter security = open target for professional hackers
• Multitenancy and shared technology
  – Understand shared infrastructure and the potential risk
  – Limited isolation methods as standard
• Data loss and leakage
  – Who has access to what data and where is it?
  – Malicious corruption of data
• Account or service hijacking
  – Data access to account information
  – Weak portal authentication
[Slide diagram: Pre-Deployment and Post-Deployment]
WHAT QUESTIONS SHOULD YOU ASK OF CSPs AND YOURSELF?

Ask Yourself:
1. Why are we moving?
2. Who does have access?
3. Who should have access?
4. Data sovereignty?
5. Regulatory compliance?
6. What’s the application flow?

Ask Your CSP:
1. Accreditations?
2. Customer segregation?
3. Perimeter security?
4. Known partners?
5. Monitoring/audit capabilities?
6. Failover scenarios?
INCLUDE SECURITY AS PART OF YOUR PLANNING PROCESS (EARLY)

1. Identify
   • Business Priorities
   • Workloads
   • Regulatory Requirements
2. Evaluate
   • Sensitivity of assets
   • Provider services
3. Map
   • Security workload to Cloud delivery model
   • Data flow between tiers
4. Analyse
   • Dataflows, security and delivery models against requirements
   • Gap analysis
5. Investigate
   • User behaviours and access requirements
   • Data classification requirements
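The Identify, Evaluate, Map and Analyse steps above, worked as an added example that is not from the talk: a small gap analysis that derives the controls a workload needs from its data classification and regulatory scope, then sorts them into what the CSP provides as standard, what it offers at extra cost, and what you must overlay yourself. Every control name, mapping and the `EXAMPLE_CSP` profile is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed mappings (not from the talk): controls a workload needs because
# of its data classification, and extra controls implied by its regulations.
CLASSIFICATION_CONTROLS = {
    "public": {"patching", "monitoring"},
    "internal": {"patching", "monitoring", "encryption_in_transit", "access_policy"},
    "confidential": {"patching", "monitoring", "encryption_in_transit",
                     "encryption_at_rest", "access_policy", "image_validation",
                     "perimeter_firewall"},
}
REGULATORY_CONTROLS = {
    "PCIDSS": {"encryption_at_rest", "key_management", "perimeter_firewall",
               "aaa", "audit_logging"},
    "SOX": {"audit_logging", "access_policy"},
}

@dataclass
class Workload:
    name: str
    classification: str
    regulations: set = field(default_factory=set)

@dataclass
class Provider:
    name: str
    standard: set    # controls included in the base service
    extra_cost: set  # controls available only as a paid add-on

# Constructed CSP profile: monitoring and TLS included, firewall and dedicated
# infrastructure for a fee, everything else (images, patching, keys, AAA) yours.
EXAMPLE_CSP = Provider("example-csp", {"monitoring", "encryption_in_transit"},
                       {"perimeter_firewall", "dedicated_infrastructure"})

def required_controls(w: Workload) -> set:
    """Evaluate: controls demanded by asset sensitivity plus regulatory scope."""
    needed = set(CLASSIFICATION_CONTROLS[w.classification])
    for reg in w.regulations:
        needed |= REGULATORY_CONTROLS.get(reg, set())
    return needed

def gap_analysis(w: Workload, p: Provider) -> dict:
    """Map/Analyse: split the requirements into provided, extra-cost and overlay."""
    needed = required_controls(w)
    return {
        "provided": sorted(needed & p.standard),
        "extra_cost": sorted((needed & p.extra_cost) - p.standard),
        "overlay": sorted(needed - p.standard - p.extra_cost),
    }
```

The `overlay` list is the set of controls you must bring yourself (the deck's "just because they don't provide it directly doesn't mean it's not possible"), and is the input to the Investigate step.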
WHAT SECURITY STEPS SHOULD YOU CONSIDER?

• Physical & Operating System
  – Build trusted compute pools & create secure connections
  – Enable service and security monitoring / auditing
  – Patch management process needs to be applied
• Data
  – Classify your data (and what risks you can afford to take with it)
  – Move your security closer to your data
  – Encrypt your data – in motion and at rest
  – Compliance and regulatory requirements
• Users
  – Create strong access policy – you still need to control data access
  – Understand the access risks and the devices that you’re exposing to your data
Independent Advice and Service Is a Must When You Choose to Deploy…
WHO CAN OFFER INDEPENDENT ADVICE?

• Cloud Security Alliance – Independent consortium that identifies and promotes the use of cloud security assurance best practices.
• DMTF – Working on cloud infrastructure management interface specifications to improve management interoperability.
• ODCA – Independent consortium of global IT leaders from over 300 companies working on a unified customer vision for deployments.
• TCG – Independent consortium developing, defining, and promoting open, vendor-neutral industry standards for interoperable trusted computing platforms.
• Cloud Industry Forum – Established to provide transparency through certification to a Code of Practice and to assist end users in gaining access to core information.
• Cloud Brokers / Aggregators – Independent advisors for Cloud, providing advice and value added services.
THE CLOUD SERVICES BROKER MODEL
HOW DO NEPHOS TECHNOLOGIES DELIVER SERVICE
CLOUD FUNDAMENTALS

Support & Management
• SLA management
• Service restoration
• Managed service
• Infrastructure monitoring
• Capacity planning
• Cost certainty

Strategy & Planning
• The right provider
• The right services
• The business opportunity
• How do you measure success
• The business case

Cloud Migration
• P-to-V, V-to-C
• Application/Data Migration
• Testing
• Project Management
• Service Transition Management

Architectural Design
• Public, Private or Hybrid
• Security considerations
• Performance certainty
• Architect for the Cloud, not the DC
CUSTOMER USE CASE: UK BASED B2B RETAILER

• 1,500 Users across 8 European datacenter locations
• Circa $1bn turnover 2012 (Europe)
• Under UK, European and US regulations (SOX, PCIDSS)
SCENARIO
• Initial feasibility work
• Benefits of Cloud identified
• Inconsistent European delivery of service
• Develop a strategy/solution to enable a PCIDSS compliant migration to a Hybrid Cloud environment

PROBLEM
• Weak and antiquated security mechanisms
• No consistent security models across Europe
• Not currently meeting PCIDSS requirements
• No Cloud experience in-house
• Limited security expertise in-house
• Tight timescales (< 6 months)

SOLUTION
Phase 1:
• Engaged QSA
• Gap Analysis of existing infrastructure vs. requirements
• Identified Cloud provider
• Identified Gaps and overlay technologies
Phase 2:
• Solution deployment
• SA and OHO

Encrypted network extension to public Cloud, data encryption, NGFW, key management, AAA, a compliant provider
THANK YOU

LinkedIn: http://linkd.in/TKYmyR
Twitter: @NephosTech / @LeeBiggenden
Online: www.nephostechnologies.com
Email: [email protected]

WE’RE ALSO AVAILABLE AT STAND 719