Power Struggle: Balancing Relationships & Responsibility in the Cloud

@marknca

My service provider handles security. I don’t need to worry about it.

Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro (@marknca)

Moving IT infrastructure to AWS creates a shared responsibility model between the customer and AWS.

Amazon Web Services: Overview of Security Processes by AWS, Jun/2014

…a cloud platform like Azure requires shared responsibility between the customer and Microsoft

Microsoft Azure Trust Center by Microsoft, Feb/2015

Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients.

Cloud Special Interest Group by PCI Security Standard Council, Feb/2013

The Model

Responsible means the daily management of security controls, in the context of a provider/client relationship.

6 CRITICAL AREAS OF RESPONSIBILITY: Data, Application, Operating System, Virtualization, Infrastructure, Physical

The service types IaaS, PaaS and SaaS are each mapped onto these six areas.

IaaS: Google Compute Engine, Azure Virtual Machines, Amazon EC2

PaaS: Salesforce.com, Engine Yard, Heroku

SaaS: Google Apps, Basecamp, Workday

Commonalities across service types

Always: Data

Never: Virtualization, Infrastructure, Physical

D.I.Y.: We own everything. We control everything. We are responsible for security. Relationships are all internal.

CO-LOCATION: We own a rack at X. We control everything on the rack. We are responsible for security. Minor outside involvement.

CLOUD: We run N servers on X. We control the OS. We are responsible for part of security. Substantial outside involvement.

[Chart: "Science-y CHART" of % of Responsibility (0 to 100) by Service Type: D.I.Y., Co-Location, IaaS, PaaS, SaaS, with the "Gap of Discomfort" marked]

PERSPECTIVES

Shellshock

10/10 vulnerability. Widespread & easy to exploit

(){}; attacka:() { b; } | attack;

ACTIONS TO TAKE (for IaaS)

Update bash. Use an intrusion prevention system.
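"Update bash" is only done once you have verified the patch took effect on each instance. The following self-check is an added example, not part of the slides; it runs the widely published Shellshock probe (a function definition with a trailing command passed through the environment) and assumes only a POSIX /bin/sh, with bash possibly absent.

```shell
#!/bin/sh
# Added self-check (not from the slides): does the local bash still execute
# trailing commands from function definitions imported via the environment
# (the Shellshock bug)? Assumes a POSIX /bin/sh; bash may not be installed.

# Classify the captured output of the probe. Kept separate so it can be
# exercised with constructed strings, without needing a vulnerable bash.
classify_probe_output() {
  case "$1" in
    *vulnerable*) echo vulnerable ;;   # trailing command was executed
    *ok*)         echo patched ;;      # only the intended command ran
    *)            echo unknown ;;      # bash errored out or printed nothing
  esac
}

# Run the probe: export a function definition with a trailing command.
# A patched bash imports just the function body; an unpatched one also
# executes `echo vulnerable` while starting up.
shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo absent; return 0; }
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null)
  classify_probe_output "$out"
}

# Usage: prints one of absent / patched / vulnerable / unknown
shellshock_status
```

On a fleet, run it over every IaaS instance after patching and alert on anything other than "patched" or "absent".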

ACTIONS TO TAKE (for PaaS & SaaS)

Manage availability. Follow provider communications.

REALITY

Just because you don’t see the threats doesn’t mean they don’t exist

PROVIDER Perspective

CLIENT Perspective

CONTROLS

REPUTATION

CERTIFICATIONS

AWS

More details at http://aws.amazon.com/compliance/

Current certifications: PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, IRAP (.au), FIPS 140-2, CJIS, CSA, FERPA, HIPAA, FedRAMP (SM), DoD CSM 1-2, 3-5, DIACAP, ISO 27001, MTCS 3, ITAR, MPAA, G-Cloud, Section 508/VPAT, FISMA

Azure

More details at http://azure.microsoft.com/en-us/support/trust-center/compliance/

Current certifications: PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, IRAP (.au), FIPS 140-2, ISO 27002, CCCPPF, CJIS, CSA, FERPA, HIPAA, FedRAMP (SM), DoD CSM 1-2, 3-5, DIACAP, EU Model Clauses, MLPS (.cn), ISO 27001, MTCS 1, ITAR, MPAA, G-Cloud, Section 508/VPAT, FISMA, FDA 21 CFR

FOCUS: PCI DSS Level 1, SOC 2/3, SOC 1/ISAE 3402

Certifications

Audits

DEFENCE

RISKS

KEYS (recap of the earlier slides): the 6 critical areas of responsibility (Data, Application, Operating System, Virtualization, Infrastructure, Physical) mapped onto IaaS, PaaS and SaaS; the "Science-y CHART" of % of Responsibility by Service Type (D.I.Y., Co-Location, IaaS, PaaS, SaaS) with the Gap of Discomfort; and the PROVIDER Perspective versus the CLIENT Perspective.

THANK YOU

@marknca