Secure your cloud applications by building solid foundations with enterprise (security) architecture
Vladimir Jirasek, Managing director, Jirasek Consulting Services, and Research Director, Cloud Security Alliance, UK chapter
Jirasek Consulting Services. Classification: Public. Supporting Business Agility.

DESCRIPTION

This is a lecture I gave to CSA Slovenia in May 2013.



2. About me
- MBA (MSc) degree
- 20 years experience in IT
- 13 years experience in InfoSec
- Worked in various companies in diverse sectors
- Engaged in security organisations and projects such as CAMM, CSA
- Technical editor of a cloud security book
- Presents at security and IT conferences

3. Agenda
- Enterprise architecture crash course
- Security architecture overview
- Cloud security models
- Governance in Cloud
- Data security in Cloud
- Identity and Access in Cloud

4. ENTERPRISE ARCHITECTURE

5. What is Enterprise Architecture
Wikipedia: "Enterprise architecture (EA) is the process of translating business vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise's future state and enable its evolution."
Vladimir Jirasek: "Common sense to ensure everyone in a company is pulling in one direction, maximising ROI, reducing waste, increasing efficiency, effectiveness and agility, maintaining strategic focus and delivering tactical solutions."
Gartner: "Enterprise architecture is about strategy, not about engineering."

6. EA is a business support function
(Diagram: where in the organisation EA should be discussed versus where it is commonly discussed.)

7. EA frameworks
Source: http://msdn.microsoft.com/en-us/library/bb466232.aspx

8. One of the most used architecture frameworks: TOGAF

9. ENTERPRISE SECURITY ARCHITECTURE
10. Security model: business drives security
(Diagram; labels recovered from the slide.)
- Inputs: business objectives, compliance requirements, laws and regulations, business impact, business and information risks, security threats, international security standards, security intelligence.
- Policy framework (defined from the inputs): information security policies, information security standards, information security guidelines.
- Security management (line management, auditors, security management, risk and compliance, governance, product management, program management, assurance, security services, security professionals, IT GRC) defines the security controls; people, processes, technology and services execute them.
- Metrics framework: information security metrics objectives and external security metrics measure security maturity.
- Feedback loops: correction of security processes; update of business requirements.

11. Security architecture domains
- Security architect works across all domains
- Stakeholder in EA
- Works with domain architects (depends on the size of an organisation)

12. Cloud model maps to Security model
(Diagram: the cloud model maps directly onto the security model.)

13. Responsibilities for areas in the security model compared to delivery models
Areas: physical security, network security, host security, application security, data security, SIEM, identity and access, cryptography, business continuity, GRC.
Columns: provider responsible (IaaS, PaaS, SaaS) and customer responsible (IaaS, PaaS, SaaS). (The matrix markings are not reproduced in the text.)

14. Should data security be on CIOs' agendas? Why only CIO?
- Present time: not many security breaches so far. Why?
- Future: will become targeted as more enterprises rely on public Cloud computing.
- Drivers: consolidation of Cloud providers, cost savings in enterprises, the move to PaaS/SaaS.
- At stake: Cloud provider reputation/costs; your company's reputation/costs.
- Mandatory reading!
15. CLOUD DEPLOYMENT GOVERNANCE

16. Governance related to Cloud
- Setting company policy for Cloud computing
- Risk-based decision on which Cloud provider, if any, to engage
- Assigning responsibilities for enforcing and monitoring policy compliance
- Setting corrective actions for non-compliance

17. Cloud governance :: Policy
- Cloud adopted typically by: a) IT directors, managed relatively consistently and mostly [I|P]aaS; b) business managers, with less governance, typically SaaS.
- Policy should state: "It is a policy of … to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and standards."

18. Cloud standard structure
- General statements: governance requirements for Cloud; enterprise architecture to be ready for Cloud and for Cloud services to plug in (IAM, SIEM, data architecture, forensics); discovery of Cloud service use.
- Before a Cloud project: Cloud service to comply with data classification; encrypt all sensitive data in Cloud; link identity and access management (AAA) to the Cloud service.
- During a Cloud project: perform due diligence; do not forget the right to audit; know the locations of PII; assess availability (SLA and DR) of the Cloud provider; assess the Cloud provider's security controls; assess the potential for forensic investigation by the company's team.
- Running a Cloud service: limit use of live data for development and testing; monitor the Cloud provider's security controls; link the company's SIEM with the Cloud provider and monitor for incidents.
- Moving out of Cloud: data cleansing; data portability.
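"Discovery of Cloud service use" is the one item in the standard above that a security team can automate rather than mandate. The following is an added example (not from the slides) of how that discovery is typically done: web proxy logs are matched against a catalogue of known SaaS domains, and services that are unsanctioned or receiving large uploads are reported to the Cloud governance owner. The log lines, the key=value log format and the catalogue entries (including the hypothetical "crm-vendor.example") are constructed for illustration.

```python
"""Discovery of Cloud service use from web proxy logs.

Added example; not from the slides. The log format (key=value fields) and the
service catalogue are assumptions constructed for this illustration.
"""
import re

# Constructed catalogue: domain -> (service name, sanctioned by policy?).
# Matching is done on the host and each of its parent domains.
CATALOGUE = {
    "dropbox.com": ("Dropbox", False),           # file sharing, not sanctioned here
    "mail.google.com": ("Gmail", True),          # sanctioned in this example
    "crm-vendor.example": ("Hosted CRM", True),  # hypothetical SaaS CRM
}

# Constructed proxy log lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
2013-05-14T09:12:03 user=jdoe method=POST host=www.dropbox.com bytes_out=52428800 status=200
2013-05-14T09:13:10 user=asmith method=GET host=mail.google.com bytes_out=412 status=200
2013-05-14T09:15:44 user=jdoe method=GET host=mail.google.com bytes_out=380 status=200
2013-05-14T09:20:01 user=mlee method=POST host=dl.dropbox.com bytes_out=10485760 status=200
2013-05-14T09:21:37 user=asmith method=POST host=api.crm-vendor.example bytes_out=8192 status=200
2013-05-14T09:25:12 user=mlee method=GET host=intranet.corp.example bytes_out=120 status=200
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"bytes_out=(?P<bytes_out>\d+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def lookup_service(host):
    """Match the host or any parent domain (dl.dropbox.com -> dropbox.com)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def discover(log_text):
    """Aggregate per service: distinct users, request count, bytes uploaded."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        svc = lookup_service(rec["host"])
        if svc is None:
            continue  # not a catalogued Cloud service
        name, sanctioned = svc
        entry = report.setdefault(
            name, {"sanctioned": sanctioned, "users": set(), "requests": 0, "upload_bytes": 0}
        )
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):  # data leaving the company
            entry["upload_bytes"] += rec["bytes_out"]
    return report


def unsanctioned_uploads(report):
    """Unsanctioned services as (name, bytes uploaded, users), largest first."""
    rows = [
        (name, e["upload_bytes"], sorted(e["users"]))
        for name, e in report.items()
        if not e["sanctioned"]
    ]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for name, total, users in unsanctioned_uploads(discover(SAMPLE_LOG)):
        print(f"{name}: {total} bytes uploaded by {', '.join(users)}")
```

The parent-domain walk in `lookup_service` matters in practice: SaaS products spread across many subdomains (here `www.` and `dl.`), and a catalogue keyed on exact hosts would undercount. Counting only POST/PUT bytes separates "someone read their webmail" from "someone uploaded 50 MB to a file-sharing service", which is the signal the data-classification and portability requirements above care about.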
19. Example: I have 1 TB of CSV files, now what?
- Customer uses a well-known CRM in the Cloud
- SaaS designed to immerse clients into a well-defined, bespoke CRM
- No known data model
- Export of data only in CSV
Tip: Portability is the key in SaaS applications. Think about leaving the Cloud provider up front. How will you take your data?

20. Example: Scaling development up/down
- Large manufacturing and service company
- Requirement to support development needs with seasonal demands: an ideal case for [I|P]aaS
- Security team approached up front to perform a review
- Live data not uploaded to the provider before on-site sanitising

21. DATA SECURITY IN CLOUD

22. Cloud provider: "AES-128, so it must be secure! Trust me!"
(Diagram: a secret PDF leaves the Cloud service user as a bit string and arrives at the Cloud Service Provider as the same secret PDF.)
Just because it is encrypted does not make it secure. Look end to end.

23. However, not all data in the cloud are secret!

24. Sometimes too much encryption is bad, though. Who holds the encryption keys? Are they available?

25. Data protection options in cloud models
(Table; columns: Infrastructure as a Service, Platform as a Service, Software as a Service.)
- Network: network VPN (could extend to SaaS); web TLS (for IaaS operated by the customer)
- Host: encryption appliance (e.g. SafeNet ProtectV); provider-dependent and provider-operated host encryption
- Application: application encryption (customer retains keys); tokenisation and anonymisation
- Data: extend company file or object encryption; encrypting/tokenising reverse proxy engines (e.g. CipherCloud); extend DLP or eDRM; provider-operated data/database encryption
- SIEM: extend company SIEM; plug in to the provider's SIEM
26. Example of SaaS: use of Gmail inside and outside an organisation
- SaaS web-based application; other standard interfaces: IMAP, POP3, SMTP, Web API
- Data in Gmail is available to anyone with proper authentication
- TLS used on the transport layer
- Consider using a CipherCloud-like product, but be mindful of traffic flows with external customers
(Diagram: intra-company sender and recipient pass through the proxy; an external sender or recipient does not.)

27. Example of IaaS
- Cloud provider offers virtual computing resources for internal apps deployment
- Cloud provider can theoretically access all data if decryption happens on the virtual machine! But would they?
- Two possible models: local crypto operations with remote key management (consider SafeNet ProtectV); remote crypto operations over VPN (speed penalty)
(Diagram: internal user, administrator and travelling user reach the virtual servers over the intra-company VPN; key management/HSM stays on the company side; data is encrypted either by local encryption operations on the virtual server or by remote encryption operations.)

28. IDENTITY AND ACCESS MANAGEMENT IN CLOUD

29. IAM is a complex domain :: closer to information management than security!
Identity management, Access management, Federation, Entitlements. These capabilities can be, and are, mixed between on-site (managed by organisations) and provided as a service by Cloud providers.

30. Identity management :: mostly information management
- Principal management
- Credential management
- Attribute management: group memberships, business and IT roles
- Directory
- Link to HR data: provision and de-provision users from cloud services automatically
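Slides 22, 24 and 27 make one point from three angles: the ciphertext is only as private as the custody of the key, and a key that is unavailable makes the data unavailable too. The following added example (not code from the slides or from any product named on them) models the two IaaS patterns of slide 27. Model A keeps a data encryption key on the virtual machine only while it is in use and stores it wrapped under a key that never leaves the key server; model B sends the data to the key server for every crypto operation, so the VM never sees any key. The `KeyServer` class is a stand-in for the HSM or key manager, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used in place of AES-GCM only so that the example runs with the standard library. Both are assumptions made for this illustration.

```python
"""Key custody in IaaS: what a provider snapshot can and cannot reveal.

Added example, not from the slides. KeyServer stands in for the HSM / remote
key manager; seal/unseal are an HMAC-SHA256 keystream with encrypt-then-MAC,
used instead of AES-GCM so that only the standard library is needed.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Separate encryption and MAC subkeys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # PRF in counter mode: HMAC(enc_key, nonce || counter) blocks.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, plaintext):
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; raise ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyServer:
    """Assumed stand-in for the company-side HSM: the KEK never leaves it."""

    def __init__(self):
        self._kek = os.urandom(32)
        self.released_deks = 0  # how many plaintext DEKs were handed to a VM

    # Model A: local crypto operations, remote key management.
    def wrap(self, dek):
        return seal(self._kek, dek)

    def unwrap(self, wrapped):
        self.released_deks += 1
        return unseal(self._kek, wrapped)

    # Model B: remote crypto operations (data crosses the VPN, keys do not).
    def encrypt(self, plaintext):
        return seal(self._kek, plaintext)

    def decrypt(self, blob):
        return unseal(self._kek, blob)


def local_write(ks, data):
    """Model A: DEK generated on the VM, persisted only in wrapped form."""
    dek = os.urandom(32)
    disk = {"blob": seal(dek, data), "wrapped_dek": ks.wrap(dek)}
    del dek  # plaintext DEK exists on the VM only while in use
    return disk


def local_read(ks, disk):
    dek = ks.unwrap(disk["wrapped_dek"])  # needs the key server to cooperate
    return unseal(dek, disk["blob"])


def remote_write(ks, data):
    """Model B: the VM never holds any key; every operation goes over the VPN."""
    return {"blob": ks.encrypt(data)}


def remote_read(ks, disk):
    return ks.decrypt(disk["blob"])


def provider_can_read(disk, secret):
    """Simulate a provider snapshot: is the plaintext in the persisted image?"""
    return any(secret in value for value in disk.values())


def rejects(fn, *args):
    """True when the operation fails authentication."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ks = KeyServer()
    record = b"constructed sample: Jane Doe, card ending 4242"
    disk = local_write(ks, record)
    print("snapshot leaks plaintext:", provider_can_read(disk, b"Jane Doe"))
    print("readable with key server:", local_read(ks, disk) == record)
    print("readable without key server:", not rejects(local_read, KeyServer(), disk))
```

The `released_deks` counter is the difference between the two models in one number: under model A the plaintext DEK is in VM memory during every read, so a provider with access to that memory can in principle recover it; under model B it never is, at the price of every read and write crossing the VPN (the "speed penalty" on slide 27). The `rejects(local_read, KeyServer(), disk)` check is slide 24's question in code: if the key server is lost, unavailable or replaced, the data is unreadable by everyone, including you.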
31. Entitlements and Access management
Entitlements:
- Managing access policies
- XACML policies (Subject, Rule, Resource)
- Bespoke policies
- Based on attributes or groups
- Connects subjects and resources
Access management:
- Uses identity information, entitlement policies and context to make access decisions: Grant, Deny, Grant but limit
- Decision closer to the resource

32. Identity Federation :: Let's trust identity providers
- Not everyone wants to have thousands of usernames/passwords
- Cloud services are ideal for identity federation
- SAML 2.0
- OAuth 2.0 (do not confuse with OATH)

33. Summary
- Create an Enterprise Architecture function with a dotted line to the CEO
- Appoint a Security Architect as part of the Enterprise Architecture function
- Have a Cloud policy/standard and update risk management classification
- Always think of the exit from Cloud first!
- Discover usage of Cloud services
- Prepare your enterprise architecture to plug Cloud services in: IAM, SIEM, key management
- Build IAM that supports a changing business. Federate and federate
- Do not fear Cloud: it is a sophisticated form of outsourcing; use supplier management techniques.

34. Links
- A Comparison of the Top Four Enterprise-Architecture Methodologies: http://msdn.microsoft.com/en-us/library/bb466232.aspx
- TOGAF 9: http://www.opengroup.org/togaf/
- CipherCloud: http://www.ciphercloud.com/
- Amazon AWS Security: https://aws.amazon.com/security/
- Dropbox security incidents: http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/

35. Contact
Vladimir Jirasek, [email protected], www.jirasekconsulting.com, @vjirasek, About.me/Jirasek
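Slide 31 describes attribute-based entitlements in the XACML style and three possible decisions, including "grant but limit". The following added example (not from the slides, and not an XACML implementation) shows what that looks like as a small policy decision point: each rule binds subject attributes, resource attributes, an action and context, and carries an effect of Permit or Deny; a Permit may carry an obligation, which is how "grant but limit" is expressed. The combining algorithm is deny-overrides with default deny. The policy content, attribute names and the `mask:` obligation format are constructed for illustration.

```python
"""Attribute-based access decisions with obligations ("grant but limit").

Added example, not from the slides. A minimal policy decision point in the
spirit of XACML (subject, resource, action, context -> Permit/Deny plus an
optional obligation). Attribute names and policy content are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    effect: str                 # "Permit" or "Deny"
    subject: dict               # required subject attributes, all must match
    resource: dict              # required resource attributes, all must match
    actions: set                # actions the rule applies to
    context: dict = field(default_factory=dict)   # e.g. network location
    obligation: Optional[str] = None              # limit attached to a Permit


def _matches(required, actual):
    """Every required attribute must match; a set means 'any of these'."""
    for key, wanted in required.items():
        have = actual.get(key)
        if isinstance(wanted, set):
            have_set = set(have) if isinstance(have, (set, list, tuple)) else {have}
            if not (have_set & wanted):
                return False
        elif have != wanted:
            return False
    return True


def decide(policy, subject, resource, action, context):
    """Deny-overrides: any applicable Deny wins; else first Permit; else Deny."""
    applicable = [
        r for r in policy
        if action in r.actions
        and _matches(r.subject, subject)
        and _matches(r.resource, resource)
        and _matches(r.context, context)
    ]
    if any(r.effect == "Deny" for r in applicable):
        return ("Deny", None)
    for r in applicable:
        if r.effect == "Permit":
            return ("Permit", r.obligation)
    return ("Deny", None)  # default deny when no rule applies


def apply_obligation(obligation, record):
    """Enforcement point: honour a 'mask:<field>' obligation on the returned data."""
    out = dict(record)
    if obligation and obligation.startswith("mask:"):
        name = obligation.split(":", 1)[1]
        if name in out:
            value = str(out[name])
            out[name] = "*" * max(len(value) - 4, 0) + value[-4:]
    return out


# Constructed policy for a finance data set.
POLICY = [
    Rule("no-restricted-offsite", "Deny", subject={}, resource={"classification": "restricted"},
         actions={"read", "write"}, context={"network": "external"}),
    Rule("finance-onsite", "Permit", subject={"groups": {"finance"}}, resource={"owner": "finance"},
         actions={"read", "write"}, context={"network": "internal"}),
    Rule("finance-offsite-masked", "Permit", subject={"groups": {"finance"}}, resource={"owner": "finance"},
         actions={"read"}, context={"network": "external"}, obligation="mask:card_number"),
    Rule("auditor-read-all", "Permit", subject={"role": "auditor"}, resource={},
         actions={"read"}, obligation="log:access"),
]

FINANCE_USER = {"id": "jdoe", "groups": ["finance", "staff"]}
SALES_USER = {"id": "mlee", "groups": ["sales"]}
AUDITOR = {"id": "asmith", "role": "auditor"}
REPORT = {"owner": "finance", "classification": "confidential"}
RESTRICTED = {"owner": "finance", "classification": "restricted"}


if __name__ == "__main__":
    decision, obligation = decide(POLICY, FINANCE_USER, REPORT, "read", {"network": "external"})
    print(decision, obligation)
    print(apply_obligation(obligation, {"card_number": "4111111111114242"}))
```

Two points a practitioner would check in any real PDP are visible here: the default is Deny when nothing matches (the sales user gets nothing without a rule saying so), and Deny beats Permit when both apply (the restricted record stays unreadable off-site even though the masked-read rule would have permitted it). The obligation is only a "grant but limit" if the enforcement point actually honours it, which is why `apply_obligation` is part of the example rather than left to the caller.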