Cloud Contract - PowerPoint

Cloud Computing
Critical Areas of Focus To Manage Risk

Tom Witwicki CIPP
INFOSEC Jan 13, 2010

1/13/2010           Tom Witwicki CIPP   1
Needing careful consideration of the risks
to be managed:
Acknowledgement: Cloud Security Alliance
•   Cloud Architecture and Delivery Models
•   Risk Management
•   Legal
•   Compliance and Audit
•   Information Lifecycle Management
•   Portability and Interoperability
•   Incident Response
•   Business Continuity
•   Data Center Operations
•   Encryption and Key Management
•   Identity and Access Management
•   Storage
•   Virtualization

Control Disconnect

• The rules for managing risk still apply, but the game has changed

   Enterprise                          Cloud Vendor
   Security Policy                     Control Design &
   Enterprise Control Requirements     Control Monitoring

Characteristics of Cloud Computing

• Abstraction of Infrastructure
     – Opaque from the application’s perspective
     – High levels of Virtualization (OS, File Systems)
• Democratization of Resources
     – Pooled resources (shared, dedicated)
• Services Oriented Architecture
     – Focus on delivery of services, not management
• Elasticity/Dynamism
     – Rapidly expand or contract resource utilization
• Utility Consumption Model
     – “all-you-can-eat” but “pay-by-the-bite”

Service Delivery Models

• SaaS (Software as a Service)
     – least extensibility and greatest amount of security responsibility
       taken on by the cloud provider
• PaaS (Platform as a Service)
     – lies somewhere in the middle, with extensibility and security
       features which must be leveraged by the customer
• IaaS (Infrastructure as a Service)
     – greatest extensibility and least amount of security responsibility
       taken on by the cloud provider
• “Classify” the service to determine security
   responsibilities of the customer

Deployment Modalities
• Private
     – Single tenant operating environment
     – On or off premises
     – “Trusted” consumers
• Public
     – Single or multi-tenant environment
     – Infrastructure owned and managed by service provider
     – Consumers considered “untrusted”
• Managed
     – Single or multi-tenant
     – Infrastructure on premises managed and controlled by service provider
     – Consumers trusted or untrusted
• Hybrid
     – Combination of public and private offerings
     – Application portability
     – Information exchange across disparate cloud offerings

Cloud Reference Model


Mapping the Cloud to the Security

[Diagram: cloud stack layers mapped to security controls; the layer labels did not survive extraction. Controls shown, top to bottom:]
• SDLC, App Firewalls
• Data Classification, DLP, Audit Logging, encryption
• Config and Patch Mgt, Pen Testing
• Firewall rules, QoS, Anti-DDoS
• Multi-level Security, Certificates and Key
• HIDS/HIPS, Log Mgt, Encryption
• Data Center Security, Redundancy,
Risk Management
• Issues
     – Ability of the user organization to assess risk
     – Limited usefulness of certifications (e.g. SAS 70,
     – Many cloud services providers accept no responsibility
       for data stored (no risk transference)
     – User has no view of provider procedures governed by
       regulation or statute
        • Access and identity mgt, segregation of duties
     – Lack of clarity on data controls
        • Data backup and recovery, offsite storage, virtual
            provisioning (where is the data?), data removal

Risk Management
• Guidance
     – In-depth due diligence prior to executing contractual terms, SLA
     – Examine creating Private or Hybrid Cloud that provides
       appropriate level of controls
     – Comprehensive due diligence before using Public Cloud for
       mission critical components of business
     – Request documentation on how the service is assessed for risk
       and audited for control weaknesses and if results are available to
     – Listing of all 3rd party providers
     – What regulations and statutes govern site and how compliance
       is achieved

• Compliance Liabilities
     – Organizations are custodians of the personal data entrusted to
       them (in-cloud or off-cloud)
     – State (data breach), Federal (FTC act), international (EU Data
       Protection) scope
     – Mandates that the organization impose appropriate security
       measures on its service providers (HIPAA, GLBA, MA 201 CMR
       17.00, PCI)
     – Company relinquishes most controls over data in the cloud
     – Contract may be in the form of a “click-wrap” agreement which
       is not negotiated
     – Data encryption requirements!!!

• Location diligence
     – Understand in which country its data will be hosted (local laws
       have jurisdiction) – EU data transfer provisions
     – Contractually limit the service provider's ability to subcontract
     – May want to ensure against data commingling
     – Technical/logistical limits to all of the above
• Ensuring Privacy Protection
     –   Align with Privacy Notices
     –   Data not used for secondary purposes
     –   Not disclosed to 3rd parties
     –   Comply with individual Opt-in/Opt-out choices
     –   Disclosure of security breach
     –   May not be mature enough for regulated information!

• Responding to Litigation requests
     – Identify compliance with E-discovery provisions –
       routinely not included in cloud service contracts
     – 3rd party subpoena request notification
• Monitoring
     – Ability to conduct compliance monitoring and testing
       for vulnerabilities
• Termination
     – Must retrieve the data or ensure its destruction

EPIC – Electronic Privacy
Information Center
• March 09 – filed a complaint with FTC
     – Urged investigation into Cloud Computing Services
       such as Google Docs
     – Determine adequacy of Privacy and Security
• Computer researchers sent letter to Google CEO
     – Uphold privacy promises
     – HTTPS not default security setting
     – Forces users to “opt-in” for security

• Data Classification a must
     – Identify and segregate that data which needs the
       most stringent controls (based on impact assessment)
     – Match controls to data classification (not all data is
       created equal)
        • Protected (regulated)
        • Confidential (need to know)
        • Public (approval to make public)
     – Recommended control: Encrypt all regulated data
        • In transit and at rest
        • Network segregation seldom feasible

Portability and Interoperability

• What happens when the cloud provider
   isn’t good enough?
     – Unacceptable cost increase
     – Provider goes out of business
     – One or more cloud services discontinued
     – Service quality degraded
     – Onus on customer to have portability as a
       design goal

Portability and Interoperability
• SaaS
     – Ensure easy access to data in a format that is documented
     – Keep regular backups outside the cloud
     – Consider best-of-breed providers whose competitors have capabilities to
       migrate data
• IaaS
     – Application deployment on top of the virtual machine image
     – Backups kept in a cloud-independent format (e.g. independent of the
       machine image)
     – Copies of backups moved out of the cloud regularly
• PaaS
     – Application development architecture employed to create an abstraction
     – Also data backups off-cloud

Business Continuity
• Obtain specific written commitments from the provider
   on recovery objectives
     – Understand your data and its recovery objectives (RTO, RPO)
• Identify interdependencies in the provider’s
     – Site risk (earthquake, flood, airport)
     – Infrastructure risk (redundancy of utilities, communication lines)
• Onsite inspections
• Integrate provider DR plans into your organization’s BCP

Data Center Operations
• You have neighbors! Who are they?
     – Potential to consume an inordinate amount of resources, which impacts
       your performance?
     – Providers seek to maximize resource utilization
• For IaaS and PaaS
     – Understand the provider's patch mgt policies (notification, rollbacks, testing)
• Compartmentalization of resources (Data mixing) and segregation of
• Logging practices (what, how long?)
• Test customer service function regularly
• Indicator for operational quality – presence of staging facilities for
  both provider and customer

Incident Response
• Cloud Computing Community incident database:
     –   Malware infection
     –   Data Breach
     –   Man-in-the-middle discovery
     –   User impersonation
• Detection
     – Application firewalls, proxies and logging tools are key
     – No standard application level logging framework
• Notification
     – Requires a registry of Application owners by interface
• Application shutdown is normally first act taken
     – Appropriate remediation?
     – Provider and customers need defined process to collaborate on decisions
• Criminal investigation – evidence capture?

Application Security
• What security controls must the application
    provide over and above inherent cloud controls?
•   How must an enterprise SDLC change to
    accommodate cloud computing?
•   Issues:
     –   Multi-tenant environment
     –   Lack of direct control over environment
     –   Access to data by cloud vendor
     –   Managing application “secret keys” which identify
         valid accounts

Application Security
IaaS model
• Virtual image
     – should undergo security verification and hardening
     – Conform to enterprise trusted host baselines
     – Alternative: use a trusted 3rd party for the virtual image
• Inter-host communication
     – Assume an untrusted network
     – Authentication and encryption
• Codify trust with SLA
     – Security measures
     – Security testing

Application Security
PaaS model
• Enterprise Service Bus (ESB)
     – Asynchronous messaging
     – Message routing
     – Where multi-tenanted, the ESB will be shared
     – Segmenting based on classifications not
     – Securing messages the responsibility of the

Application Security
SaaS model
• Verify/audit the maturity of the vendor’s SDLC
• Custom code extensions
• Data exchange via APIs

Encryption and Key Management

• Encryption for Confidentiality and Integrity
     – Data at rest (IaaS, PaaS, SaaS)
     – Data in transit (within the provider’s network)
     – On backup media
• Key Management
     –   Secure key stores
     –   Access to key stores
     –   Key backup and recoverability
     –   OASIS Key Management Interoperability Protocol
         (KMIP) – emerging standard

Encryption and Key Management
• Assure regulated and/or sensitive customer data is encrypted in
  transit over the cloud provider’s internal network, in addition to
  being encrypted at rest
• Segregate the key management from the cloud provider hosting the
  data, creating a chain of separation
     – Protects both when compelled by legal mandate
• Contractual assurance that encryption adheres to industry or
  government standards
• Understand how cloud providers provide role management and
  separation of duties (key mgt)
• In IaaS environments, understand how sensitive information and
  key material otherwise protected by traditional encryption may be
  exposed during usage.
     – E.g. virtual machine swap files and other temporary data storage
       locations may also need to be encrypted

Encryption and Key Management
Recommendations continued
• If cloud provider must perform key
     – the provider has defined processes for a key
       management lifecycle: how keys are
       generated, used, stored, backed up,
       recovered, rotated, and deleted.
• Key sets should be unique per customer

Identity Management

• Federated Identity Management
     – needed to leverage the Enterprise IM and
     – SAML the leading standard
     – Many Cloud vendors are immature in adoption
       of federation standards
     – With IaaS and PaaS, integration will have to
       be built

Identity Management
• User Management
     – Understand cloud provider’s capabilities
     – Provisioning
     – De-Provisioning
• Authentication
     – Password controls
     – Password strength
• Authorization
     – Usually proprietary
     – Urge XACML-compliant entitlement
• Consider “Identity as a Service”

Some Parting Thoughts
• New Technology, old vulnerabilities remain and new
    ones arise
•   Loss of security by “default” – trust boundaries
•   Commingling challenges integrity and confidentiality
•   Jurisdiction control and regulatory issues
•   Virtualization
     – Security through isolation, but...
     – Virtual infrastructure increases the risk
• Assess risk, mitigate, formally accept
