Cloud Security Guidance
Tania Martin, Smals Research, February 2015
www.smalsresearch.be
Overview of the cloud Intro – Model – Govern – IAM – IT Sec – Oper Sec – Dropbox – Choose – Conclu 2/66
What about the security of the cloud?
• Not 100% guaranteed by the cloud services
• Problematic for sensitive data, especially in our context: « social security and eHealth »
→ Assess the security of a cloud service before using it
During this presentation…
Look through the key points of cloud security.
Common thread: security assessment model of cloud services + Dropbox for Business
Agenda
1. Security assessment model: Governance, Identity and access management, IT security, Operational security
2. Example: Dropbox for Business
3. How to choose a cloud service
4. Conclusion
Security assessment model
Goal of the model
• Practical security model
• Help for experts: « Which cloud service can I use if I want to send a given type X of data there? »
• Eliminate/filter non-fruitful tracks
• Select potential candidates
Components of the model
4 major criteria:
• Governance
• Identity and Access Management
• IT Security
• Operational Security
Inputs: Cloud Policy of the Belgian social security; type of data
2 evaluation forms:
• Assess the security level of a cloud service
• Assess the possibility of using a cloud service
What does the model look like? Dropbox for Business
Governance
Legal implications
Which laws apply to the data? (Not OK!!!)
Voc: CSP (Cloud Service Provider)
Supply chain management
Is the CSP always responsible for its contractual commitments?
Audit
• Every 6 months
• Every year
(10/10)
Meta-data
• Are meta-data extracted?
• Are meta-data only used for the cloud service?
Quality of the service
• Business continuity plan
• SLA
• Reversibility of the service
Governance: to remember
• Which laws?
• Reliable supply chain?
• Regular audit?
• No misuse of meta-data?
• Good quality of service?
Identity and Access Management
Authentication level
• Username + Password
« 2-factor » authentication:
• Username + Password + Token
• Username + Password + Certificate
• Username + Password + Certificate/Token + Location (10/10)
User management
Trusted (10/10)
Access management
Well defined / Forbidden
IAM: to remember
• 2-factor authentication?
• Controlled user management?
• Well-defined access management?
IT Security
Security standards
OS:
• Anti-virus, anti-malware
• Patch management process
• Acceptance environments
Physical + virtual infrastructure:
• Network security: firewall, APT detection tools
• Monitoring: IDS/IPS, file integrity
• Data leak detection: DLP tools
• Protection of hypervisors and admin consoles
• Secure data deletion: crypto wiping, demagnetization
Interface:
• Data integrity and security in input and output
• API developed according to standards (e.g. OWASP)
Segregation of data
• Private: off-premises/on-premises
• Community: off-premises/on-premises
Very important point BUT often not documented
Cryptography
• Confidentiality towards the CSP: encryption
• Confidentiality: encryption
• Integrity: hash, digital signature
Strong crypto? Tools?
Key management
• At the CSP’s
• At the user’s: « I forgot/lost my … . My data is irrecoverable!!! »
• At the sysadmin’s or TTP’s
IT security: to remember
• Security standards in place?
• Segregation of data?
• Cryptography standards used?
• Data confidentiality and integrity?
• Key management at the sysadmin’s?
Operational Security
Backup and disaster recovery
• Adaptable backup plan: « Hey, I want some backups for my data! » « No problem! We have: Plan A, Plan B, Plan C »
• Disaster recovery plan: « No panic!!! We have: Plan A, Plan B, Plan C »
Some values for the RTO and RPO: ≈ 1 hour (10/10), ≈ 1 day, ≈ 1 week (!)
Voc: RTO (Recovery Time Objective), RPO (Recovery Point Objective)
Incident management
• Appropriate incident management: preparation, mitigation, response, recovery
• SIEM: user activity monitoring, log collection, log forensics, log retention, file integrity monitoring, IT compliance, event correlation, dashboards
• Security training of employees
Operational security: to remember
• Adaptable backup plan?
• RTO and RPO < 1 day?
• SIEM?
• Appropriate incident management?
• Security training of employees?
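The two evaluation forms of the model (score a service on the four criteria, then decide whether a given type of data may be sent there), as an added Python sketch that is not Smals' own tool: the checklist items follow the "to remember" slides, while the point values, data types, thresholds and the sample service are constructed.

```python
"""Toy implementation of the two evaluation forms described in the slides:
(1) score a cloud service on the four criteria, (2) decide whether a given type
of data may be sent to it. Illustrative code, not Smals' own model: the
checklists follow the "to remember" slides, while point values, data types
and thresholds are constructed."""

CRITERIA = ("governance", "iam", "it_security", "operational_security")

# Constructed checklist: each "yes" earns the listed points, 10 per criterion.
CHECKLIST = {
    "governance": {"laws_known": 2, "reliable_supply_chain": 2, "regular_audit": 2,
                   "no_metadata_misuse": 2, "good_quality_of_service": 2},
    "iam": {"two_factor_auth": 4, "controlled_user_mgmt": 3, "defined_access_mgmt": 3},
    "it_security": {"security_standards": 2, "data_segregation": 3,
                    "strong_crypto": 2, "keys_at_sysadmin": 3},
    "operational_security": {"adaptable_backup": 3, "rto_rpo_under_1_day": 3,
                             "siem": 2, "incident_mgmt": 1, "security_training": 1},
}

# Constructed cloud policy: minimum score per criterion required by data type.
POLICY = {
    "public": {c: 3 for c in CRITERIA},
    "internal": {c: 6 for c in CRITERIA},
    "sensitive": {"governance": 8, "iam": 10, "it_security": 8, "operational_security": 8},
}

# Constructed answers for a hypothetical service: everything in place except
# customer-side key management and a sub-day RTO/RPO.
SAMPLE_SERVICE = {item: True for items in CHECKLIST.values() for item in items}
SAMPLE_SERVICE.update({"keys_at_sysadmin": False, "rto_rpo_under_1_day": False})


def score_service(answers):
    """Form 1: per-criterion score (0-10) from yes/no checklist answers."""
    return {crit: sum(pts for item, pts in items.items() if answers.get(item, False))
            for crit, items in CHECKLIST.items()}


def assess_usage(answers, data_type):
    """Form 2: may data of this type be sent to the service?
    Returns (ok, gaps); gaps maps each failing criterion to the missing points."""
    scores = score_service(answers)
    required = POLICY[data_type]
    gaps = {c: required[c] - scores[c] for c in CRITERIA if scores[c] < required[c]}
    return (not gaps, gaps)


if __name__ == "__main__":
    for dt in POLICY:
        ok, gaps = assess_usage(SAMPLE_SERVICE, dt)
        print(f"{dt}: {'OK' if ok else 'not OK'} {gaps}")
```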
Example: Dropbox for Business
How does the model work?