SlideShare a Scribd company logo

Taiye Lambo - Auditing the cloud

N
nooralmousa

The document summarizes key points from a presentation on cloud computing security best practices. It discusses auditing practices from several organizations, including ENISA, CSA, and Microsoft. ENISA recommendations include personnel security practices, supply chain assurance, operational security controls like change management and logging, and software integrity protections. The presentation provides an overview of cloud computing concepts and case studies on government and commercial cloud users.

1 of 75
Downloaded 59 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Kuwait Info Security Conference Auditing the Cloud
About Me Taiye L b CISSP, CISA, CISM, HISP, T i Lambo CISSP CISA CISM HISP ISO 27001 Auditor A dit President & Founder, eFortresses, Inc. Author Holistic Information Security Practitioner ( y (HISP) Certification Course ) Founder Holistic Information Security Practitioner (HISP) Institute – www.hispi.org Founder UK Honeynet Project – www honeynet org uk www.honeynet.org.uk Hybrid technical and business information security practitioner, with 14 years Information Security experience, including: Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001 consulting engagements to various clients in the Manufacturing, Government, Financial Services and Healthcare sectors in the UK and US. Presented at security events including conferences organized by organized by ISSA, InfraGard, ISACA, CPM, HITRUST and SOFE. 2
Caveats and Disclaimers • This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security • It is NOT intended to provide official eFortresses and/or NIST guidance and NIST does not make policy • A mention of a vendor or product is NOT Any ti f d d ti an endorsement or recommendation Citation Note: Most sources for the material in this presentation are included within the PowerPoint “ slides 3
Cloud Computing Quotes from Vivek Kundra (Federal CIO): "The cloud will do for government what the Internet did in the '90s " he said. "We're 90s, said We re interested in consumer technology for the enterprise, enterprise " Kundra added "It's a fundamental added. It s change to the way our government operates by moving to the cloud Rather than owning the cloud. infrastructure, we can save millions." http://www.nextgov.com/nextgov/ng 20081126_1117.php p g g g_ p p 4
Part I: Effective and Secure Use Understanding Cloud Computing Cloud Computing Clo d Comp ting Case St dies Studies Part II: Cl d A diti B t P P t II Cloud Auditing Best Practices ti ENISA AGENDA CSA Microsoft CloudeAssurance 5
Part I: Effective and Secure Use 6
Understanding Cloud Computing Origin of the term “Cloud Computing Cloud Computing” • “Comes from the early days of the Internet where we drew y y the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google • First cloud around networking (TCP/IP abstraction) • Second cloud around documents (WWW data abstraction) • The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms – (“muck” as Amazon’s CEO Jeff Bezos calls it) Jeff Bezos’ quote: http://news cnet com/8301-13953 3-9977100-80 html?tag=mncol Bezos http://news.cnet.com/8301 13953_3 9977100 80.html?tag mncol Kevin Marks quote: http://news.cnet.com/8301-13953_3-9938949-80.html?tag=mncol video interview 7
A Working Definition of Cloud Computing • Cl d computing i a model f enabling Cloud ti is d l for bli convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. • This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. models 8
Five Essential Cloud Characteristics 9
Three Cloud Service Models • Cloud Software as a Service (SaaS) – Use provider’s applications over a network • Cloud Platform as a Service (PaaS) ( ) – Deploy customer-created applications to a cloud • Cloud Infrastructure as a Service (IaaS) – R t processing, storage, network capacity, and other Rent i t t k it d th fundamental computing resources • To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics 10
Service Model Architectures Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure IaaS Software as a Service PaaS PaaS (SaaS) SaaS SaaS SaaS Architectures Cloud Infrastructure Cloud Infrastructure IaaS Platform as a Service (PaaS) ( ) PaaS PaaS Architectures Cloud Infrastructure IaaS Infrastructure as a Service (IaaS) Architectures 11
NIST Four Cloud Deployment Models • Private cloud – enterprise owned or leased • Community cloud – shared infrastructure for specific community • Public cloud – Sold to the public, mega-scale infrastructure • Hybrid cloud – composition of two or more clouds 12
The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Private Community C it Public Cloud Cloud Cloud Service Software as a Platform as a Infrastructure as a Models Service (SaaS) Service (PaaS) Service (IaaS) On Demand Self-Service Essential Broad Network A B dN k Access Rapid Elasticity R id El i i Characteristics Resource Pooling Measured Service Massive Scale Resilient Computing Common Homogeneity Geographic Distribution Characteristics Virtualization Service Orientation Low Cost Software Advanced Security 13
Jericho Forum’s Cloud Cube Deployment Model 14
General Security Advantages • Shifting public data to a external cloud reduces the exposure of the internal sensitive data • Cloud homogeneity makes security auditing/testing simpler • Clouds enable automated security management t • Redundancy / Disaster Recovery 15
Cloud Computing Case Studies and Security Models 16
Google Cloud User: City of Washington D.C. DC • Vivek Kundra, Former CTO for the DC (now Federal CIO) • Migrating 38,000 employees to Google Apps • Replace office software – Gmail – Google Docs (word processing and spreadsheets) – Google video for business – Google sites (intranet sites and wikis) • “It's a fundamental change to the way our government It s operates by moving to the cloud. Rather than owning the infrastructure, we can save millions.”, Mr. Kundra • 500 000+ organizations use Google Apps 500,000+ 17
Case Study: Facebook’s Use of Open Source and Commodity Hardware (8/08) • Jonathan Heiliger Facebook's vice president of technical operations Heiliger, Facebook s • 80 million users + 250,000 new users per day • 50,000 transactions per second, 10,000+ servers • Built on open source software – Web and App tier: Apache, PHP, AJAX – Middleware tier: Memcached (Open source caching) – Data tier: MySQL (Open source DB) y ( p ) • Thousands of DB instances store data in distributed fashion (avoids collisions of many users accessing the same DB) • “We don't need fancy graphics chips and PCI cards," he said. “We need one USB port and optimized power and airflow Give me one airflow. CPU, a little memory and one power supply. If it fails, I don't care. We are solving the redundancy problem in software.” Data taken from CNET news article and interview 8/18/08 http://news.cnet.com/8301-13953_3-10027064-80.html?tag=mncol 18
Amazon Cloud Users: New York Times and Nasdaq (4/08) • Both companies used Amazon’s cloud offering • New York Times – Didn’t coordinate with Amazon, used a credit card! – Used EC2 and S3 to convert 15 million scanned news articles to PDF (4TB data) – Took 100 Linux computers 24 hours (would have taken months on NYT computers – “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, New York Times • Nasdaq – Uses S3 to deliver historic stock and fund information – Millions of files showing price changes of entities over 10 minute segments – “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP – Created lightweight Adobe AIR application to let users view data Source: Infoworld article (availability zones and elastic IP) IP), http://www.infoworld.com/article/08/03/27/Amazon-adds-resilience-to-cloud- computing_1.html 19
Case Study: Salesforce.com Salesforce com in Government • 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Computing Solutions • President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application – Concept to Live in Three Weeks – 134,077 Registered Users – 1.4 M Votes – 52,015 Ideas – Peak traffic of 149 hits per second • US Census Bureau Uses Salesforce.com Cloud Application – Project implemented in under 12 weeks j p – 2,500+ partnership agents use Salesforce.com for 2010 decennial census – Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop- p g p microsoft-for-web-apps.ars Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php 20
Case Study: Salesforce.com Salesforce com in Government • New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project – Use Salesforce.com to run their call center, incident management, complaint tracking, and service portal – 600% More Inquiries Handled – 0 New Agents Required – 36% Improved Response Time • U S Army uses Salesforce CRM for Cloud-based U.S. Recruiting – U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center Center. – Use Salesforce.com to track all core recruitment functions and allows the Army to save time and resources. Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop- microsoft-for-web-apps.ars Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php 21
Part II: Cloud Audit Best Practices 22
ENISA 23
ENISA INFORMATION ASSURANCE REQUIREMENTS PERSONNEL SECURITY The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risks and the cost. What policies and procedures do you have in place when hiring your IT administrators or others with system access? Th th ith t ? These should i l d h ld include: o pre-employment checks (identity, nationality or status, employment history and references, criminal convictions, and vetting (for senior personnel in high privilege roles)). Are there diff A th different policies d t li i depending on where th d t i stored or applications are run? di h the data is t d li ti ? o For example, hiring policies in one region may be different from those in another. o Practices need to be consistent across regions. o It may be that sensitive data is stored in one particular region with appropriate personnel. What security education program do you run for all staff? Is there a process of continuous evaluation? o How often does this occur? o Further interviews o Security access and privilege reviews o Policy and procedure reviews. 24
ENISA SUPPLY-CHAIN ASSURANCE The following questions apply where the cloud provider subcontracts some operations that are key to the security of the operation to third parties (e.g., a SaaS provider outsourcing the underling platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management of operating systems, etc). It also includes third parties with physical or remote access to the systems etc) cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers. Define those services that are outsourced or subcontracted in your service delivery supply chain which are key to the security (including availability) of your operations. Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical). o Do you audit your outsourcers and subcontractors and how often? Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place? What Wh t measures are t k t ensure thi d party service levels are met and maintained? taken to third t i l l t d i t i d? Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers? 25
ENISA OPERATIONAL SECURITY It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreements, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorized disclosure. Detail your change control procedure and policy. This should also include the process used to re- assess risks as a result of changes and clarify whether the outputs are available to end customers. c stomers Define the remote access policy. Does the provider maintain documented operating procedures for information systems? Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated? Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2). Specify the controls used to protect against malicious code. S f Are secure configurations deployed to only allow the execution of authorized mobile code and authorized functionality (e.g., only execute specific commands)? Detail policies and procedures for backup. This should include procedures for the management of removable media and methods f securely d f bl di d h d for l destroying media no l i di longer required. (D i d (Depending di on his business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to back-up is required.) 26
ENISA OPERATIONAL SECURITY Audit logs are used in the event of an incident requiring investigation; they can also be used for troubleshooting. For these purposes, the end customer will need assurance that such information is available: Can the provider detail what information is recorded within audit logs? o For what period is this data retained? o Is it possible to segment data within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers and still be admissible in court? o What controls are employed to protect logs from unauthorized access or tampering? o What method is used to check and protect the integrity of audit logs? How are audit logs reviewed? What recorded events result in action being taken? What time source is used to synchronize systems and provide accurate audit log time stamping? 27
ENISA SOFTWARE ASSURANCE Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48). How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use? What practices are followed to keep the applications safe? Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these? PATCH MANAGEMENT Provide details of the patch management procedure followed. Can you ensure that the patch management process covers all layers of the cloud delivery technologies – i.e., network (infrastructure components, routers and switches, etc), server g , ( p , , ), operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)? 28
ENISA NETWORK ARCHITECTURE CONTROLS Define the controls used to mitigate DDoS (distributed denial–of-service) attacks. o Defense in depth (deep packet analysis, traffic throttling, packet black-holing, etc) o Do you have defenses against ‘internal’ ( g y g (originating from the cloud p g providers networks) ) attacks as well as external (originating from the Internet or customer networks) attacks? What levels of isolation are used? o for virtual machines physical machines network storage (e g storage area networks) machines, machines, network, (e.g., networks), management networks and management support systems, etc. Does the architecture support continued operation from the cloud when the company is separated from the service provider and vice versa (e g is there a critical dependency on (e.g., the customer LDAP system)? Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging 802.1q 802 1q (49) architecture) secured to vendor and/or best practice specific standards (e.g., are (e g MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)? 29
ENISA HOST ARCHITECTURE Does the provider ensure virtual images are hardened by default? Is the hardened virtual image p g protected from unauthorized access? Can the provider confirm that the virtualized image does not contain the authentication credentials? Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance? Can a host based intrusion prevention service (IPS) be run in the virtual instance? host-based 30
ENISA PAAS – APPLICATION SECURITY Generally speaking, P S service providers are responsible f th security of th platform G ll ki PaaS i id ibl for the it f the l tf software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms – however the following questions questions, along with other sections within this document, should be of assistance in assessing their offerings. Request information on how multi-tenanted applications are isolated from each other – a high multi tenanted level description of containment and isolation measures is required. What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own? The platform architecture should be classic ‘sandbox’ – does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities? PaaS providers should be able to offer a set of security features (re-useable amongst their (re useable clients) – do these include user authentication, single sign on, authorization (privilege management), and SSL/TLS (made available via an API)? 31
ENISA SAAS – APPLICATION SECURITY The SaaS model dictates that the provider manages the entire suite of applications delivered to p g pp end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However the following questions, along with other sections within this document, should assist in assessing their offerings: What d i i Wh administration controls are provided and can these b used to assign read and write i l id d d h be d i d d i privileges to other users? Is the SaaS access control fine grained and can it be customized to your organizations policy? RESOURCE PROVISIONING In the event of resource overload (processing, memory, storage, network)? o What information is given about the relative priority assigned to my request in the event of a failure in provisioning? o Is there a lead time on service levels and changes in requirements? How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period? How fast can you scale up? Does the p y p provider offer g guarantees on the availability of y supplementary resources within a minimum period? What processes are in place for handling large-scale trends in resource usage (e.g., seasonal effects)? 32
ENISA IDENTITY AND ACCESS MANAGEMENT The following controls apply to the cloud p g pp y provider’s identity and access management systems y g y (those under their control): AUTHORIZATION Do any accounts have system wide privileges for the entire cloud system and if so for what system-wide and, so, operations (read/write/delete)? How are the accounts with the highest level of privilege authenticated and managed? How are the most critical decisions (e g simultaneous de provisioning of large resource (e.g., de-provisioning blocks) authorized (single or dual, and by which roles within the organization)? Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules? Do you use role-based access control (RBAC)? Is the principle of least privilege followed? What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency? Is there an ‘administrator’ role for the c stomer? For e ample does the c stomer customer? example, customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)? 33
ENISA IDENTITY PROVISIONING What h k Wh t checks are made on th id tit of user accounts at registration? Are any standards d the identity f t t i t ti ? A t d d followed? For example, the e-Government Interoperability Framework? Are there different levels of identity checks based on the resources required? What processes are in place for de-provisioning credentials? Are credentials provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations? MANAGEMENT OF PERSONAL DATA What data storage and protection controls apply to the user directory (e.g., AD, LDAP) and access to it? Is user directory data exportable in an interoperable format? Is need-to-know the basis for access to customer data within the cloud provider? 34
ENISA KEY MANAGEMENT For keys under the control of the cloud provider: Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc. Are A security controls in place f using th it t l i l for i those k keys t sign and encrypt d t ? to i d t data? Are procedures in place in the event of a key compromise? For example, key revocation lists. Is key revocation able to deal with simultaneity issues for multiple sites? Are customer system images protected or encrypted? ENCRYPTION Encryption can be used in multiple places − where is it used? o data in transit o data at rest o data in processor or memory? Usernames and passwords? Is there a well-defined policy for what should be encrypted and what should not be encrypted? Who holds the access keys? How are the keys protected? 35
ENISA AUTHENTICATION What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc. Is two-factor authentication used to manage critical components within the infrastructure, such two factor infrastructure as firewalls, etc? CREDENTIAL COMPROMISE OR THEFT Do D you provide anomaly d t ti (th ability t spot unusual and potentially malicious IP id l detection (the bilit to t l d t ti ll li i traffic and user or support team behavior)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc. What provisions exist in the event of the theft of a customer’s credentials (detection, revocation, revocation evidence for actions)? IDENTITY AND ACCESS MANAGEMENT SYSTEMS OFFERED TO THE CLOUD CUSTOMER The following questions apply to the identity and access management systems which are offered by the l d b th cloud provider f use and control b th cloud customer: id for d t l by the l d t 36
ENISA IDENTITY MANAGEMENT FRAMEWORKS Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (e.g.. username and password)? Is the cloud provider interoperable with third party identity providers? Is there the ability to incorporate single sign-on? ACCESS CONTROL Does the client credential system allow for the separation of roles and responsibilities and for y p p multiple domains (or a single key for multiple domains, roles and responsibilities)? How do you manage access to customer system images – and ensure that the authentication and cryptographic keys are not contained within in them? AUTHENTICATION How does the cloud provider identify itself to the customer (i.e., is there mutual authentication)? o when the customer sends API commands? o when the customer logs into the management interface? Do you support a federated mechanism for authentication? 37
ENISA ASSET MANAGEMENT It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud providers control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into pp p p y y the infrastructure. Does the provider have an automated means to inventory all assets, which facilitates their appropriate management? pp p g Is there a list of assets that the customer has used over a specific period of time? The following questions are to be used where the end customer is deploying data that would require additional protection (i.e.. deemed as sensitive). Are assets classified in terms of sensitivity and criticality? o If so, does the provider employ appropriate segregation between systems with different classifications and for a single customer who has systems with different security classifications? 38
ENISA DATA AND SERVICES PORTABILITY This set of questions should be considered in order to understand the risks related to vendor lock-in. Are there d A th documented procedures and API f exporting d t f t d d d APIs for ti data from th cloud? the l d? Does the vendor provide interoperable export formats for all data stored within the cloud? In the case of SaaS, are the API interfaces used standardized? Are there any provisions for exporting user-created applications in a standard format? Are there processes for testing that data can be exported to another cloud provider – should the client wish to change provider, for example? Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider? 39
ENISA BUSINESS CONTINUITY MANAGEMENT Providing continuity is important to an organization. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations. Does the provider maintain a documented method that details the impact of a disruption? o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service. o Are information security activities appropriately addressed in the restoration process? o What are the lines of communication to end customers in the event of a disruption? o Are the roles and responsibilities of teams clearly identified when dealing with a disruption? Has the provider categorized the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW). What dependencies relevant to the restoration process exist? Include suppliers and outsource partners. partners In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site? 40
ENISA INCIDENT MANAGEMENT AND RESPONSE Incident I id t management and response is a part of business continuity management. The goal of t d i t fb i ti it t Th l f this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization. To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident the following questions should be incident, asked to a cloud provider: Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents? Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider’s support organization is aware of the processes and of their roles during incident handling (both during the incident and post analysis)? How are the detection capabilities structured? o How can the cloud customer report anomalies and security events to the provider? o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider? o Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are monitored? o Do you provide (upon request) a periodical report on security incidents (e.g.,. according to the ITIL definition)? o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs? o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party? 41
ENISA INCIDENT MANAGEMENT AND RESPONSE How are severity levels defined? How are escalation procedures defined? When (if ever) is the cloud customer involved? How are incidents documented and evidence collected? Besides a thentication accounting and a dit what other controls are in place to pre ent (or authentication, acco nting audit, hat prevent minimize the impact of) malicious activities by insiders? Does the provider offer the customer (upon request) a forensic image of the virtual machine? Does the provider collect incident metrics and indicators (i.e.,. number of detected or reported incidents per months number of incidents caused by the cloud provider’s subcontractors and months, the total number of such incidents, average time to respond and to resolve, etc)?). o Which of these does the provider make publicly available (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information)??) How often does the provider test disaster recovery and business continuity plans? Does the provider collect data on the levels of satisfaction with SLAs? Does the provider carry out help desk tests? For example: oIImpersonation tests (is the person at the end of the phone requesting a password reset, i (i h h d f h h i d really who they say they are?) or so called ‘social engineering’ attacks. 42
ENISA INCIDENT MANAGEMENT AND RESPONSE Does the provider carry out penetration testing? How often? What are actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to ‘break out’ of one image into another and also g p g gain access to the host infrastructure?. The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud providers management and support systems (e.g., example the provisioning and admin access control systems). Does the provider carry out vulnerability testing? How often? What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later ) versions of software, etc)? 43
ENISA PHYSICAL SECURITY As with personnel security, many of the potential issues arise because the IT infrastructure is under the control of a third party – like traditional outsourcing, the effect of a physical security breach can have an impact on multiple customers ( g p p (organizations). ) What assurance can you provide to the customer regarding the physical security of the location? Please provide examples, and any standards that are adhered to, e.g.,. Section 9 of ISO 27001/2. o Who, other than authorized IT personnel, has unescorted (physical) access to IT infrastructure? For example, cleaners, managers, ‘physical security’ staff, contractors, consultants, physical security vendors, etc. o How often are access rights reviewed? How quickly can access rights be revoked? o Do you assess security risks and evaluate perimeters on a regular basis? How frequently? 44
ENISA PHYSICAL SECURITY o Do you assess security risks and evaluate perimeters on a regular basis? How frequently? o Do you carry out regular risk assessments which include things such as neighboring buildings? o D you control or monitor personnel (i l di thi d parties) who access secure areas? Do t l it l (including third ti ) h ? o What policies or procedures do you have for loading, unloading and installing equipment? o Are deliveries inspected for risks before installation? o Is there an up-to-date physical inventory of items in the data centre? o Do network cables run through public access areas? Do you use armored cabling or conduits? o Do you regularly survey premises to look for unauthorized equipment? o Is there any off-site equipment? How is this protected? 45
ENISA PHYSICAL SECURITY o Do your personnel use portable equipment (e.g.,. laptops, smart phones) which can give access to the data centre? How are these protected? o What measures are in place to control access cards? o What processes or procedures are in place to destroy old media or systems when required to do so? data overwritten? physical destruction? o What authorization processes are in place for the movement of equipment from one site to another? How do you identify staff (or contractors) who are authorized to do this? o How often are equipment audits carried out to monitor for unauthorized equipment removal? o How often are checks made to ensure that the environment complies with the appropriate legal and regulatory requirements? 46
ENISA ENVIRONMENTAL CONTROLS What procedures or policies are in place to ensure that environmental issues do not cause an interruption to service? What methods do you use to prevent damage from a fire, flood, earthquake, etc? o In the event of a disaster what additional security measures are put in place to protect disaster, physical access? o Both at the primary as well as at the secondary sites? Do you monitor the temperature and humidity in the data centre? o Air conditioning considerations or monitoring? Air-conditioning Do you protect your buildings from lightening strikes? o Including electrical and communication lines? Do you have stand-alone generators in the event of a power failure? o For how long can they run? o Are there adequate fuel supplies? o Are there failover generators? o How often do you check UPS equipment? o How often do you check your generators? o Do you have multiple power suppliers? 47
ENISA ENVIRONMENTAL CONTROLS Are all utilities (electricity, water, etc) capable of supporting your environment? How often is this re-evaluated and tested? Is your air-conditioning capable of supporting your environment? o How often is it tested? Do you follow manufacturers recommended maintenance schedules? Do you only allow authorized maintenance or repair staff onto the site? o How do you check their identity? When equipment is sent away for repair, is the data cleaned from it first? o How is this done? 48
ENISA LEGAL REQUIREMENTS Customers and potential customers of cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with. The key legal questions the customer should ask the cloud provider are: In what country is the cloud provider located? Is the cloud provider’s infrastructure located in the same country or in different countries? Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider? Where will the data be physically located? Will jurisdiction over the contract terms and over the data be divided? Will any of the cloud provider’s services be subcontracted out? Will any of the cloud provider’s services be outsourced? How will the data provided by the customer and the customer’s customers, be collected, processed and transferred? What happens to the data sent to the cloud provider upon termination of the contract? 49
Cloud Security Alliance ( y (CSA) ) 50
Cloud Security Alliance (CSA) Taxonomy 51
Cloud Security Alliance (CSA) Mapping 52
Cloud Security Alliance ( y (CSA) ) Domain 4: Compliance and Audit With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy And the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors. Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand: case • Regulatory applicability for the use of a given cloud service • Division of compliance responsibilities between cloud provider and cloud customer •CCloud provider’s ability to produce evidence needed f compliance ’ for • Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor 53
Cloud Security Alliance ( y (CSA) ) Recommendations √ Involve Legal and Contracts Teams. The cloud provider’s standard terms of service may not address your compliance needs; therefore it is beneficial to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations. √ Right to Audit Clause. Customers will often need the ability to audit the cloud provider, given the dynamic natures of both the cloud and the regulatory environment. A right to audit contract clause should be obtained whenever possible, particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Over time, the need for this right should be reduced and in many cases replaced by appropriate cloud provider certifications related to our certifications, recommendation for ISO/IEC 27001 certification scoping later in this section. √ Analyze Compliance Scope. Determining whether the compliance regulations which the organization is subject to will be impacted by the use of cloud services, for a given set of applications and data. 54
Cloud Security Alliance ( y (CSA) ) Recommendations √ Analyze Impact of Regulations on Data Security. Potential end users of Cloud Computing services should consider which applications and data they are considering moving to cloud services, and the extent to which they are subject to compliance g , y j p regulations. √ Review Relevant Partners and Services Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations. 55
Cloud Security Alliance ( y (CSA) ) Recommendations Understand Contractual Data Protection Responsibilities and Related Contracts. The cloud service model to an extent dictates whether the customer or the cloud service p provider is responsible for deploying security controls. In an IaaS deployment scenario, p p y g y p y , the customer has a greater degree of control and responsibility than in a SaaS scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls From a contractual perspective controls. perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key. √ Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types. 56
Cloud Security Alliance ( y (CSA) ) √ Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, logging data retention, incident response, controls testing, and privacy policies retention response testing policies. √ Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of compliance across the multitude of compliance regulations and requirements is a challenge. Customers of cloud services should develop p g p processes to collect and store compliance evidence including audit logs and activity reports, copies of system configurations, change management reports, and other test procedure output. Depending on the cloud service model, the cloud provider may need to provide much of this information. information √ Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a “cloud aware” auditor since many might not be familiar cloud aware with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point. 57
Cloud Security Alliance ( y (CSA) ) √ Cloud Provider’s SAS 70 Type II Providers should have this audit statement at a Provider s II. minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements. √ Cloud Provider’s ISO/IEC 27001/27002 Roadmap. Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices. √ ISO/IEC 27001/27002 Scoping. The Cloud Security Alliance is issuing an industry call Scoping to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria. Contributors: Nadeem Bukhari, Anton Chuvakin, Peter Gregory, Jim Hietala, Greg Kane, Patrick Sullivan 58
MICROSOFT 59
Microsoft Azure Services Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 60
Windows Azure Applications, Storage, Storage and Roles n m LB Web Role Worker Role Cloud Storage (blob, table, queue) Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 61
MICROSOFT Microsoft provides a t t Mi ft id trustworthy cloud th th l d through f h focus on th three areas: Utilizing a risk-based information security program that assesses and prioritizes security and operational th t t th b i i iti it d ti l threats to the business Maintaining and updating a detailed set of security controls that mitigate risk Operating a compliance framework that ensures controls are designed appropriately and are operating effectively Microsoft is able to obtain key certifications such as International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations, and to more efficiently pass attestations regular audits from independent third parties. 62
MICROSOFT 63
MICROSOFT 64
MICROSOFT 65
MICROSOFT 66
MICROSOFT 67
MICROSOFT Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi global.com/en/Assessment and certification services/Client http://www.bsi-global.com/en/Assessment-and-certification-services/Client- directory/CertificateClient-Directory-Search- Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com The Microsoft Security Development Lifecycle (SDL): http://msdn.microsoft.com/en- http://msdn.microsoft.com/en us/security/cc448177.aspx Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx Microsoft Security Response Center: http://www.microsoft.com/security/msrc The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en- us/security/dd206731.aspx Microsoft Online Services: http://www.microsoft.com/online 68
CloudeAssurance.com 69
CloudeAssurance.com 70
CloudeAssurance.com 71
CloudeAssurance.com 72
CloudeAssurance.com 73
CloudeAssurance.com 74
Questions? • Thank-you! Email questions to tlambo@eFortresses.com Requests for materials, slides etc materials slides, etc. Keep in touch 75

More Related Content

PPT
IAPP Atlanta Chapter Meeting 2013 February
Phil Agcaoili
 
PDF
Hybrid cloud computing explained
PMOfficers PMOAcademy
 
PPT
Cloud computing
saralaanuj
 
PDF
Hybrid Cloud Computing (IBM System z)
IBM Danmark
 
PPTX
What is cloud computing
Dan Morrill
 
PDF
Cloud Computing - Challenges and Opportunities - Jens Nimis
JensNimis
 
PDF
Cloud Computing: On the Air or Down to Earth - Beneficios para la Empresa
Software Guru
 
PDF
Impact of busines model elements on cloud computing adoption
Andreja Pucihar
 
IAPP Atlanta Chapter Meeting 2013 February
Phil Agcaoili
 
Hybrid cloud computing explained
PMOfficers PMOAcademy
 
Cloud computing
saralaanuj
 
Hybrid Cloud Computing (IBM System z)
IBM Danmark
 
What is cloud computing
Dan Morrill
 
Cloud Computing - Challenges and Opportunities - Jens Nimis
JensNimis
 
Cloud Computing: On the Air or Down to Earth - Beneficios para la Empresa
Software Guru
 
Impact of busines model elements on cloud computing adoption
Andreja Pucihar
 

What's hot (20)

PPT
cloud computing
Krishna Kumar
 
PDF
SoftwareGuru 2009 - Cloud Computing
Jose Tam
 
PDF
MISA Cloud workshop - Cloud 101
MISA Ontario Cloud SIG
 
PPTX
Cloud computing – An Overview
Kannan Subbiah
 
PDF
Cloud computing standards
Seungyun Lee
 
PPTX
Back that *aa s up – bridging multiple clouds for bursting and redundancy
RightScale
 
PPTX
Servizi Cloud Computing: Scenario, Strategia e Mercato Nicoletta Maggiore
Apulian ICT Living Labs
 
PDF
Appistry Cloud Computing for Government Featuring FedEx
Appistry
 
PDF
Opportunites and Challenges in Cloud COmputing
ACMBangalore
 
PDF
Windows Azure Platfrom App Fabric
Wes Yanaga
 
PDF
Asyma E3 2014 The Impact of Cloud Computing on SME's
asyma
 
PDF
Cloud Computing
NAILBITER
 
PDF
Community cloud
SNKN-CloudComputing
 
PDF
Cloud computing 2011 call for papers
psundarau
 
PDF
Cloud 9: Nine Reasons to Take the Cloud Seriously_White Paper
Newton Day Uploads
 
PDF
Innovation in cloud computing architectures with open nebula
Ignacio M. Llorente
 
PDF
OpenNASA v2.0 Slideshare Large File
Megan Eskey
 
PDF
Cloud Computing Business Models
Mourad ZEROUKHI
 
PDF
Gis In The Cloud
fn028791
 
PPSX
Vendor classification & rating
Amit Puri
 
cloud computing
Krishna Kumar
 
SoftwareGuru 2009 - Cloud Computing
Jose Tam
 
MISA Cloud workshop - Cloud 101
MISA Ontario Cloud SIG
 
Cloud computing – An Overview
Kannan Subbiah
 
Cloud computing standards
Seungyun Lee
 
Back that *aa s up – bridging multiple clouds for bursting and redundancy
RightScale
 
Servizi Cloud Computing: Scenario, Strategia e Mercato Nicoletta Maggiore
Apulian ICT Living Labs
 
Appistry Cloud Computing for Government Featuring FedEx
Appistry
 
Opportunites and Challenges in Cloud COmputing
ACMBangalore
 
Windows Azure Platfrom App Fabric
Wes Yanaga
 
Asyma E3 2014 The Impact of Cloud Computing on SME's
asyma
 
Cloud Computing
NAILBITER
 
Community cloud
SNKN-CloudComputing
 
Cloud computing 2011 call for papers
psundarau
 
Cloud 9: Nine Reasons to Take the Cloud Seriously_White Paper
Newton Day Uploads
 
Innovation in cloud computing architectures with open nebula
Ignacio M. Llorente
 
OpenNASA v2.0 Slideshare Large File
Megan Eskey
 
Cloud Computing Business Models
Mourad ZEROUKHI
 
Gis In The Cloud
fn028791
 
Vendor classification & rating
Amit Puri
 
Ad

Viewers also liked (6)

PPTX
Designing a Taxonomy For a Company's Website
Aravind Sesagiri Raamkumar
 
PDF
Federal Risk and Authorization Management Program (FedRAMP)
GovCloud Network
 
PPTX
Mobility and federation of Cloud computing
David Wallom
 
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Bill Annibell
 
PDF
Taxonomy Is User Experience
Dave Cooksey
 
PDF
Enterprise Knowledge - Taxonomy Design Best Practices and Methodology
Enterprise Knowledge
 
Designing a Taxonomy For a Company's Website
Aravind Sesagiri Raamkumar
 
Federal Risk and Authorization Management Program (FedRAMP)
GovCloud Network
 
Mobility and federation of Cloud computing
David Wallom
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Bill Annibell
 
Taxonomy Is User Experience
Dave Cooksey
 
Enterprise Knowledge - Taxonomy Design Best Practices and Methodology
Enterprise Knowledge
 
Ad

Similar to Taiye Lambo - Auditing the cloud (20)

PPT
Cloudcomputingoct2009 100301142544-phpapp02
abhisheknayak29
 
PDF
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
PPT
Cloud Computing Webinar
Saif Ahmad
 
PDF
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
ptaglephd
 
PPT
Cloud computing by Bharat Bodage
Bharat Bodage
 
PPT
Cloud computing 2
Shyam Kona
 
PPTX
Cloud Computing with InduSoft
AVEVA
 
PPTX
Cloud computing by Luqman
Luqman Shareef
 
PDF
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Legal Project
 
PDF
Application of Cloud Computing
Boonlert Aroonpiboon
 
PDF
The Myths And Magic Of Cloud Computing
jayroy
 
PDF
Cloud computing white paper
Vaneesh Bahl
 
PPTX
Executive Briefing: Strategic Issues Surrounding Cloud Services
WhitmeyerTuffin
 
PDF
Clearing the air on Cloud Computing
Karthik Sankar
 
PDF
Trend and Future of Cloud Computing
hybrid cloud
 
PPTX
NSUT_Lecture1_cloud computing[1].pptx
UtkarshKumar608655
 
PPTX
Cloud Computing 101
Kamal Arora
 
PPTX
Introduction To Cloud Computing
kevnikool
 
PDF
Cloud Computing Overview And Predictions May 2009
Brent Jackson
 
PPTX
Cloud Computing : Revised Presentation
Mayank Aggarwal
 
Cloudcomputingoct2009 100301142544-phpapp02
abhisheknayak29
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
Cloud Computing Webinar
Saif Ahmad
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
ptaglephd
 
Cloud computing by Bharat Bodage
Bharat Bodage
 
Cloud computing 2
Shyam Kona
 
Cloud Computing with InduSoft
AVEVA
 
Cloud computing by Luqman
Luqman Shareef
 
Cloud Computing Contracts and Services: What’s Really Happening Out There?
Cloud Legal Project
 
Application of Cloud Computing
Boonlert Aroonpiboon
 
The Myths And Magic Of Cloud Computing
jayroy
 
Cloud computing white paper
Vaneesh Bahl
 
Executive Briefing: Strategic Issues Surrounding Cloud Services
WhitmeyerTuffin
 
Clearing the air on Cloud Computing
Karthik Sankar
 
Trend and Future of Cloud Computing
hybrid cloud
 
NSUT_Lecture1_cloud computing[1].pptx
UtkarshKumar608655
 
Cloud Computing 101
Kamal Arora
 
Introduction To Cloud Computing
kevnikool
 
Cloud Computing Overview And Predictions May 2009
Brent Jackson
 
Cloud Computing : Revised Presentation
Mayank Aggarwal
 

More from nooralmousa (17)

PDF
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
nooralmousa
 
PPTX
Mr. Bulent Teksoz - Security trends and innovations
nooralmousa
 
PPTX
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
PPT
Mr. Khalid Shaikh - emerging trends in managing it security
nooralmousa
 
PDF
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
nooralmousa
 
PDF
Mr. Burhan Khalid - secure dev.
nooralmousa
 
PPT
Sudarsan Jayaraman - Open information security management maturity model
nooralmousa
 
PPSX
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
PPT
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
nooralmousa
 
PDF
Ahmed Al Barrak - Staff information security practices - a latent threat
nooralmousa
 
PDF
Fadi Mutlak - Information security governance
nooralmousa
 
PPTX
Mohammed Al Mulla - Best practices to secure working environments
nooralmousa
 
PPTX
Pradeep menon how to influence people and win top management buy0in for ciso
nooralmousa
 
PPTX
Nabil Malik - Security performance metrics
nooralmousa
 
PPTX
Khaled al amri using fingerprints as private and public keys
nooralmousa
 
PDF
Hisham Dalle - Zero client computing - taking the desktop into the cloud
nooralmousa
 
PPTX
Ghassan farra it security a cio perspective
nooralmousa
 
Mr. Vivek Ramachandran - Advanced Wi-­Fi Security Penetration Testing
nooralmousa
 
Mr. Bulent Teksoz - Security trends and innovations
nooralmousa
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
Mr. Khalid Shaikh - emerging trends in managing it security
nooralmousa
 
Mr. Andrey Belenko - secure password managers and military-grade encryption o...
nooralmousa
 
Mr. Burhan Khalid - secure dev.
nooralmousa
 
Sudarsan Jayaraman - Open information security management maturity model
nooralmousa
 
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
Renaud Bido & Mohammad Shams - Hijacking web servers & clients
nooralmousa
 
Ahmed Al Barrak - Staff information security practices - a latent threat
nooralmousa
 
Fadi Mutlak - Information security governance
nooralmousa
 
Mohammed Al Mulla - Best practices to secure working environments
nooralmousa
 
Pradeep menon how to influence people and win top management buy0in for ciso
nooralmousa
 
Nabil Malik - Security performance metrics
nooralmousa
 
Khaled al amri using fingerprints as private and public keys
nooralmousa
 
Hisham Dalle - Zero client computing - taking the desktop into the cloud
nooralmousa
 
Ghassan farra it security a cio perspective
nooralmousa
 

Taiye Lambo - Auditing the cloud

  • 1. Kuwait Info Security Conference Auditing the Cloud
  • 2. About Me Taiye L b CISSP, CISA, CISM, HISP, T i Lambo CISSP CISA CISM HISP ISO 27001 Auditor A dit President & Founder, eFortresses, Inc. Author Holistic Information Security Practitioner ( y (HISP) Certification Course ) Founder Holistic Information Security Practitioner (HISP) Institute – www.hispi.org Founder UK Honeynet Project – www honeynet org uk www.honeynet.org.uk Hybrid technical and business information security practitioner, with 14 years Information Security experience, including: Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001 consulting engagements to various clients in the Manufacturing, Government, Financial Services and Healthcare sectors in the UK and US. Presented at security events including conferences organized by organized by ISSA, InfraGard, ISACA, CPM, HITRUST and SOFE. 2
  • 3. Caveats and Disclaimers • This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security • It is NOT intended to provide official eFortresses and/or NIST guidance and NIST does not make policy • A mention of a vendor or product is NOT Any ti f d d ti an endorsement or recommendation Citation Note: Most sources for the material in this presentation are included within the PowerPoint “ slides 3
  • 4. Cloud Computing Quotes from Vivek Kundra (Federal CIO): "The cloud will do for government what the Internet did in the '90s " he said. "We're 90s, said We re interested in consumer technology for the enterprise, enterprise " Kundra added "It's a fundamental added. It s change to the way our government operates by moving to the cloud Rather than owning the cloud. infrastructure, we can save millions." http://www.nextgov.com/nextgov/ng 20081126_1117.php p g g g_ p p 4
  • 5. Part I: Effective and Secure Use Understanding Cloud Computing Cloud Computing Clo d Comp ting Case St dies Studies Part II: Cl d A diti B t P P t II Cloud Auditing Best Practices ti ENISA AGENDA CSA Microsoft CloudeAssurance 5
  • 6. Part I: Effective and Secure Use 6
  • 7. Understanding Cloud Computing Origin of the term “Cloud Computing Cloud Computing” • “Comes from the early days of the Internet where we drew y y the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google • First cloud around networking (TCP/IP abstraction) • Second cloud around documents (WWW data abstraction) • The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms – (“muck” as Amazon’s CEO Jeff Bezos calls it) Jeff Bezos’ quote: http://news cnet com/8301-13953 3-9977100-80 html?tag=mncol Bezos http://news.cnet.com/8301 13953_3 9977100 80.html?tag mncol Kevin Marks quote: http://news.cnet.com/8301-13953_3-9938949-80.html?tag=mncol video interview 7
  • 8. A Working Definition of Cloud Computing • Cl d computing i a model f enabling Cloud ti is d l for bli convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. • This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. models 8
  • 9. Five Essential Cloud Characteristics 9
  • 10. Three Cloud Service Models • Cloud Software as a Service (SaaS) – Use provider’s applications over a network • Cloud Platform as a Service (PaaS) ( ) – Deploy customer-created applications to a cloud • Cloud Infrastructure as a Service (IaaS) – R t processing, storage, network capacity, and other Rent i t t k it d th fundamental computing resources • To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics 10
  • 11. Service Model Architectures Cloud Infrastructure Cloud Infrastructure Cloud Infrastructure IaaS Software as a Service PaaS PaaS (SaaS) SaaS SaaS SaaS Architectures Cloud Infrastructure Cloud Infrastructure IaaS Platform as a Service (PaaS) ( ) PaaS PaaS Architectures Cloud Infrastructure IaaS Infrastructure as a Service (IaaS) Architectures 11
  • 12. NIST Four Cloud Deployment Models • Private cloud – enterprise owned or leased • Community cloud – shared infrastructure for specific community • Public cloud – Sold to the public, mega-scale infrastructure • Hybrid cloud – composition of two or more clouds 12
  • 13. The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Private Community C it Public Cloud Cloud Cloud Service Software as a Platform as a Infrastructure as a Models Service (SaaS) Service (PaaS) Service (IaaS) On Demand Self-Service Essential Broad Network A B dN k Access Rapid Elasticity R id El i i Characteristics Resource Pooling Measured Service Massive Scale Resilient Computing Common Homogeneity Geographic Distribution Characteristics Virtualization Service Orientation Low Cost Software Advanced Security 13
  • 14. Jericho Forum’s Cloud Cube Deployment Model 14
  • 15. General Security Advantages • Shifting public data to a external cloud reduces the exposure of the internal sensitive data • Cloud homogeneity makes security auditing/testing simpler • Clouds enable automated security management t • Redundancy / Disaster Recovery 15
  • 16. Cloud Computing Case Studies and Security Models 16
  • 17. Google Cloud User: City of Washington D.C. DC • Vivek Kundra, Former CTO for the DC (now Federal CIO) • Migrating 38,000 employees to Google Apps • Replace office software – Gmail – Google Docs (word processing and spreadsheets) – Google video for business – Google sites (intranet sites and wikis) • “It's a fundamental change to the way our government It s operates by moving to the cloud. Rather than owning the infrastructure, we can save millions.”, Mr. Kundra • 500 000+ organizations use Google Apps 500,000+ 17
  • 18. Case Study: Facebook’s Use of Open Source and Commodity Hardware (8/08) • Jonathan Heiliger Facebook's vice president of technical operations Heiliger, Facebook s • 80 million users + 250,000 new users per day • 50,000 transactions per second, 10,000+ servers • Built on open source software – Web and App tier: Apache, PHP, AJAX – Middleware tier: Memcached (Open source caching) – Data tier: MySQL (Open source DB) y ( p ) • Thousands of DB instances store data in distributed fashion (avoids collisions of many users accessing the same DB) • “We don't need fancy graphics chips and PCI cards," he said. “We need one USB port and optimized power and airflow Give me one airflow. CPU, a little memory and one power supply. If it fails, I don't care. We are solving the redundancy problem in software.” Data taken from CNET news article and interview 8/18/08 http://news.cnet.com/8301-13953_3-10027064-80.html?tag=mncol 18
  • 19. Amazon Cloud Users: New York Times and Nasdaq (4/08) • Both companies used Amazon’s cloud offering • New York Times – Didn’t coordinate with Amazon, used a credit card! – Used EC2 and S3 to convert 15 million scanned news articles to PDF (4TB data) – Took 100 Linux computers 24 hours (would have taken months on NYT computers – “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, New York Times • Nasdaq – Uses S3 to deliver historic stock and fund information – Millions of files showing price changes of entities over 10 minute segments – “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP – Created lightweight Adobe AIR application to let users view data Source: Infoworld article (availability zones and elastic IP) IP), http://www.infoworld.com/article/08/03/27/Amazon-adds-resilience-to-cloud- computing_1.html 19
  • 20. Case Study: Salesforce.com Salesforce com in Government • 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Computing Solutions • President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application – Concept to Live in Three Weeks – 134,077 Registered Users – 1.4 M Votes – 52,015 Ideas – Peak traffic of 149 hits per second • US Census Bureau Uses Salesforce.com Cloud Application – Project implemented in under 12 weeks j p – 2,500+ partnership agents use Salesforce.com for 2010 decennial census – Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop- p g p microsoft-for-web-apps.ars Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php 20
  • 21. Case Study: Salesforce.com Salesforce com in Government • New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project – Use Salesforce.com to run their call center, incident management, complaint tracking, and service portal – 600% More Inquiries Handled – 0 New Agents Required – 36% Improved Response Time • U S Army uses Salesforce CRM for Cloud-based U.S. Recruiting – U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center Center. – Use Salesforce.com to track all core recruitment functions and allows the Army to save time and resources. Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop- microsoft-for-web-apps.ars Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php 21
  • 22. Part II: Cloud Audit Best Practices 22
  • 23. ENISA 23
  • 24. ENISA INFORMATION ASSURANCE REQUIREMENTS PERSONNEL SECURITY The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risks and the cost. What policies and procedures do you have in place when hiring your IT administrators or others with system access? Th th ith t ? These should i l d h ld include: o pre-employment checks (identity, nationality or status, employment history and references, criminal convictions, and vetting (for senior personnel in high privilege roles)). Are there diff A th different policies d t li i depending on where th d t i stored or applications are run? di h the data is t d li ti ? o For example, hiring policies in one region may be different from those in another. o Practices need to be consistent across regions. o It may be that sensitive data is stored in one particular region with appropriate personnel. What security education program do you run for all staff? Is there a process of continuous evaluation? o How often does this occur? o Further interviews o Security access and privilege reviews o Policy and procedure reviews. 24
  • 25. ENISA SUPPLY-CHAIN ASSURANCE The following questions apply where the cloud provider subcontracts some operations that are key to the security of the operation to third parties (e.g., a SaaS provider outsourcing the underling platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management of operating systems, etc). It also includes third parties with physical or remote access to the systems etc) cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers. Define those services that are outsourced or subcontracted in your service delivery supply chain which are key to the security (including availability) of your operations. Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical). o Do you audit your outsourcers and subcontractors and how often? Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place? What Wh t measures are t k t ensure thi d party service levels are met and maintained? taken to third t i l l t d i t i d? Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers? 25
  • 26. ENISA OPERATIONAL SECURITY It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreements, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorized disclosure. Detail your change control procedure and policy. This should also include the process used to re- assess risks as a result of changes and clarify whether the outputs are available to end customers. c stomers Define the remote access policy. Does the provider maintain documented operating procedures for information systems? Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated? Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2). Specify the controls used to protect against malicious code. S f Are secure configurations deployed to only allow the execution of authorized mobile code and authorized functionality (e.g., only execute specific commands)? Detail policies and procedures for backup. This should include procedures for the management of removable media and methods f securely d f bl di d h d for l destroying media no l i di longer required. (D i d (Depending di on his business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to back-up is required.) 26
  • 27. ENISA OPERATIONAL SECURITY Audit logs are used in the event of an incident requiring investigation; they can also be used for troubleshooting. For these purposes, the end customer will need assurance that such information is available: Can the provider detail what information is recorded within audit logs? o For what period is this data retained? o Is it possible to segment data within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers and still be admissible in court? o What controls are employed to protect logs from unauthorized access or tampering? o What method is used to check and protect the integrity of audit logs? How are audit logs reviewed? What recorded events result in action being taken? What time source is used to synchronize systems and provide accurate audit log time stamping? 27
  • 28. ENISA SOFTWARE ASSURANCE Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48). How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use? What practices are followed to keep the applications safe? Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these? PATCH MANAGEMENT Provide details of the patch management procedure followed. Can you ensure that the patch management process covers all layers of the cloud delivery technologies – i.e., network (infrastructure components, routers and switches, etc), server g , ( p , , ), operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)? 28
  • 29. ENISA NETWORK ARCHITECTURE CONTROLS Define the controls used to mitigate DDoS (distributed denial–of-service) attacks. o Defense in depth (deep packet analysis, traffic throttling, packet black-holing, etc) o Do you have defenses against ‘internal’ ( g y g (originating from the cloud p g providers networks) ) attacks as well as external (originating from the Internet or customer networks) attacks? What levels of isolation are used? o for virtual machines physical machines network storage (e g storage area networks) machines, machines, network, (e.g., networks), management networks and management support systems, etc. Does the architecture support continued operation from the cloud when the company is separated from the service provider and vice versa (e g is there a critical dependency on (e.g., the customer LDAP system)? Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging 802.1q 802 1q (49) architecture) secured to vendor and/or best practice specific standards (e.g., are (e g MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)? 29
  • 30. ENISA HOST ARCHITECTURE Does the provider ensure virtual images are hardened by default? Is the hardened virtual image p g protected from unauthorized access? Can the provider confirm that the virtualized image does not contain the authentication credentials? Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance? Can a host based intrusion prevention service (IPS) be run in the virtual instance? host-based 30
  • 31. ENISA PAAS – APPLICATION SECURITY Generally speaking, P S service providers are responsible f th security of th platform G ll ki PaaS i id ibl for the it f the l tf software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms – however the following questions questions, along with other sections within this document, should be of assistance in assessing their offerings. Request information on how multi-tenanted applications are isolated from each other – a high multi tenanted level description of containment and isolation measures is required. What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own? The platform architecture should be classic ‘sandbox’ – does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities? PaaS providers should be able to offer a set of security features (re-useable amongst their (re useable clients) – do these include user authentication, single sign on, authorization (privilege management), and SSL/TLS (made available via an API)? 31
  • 32. ENISA SAAS – APPLICATION SECURITY The SaaS model dictates that the provider manages the entire suite of applications delivered to p g pp end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However the following questions, along with other sections within this document, should assist in assessing their offerings: What d i i Wh administration controls are provided and can these b used to assign read and write i l id d d h be d i d d i privileges to other users? Is the SaaS access control fine grained and can it be customized to your organizations policy? RESOURCE PROVISIONING In the event of resource overload (processing, memory, storage, network)? o What information is given about the relative priority assigned to my request in the event of a failure in provisioning? o Is there a lead time on service levels and changes in requirements? How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period? How fast can you scale up? Does the p y p provider offer g guarantees on the availability of y supplementary resources within a minimum period? What processes are in place for handling large-scale trends in resource usage (e.g., seasonal effects)? 32
  • 33. ENISA IDENTITY AND ACCESS MANAGEMENT The following controls apply to the cloud p g pp y provider’s identity and access management systems y g y (those under their control): AUTHORIZATION Do any accounts have system wide privileges for the entire cloud system and if so for what system-wide and, so, operations (read/write/delete)? How are the accounts with the highest level of privilege authenticated and managed? How are the most critical decisions (e g simultaneous de provisioning of large resource (e.g., de-provisioning blocks) authorized (single or dual, and by which roles within the organization)? Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules? Do you use role-based access control (RBAC)? Is the principle of least privilege followed? What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency? Is there an ‘administrator’ role for the c stomer? For e ample does the c stomer customer? example, customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)? 33
  • 34. ENISA IDENTITY PROVISIONING What h k Wh t checks are made on th id tit of user accounts at registration? Are any standards d the identity f t t i t ti ? A t d d followed? For example, the e-Government Interoperability Framework? Are there different levels of identity checks based on the resources required? What processes are in place for de-provisioning credentials? Are credentials provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations? MANAGEMENT OF PERSONAL DATA What data storage and protection controls apply to the user directory (e.g., AD, LDAP) and access to it? Is user directory data exportable in an interoperable format? Is need-to-know the basis for access to customer data within the cloud provider? 34
  • 35. ENISA KEY MANAGEMENT For keys under the control of the cloud provider: Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc. Are A security controls in place f using th it t l i l for i those k keys t sign and encrypt d t ? to i d t data? Are procedures in place in the event of a key compromise? For example, key revocation lists. Is key revocation able to deal with simultaneity issues for multiple sites? Are customer system images protected or encrypted? ENCRYPTION Encryption can be used in multiple places − where is it used? o data in transit o data at rest o data in processor or memory? Usernames and passwords? Is there a well-defined policy for what should be encrypted and what should not be encrypted? Who holds the access keys? How are the keys protected? 35
  • 36. ENISA AUTHENTICATION What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc. Is two-factor authentication used to manage critical components within the infrastructure, such two factor infrastructure as firewalls, etc? CREDENTIAL COMPROMISE OR THEFT Do D you provide anomaly d t ti (th ability t spot unusual and potentially malicious IP id l detection (the bilit to t l d t ti ll li i traffic and user or support team behavior)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc. What provisions exist in the event of the theft of a customer’s credentials (detection, revocation, revocation evidence for actions)? IDENTITY AND ACCESS MANAGEMENT SYSTEMS OFFERED TO THE CLOUD CUSTOMER The following questions apply to the identity and access management systems which are offered by the l d b th cloud provider f use and control b th cloud customer: id for d t l by the l d t 36
  • 37. ENISA IDENTITY MANAGEMENT FRAMEWORKS Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (e.g.. username and password)? Is the cloud provider interoperable with third party identity providers? Is there the ability to incorporate single sign-on? ACCESS CONTROL Does the client credential system allow for the separation of roles and responsibilities and for y p p multiple domains (or a single key for multiple domains, roles and responsibilities)? How do you manage access to customer system images – and ensure that the authentication and cryptographic keys are not contained within in them? AUTHENTICATION How does the cloud provider identify itself to the customer (i.e., is there mutual authentication)? o when the customer sends API commands? o when the customer logs into the management interface? Do you support a federated mechanism for authentication? 37
  • 38. ENISA ASSET MANAGEMENT It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud providers control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into pp p p y y the infrastructure. Does the provider have an automated means to inventory all assets, which facilitates their appropriate management? pp p g Is there a list of assets that the customer has used over a specific period of time? The following questions are to be used where the end customer is deploying data that would require additional protection (i.e.. deemed as sensitive). Are assets classified in terms of sensitivity and criticality? o If so, does the provider employ appropriate segregation between systems with different classifications and for a single customer who has systems with different security classifications? 38
  • 39. ENISA DATA AND SERVICES PORTABILITY This set of questions should be considered in order to understand the risks related to vendor lock-in. Are there d A th documented procedures and API f exporting d t f t d d d APIs for ti data from th cloud? the l d? Does the vendor provide interoperable export formats for all data stored within the cloud? In the case of SaaS, are the API interfaces used standardized? Are there any provisions for exporting user-created applications in a standard format? Are there processes for testing that data can be exported to another cloud provider – should the client wish to change provider, for example? Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider? 39
  • 40. ENISA BUSINESS CONTINUITY MANAGEMENT Providing continuity is important to an organization. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations. Does the provider maintain a documented method that details the impact of a disruption? o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service. o Are information security activities appropriately addressed in the restoration process? o What are the lines of communication to end customers in the event of a disruption? o Are the roles and responsibilities of teams clearly identified when dealing with a disruption? Has the provider categorized the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW). What dependencies relevant to the restoration process exist? Include suppliers and outsource partners. partners In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site? 40
  • 41. ENISA INCIDENT MANAGEMENT AND RESPONSE Incident I id t management and response is a part of business continuity management. The goal of t d i t fb i ti it t Th l f this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization. To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident the following questions should be incident, asked to a cloud provider: Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents? Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider’s support organization is aware of the processes and of their roles during incident handling (both during the incident and post analysis)? How are the detection capabilities structured? o How can the cloud customer report anomalies and security events to the provider? o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider? o Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are monitored? o Do you provide (upon request) a periodical report on security incidents (e.g.,. according to the ITIL definition)? o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs? o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party? 41
  • 42. ENISA INCIDENT MANAGEMENT AND RESPONSE How are severity levels defined? How are escalation procedures defined? When (if ever) is the cloud customer involved? How are incidents documented and evidence collected? Besides a thentication accounting and a dit what other controls are in place to pre ent (or authentication, acco nting audit, hat prevent minimize the impact of) malicious activities by insiders? Does the provider offer the customer (upon request) a forensic image of the virtual machine? Does the provider collect incident metrics and indicators (i.e.,. number of detected or reported incidents per months number of incidents caused by the cloud provider’s subcontractors and months, the total number of such incidents, average time to respond and to resolve, etc)?). o Which of these does the provider make publicly available (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information)??) How often does the provider test disaster recovery and business continuity plans? Does the provider collect data on the levels of satisfaction with SLAs? Does the provider carry out help desk tests? For example: oIImpersonation tests (is the person at the end of the phone requesting a password reset, i (i h h d f h h i d really who they say they are?) or so called ‘social engineering’ attacks. 42
  • 43. ENISA INCIDENT MANAGEMENT AND RESPONSE Does the provider carry out penetration testing? How often? What are actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to ‘break out’ of one image into another and also g p g gain access to the host infrastructure?. The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud providers management and support systems (e.g., example the provisioning and admin access control systems). Does the provider carry out vulnerability testing? How often? What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later ) versions of software, etc)? 43
  • 44. ENISA PHYSICAL SECURITY As with personnel security, many of the potential issues arise because the IT infrastructure is under the control of a third party – like traditional outsourcing, the effect of a physical security breach can have an impact on multiple customers ( g p p (organizations). ) What assurance can you provide to the customer regarding the physical security of the location? Please provide examples, and any standards that are adhered to, e.g.,. Section 9 of ISO 27001/2. o Who, other than authorized IT personnel, has unescorted (physical) access to IT infrastructure? For example, cleaners, managers, ‘physical security’ staff, contractors, consultants, physical security vendors, etc. o How often are access rights reviewed? How quickly can access rights be revoked? o Do you assess security risks and evaluate perimeters on a regular basis? How frequently? 44
  • 45. ENISA PHYSICAL SECURITY o Do you assess security risks and evaluate perimeters on a regular basis? How frequently? o Do you carry out regular risk assessments which include things such as neighboring buildings? o D you control or monitor personnel (i l di thi d parties) who access secure areas? Do t l it l (including third ti ) h ? o What policies or procedures do you have for loading, unloading and installing equipment? o Are deliveries inspected for risks before installation? o Is there an up-to-date physical inventory of items in the data centre? o Do network cables run through public access areas? Do you use armored cabling or conduits? o Do you regularly survey premises to look for unauthorized equipment? o Is there any off-site equipment? How is this protected? 45
  • 46. ENISA PHYSICAL SECURITY o Do your personnel use portable equipment (e.g.,. laptops, smart phones) which can give access to the data centre? How are these protected? o What measures are in place to control access cards? o What processes or procedures are in place to destroy old media or systems when required to do so? data overwritten? physical destruction? o What authorization processes are in place for the movement of equipment from one site to another? How do you identify staff (or contractors) who are authorized to do this? o How often are equipment audits carried out to monitor for unauthorized equipment removal? o How often are checks made to ensure that the environment complies with the appropriate legal and regulatory requirements? 46
  • 47. ENISA ENVIRONMENTAL CONTROLS What procedures or policies are in place to ensure that environmental issues do not cause an interruption to service? What methods do you use to prevent damage from a fire, flood, earthquake, etc? o In the event of a disaster what additional security measures are put in place to protect disaster, physical access? o Both at the primary as well as at the secondary sites? Do you monitor the temperature and humidity in the data centre? o Air conditioning considerations or monitoring? Air-conditioning Do you protect your buildings from lightening strikes? o Including electrical and communication lines? Do you have stand-alone generators in the event of a power failure? o For how long can they run? o Are there adequate fuel supplies? o Are there failover generators? o How often do you check UPS equipment? o How often do you check your generators? o Do you have multiple power suppliers? 47
  • 48. ENISA ENVIRONMENTAL CONTROLS Are all utilities (electricity, water, etc) capable of supporting your environment? How often is this re-evaluated and tested? Is your air-conditioning capable of supporting your environment? o How often is it tested? Do you follow manufacturers recommended maintenance schedules? Do you only allow authorized maintenance or repair staff onto the site? o How do you check their identity? When equipment is sent away for repair, is the data cleaned from it first? o How is this done? 48
  • 49. ENISA LEGAL REQUIREMENTS Customers and potential customers of cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with. The key legal questions the customer should ask the cloud provider are: In what country is the cloud provider located? Is the cloud provider’s infrastructure located in the same country or in different countries? Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider? Where will the data be physically located? Will jurisdiction over the contract terms and over the data be divided? Will any of the cloud provider’s services be subcontracted out? Will any of the cloud provider’s services be outsourced? How will the data provided by the customer and the customer’s customers, be collected, processed and transferred? What happens to the data sent to the cloud provider upon termination of the contract? 49
  • 50. Cloud Security Alliance ( y (CSA) ) 50
  • 51. Cloud Security Alliance (CSA) Taxonomy 51
  • 52. Cloud Security Alliance (CSA) Mapping 52
  • 53. Cloud Security Alliance ( y (CSA) ) Domain 4: Compliance and Audit With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy And the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors. Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand: case • Regulatory applicability for the use of a given cloud service • Division of compliance responsibilities between cloud provider and cloud customer •CCloud provider’s ability to produce evidence needed f compliance ’ for • Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor 53
  • 54. Cloud Security Alliance ( y (CSA) ) Recommendations √ Involve Legal and Contracts Teams. The cloud provider’s standard terms of service may not address your compliance needs; therefore it is beneficial to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations. √ Right to Audit Clause. Customers will often need the ability to audit the cloud provider, given the dynamic natures of both the cloud and the regulatory environment. A right to audit contract clause should be obtained whenever possible, particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Over time, the need for this right should be reduced and in many cases replaced by appropriate cloud provider certifications related to our certifications, recommendation for ISO/IEC 27001 certification scoping later in this section. √ Analyze Compliance Scope. Determining whether the compliance regulations which the organization is subject to will be impacted by the use of cloud services, for a given set of applications and data. 54
  • 55. Cloud Security Alliance ( y (CSA) ) Recommendations √ Analyze Impact of Regulations on Data Security. Potential end users of Cloud Computing services should consider which applications and data they are considering moving to cloud services, and the extent to which they are subject to compliance g , y j p regulations. √ Review Relevant Partners and Services Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations. 55
  • 56. Cloud Security Alliance ( y (CSA) ) Recommendations Understand Contractual Data Protection Responsibilities and Related Contracts. The cloud service model to an extent dictates whether the customer or the cloud service p provider is responsible for deploying security controls. In an IaaS deployment scenario, p p y g y p y , the customer has a greater degree of control and responsibility than in a SaaS scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls From a contractual perspective controls. perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key. √ Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types. 56
  • 57. Cloud Security Alliance ( y (CSA) ) √ Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, logging data retention, incident response, controls testing, and privacy policies retention response testing policies. √ Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of compliance across the multitude of compliance regulations and requirements is a challenge. Customers of cloud services should develop p g p processes to collect and store compliance evidence including audit logs and activity reports, copies of system configurations, change management reports, and other test procedure output. Depending on the cloud service model, the cloud provider may need to provide much of this information. information √ Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a “cloud aware” auditor since many might not be familiar cloud aware with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point. 57
  • 58. Cloud Security Alliance ( y (CSA) ) √ Cloud Provider’s SAS 70 Type II Providers should have this audit statement at a Provider s II. minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements. √ Cloud Provider’s ISO/IEC 27001/27002 Roadmap. Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices. √ ISO/IEC 27001/27002 Scoping. The Cloud Security Alliance is issuing an industry call Scoping to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria. Contributors: Nadeem Bukhari, Anton Chuvakin, Peter Gregory, Jim Hietala, Greg Kane, Patrick Sullivan 58
  • 59. MICROSOFT 59
  • 60. Microsoft Azure Services Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 60
  • 61. Windows Azure Applications, Storage, Storage and Roles n m LB Web Role Worker Role Cloud Storage (blob, table, queue) Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 61
  • 62. MICROSOFT Microsoft provides a t t Mi ft id trustworthy cloud th th l d through f h focus on th three areas: Utilizing a risk-based information security program that assesses and prioritizes security and operational th t t th b i i iti it d ti l threats to the business Maintaining and updating a detailed set of security controls that mitigate risk Operating a compliance framework that ensures controls are designed appropriately and are operating effectively Microsoft is able to obtain key certifications such as International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations, and to more efficiently pass attestations regular audits from independent third parties. 62
  • 63. MICROSOFT 63
  • 64. MICROSOFT 64
  • 65. MICROSOFT 65
  • 66. MICROSOFT 66
  • 67. MICROSOFT 67
  • 68. MICROSOFT Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi global.com/en/Assessment and certification services/Client http://www.bsi-global.com/en/Assessment-and-certification-services/Client- directory/CertificateClient-Directory-Search- Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com The Microsoft Security Development Lifecycle (SDL): http://msdn.microsoft.com/en- http://msdn.microsoft.com/en us/security/cc448177.aspx Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx Microsoft Security Response Center: http://www.microsoft.com/security/msrc The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en- us/security/dd206731.aspx Microsoft Online Services: http://www.microsoft.com/online 68
  • 75. Questions? • Thank-you! Email questions to [email protected] Requests for materials, slides etc materials slides, etc. Keep in touch 75