Security is high on the list of concerns for many organizations as they evaluate their cloud computing options. This session will examine security in the context of the various forms of cloud computing. We'll consider technical and non-technical aspects of security, and discuss several strategies for cloud computing, from both the consumer and producer perspectives.
3. A Few General Considerations…
• Multi-tenancy
  • Varying degrees of isolation (how thick are the walls?)
  • Unpredictable cohabitation (do you really know your neighbors?)
• Isolation Barriers
  • Physical vs. logical
  • Several vs. few
• Data (Operational, Metadata, Log Data, Backups, etc.)
  • Ownership
  • Dispersal, Privacy, and Retention Laws
• Complexity
  • Technical: technologies, integration, domain federation
  • Business: policies, procedures, continuity
• Auditing and Compliance
  • Capabilities and support
4. Security Principles & Cloud
• Least Privilege
  • Restricting administrative privileges
• Segregation of Duties
  • Consumer privileges vs. provider privileges
• Compartmentalization
  • Controlling resource allocation/utilization in a shared environment
• Defense in Depth
  • Discontinuity…
6. Security Layering and Cloud Technology Integration
(Diagram: security layers Physical, Perimeter, Internal Network, Host, VMs, Application / Service, Data, and Id & Access Mgmt, mapped to IaaS, PaaS and SaaS across a private cloud run by your organization, a private cloud run by a cloud provider, and a public cloud; the stack is framed by Policies & Procedures, SGRC, Security Management & Monitoring, and Planning & Reconciliation)
7. Control Frameworks
• ISO/IEC 27001:5
• NIST Recommended Security Controls for Federal Information Systems and Organizations (Pub 800-53)
• COBIT
• SANS 20 Critical Security Controls
• Cloud Security Alliance Cloud Controls Matrix
8. NIST Security Controls
Technical
• Access Control
• Audit & Accountability
• Identification & Authentication
• System & Communications Protection
Operational
• Awareness & Training
• Configuration Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Physical & Environmental Protection
• Personnel Security
• System & Information Integrity
Management
• Security Assessment & Authorization
• Planning
• Risk Assessment
• System & Services Acquisition
• Program Management
9. Exposure, Control, & Risk
Threat categories:
• Exposure
  • Public access to applications, services, platforms, & data
  • Administrative access
  • Data traversing unprotected networks
  • Reliance on isolation implementation(s)
• Control (or delegation thereof)
  • Physical, managerial, operational
  • Functional and non-functional capabilities
• Compliance
  • Search and seizure
• Quantitative Risk = threat probability * magnitude of loss
• Relative risk = Risk_IT / Risk_Cloud
10. Service & Deployment Models
Service Models (exposure and control vary with the model):
• IaaS
• PaaS
• SaaS
Deployment Models, ordered from dependent upon internal controls to dependent upon the cloud provider and internal compensating controls:
• Private, operated & managed
• Private, partner-operated & managed
• Private, partner-located, operated & managed
• Remote dedicated / leased
• Public, shared
11. Agenda
• Cloud Security Considerations
• Consumer Strategies
  o Security Governance, Risk Management, & Compliance (SGRC)
  o Usage Strategies
  o Identity & Access Management (IAM)
• Provider Strategies
12. SGRC Strategy
• How will Cloud providers be assessed for risk?
• Who will evaluate assessments and have authority to grant approvals?
• What compliance issues are pertinent to the use of Cloud? (Compliance with all government, industry, and internal policies and regulations.)
• Who will review issues related to compliance and have authority to grant approvals?
• Under what circumstances might a Cloud be used without a formal assessment and compliance review?
• What governance processes will be established/used to properly evaluate a Cloud provider for all aspects of security (including business continuity)?
• What governance processes will be established/used to actively monitor and audit access to, and usage of, company assets in a Cloud environment?
• …
13. Usage Strategy
• How the cloud will be used
  • Development & test vs. production
  • Internet access vs. private / VPN
  • Public content vs. sensitive information
  • …
14. Public Cloud, Public Access Point
(Diagram: intranet users and Internet users (employees) reach intranet-based web apps in the internal DMZ, backed by business-critical systems, sensitive data and IAM in Internal IT / Private Cloud; Internet users (general public) reach public-facing web apps in the Cloud DMZ, backed by non-critical systems and public-facing content in the Public Cloud (PaaS, IaaS); the two environments are linked by VPN)
• Cloud is used to serve up public content
• Sensitive data and monetized transactions are handled internally
15. Dedicated Datacenter Extension
(Diagram: Internet users and intranet users reach intranet-based web apps (DMZ) on company-owned infrastructure, platforms & software with IAM in Internal IT / Private Cloud; a VPN connects to provider-owned IaaS/PaaS running company software in a Dedicated Cloud (PaaS, IaaS))
• Cloud is used to extend the capacity of IT
• Private access to dedicated resources
16. Public Cloud for Commodity Computing
(Diagram: Internet and intranet users reach custom web apps and company portals (internal DMZ) backed by custom-built, business-differentiating systems with IAM in Internal IT / Private Cloud, and commodity web apps (Cloud DMZ) backed by commodity applications & services with their own IAM in the Public Cloud (SaaS))
• SaaS providers used for commodity computing needs
• Access most often via common Internet connectivity
17. Private Cloud, Standardization & Consolidation
(Diagram: Support, Sales and Finance systems in Internal IT migrate to an IT-managed IaaS/PaaS private cloud, with the Public Cloud (XaaS) as the alternative migration target)
• Private cloud offers an efficient alternative
• Migration to cloud based on evaluation of projects in pipeline
• Decision on public or private based on evaluation criteria
18. Identity and Access Management Strategy
• How will management be accomplished without compromising existing IAM capabilities (standardized provisioning, approval, integration, audit, attestation, and analysis)?
  • Centralized
  • Distributed
  • Federated
  • Synchronized
  • Replicated
  • …
19. Anonymous & Personalized Public Cloud
(Diagram: users log in, or are redirected to log in, at the internal AuthN/AuthZ services backed by credentials, roles, attributes and policies, to reach secure systems & applications and sensitive data in Internal IT / Private Cloud; in the Public Cloud, anonymous applications and public content need no login, and personalized applications and content use only a user id)
• Nothing in the cloud performs access control
• Identity is used for non-security purposes (personalization, etc.)
20. Centralized IAM
(Diagram: users log in and access internal applications and private clouds; the AuthN/AuthZ services (credentials, roles, attributes, policies) in Internal IT / Private Cloud are reached over VPN by network-isolated IaaS/PaaS environments in the Public Cloud)
• Identity management and security services are centrally deployed
• Cloud applications access centralized security services
21. Access Control with Vouched Identity
(Diagram: users log in at the internal AuthN/AuthZ services (credentials, roles, attributes, policies) and reach SSO & internal applications; identity is vouched to the Public Cloud via SAML or OpenID, where standalone applications with RBAC/ABAC make their own AuthZ decisions against application access policies held in Access Policy Management)
• Users are authenticated by internal authentication services
• Identity is securely propagated to enable authorization decisions in the cloud
22. Standalone Synchronized IAM
(Diagram: users log in separately to standalone internal applications in Internal IT / Private Cloud and to standalone cloud-based applications in the Public Cloud; each side has its own AuthN/AuthZ with credentials, roles, attributes and policies, and the two IAM systems are kept in sync)
• Users are authenticated in multiple places
• Identity data is synchronized across multiple locations via manual or automated processes
23. Federated IAM
(Diagram: users log in internally and access cloud-based applications over HTTP/SOAP; the internal IAM acting as identity provider and the cloud IAM acting as service provider exchange SAML tokens through security token services (STS) using WS-Trust / WS-Fed, each side keeping its own AuthN/AuthZ, credentials, roles, attributes and policies, with optional sync between them)
• Federated identities may be mapped to cloud-based groups or roles
• Synchronization becomes less critical due to abstraction
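The vouched-identity flow of slide 21 and the group-to-role mapping of slide 23, as an added example that is not part of the original deck: the internal identity provider signs an assertion for an authenticated user, the cloud side verifies it and only then maps the federated groups to cloud roles and evaluates its own RBAC/ABAC access policies. The HMAC-signed JSON assertion is a deliberate stand-in for a SAML/WS-Fed token, and the key, group names, role names and policy values are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the IdP/STS trust relationship
# (an assumption for this example; real deployments use SAML/WS-Fed signatures).
IDP_KEY = b"example-idp-signing-key"

# Cloud-side mapping of federated groups to cloud roles (constructed values).
GROUP_TO_ROLE = {"cn=finance,ou=groups": "ledger-reader",
                 "cn=it-ops,ou=groups": "ledger-admin"}

# Application access policies: RBAC role sets plus ABAC attribute conditions.
POLICY = {"ledger:read": {"roles": {"ledger-reader", "ledger-admin"}},
          "ledger:write": {"roles": {"ledger-admin"}, "attrs": {"mfa": True}}}

def issue_assertion(subject, groups, attrs, ttl=300, key=IDP_KEY, now=None):
    """Internal IdP: vouch for an already-authenticated user with a signed, expiring assertion."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "groups": groups, "attrs": attrs,
                       "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_assertion(token, key=IDP_KEY, now=None):
    """Cloud STS: accept the identity only if signature and expiry check out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims

def authorize(token, action, now=None):
    """Cloud AuthZ: map federated groups to roles, then apply the RBAC/ABAC policy."""
    claims = verify_assertion(token, now=now)
    if claims is None:
        return False
    roles = {GROUP_TO_ROLE[g] for g in claims["groups"] if g in GROUP_TO_ROLE}
    rule = POLICY.get(action)
    if rule is None or not roles & rule["roles"]:
        return False
    return all(claims["attrs"].get(k) == v for k, v in rule.get("attrs", {}).items())
```

The cloud never sees the user's credentials: it trusts the assertion, and unknown groups simply map to no role, so a new federated group grants nothing until the cloud-side mapping is updated.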
24. Brokered Identity Management
(Diagram: users register with and manage their identities at a 3rd party identity provider (OpenID) that holds credentials and attributes; customer-facing applications in Internal IT / Private Cloud and cloud-based applications in the Public Cloud accept logins brokered through that provider)
• Brokered identity management relies on a trusted 3rd party to manage identities
• Clouds, and optionally internal IT, may elect not to manage identities at all
26. Provider Strategy
• Velocity & Scale: Standardization & Governance
  • Minimal process deviation; enables automation
  • Default secure configurations
  • Common security services
  • Processes that automate the proper behavior
• Domain Strategy
  • Group resources together appropriately and consistently apply the proper degree of security controls
• Multi-tenancy Strategy
  • Defines how tenants will share resources securely
• Cohabitation Strategy
  • Which tenants "belong together"
27. Service Model Domains
(Diagram: all users reach separate IaaS, PaaS and SaaS cloud domains in the Public Cloud, under common Cloud Security & Management)
• Group tenants by service model
• Rationale: similar services have similar configurations and security requirements
• Similar services share the same access patterns
28. Network Tier Cloud Domains
(Diagram: cloud domains per network tier (Web Tier, Apps & Services, Data Tier) plus Partner Apps and BI / DW domains make up the Production Environment Cloud; each has Dev / Test environments, which may sit in a private or a public cloud)
• Group tenants by network tier
• Rationale: maintain network-level security controls using existing network infrastructure
29. Tenant Group-Based Domains
(Diagram: all users reach cloud domains for Group 1, Group 2 … Group n in the Public Cloud, under common Cloud Security & Management)
• Each group has dedicated resources with network isolation
• Groups may reflect common data sensitivity, compliance, SLA requirements, etc.
32. Shared Everything
(Diagram: Tenants A, B and C share one application and one schema, on top of Shared Security Services & IAM)
• Common SaaS model for maximum economy of scale
• Application must provide isolation
• Data from multiple tenants is stored in the same database tables
• Highest (relative) risk due to least control, greatest exposure
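What "the application must provide isolation" means in the shared-everything model, as an added example that is not part of the original deck: every tenant's rows live in one table, so the data access layer, not the schema, has to enforce the tenant boundary. The in-memory SQLite table, tenant ids and invoice rows are constructed for the example; the `unscoped_lookup` function is shown only as the weak pattern to contrast with the tenant-scoped repository.

```python
import sqlite3

# Constructed shared-everything schema: one table holds every tenant's rows.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, customer TEXT, amount REAL)")
    db.execute("CREATE INDEX ix_invoices_tenant ON invoices (tenant_id)")
    db.executemany("INSERT INTO invoices (tenant_id, customer, amount) VALUES (?, ?, ?)",
                   [("tenant-a", "acme", 100.0), ("tenant-a", "globex", 250.0),
                    ("tenant-b", "initech", 75.0)])  # constructed sample rows
    return db

class TenantRepo:
    """Every query goes through here, so the tenant predicate cannot be forgotten."""
    def __init__(self, db, tenant_id):
        if not tenant_id:
            raise ValueError("tenant context is mandatory")
        self.db, self.tenant_id = db, tenant_id

    def list_invoices(self):
        return self.db.execute(
            "SELECT id, customer, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,)).fetchall()

    def get_invoice(self, invoice_id):
        # The primary key alone is unique across tenants, so a lookup by id
        # would return another tenant's row; the tenant predicate stays.
        return self.db.execute(
            "SELECT id, customer, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id)).fetchone()

    def update_amount(self, invoice_id, amount):
        cur = self.db.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self.tenant_id))
        return cur.rowcount  # 0 means the row belongs to another tenant: untouched

def unscoped_lookup(db, invoice_id):
    """The weak pattern for contrast: lookup by id only, no tenant predicate."""
    return db.execute("SELECT id, customer, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()
```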
33. Shared Infrastructure: Virtual Machines
(Diagram: Tenants A, B and C each have a virtual environment with their own apps and data, on a shared hypervisor, shared infrastructure, and Shared Security Services & IAM)
• Each tenant has their own virtual environment
• Isolation provided by hypervisor
• Resource contention depends on VM capability and configuration
• Adds an additional layer and processes to run and manage
34. Shared Infrastructure: OS Virtualization
(Diagram: Tenants A, B and C run in Zones 1, 2 and 3 of a single operating system, over shared infrastructure and Shared Security Services & IAM)
Resources
• Processes & Memory
• Disks & Filesystems
• NICs & IP Addresses
• …
Controls
• Max share of CPU
• Max memory usage
• Max network bandwidth
• …
• Each tenant has their own processing zone
• Isolation provided by the operating system
• Resource contention depends on zone configuration
• No VMs to run and manage, no abstraction layer between app & OS
35. Shared Nothing
(Diagram: Tenants A, B and C are routed to fully separate stacks: Application Cluster A/B/C, Schema A/B/C, IAM Partition A/B/C and Resource Pool A/B/C, with only Shared Security Services in common)
• Greatest degree of isolation, least economical
36. Final Thoughts
• Define and execute on a strategy
  • Codify your appetite for risk; CYA
• Consider all aspects of security
  • Use a framework
• Not all clouds are the same
  • Be aware of the risks as well as the rewards
• You can delegate responsibility but you can't delegate accountability
• Visit us online at http://www.oracle.com/goto/itstrategies