2. Cloud Security
Agenda
- Security Framework
- What Vendors Should do
- What Customers Should do
From: www.rackspace.com/cloud/cloudu
3. Cloud Security
A Security Framework for the Cloud
The Cloud Security Alliance (CSA) is a non-profit
organization formed to promote the use of best practices for
providing security assurance within Cloud Computing, and
provide education on the uses of Cloud Computing to help
secure all other forms of computing.
Objectives:
- Promote a common level of understanding between the consumers and providers.
- Promote independent research into best practices.
- Create consensus lists of issues and guidance for cloud security assurance.
4. Cloud Security
What Vendors Should Do (1/7)
1. Physical Data Center Security
2. Security of Host Machine Operating System
3. Control of Hypervisor
4. Network Security
5. Virtual Machine Security
5. Cloud Security
What Vendors Should Do (2/7)
1. Physical Data Center Security:
- Security of the building: keycard protocols, biometric scanning protocols and round-the-clock interior and exterior surveillance.
- Authorization of personnel: only authorized data center personnel should be granted access.
- Employee background checks: carried out before they're hired.
6. Cloud Security
What Vendors Should Do (3/7)
2. Security of Host Machine Operating System:
The operating system within which virtual machines are
hosted requires extra scrutiny as it is the manager for
guest virtual machines.
- Intrusion detection system
- The minimum number of user accounts possible
- Limited administrator access to named accounts
- No publicly accessible network services
Vulnerabilities in the base OS can have impacts on the individual virtual machines.
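The host OS checklist above, turned into an automated check as an added example (not from the original slides): it audits passwd, group and `ss -tln` style listener data for interactive accounts, administrators outside a named allow-list, and TCP services bound beyond loopback. The sample data, the allow-list, the admin group names and the choice to treat a non-loopback bind as "publicly accessible" are all assumptions.

```python
# Constructed sample data (not from a real host); allow-list and group names are assumptions.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice.ops:x:1000:1000::/home/alice.ops:/bin/bash
admin:x:1002:1002::/home/admin:/bin/bash
backup:x:0:34::/var/backups:/bin/sh"""
GROUP = "sudo:x:27:alice.ops,admin\nusers:x:100:"
SS_TLN = """LISTEN 0 128 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:16509 [::]:*"""
APPROVED_ADMINS = {"alice.ops"}  # hypothetical named administrators
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
ADMIN_GROUPS = {"sudo", "wheel"}

def parse_passwd(text):
    """Return (name, uid, shell) for each well-formed passwd line."""
    rows = (line.split(":") for line in text.splitlines())
    return [(f[0], int(f[2]), f[6]) for f in rows if len(f) == 7]

def login_accounts(passwd):
    """Accounts that can obtain an interactive shell."""
    return [n for n, _, sh in parse_passwd(passwd) if sh not in NOLOGIN_SHELLS]

def admin_accounts(passwd, group):
    """Admin-group members plus any non-root account with UID 0."""
    admins = {n for n, uid, _ in parse_passwd(passwd) if uid == 0 and n != "root"}
    for line in group.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in ADMIN_GROUPS:
            admins.update(u for u in f[3].split(",") if u)
    return admins

def public_listeners(ss_tln):
    """(address, port) of TCP listeners bound to anything other than loopback."""
    found = []
    for cols in (line.split() for line in ss_tln.splitlines()):
        if len(cols) >= 5 and cols[0] == "LISTEN":
            host, port = cols[3].rsplit(":", 1)
            if not (host.startswith("127.") or host.strip("[]") == "::1"):
                found.append((host.strip("[]"), int(port)))
    return found

def audit(passwd, group, ss_tln, approved):
    """One result per checklist item; empty lists mean the item passes."""
    return {"login_accounts": login_accounts(passwd),
            "unapproved_admins": sorted(admin_accounts(passwd, group) - approved),
            "public_listeners": public_listeners(ss_tln)}

if __name__ == "__main__":
    print(audit(PASSWD, GROUP, SS_TLN, APPROVED_ADMINS))
```

A listener bound to a wildcard address is only a candidate finding: whether it is reachable from outside still depends on the perimeter controls in front of the host.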
7. Cloud Security
What Vendors Should Do (4/7)
3. Control of the Hypervisor:
While, in most cases, control of individual virtual machines
is the responsibility of the customer, vendors need to
ensure robust security of the hypervisor itself, the tool
which keeps the individual virtual machines separate.
A hypervisor, or virtual machine monitor (VMM), is a piece of computer
software, firmware or hardware that creates and runs virtual
machines.
9. Cloud Security
What Vendors Should Do (6/7)
4. Network Security: (Cont.)
Consists of the policies and procedures adopted by the
network administrator to prevent and monitor
unauthorized access, misuse, modification or denial of the
computer network and network-accessible resources.
Includes:
- Perimeter controls
- Network access
- Regulate access control
10. Cloud Security
What Vendors Should Do (7/7)
5. Virtual Machine Security
Virtual machines share the same security vulnerabilities as physical machines and should be protected from the same problems: hardware failures, viruses, hacking, data corruption.
11. Cloud Security
What Customers Should Do
Customers too have an important part to play in ensuring
the security of the solutions they utilize.
1. Firewall
2. Patches and Backups
3. Passwords
4. Controlling Access to Devices Connected to the
Cloud
5. Ensuring the Security of Staff
12. Cloud Security
What Customers Should Do
The Whispered Truth - Your Data, Your Responsibility
In Infrastructure as a Service (IaaS) and Platform as a
Service (PaaS) clouds, protecting data at rest is the customer's
responsibility, not the provider's.
To meet privacy obligations to the company's customers and employees,
and to comply with regulatory standards such as PCI DSS and SOX, it is a
must to securely encrypt cloud-based data, while keeping operational
overhead to a minimum.
PCI DSS: Payment Card Industry Data Security Standard
SOX: Sarbanes-Oxley Act of 2002