As an industry, we’ve mostly moved on from naive notions about cloud computing being inherently “safe” or “risky.” However, more sophisticated discussions require both greater nuance and greater rigor. This presentation takes attendees through frameworks for evaluating and mitigating potential issues in hybrid cloud environments, discusses key risk factors to consider, and describes some of the relevant standards and provider certifications. This is a broad and sometimes complex topic. However, it’s very manageable if individual risk factors are considered systematically and specifically. This session will give IT professionals tools and knowledge to help them make informed decisions.
2. ABOUT ME
Red Hat Cloud Evangelist
Twitter: @ghaff
Google+: Gordon Haff
Email: ghaff@redhat.com
Blog: http://bitmason.blogspot.com
Flickr: http://www.flickr.com/photos/bitmason/
Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer
10. ABSTRACTIONS HIDE (BY DESIGN)
Layered stack, top to bottom; IaaS, PaaS and SaaS draw the customer/provider boundary at successively higher layers:
Application
Application platform (JBoss, PHP, Ruby, etc.)
Operating system (RHEL)
Virtualization (RHEV)
Hardware (x86)
Storage (RHS)
Layers above the boundary: managed and controlled by the customer (IT, dev, or user); increased control.
Layers below the boundary: automated and managed by the public or private cloud offering; increased automation.
12. BROADLY: CLOUD IS SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE
13. BUT MUCH DOESN’T CHANGE
“If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.”
Chris Hoff
Credit: Michael Rosenstein, cc/flickr http://www.flickr.com/photos/michaelcr/1508784073/
14. ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD
ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery.
ITIL practices can help design cloud computing as appropriate end-to-end services.
17. THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
SAS 70: specifically created for financial auditors of service organizations
ISO/IEC 27001: information security management system standard published in 2005
PCI DSS: for organizations processing credit card transactions
FedRAMP Security Controls: framework for US Federal agencies
HIPAA: US healthcare
18. SOC 2 AND 3
Report can be issued on one or more Trust Services Principles: security, availability, processing integrity, confidentiality, privacy
Type 1: suitability of design
Type 2: suitability of design and effectiveness
SOC 3 is a condensed public version of SOC 2
Mostly in the US today
See www.webtrust.org
19. CSA CLOUD CONTROLS MATRIX
98 “control areas” in 11 categories
Example: Security Architecture - Production / Non-Production Environments
Each mapped to areas of relevance (examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships)
Each mapped to relevant regulations and certifications (examples: NIST, PCI DSS)
20. 11 DOMAINS
Compliance (CO)
Operations Management (OM)
Data Governance (DG)
Risk Management (RI)
Facility Security (FS)
Release Management (RM)
Human Resources (HR)
Resiliency (RS)
Information Security (IS)
Security Architecture (SA)
Legal (LG)
Some examples…
21. COMPLIANCE
Audit controls: limitations of third-party auditability can be a concern for public cloud users
Regulatory mapping: can be especially important to understand where data resides
Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/
22. DATA GOVERNANCE
Controls to prevent data leaks in a multi-tenant environment
Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures
Support for Virtual Private Clouds (VPC) on Amazon Web Services
23. INFORMATION SECURITY
Identity and Access Control: store and manage timely identity information about every person who accesses the cloud resources and determine their level of access
Still evolving for cloud use cases, but critical to get it right
25. SECURITY ARCHITECTURE
Segmentation and restricted connections in network environments
“Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”
One of the reasons VPCs are interesting to many organizations
26. BUT IT’S NOT ABOUT BEING AN INHIBITOR
Remember the cost/benefit tradeoff
Your organization is (almost certainly) using public clouds
A private cloud that doesn’t provide cloud agility isn’t a cloud
Automation, streamlined process, clearly-defined policy help users and reduce risk
27. SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
Deloitte Cloud Computing Risk Intelligence Map
Cloud Computing Security Risk Assessment
CSIS 20 Critical Security Controls
Cloud Security Alliance STAR and Cloud Controls Matrix
Links:
http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
http://www.cloudsecurityalliance.org
http://www.sans.org/critical-security-controls/guidelines.php
28. FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
“The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.”
JOSHUA CORMAN