Cloud Security And Privacy

Cloud Security and Privacy:
An Enterprise Perspective on Risks and Compliance

Tim Mather
Subra Kumaraswamy, Sun
Shahed Latif, KPMG

© 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif

What We Do Not Discuss

• Existing aspects of information security
which are not impacted by ‘cloud computing’

• Consumer aspects of cloud computing

2


What We Do Discuss
• Infrastructure Security
• Network-level
• Host-level
• Application-level
• Data Security
• Identity and Access Management (IAM)
• Privacy Considerations
• Audit & Compliance Considerations
• Security-as-a- [Cloud] Service (SaaS)
• Impact on the Role of Corporate IT
Where Risk Has Changed: ± 3


Components of Information Security

Security Management Services
Management – ACL, hygiene, patching, VA, incident response

Identity services – AAA, federation, provisioning

Information Security – Data
Encryption (transit, rest, processing), lineage, provenance, remanence

Information Security – Infrastructure
Application-level
Host-level
Network-level

4


Cloud Computing: Evolution

5


Cloud Pyramid of Flexibility

6


Infrastructure Security – currently
• Trust boundaries have moved
• Specifically, customers are unsure where those
trust boundaries have moved to
• Established model of network tiers or zones no
longer exists
• Domain model does not fully replicate previous
model
• No viable, scalable model for host-to-host trust
• Data labeling / tagging required at application-
level
• Data separation is logical not physical

7


Infrastructure Security – going forward
• Need for greater transparency regarding
which party (CSP or customer) provides
which security capability

• Inter-relationships between systems,
services, and people needs to be addressed
by identity management

8


Data Security – currently
• Provider’s data collection efforts and
monitoring of such (e.g., IPS, NBA)
• Use of encryption
• Point-to-multipoint data-in-transit an issue
• Data-at-rest possibly not encrypted
• Data being processed definitely not encrypted
• Key management is a significant issue
• Advocated alternative methods (e.g., obfuscation,
redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence
9


Data Security – going forward
Large-scale multi-entity key management
• Must scale past multi-enterprise to inter-cloud
• Not just hundreds of thousands of systems or even millions of
virtual machine images, but billions of files or objects
• Must not only handle key management lifecycle (per NIST
SP 800-57, Recommendation for Key Management), but also
• Key recovery
• Key archiving
• Key hierarchies / chaining for legal entities

• Fully homomorphic encryption
• Potentially huge boon to cloud computing
• Will increase need for better key management
10


IAM – currently
• Generally speaking, poor situation today:

• Federated identity widely not available
• Strong authentication available only through
delegation
• Provisioning of user access is proprietary to
provider
• User profiles are limited to “administrator” and
“user”
• Privilege management is coarse, not granular
11


IAM – going forward
• Emerging identity-as-a-service (IDaaS)
needs to evolve beyond authentication

• SAML, SPML and XACML (especially) need
to be more fully leveraged

• Increasing need for user-to-service and
service-to-service authentication and
authorization (OAuth)

12


Privacy – currently
• Transborder data issues may be exacerbated
• Specifically, where are cloud computing activities
occurring?

• Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• Cusps absolve themselves of privacy concerns:
‘We don’t look at your data’
13


Privacy – going forward
• Privacy laws are inconsistent across
jurisdictions; need global standard

• Need specific requirements for auditing (e.g.,
AICPA/CICA Generally Accepted Privacy Principles
– GAPP)

14


Audit & Compliance – currently

• Effectiveness of current audit frameworks
questionable (e.g., SAS 70 Type II)

• CSP users need to define:
• their control requirements
• understand their CSP’s internal control monitor-
ing processes
• analyze relevant external audit reports

• Issue is assurance of compliance
15


Audit & Compliance – going forward

• Inter-cloud (i.e., cross-CSP) solutions will
demand unified compliance framework

• Volume, multi-tenancy of cloud computing,
demand that CSP compliance programs be
more real-time and have greater coverage
than most traditional compliance programs

16


Security-as-a-Service – currently
• Some offerings mature
• E-mail filtering, archiving
• Web content filtering
• Some offerings still emerging
• (E-mail) eDiscovery
• Identity-as-a-Service (IDaaS)
• Encryption, key management
• Today’s security-as-a-service providers sell
to CSP customers, not CSPs
• None of today’s CSPs offer security-as-a-
service as integrated offering
17


Security-as-a-Service – going forward
• Horizontal integration
• Pure play SaaS providers will broaden offerings
beyond e-mail + Web content filtering
• Vertical integration
• CSPs will offer SaaS as integrated offering
• IDaaS has to scale effectively for cloud
computing to truly take off
• Complexity of key management screams for
SaaS offering

18


Impact on Role of Corporate IT – currently
• Governance issue as internal IT becomes
“consultants” and business analysts to
business units
• Delineation of responsibilities between
providers and customers much more
nebulous than between customers and
outsourcers, collocation facilities, or ASPs
• Cloud computing likely to involve much more
direct business unit interaction with CSPs
than with other providers previously
19


Impact on Role of Corporate IT – going forward
• Relationship between business units and corporate
IT departments vis-à-vis CSPs will shift greater
power to business units from IT
• Number of functions performed today by corporate
IT departments will shift to CSPs, along with
corresponding job positions
• Functions performed by corporate IT departments
will shift from those who do (i.e., practitioners who
build or operate) to those who define and manage
• IT itself will become more of a commodity as
practices and skills are standardized and
automated
20


Conclusions
• Part of customers’ infrastructure security
moves beyond their control
• Provider’s infrastructure security may
(enterprise) or may not (SMB) be less robust
than customers’ expectations
• Data security becomes significantly more
important – yet provider capabilities are
inadequate (except for simple storage which
can be encrypted, and processing of non-
sensitive (unregulated and unclassified) data
21


Conclusions (continued)
• IAM is less than adequate for enterprises –
weak authentication unless delegated back
to customers or federated, weak authoriza-
tion, proprietary provisioning

• Because of above, expect significant
business unit pressure to desensitize or
anonymize data; expect this to become a
chokepoint
• No established standards for obfuscation,
redaction, or truncation
22


What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for
handling of non-sensitive (unregulated and
unclassified) data

• Cost
• Flexibility
• Scalability
• Speed

23


Developments to Watch
• VMware’s vCloud API − submitted to DMTF
• Amazon’s Virtual Private Cloud − hybrid
cloud that extends private cloud through
“cloud bursting”
• Security-as-a-Service offered by CSPs (e.g.,
Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSP
(e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL,
ISO 27002, CObIT 24


Cloud Security and Privacy:
An Enterprise Perspective on Risks and Compliance

Continue the discussion on-line at: cloudsecurityandprivacy.com
25

Cloud Security And Privacy

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to Cloud Security And Privacy (20)

Cloud Security And Privacy