Cloud Security

Editor's Notes

• #7: Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
• #8: Extensible Markup Language – Service Oriented Architecture – The basic tools for web-based applications- XML is the basic language for specifying data or documents into web apps. -SOA describes the method of interconnecting various pre-designed applets or application building blocks into one contiguous programHypervisor - A software/hardware platform virtualization system that allows multiple operating systems to run on a host computer concurrently.Dynamic Partitioning - In a symmetric multiprocessing (SMP) system, the ability to reassign processors , memory and I/O to specific applications on the fly without shutting down the machine Application Programming Interface - is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems part of the Service Oriented Architecture
• #10: Cloud Computing and Cloud Service Providers (CSPs) are recognized as logical extensions of the Internet Service Providers (ISPs) ISP1.0 – ISPs provided internet access to individuals and organizations via dial up or dedicated lines early 1990’sISP2.0 – ISPs provided email, and connectivity to early clients’ web sight servers, primarily promotional information early-mid 1990’sISP3.0 – Cohosting – multiple clients’ webservers connected to broadband access at one facility late-mid1990’sISP 4.0 – the birth of ASPs. Dedicated instances of applications on dedicated servers for each customer. 2000ISP 5.0 ASPs evolved into SaaSs, which are applications based on IaaSs, which are based on PaaSs
• #11: ASP applications are traditional, single-tenant applications, but are hosted by a third party. They are client/server applications with HTML front ends added to allow remote access to the application. They do not make use of SOA-applets. Their user interface may be crude, often slow and upgrades are often no better than what an end user could provide for themselves.SaaS applications are multitenant applications that are hosted by a vendor with expertise in the applications and that have been designed as Net-native applications, employing SOA’ applets and are updated on an ongoing basis.
• #12: PaaS is a variation of SaaS whereby the development environment is offered as a service. The developers use the building blocks (e.g., predefined blocks of code) of the vendor’s development environment to create their own applications.In a platform-as-a-service (PaaS) model, the vendor offers a development environment to application developers, who develop applications and offer those services through the provider’s platform. The provider typically develops toolkits and standards for development, and channels for distribution and payment. The provider typically receives a payment for providing the platform and the sales and distribution services. This enables rapid propagation of software applications, given the low cost of entry and the leveraging of established channels for customer acquisition.The benefits of PaaS lie in greatly increasing the number of people who can develop, maintain, and deploy web applications. In short, PaaS offers to democratize the development of web applications, allowing many developers a chance to enter the SW apps market.
• #14: In a platform-as-a-service (PaaS) model, the vendor offers a development environment toapplication developers, who develop applications and offer those services through theprovider’s platform. The provider typically develops toolkits and standards for development,and channels for distribution and payment. The provider typically receives a payment forproviding the platform and the sales and distribution services. This enables rapid propagationof software applications, given the low cost of entry and the leveraging of established channelsfor customer acquisition.
• #15: A public cloud is hosted, operated, and managed by a third-party vendor from one or moredata centers. The service is offered to multiple customers (the cloud is offered to multipletenants) over a common infrastructurePrivate clouds differ from public clouds in that the network, computing, and storageinfrastructure associated with private clouds is dedicated to a single organization and is notshared with any other organizations (i.e., the cloud is dedicated to a single organizationaltenant). As such, a variety of private cloud patterns have emerged:
• #19: According to a May 2008 forecast by Merrill Lynch, the volume of the cloud computing marketopportunity will amount to $160 billion by 2011, including $95 billion in business andproductivity applications and $65 billion in online advertising.†According to a March 2009 forecast by Gartner, worldwide cloud services are on pace to surpass$56.3 billion in 2009, a 21.3% increase from 2008 revenues of $46.4 billion. The market isexpected to reach $150.1 billion in 2013.‡
• #21: In 2008-2009NASDQ and NYT made use of public cloud processing to digitize their entire printer history.Salesforce w/o question the most successful ASP, transitioned to SaaS to better optimize performance and cost savings.Signiant – takes informational data and configures it for delivery to various end-viewer outlets , ie TV, PCs, smart phones, PDA’s with the correct format, correct language dialogue, and targeted advertizing in near real time. They process data in huge bursts.ThinLaunch (partnered with CITRIX) directs users at signon to the determined web browser only – intranet based. Users are able only to view the desktop provided to them. MS Office, email, then applications assigned, and what ever websites assigned.Intuit is a internally hosted excel/access like application.Webroot is one of many web based email security providers
• #32: IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
• #33: IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
• #34: IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
• #35: IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
• #36: IAM – most current SaaS have fairly simplistic, non-granular access-privileges program, perhaps three levels (viewer only, user, & admin). Most Cloud offerings include lack of support for federation (single sign-on or SSO), integration with corporate directories, risk-based authentication, scalable identity services, and the extension of clients’ enterprise IAM practices to the CSPMicrosoft’s Azure support basic federation from Active Directory to Microsoft’s cloud services and facilitate user SSO from on-premises Active Directory to Microsoft’s cloud services. Although these cloud-based identity services are lowering the barriers to entry for SMBs, theyare deemed inadequate to meet most enterprise requirements such as custom reporting and compliance management.Encryption - Effectively managing data that is encrypted is extremely complex and troublesome due to the current inadequate capabilities of key management products. For SaaS customers this is within an application-administering-many clients concurrently. Encryption is possible for data in transit, for that at rest, but not during actual processing. Key management in an intra-organizational context is difficult enough; trying to do effective key management in the cloud is frankly beyond current capabilities and will require significant advances in both encryption and key management capabilities to be viable.Data Location – can be anywhere in the world – opens a Pandora’s box of conflicting national laws, regarding
• #39: The cloud oppty is for us to undo the Rodney Dangerfield opinion enterprises typically afford us.The cloud offers ISACA members an unprecedented oppty to positively impact your employer organization. Typically most ISACA members I have met are not “A” type personas. Now you need to become one.We are and could be facing something similar to what our peers at Enron / Worldcom / Tyco were seeing in 2001. Initially the threat will not be from internal to the organization, but will be from a too rapid adoption of cloud technologies. However, if clouds become imbedded into your enterprise without adequate controls, then the internal threats are more likely than ever before. Which will likely then have external threats following.Now is the time to earn your organizational respect. From my research there are many currently-considered best practice IT controls just not in place with CSPs. This is the area and time where you can make a significant impact inot the success of cloud engagements.You can lead two goals – adequate security and audit-ability of the program as well as an avoidance in the use of proprietary tey technologies.chIAM – Research New Best of Breed IAM programs such as Symplified, Ping Identity, Conformity, and TriCipher. For large organizations, with much interdependencies in data /application access between disparate groups, evolve IAM towards the Federation model. Organizations need to implement robust fundamental technologies
• #40: Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
• #41: There are many A types, who enjoy learning new business technologies especially if it is perceived to be an aid in their career goals. Let them take ownership of this issue. You can be the behind-the-scenes information source advisory. Work with them from the get-go.Feed them information at a level they will understand, perhaps in WSJ-speak. The Cloud Security Alliance is a great source at this level. Bring in an outside Cloud Security authority.You will likely move to the clouds – in time. But attempt to develop a uniformly agreed-upon list of requirements between the company champion/players for the CSP before jumping on. Look to possible leverage the cloud to improve the internal enterprise. Look to require best practice security controls which are now just evolving ieexternalization of authentication and authorization components from applications (loosely coupled) as this can aid in the rapid adoption of cloud-based services including cloud identity services, policy-based authentication, centralized logging, and auditing (e.g., OpenSSO from Sun Microsystems and Microsoft’s Geneva claimsbased authentication framework can help externalize authentication).
• #42: REVERT to BEST PRACTICE IT Audit PracticesThe first order of business is an internal audit of all the data and applications being considered for Cloud Computing. What data, with what internal security levels are being considered for the Cloud?What are the compliance implications?Who are the data owners?Will these data owners accept these new risks? All this needs to be documented
• #43: Try to find the CSP who will meet your company’s established Enterprise Security level. Do not lower your established security standards.Ask to review the CSPs written internal security policies. Are they current? Are they updated & reviewed annually. They should be tighter than yours. And once gaining a comprehension of the CSP’s agreed-to responsibilities, you will then come to understand the scope of IT system management and monitoring responsibilities that fall on you the customer’s shoulders, including access, change, configuration, patch, and vulnerability management.
• #44: Organizations need to implement robust fundamental technologies in the IAM space - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
• #45: Organizations need to implement robust fundamental technologies - Thru use of SAML, SPML and XACML, achieve Federated user access priviledges across multiple web based and internally hosted applications with SSOs.Most cloud services support at least dual roles (privileges): administrator and end user. It is a normal practice among CSPs to provision the administrator role with administrative privileges. These privileges allow administrators to provision and deprovision identities, basic attributeprofiles, and, in some cases, to set access control policies such as password strength and trusted networks from which connections are accepted.IAM (user access management) is a key control group for many compliance requirements (SOX, HIPIAA, PII etc). For both the customer and CSP, IAM integration considerations at the early stage of service design will help avoid costly retrofitsEnterprise IAM requirements include:• Provisioning of cloud service accounts to users, including administrators.• Provisioning of cloud services for service-to-service integration (e.g., private [internal]cloud integration with a public cloud).• SSO support for users based on federation standards (e.g., SAML supportSupport for internal- and regulatory-policy compliance requirements, includingsegregation of duties using RBAC, rules, or claims-based authentication methodology.RBAC features promote a least-privilege-based access model where a user is granted theright number of privileges required to perform the job. Claims-based methodology enablessome important privacy use cases because it allows for only the user’s entitlements, nother actual identity, to flow with messages, which allows for fine-grained authorizationwithout the requirement to actually embed the user’s identity into messages.• User activity monitoring, logging, and reporting dictated by internal policies andregulatory compliance, such as SOX, PCI, and HIPAA.You should strive for CSP to provide XACML-compliant entitlement management even if thishas not been implemented internally. In your own enterprise. XACML programs will be readily adopted.CSPs should communicate the account management policies including account lock-outs(after many login failures), account provisioning methods, and privilege accountmanagement roles.Enterprises need to have a strategy for employing risk-based IAM methodsincluding strong authentication, automated provisioning, deprovisioning, auditing, andmonitoring to address risks specific to a CSP.If IAM controls can only be provided by the CSP and they are determined to be inadequate for your determined risk and compliance requirements, then your applications and data containing this critical information has no business in the clouds.
• #48: Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
• #49: Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
• #50: Key Players – If you or your manager is not a strong “A” type player, find one or several who are. You can assume the position of a knowledge / strategy resource for this new front person(s). Get them up to date on the cloud technologies and current limitations. Corporate lawyers (Liability issues 201CMR17.0, PCI, HIPIAA), CIOs/CFOs for SOX certification liability and Model Audit Rule, business application owners for data loss. Negative PR liability.Organizations need to implement robust fundamental technologies internally . Especially in the area of IAM. “All clouds are not created equal,” so enterprises need to have a strategy for employing risk-based IAM methods, including strong authentication, automated provisioning, deprovisioning, auditing, and monitoring to address risks that are specific to a CSP.
• #51: Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
• #52: Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
• #53: Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
• #54: Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.
• #55: Organizations need to implement robust fundamental technologies In summary – with an understanding of what applications and data are going to the clouds, what are the responsibilities of the CSP and what will be the home enterprise responsibilities, You will be able to develop a comprehensive risk / reward analysis –We are being promised to be saving X amt of dollars taking application A and the xxxxx data to the cloud.IT Security / Audit and the application business managers have determined a likely business impact analysis of Y amount of lillikely business loss, and increase of Z times what we currently except. To reduce the likelihood of this much risk, the cloud security committee has determined A amount to be needed for enhanced cloud security controls within the current enterprise, as well as additional service charges of B amount per processing unit charged.Customers of cloud services should note that a multitenant service delivery model is usually designed with a “one size fits a l” operating principle, which means CSPs typically offer a standard SLA for all customers. Thus, CSPs may not be amenable to providing custom SLAs ifthe standard SLA does not meet your service-level requirements. However, if you are a medium or large enterprise with a sizable budget, a custom SLA may still be feasible.