Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM

Hector Del Castillo
AIPMM
linkd.in/hdelcastillo

What We Will Discuss
1. What is cloud security
2. Current situation
3. Dimensions of cloud security
4. Security risks
5. Critical areas
6. Approaches to reduce risk
7. Key takeaways

What is Cloud Security?
• An evolving sub-domain of computer security
• A broad set of policies, technologies, and
controls deployed to protect data,
applications, and the associated infrastructure
of cloud computing
• Should not be confused with ‘cloud-based’
security software offerings
• Many commercial software vendors have
cloud-based offerings such as anti-virus or
vulnerability management

Current Situation
• Analysts estimate that cloud computing
adoption will continue to rapidly increase
• A single, massive cloud data center contains
more computers than were on the entire
internet just a few years ago
• Security experts agree that the number of
attacks and their level of sophistication will
continue to grow

Source: NIST Special Publication 800-144, Jan 2011

Service Models
Software Platform Infrastructure
Deployment Models

as a Service as a Service as a Service
(SaaS) (PaaS) (IaaS)
Private X X
Hybrid X X X
Public X X X
Community X X X

Source: NIST Special Publication 800-144, Jan 2011

“Cloud Services
market to grow to
$42B by 2012.”
- IDC

Source: ZDNet Blogs

Cloud Security Reference Model

Source: Cloud Security Alliance

Dimensions of Cloud Security
• Security and Privacy
– Data protection
– Identity management
– Physical and personnel security
– Availability
– Application security
– Privacy

Source: "Cloud Security Front and Center,” Forrester Research, 2009.

• Compliance
– Business continuity and data recovery
– Logs and audit trails
– Unique compliance requirements


• Legal or Contractual Issues
– Public records


Security Risks
1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data segregation
5. Recovery
6. Investigative support
7. Long-term viability
Source: “Assessing the Security Risks of Cloud Computing,” Gartner, 2008.

Critical Areas
• Cloud Architecture
– Cloud Computing Architectural Framework

Source: "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.

Critical Areas
• Governing in the Cloud
– Governance and Enterprise Risk Management
– Legal and Electronic Discovery
– Compliance and Audit
– Information Lifecycle Management
– Portability and Interoperability


Critical Areas
• Operating in the Cloud
– Traditional Security, Business Continuity, and Disaster
Recovery
– Data Center Operations
– Incident Response, Notification, and Remediation
– Application Security
– Encryption and Key Management
– Identity and Access Management
– Virtualization

Recommendations
 Trust (4)
 Transnational Data Flows (4)
 Transparency (2)
 Transformation (4)

Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

Approaches to Reduce Risk
Trust
1. (Security & Assurance Frameworks): Industry
and government should support and participate
in the development and implementation of
international, standardized frameworks for
securing, assessing, certifying and accrediting
cloud solutions.


Trust
2. (Identity Management): Should accelerate the
development of a private sector-led identity
management ecosystem as envisioned by the
National Strategy for Trusted Identities in
Cyberspace (NSTIC) to facilitate the adoption of
strong authentication technologies and enable
users to gain secure access to cloud services and
websites.

Trust
3. (Responses to Data Breaches): Government
should enact a national data breach law to
clarify breach notification responsibilities and
commitments of companies to their customers,
and also update and strengthen criminal laws
against those who attack computer systems and
networks, including cloud computing services.

Trust
4. (Research): Government, industry, and
academia should develop and execute a joint
cloud computing research agenda.


Transnational Data Flows
5. (Privacy): The U.S. government and industry
should promote a comprehensive,
technology-neutral privacy framework,
consistent with commonly accepted privacy
and data protection principles-based
frameworks such as the OECD principles
and/or APEC privacy frameworks.

6. (Government/Law Enforcement Access to
Data): The U.S. government should
demonstrate leadership in identifying and
implementing mechanisms for lawful access
by law enforcement or government to data
stored in the cloud.


7. (E-Discovery and Forensics): Government
and industry should enable effective
practices for collecting information from the
cloud to meet forensic or e-discovery needs
in ways that fully support legal due process
while minimizing impact on cloud provider
operations.

8. (Lead by Example): The U.S. government
should demonstrate its willingness to trust
cloud computing environments in other
countries for appropriate government
workloads.


Transparency
9. (Transparency): Industry should publicly
disclose information about relevant
operational aspects of their cloud services,
including portability, interoperability,
security, certifications, performance and
reliability.


Transparency
10. (Data Portability): Cloud providers should
enable portability of user data through
documents, tools, and support for agreed-
upon industry standards and best practices.


Transformation
11. (Federal Acquisition and Budgeting):
Agencies should demonstrate flexibility in
adapting existing procurement models to
facilitate acquisition of cloud services and
solutions. Congress and OMB should
demonstrate flexibility in changing budget
models to help agencies acquire cloud
services and solutions.

Transformation
12. (Incentives): Government should establish
policies and processes for providing fiscal
incentives, rewards and support for agencies
as they take steps towards implementing
cloud deployments.


Transformation
13. (Improve Infrastructure): Government and
industry should embrace the modernization
of broadband infrastructure and the current
move to IPv6 to improve the bandwidth and
reliable connectivity necessary for the
growth of cloud services.


Transformation
14. (Education/Training): Government, industry,
and academia should develop and
disseminate resources for major stakeholder
communities to be educated on the
technical, business, and policy issues around
acquisition, deployment and operation of
cloud services.

Key Takeaways
1 • Cloud security continues to evolve

• Security issues are global and impact providers
2 and customers
• Cloud security requires action for government,
3 industry and academia
• Data owner must implement traditional layered
4 security approach
• Data owner must segregate data from
5 application

Recommended AFCOM Sessions
1. "DCM18: Securing the Virtualized Environment,”
Robert Klotz, Akibia, 2011.
2. "DCP10: How Social Media and the Cloud Impact
Data Center Security,” James Danburg, SA2, 2011.
3. "Cloud07: Managing the Transition Cloud,” Brent
Eubanks, Latisys, 2011.
4. "Cloud04: The Ins and Outs of Virtual Private
Clouds,” Sundar Raghavan, Skytap, 2011.

Recommended Reading
1. “Assessing the Security Risks of Cloud Computing,”
Gartner, 3 June 2008.
2. "Cloud Security Front and Center,” Forrester Research,
18 Nov 2009.
3. "Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1,” Cloud Security Alliance, 2009.
4. “Guidelines on Security and Privacy in Public Cloud
Computing, NIST Special Publication 800-144, Jan 2011.
5. “Summary Report of the Commission on the Leadership
Opportunity in U.S. Deployment of the Cloud,”
TechAmerica Foundation, July 2011.

Join My Professional Network!

Hector Del Castillo, PMP, CPM, CPMM
linkd.in/hdelcastillo
hmdelcastillo@aipmm.com

Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM

More Related Content

What's hot (20)

Similar to Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM (20)

More from Hector Del Castillo, CPM, CPMM (20)

Recently uploaded (20)

Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM