SlideShare a Scribd company logo
Building Enterprise Security in Hybrid Cloud


Lenin Aboagye - Principal Security Architect, Apollo Group
Kartik Trivedi – Co-Founder, Symosis
The Road Ahead…

The power of Cloud          However, Security
Computing                    remains roadblock
The Power of Cloud
 Rapid business agility       However , security remains
                            Data loss prevention &
Computing                      the roadblock
                             protection
 Reduced costs
• Business Agility            • Data loss
 Cost efficiencies
• Heightened Innovation     Authentication, Authorization
                               • Authentication,
• Enhanced Innovation        & Audit
                                 Authorization and Audit
 Improved IT Services
• Improved IT services      Security governance
                               • Information governance
                              • Data control
                            Data Profiling
                            Compliance




                                                             2
Implementation on Cloud ?

  Monitoring &      Infrastructure
                                           Identity &
  Operational         Protection
                                             Access
     Risk              Services
                                          Management
  Management




 Threats &                                   Compliance,
Vulnerability                                Governance
Management                                     and Risk




         Info Sec
                                     Data Lifecycle
       Management
                                     Management

                                                           3
Cloud Security Reference Architecture




                                    4
Responsibility Model

                                      SaaS             PaaS              IaaS
Compliance & Auditing                   X                X                X
Governance/Risk Mgmt.                   X                X                X
Legal and Electronics Discovery         X                X                X
Operations Security                     X                X                -X
Incident Management                     X                X
Application Security                    X               -X
Encryption & Key Management             X               -X
Identity & Access Management            -X              -X
Virtualization Security                                                   X
DR/BCP                                                                    X

       Legend :
       X: Provider Responsibility   -X: Provider partially responsible
                                                                                5
Achieving Effective Shared Responsibility Model




     Cloud            Cloud
    Provider         Tenant

      Cloud          Cloud
     Auditor         Broker


                                              6
Identity & Access Management
Identity & Access Management
 How do you securely maintain and govern identities in cloud
    ― Identity provisioning/de-provisioning into cloud should be tied to internal
     identity management systems
    ―All access requests for cloud goes through centralized internal
     service. {cloud is only seen as an extension of internal
     environment}
    ―Federated Provisioning /de-provisioning for Cloud apps
    ―No direct access to cloud provider interface for access requests
    ―Policy management ( authz, role and compliance)
    ―Tenant applications utilize SSO Federation into SaaS application
    ―Maintain single system to manage user identity lifecycle for IaaS,
     PaaS and SaaS
    ―Apply location-based and data context rules to ensure that user-
     access can be properly controlled



                                                                              7
Data Loss Prevention

Data Loss Prevention
 How can you protect profile the data you have in the cloud,
  data you send to the cloud and securely protect the data
  based on classification and data protection policies ?
    ―Discover and classify data before you ship it into cloud
    ―Apply policies and preventative controls based on
     organization policies and data classification
    ―Understand data flow profiles between public and private
     clouds , data flow profiles between public cloud and
     internet
    ―Deploy host-based DLP tools as agents on public cloud
     VMs
    ―*Use tools with geo-tagging capabilities to ensure data
     location can always be tracked
    ―Apply Egress & Ingress filtering for cloud data
    ―Ensure sensitive data does not leak from private cloud to
     public cloud


                                                                 8
Web and Application Security

Web and Application Security
 How can you secure your applications in the cloud ?
    ―Security Development practices need to be extended to
     cloud
    ―Build applications in to account for common cloud models
        ―E.g Abstract encryption of data to application level as opposed to
         Infra/DB levels
        ―Utilize service automation to address performance and scalability of
         app. security tools
    ―Embed source code analysis as part of CI(Continuous
     Integration) process{code scanned when checked in}
    ―Apply Web Application/ XML firewalls to mitigate web
     application and web services security threats
    ―Apply Web Filtering
    ―Ensure that security tests are run under the permission of
     cloud service provider

                                                                              9
Databases Protection
Databases
 How can you secure data in cloud databases ?
    ― Secure databases and encrypt all sensitive/regulated data
    ―Consolidate all sensitive data into central table and schema
     to simplify encryption , auditing and monitoring of sensitive
     data. {Applications access databases through a common web
     service}
    ―Deploy Database Security Activity Monitoring on host
     systems to monitor for malicious database activities and
     attacks as well as abstract auditing and logging functions
    ― Utilize networking segmentation controls and integrated
     IAM to deal with access management concerns with NOSQL
     databases
    ―Avoid Database services that do not meet your security
     needs
    ―Data encrypted at rest in databases need to be encrypted as
     well as backups/snapshots



                                                                     10
SIEM

SIEM
 How can you monitor, detect and respond to attacks to
  your cloud systems ?
   ―Push/forward logs from
    Application/Middleware/Database/Network/Infrastructure
    tiers into the SIEM
   ―Ensure SIEM is configured to handle multi-tenancy for SaaS
    tenants
   ―Apply App-level & System/Device level tagging to segregate
    feeds and properly apply incidence response
   ―All Cloud logs should be accessible, needs to be in easy to
    convert format and be integrated into Enterprise SIEM
   ―Incident response capabilities should involve the ability to
    quarantine affected instances , move them into private cloud
    while new instances are spurn up to avoid service
    interruption

                                                               11
Encryption & Key Management
Encryption & Key Management
 With data being moved in and out of the cloud, how do you
  encrypt data at rest and in transit ?
    ―Encrypt any sensitive data in cloud in: Databases, VMs,
     Virtual Storage, Communications data, VPN and Application
     data
    ―Apply application-level if possible to abstract encryption
     from servers and databases
    ―Backup encryption keys in the private cloud
    ―Do not store keys of cloud instances, abstract to a secure
     third party service and retrieve keys only if and when needed
    ―Implement key rotation and replacement
    ―Tokenize public cloud data and perform key management in
     private cloud
    ―Encrypt sensitive data both in transit, processing, and at rest
    ―Avoid performance overheads by encrypting only sensitive
     data


                                                                 12
Patch Management

Patch Management
 How do you ensure your applications and systems are
  patched and up to date in the cloud ?
   ―Perform vulnerability scanning of
    OS/Appserver/Database/Application
   ―Utilize Cloud provider auto-patching services for OS
   ―Update certified images and deploy during patch cycles
   ―Ensure patching is embedded in all full-stack deployments
   ―If using third party/vendor images, have a mechanism via
    repositories to be provided with updated images{always
    deploy latest images}
   ―Monthly cloud scanning to resolve security issues



                                                               13
Legal & E-discovery

Legal & E-discovery
 If data breaches occur in cloud, how can you perform
  forensics and e-discovery in your cloud environment?
   ―Install Forensic software agents so that remote E-discovery
    can be performed
   ―Quarantine affected instances and ship images to private
    cloud for further investigation
   ―Partner with Cloud Provider for forensic and legal request
    of this nature
   ―Ensure there is no limitations to an organizations ability to
    perform such functions during contract negotiations with
    cloud provider



                                                                14
Vulnerability Management & Assessment
      Vulnerability Management & Assessment
       How can you perform vulnerability management in an
        effective manner in the cloud ?
         ―Get Cloud provider approval prior to running such
          assessments and ensure that limitations are
          understood
         ―Check with cloud provider if there are other
          contracted service providers who can provide such
          limited functions for your organization(e.g penetration
          testing, Hypervisor testing)
         ―Perform Assessment of
          Application/Infrastructure/Database/Network/Infrastru
          cture
         ―Integrate and run vulnerability assessment tools from
          cloud environment to limit bandwidth costs
         ―Ensure remediation scans after vulnerabilities are
          resolved

                                                              15
Intrusion Detection/Prevention

Intrusion Detection/Prevention
 How can you monitor, detect and prevent intrusions in
  your cloud environment ?
   ―Deploy host-based IDS/IPS
   ―Install software NIDS using soft-taps in cloud
   ―Automatically detect and remediate policy violations
   ―Scale appropriately to account for increase demand
   ―Ensure all feeds flow into SIEM




                                                           16
Network Security

Network Security
 How can your network be configured to prevent malicious
  attacks and unauthorized attackers ?
   ―Deploy Web Gateways to monitor and inspect traffic for
    any malware or malicious attacks
   ―Utilize NIDS
   ―Create and maintain Security groups to restrict network
    access
   ―Restrict Subnets and apply proper Network ACL’s
   ―Use VPN from private cloud to public cloud so that all
    Network firewalls, NIDS could simply be run from private
    cloud. This way public cloud can be turned into a secure
    extension of private cloud
   ―Configure iptables to provide extra security to virtual
    instances


                                                               17
Conclusion/Lessons Learned


 Know and understand your data before you move to the cloud
 Cloud has unique challenges that still need to be addressed
 Cloud can be a riskier extension of your environment if you don’t
  understand what you are doing
 No two clouds are the same due to lack of standardized
  approaches and vendor tie-ins
 Utilize tools with geo-tagging and location-based capabilities when
  securing data
 Ensure you drive strong security SLAs during contract time
 Long term strategic partnerships, research, customization and
  continuous adaption are the key to meet security standards and to
  protect with evolving security threats in cloud

                                                                        18
Thank you & References:

Lenin Aboagye / Kartik Trivedi

Referenced Material:
“SecaaS Working Group: Defined Categories of Service 2011”
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
“AWS Best Practices: AWS Security Best Practices”
http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.
pdf
“NIST guideline for security and privacy in cloud”
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
“Cloud Security Alliance: Security Guidance, TCI Reference Architecture, Cloud
Controls Matrix”
https://cloudsecurityalliance.org/

                                                                                 19

More Related Content

PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
PPTX
Cloud Security for U.S. Military Agencies
PPTX
Managing Cloud Security Risks in Your Organization
PDF
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
PPTX
Cloud security (domain11 14)
PPTX
Where to Store the Cloud Encryption Keys - InterOp 2012
PPT
Infrastructure Security by Sivamurthy Hiremath
PDF
secureit-cloudsecurity-151130141528-lva1-app6892.pdf
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Cloud Security for U.S. Military Agencies
Managing Cloud Security Risks in Your Organization
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Cloud security (domain11 14)
Where to Store the Cloud Encryption Keys - InterOp 2012
Infrastructure Security by Sivamurthy Hiremath
secureit-cloudsecurity-151130141528-lva1-app6892.pdf

What's hot (20)

PDF
The Cloud Crossover
PDF
Cloud Security - Made simple
PDF
Cloud Computing Risk Management (IIA Webinar)
PPTX
security and compliance in the cloud
PDF
2022 Q1 Webinar Securite du Cloud public (1).pdf
PDF
Cloud Security Governance
PDF
Cloud summit demystifying cloud security
PPTX
Microsoft Platform Security Briefing
PPTX
Best Data Center Physical Security using Cloud-Based AI Devices: Gain Total N...
PDF
Mindtree distributed agile journey and guiding principles
PDF
Cloud Security - Security Aspects of Cloud Computing
PDF
Building a Security Architecture
PPTX
Cloud Access Security Brokers - CASB
PDF
Cloud Security & Cloud Encryption Explained
PPTX
(ISC)2 CCSP - Certified Cloud Security Professional
PPTX
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
PPTX
Security concerns with SaaS layer of cloud computing
PPTX
ProtectV - Data Security for the Cloud
PDF
White Paper: Protecting Your Cloud
PDF
SAP Security
The Cloud Crossover
Cloud Security - Made simple
Cloud Computing Risk Management (IIA Webinar)
security and compliance in the cloud
2022 Q1 Webinar Securite du Cloud public (1).pdf
Cloud Security Governance
Cloud summit demystifying cloud security
Microsoft Platform Security Briefing
Best Data Center Physical Security using Cloud-Based AI Devices: Gain Total N...
Mindtree distributed agile journey and guiding principles
Cloud Security - Security Aspects of Cloud Computing
Building a Security Architecture
Cloud Access Security Brokers - CASB
Cloud Security & Cloud Encryption Explained
(ISC)2 CCSP - Certified Cloud Security Professional
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Security concerns with SaaS layer of cloud computing
ProtectV - Data Security for the Cloud
White Paper: Protecting Your Cloud
SAP Security
Ad

Similar to Enterprise Security in Cloud (20)

PDF
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
PPTX
Lss implementing cyber security in the cloud, and from the cloud-feb14
PDF
Symantec Best Practices for Cloud Security: Insights from the Front Lines
PDF
Securing Your Cloud Applications
PDF
Cloud Security: Perception Vs. Reality
PDF
null Bangalore meet - Cloud Computing and Security
PDF
Cloud Security: What you need to know about IBM SmartCloud Security
PDF
Cloud Security Checklist and Planning Guide Summary
PDF
The Share Responsibility Model of Cloud Computing - ILTA NYC
PPTX
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
PPTX
Rik Ferguson
PPTX
Chap 6 cloud security
PPTX
Safe Net: Cloud Security Solutions
PPTX
talk6securingcloudamarprusty-191030091632.pptx
PPTX
Practical Security for the Cloud
PDF
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
PDF
Get ahead of cloud network security trends and practices in 2020
PPTX
Cloud Security_ Unit 4
PPTX
KEC CCS 362 KEC CCS 362 KEC CCS 362 KEC CCS 362
PDF
Key Features of Advanced Cloud Security Services.pdf
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Lss implementing cyber security in the cloud, and from the cloud-feb14
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Securing Your Cloud Applications
Cloud Security: Perception Vs. Reality
null Bangalore meet - Cloud Computing and Security
Cloud Security: What you need to know about IBM SmartCloud Security
Cloud Security Checklist and Planning Guide Summary
The Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
Rik Ferguson
Chap 6 cloud security
Safe Net: Cloud Security Solutions
talk6securingcloudamarprusty-191030091632.pptx
Practical Security for the Cloud
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Get ahead of cloud network security trends and practices in 2020
Cloud Security_ Unit 4
KEC CCS 362 KEC CCS 362 KEC CCS 362 KEC CCS 362
Key Features of Advanced Cloud Security Services.pdf
Ad

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PPT
Teaching material agriculture food technology
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DOCX
The AUB Centre for AI in Media Proposal.docx
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Empathic Computing: Creating Shared Understanding
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF
Spectral efficient network and resource selection model in 5G networks
Electronic commerce courselecture one. Pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Teaching material agriculture food technology
Reach Out and Touch Someone: Haptics and Empathic Computing
20250228 LYD VKU AI Blended-Learning.pptx
The AUB Centre for AI in Media Proposal.docx
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Per capita expenditure prediction using model stacking based on satellite ima...
“AI and Expert System Decision Support & Business Intelligence Systems”
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
Review of recent advances in non-invasive hemoglobin estimation
Empathic Computing: Creating Shared Understanding
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
NewMind AI Weekly Chronicles - August'25 Week I
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Spectral efficient network and resource selection model in 5G networks

Enterprise Security in Cloud

  • 1. Building Enterprise Security in Hybrid Cloud Lenin Aboagye - Principal Security Architect, Apollo Group Kartik Trivedi – Co-Founder, Symosis
  • 2. The Road Ahead… The power of Cloud  However, Security Computing remains roadblock The Power of Cloud  Rapid business agility However , security remains  Data loss prevention & Computing the roadblock protection  Reduced costs • Business Agility • Data loss  Cost efficiencies • Heightened Innovation  Authentication, Authorization • Authentication, • Enhanced Innovation & Audit Authorization and Audit  Improved IT Services • Improved IT services  Security governance • Information governance • Data control  Data Profiling  Compliance 2
  • 3. Implementation on Cloud ? Monitoring & Infrastructure Identity & Operational Protection Access Risk Services Management Management Threats & Compliance, Vulnerability Governance Management and Risk Info Sec Data Lifecycle Management Management 3
  • 4. Cloud Security Reference Architecture 4
  • 5. Responsibility Model SaaS PaaS IaaS Compliance & Auditing X X X Governance/Risk Mgmt. X X X Legal and Electronics Discovery X X X Operations Security X X -X Incident Management X X Application Security X -X Encryption & Key Management X -X Identity & Access Management -X -X Virtualization Security X DR/BCP X Legend : X: Provider Responsibility -X: Provider partially responsible 5
  • 6. Achieving Effective Shared Responsibility Model Cloud Cloud Provider Tenant Cloud Cloud Auditor Broker 6
  • 7. Identity & Access Management Identity & Access Management  How do you securely maintain and govern identities in cloud ― Identity provisioning/de-provisioning into cloud should be tied to internal identity management systems ―All access requests for cloud goes through centralized internal service. {cloud is only seen as an extension of internal environment} ―Federated Provisioning /de-provisioning for Cloud apps ―No direct access to cloud provider interface for access requests ―Policy management ( authz, role and compliance) ―Tenant applications utilize SSO Federation into SaaS application ―Maintain single system to manage user identity lifecycle for IaaS, PaaS and SaaS ―Apply location-based and data context rules to ensure that user- access can be properly controlled 7
  • 8. Data Loss Prevention Data Loss Prevention  How can you protect profile the data you have in the cloud, data you send to the cloud and securely protect the data based on classification and data protection policies ? ―Discover and classify data before you ship it into cloud ―Apply policies and preventative controls based on organization policies and data classification ―Understand data flow profiles between public and private clouds , data flow profiles between public cloud and internet ―Deploy host-based DLP tools as agents on public cloud VMs ―*Use tools with geo-tagging capabilities to ensure data location can always be tracked ―Apply Egress & Ingress filtering for cloud data ―Ensure sensitive data does not leak from private cloud to public cloud 8
  • 9. Web and Application Security Web and Application Security  How can you secure your applications in the cloud ? ―Security Development practices need to be extended to cloud ―Build applications in to account for common cloud models ―E.g Abstract encryption of data to application level as opposed to Infra/DB levels ―Utilize service automation to address performance and scalability of app. security tools ―Embed source code analysis as part of CI(Continuous Integration) process{code scanned when checked in} ―Apply Web Application/ XML firewalls to mitigate web application and web services security threats ―Apply Web Filtering ―Ensure that security tests are run under the permission of cloud service provider 9
  • 10. Databases Protection Databases  How can you secure data in cloud databases ? ― Secure databases and encrypt all sensitive/regulated data ―Consolidate all sensitive data into central table and schema to simplify encryption , auditing and monitoring of sensitive data. {Applications access databases through a common web service} ―Deploy Database Security Activity Monitoring on host systems to monitor for malicious database activities and attacks as well as abstract auditing and logging functions ― Utilize networking segmentation controls and integrated IAM to deal with access management concerns with NOSQL databases ―Avoid Database services that do not meet your security needs ―Data encrypted at rest in databases need to be encrypted as well as backups/snapshots 10
  • 11. SIEM SIEM  How can you monitor, detect and respond to attacks to your cloud systems ? ―Push/forward logs from Application/Middleware/Database/Network/Infrastructure tiers into the SIEM ―Ensure SIEM is configured to handle multi-tenancy for SaaS tenants ―Apply App-level & System/Device level tagging to segregate feeds and properly apply incidence response ―All Cloud logs should be accessible, needs to be in easy to convert format and be integrated into Enterprise SIEM ―Incident response capabilities should involve the ability to quarantine affected instances , move them into private cloud while new instances are spurn up to avoid service interruption 11
  • 12. Encryption & Key Management Encryption & Key Management  With data being moved in and out of the cloud, how do you encrypt data at rest and in transit ? ―Encrypt any sensitive data in cloud in: Databases, VMs, Virtual Storage, Communications data, VPN and Application data ―Apply application-level if possible to abstract encryption from servers and databases ―Backup encryption keys in the private cloud ―Do not store keys of cloud instances, abstract to a secure third party service and retrieve keys only if and when needed ―Implement key rotation and replacement ―Tokenize public cloud data and perform key management in private cloud ―Encrypt sensitive data both in transit, processing, and at rest ―Avoid performance overheads by encrypting only sensitive data 12
  • 13. Patch Management Patch Management  How do you ensure your applications and systems are patched and up to date in the cloud ? ―Perform vulnerability scanning of OS/Appserver/Database/Application ―Utilize Cloud provider auto-patching services for OS ―Update certified images and deploy during patch cycles ―Ensure patching is embedded in all full-stack deployments ―If using third party/vendor images, have a mechanism via repositories to be provided with updated images{always deploy latest images} ―Monthly cloud scanning to resolve security issues 13
  • 14. Legal & E-discovery Legal & E-discovery  If data breaches occur in cloud, how can you perform forensics and e-discovery in your cloud environment? ―Install Forensic software agents so that remote E-discovery can be performed ―Quarantine affected instances and ship images to private cloud for further investigation ―Partner with Cloud Provider for forensic and legal request of this nature ―Ensure there is no limitations to an organizations ability to perform such functions during contract negotiations with cloud provider 14
  • 15. Vulnerability Management & Assessment Vulnerability Management & Assessment  How can you perform vulnerability management in an effective manner in the cloud ? ―Get Cloud provider approval prior to running such assessments and ensure that limitations are understood ―Check with cloud provider if there are other contracted service providers who can provide such limited functions for your organization(e.g penetration testing, Hypervisor testing) ―Perform Assessment of Application/Infrastructure/Database/Network/Infrastru cture ―Integrate and run vulnerability assessment tools from cloud environment to limit bandwidth costs ―Ensure remediation scans after vulnerabilities are resolved 15
  • 16. Intrusion Detection/Prevention Intrusion Detection/Prevention  How can you monitor, detect and prevent intrusions in your cloud environment ? ―Deploy host-based IDS/IPS ―Install software NIDS using soft-taps in cloud ―Automatically detect and remediate policy violations ―Scale appropriately to account for increase demand ―Ensure all feeds flow into SIEM 16
  • 17. Network Security Network Security  How can your network be configured to prevent malicious attacks and unauthorized attackers ? ―Deploy Web Gateways to monitor and inspect traffic for any malware or malicious attacks ―Utilize NIDS ―Create and maintain Security groups to restrict network access ―Restrict Subnets and apply proper Network ACL’s ―Use VPN from private cloud to public cloud so that all Network firewalls, NIDS could simply be run from private cloud. This way public cloud can be turned into a secure extension of private cloud ―Configure iptables to provide extra security to virtual instances 17
  • 18. Conclusion/Lessons Learned  Know and understand your data before you move to the cloud  Cloud has unique challenges that still need to be addressed  Cloud can be a riskier extension of your environment if you don’t understand what you are doing  No two clouds are the same due to lack of standardized approaches and vendor tie-ins  Utilize tools with geo-tagging and location-based capabilities when securing data  Ensure you drive strong security SLAs during contract time  Long term strategic partnerships, research, customization and continuous adaption are the key to meet security standards and to protect with evolving security threats in cloud 18
  • 19. Thank you & References: Lenin Aboagye / Kartik Trivedi Referenced Material: “SecaaS Working Group: Defined Categories of Service 2011” https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf “AWS Best Practices: AWS Security Best Practices” http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010. pdf “NIST guideline for security and privacy in cloud” http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494 “Cloud Security Alliance: Security Guidance, TCI Reference Architecture, Cloud Controls Matrix” https://cloudsecurityalliance.org/ 19

Editor's Notes

  • #7: To achieve effective shared responsibility model , separation and teaming of various duties are critical  Cloud Provider Role Infrastructure and Cloud service providerResponsibilities Access and identity management for infrastructureAuthentication servicesMonitoring servicesInfrastructure protection servicesData management and backup services   Cloud Broker RoleProvides software and integration services through applications hosted on cloud ResponsibilitiesProvide the following services to Tenant Customize access and identity management Authentication and Authorization services for tenant users Information security management Compliance and risk managementData protection, leakage prevention and governance Infrastructure protection services Threats and Vulnerabilities management  Tenant RoleConsumer of services offered by Cloud broker and integrates with in-house applications. ResponsibilitiesPolicies and Standards implementation set by Cloud brokerOperational Risk Management Complliance , Governance and Risk management for Services integrated with Cloud broker