Scribd Logo
Carica

Benvenuto in Scribd!

  • Track 3 Session 5 Security Report Out

    Caricato da

    Kay Doh
    21 visualizzazioni10 pagine
    Cloud Security Report Out 4 subgroups. Focus on low hanging fruit may prevent us from getting where we need to be. Can highly sensitive data and applications be supported in cloud processing? cloud data centers appear to be physically well guarded.

    Descrizione originale:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Cloud Security Report Out 4 subgroups. Focus on low hanging fruit may prevent us from getting where we need to be. Can highly sensitive data and applications be supported in cloud processing? cloud data centers appear to be physically well guarded.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    21 visualizzazioni10 pagine

    Track 3 Session 5 Security Report Out

    Caricato da

    Kay Doh
    Cloud Security Report Out 4 subgroups. Focus on low hanging fruit may prevent us from getting where we need to be. Can highly sensitive data and applications be supported in cloud processing? cloud data centers appear to be physically well guarded.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 10

    Cloud Security Report Out

    4 subgroups

    Visibility Isolation vs Network Exposures Loss of Customer


    Concerns Cost and Dependence Control

    Ron Knode

    (and everyone in track 3)

    Information Technology Laboratory NIST


    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    General
    • We need to include attack modeling in our
    system descriptions.
    • Operational monitoring/checking is important as
    well as static evaluations.
    • A focus on low hanging fruit only may prevent us
    from getting where we need to be: principled
    protection of data, security
    engineered/evaluated systems.
    • Can highly sensitive data and applications be
    supported in cloud processing?
    • Cloud data centers appear to be physically well
    guarded.
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Visibility Concerns

    • Visibility objective is verifiable transparency


    – Is whatever is claimed be happening really happening
    ... and nothing else
    • What are the elements of information that need
    to be made “visible” (i.e., “transparent)
    – technical (e.g., configuration, architecture, ...)
    – operational
    – others ??
    – are there “families” or “templates” of such items
    • What granularity and timeliness needed
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Visibility (continued)
    • What’s the relationship between the elements
    needed for visibility/transparency and control
    frameworks (e.g., FISMA, SAS70, ...)
    • How do we benchmark the initial status of
    elements we care about?
    • Is there any difference in the needs for
    transparency (visibility) between
    – IaaS, PaaS, SaaS
    – public, private, community, hybrid
    • What is the linkage between
    transparency/visibility and contract terms and
    SLA’s?
    • Enforcement mechanisms
    Information Technology Laboratory

    Computer Security Division


    on visibility?
    cloudcomputing@nist.gov
    NIST
    National Institute of
    Standards and Technology
    Isolation vs Cost

    • We are back to the future


    – Utility computing model, time sharing
    • True segmentation is pseudo-science
    • However low and moderate systems are the
    target of evaluation
    • Subversion is not truly mitigatable in a cloud
    – too man unknowns
    • Risk acceptance versus cost, not isolation
    versus cost
    • SLAs are critical for cloud service
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Isolation versus Cost

    It comes down to “trying” the low hanging fruit and


    seeing what the realities are for security
    Last consideration was the idea of evaluating the
    implementation of the cloud itself, not just the
    “software, platform, or Infrastructure”. The
    “cloud control system” must be A&A (deep
    technical analysis, ongoing visibility, etc)

    Information Technology Laboratory NIST


    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Network Exposures and Dependencies
    • Border has changed from perimeter to requiring
    internal protection
    – Cloud systems amplify this issue
    • Adversaries: Need to model the adversaries and
    include internal and external threats
    • Operational: Logic behind the network.
    – Exposing configuration of network to tenants
    • Greater dependency on network resiliance
    – Cloud systems by design rely on networked
    resources
    • Security Controls: Need to be closer to the data
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Network Exposures and Dependencies

    • Legacy System Access


    – User access protected by two factor authentication,
    – but legacy system access interfaces single factor
    • Benefits
    – Centralized patch administration
    – SAAS configured by vendor to be secure and protect
    against misconfigurations causing vulnerablities

    Information Technology Laboratory NIST


    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Loss of Customer Control
    • New consumer security oblgiations
    – e.g., need for a change in Data Labelling/marking
    • privileged access to the data
    • access by foreign nationals
    • ensure data deletion is real
    • if you encrypt, then the keys should be in the
    customers control
    • the key generation process shoudl be driven by
    some trusted third party
    • how to ensrue compliance of regulated data
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology
    Loss of Customer Control

    • does the service provider support muti-tenant


    audit logging
    • vulnerability of other tenants data or applications
    • doing dynamic real-time continuous monitoring
    • data location
    • malicious insiders from service providers
    • need for legal and acquisition partners in writing
    SLAs
    • capability of doing data segmentation
    Information Technology Laboratory NIST
    Computer Security Division
    cloudcomputing@nist.gov National Institute of
    Standards and Technology

    Potrebbero piacerti anche