Cloud Security Pain Points And How To Overcome Them

Cloud Security Pain Points And How To Overcome Them

Eric Lundquist Vice-President, Editorial William Malik President, Malik Consulting

Cloud Security Pain Points And How To Overcome Them

Interactivity Tips
-Ask a question -Download PDF copy of slides -Visit show floor/booths/chat areas

Cloud Security Pain Points And How To Overcome Them

Security Today
The whitelist, blacklist, non-spoofed, non-spam, encrypted, secure, authenticated solution 1. whitelist, just let your friends into the club 2. blacklist, keep your enemies at bay 3. non-spoofed, URL who you trust 4. non-spam, prevent overload 5. encrypted, no fear messaging 6. secure, no fear computing 7. authenticated, Whom do you trust?

Cloud Security Pain Points And How To Overcome Them

Cloud Computing Today

1. Private, semi-private and public cloud mashup 2. Resources on demand 3. Not more or less secure than traditional computing 4. Security is not built in, but layered on 5. Mobile, IPv6, New business apps

Cloud Security Pain Points And How To Overcome Them

Security Meets The Cloud

1. Security by design not happenstance 2. Security as a service 3. Encryption as a service 4. Authentication as a service (the social service) 5. Protect your assets with rings of security

Cloud Security Pain Points And How To Overcome Them

Cloud information security

Coping with risk, reaping reward

Cloud Security Pain Points And How To Overcome Them

History of Computing Security

Acceptable level of security

Mainframe

PC

LAN

Internet

Open Source

Java

Cloud

NBT

Cloud Security Pain Points And How To Overcome Them

How is Cloud Different?

Internet-delivered Capacity on demand Pay-as-you-go Profoundly different economic model:
Monetize excess capacity

Nobody knows how to audit cloud, yet

Cloud Security Pain Points And How To Overcome Them

Unique Issues in Cloud Security

No border No foundation No secure kernel No persistence or repeatability beyond generic delivery

Cloud Security Pain Points And How To Overcome Them

Public Cloud
Provided by an external, third party Typically many other users Minimal guarantees of availability, QoS BYO Storage, DR, and Security

Cloud Security Pain Points And How To Overcome Them

Private Cloud
When your enterprise creates its own cloud Typically much more customized Built within your enterprise baseline security Deliver enterprise SLA/QoS Charged back as other IT

Cloud Security Pain Points And How To Overcome Them

Hybrid Cloud
Private Cloud augmented with Public cloud Cloudbursting for sudden increases in demand Transient to short-term Is Increase Real or Just a Blip? Economic alternative to capacity planning (perhaps)

Cloud Security Pain Points And How To Overcome Them

The Answer:
ISO 7498-2
Who are you? (Identification and Authentication) What can you do? (Access control, Authorization) Keep secrets secret (Data Confidentiality) Keep data correct (Data Integrity) Know your correspondent (Non-repudiation)

(1989)

Cloud Security Pain Points And How To Overcome Them

Identification and Authentication

In the words of Peter Townsend: Who are you? Need varying levels of confidence in ID/Auth Something you know, something you have, something you are
Or, something you forgot, something you lost, and something you once were

Cloud Security Pain Points And How To Overcome Them

Access Control
What can you do? Role-based only works in broad terms
No successful comprehensive RBAC solutions MIT: 14,000 people, 35,000 roles, average user had eight roles DuPont: 20,000 employees, defined roles for about half, reached 45,000 roles, quit GM: IDM Leader at Catalyst Number of roles approaches number of individuals

Cloud Security Pain Points And How To Overcome Them

Data Confidentiality
How much encryption is enough?
Avoid cost/benefit analysis Very large estimate * very small likelihood = Undefined result (Numerical analysis)

If the value of the data exceeds the cost of obtaining it, the data is not secure.

Cloud Security Pain Points And How To Overcome Them

Data Integrity
Note that once you have encrypted the information, you have protected its integrity Data integrity without encryption the checksum on a download
Is this install safe? Has it been altered?

Cloud Security Pain Points And How To Overcome Them

Non-Repudiation
A concept from law, not from information security Can we prove either
A) Are you the author of this message? B) Did you receive this message?

Achieved by public key cryptography

Cloud Security Pain Points And How To Overcome Them

Clueful Solutions
PKI, SSH, SSL Kerberos (how to authenticate when the network is not trusted?) Sentinel (good-looking but fake data) Code and Other Laws of Cyberspace (Lessig)
Law, Economics, Social Pressure, Architecture

Cloud Security Pain Points And How To Overcome Them

Next Steps
Audit Your Environment (Use ISO 7498-2) Think Like a Crook Expose Security Presumptions Principle of Least Privilege Avoid Role-Based Security Avoid Risk Quantification

Cloud Security Pain Points And How To Overcome Them

Todays Agenda
2:00-2:30 ET eWEEK Labs Workshop 2: Identity Management in the Cloud 3:00-3:45 ET Industry Roundtable: Preparing For the Application Adoption Revolution Be sure to visit our sponsor spaces and network in our lounge area