Data Security in the Cloud
Chris Richter, CISSP, CISM, VP Security Services, Savvis
Brian Contos, CISSP, Chief Security Strategist, Imperva
Agenda
1. Background
2. Data Security: Threatscape Evolution; Data: The New-new Target; The Industrialization of Hacking
3. The Cloud: a Primer
4. Eight Steps to Securing Data in the Cloud
5. Q&A
Savvis Background
• Headquartered in St. Louis, Missouri
• FY 2009 Revenue of $874 million
• 28 Data Centers extending reach to US, Europe and Asia
• Tier 1 Internet backbone, ranked #4 globally (more than 20% of the IP traffic traverses our network)*
• 1.4 million square feet of raised floor space
• ~2,200 Employees
• ~2,500 unique Global Enterprise and Government Agencies
*Source: Renesys Blog, http://www.renesys.com/blog/2009/12/a‐bakers‐dozen‐in‐2009.shtml, December 31, 2009
Savvis Background
• Savvis has more than 2,500 unique customers worldwide including:
– 30 of Fortune’s top 100 companies
– 9 of Fortune’s top 15 commercial banks (including all 5 of the top 5)
– 9 of Fortune’s top 20 telecommunications firms
– 7 of Fortune’s top 10 software companies
– 8 of Fortune’s top 14 securities firms
Who is Imperva?
• A Data Security Company
• Founded in 2002 by Check Point Founder
• Headquartered in Redwood Shores CA
• Growing in R&D, Support, Sales/Channel, & PS
• Installed in 50+ Countries
• 5,000+ direct and cloud‐protected customers
– 3 of the top 5 US banks
– 3 of the top 5 Telecoms
– 3 of the top 5 specialty retailers
– 2 of the top 5 food & drug stores
Imperva Solutions
Assessment and monitoring, real‐time protection and automated compliance reporting across: web application security, enterprise application security, database security, database auditing, database vulnerability assessment, PCI compliance and data risk management.
Threatscape Evolution Circa 1805
Threatscape Evolution Late 1960s and Early 1970s
Threatscape Evolution 1988
Threatscape Evolution 2001‐2003
Threatscape Evolution Recent Activity
Threatscape Evolution: Solution Delivery Has Changed
• Local resources, local management
• Local resources, remote management
• Remote resources, local management
• Remote resources, remote management
• Hybrid
Information Digitization
Information Sharing
The Good: changes in how we work, communicate and live
The Bad: cyber attacks
The Ugly: we are not prepared
“With great power comes great responsibility.” Stan Lee (Spider‐Man)
• Easier access to multiple targets for attackers
• A successful attack can bring down an entire service and can impact many
• Risks around financially motivated attacks are amplified, i.e. extort many instead of few
• More: digitization, access, utility, locations, value, complexity
The Industrialization of Hacking: Lay of the Land
The Industrialization of Hacking: Maturity
Hacking is a profitable industry: roles, optimization, automation
The Industrialization of Hacking: Competition
The Industrialization of Hacking: Enhanced ROI
Goods, services, eGold; size, duration, task updates, support; templates, kits
Industrialized Attack Mitigation: Automated Attacks
• Non‐browser, non‐human activity is detected (automation)
• Humans and bots are separated
• Human impact: minimal; bot impact: failure
Industrialized Attack Mitigation: Adaptive Reputation‐based Defense
• Global information feeds
• Feeds are translated into security policies for adaptive defense
• Responses: block, redirect, multi‐factor authentication, challenge‐response (CAPTCHA)
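The two slides above describe one control loop: separate automated clients from humans, and translate a reputation feed into per‐source actions. The following is an added example written for this page, not code from the deck or from either vendor's products. The feed entries, the browser‐header heuristics, the rate threshold and the action names are all constructed assumptions; a production engine would replace each with richer signals.

```python
"""Added example (not from the Savvis/Imperva deck): a minimal policy engine
that separates non-browser / non-human traffic from human traffic and
translates a reputation feed into per-source actions.

All inputs are constructed: feed entries, header heuristics, thresholds and
action names are assumptions, not any vendor's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed reputation feed: source address -> list of (category, score).
# Documentation-range addresses only; a real feed is fetched and refreshed.
REPUTATION_FEED = {
    "198.51.100.7": [("known_scanner", 90)],
    "203.0.113.9": [("tor_exit", 60)],
    "192.0.2.44": [("anonymous_proxy", 40)],
}

# "Feeds are translated into security policies": a source's highest score
# selects the first action whose threshold it meets.
POLICY = [(80, "block"), (55, "captcha"), (35, "mfa")]

# Headers a real browser sends on a page request (constructed sample).
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-US,en;q=0.5",
}


@dataclass
class Request:
    src: str       # client address
    path: str
    headers: dict
    ts: float      # seconds, monotonic within the sample


def browser_like(headers):
    """Cheap automation check: scanners and download scripts usually omit the
    Accept / Accept-Language pair and use a non-Mozilla User-Agent."""
    ua = headers.get("User-Agent", "")
    return ua.startswith("Mozilla/") and "Accept" in headers and "Accept-Language" in headers


class AdaptiveDefense:
    def __init__(self, feed=REPUTATION_FEED, policy=POLICY, rate_window=10.0, rate_limit=20):
        self.feed = feed
        self.policy = policy
        self.rate_window = rate_window    # seconds
        self.rate_limit = rate_limit      # requests per window a human could plausibly make
        self.history = defaultdict(list)  # src -> recent request timestamps

    def reputation_action(self, src):
        """Map a source's worst feed score to a policy action, or None if unlisted."""
        score = max((s for _, s in self.feed.get(src, [])), default=0)
        for threshold, action in self.policy:
            if score >= threshold:
                return action
        return None

    def is_automated(self, req):
        """Non-browser headers, or a request rate no human produces, mark automation."""
        if not browser_like(req.headers):
            return True
        recent = [t for t in self.history[req.src] if req.ts - t <= self.rate_window]
        recent.append(req.ts)
        self.history[req.src] = recent
        return len(recent) > self.rate_limit

    def decide(self, req):
        """Reputation first (cheap, global), then behavioural checks.
        Humans get "allow"; bots get a challenge they cannot solve."""
        action = self.reputation_action(req.src)
        if action is not None:
            return action
        return "captcha" if self.is_automated(req) else "allow"


def run_sample():
    """Drive the engine with constructed traffic; return the decision per case."""
    d = AdaptiveDefense()
    script_headers = {"User-Agent": "python-requests/2.25.1"}
    results = {
        "human": d.decide(Request("10.0.0.5", "/", BROWSER_HEADERS, 1.0)),
        "script": d.decide(Request("10.0.0.6", "/", script_headers, 1.0)),
        "scanner": d.decide(Request("198.51.100.7", "/admin", script_headers, 1.0)),
        "tor": d.decide(Request("203.0.113.9", "/", BROWSER_HEADERS, 1.0)),
        "proxy": d.decide(Request("192.0.2.44", "/", BROWSER_HEADERS, 1.0)),
    }
    # A browser-like client firing 25 requests in five seconds: the first 20
    # pass, the remaining 5 trip the rate check.
    results["burst"] = [d.decide(Request("10.0.0.7", "/search", BROWSER_HEADERS, 1.0 + i * 0.2))
                        for i in range(25)]
    return results


if __name__ == "__main__":
    for case, decision in run_sample().items():
        print(f"{case:8s} -> {decision}")
```

The ordering matters: the reputation lookup is a dictionary hit and runs on every request, while the behavioural check keeps per‐source state and is only reached for sources the feed does not already condemn. Feed scores are deliberately mapped to graduated responses (block, CAPTCHA, MFA) rather than a single deny, which is what lets a borderline source such as an anonymous proxy keep working for a legitimate human.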
Industrialized Attack Mitigation: Virtual Patching Part I
• Ideally
– Custom code is immediately fixed by programmers and the application is redeployed
– Patches for 3rd‐party components are immediately installed
– Fixes can be applied anywhere at any time (no freeze period)
– There are never business operations that get in the way of security; the business case is always clear
• The above is of course a very romantic and unrealistic view of application development
Industrialized Attack Mitigation: Virtual Patching Part II
Vulnerability information in (SQL injection, XSS, directory traversal); security controls out: in‐line protection placed in front of the application blocks SQL injection, directory traversal and XSS attempts against the known‐vulnerable entry points until the code itself is fixed.
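A virtual patch is narrower than a generic WAF signature: it binds a detection pattern to the exact path and parameter a scanner flagged, and it is retired once the real fix ships. The following is an added example written for this page, not code from the deck or any vendor product. The findings, patterns, paths and request URLs are constructed; the decoding and matching are far simpler than a real in‐line control.

```python
"""Added example (not from the Savvis/Imperva deck): turning scanner findings
("vulnerability information in") into narrow in-line rules ("security
controls out") that block exploitation of one parameter until the code is fixed.

Findings, patterns, paths and requests are all constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed scanner output: one finding per vulnerable (path, parameter).
FINDINGS = [
    {"path": "/item", "param": "id", "type": "sqli"},
    {"path": "/search", "param": "q", "type": "xss"},
    {"path": "/download", "param": "file", "type": "traversal"},
]

# Detection patterns per vulnerability class. They are applied only to the
# flagged parameter, which keeps false positives far below a global signature.
PATTERNS = {
    "sqli": re.compile(r"""['"]\s*(or|and|union|--|;|#)|\bunion\s+select\b|\bsleep\s*\(""", re.I),
    "xss": re.compile(r"<\s*/?\s*(script|img|svg|iframe|body)\b|javascript:|\bon\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e", re.I),
}


def compile_rules(findings):
    """Translate findings into (path, param, pattern, type) rules."""
    return [(f["path"], f["param"], PATTERNS[f["type"]], f["type"]) for f in findings]


def retire_rule(rules, path, param):
    """Drop a virtual patch once the real code fix has been deployed."""
    return [r for r in rules if not (r[0] == path and r[1] == param)]


def inspect(rules, url):
    """Return (allowed, reason) for a request URL.

    parse_qs already URL-decodes once; decoding a second time catches
    double-encoded payloads (e.g. %252e%252e%252f) aimed at the decoder gap."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for path, param, pattern, vtype in rules:
        if parts.path != path:
            continue
        for value in qs.get(param, []):
            if pattern.search(unquote(value)):
                return False, f"virtual patch: {vtype} attempt in '{param}' on {path}"
    return True, "pass"


def run_sample():
    """Constructed traffic before and after the /item fix is deployed."""
    rules = compile_rules(FINDINGS)
    before = {url: inspect(rules, url)[0] for url in [
        "/item?id=42",
        "/item?id=42'%20OR%20'1'='1",
        "/search?q=cloud+security",
        "/search?q=<script>alert(1)</script>",
        "/download?file=report.pdf",
        "/download?file=..%2F..%2Fetc%2Fpasswd",
        "/download?file=%252e%252e%252fetc%252fpasswd",
        # No finding covers /profile, so nothing protects it: a virtual patch
        # is only as complete as the vulnerability information fed into it.
        "/profile?id=1'%20OR%201=1",
    ]}
    # Developers ship the real fix for /item; the virtual patch is retired and
    # the same payload now reaches the (fixed) application.
    fixed = retire_rule(rules, "/item", "id")
    after = inspect(fixed, "/item?id=42'%20OR%20'1'='1")[0]
    return before, after


if __name__ == "__main__":
    before, after = run_sample()
    for url, ok in before.items():
        print("ALLOW " if ok else "BLOCK ", url)
    print("after fix, /item payload allowed:", after)
```

Two caveats follow directly from the code. First, the `/profile` request passes: a virtual patch closes known holes, so the scanner or code review that feeds it has to run continuously. Second, `retire_rule` is as important as `compile_rules`; a virtual patch that is never retired becomes an undocumented dependency, and the team loses the pressure to fix the underlying code.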
Five Cloud Value Points for Data Security
1. Reputation done better
2. Virtual patching done better
3. Data‐centric and network‐centric controls unified
4. Rapid and exacting response procedures
5. Talent: data security + network security expertise
“Be Careful Up There!”
The Fear of Cloud Computing:
• “Privacy, security issues darken cloud computing plans.” – IDG
• “It is a security nightmare and it can't be handled in traditional ways.” – John Chambers, CEO, Cisco
• “Analysts warn that the cloud is becoming particularly attractive to cyber crooks.” – ComputerWeekly
• “Corporate use of cloud services slowed by concerns about data security, reliability.” – Computerworld
Security Tops Cloud Concerns
Source: IDC eXchange, New IDC IT Cloud Services Survey: Top Benefits and Challenges, (http://blogs.idc.com/ie/?p=730) December 2009
Q: Rate the challenges/issues of the ‘cloud’/on‐demand model (scale: 1 = not at all concerned; 5 = very concerned; % responding 3, 4 or 5), in rank order:
• Security: 87.5%
• Availability: 83.3%
• Performance: 82.9%
• On‐demand payment model may cost more: 81.0%
• Lack of interoperability standards: 80.2%
• Bringing back in‐house may be difficult: 79.8%
• Hard to integrate with in‐house IT: 76.8%
• Not enough ability to customize: 76.0%
What is the Biggest Barrier to Adoption of Cloud Services?
497 responses
Cost/benefit unclear (23.69%)
Unknown management headaches (21.89%)
Lack of security (17.07%)
Lack of reliability (6.03%)
No standard way to switch providers (6.43%)
Limited reference cases (6.02%)
Disruption to IT org chart/politics (4.22%)
Other (13.85%)
Source: Tech Target: Cloud Computing Readership Survey, 2009
Not All Clouds Are The Same
Multiple models. Multiple vendors. Multiple policies.
• Each cloud provider takes a different approach to security
• No official security industry‐standard has been ratified
• Some cloud providers do not allow vulnerability scanning
• Some cloud providers are not forthcoming about their
security architectures and policies
• Compliance auditors are wary of the cloud, and are
awaiting guidelines on audit testing procedures
What the Industry is Doing
Several initiatives are underwayCloud Security Alliance• A non‐profit organization formed to promote the use of standardized practices for
providing security assurance within cloud computing
Center for Internet Security• A non‐profit enterprise whose mission is to help organizations reduce risk resulting from
inadequate technical security controls
PCI Security Standards Council• Has created a special interest group (SIG) to help shape requirements for
virtual‐
and cloud‐based cardholder‐data environments
NIST• The National Institute of Standards and Technology has created a new team to determine
the best way to provide security for agencies that want to adopt
cloud computing.
VMware• Has issued guidelines for secure VM configurations and hardening.
Cloud Architectures and Models
Essential characteristics: on‐demand self‐service, broad network access, resource pooling, rapid elasticity, measured service
Architectures (service models): Software‐as‐a‐Service (SaaS), Platform‐as‐a‐Service (PaaS), Infrastructure‐as‐a‐Service (IaaS)
Deployment models: public, private, hybrid, community
Challenges In Bridging Security Requirements to the Cloud
Traditional IT:
• Dedicated compute, storage & network infrastructure
• Defined locations for data storage & backup
• Proprietary security controls & policies
• Compliance standards designed for traditional IT
Cloud Computing:
• Complex, shared deployment models
• Data location varies
• Security controls & policies defined by the service provider
• Compliance standards must be interpreted
An Eight‐Step Journey To A Secure Cloud
1. Contemplate your application’s suitability for the cloud
Candidate applications (which belong in the cloud?): corporate systems, e‐commerce, test & development, ERP, CRM, payment processing, company web site
Data they handle: marketing, financial, government, newsfeeds/blogs, EU citizens, customer records, healthcare/PHI
An Eight‐Step Journey To A Secure Cloud
2. Classify your data
An Eight‐Step Journey To A Secure Cloud
3. Determine cloud type (think about applications): Software‐as‐a‐Service (SaaS), Platform‐as‐a‐Service (PaaS), Infrastructure‐as‐a‐Service (IaaS)
An Eight‐Step Journey To A Secure Cloud
4. Select a delivery model (think about data classification)
• Private: self‐managed or outsourced
• Public: commodity or enterprise
• Hybrid: private + public, private + exchange, private + customer, cloud bursting
An Eight‐Step Journey To A Secure Cloud
5. Specify platform architecture
[Diagram: a Cloud OS layer (e.g. IaaS) providing compute, security, network and storage, with cloud automation above it and customer applications running in virtual private data centers (VPDCs). Decision points: storage & backup; network & routing; virtualization vs. dedicated; data center Ethernet fabric; API/system call; system device drivers.]
An Eight‐Step Journey To A Secure Cloud
6. Specify security controls
• Firewall
• Intrusion detection/prevention
• Log management
• Application protection
• Database protection
• Identity & access management
• Encryption
• Vulnerability scanning
An Eight‐Step Journey To A Secure Cloud
7. Determine policy requirements
• Policy creation and enforcement: What are my service provider’s policies? Can I specify my own? How do they handle critical events?
• Policy “bursting”: If I choose a cloud‐bursting model, will my policies “burst” along with my VMs?
• Policy migration: If I contract for cloud‐based DR, will my policies migrate with my VMs?
An Eight‐Step Journey To A Secure Cloud
8. Determine service provider requirements
Automation, delivery‐model integration, scalability, monitoring, SLAs, services, security controls, stability, terms, compliance
Compliance & Outsourced Cloud‐Computing
• Will a “compliant service provider” make me compliant?
• What will most auditors look for?
• How does making the move to a hosted cloud‐computing environment change the way audits will occur?
Journey to The Cloud: Key Considerations
1. Understand your application’s applicability to the cloud
2. Classify data
3. Determine type of cloud
4. Select delivery model
5. Specify platform architecture
6. Specify security controls
7. Determine policy requirements
8. Determine service provider requirements
Reference Sites
www.cloudsecurityalliance.org
www.cloudsecurity.org
www.cisecurity.org
csrc.nist.gov/groups/SNS/cloud‐computing/
www.vmware.com/pdf/vi3_security_hardening_wp.pdf
www.dmtf.org/about/cloud‐incubator
More Information on Savvis
www.savvis.net
www.savvis.net/cloudcompute
blog.savvis.net
More Information on Imperva
Imperva.com
Questions & Answers