Dr Giles Hogben - TERENA · How to procure a secure cloud service

Date post: 08-Jul-2020
Transcript
Page 1: Dr Giles Hogben - TERENA · How to procure a secure cloud service

www.enisa.europa.eu

How to procure a secure cloud service

Dr Giles Hogben, European Network and Information Security Agency

Page 2

Security in the cloud contracting lifecycle

• Can cloud meet your security requirements?
• Choose the provider that meets security requirements
• Set up the contract/SLA
• Fulfil your responsibilities for security
• Manage the contract

Page 3

[Chart: resources used/purchased against demand for infrastructure, 2010-2019, for traditional IT investment. Investment in infrastructure is made in steps, and the gap above demand is marked as wasted investment.]

Page 4

[Chart: the same axes for cloud IT investment, where resources used/purchased follow demand for infrastructure.]

Page 6

=> Shared resources

• Hardware, database, memory, etc. – like renting a hotel room or booking a seat on an aircraft.

Page 7

Implications for security

Page 8

=> Economies of scale and security

• All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc.)
• The same amount of investment in security buys better protection.
• Key question: is your current setup really better from a security standpoint?

Page 9

But….

Page 10

=> Very high value assets

• Most risks are not new, but they are amplified by resource concentration – the asset values are high.
  o Trustworthiness of insiders
  o Hypervisors – hypervisor-layer attacks on virtual machines are very attractive
  o More data in transit (without encryption?)
  o Management interfaces – big juicy targets

Page 11

=> Co-tenancy and isolation failure

o Like a hotel – you may be able to hear your neighbours if the walls are not well insulated
  – Storage (e.g. side channel attacks), see http://bit.ly/12h5Yh
  – Virtual machines
  – Entropy pools (http://bit.ly/41sIiN)
  – Resource use (e.g. bandwidth)

Page 12

=> Lock in

• Few tools, procedures or standard formats for data and service portability.

• Difficult to migrate from one provider to another (or take your data back home).

• You went into cloud to store massive amounts of data cheaply – keeping a copy at home defeats the object?

Page 13

=> Loss of governance

• The client cedes control to the provider
  – Security measures (crocodiles vs electric fences)
  – Limited information available about incidents
  – Outsourcing or sub-contracting of services to third parties (fourth parties?)

Page 14

Just encrypt your data in the cloud and you don’t have to worry about a thing?

Unfortunately not. General-purpose processing of encrypted data is not practical, so anything the cloud service has to process, rather than merely store, must be available to it in the clear.

Page 15

Legal and contractual risks

• Lack of compliance with the EU Data Protection Directive
  – Difficult for the customer (data controller) to check the security of the data handling practices of the provider
• Subpoena and e-discovery
• Risk allocation and limitation of liability
• Intellectual property

Page 16

Security in the cloud contracting lifecycle

Page 18

ENISA Cloud Assurance Framework

A minimum baseline for:
• Comparing cloud offers
• Assessing the risk of going cloud
• Includes legal and contractual considerations
(also to reduce the audit burden on cloud providers)

http://is.gd/pTIyit

Page 19

CSA Controls Matrix

• http://is.gd/8cGwwn

Page 20

Security in the cloud contracting lifecycle

Page 21

Contract hints

• Get a security expert to review the contract terms
• Check existing certifications (ISO, PCI, etc.)
• If you have enough bargaining muscle, get some security clauses into the contract/SLA – otherwise choose the contract which is most secure

Page 22

Contract hints

• Availability
  – Well-defined (reachability, response time, functional)
  – Defined over a shorter period (per week)
• Scalability (e.g. max number of instances available per customer per day)
• Time-to-provision
• Authentication levels (e.g. NIST levels)
• CSA/ENISA controls

Page 23

Security in the cloud contracting lifecycle

Page 24

Somebody else’s problem (SEP) syndrome

“Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon’s services”

Page 25

Amazon AWS ToS

o “YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA.”

o “You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.”

Page 26

Customer side of the bargain

• IaaS
  – Encrypt
    • At rest and in motion
  – Look after your keys and credentials
  – Identity management
  – Guest security platform
  – Compliance with data protection law
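The "encrypt at rest" and "look after your keys" points on this slide, and the "just encrypt your data" question on slide 14, can be made concrete. The following is an added example and not code from the ENISA deck: client-side envelope encryption in Go, where every object gets its own data key, the data key is wrapped under a key-encryption key that stays with the customer, and only the ciphertext and the wrapped key are handed to the provider. KEKFromSecret, the object label and the sample record are assumptions for the demonstration; in a real deployment the KEK lives in a key store the customer controls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the provider: the object encrypted under
// a per-object data key (DEK), plus that DEK wrapped under the customer's
// key-encryption key (KEK). Neither the KEK nor a plaintext DEK leaves the customer.
type Envelope struct {
	Label      string // object name, bound to both layers as associated data
	DataNonce  []byte
	Ciphertext []byte // AES-256-GCM(DEK, plaintext, aad=Label)
	DEKNonce   []byte
	WrappedDEK []byte // AES-256-GCM(KEK, DEK, aad=Label)
}

// KEKFromSecret derives a 256-bit KEK from a secret string. Hypothetical
// stand-in for a key held in a customer-controlled KMS or HSM.
func KEKFromSecret(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side before upload: a fresh DEK per object.
func Encrypt(kek []byte, label string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dn, ct, err := seal(dek, plaintext, []byte(label))
	if err != nil {
		return nil, err
	}
	kn, wdek, err := seal(kek, dek, []byte(label))
	if err != nil {
		return nil, err
	}
	return &Envelope{label, dn, ct, kn, wdek}, nil
}

// Decrypt runs on the customer side after download. It fails closed if the
// KEK is wrong or the envelope, including its label, has been altered.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.DEKNonce, env.WrappedDEK, []byte(env.Label))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	return open(dek, env.DataNonce, env.Ciphertext, []byte(env.Label))
}

// ProviderCanFind is all the provider can do with what it stores: byte-match the
// ciphertext. Plaintext terms are not found, which is the slide 14 point.
func ProviderCanFind(env *Envelope, needle string) bool {
	return bytes.Contains(env.Ciphertext, []byte(needle))
}

func main() {
	kek := KEKFromSecret("customer-held secret, never sent to the provider") // hypothetical
	record := []byte("name=Alice;iban=GB00TEST00000000000000")             // constructed sample
	env, err := Encrypt(kek, "backups/2011-05/customers.csv", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can search for 'Alice':", ProviderCanFind(env, "Alice"))
	_, err = Decrypt(KEKFromSecret("provider's guess"), env)
	fmt.Println("decrypt with wrong KEK:", err)
	pt, err := Decrypt(kek, env)
	fmt.Printf("customer decrypts: %q (err=%v)\n", pt, err)
}
```

Binding the object label as associated data means a stored envelope copied under another name no longer decrypts, so a provider-side mix-up or substitution is detected rather than silently accepted; the price, as slide 14 says, is that the provider can do nothing useful with the object, not even search it.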

Page 27

Customer side of the bargain: IaaS

• Design for failure
  – Redundant implementation
    • Geographical
• Performance and incident monitoring
• Decouple
  – Parallelise
  – Use distributed queues etc.
  – Use REST

Page 28

How SmugMug survived the Amazon outage

• Redundancy: multiple availability zones
• Design for failure – any instance can fail
• Design for the reliability of individual components – e.g. don’t use temporary storage methods for permanent storage
• Not completely cloud
• http://don.blogs.smugmug.com/2011/04/24/how-smugmug-survived-the-amazonpocalypse/

Page 30

Customer side of the bargain

• PaaS
  – Credential management
  – Encryption
  – System staging
  – Compliance with data protection law
• SaaS
  – Credential management
  – Encryption and key management for selected data
  – Compliance with data protection law

Page 31

Security in the cloud contracting lifecycle

Page 32

Monitoring and Enforcement

• Penalties
• SLRs – you need something to monitor
• => The service provider should ideally report
  – Availability
  – Incidents (reported within a defined time-frame)
  – Recovery time
  – Security metrics (e.g. intrusions blocked)

Page 33

Monitoring and Enforcement

• Testing
  – Availability (using probes and samples, for instance)
  – Penetration tests
  – Failover and backup tests
  – Data portability
  – Load testing
  – Unit tests
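The availability SLR from slide 22 (well-defined in terms of reachability, response time and function, and measured per week) and the probe-based availability testing on this slide can be put together in code. The following is an added example in Go and not part of the original deck: it evaluates constructed probe samples under two definitions of "available" (reachability only, versus reachable, fast and functionally correct) and over two windows (weekly and four-weekly). The probe schedule, the one-second latency threshold, the 0.99 target and the fault pattern are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Probe is one synthetic check of the service, the kind of sample the customer
// runs itself rather than relying on the provider's own dashboard.
type Probe struct {
	At        time.Time
	Reachable bool          // the service answered at all
	Latency   time.Duration // time to answer
	Correct   bool          // functionally right answer (e.g. expected checksum)
}

// Definition is the SLA's meaning of "available" for a single sample.
type Definition func(Probe) bool

// ReachableOnly is the weak definition: any answer counts.
func ReachableOnly(p Probe) bool { return p.Reachable }

// Functional requires reachability, response time and correctness together.
func Functional(maxLatency time.Duration) Definition {
	return func(p Probe) bool { return p.Reachable && p.Correct && p.Latency <= maxLatency }
}

// SLR is a service level requirement as it should be written into the SLA.
type SLR struct {
	Definition Definition
	Target     float64       // e.g. 0.99
	Window     time.Duration // e.g. one week
}

type WindowResult struct {
	Start        time.Time
	Availability float64
	Breached     bool
}

// Evaluate buckets probes into consecutive windows from start and reports the
// measured availability and whether the target was missed in each window.
func Evaluate(s SLR, start time.Time, probes []Probe) []WindowResult {
	type counts struct{ ok, total int }
	buckets := map[int]*counts{}
	last := 0
	for _, p := range probes {
		i := int(p.At.Sub(start) / s.Window)
		if i < 0 {
			continue
		}
		if buckets[i] == nil {
			buckets[i] = &counts{}
		}
		buckets[i].total++
		if s.Definition(p) {
			buckets[i].ok++
		}
		if i > last {
			last = i
		}
	}
	var out []WindowResult
	for i := 0; i <= last; i++ {
		if c := buckets[i]; c != nil {
			av := float64(c.ok) / float64(c.total)
			out = append(out, WindowResult{start.Add(time.Duration(i) * s.Window), av, av < s.Target})
		}
	}
	return out
}

// SampleProbes builds four weeks of constructed samples, one every ten minutes,
// with one bad morning in the second week: an hour down, then five hours
// answering slowly and with wrong results.
func SampleProbes(start time.Time) []Probe {
	var ps []Probe
	for i := 0; i < 28*144; i++ {
		p := Probe{At: start.Add(time.Duration(i) * 10 * time.Minute),
			Reachable: true, Latency: 200 * time.Millisecond, Correct: true}
		if day, slot := i/144, i%144; day == 9 {
			switch {
			case slot >= 12 && slot < 18: // 02:00-03:00 down
				p.Reachable = false
			case slot >= 18 && slot < 48: // 03:00-08:00 degraded
				p.Latency, p.Correct = 4*time.Second, false
			}
		}
		ps = append(ps, p)
	}
	return ps
}

func main() {
	start := time.Date(2011, 5, 2, 0, 0, 0, 0, time.UTC) // a Monday
	probes := SampleProbes(start)
	week := 7 * 24 * time.Hour
	slrs := []SLR{
		{ReachableOnly, 0.99, week},           // what a weak contract measures
		{Functional(time.Second), 0.99, week}, // what slide 22 asks for
		{Functional(time.Second), 0.99, 4 * week},
	}
	for n, s := range slrs {
		for _, r := range Evaluate(s, start, probes) {
			fmt.Printf("SLR %d window %s: %.4f breached=%v\n", n, r.Start.Format("2006-01-02"), r.Availability, r.Breached)
		}
	}
}
```

With the constructed samples, the bad morning drops functional availability for the second week to about 0.964 against the 0.99 target, while the reachability-only figure for the same week is about 0.994 and the four-weekly functional figure is about 0.991: both the weak definition and the long window hide a breach that the customer's own probes can see.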

Page 34

ENISA Deliverables and Ongoing Activities

• Cloud Computing: Benefits, Risks and Recommendations for Information Security (2009) http://is.gd/cem9H
• Assurance framework http://is.gd/cnp9V0 (2009)
• Gov-Cloud security and resilience analysis http://is.gd/0m4Pfi (2010)

Page 35

Giles Hogben (giles.hogben@enisa.europa.eu)

Secure applications and services, ENISA
https://www.enisa.europa.eu/act/application-security

Questions?