#RSAC
Moshe Ferber
Balancing Innovation and Security: Cloud Adoption at Governments
Session PGR-R02
Chairman, Cloud Security Alliance, Israel | @Ferbermoshe
#RSAC
Moshe Ferber
✓ Information security professional for over 20 years
✓ Founder, partner and investor at various initiatives and startups
✓ Popular industry speaker & lecturer (DEFCON, BlackHat, Infosec and more)
✓ Top contributor to the ISC2 CCSP and CSA CCSK certifications
✓ CCSK Certification lecturer for the Cloud Security Alliance
✓ Member of the board at Macshava Tova – Narrowing societal gaps
✓ Chairman of the Board, Cloud Security Alliance, Israeli Chapter
#RSAC
Our journey begins…
Government decision #2097 (2014)
“Promoting innovation at the public sector by appointing the ICT Authority to define the government cloud computing strategy”
http://www.pmo.gov.il/Secretary/GovDecisions/2014/Pages/dec2097.aspx
#RSAC
Government as regulator
• Critical Infrastructure
• Financial Sector
• Health Services
• Military & HLS
#RSAC
Government as regulator
Government as promotor
Should government promote cloud computing (in the private sector)?
Or let the forces of the free market decide…
Increase resilience
• Most important for small and medium businesses
Increase innovation
• Datacenters are like roads and public transportation.
#RSAC
Government as provider
Government cloud strategy (2015)
“Enhance information technology in the government by promoting central cloud infrastructure for government offices”
https://govshare.gov.il/he/node/1624
Private cloud
• Focused on IaaS/PaaS
• Operated by the ICT Authority
• Tender in process
Public cloud
• SaaS, but also IaaS/PaaS
• Supplementary to the private cloud
• Responsibility of the government offices
#RSAC
Government as consumer
Government public cloud policy (01.2016)
“Define which workloads could move to a public cloud environment and the process to ensure responsible adoption”
The topic for today's discussion
#RSAC
The challenges
Just like any other organization…
Loss of control
Loss of availability
Loss of visibility and flexibility
#RSAC
Unique challenges
No tier 1 providers with a local datacenter
Reputational considerations weigh heavily
The ability to conduct low-level forensics on events is crucial
Tender laws limit the ability to control the identity of the provider
Needed to move fast, before the horses were gone…
#RSAC
Step 2: Learn from others
Interesting concepts out there:
Thank you ENISA for this: Security Framework for Governmental Clouds
https://www.enisa.europa.eu/publications/security-framework-for-govenmental-clouds
Estonia: Using data embassies
UK: building services catalog
USA: pre-authorizing providers
#RSAC
Important concepts
Chances for a hack are the same on or off the cloud
Risk management of cloud migration is the responsibility of the office
The cloud adoption committee will recommend, not decide
A whitelist of providers exists, but each ministry can evaluate new providers
Not going to reinvent the wheel; rely on others
#RSAC
Step 3: Workloads that can migrate to public cloud
Apps with data exposed to the public
Test/Dev environments (masked / anonymized data)
High performance / short life span applications
Tenders / calculators
Government symbols
Critical applications
Sensitive or classified information
#RSAC
Step 4: ICT guidelines
To help the different ministries evaluate the risk and create controls, the committee created:
Threat framework to address
• Our version of the CSA Notorious Nine
• Thank you CSA
Controls mitigation
• A checklist for evaluating the controls
• Our own mix & match
• Thank you NIST, ENISA, ISO & more
Providers requirements
• Minimal requirements (certification, location of data centers)
• Used to create standard for authorized providers
#RSAC
Step 5: Process for cloud migration
Examine
• App adheres to criteria for migration to cloud
Map
• Data types & classification
• Interfaces
• Users
• Laws, regulations
Evaluate
• Risks to the application
• Relevant providers
Create
• Cloud migration strategy
• List of controls based on shared responsibility model
#RSAC
The ICT role in the process
Manage the pool of authorized vendors
Lead the public cloud committee
Provide continuous knowledge on threats and controls
Perform periodic audits on cloud deployments
#RSAC
Insights
And these are our challenges:
Gain the expertise for building secure applications
Evaluate our providers correctly
Very hard to provide best practices
[Figure: the SPI stack, SaaS / PaaS / IaaS]
#RSAC
Insights
But you cannot build a cloud policy based on the SPI model:
The borders are overlapping
[Figure: overlapping IaaS, PaaS and SaaS]
#RSAC
Insights
Setting mandatory requirements is important!
(e.g., ISO27K mandatory for all providers)
But it does not always make sense!
Sometimes you want to maintain flexibility
#RSAC
Insights
Controlling your own encryption keys is important.
But, very challenging in most scenarios!
And hackers don’t really care who stores the keys
#RSAC
Insights
Compensating controls work best in cloud computing
Invest more in backups, audits and reviews!
Luckily, most providers are getting better at supporting this
#RSAC
Insights
And sometimes the best compensating control is:
To be able to pack your data and leave!
Take care of lock-in risks
#RSAC
To wrap this up
Governments have various roles in cloud computing
Make sure to balance the need for innovation with the global risks