Securing the Cloud: Masterclass 2

Uploaded by basheddock (category: Software & software development)

21 Feb 2014 (3 years and 5 months ago)

Securing the Cloud: Masterclass 2

Lee Newcombe (lee.newcombe@capgemini.com)
Infrastructure Services
April 2013


Copyright © Capgemini 2012. All Rights Reserved

Managing Security in the Cloud 2

Agenda

- Introduction
- The Future Cloud?
- The Perfect Storm: BYOD, Social Media, Big Data, Cloud
- Service Management -> Service Orchestration?
- Identity in the Cloud
- Conclusions



The Future Cloud

- Public Cloud Providers likely to continue to be subject to rapid amalgamation
  - Terremark bought by Verizon
  - Savvis bought by CenturyLink
  - Heroku bought by Salesforce.com
  - Nimbula bought by Oracle
- Amalgamation will lead to a smaller set of major public cloud providers
  - Smaller players will exist to serve niche markets (e.g. HMG)
- Big Outsourcing firms will continue to offer “enterprise” cloud services
  - Likely to continue to struggle to justify premiums over the likes of AWS




The Future Cloud (continued)

- Interoperability will remain problematic
  - Niche vendors will continue to exist to enable cross-cloud operations
  - Rising importance of service brokers and SIAM capabilities
- “Cloud First” attitude will become standard
  - Not just in Government
- Compromises will occur. The sky will fall… but the cloud paradigm will survive.


Evolving Compliance Requirements

The DPA requires the data controller to have a written contract … requiring that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.”

Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance.


Evolving Compliance Requirements (continued)

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.

Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients.


Assurance: new Standards

- SAS70 -> SSAE16
  - Requires details of the “system”, not just the controls
  - Requires a written statement of assertion


Cloud Security Alliance OCF

https://cloudsecurityalliance.org/research/ocf/



Evolving Security: AWS Changes

Release: Amazon EC2 on 2013-03-11
http://aws.amazon.com/releasenotes/4286407650196705



The Perfect Storm: BYOD

- Bring Your Own Disaster Device (BYOD)
- BYOD or CYOD?
- Business-driven desire for mobile working
- End point protection
  - Entry point to your trusted domain
  - Holds your data
  - Duress?
- Data Protection
  - Better in the cloud?
  - Encrypted on device?
  - Remote wipe? Of my device?!
- Mobile Device Management



The Perfect Storm: Social Media

- Twitter, LinkedIn, Facebook, Google+, etc: the “Consumer Cloud”
- Reputation Management
  - Damaging Tweets by employees
  - Damaging comments from customers
  - Hacked accounts: Burger King, BBC…
- Personal vs Business. Identity in the cloud?
  - More later
- Data exfiltration
  - Are you monitoring the data your users send via these channels?



The Perfect Storm: Big Data

- How Big is Big?
- NoSQL?
- Pseudonymisation…
- Anonymisation…
  - Fine so long as you know nothing about your target
  - Fine so long as compute resource remains expensive and exclusive
- CSA Big Data Top Ten: https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Big_Data_Top_Ten_v1.pdf


Big Data (continued)

- Where is the data coming from?
  - Trust?
  - Validation?
- Where are you going to put it?
  - NoSQL vs RDBMS?
  - Cloud or on-premise?
- How are you going to control access to it?
- Compliance
  - How much anonymisation is enough?
  - ICO anonymisation code of practice: http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx
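As an added example, not from the slides, the “how much anonymisation is enough?” question turned into a check you can run on an extract: after pseudonymising the user id with a keyed hash, measure k-anonymity over the remaining quasi-identifiers and run a motivated-intruder check of the kind the ICO anonymisation code describes, before and after generalising the data. The extract, salt and choice of quasi-identifier columns are constructed for illustration.

```python
from collections import Counter
from hashlib import sha256

# Constructed sample extract (not real data): user id, postcode district, age, sex, activity.
SALT = b"constructed-salt"
RAW = [
    ("alice", "SW1A", 34, "F", "uploaded 3 files"),
    ("bob",   "SW1A", 38, "M", "uploaded 1 file"),
    ("carol", "SW1B", 36, "F", "downloaded 12 files"),
    ("dave",  "SW1B", 31, "M", "uploaded 0 files"),
    ("erin",  "SW1A", 29, "F", "downloaded 2 files"),
    ("frank", "SW1B", 27, "F", "downloaded 5 files"),
]
QI = (1, 2, 3)  # columns that act as quasi-identifiers: district, age, sex


def pseudonymise(rows):
    """Replace the direct identifier with a keyed hash; quasi-identifiers are untouched."""
    return [(sha256(SALT + uid.encode()).hexdigest()[:12], *rest) for uid, *rest in rows]


def generalise(rows):
    """Coarsen quasi-identifiers: district -> postcode area, exact age -> 10-year band."""
    return [(pid, dist[:2], f"{age // 10 * 10}s", sex, act) for pid, dist, age, sex, act in rows]


def k_anonymity(rows):
    """k = size of the smallest group of records sharing identical quasi-identifiers."""
    groups = Counter(tuple(row[i] for i in QI) for row in rows)
    return min(groups.values())


def singled_out(rows, known):
    """Motivated-intruder check: records matching what an intruder already knows
    about a target (district, age, sex). A single hit links the hashed record,
    and its activity column, back to a named person."""
    return [row for row in rows if tuple(row[i] for i in QI) == known]


if __name__ == "__main__":
    pseud = pseudonymise(RAW)
    print("k after pseudonymisation only:", k_anonymity(pseud))  # 1
    print("hits for a target known to be SW1A/34/F:", len(singled_out(pseud, ("SW1A", 34, "F"))))  # 1
    gen = generalise(pseud)
    print("k after generalisation:", k_anonymity(gen))  # 2
    print("hits for the same target after generalisation:", len(singled_out(gen, ("SW", "30s", "F"))))  # 2
```

Hashing the identifier alone leaves every record unique on its quasi-identifiers (k = 1), so anyone who knows a target's district, age and sex recovers their row; generalising the columns is what raises k.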


The Perfect Storm: Cloud

Cloud is the ANSWER!

But what was the question?


Putting it all together…

- Big Data
  - Social Media usage
  - Research and Development
  - Modelling
  - Device and Data usage (SIEM)
- Stored and processed in the cloud
  - NoSQL. Not much security either
- Accessed from users’ personal devices

Anybody see any security issues here?


Putting it all together… to fix it

- Mobile Device Management
- DRM?
- Big Data security… see CSA paper
- Anonymisation
- Security Architecture











Service Integration and Management (SIAM)

- Systems Integrators: management of infrastructure, owned or client assets
- Service Integrators: service consolidation; opportunity to leverage service desk and management assets
- “Service Broker”: enabler of Cloud propositions; aggregation and orchestration of many cloud-based services

Layers: Service Orchestration, Service Aggregation, Service Integration, Service Management


SIAM and Security

- Sits across the top of the cloud services
- Responsible for ensuring consistent service levels to the customer across their cloud services
  - Harmonisation/orchestration of disparate SLAs
- But also a good place to incorporate a central set of security capabilities:
  - Security Monitoring
  - Identity and Access Management
  - Certificate Authority
  - Service Monitoring and Management
  - Security Management
  - Consistent content filtering?
  - Consistent network access controls?
- Potentially a cloud service itself




Identity in the Cloud

Digital Identity: “a set of claims made by one digital subject about itself or another digital subject.”

- Kim Cameron’s Laws of Identity: http://www.identityblog.com/?p=354
- Jericho Forum Identity Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf

Physical entities can have more than one persona…

- Employee
- Husband
- Father
- Elven Wizard
- Citizen
- Customer
- Shadowy criminal mastermind



Identity in the Cloud (continued)

- Identities are necessary to:
  - Establish relationships
    - Especially commercial relationships
    - But also citizen and HMG interactions
- It is not necessary for EVERY relationship I have to know EVERYTHING about all of my identities
- Identity Providers
  - More like Persona Providers. But IdP is the standard term…
- Attribute Providers
  - Is my driving licence valid?
  - Is my CLAS membership valid?
  - Am I really tall, dark, handsome and incredibly wealthy?
- You also need to trust your Attribute Providers.


Federated Identity Management


Cabinet Office Citizen Identity Assurance Model

“Our preferred solution suggests the use of ‘hubs’ (technical intersections) which allow identities to be authenticated by contracted private sector organisations without an individual’s data being centrally stored or privacy being breached by unnecessary data and details of the user being openly ‘shared’ with either transacting party.”


Federated Identity Management

- Better for your organisation
  - Establish a single identity repository and federate out across your cloud services
  - Manage identity and provisioning in one place
  - Easier to plug’n’play cloud services through identity re-use
  - Less management overhead
  - Federate with your trusted partners
- Better for your customers
  - Less of their data will be compromised in a single event
  - Fewer passwords to remember
  - Consider integration with the consumer cloud via OAuth, OpenID, Facebook Connect etc.




Conclusions

- The Cloud market will change rapidly over the next few years
  - More accepted
  - Fewer players
- Cloud risks stay much the same
  - Same threat actors
  - Same vulnerabilities
  - Potentially greater impacts as usage increases
- The “Perfect Storm” will begin to worry end users
  - Humans don’t like to be watched
  - Anonymisation doesn’t often really work for both data controller and data subject
- Federated identity management will be the way ahead
- Getting your SIAM right is key to successful operation in the Cloud





Q&A




Securing the Cloud: More Workshops!

- Moving HR to the cloud
- Moving R&D services to the cloud
- Retiring and replacing your collaboration platform

Presenters: John Martinez, John Arnold, Lee Newcombe

The information contained in this presentation is proprietary.
Rightshore® is a trademark belonging to Capgemini.
© 2012 Capgemini. All rights reserved.
www.capgemini.com

About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.