The presentation covered the three commonly recognized deployment models and the service models for cloud computing.
It raced through the main security risks, from infrastructure to governance and compliance.
The model illustrated is that you build security in IaaS, but make it part of the RFP in SaaS, with PaaS somewhere in the middle.
Infrastructure security adds a new item, virtualization layer security, to the familiar storage, application, host, and network layers, and as your architecture moves from on-premise private cloud to SaaS, the vendor's share of responsibility for these increases.
For network security in the cloud, ensure data confidentiality and integrity; HTTPS is suggested. Revising your security zoning is recommended, with a look at defining security domains.
At the host level, new challenges include a new approach to patch management and vulnerability management. The velocity of attack is much higher in a cloud architecture. Validate CSP security controls against the ISO 27002 framework and similar standards when using a solution beyond IaaS.
The browser is the highest-risk point from an application security perspective. Security must become part of the SDLC. Beware DoS attacks from dark clouds, and economic denial of sustainability attacks. Firewalls, IDS, virtualization layer security, logging and monitoring, and vulnerability scanning are the key skills and technologies to invest in. We should also focus on keeping browser patching and security at the forefront.
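The logging-and-monitoring point above is easiest to see with a concrete detection. The following is an added example, not material from the talk or from any CSP: it parses a few constructed combined-format access-log lines, buckets traffic per client and minute, and flags clients whose request rate or served bytes would turn into a bill, which is the pattern behind an economic denial of sustainability attack. The thresholds, the per-GiB egress price, and the sample addresses are assumptions for illustration.

```python
"""Added example (not from the talk): flag request floods and egress-heavy
clients over constructed access-log lines. Thresholds and the egress price
are illustrative assumptions, not figures from any provider."""
import re
from collections import defaultdict

# Combined-format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

MAX_REQUESTS_PER_MIN = 30       # assumed per-client rate budget
MAX_BYTES_PER_MIN = 1 * 2**30   # assumed per-client egress budget (1 GiB)
EGRESS_USD_PER_GIB = 0.12       # assumed price, used only to size the finding

# Constructed sample: one client pulls a 50 MiB file 60 times in one minute,
# another loads a small page a few times, and one line is malformed.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Aug/2010:09:00:{s:02d} -0700] "GET /report.pdf HTTP/1.1" 200 52428800'
     for s in range(60)]
    + [f'198.51.100.5 - - [10/Aug/2010:09:00:{s:02d} -0700] "GET /index.html HTTP/1.1" 200 5120'
       for s in range(0, 60, 10)]
    + ["garbage line that does not parse"]
)


def parse_line(line: str):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {"ip": m.group("ip"),
            "minute": m.group("ts")[:17],  # "10/Aug/2010:09:00" -> per-minute bucket
            "bytes": 0 if size == "-" else int(size)}


def aggregate(log_text: str):
    """Sum requests and bytes per (client, minute); count lines we could not parse."""
    buckets = defaultdict(lambda: {"requests": 0, "bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        b = buckets[(rec["ip"], rec["minute"])]
        b["requests"] += 1
        b["bytes"] += rec["bytes"]
    return buckets, skipped


def find_offenders(log_text: str, max_requests=MAX_REQUESTS_PER_MIN, max_bytes=MAX_BYTES_PER_MIN):
    """One finding per (client, minute) that exceeds either budget."""
    buckets, _ = aggregate(log_text)
    findings = []
    for (ip, minute), b in sorted(buckets.items()):
        reasons = []
        if b["requests"] > max_requests:
            reasons.append("request rate")
        if b["bytes"] > max_bytes:
            reasons.append("egress volume")
        if reasons:
            findings.append({"ip": ip, "minute": minute,
                             "requests": b["requests"], "bytes": b["bytes"],
                             "est_egress_usd": round(b["bytes"] / 2**30 * EGRESS_USD_PER_GIB, 2),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_offenders(SAMPLE_LOG):
        print(finding)
```

Run over the sample, only 203.0.113.7 is reported, with both reasons and an estimated egress cost; the unparseable line is counted rather than silently dropped, which matters when the log source is the CSP rather than your own host.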
We moved to the topic of security management, with focus areas in availability, access, and vulnerability.
As a customer, the key challenges are defining security controls and working out how to leverage the security management tools already in place today. To get started, we must understand our IT layers, our data management, and our data flows. When managing availability, understand the CSP's methods for communicating outages and how the CSP allocates resources in the event of a failure, so that your critical resources are not lost to another tenant.
Consider the who, why, and how of accessing the resources, and how you will audit that access over time. While some aspects can be shifted to the vendor or CSP, ultimately you remain responsible.
The access device becomes the primary point of patch and security remediation management in a mobile, cloud-centric computing architecture.
The biggest challenge of IDM in the cloud is that the trust boundary has moved. Federated IDM helps with this, as do better access controls, governance, and auditing.
To get your IDM ready for the cloud, consider standards such as SAML 2.0, SPML for automated provisioning, XACML for account rights management, and OAuth for cross-CSP identity data access. But first it is vital to clean up your internal directories, and consider a multiple-protocol identity management platform. It is reasonable to consider identity service provisioning as a cloud-based service. Amazon EC2 is an example to consider.
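To make the "account rights management" role of XACML concrete, here is an added example that is not from the talk and is not XACML itself: a small attribute-based access control evaluator modelled on XACML's target matching, conditions, and deny-overrides combining algorithm. The roles, attribute names, and policies are constructed for illustration; in a federated setup the subject attributes would arrive in a SAML 2.0 assertion from your identity provider rather than being built inline as they are here.

```python
"""Added example (not from the talk, not XACML): attribute-based access
control with target matching, optional conditions and deny-overrides.
Policies and attribute names are constructed for illustration."""

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def _matches(required, actual) -> bool:
    """A set means 'any of these values'; anything else is an exact match."""
    if isinstance(required, (set, frozenset)):
        return actual in required
    return actual == required


def target_applies(target: dict, request: dict) -> bool:
    """target example: {"subject": {"role": "finance"}, "action": {"id": {"read", "list"}}}"""
    for category, attrs in target.items():
        present = request.get(category, {})
        for name, required in attrs.items():
            if not _matches(required, present.get(name)):
                return False
    return True


def evaluate(policies: list, request: dict) -> str:
    """Deny-overrides: one applicable Deny wins; else Permit if any; else NotApplicable."""
    decisions = []
    for policy in policies:
        if not target_applies(policy["target"], request):
            continue
        condition = policy.get("condition")
        if condition is not None and not condition(request):
            continue  # target matched but the condition did not: rule is NotApplicable
        decisions.append(policy["effect"])
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def enforce(policies: list, request: dict) -> bool:
    """Policy enforcement point: only an explicit Permit opens the door."""
    return evaluate(policies, request) == PERMIT


# Constructed policy set (not any real organisation's policy).
POLICIES = [
    {"id": "finance-reads-ledger",
     "target": {"subject": {"role": "finance"}, "resource": {"type": "ledger"},
                "action": {"id": {"read", "list"}}},
     "effect": PERMIT},
    {"id": "owner-department-manages-own-data",
     "target": {"action": {"id": {"read", "update"}}},
     "condition": lambda r: r["subject"].get("department") == r["resource"].get("owner_department"),
     "effect": PERMIT},
    {"id": "restricted-requires-mfa",
     "target": {"resource": {"classification": "restricted"}},
     "condition": lambda r: not r["subject"].get("mfa", False),
     "effect": DENY},
]


def make_request(role, department, mfa, rtype, classification, owner_department, action):
    """Build the request context; the subject block is what a SAML assertion would carry."""
    return {"subject": {"role": role, "department": department, "mfa": mfa, "idp": "corp-saml"},
            "resource": {"type": rtype, "classification": classification,
                         "owner_department": owner_department},
            "action": {"id": action}}


if __name__ == "__main__":
    req = make_request("finance", "finance", True, "ledger", "restricted", "finance", "read")
    print(evaluate(POLICIES, req), enforce(POLICIES, req))
```

The point to take from it: the deny rule is evaluated on every request that touches restricted data regardless of role, so a missing MFA claim in the federated assertion produces Deny even where a Permit rule also matches, and anything the policies do not mention falls out as NotApplicable, which the enforcement point treats as closed.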
For data protection and privacy in the cloud, understand your data classes and states. Encryption is important but may be challenging for application-specific stores, so it's vital to include this in the cloud application architecture and design. Additionally, ensure you have a plan to monitor and test data removal processes with your cloud service provider, and test it regularly.
The way you are protecting your data today likely doesn't translate to the cloud. Access, compliance, storage, retention, destruction, audit, and how to handle breaches all represent a shift in paradigm. Data subjects have the right to know what PII is stored and to request that you stop keeping or processing it, and you need to know how to make this information available.
Governance, risk, and compliance should be the first things you think about. Start with a risk assessment, and understand that delegation does not allow you to abdicate responsibility.
There are a multitude of compliance standards; you need to know which are applicable to your business and how to assess your environment against them. You need to know how to monitor and report on your controls and adjust as required.
IT and business both need to move together to a service-oriented model before you can move to the cloud. Again, we hear the message to start your cloud journey with non-sensitive data and establish good governance there before even considering anything else.
CSA and ENISA are both referenced as good places to start to understand aspects of governance around your journey to move apps and data to the cloud.
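The two paragraphs above ask for three things that are easy to state and easy to get wrong: encrypting by data class inside an application-specific store, destroying data you no longer have a right to hold, and being able to test that the destruction worked. The following is an added example, not code from the talk or from any CSP, showing one way to wire those together: the store (standing in for the CSP-hosted one) only ever holds ciphertext for sensitive classes, keys stay with the customer, removal is crypto-shredding of the class key, and a repeatable check confirms that nothing of the class is still recoverable or stored in the clear. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only so the example runs with the standard library; a real deployment would use a vetted AEAD such as AES-GCM. The class names and record layout are assumptions.

```python
"""Added example (not from the talk or any CSP): per-data-class encryption for
an application-specific store, crypto-shredding as the removal mechanism, and
a repeatable check that removal actually worked. The HMAC-based cipher is a
stand-in for a real AEAD so that the example needs only the standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the class key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def is_authentic(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


ENCRYPTED_CLASSES = {"internal", "pii"}  # "public" is stored in the clear (assumed classes)


class ClassifiedStore:
    """Stands in for the CSP-hosted store: it only ever holds ciphertext for
    encrypted classes. Keys belong to the customer and live outside the store."""

    def __init__(self):
        self.keys = {cls: secrets.token_bytes(32) for cls in ENCRYPTED_CLASSES}
        self.records = {}  # record_id -> (data_class, stored_bytes)

    def put(self, record_id: str, data_class: str, value: bytes) -> None:
        if data_class in ENCRYPTED_CLASSES:
            value = encrypt(self.keys[data_class], value)
        self.records[record_id] = (data_class, value)

    def get(self, record_id: str) -> bytes:
        data_class, stored = self.records[record_id]
        if data_class not in ENCRYPTED_CLASSES:
            return stored
        if data_class not in self.keys:
            raise LookupError(f"key for class '{data_class}' has been destroyed")
        return decrypt(self.keys[data_class], stored)

    def shred_class(self, data_class: str) -> None:
        """Crypto-shredding: without the class key, retained ciphertext is useless."""
        del self.keys[data_class]


def verify_removal(store: ClassifiedStore, data_class: str, known_plaintexts: dict) -> dict:
    """The periodic removal test: every record of the class must be undecryptable
    and none of the known plaintexts may remain stored in the clear."""
    checked = unrecoverable = leaks = 0
    for record_id, (cls, stored) in store.records.items():
        if cls != data_class:
            continue
        checked += 1
        try:
            store.get(record_id)
        except LookupError:
            unrecoverable += 1
        original = known_plaintexts.get(record_id, b"")
        if original and original in stored:
            leaks += 1
    return {"checked": checked, "unrecoverable": unrecoverable,
            "plaintext_leaks": leaks, "passed": checked == unrecoverable and leaks == 0}


if __name__ == "__main__":
    store = ClassifiedStore()
    originals = {"c1": b"ssn=123-45-6789", "c2": b"email=alice@example.com"}  # constructed PII
    for rid, val in originals.items():
        store.put(rid, "pii", val)
    store.put("b1", "public", b"press release text")
    store.shred_class("pii")
    print(verify_removal(store, "pii", originals))
```

Two design notes. Keeping one key per data class means a subject's right-to-erasure request for a whole class, or a contract ending with the CSP, is a key deletion on your side rather than a deletion you have to trust the provider to carry out; per-subject keys would give the same property at record granularity. And the removal check is something you can schedule, which is what "test it regularly" asks for.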
- Posted using BlogPress from my iPad
Location: Las Vegas, NV