
ArcelorMittal University

IT Academy

Providing Cloud Security

ArcelorMittal University
Campus XXXX

AGENDA

01 Securing the Cloud

02 Recognizing security risks

03 Securing IT infrastructure

04 Securing Data

AGENDA

01 Securing the Cloud

Security principles and challenges
Enterprise and cloud solutions
Security Standards
Summary

Security principles and challenges


Cloud security challenges for an organization

Organizations using cloud computing need assurance that their data will remain secure.
They also need to meet existing data life cycle regulations, which poses unique challenges in the
case of cloud computing.
Additionally, security is a concern because of the risks involved in entrusting hardware resources to
third parties and sharing cloud platforms with other companies - some of which may be competitors.
Data is often mixed with that of other customers both in transit and storage. This raises specific security
challenges.
The network hardware and software in a cloud is geographically distributed, which raises a concern because
different legislation governs data security and privacy in different jurisdictions.
Trust is a difficult issue because both the customer and CSP need to clarify who will be responsible for
data security, and which aspect of data security each partner needs to control. Additionally, it has to be
clear who's responsible for audit and compliance issues, and which regulatory requirements apply.
Configuration management is difficult because of the virtual nature of cloud computing and because of
the tendency of CSPs to commingle data from different customers, both in transit and on data servers.

To ensure that a cloud solution provides the security your company requires, you and your company's CSP
need to negotiate and agree on how to handle the following:
Confidentiality
It's important that you and your company's CSP discuss how confidential data will be transported and stored and
how your data will be segregated from data belonging to other companies. You also need to clarify who can view
and access the data while it's stored in the cloud.
Integrity
To ensure the integrity of data, both the customer and the CSP need to determine and apply permissions
restricting who's able to modify data when it resides in the cloud. It is also recommended that you ask for
specific information on how the CSP hires and monitors its own administrators.
Availability
In terms of availability, agreements need to be made to cover what happens to data if a CSP goes out of
business, and whether data and applications will be accessible at all times. You also need to find out what
disaster recovery protocols the CSP has in place.
Authorization
Companies need to know how access control will be handled and what measures are in place to ensure that
only those with the required permissions and authorization can access data and applications stored in the cloud.
Authentication
Companies need to understand what authentication measures are in place to ensure that only legitimate users
are granted access to their data and applications.
Auditing
To meet regulatory requirements and verify that the correct security measures are in place, you need to know
whether and how it will be possible to audit the CSP's security measures.

Enterprise and cloud solutions

A CSP and a customer can use one of the three basic models to determine their respective responsibilities for
security:

If CSPs are responsible for managing security, they need to match, or be compatible with, your company's
security controls, and meet legislative and company requirements. These controls are likely to include
mechanisms for identity and access control management.

Customers may be responsible for providing key security controls such as access management tools,
automated provisioning, and single sign-on, or SSO, capabilities for cloud applications. This model relies on
the customer providing key security controls and ensuring that local controls can interact with cloud-based
controls via standards-based interfaces.

The CSP may be responsible for creating and managing the local security services used by a customer, on the
customer's local network. If the CSP provides security to local client systems, customers contract with the CSP
and clarify what the CSP's responsibilities are. Often these include log management, authentication, and other
security services for protecting local data.

Security Standards

The frameworks for assessing traditional IT security developed by the International Organization for
Standardization are:

ISO 27001 is a certifiable standard that defines the requirements for an information security management
system, or ISMS. ISO 27001 controls are measurable, so companies can be audited to ensure that they have
sufficient overarching management controls and protocols in place to ensure ongoing security. The ISO 27001
framework can be used to assess the broader security programs adopted by a CSP.

ISO 27002 provides a code of practice and guidelines that can be used as a reference to achieve ISO 27001
certification. It separates information security controls into separate categories and details recommended
objectives for each of these. Categories include compliance, asset management, access control, and business
continuity management.

To gain certification, organizations are required to systematically review and address information
security risks using a comprehensive suite of security controls and risk management strategies.
To monitor security measures and compliance, CSPs can make use of the SysTrust audit
framework, which was developed by the American Institute of Certified Public Accountants and the
Canadian Institute of Chartered Accountants.

Some businesses now use the cloud in a Security-as-a-Service offering for the reasons below:

This type of service arose largely as an extension of outsourcing services designed to manage e-mail
spam or network security devices, such as intrusion detection systems and firewalls.
Another factor contributing to its development is the difficulty involved in implementing end-point
security for mobile devices.
SaaS ensures that security services are available to endpoints on demand. It can also save local
processing power, by detecting and analyzing malware in the cloud.

The offerings that SaaS provides for organizations include:

Email management
Using SaaS, CSPs can run anti-malware in the cloud to scan for and remove viruses, phishing
attempts, and spam from companies' incoming and outgoing e-mail. They may also enforce encryption
of outgoing e-mail, in accordance with an organization's protocol.
Potential benefits of this service include more comprehensive filtering of e-mail with no loss in
performance on client machines. Additionally, malware doesn't reach end devices or the internal
network.
Web Content Filtering
SaaS can divert incoming and outgoing web traffic and filter it to protect against malware and leakage
of confidential information. Filtering systems examine HTTP headers, embedded links, and web site
content. SaaS can also be used to block traffic to reduce bandwidth use in line with a customer's web
content policies.
Vulnerability Management
Because organizations increasingly rely on the Internet, they may need to ensure the secure operation and
configuration of systems that use the Internet. SaaS can be used in these cases to identify system
vulnerabilities and to provide patches and solutions to address vulnerabilities. Organizations can use
the information gathered by SaaS to show compliance with regulatory requirements governing
confidential or protected data, as well as to improve security.

SUMMARY

When providing security in a cloud computing environment, you need to clarify areas of responsibility
surrounding confidentiality, authentication, and authorization.
A CSP may be responsible for managing security controls to secure data on the cloud, the customer
may be responsible for providing security controls, or the CSP may provide security for the
customer's local system.
To help ensure that CSPs implement and maintain adequate security protocols and controls, you can
determine if they are certified under ISO 27001 and follow the best practices outlined in ISO 27002.

AGENDA

02 Recognising Security Risks

Risk Areas
Challenges and best practices
Secure Software Development
Summary

Risk Areas
Key security areas to address with prospective CSPs, especially if your organization has to comply with
regulations surrounding data security, are:
Data location
With some CSPs, your data could be stored literally anywhere. This has implications because different
regulations govern data security in different jurisdictions and it may be illegal to move certain types of data
across national borders.
So when considering a CSP, you need to find out where the data will be stored, and if the provider can commit
to using a specific location or set of locations. You should also find out if the CSP will contract to maintain
local privacy and other requirements for your company.
Regulatory compliance
Ultimately your organization is responsible for the security and integrity of its data, even if that data is stored
or managed by a CSP. This makes it important to find out if prospective CSPs are already subject to
compliance audits and security certification. If they aren't, you should find out whether they will be willing to
undergo audits and gain certification to provide assurance that the security measures they take are adequate.

Privileged user access is a security risk that should be addressed in initial conversations with prospective
CSPs.
To understand the level of risk a CSP's offering poses, you need to find out how the CSP hires employees
who'll have privileged access to data and what oversight measures are in place.
You also need to find out what security access controls the CSP uses to limit risk from privileged
administrators.
The privacy of your data in a cloud will depend partly on whether data from your own company is segregated
from that of other companies.
You need to find out what prospective CSPs do to segregate data that's stored, even temporarily, on their
servers.
You should also find out what other security measures like encryption they use to protect data.
In addition, you need to know what recovery plans the CSP has for your data if a disaster occurs. To be
effective, the recovery plan should include the replication of data and application infrastructure across
multiple sites.

You also need to know how long restoration of data will take in the event of a disaster.

Before you sign on with a CSP, it's a good idea to know how your company can retrieve its data and what form
the data will be in if the CSP goes out of business.

Challenges and Best Practices


Security challenges and risks associated with using SaaS relate to:
Data level security
To ensure data-level security, a CSP needs to have clear encryption management strategies in place for both
static data and data in transit. This involves encrypting incoming and outgoing data across secure layer protocols.
Physical asset control
With SaaS, companies lose direct control over the security of certain physical assets. Invariably, CSPs outsource
certain services to vendor organizations. These organizations' security measures might not comply with the
rigorous systems employed by CSPs to protect onsite hardware, services, and personnel.
Virtualization risks
With virtualization, there may be a risk of your company's data being seized if another company sharing a CSP's
hardware is under investigation. Commingling of data by the CSP may also pose integrity and privacy challenges.
Mobile device security
Mobile users can access data without first logging into a company network. So security controls have to be put in
place between mobile users and the cloud so that these users don't gain inappropriate access to sensitive data.
Compliance standards
There aren't yet standards specifically for cloud environments. However, some of the existing IT security
standards and audit mechanisms can be used to mitigate risks. Ensuring compliance when using SaaS is
complex because it's not necessarily clear where data is stored, who's responsible for the data, or what
regulations apply. Also, many regulations prohibit the commingling of data, which is common in a cloud
environment.

A range of basic security practices should be implemented in an SaaS environment


Physical Datacenter security
Physical datacenter security at CSP locations should be multilevel, and include a range of physical access
control mechanisms such as biometrics, constant visual monitoring, alarms, and so on. Environmental
controls should also be in place to control issues such as temperature, airflow, fire suppression, and
constant electricity supply. All these measures should be backed up with comprehensive policies, processes,
and procedures.
Application Security
To secure web connections between companies and SaaS providers, web applications should be developed
following Open Web Application Security Project, or OWASP, guidelines. Applications should also lock down
ports and unnecessary commands on Linux, Apache, MySQL, and PHP stacks in the cloud. Security and
application development teams need to collaborate on security processes, coding guidelines, tools, script
testing, and training. Attack and penetration tests should also be carried out to review code.
Virtual Machine Security
To ensure virtual machine security, data security teams need to deploy software security controls that
replicate traditional hardware controls. These controls include integrity monitoring, intrusion detection or
prevention systems, and log inspection controls. It's recommended that CSPs use bi-directional stateful
firewalls on virtual machines, and enable centralized management of server firewall policies.

Risk Management
To manage risk effectively, companies need to identify their technology assets and data links with business
processes and applications. Both they and their CSPs also need to be clear about their respective roles and
responsibilities. Owners have authority and accountability for protection requirements and information assets.
CSPs are responsible and accountable for implementing integrity, availability, and confidentiality and privacy
controls.
Training
Without a security awareness and training program, people can prove to be one of the biggest
vulnerabilities for systems and networks. It's important that a security and training program be
implemented at CSP datacenter locations and that the training is tailored to each employee's role in
the organization.
Training programs need to cover security fundamentals and should assess and align the necessary
skill sets to increase and maintain security. Mentorship should also be used to support employees in
gaining confidence and skill in maintaining secure practices and procedures.
Data Security
A formal data-governance framework should clarify responsibility and accountability of various
stakeholders and clarify permissions and limits for each role player. The data governance framework
should include the following categories:

Data inventory
Data classification
Data analysis
Data protection, retention, and recovery
Data privacy, and
Protocols for destroying data

Access Management
Effective identity and access management relies on the principle of least privilege, with the lowest possible
access granted to those working with data. CSPs need to monitor and improve end-to-end identity and trust
from the cloud to the enterprise. This protection needs to balance security and ease of access.

Secure Software Development

As the popularity of cloud computing increases and businesses rely more heavily on the Internet, the need for
secure software increases. Secure software development is a relevant consideration for all CSPs, regardless
of whether your cloud builds software applications from scratch or customizes existing software to meet specific
customer needs.
Your organization and your CSP should use the secure software development life cycle, or SecSDLC, to identify
and assess security risk when developing software to interact with the cloud.

1. Investigation
During the investigation phase, processes and goals are recorded in a security policy document.
2. Analysis
In the analysis phase, existing policies, threats, controls, and risks are assessed.
3. Logical design
In the logical design phase, a team develops a security blueprint, tests solution feasibility, and
plans incident and disaster responses.
4. Physical Design
The physical design phase involves selecting supportive technologies, designing physical security
measures, and reviewing plans. During this phase, a team also defines criteria against which the success
of applications can be measured.
5. Implementation
During the implementation phase, a team develops or buys security solutions and tests them before
handing them over to management for approval.
6. Maintenance
The final phase is maintenance. During this phase, a team tests, monitors, updates, and when necessary
repairs security solutions, taking changes in the threat environment into account.

SUMMARY

Key security issues it's important to address with a CSP include data location, regulatory compliance,
investigative support, data segregation, privileged user access, disaster recovery, and what will occur if the
CSP goes out of business.
Basic security practices you should ensure are implemented in an SaaS environment relate to physical
data center security, application security, virtual machine security, risk management, training, data
security, and access management.
To help ensure secure software development, you can use the SecSDLC process, which includes six
phases: investigation, analysis, logical design, physical design, implementation, and maintenance.

AGENDA

03 Securing IT infrastructure

Securing Network Infrastructure
Host level Responsibilities
Application Security
Summary

Securing Network Infrastructure


Although security is particularly important with an Infrastructure-as-a-Service, or IaaS, model of cloud computing,
properly protecting the core IT environment should be of high importance regardless of the service used.
To help organizations evaluate the risks and opportunities inherent in cloud computing, the Jericho Forum
created the Cloud Cube Model, which helps define where the boundary between the client's network and the
cloud begins and ends. It consists of four dimensions:
Internal or External
The internal versus external dimension defines the physical location of your data.
In-house or Outsourced
The in-house versus outsourced dimension focuses on whether the service is provided by the customer or the service
provider. What this means to your network depends on the resources you have available to manage your
services. With sufficient resources, you could provide greater security with in-house solutions. However, if you
don't have the resources, outsourced network services may provide greater security.
Proprietary / Open cloud
Proprietary clouds are ones in which the CSP owns the services, interfaces, and technology.
The benefit of this is that they often have innovative software; the downside is that it's difficult to move to another
provider and may be difficult to collaborate with others in the cloud. Open clouds use open source applications,
the benefit of which is that it's simple to collaborate or to move to another provider.
Perimeterized or Deperimeterized
Perimeterized architectures rely on the notion of boundaries between network segments. This approach
may provide some security, but doesn't lend itself well to collaboration. Deperimeterized architecture relies
instead on division at a more micro-level. This setup potentially provides greater flexibility in terms of cloud
use and greater collaboration opportunities.

Factors to consider before connecting to the cloud


Lack of network level auditing and monitoring
When using a public cloud, you'll have limited access to network logs and won't have free rein to gather
forensic data for investigation. You can gain some access by contracting with the CSP, but this doesn't provide
the in-depth access that's available in private networks.
Loss of traditional tiers and segregation
In traditional models, network segments and tiers were both logically and physically separated. Most forms of
cloud computing rely instead on security groups, domains, and virtual data centers that provide logical
separation at the host level for addressing purposes only. However, if a deperimeterized approach is used, this
loss may not pose as great a security risk as previously suspected.
Higher incidence of Domain Name Service, or DNS, attacks
Although both traditional and cloud networks are vulnerable to DNS attacks, the risk increases when using cloud
computing. This happens because there is a higher level of dependency on DNS to access external resources.
Increase in Denial-of-Service, or DoS, attacks
Both traditional and cloud networks are vulnerable to DoS attacks. However, cloud networks may be more
vulnerable, with company resources stored externally and accessed via the Internet.
Additionally, if you use the IaaS model, a rogue customer sharing the CSP may launch DoS attacks from within
the cloud network.

Host Level Responsibilities


Responsibilities for host security differ depending on which of the three deployment models you use:
Infrastructure-as-a-Service, or IaaS
If your company is looking for an IaaS solution, it's responsible for maintaining the security of its own virtual
machines. The CSP is responsible for virtualization security, which encompasses the layer between the host
hardware and virtual servers. All other aspects should be secured by the customer.
Platform-as-a-Service, or PaaS
If you're looking at a PaaS solution, the CSP is responsible for host security. As a customer, the host system is
hidden from you, but you'll have indirect access to the host subsystem through the use of application programming
interfaces, or APIs. It's also recommended that you find out if the CSP security is regularly assessed through ISO
27002 guidelines or SysTrust audits.
Software-as-a-Service, or SaaS
With SaaS deployment, the CSP is responsible for securing the hosts. So it's useful to find out if the CSP has
security certification or regular security audits such as with SysTrust.

The hypervisor logically separates customers' virtual machines. To restrict unauthorized access to the
hypervisor, CSPs need to provide both physical and logical access controls. However, a CSP is unlikely to
share what security controls it has to protect the hypervisor because making these public could impair
security.
Security threats that an IaaS customer may face when using a public cloud include:

Hackers listening on standard ports and attacking vulnerable services

Theft of security keys used to access and manage hosts

Hijacking of accounts that don't have adequate authentication measures

Deployment of Trojans embedded in a virtual machine

Protecting against the threats

Customers can secure the virtual host by creating host firewalls, using strong access controls,
hardening the virtual systems, and using strong encryption and key management protocols.
Recommended strategies include using secure-by-default configuration, guarding private keys, not
allowing password-based authentication for shell access, and disabling services that aren't used.
To monitor system safety, you can use host-based intrusion detection systems and ensure log
files are stored in an isolated and well-protected location.
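
One way to check two of these recommendations on a virtual host (no password-based shell access, guarded private keys), as an added example that is not part of the original slides. It assumes the host runs an OpenSSH server; the function names and both sample configurations are constructed for illustration, and the built-in defaults are taken from the sshd_config manual and should be confirmed for your build.

```python
import os
import stat

# Keywords that permit password-style logins and the value sshd is assumed to
# use when the keyword is absent (per the sshd_config manual; check your build).
PASSWORD_KEYWORDS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks, includes).

    sshd keeps the first value it sees for each keyword, keywords are
    case-insensitive, and everything after a Match line belongs to that block.
    """
    global_settings, match_blocks, includes = {}, [], []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif keyword == "include":
            includes.append(value)
        else:
            current.setdefault(keyword, value.lower())  # first value wins
    return global_settings, match_blocks, includes


def audit_password_logins(text):
    """List findings where password-based shell access remains possible."""
    global_settings, match_blocks, includes = parse_sshd_config(text)
    findings = []
    for keyword, default in PASSWORD_KEYWORDS.items():
        value = global_settings.get(keyword)
        if value is None:
            if default == "yes":
                findings.append(f"{keyword}: not set, built-in default is yes")
        elif value != "no":
            findings.append(f"{keyword}: set to {value} globally")
        # A Match block can switch passwords back on for some users or hosts.
        for condition, block in match_blocks:
            if block.get(keyword, "no") != "no":
                findings.append(f"{keyword}: re-enabled in 'Match {condition}'")
    if global_settings.get("permitemptypasswords") == "yes":
        findings.append("permitemptypasswords: set to yes")
    # Included files are not read here, so they are reported, not trusted.
    for pattern in includes:
        findings.append(f"include: {pattern} not read, may override settings")
    return findings


def private_key_exposed(path):
    """True if group or other users have any access to the key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample: the second PasswordAuthentication line is ignored because
# the first value wins, and the Match block re-enables passwords for one user.
WEAK_CONFIG = """\
# constructed sample, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample of the corrected configuration.
HARDENED_CONFIG = """\
# constructed sample
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_password_logins(config) or "no password logins possible")
```
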

Application Security

Criminals looking for financial gain and unauthorized access to information are increasingly targeting
vulnerabilities in web applications.
To protect against this, companies need to bolster their application security measures.

Common application security measures for web applications include perimeter security controls and
network and host-based access controls.
It is also important to harden browsers to ensure better end-to-end security for connections.
To reduce application vulnerability, you can embed security in the software development process
through the use of the secure software development life cycle, or SecSDLC.
Risks to application security often arise from programming errors and design flaws, so the tighter an
application is coded the less vulnerable it is.
Attacks may include cross-site scripting, known as XSS, SQL injections, and malware attacks.
Compromised computer systems that are linked to the Internet may also be the target for application-level
Denial-of-Service, or DoS, and distributed DoS, or DDoS, attacks.

Cloud customers are also responsible for end-user security. To provide this layer of protection for
applications, you need to protect PCs connected to the internet and ensure employees use safe
practices while online.
IaaS
Customers have full responsibility for securing applications when using an IaaS model. In this type of
deployment, CSPs don't access or review customer applications.
With IaaS, customers are responsible for end-point security such as anti-virus applications, account and
identity management, and browser hardening. You also need to embed countermeasures against
common web vulnerabilities within the applications.
The CSP should be asked to provide log-in history reports to facilitate investigations.
PaaS
In PaaS offerings, CSPs manage the customer's platforms and runtime engines, but the customer is
responsible for securing its own applications on the platform. The CSP is responsible for the security
model of the PaaS platform.
The customer's developers should be aware of the platform-specific security objects available to them to
configure authentication and authorization within their applications.

SaaS
With SaaS, the CSP is responsible for and manages the entire suite of applications provided to the
customer. So CSPs are largely responsible for providing security.
However, customers are typically responsible for operational security functions, such as user
account management and access management.

SUMMARY

When securing network infrastructure in a cloud environment, you need to consider the potential lack
of network-level auditing and monitoring, the loss of traditional network tiers and segregation, and an
increase in vulnerability to DNS and DoS attacks.
When securing hosts in a cloud environment, the type of offering you use determines who's
responsible for security at the host level. With IaaS, the customer is responsible for its virtual machines.
With PaaS and SaaS, the CSP is largely responsible.

AGENDA

04 Securing Data

Securing data in the cloud
Risk Assessment
Summary

Securing data in the cloud


Regardless of the cloud service offerings your organization is considering, it's important to evaluate
associated risks to the security of the organization's data.

Data-at-rest refers to data stored permanently or temporarily within the cloud.

With Platform-as-a-Service, or PaaS, and Software-as-a-Service, or SaaS, solutions, data that's to be
used by applications and processes usually can't be encrypted. Also, data within the cloud is often
commingled and compartmentalized only through the use of tags.
New homomorphic encryption technology may resolve this security issue by allowing data to be
processed while it's encrypted. However, this solution requires vast processing resources and at the
moment is too inefficient for widespread use.

Data-in-transit refers to data moving between your organization's network and the cloud. It's
important to consider the security of this data no matter what type of cloud offering you use.

To protect data-in-transit, strong encryption algorithms are required. You should also use protocols that
can provide both confidentiality and integrity.

Other issues associated with data security that you should consider before moving to a cloud solution
relate to
Data provenance
Data provenance takes data integrity one step further. Like data integrity, it requires assurance that data
hasn't been changed by an unauthorized person or changed in an unauthorized manner.
However, it also requires assurances that the data is calculated accurately. This requirement may be
necessary if data must be calculated using differing variables. Proving data provenance in a cloud
computing environment is very difficult because resources aren't directly under an organization's
physical or logical control.
Data lineage
Data lineage is the tracing of data locations over time. Having access to data lineage is often a
requirement for auditing and compliance. With cloud computing, accurate reporting on data lineage is
impractical. So if this is a requirement for your data, it may be better to keep the data in-house.
Data remanence
Data remanence refers to traces of data once information has been deleted, or connections and
hardware have been discarded. If data remanence is high, there is increased risk of unauthorized
access. CSPs should address this aspect of data security by following the guidelines for media
sanitization set out by the National Institute of Standards and Technology, or NIST, or the guidelines set
out by a standard such as ISO 27001.

Risk Assessment

It's important to determine whether a CSP will encrypt your data and whether you'll also need to apply
encryption. CSPs don't typically provide encryption in PaaS and SaaS models.

If the CSP does provide encryption, you need to determine whether it uses formally approved
encryption algorithms and suitable encryption key lengths. Keys should be at least 112 bits for
Triple Data Encryption Standard, or DES, and 128 bits for Advanced Encryption Standard, or AES.
Finally you should determine who's responsible for key management, who'll be able to decrypt the
data, and under what circumstances they may do so. Key management is particularly complex for
CSPs, and they may take shortcuts to simplify it.
Authentication based only on a user's user name and password is weak. Access controls need to
be very specific based on roles and responsibilities, and provide the lowest possible privileges
rather than simply assigning administrative or end-user privilege levels to accounts.
Integrity requires message authentication codes, or MACs, in conjunction with data encryption. Ask
whether it will also include some use of MACs for data integrity.
If you have to provide this layer of security yourself, it's recommended that you block symmetric in
cipher block chaining
If you intend to use the cloud for bulk storage, it can be hard to test integrity because you don't
know how or where the data is stored. It's useful to determine whether you need to validate the
integrity of data on the cloud without having to download and upload data to do so.
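
If you provide the MAC layer yourself, the check can look like the following added example (not part of the original slides). It tags objects that have already been encrypted before upload and verifies them on retrieval; HMAC-SHA256 is chosen here as the MAC, and the function names, object names and random "ciphertext" bytes are constructed for illustration.

```python
import hashlib
import hmac
import io
import secrets

CHUNK = 64 * 1024  # read large objects in pieces instead of loading them whole


def seal_object(mac_key, object_name, stream):
    """Return the hex HMAC-SHA256 tag for an already-encrypted object.

    The object name is bound into the tag (length-prefixed so name and content
    cannot be confused), which means a valid object and its valid tag cannot
    be served in place of a different object.
    """
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    name = object_name.encode("utf-8")
    mac.update(len(name).to_bytes(4, "big") + name)
    while chunk := stream.read(CHUNK):
        mac.update(chunk)
    return mac.hexdigest()


def verify_object(mac_key, object_name, stream, expected_tag):
    """Recompute the tag over what the cloud returned; compare in constant time."""
    actual = seal_object(mac_key, object_name, stream)
    return hmac.compare_digest(actual, expected_tag)


def demo():
    """Run the three cases a customer cares about and return the outcomes."""
    mac_key = secrets.token_bytes(32)  # held by the customer, never uploaded
    # Constructed stand-ins for ciphertext produced by your own encryption step.
    payroll = secrets.token_bytes(200_000)
    reviews = secrets.token_bytes(150_000)
    tags = {
        "hr/payroll.enc": seal_object(mac_key, "hr/payroll.enc", io.BytesIO(payroll)),
        "hr/reviews.enc": seal_object(mac_key, "hr/reviews.enc", io.BytesIO(reviews)),
    }

    # Case 2 input: a single bit changed while the object was in storage.
    flipped = bytearray(payroll)
    flipped[1000] ^= 0x01

    return {
        # Object comes back exactly as uploaded.
        "intact": verify_object(
            mac_key, "hr/payroll.enc", io.BytesIO(payroll), tags["hr/payroll.enc"]),
        # Stored bytes were altered.
        "bit_flip": verify_object(
            mac_key, "hr/payroll.enc", io.BytesIO(bytes(flipped)), tags["hr/payroll.enc"]),
        # A different object is returned together with its own valid tag.
        "swapped_pair": verify_object(
            mac_key, "hr/payroll.enc", io.BytesIO(reviews), tags["hr/reviews.enc"]),
    }


if __name__ == "__main__":
    print(demo())
```

This verification still requires retrieving the object, so it does not address the question of validating integrity without a download.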

When assessing availability risks, you need to consider:

The threat posed by network attacks

The capacity of the CSP as a business and

Whether the CSP offers redundancy through data backup within the cloud.

To assess the risks associated with storing data on a cloud, questions should be asked such as:

What function does the organization expect the CSP to provide?

What data is the organization intending to include in the cloud?

How critical is the data or function to the organization?

Which cloud option is appropriate?

What are potential points of exposure as data enters and leaves the cloud?

How much control does the organization have in mitigating risks?

SUMMARY

When securing data in cloud deployments, you need to consider security controls for data, both when it's in
transit and when it's in storage.
Other key data security issues include data provenance, lineage, and data remanence. When assessing the
risks associated with cloud-based data storage, you need to determine how critical and how sensitive the
data is.
You also need to determine which type of cloud deployment is most suitable, where potential vulnerabilities
lie, and how much control your organization will have in terms of risk mitigation.
