IT Academy
ArcelorMittal University
Campus XXXX
AGENDA
01 Securing the Cloud
02 Recognizing security risks
03 Securing IT infrastructure
04 Securing Data
01 Securing the Cloud
Organizations using cloud computing need assurance that their data will remain secure.
They also need to meet existing data life cycle regulations, which poses unique challenges in the
case of cloud computing.
Additionally, security is a concern because of the risks involved in entrusting hardware resources to
third parties and sharing cloud platforms with other companies, some of which may be competitors.
Data is often mixed with that of other customers both in transit and storage. This raises specific security
challenges.
The network hardware and software in a cloud is geographically distributed, which raises a concern because
different legislation governs data security and privacy in different jurisdictions.
Trust is a difficult issue because both the customer and CSP need to clarify who will be responsible for
data security, and which aspect of data security each partner needs to control. Additionally, it has to be
clear who's responsible for audit and compliance issues, and which regulatory requirements apply.
Configuration management is difficult because of the virtual nature of cloud computing and because of
the tendency of CSPs to commingle data from different customers, both in transit and on data servers.
To ensure that a cloud solution provides the security your company requires, you and your company's CSP
need to negotiate and agree on how to handle the following:
Confidentiality
It's important that you and your company's CSP discuss how confidential data will be transported and stored and
how your data will be segregated from data belonging to other companies. You also need to clarify who can view
and access the data while it's stored in the cloud.
Integrity
To ensure the integrity of data, both the customer and the CSP need to determine and apply permissions
restricting who's able to modify data when it resides in the cloud. It is also recommended that you ask for
specific information on how the CSP hires and monitors its own administrators.
Availability
In terms of availability, agreements need to be made to cover what happens to data if a CSP goes out of
business, and whether data and applications will be accessible at all times. You also need to find out what
disaster recovery protocols the CSP has in place.
Authorization
Companies need to know how access control will be handled and what measures are in place to ensure that
only those with the required permissions and authorization can access data and applications stored in the cloud.
Authentication
Companies need to understand what authentication measures are in place to ensure that only legitimate users
are granted access to their data and applications.
Auditing
To meet regulatory requirements and verify that the correct security measures are in place, you need to know
whether and how it will be possible to audit the CSP's security measures.
A CSP and a customer can use one of three basic models to determine their respective responsibilities for
security:
If CSPs are responsible for managing security, they need to match, or be compatible with, your company's
security controls, and meet legislative and company requirements. These controls are likely to include
mechanisms for identity and access control management.
Customers may be responsible for providing key security controls such as access management tools,
automated provisioning, and single sign-on, or SSO, capabilities for cloud applications. This model relies on
the customer providing key security controls and ensuring that local controls can interact with cloud-based
controls via standards-based interfaces.
The CSP may be responsible for creating and managing the local security services used by a customer, on the
customer's local network. If the CSP provides security to local client systems, customers contract with the CSP
and clarify what the CSP's responsibilities are. Often these include log management, authentication, and other
security services for protecting local data.
Security Standards
The frameworks for assessing traditional IT security developed by the International Organization for
Standardization are:
ISO 27001 is a certifiable standard that defines the requirements for an information security management
system, or ISMS. ISO 27001 controls are measurable, so companies can be audited to ensure that they have
sufficient overarching management controls and protocols in place to ensure ongoing security. The ISO 27001
framework can be used to assess the broader security programs adopted by a CSP.
ISO 27002 provides a code of practice and guidelines that can be used as a reference to achieve ISO 27001
certification. It separates information security controls into separate categories and details recommended
objectives for each of these. Categories include compliance, asset management, access control, and business
continuity management.
To gain certification, organizations are required to systematically review and address information
security risks using a comprehensive suite of security controls and risk management strategies.
To monitor security measures and compliance, CSPs can make use of the SysTrust audit
framework, which was developed by the American Institute of Certified Public Accountants and the
Canadian Institute of Chartered Accountants.
Some businesses now use the cloud in a Security-as-a-Service offering, for the following reasons:
This type of service arose largely as an extension of outsourcing services designed to manage e-mail
spam or network security devices, such as intrusion detection systems and firewalls.
Another factor contributing to its development is the difficulty involved in implementing end-point
security for mobile devices.
SaaS ensures that security services are available to endpoints on demand. It can also save local
processing power, by detecting and analyzing malware in the cloud.
SUMMARY
When providing security in a cloud computing environment, you need to clarify areas of responsibility
surrounding confidentiality, authentication, and authorization.
A CSP may be responsible for managing security controls to secure data on the cloud, the customer
may be responsible for providing security controls, or the CSP may provide security for the
customer's local system.
To help ensure that CSPs implement and maintain adequate security protocols and controls, you can
determine if they are certified under ISO 27001 and follow the best practices outlined in ISO 27002.
02 Recognising Security Risks
Risk Areas
Key security areas to address with prospective CSPs, especially if your organization has to comply with
regulations surrounding data security, are:
Data location
With some CSPs, your data could be stored literally anywhere. This has implications because different
regulations govern data security in different jurisdictions and it may be illegal to move certain types of data
across national borders.
So when considering a CSP, you need to find out where the data will be stored, and if the provider can commit
to using a specific location or set of locations. You should also find out if the CSP will contract to maintain
local privacy and other requirements for your company.
Regulatory compliance
Ultimately your organization is responsible for the security and integrity of its data, even if that data is stored
or managed by a CSP. This makes it important to find out if prospective CSPs are already subject to
compliance audits and security certification. If they aren't, you should find out whether they will be willing to
undergo audits and gain certification to provide assurance that the security measures they take are adequate.
Privileged user access is a security risk that should be addressed in initial conversations with prospective
CSPs.
To understand the level of risk a CSP's offering poses, you need to find out how the CSP hires employees
who'll have privileged access to data and what oversight measures are in place.
You also need to find out what security access controls the CSP uses to limit risk from privileged
administrators.
The privacy of your data in a cloud will depend partly on whether data from your own company is segregated
from that of other companies.
You need to find out what prospective CSPs do to segregate data that's stored, even temporarily, on their
servers.
You should also find out what other security measures like encryption they use to protect data.
In addition, you need to know what recovery plans the CSP has for your data if a disaster occurs. To be
effective, the recovery plan should include the replication of data and application infrastructure across
multiple sites.
You also need to know how long restoration of data will take in the event of a disaster.
Before you sign on with a CSP, it's a good idea to know how your company can retrieve its data and what form
the data will be in if the CSP goes out of business.
Risk Management
To manage risk effectively, companies need to identify their technology assets and data links with business
processes and applications. Both they and their CSPs also need to be clear about their respective roles and
responsibilities. Owners have authority and accountability for protection requirements and information assets.
CSPs are responsible and accountable for implementing integrity, availability, and confidentiality and privacy
controls.
Trainings
Without a security awareness and training program, people can prove to be one of the biggest
vulnerabilities for systems and networks. It's important that a security and training program be
implemented at CSP datacenter locations and that the training is tailored to each employee's role in
the organization.
Training programs need to cover security fundamentals and should assess and align the necessary
skill sets to increase and maintain security. Mentorship should also be used to support employees in
gaining confidence and skill in maintaining secure practices and procedures.
Data Security
A formal data-governance framework should clarify responsibility and accountability of various
stakeholders and clarify permissions and limits for each role player. The data governance framework
should include the following categories:
Data inventory
Data classification
Data analysis
Data protection, retention, and recovery
Data privacy, and
Protocols for destroying data
Access Management
Effective identity and access management relies on the principle of least privilege, with the lowest possible
access granted to those working with data. CSPs need to monitor and improve end-to-end identity and trust
from the cloud to the enterprise. This protection needs to balance security and ease of access.
As the popularity of cloud computing increases and businesses rely more heavily on the Internet, the need for
secure software increases. Secure software development is a relevant consideration for all CSPs, regardless
of whether your cloud builds software applications from scratch or customizes existing software to meet specific
customer needs.
Your organization and your CSP should use the secure software development life cycle, or SecSDLC, to identify
and assess security risk when developing software to interact with the cloud.
1. Investigation
During the investigation phase, processes and goals are recorded in a security policy document.
2. Analysis
In the analysis phase, existing policies, threats, controls, and risks are assessed.
3. Logical design
In the logical design phase, a team develops a security blueprint, tests solution feasibility, and
plans incident and disaster responses.
4. Physical design
The physical design phase involves selecting supportive technologies, designing physical security
measures, and reviewing plans. During this phase, a team also defines criteria against which the success
of applications can be measured.
5. Implementation
During the implementation phase, a team develops or buys security solutions and tests them before
handing them over to management for approval.
6. Maintenance
The final phase is maintenance. During this phase, a team tests, monitors, updates, and when necessary
repairs security solutions, taking changes in the threat environment into account.
SUMMARY
Key security issues it's important to address with a CSP include data location, regulatory compliance,
investigative support, data segregation, privileged user access, disaster recovery, and what will occur if the
CSP goes out of business.
Basic security practices you should ensure are implemented in an SaaS environment relate to physical
data center security, application security, virtual machine security, risk management, training, data
security, and access management.
To help ensure secure software development, you can use the SecSDLC process, which includes six
phases: investigation, analysis, logical design, physical design, implementation, and maintenance.
03 Securing IT infrastructure
Perimeterized or Deperimeterized
Perimeterized architectures rely on the notion of boundaries between network segments. This approach
may provide some security, but doesn't lend itself well to collaboration. Deperimeterized architecture relies
instead on division at a more micro-level. This setup potentially provides greater flexibility in terms of cloud
use and greater collaboration opportunities.
The hypervisor logically separates customers' virtual machines. To restrict unauthorized access to the
hypervisor, CSPs need to provide both physical and logical access controls. However, a CSP is unlikely to
share what security controls it has to protect the hypervisor because making these public could impair
security.
Security threats that an IaaS customer may face when using a public cloud include
Customers can secure the virtual host by creating host firewalls, using strong access controls,
hardening the virtual systems, and using strong encryption and key management protocols.
Recommended strategies include using secure-by-default configuration, guarding private keys, not
allowing password-based authentication for shell access, and disabling services that aren't used.
To monitor system safety, you can use host-based intrusion detection systems and ensure log
files are stored in an isolated and well-protected location.
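One way to check the "no password-based authentication for shell access" recommendation on a virtual host is to audit its OpenSSH server configuration. The script below is an added example, not part of the original course material; it assumes OpenSSH's sshd_config format and defaults, and the sample configurations and function names are constructed for illustration.

```python
"""Audit sshd_config text for password-based shell access (added example)."""
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitemptypasswords": "no", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Deprecated keyword that OpenSSH treats as KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication",
                 "permitemptypasswords")


def parse(text):
    """Return (global settings, Match overrides); first global value wins."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match = None if value.lower() == "all" else value
        elif match is None:
            settings.setdefault(key, value.lower())  # sshd keeps the first value
        else:
            overrides.append((match, key, value.lower()))
    return settings, overrides


def audit(text):
    """Return findings; an empty list means no password login path was found."""
    settings, overrides = parse(text)
    effective = {**DEFAULTS, **settings}
    findings = []
    for key in PASSWORD_KEYS:
        if effective[key] == "yes":
            source = "set" if key in settings else "default"
            findings.append(f"{key}=yes ({source})")
    if effective["permitrootlogin"] == "yes":
        findings.append("permitrootlogin=yes (root not limited to keys)")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off (no key-based login)")
    for criteria, key, value in overrides:
        if key in PASSWORD_KEYS and value == "yes":
            findings.append(f"Match {criteria}: {key}=yes")
    return findings


# Constructed samples: WEAK appends a hardening line after an earlier "yes".
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication=no
PasswordAuthentication no
Match User backup
    KbdInteractiveAuthentication yes
"""
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no password login path")
```

The WEAK sample shows why appending "PasswordAuthentication no" to the end of a file is not enough: sshd uses the first value it reads for each keyword, and a Match block can turn a password path back on for specific users.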
Application Security
Criminals looking for financial gain and unauthorized access to information are increasingly targeting
vulnerabilities in web applications.
To protect against this
Cloud customers are also responsible for end-user security. To provide this layer of protection for
applications, you need to protect PCs connected to the internet and ensure employees use safe
practices while online.
IaaS
Customers have full responsibility for securing applications when using an IaaS model. In this type of
deployment, CSPs don't access or review customer applications.
With IaaS, customers are responsible for end-point security such as anti-virus applications, account and
identity management, and browser hardening. You also need to embed countermeasures against
common web vulnerabilities within the applications.
The CSP should be asked to provide log-in history reports to facilitate investigations.
PaaS
In PaaS offerings, CSPs manage the customer's platforms and runtime engines, but the customer is
responsible for securing its own applications on the platform. The CSP is responsible for the security
model of the PaaS platform.
The customer's developers should be aware of the platform-specific security objects available to them to
configure authentication and authorization within their applications.
SaaS
With SaaS, the CSP is responsible for and manages the entire suite of applications provided to the
customer. So CSPs are largely responsible for providing security.
However, customers are typically responsible for operational security functions, such as user
account management and access management.
SUMMARY
When securing network infrastructure in a cloud environment, you need to consider the potential lack
of network-level auditing and monitoring, the loss of traditional network tiers and segregation, and an
increase in vulnerability to DNS and DoS attacks.
When securing hosts in a cloud environment, the type of offering you use determines who's
responsible for security at the host level. With IaaS, the customer is responsible for its virtual machines.
With PaaS and SaaS, the CSP is largely responsible.
04 Securing Data
With Platform-as-a-Service, or PaaS, and Software-as-a-Service, or SaaS, solutions, data that's to be
used by applications and processes usually can't be encrypted. Also, data within the cloud is often
commingled and compartmentalized only through the use of tags.
New homomorphic encryption technology may resolve this security issue by allowing data to be
processed while it's encrypted. However, this solution requires vast processing resources and at the
moment is too inefficient for widespread use.
Data-in-transit refers to data moving between your organization's network and the cloud. It's
important to consider the security of this data no matter what type of cloud offering you use.
To protect data-in-transit, strong encryption algorithms are required. You should also use protocols that
can provide both confidentiality and integrity.
Other issues associated with data security that you should consider before moving to a cloud solution
relate to:
Data provenance
Data provenance takes data integrity one step further. Like data integrity, it requires assurance that data
hasn't been changed by an unauthorized person or changed in an unauthorized manner.
However, it also requires assurances that the data is calculated accurately. This requirement may be
necessary if data must be calculated using differing variables. Proving data provenance in a cloud
computing environment is very difficult because resources aren't directly under an organization's
physical or logical control.
Data lineage
Data lineage is the tracing of data locations over time. Having access to data lineage is often a
requirement for auditing and compliance. With cloud computing, accurate reporting on data lineage is
impractical. So if this is a requirement for your data, it may be better to keep the data in-house.
Data remanence
Data remanence refers to traces of data once information has been deleted, or connections and
hardware have been discarded. If data remanence is high, there is increased risk of unauthorized
access. CSPs should address this aspect of data security by following the guidelines for media
sanitization set out by the National Institute of Standards and Technology, or NIST, or the guidelines set
out by a standard such as ISO 27001.
Risk Assessment
It's important to determine whether a CSP will encrypt your data and whether you'll also need to apply
encryption. CSPs don't typically provide encryption in PaaS and SaaS models.
If the CSP does provide encryption, you need to determine whether it uses formally approved
encryption algorithms and suitable encryption key lengths. Keys should be at least 112 bits for
Triple Data Encryption Standard, or 3DES, and 128 bits for Advanced Encryption Standard, or AES.
Finally you should determine who's responsible for key management, who'll be able to decrypt the
data, and under what circumstances they may do so. Key management is particularly complex for
CSPs, and they may take shortcuts to simplify it.
Authentication based only on a user's user name and password is weak. Access controls need to
be very specific based on roles and responsibilities, and provide the lowest possible privileges
rather than simply assigning administrative or end-user privilege levels to accounts.
Integrity requires message authentication codes, or MACs, in conjunction with data encryption. Ask
whether it will also include some use of MACs for data integrity.
If you have to provide this layer of security yourself, it's recommended that you block symmetric in
cipher block chaining
If you intend to use the cloud for bulk storage, it can be hard to test integrity because you don't
know how or where the data is stored. It's useful to determine whether you need to validate the
integrity of data on the cloud without having to download and upload data to do so.
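If you have to supply the MAC layer yourself, the sketch below shows one way to do it. It is an added example, not part of the original course material, and goes slightly beyond the text by binding each tag to the object's name and version as well as its bytes. It assumes the stored bytes are already encrypted by the customer; the function names, object names and the in-memory "cloud" dictionary are hypothetical.

```python
"""Customer-held HMAC key protecting objects stored with a CSP (added example)."""
import hashlib
import hmac


def object_tag(key: bytes, name: str, version: int, stored: bytes) -> str:
    """HMAC-SHA256 over length-prefixed name, version and stored bytes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (name.encode(), str(version).encode(), stored):
        mac.update(len(field).to_bytes(8, "big"))  # unambiguous field framing
        mac.update(field)
    return mac.hexdigest()


def put(cloud, versions, key, name, stored):
    """Upload bytes plus tag; only the version counter stays with the customer."""
    versions[name] = versions.get(name, 0) + 1
    cloud[name] = (stored, object_tag(key, name, versions[name], stored))


def get_verified(cloud, versions, key, name):
    """Return the stored bytes, or None when the MAC check fails."""
    stored, tag = cloud[name]
    expected = object_tag(key, name, versions[name], stored)
    return stored if hmac.compare_digest(expected, tag) else None


def demo():
    """Run four retrievals against a constructed object store."""
    key = bytes(range(32))  # constructed key; use secrets.token_bytes(32) in practice
    cloud, versions = {}, {}  # cloud stands in for the CSP's storage
    put(cloud, versions, key, "payroll.enc", b"ciphertext-A1")
    put(cloud, versions, key, "hr.enc", b"ciphertext-B1")
    old = cloud["payroll.enc"]
    put(cloud, versions, key, "payroll.enc", b"ciphertext-A2")
    good = cloud["payroll.enc"]
    cases = {
        "intact": good,
        "modified": (b"ciphertext-AX", good[1]),  # bytes changed, tag kept
        "swapped": cloud["hr.enc"],               # another object with its valid tag
        "rolled_back": old,                       # older version with its valid tag
    }
    results = {}
    for label, pair in cases.items():
        cloud["payroll.enc"] = pair
        results[label] = get_verified(cloud, versions, key, "payroll.enc") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

This check needs the object's bytes, so it verifies integrity on retrieval rather than while the data sits in the cloud.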
Whether the CSP offers redundancy through data backup within the cloud.
To assess the risks associated with storing data on a cloud, questions should be asked such as:
What are potential points of exposure as data enters and leaves the cloud?
SUMMARY
When securing data in cloud deployments, you need to consider security controls for data, both when it's in
transit and when it's in storage.
Other key data security issues include data provenance, lineage, and data remanence. When assessing the
risks associated with cloud-based data storage, you need to determine how critical and how sensitive the
data is.
You also need to determine which type of cloud deployment is most suitable, where potential vulnerabilities
lie, and how much control your organization will have in terms of risk mitigation.