Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
- 1. Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
  David Etue, VP, Corporate Development Strategy, SafeNet, Inc.
- 3. Cloud Benefits Are Being Realized…
  • 80% of mature cloud adopters are seeing:¹
    – Faster access to infrastructure
    – Greater scalability
    – Faster time to market for applications
  • 50% of cloud users report benefits including:¹
    – Better application performance
    – Expanded geographic reach
    – Increased IT staff efficiency
  ¹ RightScale State of the Cloud Report 2014
- 6. Leading Inhibitors to Cloud Adoption
  [Figure: survey chart of leading inhibitors to cloud adoption. Source: 451 TheInfoPro 2013 Cloud Computing Outlook – Cloud Computing Wave 5]
- 7. Security and Compliance Concerns With Shared Clouds
  How do you maintain ownership and control of your information in a multi-tenant environment?
  Data Governance – Lack of Visibility
  • Can you track all of my data instances? Backups? Snapshots?
  • Am I aware of government requests/discovery?
  • Do you know when data is copied?
  Data Compliance – Lack of Data Control
  • Who is accessing my data?
  • Can I illustrate compliance with internal and external mandates?
  • Is there an audit trail of access to my data?
  Data Protection – Risk of Breach and Data Loss
  • Are all my data instances secure?
  • Can I assure only authorized access to my data?
  • Can I “pull the plug” on data that’s at risk of exposure or whose lifecycle has expired?
- 8. New Risks Driving Cloud Security Challenges
  • Increased attack surface
  • Privileged users
  • Ability to apply security controls
  • Control (or the lack thereof)
- 11. New Risk: Ability to Apply Security Controls
  [Figure: Security Controls Mapping and Sized by Budget. CSA Cloud Model layers, top to bottom: Security Management & GRC, Identity/Entity Security, Data Security, App Sec, Host, Network, Infrastructure Security]
  Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 12. New Risk: Ability to Apply Security Controls
  Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?
- 13. New Risk: Control (or the lack thereof)
  The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
  [Figure: cloud stack with three service models placed by where the provider’s responsibility stops: Amazon EC2 - IaaS; Google AppEngine - PaaS; Salesforce - SaaS]
  Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA
- 14. And Not Just The Traditional “Bad Guys”
  [Figure: Sensitive Data in the Cloud, surrounded by the parties who may reach it: Adversaries; Government Discovery; Cloud Administrators; Auditors / Regulators]
- 15. So, Whose Cloud Is It Anyway?

  | Model | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS |
  |---|---|---|---|
  | Whose privileged users? | Customer | Provider | Provider |
  | Whose infrastructure? | Customer | Provider | Provider |
  | Whose VM / instance? | Customer | Customer | Provider |
  | Whose application? | Customer | Customer | Provider |
  | Government discovery contact? | Customer | Provider | Provider |
- 16. Geographical Considerations?
  • Cloud region location
  • Cloud provider headquarters
  - US court decision with serious implications: IN THE MATTER OF A WARRANT TO SEARCH A CERTAIN E-MAIL ACCOUNT CONTROLLED AND MAINTAINED BY MICROSOFT CORPORATION, 13 Mag. 2814
  - A Sober Look at National Security Access to Data in the Cloud - A Hogan Lovells White Paper (covers US, EU, and EU member country legislation and case law)
- 17. Making it Your Cloud: Key Enablers to Cloud Security
  • Encryption (and Key Management)
  • Identity and Access Management with Strong Authentication
  • Segmentation
  • Privileged User Management
  • Detection and Response Capabilities
  • System Hardening
  • Asset, Configuration, and Change Management
- 20. Cloud Encryption Models

  | Type of Encryption | Definition | Also Called |
  |---|---|---|
  | Service Provider Encryption with Provider Managed Keys | Encryption performed by the cloud service provider using encryption keys owned and managed by the cloud service provider | • Server Side Encryption • SSE |
  | Service Provider Encryption with Customer Managed Keys | Encryption performed by the cloud service provider using encryption keys owned and managed by the customer | • “Customer provided keys” • SSE-CPK |
  | Customer Managed Encryption with Customer Managed Keys | Encryption performed by the customer using encryption keys owned and managed by the customer | • “Client side encryption” (for object storage and client-server environments) |
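The three models in the table differ in who runs the encryption and who holds the key, and that difference decides what a provider insider, or a discovery request served on the provider (slides 14 and 15), can recover from stored data. The Go program below is an added example, not code from the original deck or from SafeNet; it simulates the three models with AES-256-GCM from Go's standard library. The `Provider` type, its `masterKey`, the `PutSSE`, `PutSSECPK`, `PutClientSide` and `ProviderCanRead` functions, and the sample record are all constructed for this illustration and stand in for a real provider's key hierarchy, which would live in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Model labels the three encryption models from the table.
type Model string

const (
	SSE        Model = "SSE: provider encrypts, provider-managed keys"
	SSECPK     Model = "SSE-CPK: provider encrypts, customer-managed keys"
	ClientSide Model = "Client side: customer encrypts, customer-managed keys"
)

// NewKey returns a fresh random 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. With the wrong key the GCM tag check fails and an
// error is returned, which is what makes "can this key read it?" decidable.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Object is everything the simulated provider retains per stored item.
type Object struct {
	Model      Model
	Ciphertext []byte
}

// Provider simulates a cloud storage service (hypothetical, for this example).
// masterKey stands in for the provider-owned key hierarchy.
type Provider struct {
	masterKey []byte
	objects   map[string]Object
}

func NewProvider() *Provider {
	return &Provider{masterKey: NewKey(), objects: map[string]Object{}}
}

// PutSSE: the provider encrypts with a key it owns and keeps.
func (p *Provider) PutSSE(name string, plaintext []byte) error {
	ct, err := Seal(p.masterKey, plaintext)
	if err != nil {
		return err
	}
	p.objects[name] = Object{SSE, ct}
	return nil
}

// PutSSECPK: the provider encrypts with a key supplied on the request and
// stores only the ciphertext; the customer must present the key again to read.
func (p *Provider) PutSSECPK(name string, customerKey, plaintext []byte) error {
	ct, err := Seal(customerKey, plaintext)
	if err != nil {
		return err
	}
	p.objects[name] = Object{SSECPK, ct}
	return nil
}

func (p *Provider) GetSSECPK(name string, customerKey []byte) ([]byte, error) {
	obj, ok := p.objects[name]
	if !ok || obj.Model != SSECPK {
		return nil, errors.New("no such SSE-CPK object")
	}
	return Open(customerKey, obj.Ciphertext)
}

// PutClientSide: the customer encrypted before upload; the provider stores
// opaque bytes and never sees a key.
func (p *Provider) PutClientSide(name string, ciphertext []byte) {
	p.objects[name] = Object{ClientSide, ciphertext}
}

func (p *Provider) GetClientSide(name string) []byte { return p.objects[name].Ciphertext }

// ProviderCanRead models an insider, or a legal request served on the provider,
// that has everything the provider holds: stored bytes plus the provider's keys.
// It does not model a compromised customer key.
func (p *Provider) ProviderCanRead(name string) bool {
	obj, ok := p.objects[name]
	if !ok {
		return false
	}
	_, err := Open(p.masterKey, obj.Ciphertext)
	return err == nil
}

func main() {
	p := NewProvider()
	record := []byte("constructed sample: customer record 42") // constructed input
	p.PutSSE("sse", record)
	ck := NewKey()
	p.PutSSECPK("cpk", ck, record)
	ct, _ := Seal(ck, record)
	p.PutClientSide("client", ct)
	for _, n := range []string{"sse", "cpk", "client"} {
		fmt.Printf("%-55s provider can read: %v\n", p.objects[n].Model, p.ProviderCanRead(n))
	}
}
```

Only the SSE object is readable with the provider's own key; the SSE-CPK and client-side objects fail GCM authentication under that key. The difference between the last two is not what is stored but where the customer key is exposed: in SSE-CPK the plaintext and key transit the provider on every request, while client-side encryption keeps both on the customer's side, at the cost of doing key management and rotation yourself.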
- 21. How Do You Apply Security Controls?
  [Figure: Security Controls Mapping and Sized by Budget. CSA Cloud Model layers, top to bottom: Security Management & GRC, Identity/Entity Security, Data Security, App Sec, Host, Network, Infrastructure Security]
  Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
- 22. Need to Focus “Up The Stack”
  [Figure: CSA Cloud Model layers, top to bottom: Security Management & GRC, Identity/Entity Security, Data Security, App Sec, Host, Network, Infrastructure Security. The lower layers (Host, Network, Infrastructure Security) are overlaid with the note: Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed]
- 23. Data Centric Security = Agility!
  [Figure: CSA Cloud Model layers, top to bottom: Security Management & GRC, Identity/Entity Security, Data Security, App Sec, Host, Network, Infrastructure Security]