Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
•
2 gostaram•1,094 visualizações
How to Audit Cloud Providers
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (19)
Destaque
Destaque (12)
Semelhante a Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Semelhante a Don’t Just Trust Cloud Providers - How To Audit Cloud Providers (20)
Mais de Michael Davis
Mais de Michael Davis (8)
Último
Último (20)
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
- 1. Copyright ©2011 Savid Technologies, Inc. All Rights Reserved Don’t Just Trust Cloud Providers Verify! How To Audit Cloud Providers Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
- 2. Agenda • What Makes This So Difficult? • What a SSAE16 Is and Is Not • What to audit • Tips and Techniques • Questions
- 4. Who am I? • Michael A. Davis – CEO of Savid Technologies – Speaker • Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff • Savid Technologies – Risk Assessments, IT Security Consulting, Audit and Compliance
- 5. Author
- 7. Where we got our data » June 2012 Survey » Over 300 Security & Audit Professionals » Follow-up Interviews » Wide Variety Of Industries – Financial – Healthcare – Legal – Actual Cloud Users!
- 8. What Are Your Concerns?
- 10. Key Trust Issues •Transparency & visibility from providers •Compatible laws across jurisdictions •Data sovereignty •Incomplete standards •True multi-tenant technologies & architecture •Incomplete Identity Mgt implementations •Consumer awareness & engagement How do you gracefully “lose control” of IT and have greater confidence in its security?
- 11. Vendor Management Isn’t Enough » IT is predominately the one performing the reviews » Security Team doesn’t get involved till after integration » Vendor Management isn’t technical enough » Legal doesn’t know what to include in contracts » IT is also reviewing contracts 31% of respondents have no idea if their controls are effective compared to the cloud
- 12. SSAE16 What? • Replaces SAS70 • Attestation based • SOC 1 vs SOC 2/Type I and Type II – SOC1 Is just financial controls • SOC 2 Requires Coverage in 5 Key Areas – Security – Availability – Processing integrity – Confidentiality – Privacy of personal information • Omission is ok if it “Is Not Applicable” – System Description is Key • You Have to read these!
- 13. What about these certifications?
- 14. Migrating to the Cloud • Shared Responsibility • Strategy • Education • Architecture / Framework • Due Diligence
- 15. Vulnerability Scans and Pen Tests • Commonly confused terms • Only 35% of respondents perform them • Not applicable in many cases • Most providers don’t allow it – Or require scheduling of it • What if it is a private network or behind an application? • Do you assess the application or the infrastructure?
- 16. What about Encryption? • Data Encryption is YOUR responsibility • Many PaaS and IaaS Providers can’t support it/don’t • What is the real benefit? • Whole Disk Encryption is useful if theft of VM is concern • Data In transit and rest is vital (not the OS) • SaaS apps need customer support • Ask for our report on Cloud Encryption
- 17. About the Cloud Security Alliance • Global, not-for-profit organization • Over 33,000 individual members, 150 corporate members, 60 chapters • Building best practices and a trusted cloud ecosystem – Research – Education – Certification – Advocacy of prudent public policy • Innovation, Transparency, GRC, Identity “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
- 18. Global Efforts • Europe – Proposed EU Data Privacy Regulation – EC European Cloud Partnership • US Federal government – NIST – FedRAMP • APAC • Standards bodies – ISO SC 27 – ITU-T FG 17 – DMTF, PCI Standards Council
- 19. CSA STAR Registry • CSA STAR (Security, Trust and Assurance Registry) • Public Registry of Cloud Provider self assessments • Based on Consensus Assessments Initiative Questionnaire – Provider may substitute documented Cloud Controls Matrix compliance • Voluntary industry action promoting transparency • Security as a market differentiator • www.cloudsecurityalliance.org/star
- 20. Follow the Data!
- 21. One Size Doesn’t Fit All Minimum Moderate Ideal Review SSAE16 Everything in previous category Everything in previous category Ask for proof (patch verification, av update, etc) Security Questionnaire (CSA’s or your own) Technical audit after major app refresh or infrastructure change Review Legal Contracts (Notification clauses, breach disclosures, etc) Speak to customers Annual Pen Test Quarterly Vuln Scans for IaaS and PaaS Speak to providers’ engineers or security team Annual Technical Audit by internal or 3rd party Quarterly app vuln scans for SaaS and PaaS
- 22. Conclusion Contact Information Michael A. Davis mdavis@savidtech.com 708-532-2843 Twitter: @mdavisceo
Notas do Editor
- Will my provider be transparent about how they manage their systems, organization governance, etc?Will I be considered compliant?Do I know where my data is?Will a lack of standards drive unexpected obsolescence? Is my provider really better at security than me?Are the hackers waiting for me in the cloud?Will I get fired?How can we gracefully “lose control” of IT
- Understand the Shared Responsibility between provider and customerHave a Strategy to say yes to cloud for business units, find the “low hanging fruit” for cloud adoptionEducate yourself and your teams on what cloud isHave Architecture/Frameworks that enable flexibility in adding, changingDue Diligence – know your provider, your provider’s providers
- We are the leading vendor neutral organization focused on solving the trust issues with cloud computing. We have dozens of active research projects, training, the world’s only user certification for cloud security and a public repository of provider security assessments. Like the cloud itself, we are agile, and are seeking to drive innovation, industry transparency, GRC and a more advanced & holistic view of identities in the cloud.
- In Europe, a new data privacy regulation is being proposed to replace the patchwork of laws created by the 1995 directive. This will drive greater uniformity. The EC ECP is planning to harmonize requirements from member governments as cloud consumersIn the US gov’t, NIST has taken the lead in developing federal cloud requirements, which are being implemented within FedRAMP, which allows agencies to share risk assessments rather than doing their own redundant assessmentsAPAC is taking the lead in the investment into data center and cloud infrastructureMany SDOs have a cloud security roadmap, we have a mentioned a few of the most relevant and impactfulISO SC 27 has 2 standardsITU-T has an ambitious roadmap to implement automated cloud securityDMTF – OVF Open Virtualization FormatPCI now has a cloud working group
- The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.