Monday, February 18, 2013

CISSP CPE Cloud Security


length: 01:00:00

Presenter: Dave Shackleford

1. It is outsourcing, really
- someone else has your stuff
- someone else can cause harm

2. Virtualization security is critical
2008-2010: vulnerabilities doubled
2011-2013: nasty vulnerabilities

Amazon: Xen
VM lost some code last year (3 days ago)

Virtual machine escape – guess
VMtool binary planting


3. Pay attention to the human side
OS/Virt/Net/system admin
No control
Privileged user monitoring (CPU monitoring)
CSP process
Termination procedure
Security clearance

4. Not all clouds are created equal

Amazon AWS: pen-test, IAM, FW (stateless), multi-factor authentication
MS Azure: little to no network security, detailed SDLC program

Hosted cloud security
Rackspace vs Terremark


5. Standard?

Zero standards - no format standard
CSA: Cloud Security Alliance
ODCA Open Data Center Alliance
Fed RAMP
ENISA
No “time” compliance standard

6. Interoperability = Nightmare
A standard does not always mean interoperability
Identity and Access Management
SAML or Not
VM format?
FW rule
Most CSP application
SDLS – SaaS / PaaS
API – notoriously insecure

7. Do not fear the unknown

Scary cloud
What is in there
Questionnaire: CSA Consensus Assessments Initiative
CSA Cloud Controls Matrix

SSAE 16: SOC, SOC2, SOC3
How to audit? Most don't allow it
CTP Cloud Trust Protocol

8. Liability & Risk Transfer

This is impossible
Contracts are more important than ever
SLAs do not begin to cover the holes for:
- Location of data representation
- Verification & cross provision
- Choice of law & venue
- Ability to change terms
- Dispute resolution procedure

9. Data understanding is the key

How long is data retained?
Data import/export
Data format
Data location
Data persistence
Case for law enforcement
Encrypted?

10. You can't have it your way

Most large cloud providers will not make exceptions: security

Need to examine the company/service


Security does not control your operations
Business does not control your operations


--
Last note: if you think you don’t do cloud – you do cloud!!!

Google standard contract: if there is a data breach, max reimbursement is $10,000

TO DO: read the contract c a r e f u l l y



Conclusion:

Good news: new options
- CloudPassage
- Akamai
- Zscaler
- Okta


Questions:
1. Can I trust the provider?
2. How can I use the cloud?
3. What are its unique capabilities?

Step 1:
Determine the needs: why?
Determine the type of provider

Step 2:
Determine the security needs
No DLP?

Step 3:
Investigate the provider(s)



Don’t fear the cloud
There are very good clouds out there
Live vite
Legal
Data interception.
