
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.


1 Security, Privacy and the Cloud
Connecticut Community Providers’ Association
June 20, 2014
Steven R Bulmer, VP of Professional Services

2 Agenda
- Introduction to Cloud Computing Models
- Top Threats
- Categorical Approach to Cloud Security
- Technology Areas of Focus
- Encryption

3 Definitions – Cloud Computing
Cloud Computing is: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of:
- 5 essential characteristics
- 3 service models
- 4 deployment models
– National Institute of Standards and Technology, http://csrc.nist.gov/groups/SNS/cloud-computing

4 Cloud Definitions Cont’d – Cloud Characteristics
1. On-demand Self-Service – User provisions their services
2. Ubiquitous Network Access – Standard network or mobile access
3. Resource Pooling – Shared resources and location independence
4. Elasticity – Capabilities scaled or released “rapidly”
5. Measured Service – Metered, monitored and billed as a utility

5 Cloud Definitions Cont’d – Cloud Service Models
1. Software as a Service (SaaS) – User access to the application layer
2. Platform as a Service (PaaS) – User deployment using the provider’s tools
3. Infrastructure as a Service (IaaS) – User access to IT infrastructure

6 Cloud Definitions Cont’d – Cloud Deployment Models
1. Private Cloud – Deployed for a single organization or company
2. Community Cloud – Shared by organizations with similar needs
3. Public Cloud – Cloud services available to all and shared
4. Hybrid Cloud – Two or more clouds with an operational relationship

7 Cloud Layers (diagram): the layers Business Services, Application Logic, Middleware/DB and Infrastructure, each marked as Customer Provided or Cloud Provided under the SaaS, PaaS and IaaS models.

8 Top Cloud Security Threats
1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service Attacks
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities
Source: Cloud Security Alliance, cloudsecurityalliance.org

9 Approach to Security in the Cloud
- Governance – Assessing the risk; managing and measuring posture and response
- Compliance – Direct policy and technology requirements to meet regulations
- Architecture – The technical components and their inherent strengths and weaknesses
- Resiliency – The ability to withstand and/or recover from an incident
- Process – Established, regular IT practices that ensure policy adherence
- Access – Identity and authentication

10 Security in the Cloud
Category | Focus Areas / Tasks | Applicability
Governance | Regulations; Data Location; eDiscovery; Evaluation; Risk Assessment / Analysis; Audit Controls; Audits | PCI 5, 6, 11; HIPAA (C) 164.308, 312, 314
Compliance | Data Location; eDiscovery; Device & Media Control; Policy Development; Policy Enforcement; eMail Archiving | PCI DSS, PA-DSS; HIPAA 160.203, 164.308; SEC Rule 17a-3, 4
Architecture | Attack Surface; Isolation/Separation; Network Security; Systems and Application Configuration Policy | PCI 1, 2; PA-DSS; HIPAA 164.312
Resiliency | Availability; Data Protection; Disaster Recovery; Contingency Planning; Encryption; Media Management | PCI 3, 4; FISMA; HIPAA 164.308, 310
Process | Incident / Change Mgmt; Security Mgmt / Monitoring; Response Reporting; Proactive Monitoring | PCI 10, 11; HIPAA 164.316
Access | Identity / Authentication; Access Controls; Unique User ID; Access Policies; Remote Access Policy | PCI 7, 8, 9; HIPAA 164.308

11 Technical Focus
- Architecture: Provisioning Process and Capability; Software / Network Isolation; Multi-tenancy vs Dedicated; Hypervisor structure; Network structure; Security Infrastructure
- Resiliency/Availability: Business Continuity and Disaster Recovery; Data Integrity
- Identity and Access Management: Authentication tie-ins to customer, stand-alone
- Data Protection: Backups and Recovery; Data Location and Encryption; Physical Security

12 A Few Words On Encryption
- Encryption Built into Cloud Service vs Encrypting at the Source
  - SaaS and PaaS: SSL-based transfer prior to encryption in the cloud
  - Read and Understand the Privacy Policy
- Cloud Storage
  - Encrypt locally, then store in the cloud (e.g. DropBox): Viivo, Sookasa, BoxCryptor, CloudFogger
  - Use an integrated hybrid cloud storage solution: Wuala, SpiderOak, Tresorit
  - Use Appliance Based Backups & BC: Walker/Datto

13 Encryption (cont’d)
Cloud Storage features to look for:
- Granularity: File vs Container vs Volume
- Key Management
- Administrative Features to meet your needs (e.g. compliance)
- Does it work with the service(s) you use? Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3

14 Sources
- Cloud Security Alliance: http://cloudsecurityalliance.org
- NIST Cloud Computing Definition: http://csrc.nist.gov/groups/SNS/cloud-computing
- CSA Top Nine Cloud Computing Threats White Paper: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
- HIPAA Guidelines Simplified from HHS: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
- NIST Cloud Security for Federal Agencies White Paper: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

15 Thank You.
860.678.3530 | TheWalkerGroup.com | info@thewalkergroup.com

