Secure Cloud Hosting: Real Requirements to Protect your Data

Post on 30-Oct-2014


Great Wide Open - Day 2 Chris Hinkley - Firehost 2:45 PM - Operations 1 (Cloud)


Secure Cloud Hosting: Real Requirements to Protect your Data

Chris Hinkley, Senior Security Architect

Great Wide Open – Atlanta, GA

April 2 – 3, 2014

Locking Down the Cloud – A Holistic View

Agenda

•  The Specialization of IT

•  Challenges Facing Cloud Consumers and Providers

•  A To-Do List for Cloud Consumers and Providers

•  The Secure Cloud is Not a Myth

•  Physical Security

•  Perimeter Security

•  Virtual Server Security

•  Supporting Security Services

•  Secure Administrative Access

•  Business Continuity and DR

•  Compliance for Cloud

The Specialization of IT

•  The complexity of IT has meant more specialists than generalists, each responsible for a small piece of the puzzle

•  New tools and technologies have led to increased staffing levels, with each tool needing staff with specific experience in its implementation and management

•  Rapid change in technology means nearly continuous training for specialists

•  The high cost of implementing and maintaining IT infrastructure has many companies looking for ways to offload as much as possible


Challenges Facing Cloud Consumers and Providers

•  Consumers want to outsource both technology and compliance responsibilities

•  Consumers cannot abdicate their compliance responsibility 

•  Providers do not adequately define the division of responsibilities between themselves and customers

•  Providers often do not clearly articulate how they can help customers meet compliance requirements

•  All can lead to confusion in the purchasing decision and create conflicts during an audit


A To-Do List For Cloud Consumers and Providers

•  Consumers need to fully understand all of their security and compliance responsibilities

•  Consumers need to effectively evaluate and understand the various cloud provider models

•  Consumers need to ask for clear definition of all services, the division of their responsibilities and those of their providers

•  Consumers must put programs in place to ensure that their providers are meeting their responsibilities.

•  Providers must become transparent about their security programs and deliver adequate details about offered services

•  Providers must clearly articulate the delineation of responsibilities between themselves and customers

•  Providers must be clear about how their offered services can assist consumers in meeting compliance requirements


The Secure Cloud is Not a Myth

•  Build for security not compliance

•  Follow security best practices vs. chasing compliance guidelines

•  Use a common controls approach

•  Deploy multiple security countermeasures using a layered approach


Physical Security

•  Locate data center in area at low risk to natural disasters

•  No identifying signage

•  24X7 manned security, roving patrols

•  Multi-factor authentication for entry

•  Comprehensive CCTV coverage

•  Log all entries, monitor systems, securely store logs and video


Attackers need Targets

Verizon DBIR data

•  92% of breaches were perpetrated by outsiders

•  78% of initial intrusions rated as low difficulty

•  Attack Targeting

•  Opportunistic – 75%

•  Targeted – 25%

FireHost Superfecta

•  47,917,145 IP reputation (IPRM) blocks in 2013

•  14,057,093 attacks blocked via WAF


Broken down into the 4 categories (which sum to the 14,057,093 WAF total):

•  Cross-Site Request Forgery – 3,347,515

•  Cross-Site Scripting – 4,904,651

•  Directory Traversal – 3,269,680

•  SQL Injection – 2,535,247
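Added example (not from the talk and not FireHost's WAF): a small classifier that sorts request log lines into the four categories above. The tab-separated log format, the hostnames and every request line are constructed for illustration, and the signatures are deliberately simple. The point it makes is that path, query and body must be URL-decoded, more than once, before matching; otherwise encoded payloads such as `%252e%252e%252f` pass a naive string check, and CSRF is detected from the request context (method plus Origin/Referer) because it has no payload signature at all.

```python
"""Classify blocked requests into the four WAF categories listed above.

Added example, not FireHost code.  The log format and every request line are
constructed for illustration.  Matching is signature-based on purpose: the
point it makes is that path, query and body must be URL-decoded (more than
once) before matching, or encoded payloads such as %252e%252e%252f pass a
naive string check.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Payload signatures, matched against the decoded path + query + body.
SIGNATURES = {
    "Directory Traversal": re.compile(
        r"(^|[^\w.])\.\.([\\/]|$)|/etc/passwd|\\windows\\win\.ini", re.I),
    "SQL Injection": re.compile(
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(all\s+)?select|;\s*drop\s+table|sleep\(\d+\)", re.I),
    "Cross-Site Scripting": re.compile(
        r"<\s*script|javascript:|\bon(error|load|mouseover)\s*=", re.I),
}

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def decode(value, rounds=3):
    """Percent-decode repeatedly (double encoding is common), with a bound."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(method, url, headers, body=""):
    """Return the category one request falls into, or None if it looks benign."""
    parts = urlsplit(url)
    haystack = " ".join(decode(x) for x in (parts.path, parts.query, body))
    for category, signature in SIGNATURES.items():
        if signature.search(haystack):
            return category
    # CSRF carries no payload signature.  The tell is a state-changing request
    # whose Origin (or Referer) is missing or names a different site.
    if method.upper() in STATE_CHANGING:
        source = headers.get("Origin") or headers.get("Referer")
        if not source or urlsplit(source).netloc != headers.get("Host"):
            return "Cross-Site Request Forgery"
    return None


def parse_line(line):
    """Constructed tab-separated format: method, URL, Host, Referer or -, body or -."""
    method, url, host, referer, body = line.split("\t")
    headers = {"Host": host}
    if referer != "-":
        headers["Referer"] = referer
    return method, url, headers, "" if body == "-" else body


def summarize(lines):
    """Count requests per category; unmatched requests are counted as Allowed."""
    counts = Counter()
    for line in lines:
        counts[classify(*parse_line(line)) or "Allowed"] += 1
    return counts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "GET\t/files?name=..%2F..%2F..%2Fetc%2Fpasswd\tshop.example\t-\t-",
    "GET\t/download?file=%252e%252e%252fetc%252fpasswd\tshop.example\t-\t-",
    "GET\t/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E\tshop.example\t-\t-",
    "GET\t/login?user=admin'%20OR%20'1'%3D'1\tshop.example\t-\t-",
    "POST\t/account/email\tshop.example\thttps://evil.example/csrf\tnew=attacker%40evil.example",
    "POST\t/account/email\tshop.example\thttps://shop.example/settings\tnew=me%40example.net",
    "GET\t/products?id=42\tshop.example\t-\t-",
]

if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOG).most_common():
        print(f"{category:28s} {count}")
```

Run as a script it prints the per-category counts for the constructed log: two traversal attempts (one of them double-encoded), one XSS, one SQL injection, one cross-site POST, and two requests that pass. Signature order matters when a payload could match more than one class; a production WAF scores rules rather than stopping at the first hit.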

Vulnerability Trends

(Two chart slides; source: Secunia Vulnerability Review 2014.)

Perimeter Security

•  Redundant routers with IP reputation filtering

•  Redundant DoS/DDoS mitigation

•  Redundant web application firewalls

•  Intrusion detection

(Diagram: public traffic passes through these layers before reaching the customer environment.)

Virtual Server Security

•  Hardened VMware hypervisor

•  Blade/SAN architecture

•  High availability architecture

•  20 Gbps network (public & private)

•  Per-VM firewall policies

•  Unlimited security zones

•  Secure SAN storage: physically isolated storage area network, secure data deletion and destruction, complete data obfuscation

(Diagram: load balancers, web servers, application servers and database servers run as VMs in separate security zones, backed by the SAN.)
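Added example (not from the talk and not FireHost's tooling) of what "per-VM firewall policies" and "security zones" amount to in practice: a zone-to-zone allow matrix with default deny, checked against flow records. The VM inventory, zone names, ports and the flow records are all constructed to mirror the diagram; the admin zone is an assumption carried over from the jump-host slide that follows.

```python
"""Validate observed VM-to-VM flows against a security-zone policy.

Added example, not FireHost code.  The inventory, zone matrix and flow records
are constructed to mirror the diagram: public traffic reaches only the load
balancers, each tier talks only to the next one, the admin zone may SSH to any
VM, and everything else is denied by default.  Fed with real flow logs, the
same check shows where a flat network diverges from per-VM firewall policy.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Constructed inventory: VM name -> zone.  Anything unknown is treated as public.
ZONE_OF = {
    "lb-1": "lb", "lb-2": "lb",
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "jump-1": "admin",
}

# Explicit allow matrix: (source zone, destination zone) -> {(proto, port)}.
# "*" as destination means any zone.  Absence means deny.
ALLOWED = {
    ("public", "lb"): {("tcp", 443)},
    ("lb", "web"): {("tcp", 8080)},
    ("web", "app"): {("tcp", 8443)},
    ("app", "db"): {("tcp", 5432)},
    ("admin", "*"): {("tcp", 22)},
}


def zone(host):
    return ZONE_OF.get(host, "public")


def is_allowed(flow):
    """Default deny: a flow passes only if its zone pair and service are listed."""
    src, dst = zone(flow.src), zone(flow.dst)
    service = (flow.proto, flow.port)
    return any(service in ALLOWED.get(key, ()) for key in ((src, dst), (src, "*")))


def violations(flows):
    """Flows the per-VM zone firewalls should have dropped, with the reason."""
    out = []
    for f in flows:
        if not is_allowed(f):
            out.append((f, f"{zone(f.src)} -> {zone(f.dst)} {f.proto}/{f.port} not in policy"))
    return out


def inbound_rules(host):
    """Render the inbound allow-list a single VM carries (iptables-style text)."""
    z = zone(host)
    rules = [f"ALLOW in from zone:{src} {proto}/{port}"
             for (src, dst), services in ALLOWED.items() if dst in (z, "*")
             for proto, port in sorted(services)]
    rules.append("DROP in from any")
    return rules


# Constructed flow records (what a flow log or netflow export would yield).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "lb-1", "tcp", 443),    # client -> LB: allowed
    Flow("lb-1", "web-2", "tcp", 8080),         # LB -> web: allowed
    Flow("web-1", "app-1", "tcp", 8443),        # web -> app: allowed
    Flow("app-2", "db-1", "tcp", 5432),         # app -> db: allowed
    Flow("jump-1", "db-1", "tcp", 22),          # admin SSH: allowed
    Flow("web-1", "db-1", "tcp", 5432),         # web skipping the app tier
    Flow("203.0.113.7", "web-1", "tcp", 8080),  # Internet bypassing the LB
    Flow("app-1", "web-1", "tcp", 22),          # lateral SSH between tiers
    Flow("db-1", "203.0.113.9", "tcp", 443),    # DB reaching out to the Internet
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {reason}")
    print("\n".join(inbound_rules("db-1")))
```

Four of the nine constructed flows violate the policy. The last one, the database server connecting outbound to the Internet, is worth noting: because the matrix is evaluated on both source and destination zone, it catches egress as well as ingress, which an inbound-only ruleset on each VM would not.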

Supporting Security Services

•  Data leakage protection

•  Antimalware/antivirus

•  File integrity monitoring

•  Vulnerability management

•  Log management

•  Patch management

•  Configuration management


Protecting from the Outside In


Secure Administrative Access

Administrative access:

•  Physically isolated network

•  Secure jump hosts

•  Privileged access management

•  Full session recording

Secure customer access:

•  Multi-factor authentication

•  SSL VPN / L2L VPN secure access

•  MPLS termination


Putting It All Together

(Diagram: two isolated customer environments, each combining the perimeter controls, the security-zoned virtual servers and SAN storage, the supporting security services, and the secure administrative and customer access paths shown on the preceding slides.)

Business Continuity & DR

•  Lessons (supposedly) learned from Katrina and other recent disasters

•  Did we really learn? What about Sandy and Nemo?

•  Location of data centers, loss of transportation, large-scale power and other critical service outages, employees worrying more about personal and family safety

•  Didn’t fully learn from the past

•  BCDR Solutions

•  Focus on business continuity part of BCDR

•  Build for high availability

•  Implement redundant sites with geographic load balancing

•  At minimum replicate data to another location

(Diagram: full infrastructure at two geographic locations; the primary infrastructure takes regular file/database backups and replicates in real time to the second location.)

Managing Compliance for Cloud

•  Treat all data as sensitive (after all, it’s just 1’s and 0’s to the systems)

•  Develop a common controls framework (CCF) based on industry standard frameworks, enabling efficient compliance adoption and validation reporting

•  Use existing industry standards like ISO 27001 and NIST 800-53 as a baseline and add specific requirements based on your needs (PCI, HIPAA, GLBA, etc.)

•  Future-proof compliance iterations by keeping your CCF updated

•  Implement a continuous monitoring and audit program


Continuous Monitoring for Compliance

•  A confusing term whose meaning and application depend on who you talk to

•  What is the definition of “real-time?”

•  Define the appropriate monitoring interval for each control

•  Patching – 30 days upon release

•  Log reviews - daily

•  Malware scans – real-time alerting and reporting

•  Access reviews – privileged accounts monthly, others quarterly

•  Implement tools to monitor the controls at the defined interval

•  Centralize all monitoring results in a secure system

•  Build dashboard to track compliance based on results
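Added example (not from the talk and not FireHost's tooling) of the procedure above: each control gets a defined interval, evidence is checked against it, and the verdicts feed a dashboard. The controls, assets and evidence timestamps are constructed; the intervals follow the slide, and the 15-minute anti-malware heartbeat is an assumed definition of "real-time", which is exactly the kind of definition the slide says you have to pin down.

```python
"""Evaluate control evidence against a per-control monitoring interval.

Added example, not FireHost code.  Controls, intervals, assets and evidence
timestamps are constructed; the intervals follow the slide (patching within
30 days, log review daily, privileged access review monthly, other access
reviews quarterly).  "Real-time" for malware is pinned to an assumed 15-minute
agent heartbeat.  A central system would ingest real evidence records and
drive a dashboard from the verdicts below.
"""
from datetime import datetime, timedelta, timezone

# control id -> (description, maximum acceptable age of the latest evidence)
CONTROLS = {
    "patch": ("Released patches applied", timedelta(days=30)),
    "log-review": ("Log review completed", timedelta(days=1)),
    "malware-alert": ("Anti-malware agent heartbeat", timedelta(minutes=15)),
    "priv-access-review": ("Privileged account review", timedelta(days=30)),
    "user-access-review": ("Standard account review", timedelta(days=90)),
}

SEVERITY = {"MISSING": 0, "OVERDUE": 1, "COMPLIANT": 2}


def evaluate(evidence, now):
    """Return (summary, per_asset).

    per_asset[control][asset] is COMPLIANT or OVERDUE for the latest evidence
    on that asset; summary[control] is MISSING when no evidence exists at all,
    OVERDUE if any asset is overdue, else COMPLIANT.  One stale host is enough
    to fail the control, which is also what an auditor will conclude.
    """
    per_asset = {control: {} for control in CONTROLS}
    for (control, asset), seen in evidence.items():
        interval = CONTROLS[control][1]
        per_asset[control][asset] = "COMPLIANT" if now - seen <= interval else "OVERDUE"
    summary = {}
    for control, assets in per_asset.items():
        if not assets:
            summary[control] = "MISSING"
        elif "OVERDUE" in assets.values():
            summary[control] = "OVERDUE"
        else:
            summary[control] = "COMPLIANT"
    return summary, per_asset


def next_due(evidence, control, asset):
    """Deadline by which fresh evidence must exist for this control/asset."""
    return evidence[(control, asset)] + CONTROLS[control][1]


def dashboard(summary):
    """Rows for a compliance dashboard, worst status first."""
    return sorted(summary.items(), key=lambda kv: (SEVERITY[kv[1]], kv[0]))


# Constructed evidence: latest timestamp per (control, asset).
NOW = datetime(2014, 4, 2, 9, 0, tzinfo=timezone.utc)
EVIDENCE = {
    ("patch", "web-1"): datetime(2014, 3, 20, tzinfo=timezone.utc),
    ("patch", "web-2"): datetime(2014, 2, 10, tzinfo=timezone.utc),       # 51 days old
    ("log-review", "siem"): datetime(2014, 4, 1, 10, 0, tzinfo=timezone.utc),
    ("malware-alert", "web-1"): datetime(2014, 4, 2, 8, 55, tzinfo=timezone.utc),
    ("priv-access-review", "directory"): datetime(2014, 3, 5, tzinfo=timezone.utc),
    # no evidence at all for user-access-review
}

if __name__ == "__main__":
    summary, per_asset = evaluate(EVIDENCE, NOW)
    for control, status in dashboard(summary):
        print(f"{status:9s} {control:20s} {CONTROLS[control][0]}  {per_asset[control]}")
```

With the constructed evidence the patching control is OVERDUE because one of two web servers is 51 days behind, the user access review is MISSING because nothing was ever recorded for it, and the rest are COMPLIANT. Distinguishing MISSING from OVERDUE matters on a dashboard: the first means the monitoring tool is not wired up, the second means it is and the control is failing.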


What about data sovereignty and regional regulation?

•  Ensure you understand what regulations apply to your business

•  Engage with your customers to understand their requirements

•  Take these regulations and customer requirements into account within your CCF

•  Architect your cloud to enable data sovereignty and allow customers to select the location(s) for their servers and data

•  Provide monitoring/reporting that allows customers to validate where their data is at any time

•  Keep up with changes to the regulations


Thank You

Chris Hinkley, Senior Security Architect

Email: chris.hinkley@firehost.com

Phone: 1-877-262-3473 x8032

Questions?
