Post on 13-Dec-2014
description
SIKKERHET I SKYEN
Ole Tom SeierstadChief Security AdvisorMicrosoft Norge ASoles@microsoft.com
Trender
Hva er “The Cloud”?
Muligheter og utfordringer
5 betraktninger
Anbefallinger
HVA ER CLOUD?
Komplette IT løsninger kan kjøres på én sentral tjener og at de tilgjengeliggjøres via internett på
en rekke ulike enheter. Dette er hva vi kaller “Cloud Computing”.
CLOUD COMPUTING ER EN DEL AV LØSNIGENSkybaserte løsninger gir IT-ressurser, som en tjeneste, på en dynamisk og skalerbar måte over et nettverk.
Fem viktige egenskaperTjenester tilgjenglig for selvbetjeningGod tilgang til nettetDeling av ressurser (Resource pool)Raske muligheter for endringerMåling av resultater
4
Web Apps
TILBAKEMELDINGER FRA BRUKERE
6
Redusere kostnader
Økt effektivitet og Grønn IT
Økt kunde og partner kontakt samt bedre
kundeopplevelse
TRENDER - FLEKSIBILITET
TRENDER - FLEKSIBILITET
TRENDER – NYE MÅTER Å ARBEIDE PÅ – REGELVERK
KRIMINELLE FRA “COOL...”
TIL “CASH”
TILPASSNING AV NETTVERKET
TILPASSNING AV NETTVERKET
TILPASSNING AV NETTVERKET
SIKKERHET ER EN NØDVENDIGHET
SIKKERHET ER EN NØDVENDIGHET
Lagring av data i skyen
Kjør deler av programmvaren i skyen
Flytt hele løsningen til skyen
Utvikle helt nye skybaserte løsninger
Lag nye løsninger ved å kombinere ulke Cloud Services
ULIKE IMPLEMENTERINGER FOR CLOUD COMPUTING
ULIKE MODELLER – FRA OFFENTLIG TIL PRIVATE SKYLØSNINGER
Tilgjenglighet på ulike enheter
På lokale servere Privat sky Offentlig sky
Informasjon er under leverandørens kontrollIkke begrenset av geografi og plassering
Endringer i IT prosesserLeverandøren kan ha bedre sikkerhets prosesser og rutinerFysisk sikkerhet vil bli administrert av sky-leverandørenUtfordringer med juridisk suverenitet
Sentralisert lagring av dataØkonomisk skalerbarhetAttraktiv for kriminelle
Personvern utfordringerForensics/etterforskning
MULIGHETER OG UTFORDRINGER
VURDERINGER AV SIKKERHET I SKYEN
Compliance and Risk Management
Identity and Access Management
Service Integrity
Endpoint Integrity
Information Protection
Compliance is still the duty of the CustomerSound Risk Management encompassing the Cloud is neededCollaboration between Customer and Provider is essential
Need of a certain level of Process Transparency
Strong Internal Team neededContract NegotiationDefinition of Controls and MetricsIntegration of Controls into own processes
COMPLIANCE AND RISK MANAGEMENT
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency by the cloud provider(s).
Cross-Domain Collaboration requires secure identitiesPeople and Devices
Based on In-Person Proofing or similarClaims-BasedBased on interoperable standardsPrivacy vs. Authentication has to be balancedProcesses have to be able to include several providers
IDENTITY AND ACCESS MANAGEMENT
Any digital identity system for the cloud has to be interoperable across different organisations and cloud providers and based on strong processes.
Service Engineering and DevelopmentStrong and Transparent Engineering Processes Needed
RequirementsDesignImplementationVerificationReleaseResponse
ProofedBased on Threat Models or similar
SERVICE INTEGRITY
The provider should follow a clear, defined, and provable process to integrate security and privacy in the service from the beginning and for the whole lifecycle.
Service DeliveryInternal processes have to be able to cover multiple provider
Security MonitoringAuditingForensicsIncident responseBusiness ContinuityEtc.
Requirements depend on application and information needs
SERVICE INTEGRITY
The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned.
Is part of the delivery chainOften subject to social engineering attacks (and similar)Review today’s processes and policies
ENDPOINT INTEGRITY
It is very important to include the end point in any security consideration for cloud-based services.
Data Classification is the foundationRequirementsLegal Needs
Persistent Data Protection neededEncryption/Rights Management
Has to cover the whole transactionData in transit
«New» ChallengesData SovereigntyAccess to InformationData Partitioning and Processing
INFORMATION PROTECTION
Implemented Data Classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.
Well-Functioning Risk and Compliance Programs are a mustData classification is the baseChoose the right Deployment Model (Private, Community, or Public)Strong, cloud trained, Internal Team still neededProcess Transparency, Compliance Controls, and Auditability by the ProviderImplement a Secure Development Lifecycle and evaluate the Provider and their vendors as wellStronger federated identity and access controls Information Lifecycle ControlsAccess controls to operate across organisational boundaries without surrendering identity ownership
RECOMMENDATIONS
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.