
Cloud Security Assessment

2 CoE IT Leadership.- Progress report
Introduction
Cloud computing is an approach in which infrastructure and software resources are provided over the Internet by an external vendor or by your internal IT department. These resources are highly scalable and competitively priced, which makes Cloud services highly attractive to organisations that are trying to reduce their IT capital expenditure and operating costs while improving the flexibility of their IT service delivery. The Cloud: a revolution on several levels…

3 Introduction – Reasons for using Cloud Computing
[Chart: reasons for using Cloud Computing. Source: Flying Blind in the Cloud, Ponemon Institute, April 2010]

4 Introduction – Benefits and risks
Adopting Cloud computing brings organisations significant benefits, but also challenges in building trust and confidence in Cloud Computing services.
Benefits
» significantly lower application service costs – currently as low as $20/month for entry-level web applications;
» dramatically reduced capital expenditure, with services charged for mainly by use;
» improved service agility, where requirements for IT services can be met much more quickly;
» improved productivity through cost-effective business-wide collaboration applications; and
» new opportunities for exploiting and sharing information, in support of business model innovation.
Risks
» concern over maintaining data privacy and security;
» unproven service level agreements;
» the difficulty of integrating existing applications and data.

5 Introduction – Atos Sphere™
Atos Sphere offerings:
» Atos Sphere Advisory Services
» SAP Regression Testing (SaaS)
» Product Lifecycle Mgmt. (PLM) on Demand
» Data Mgmt. on demand (PaaS)
» Atos in a box
» Workplace (DaaS)
» Infrastructure Services (IaaS)
» Atos Worldline (BPaaS)
Atos Sphere™ Security and Compliance engagement path: Opportunity Assessment, Awareness Workshop, Security and Compliance Business Case, Pilot Project, Governance, Business Innovation, Transition.

6 Introduction
Cloud Services, as a mix of consumer commodities and enterprise applications, have to meet customer needs for confidentiality and compliance with legal directives. This package provides:
» a set of core security principles to assure users and customers of a trustworthy cloud computing environment;
» an increased level of security to support sensitive enterprise applications and data in a cloud environment;
» customer-adopted best-practice rules for handling uncertainty about where data is stored and processed and where applications run.

7 Business issues – Legal Recommendations
» European Commission
» Data Protection Directive (Article 29)
» Customer notification of data security breaches
» eCommerce Directive (Articles 12-15)
» Minimum data protection standards and privacy certification schemes common across all states
» Country local directives
» Germany: TKG, Datenschutzgesetz
Areas of attention
1. Data Security, Protection and Transfer
2. Law Enforcement Access
3. Confidentiality and non-disclosure
4. Intellectual property
5. Risk allocation and limitation of liability
6. Change of control

8 Business issues – Security Benefits
Security and the benefits of scale
» All security measures are cheaper when implemented at large scale
» The same investment in security buys better protection for all kinds of defensive measures, e.g.
» Filtering
» Patch management
» Hardening of virtual machines and hypervisors
» Multiple locations
» Edge networks
» Timeliness of response to incidents, threat management
» Standardized interface for managed security services (an open and readily available market)
» Dynamic reallocation of filtering, traffic shaping, authentication, encryption, etc.
» Audit and evidence gathering (less downtime for forensic analysis, lower log storage cost)
» More timely, effective and efficient updates and defaults
» Benefits of resource concentration: despite the risk it carries, security is cheaper

9 Business issues – Protection of sensitive information in the Cloud
» Only a few organizations have taken proactive steps to protect sensitive information
[Chart. Source: Flying Blind in the Cloud, Ponemon Institute, April 2010]

10 Business issues – Security Risks
Top Risks
» Loss of Governance
» Lock-In
» Isolation Failure
» Compliance Risk
» Management interface compromise
» Data protection
» Insecure or incomplete data deletion
» Malicious insider

11 Business issues – Security Risks by category
Policy and Organizational
» Lock-in
» Loss of governance
» Compliance challenges: no evidence for provider compliance; provider does not permit audits
» Loss of business reputation due to co-tenant activities
» Cloud service termination or failure
» Cloud provider acquisition
» Supply chain failure
Legal
» Subpoena and e-discovery
» Changing jurisdiction
» Data protection
» Licensing
Technical
» Resource exhaustion (over/under provisioning)
» Isolation failure
» Provider malicious insider – abuse of high privileges
» Management interface compromise
» Intercepting data in transfer
» Data leakage on upload/download and intra-cloud
» Insecure and inefficient deletion of data
» Distributed denial of service attack (DDoS)
» Economic denial of service (EDoS)
» Loss of encryption keys
» Undertaking malicious probes and scans
» Compromise of service engine
» Conflicts between customers' hardening procedures
Not Cloud specific
» Network breaks
» Modifying network traffic
» Privilege escalation
» Social engineering attacks
» Loss or compromise of operation and security logs
» Backup lost
» Unauthorized access to premises
» Theft of computer equipment
» Natural disaster

12 Business issues – Areas of Vulnerabilities
Cloud relevant
» AAA
» User de/provisioning
» Remote access to management interface
» Hypervisor
» Resource & reputation isolation
» Communication encryption
» Weak encryption of archives and data in transit
» Impossibility to process encrypted data
» Poor key management
» Key generation: random number generation
» Lack of standard technology and solutions
» No source escrow agreement
» Inaccurate modeling of resource usage
» No control on vulnerability assessment process
» Co-residence checks might be performed
» Lack of forensic readiness
» Sensitive media sanitization
» Synchronizing responsibilities or contractual obligations external to the cloud
» Cross-cloud applications create hidden dependencies
» SLA clauses with conflicting promises to different stakeholders
» SLA clauses containing excessive business risk
» Audit or certification not available for the customer
» Certification schemes not adapted to cloud infrastructure
» Inadequate resource provisioning and investments in infrastructure
» No policies for resource capping (quotas)
» Storage of data in multiple jurisdictions and lack of transparency
» Lack of information on jurisdictions
» Lack of completeness and transparency in terms of use
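Two of the vulnerability areas in that list, key generation from a poor random number source and poor key management, can be shown concretely. The following Python example is added here and is not part of the original presentation or of any Atos tool; it contrasts a key drawn from a seeded, non-cryptographic PRNG (which anyone who knows or guesses the seed reproduces exactly) with a key drawn from the operating system's CSPRNG, and adds a minimal key-policy check. The function names, the 256-bit minimum and the sample seed are the example's own assumptions.

```python
import random
import secrets

MIN_KEY_BYTES = 32  # assumed policy: symmetric keys must be at least 256 bits


def weak_key(seed: int, length: int = MIN_KEY_BYTES) -> bytes:
    """The anti-pattern: a key derived from Python's Mersenne Twister PRNG
    seeded with a guessable value (a timestamp, a process id, a counter).
    The generator is deterministic, so the same seed yields the same key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def strong_key(length: int = MIN_KEY_BYTES) -> bytes:
    """A key drawn from the operating system's CSPRNG via the secrets module
    (os.urandom underneath); there is no seed for anyone to recover."""
    return secrets.token_bytes(length)


def is_reproducible(keygen, *args, trials: int = 3) -> bool:
    """Return True if repeated calls with identical inputs yield identical keys,
    i.e. the generator's output is fully determined by its inputs."""
    first = keygen(*args)
    return all(keygen(*args) == first for _ in range(trials))


def check_key_policy(key: bytes) -> list[str]:
    """Minimal key-management check: flag keys that are shorter than policy
    allows or that show no variation (e.g. an all-zero placeholder that was
    never replaced by a real key)."""
    findings = []
    if len(key) < MIN_KEY_BYTES:
        findings.append(
            f"key is {len(key) * 8} bits, policy requires {MIN_KEY_BYTES * 8}"
        )
    if len(set(key)) <= 1:
        findings.append("key bytes show no variation")
    return findings


if __name__ == "__main__":
    # Constructed seed standing in for a timestamp an operator might have used.
    print("seeded PRNG key reproducible:", is_reproducible(weak_key, 1_600_000_000))
    print("CSPRNG key reproducible:     ", is_reproducible(strong_key))
    print("findings for 16 zero bytes:  ", check_key_policy(bytes(16)))
    print("findings for CSPRNG key:     ", check_key_policy(strong_key()))
```

The reproducibility check is the assessment question to ask of any in-house key generator: if feeding it the same inputs twice gives the same key, its secrecy rests entirely on the secrecy of those inputs. The policy check is deliberately small; a real review also covers key storage, rotation and separation of duties, which no code check replaces.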

13 Business issues – 7. Research Recommendations
Categories
» Building trust in the cloud
» Effects of different forms of breach reporting on security
» End-to-end data confidentiality in the cloud and beyond
» Higher assurance clouds, virtual private clouds, etc.
» Data protection in large-scale cross-organizational systems
» Forensics and evidence gathering mechanisms
» Incident handling, monitoring and traceability
» International differences in relevant regulations, including data protection and privacy
» Large-scale computer engineering
» Resource isolation mechanisms – data, processing, logs, etc.
» Interoperability between cloud providers
» Resilience of cloud computing: how can cloud improve resilience?

14 Business issues – Compliance and Certifications
Standards
» ISO (IT service management)
» ISO (IT security)
» SOX (TBC)
Certification methods
» COBIT (Control Objectives for Information and related Technology)
» CMMI (Capability Maturity Model Integration)
» ITIL (IT Infrastructure Library)

15 Our Approach – Cloud Security services

16 Our Approach – Customer benefits and business outcomes
Customer benefits
» Knowledge of what your digital security weaknesses really are
» Knowledge of the legislative and regulatory requirements you really face
» Clarity on your cost v risk balance

17 Our Approach
[Figure 2]

18 Our Approach
» Interviews: interviews with CIO/CISO/sysadmins; document the findings using the Cloud Security Maturity Assessment Tool
» Vulnerability Assessment: assess the technical vulnerabilities using scanning tools
» Analysis: analysis of feedback; defining security controls that do not meet the required maturity level; risk modeling using the Cloud Security Assessment Tool
» Reporting: draft report and roadmap writing
» Workshop: Business Risks v Costs workshop
» Final Report: finalization of the report and delivery of the report and roadmap