Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services

Agenda Introduction to Cloud Computing Models Top Threats Categorical Approach to Cloud Security Technology Areas of Focus Encryption 2

Definitions – Cloud Computing Cloud Computing is: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of:  5 essential characteristics  3 service models  4 deployment models -National Institute of Standards and Technology 3

Cloud Definitions Cont’d Cloud Characteristics 1.On-demand Self-Service – User provisions their services 2.Ubiquitous Network Access – Standard network or mobile access 3.Resource Pooling – Shared resources and location independence 4.Elasticity – Capabilities scaled or released “rapidly” 5.Measured Service – Metered, monitored and billed as utility 4

Cloud Definitions Cont’d Cloud Service Models 1.Software as a Service (SaaS) – User access to the application layer 2. Platform as a Service – User deployment using providers’ tools 3. Infrastructure as a Service (IaaS)– User access to IT infrastructure 5

Cloud Definitions Cont’d Cloud Deployment Models 1.Private Cloud – Deployed for a single organization or company 2.Community Cloud – Shared by organizations with similar needs 3.Public Cloud – Cloud services available to all and shared 4.Hybrid Cloud – Two or more clouds with operational relationship 6

Business Services Customer Provided Cloud Provided Application Logic Middleware/DB Infrastructure Cloud Layers 7 SaaS PaaS IaaS

Top Cloud Security Threats 1.Data Breaches 2.Data Loss 3.Account or Service Traffic Hijacking 4.Insecure Interfaces and API 5.Denial of Service Attacks 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Vulnerabilities Source: Cloud Security Alliance cloudsecurityalliance.org

Approach to Security in the Cloud Governance Assessing the Risk Managing and Measuring Posture and Response Compliance Direct policy and technology requirements to meet regulations Architecture The technical components and their inherent strength and weaknesses Resiliency The ability to withstand and/or recover from an incident Process Established, regular, IT practices that ensure policy adherence Access Identity and authentication 9

Security in the Cloud CategoryFocus AreasTasksApplicability Governance Regulations Data Location eDiscovery Evaluation Risk Assessment / Analysis Audit Controls Audits PCI 5, 6, 11 HIPAA (C) , 312, 314 Compliance Data Location eDiscovery Device & Media Control Policy Development Policy Enforcement Archiving PCI DSS, PA-DSS HIPAA , , SEC Rule 17a-3,4 Architecture Attack Surface Isolation/Separation Network Security Systems and Application Configuration Policy PCI 1,2 PA-DSS HIPAA Resiliency Availability Data Protection Disaster Recovery Contingency Planning Encryption Media Management PCI 3,4 FISMA HIPAA , 310 Process Incident / Change Mgmt Security Mgmt / Monitoring Response Reporting Proactive Monitoring PCI 10,11 HIPAA Access Identity / Authentication Access Controls Unique User ID Access Policies Remote Access Policy PCI 7, 8, 9 HIPAA

Technical Focus Architecture Provisioning Process and Capability Software / Network Isolation Multi-tenancy vs Dedicated Hypervisor structure Network structure Security Infrastructure Resiliency/Availability Business Continuity and Disaster Recovery Data Integrity Identity and Access Management Authentication tie-ins to customer, stand alone Data Protection Backups and Recovery Data Location and Encryption Physical Security 11

A Few Words On Encryption Encryption Built into Cloud Service vs Encrypting at the Source SaaS and PaaS: SSL based transfer prior to encryption in the cloud Read and Understand the Privacy Policy Cloud Storage Encrypt locally, then store in the cloud (e.g. DropBox) o Viivo, Sookasa, BoxCryptor, CloudFogger Use an integrated hybrid cloud storage solution o Wualu, SpiderOak, Tresorit Use Appliance Based Backups & BC o Walker/Datto 12

Encryption (cont’d) Cloud Storage features to Look for: Granularity: File vs Container vs Volume Key Management Administrative Features to meet your needs (e.g. compliance) Does it work with the service(s) you use? Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3 13

Sources Cloud Security Alliance NIST Cloud Computing Definition CSA Top Nine Cloud Computing Threats White Paper _in_2013.pdf HIPAA Guidelines Simplified from HHS NIST Cloud Security for Federal Agencies White Paper 14

| TheWalkerGroup.com | Thank You.