The last presentation of the day was by Rich Mogull on "Everything you need to know about cloud security in 30 minutes or less". It all started with all of the presentations and diagrams having pictures of clouds so some guy decides to sell that. Makes security practitioners sad.
Why the cloud is a problem for security
- Poor understanding of cloud taxonomies and definitions
- A generic term, frequently misused to refer to anything on the Internet
- Lack of visibility into cloud deployments
- Organic consumption
Couldn't have talked about this stuff 6 months ago because nobody knew about it and it wasn't discussed.
Security Implications
- Variable control
- Variable visibility
- Variable simplicity/complexity
- Variable resources
Control, visibility, and resources goes down as simplicity and management goes up
Is the cloud more or less secure than we are now? It depends. Something are more secure and some things are less secure because of all of the variability.
Saas
- Most constrained
- Most security managed by your provider
- Least flexible
PaaS
- Less constrained
- Security varies tremendously based on provider and application-shared responsibility
- Security responsibility
IaaS
- Most flexible
- Most security managed by your developers
Specific Issues
- Spillage and data security
- Reliability/availability
- Capability to apply traditional security controls in a dynamic environment
- Lack of visibility into cloud usage
- Changing development patterns/cycles
How do you use your static and dynamic analysis testing tools in the cloud?
Where do you roll your cloud when it fails?
Your Top 2 Cloud Security Defenses
- SLA
- Contracts
Understand Your SLAs
- Are there security-specific SLAs?
- Can you audit against those SLAs?
- Are there contractual penalties for non-compliance?
- Do your SLAs meet your risk tolerance requirements?
Suggested SLAs
- Availability
- Security audits - including third party
- Data security/encryption
- Personal security
- Security controls (depend based on service)
- User account management
- Infrastructure changes
Understand Your Cloud
- What security controls are in your cloud?
- How can you manage and integrate with the controls?
- What security documentation is available?
- What contingency plans are available?
Cloud Security Controls to Look For
- Data encryption/security (key management)
- Perimeter defenses
- Auditing/logging
- Authentication
- Segregation
- Compliance
Cloud Security Macro Layers
- Network
- Service
- User
- Transaction
- Data
Don't Trust
- SAS70 Audits
- Documentation without verification
- Non-contractual SLAs
What to Do
- Educate yourself
- Engage with developers
- Develop cloud security requirements
