Cloud Security Myths Legends and Reality Cloud Security

  • Slides: 22
Download presentation
Cloud Security Myths, Legends and Reality Cloud Security Paul Schopis CTO OARnet Joint Techs

Cloud Security Myths, Legends and Reality Cloud Security Paul Schopis CTO OARnet Joint Techs

What this presentation is and is not • It is an over view of

What this presentation is and is not • It is an over view of ideas and strategies regarding cloud based systems • The goal is to stimulate conversation and get us thinking about the emerging realities of the current environment • It is not particularly technical because the issues are social, behavioral and governance • I encourage audience participation 2

What is a cloud? • Cloud computing is Internet based computing, whereby shared resources,

What is a cloud? • Cloud computing is Internet based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. – Wikipedia • Cloud computing is a style of computing using scalability, elasticity and Internet technologies. – Gartner 3

Concerns depend on who you are • Consumers of a service – What is

Concerns depend on who you are • Consumers of a service – What is my provider doing to ensure my data is not compromise – For users of public cloud services what can/must I do to ensure security and data integrity? • Providers of a service – What assurances and services can I provide? – What assurances and services should I provide and what are the liabilities associated with both? – How do I know who you are? 4

Concerns depend on who you are • For both consumers and providers – What

Concerns depend on who you are • For both consumers and providers – What is it I’m trying to protect? – Does the level of data importance justify the expense? – In other words, does my institution/organizations have metrics, methods and policies to map data types on regular basis and assign risk and mitigation strategies etc? (more on this shortly) 5

Question • Based on the offered definitions what is the most popular cloud solution/device

Question • Based on the offered definitions what is the most popular cloud solution/device ? 6

7

7

What’s this mean? • Nothing new really • Historically technology has moved at a

What’s this mean? • Nothing new really • Historically technology has moved at a faster pace than security concerns • BTW the i. Phone/i. Pad i. OS does – Have key based encryption – Ties key generation to the hardware making it uniquely identifiable (banks like that idea) – However only Apple’s email takes advantage of it and since it decrypts on access anyone with a USB cable can defeat it 8

What’s this mean? • We now live in a world where consumer devices are

What’s this mean? • We now live in a world where consumer devices are used increasingly to access institutional data • Most institutions do not have policies surrounding use of privately owned smart phones having sensitive data on them • The old model of tight security around the perimeter is dying • The notion of only “certified and supported” devices is dead 9

What’s this mean? • We need to get smart about how to control data

What’s this mean? • We need to get smart about how to control data • We need to get smart about how to assign risk • We need to get smart about how to create decision rights and accountability • The good news is the “standard” IT governance models address most of these issues • The bad news is ~80% of organizations have no governance or immature governance 10

Oh No! He’s become one of the suits…… • First steps are – Make

Oh No! He’s become one of the suits…… • First steps are – Make a conscious decision to take a data inventory – Use that information to assign risk, the idea being match the effort to secure data against its value – Keep it simple there are only 3 kinds in most security models • Public – No restrictions • Limited – Not legally protected but may be proprietary and requires documented process to obtain • Restricted – Legally protected such as PII or critical operational information that could compromise security of made public • Make sure there is a data lifecycle plan 11

Oh No! He’s become one of the suits…… • Assign roles and responsibilities –

Oh No! He’s become one of the suits…… • Assign roles and responsibilities – Data Stewart – ultimately responsible for creating local policy or carrying out organizational policy. Final authority on access on data in their charge – Data Custodian – Systems or administrative personnel charged with enforcing standards on a daily basis – Data User – Users of data that are charged with applicable non-disclosure and adhering to acceptable use 12

Identity Management • Make ID management an integral l part of data governance •

Identity Management • Make ID management an integral l part of data governance • Become familiar with the standards such as NIST SP 800 -63 and OMB M-04 -04 • In that context rationalize Level of Assurance (LOA) with access privilege and credentials 13

OMB M-04 -04 • Defines 4 levels of LOA – – little or no

OMB M-04 -04 • Defines 4 levels of LOA – – little or no assurance Some confidence High confidence Very high confidence 14

NIST SP 800 -63 • Maps 4 levels of LOA to required proof 1.

NIST SP 800 -63 • Maps 4 levels of LOA to required proof 1. 2. 3. 4. little or no assurance – None i. e. Facebook Some confidence – Document Presentation High confidence – Document verification Very high confidence – Appear in person, two govt’ IDs, verified and capture biometric reference 15

Putting it together Risk Reputation Low Mod Hi Financial Low Mod Hi Mission Info

Putting it together Risk Reputation Low Mod Hi Financial Low Mod Hi Mission Info Disclosure Safety Low Mod/Hi Legal Low Mod Hi 2 3 4 Required LOA 1 16

Certifying Body for IDP • ICAN – Identity Credential and Access Management Subcommittee •

Certifying Body for IDP • ICAN – Identity Credential and Access Management Subcommittee • Three entities – Kantara – Open ID Exchange – In. Common 17

If you are a consumer • What assurances does your provider accept? • What

If you are a consumer • What assurances does your provider accept? • What certifications does he process? • What contractual obligations for management and security does vendor offer? • What are disentanglement provisions for nonperformance? • Will they allow you test? • Who owns the data? 18

If you are a consumer - OARnet example • What certs does your provider

If you are a consumer - OARnet example • What certs does your provider accept? – OARnet must provide LDAP • What certifications does he process? – HIPPA compliant • What contractual obligations for management and security does vendor offer? – Full • What are disentanglement provisions for non-performance? – Termination without penalty • Will they allow you test? – yes • Who owns the data? – OARnet 19

If you are provider • What level of services do you offer? • Client

If you are provider • What level of services do you offer? • Client manage which services? • What liabilities are you willing to accept? • Do you have well documented procedures and processes appropriate for the service level? 20

If you are provider OARnet example • What level of services do you offer?

If you are provider OARnet example • What level of services do you offer? – Gold (fully managed), Silver (Amazon like) and Bronze (Resource pools) • Client manage which services? – Depends on which service • What liabilities are you willing to accept? – Insist that client follow all state & university policies • Do you have well documented procedures and processes appropriate for the service level? – Gold (yes), Silver (working on it), Bronze (NA) 21

Questions? Paul Schopis pschopis@oar. net 22

Questions? Paul Schopis pschopis@oar. net 22

OFFICIATING MYTHS URBAN LEGENDS MYTHS LEGENDS MYTHS LEGENDSOFFICIATING MYTHS URBAN LEGENDS MYTHS LEGENDS MYTHS LEGENDS
OFFICIATING MYTHS URBAN LEGENDS MYTHS LEGENDS MYTHS LEGENDSOFFICIATING MYTHS URBAN LEGENDS MYTHS LEGENDS MYTHS LEGENDS
Folklore Narratives Myths and Legends Myths and LegendsFolklore Narratives Myths and Legends Myths and Legends
Myths Legends and Folktales What are myths legendsMyths Legends and Folktales What are myths legends
Myths and Legends Be an Expert Legends AlwaysMyths and Legends Be an Expert Legends Always
AUGMENTED REALITY AUGMENTED REALITY AUGMENTED REALITY AUGMENTED REALITYAUGMENTED REALITY AUGMENTED REALITY AUGMENTED REALITY AUGMENTED REALITY
MYTHS AND LEGENDS ORIGIN STORIES CREATION MYTHS CreationMYTHS AND LEGENDS ORIGIN STORIES CREATION MYTHS Creation
Myths Legends Fables and Fairy Tales Myths madeMyths Legends Fables and Fairy Tales Myths made
MYTHS AND LEGENDS FICTIONAL GENRES MYTHS Characters FantasticMYTHS AND LEGENDS FICTIONAL GENRES MYTHS Characters Fantastic
Monday 22 nd February 2021 Myths Legends MythsMonday 22 nd February 2021 Myths Legends Myths
mythology Creation Myths Hero Myths Identifying Myths traditionalmythology Creation Myths Hero Myths Identifying Myths traditional
TALES AND LEGENDS Tales and legends are oldTALES AND LEGENDS Tales and legends are old
The Arthurian Legends A look at legends andThe Arthurian Legends A look at legends and
The Arthurian Legends A look at legends andThe Arthurian Legends A look at legends and
Legends Customs and Writers LEGENDS Legend related toLegends Customs and Writers LEGENDS Legend related to
Arthurian Legends by Juliette Evans Arthurian Legends TakeArthurian Legends by Juliette Evans Arthurian Legends Take
Legends of knights By me What are legendsLegends of knights By me What are legends
WHY DO URBAN LEGENDS Urban Legends are veryWHY DO URBAN LEGENDS Urban Legends are very
Slovenian legends of water Lets see some legendsSlovenian legends of water Lets see some legends
Chapter TwentyTwo Lecture One Legends of Aeneas LegendsChapter TwentyTwo Lecture One Legends of Aeneas Legends
Arthurian Legends by Juliette Evans Arthurian Legends TakeArthurian Legends by Juliette Evans Arthurian Legends Take