Keynote day 2 – panel discussion around ‘Critical Infrastructure, National Security and the Cloud.
Discussions around the role of ISPs in protecting the US from attacks, e.g. by dropping / blocking IP addresses / blocks of IP addresses from which attacks such as DDoS are originating from.
Should they be looking more deeply into packets in order to prevent attacks? What does this mean for net neutrality and freedom?
How does this apply to Cloud service providers (CSPs)? What happens when the CSP is subpoenaed by the courts / government to hand over data? This is another reason why you should encrypt your data in the cloud and ensure you manage the keys. This means the court / government has to directly subpoena you as the data owner and give you the opportunity to argue your case if they want access to your data.
Should the cloud be defined as critical infrastructure, if so which parts, which providers etc. Will need to clearly define what means critical infrastructure when discussing the cloud.
Next discussion point was China; Continuous economic growth means we are more and more involved in trade with China, however they are also stealing huge amounts of proprietary data across multiple industries and literally stealing all of their manufacturing data to copy what is made and how. According to some vendor reports 95% of all internet based theft of intellectual property comes from China. This is both from Chinese governmental bodies, and Chinese corporations.
Look up Internet Security Alliance documentation around securing, monitoring and understanding your global manufacturing supply chain. This document has been strongly resisted by both Chinese Government and companies. There is a clear need to protect sensitive information and work to reduce global supply chain risk. Us Government working on constant monitoring capabilities to help corporations monitor their global supply chains.
Proposed that IP theft should be on the agenda for the G20 next year. Also proposed the US and other countries should have an industrial policy, if they don’t already, that allows the military and intelligence communities to defend corporations and systems that are deemed part of the critical infrastructures.
Counterfeiting is also moving into cyberspace, what do we do with counterfeit infrastructure or counterfeit clouds?
A practical, step by step approach to implementing a private cloud
Preliminary points – have you ever decommissioned a security product? How many components / agents does the “AV” software on your laptop now have?
Why is security not the default?
Why would you not just put everything in the public cloud? – Risk, Compliance – you cannot outsource responsibility!
This is where ‘private cloud’ options come into play. Could also consider ‘Virtual private cloud’ – this is where VPN technology is used to create what is effectively a private cloud on public cloud infrastructure..
Many organisations have huge spare server capacity – typical results find 80% of servers only used at 20% capacity. You can create internal elasticity by making this spare capacity part of an internal, private cloud.
5 steps to a private cloud;
- Identify a business need– what is your cloud driver? What will benefit from;
- Greater agility
- Increased speed to develop and release,
- Elastic processes that vary greatly over time such as peak shopping days, or month end processing etc.
- Rapid prototyping
2. Assess your current infrastructure – is there excess capacity? Is the hardware virtualisation ready? Can your existing infrastructure scale? (Note that a cloud can be physical, not virtual if this is required). Is new cloud infrastructure needed? What are your storage requirements? What are your data recovery and portability requirements? How will you support a private cloud with your existing security tools and processes (e.g. where do you plug in your IPS?) – are your processes robust and scalable? – can you monitor at scale? Can you manage change at scale?
3. Define your delivery strategy – who are your consumers? Developers. Administrators. General employees. Other? Competency level of consumers defines the delivery means. (e.g. developers and admins may get CLI, General employees may get the ‘one click’ web portal). Delivery mechanism matters! Create a service catalogue. Ensure ‘Back end services’ are in place
4. Transformation – You cannot forklift into the cloud – legacy applications that do not scale horizontally will not work. More resources != greater performance. Need to design in scale and security. Modernise code and frameworks. Re-test – simulate cloud scale and failures. Re-think automation, scale.
5. Operationalize – Think about complete service life-cycle – deployment to destruction. Resilience. Where does security fit into this? – Everywhere! – whether applications or services. Secure design from the ground up – embed into architecture and design – then security no longer on the critical path to deployment!
Overall this was an entertainingly presented talk that was a little light on detail / content, but I thing the 5 points are worth bearing in mind if you are thinking or implementing a private cloud in your organisation.
Cloud security standards;
Talk over-viewing some of the current standards relating to cloud security. Below is a list of some of the cloud security standards / controls / architectures / guidance that you should aware of if you are working with or planning to work with any sort of public cloud solution.
- Cloud Security Reference Architecture
- Cloud security framework
- Guidelines for operational security
- Identity management of Cloud computing
- 27017 – guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 2
- 27036-4 – Supply chain security: Cloud
- 27040 – Storage security
- 27018 – Code of practice for data protection controls for public cloud computing services
- SC7 – Cloud governance
- Controls for cloud computing security
- Additional controls for 27001 compliance in the cloud
- Implementation guidance for controls
- Data protection implementation guidance
- Supply chain guidance
- 800-125 – Guide to security for full virtualisation technologies
- 800-144 – Guidelines on security and privacy in public cloud computing
- NIST cloud reference architecture
- Identity in the Cloud
ODCA (Open Data Center Alliance) -
- Provider assurance usage model
- Security monitoring usage model
- RFP requirements
- Cloud Controls matrix
- Trusted cloud infrastructure
- Security as a Service
- Cloud trust protocol
- Guidance document
The CSA Cloud Controls Matrix maps many of these standards to cloud control areas with details of the specification and the standard components each specification meets / relates to.
While a pretty dry topic, this is a useful reference list if you are looking for more information on cloud / cloud security related standards and guidance.