Privacy, security and ethical reflection
ITC568 Cloud Privacy and Security
The Multi-Tiered Cloud Security Model
Week 8
Dr Peter White
Examine the legal, business and privacy requirements for a cloud deployment model
Evaluate the risk management requirements for a cloud deployment model
Critically analyse the legal, ethical and privacy concerns for the privacy and security of data deployed to the cloud
Develop a series of security controls to manage the security and privacy of data deployed to the cloud
Agenda
© Peter White, 2017
2
Lee & Tao propose a holistic approach to cloud security with Trust as the outcome of good security in the cloud
Trust is built from:
Awareness
Classification
Technology
Policy & Regulation
Certification
Standards
Multi-Tiered Security
Lee & Tao propose a three-tier approach to security
Industry specific standards, regulations, controls, etc.;
Multi-tier cloud security standards – ISO 27017;
Base standards – ISO 27001
Multi-Tiered Security
| Level | Overview | Control focus | Typical users | Typical usage |
|---|---|---|---|---|
| 1 | Designed to be low cost with a minimum of controls | Baseline security focus – “security 101” | SME | Web site hosting; test & development; simulation; non-critical business apps |
| 2 | Designed to address most security needs | More stringent controls to address security threats & risks | Enterprises | Cloud usage; LoB applications |
| 3 | Designed for regulated organisations with specific security requirements | Additional set of security controls to supplement & address security risks & threats to sensitive data | Enterprises & regulated organisations | Hosting applications with sensitive data & regulated systems |
Multi-Tiered Security
Design principles:
Defence in depth
Use firewalls & other security controls on all resources (servers, load balancers, subnets, storage, etc.)
Enable traceability
Log & audit all actions & changes to the environment
Implement least privilege rules
Ensure that authorisation is appropriate for each interaction with your resources
Implement strong logical access controls directly on resources
Secure the system with the Shared Responsibility model
Focus on securing your applications, data & operating systems
Always run them on CSP’s secure infrastructure & services
Automate security
Create patched & hardened server images for subsequent use
Create trust zone architecture that is defined & managed by a template
Automate response to routine & anomalous security events
Multi-Tiered Security approaches
Cloud security is composed of:
Identity and Access management
Detective controls
Infrastructure protection
Data protection
Incident response
Multi-Tiered Security approaches
Identity and Access management
Protecting credentials:
Create users, groups & roles that are monitored & constrained in operations
Use password & MFA policies
Use temporary credentials for CLI, API, SDK and service to service access
Consider federation with existing identity providers
Fine grained authorisation
Use principle of least privilege – minimal permissions granted to fulfil role
Detective controls
Capture & analyse logs
Configuration management & inspection
Build security events into a workflow for reporting
Rollback unauthorised configuration changes
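The least-privilege and MFA points above can be checked mechanically before a policy is attached. The following linter is an added example, not code from the lecture or from any CSP; it reads the AWS IAM policy JSON shape and flags wildcard actions, unscoped resources, Allow-with-NotAction, and Allow statements that lack an MFA condition. The bucket name is a placeholder.

```python
import json
from typing import Any, Dict, List

# Constructed sample policies (not from the lecture); the structure follows
# AWS IAM policy JSON. "example-bucket" is a placeholder name.
OVERLY_BROAD = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

LEAST_PRIVILEGE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket",
                             "arn:aws:s3:::example-bucket/*"],
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
""")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc: Dict[str, Any], require_mfa: bool = False) -> List[str]:
    """Return least-privilege findings for every Allow statement in a policy."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        if "NotAction" in st:
            findings.append(f"statement {i}: Allow with NotAction grants everything not listed")
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if any(r == "*" for r in _as_list(st.get("Resource"))):
            findings.append(f"statement {i}: resource '*' is not scoped to specific resources")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if require_mfa and str(mfa).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings
```

Running the linter as a detective control over every policy in an account, and feeding its findings into the reporting workflow, turns the principle into something auditable.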
Multi-Tiered Security approaches
Infrastructure protection
Protect network & host level boundaries
Use appropriate network topologies: VPCs, subnets, load balancers, gateways, routing tables, security groups, IP ranges, etc.
System security configuration and maintenance
CSP security tools: WAF, edge-based tools (AWS Shield, CloudFront, Route 53), auto-scaling, etc.
Enterprise controls: OS-based firewalls, CVE scanners, anti-malware, configuration management tools, etc.
Service level protection
Service endpoints – access control, access policies, service policies, IAM policies, etc.
Multi-Tiered Security approaches
Data protection
Data classification
What data types are available
Where is the data located
What access levels and protection is required
Encryption & Tokenisation
Encryption renders the data unreadable without the key to decrypt it
It protects data against unauthorised access & unnecessary exposure to authorised users
Consider the use of a Key Management Service
Tokenisation allows you to define a token to represent an otherwise sensitive piece of information, such as a credit card number
Tokens must be meaningless on their own & require a key to decrypt them
Consider enterprise goals & requirements as well as any regulatory & compliance requirements
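A token vault is the simplest way to see why a token is meaningless on its own while the original value still needs a key. The vault below is an added example, not code from the lecture or from any product: tokens are random and unrelated to the value, the stored record is encrypted and authenticated, and detokenisation fails closed with the wrong key. For a stdlib-only example, HMAC-SHA256 in counter mode stands in for a real cipher (an assumption, commented in the code); a production vault would use AES-GCM with keys held in the CSP's Key Management Service.

```python
import hashlib
import hmac
import secrets
from typing import Dict

def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption for this example: HMAC-SHA256 used as a PRF in counter mode as a
    # stdlib-only stand-in for a real cipher. Use AES-GCM via a KMS in production.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _seal(master: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed authentication: wrong key or tampered data")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class TokenVault:
    """Maps random, meaningless tokens to encrypted sensitive values (e.g. card numbers)."""

    def __init__(self) -> None:
        self._records: Dict[str, bytes] = {}

    def tokenize(self, sensitive: str, master_key: bytes) -> str:
        token = "tok_" + secrets.token_hex(12)  # random: carries no information about the value
        self._records[token] = _seal(master_key, sensitive.encode())
        return token

    def detokenize(self, token: str, master_key: bytes) -> str:
        # Only a holder of the master key can turn a token back into the original value
        return _open(master_key, self._records[token]).decode()
```

Systems that only ever need the token (order records, analytics) never touch the key, which shrinks the set of components that fall into scope for the regulatory requirements mentioned above.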
Multi-Tiered Security approaches
Data protection
Data protection at rest
Data at rest is any data that persists for any duration, including block storage, object storage, databases, backups, archives, or any other storage medium
Encryption prevents unauthorised access or disclosure
Two encryption choices:
Encrypt locally & upload already encrypted content
Upload & then encrypt
Data protection in transit
Data in transit is any content that is transmitted from one system to another, including between servers, other services and users
Use protocols that implement Transport Layer Security (TLS), such as HTTPS.
Consider VPN connectivity into, or across VPCs
Multi-Tiered Security approaches
Data protection
Data backup/replication/recovery
Data backup is a key protection against data loss or destruction and is critical to business continuity
Do you know the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for your enterprise?
Can you automate the backup & archive operations?
Most CSPs provide cross-regional backup of object storage & databases – consider how this fits with your regulatory environment
Consider using a separate account to store archives and logs in case of account compromise
Multi-Tiered Security approaches
Incident response
Determine:
Who forms the incident response team?
What tools do they need?
When are they activated?
What is your recovery plan?
Plan:
Tag resources with system, data classification, and criticality tags
Incident plan:
Do you isolate an instance or resource by:
Removing it from an ELB group?
Changing the security groups that can access it?
Capture the “as-is” configuration using snapshots and save to an S3 bucket for investigation
Create a new, trusted environment to conduct deeper investigation – Clean room approach
Do you create a new production environment from a CloudFormation template?
Defence in Depth
Start at the perimeter
Use services such as CloudFront, Lambda functions, etc. as your entry point
Use CSP-managed DNS, such as Route 53, to mitigate DNS attacks
Use AWS Shield Advanced for DDoS attack mitigation
Use ELB for managed load balancing and autoscaling
Defence in Depth
Network level
Use Security Groups to manage access to all resources
Use both public and private VPCs to ensure public access to only the correct resources
Access to private VPCs only from designated resources
Use web application firewalls (WAF) on all instances
Use bastion hosts for connections
Use VPNs where possible
Always encrypt data in transit
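The network-level rules above (and the security-group guidance under Infrastructure protection earlier) can be audited from the security-group configuration itself. The checker below is an added example, not code from the lecture or from AWS: it walks groups in the shape of an EC2 describe-security-groups response and reports ingress from the whole internet on anything other than web ports, and admin ports (SSH/RDP) reachable from anywhere but the bastion group. Group ids and CIDRs are constructed placeholders.

```python
from typing import Any, Dict, List

ADMIN_PORTS = {22, 3389}      # SSH / RDP: bastion-only
PUBLIC_PORTS = {80, 443}      # the only ports allowed from the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample groups in the shape of an EC2 describe-security-groups
# response. Group ids and address ranges are placeholders, not real infrastructure.
GROUPS: List[Dict[str, Any]] = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "-1",  # all protocols and ports
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]


def _ports(rule: Dict[str, Any]) -> range:
    """Port range covered by a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def audit_security_groups(groups: List[Dict[str, Any]], bastion_sg: str) -> List[str]:
    """Flag internet-exposed non-web ports and admin ports not restricted to the bastion."""
    findings: List[str] = []
    for group in groups:
        gid = group["GroupId"]
        for rule in group.get("IpPermissions", []):
            ports = _ports(rule)
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            source_sgs = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
            if cidrs & ANYWHERE and not all(p in PUBLIC_PORTS for p in ports):
                findings.append(f"{gid}: open to the internet on ports {ports.start}-{ports.stop - 1}")
            admin = ADMIN_PORTS & set(ports)
            if admin and gid != bastion_sg and (cidrs or source_sgs - {bastion_sg}):
                findings.append(f"{gid}: admin ports {sorted(admin)} reachable from a source other than {bastion_sg}")
    return findings
```

Note that the "all traffic from 10.0.0.0/8" rule on the database group is flagged even though it is not internet-facing: a private-range allow-all still bypasses the bastion, which is the kind of drift the detective controls should roll back.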
Defence in Depth
System level
Use hardened AMIs
Ensure OS and application patch management
Use IAM roles for EC2 access
Use IAM credentials
Consider using MFA for additional security
Defence in Depth
Data level
Use logical access controls
User authentication and role access to data
Use encryption at rest
Defence in depth
Read
Lee, H., & Tao, Y. (2015). Multitiered cloud security model. In R. Ko & K. Choo (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA: Syngress.
Cloud Security Alliance. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Retrieved from https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
Australian Signals Directorate. (2017). Cloud Computing Security Considerations. Canberra: Department of Defence. Retrieved from https://www.asd.gov.au/publications/protect/Cloud_Computing_Security_Considerations.pdf
White, P. (2017). Transformational Security: The enterprise security posture and the rise of the public cloud. DFSI Spatial Services, Bathurst. Available in ITC568 Resources.
Amazon Web Services. (2014). Using AWS in the context of Australian Privacy Considerations. Retrieved 28 November 2014, from http://d0.awsstatic.com/whitepapers/compliance/Using_AWS_in_the_context_of_Australian_Privacy_Considerations.pdf
Amazon Web Services. (2017). Security Pillar: AWS Well-Architected Framework. Retrieved 28 August 2017, from https://d0.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Watch
Video on DevSecOps at https://youtu.be/V9IuDB8ICJM
Software-defined perimeters at https://youtu.be/ysi_9c5fmBg
Tasks