SIKKERHET I SKYEN

Ole Tom SeierstadChief Security AdvisorMicrosoft Norge ASoles@microsoft.com

Trender

Hva er “The Cloud”?

Muligheter og utfordringer

5 betraktninger

Anbefallinger

HVA ER CLOUD?

Komplette IT løsninger kan kjøres på én sentral tjener og at de tilgjengeliggjøres via internett på

en rekke ulike enheter. Dette er hva vi kaller “Cloud Computing”.

CLOUD COMPUTING ER EN DEL AV LØSNIGENSkybaserte løsninger gir IT-ressurser, som en tjeneste, på en dynamisk og skalerbar måte over et nettverk.

Fem viktige egenskaperTjenester tilgjenglig for selvbetjeningGod tilgang til nettetDeling av ressurser (Resource pool)Raske muligheter for endringerMåling av resultater

4

Web Apps

TILBAKEMELDINGER FRA BRUKERE

6

Redusere kostnader

Økt effektivitet og Grønn IT

Økt kunde og partner kontakt samt bedre

kundeopplevelse

TRENDER - FLEKSIBILITET

TRENDER - FLEKSIBILITET

TRENDER – NYE MÅTER Å ARBEIDE PÅ – REGELVERK

KRIMINELLE FRA “COOL...”

TIL “CASH”

TILPASSNING AV NETTVERKET

TILPASSNING AV NETTVERKET

TILPASSNING AV NETTVERKET

SIKKERHET ER EN NØDVENDIGHET

SIKKERHET ER EN NØDVENDIGHET

Lagring av data i skyen

Kjør deler av programmvaren i skyen

Flytt hele løsningen til skyen

Utvikle helt nye skybaserte løsninger

Lag nye løsninger ved å kombinere ulke Cloud Services

ULIKE IMPLEMENTERINGER FOR CLOUD COMPUTING

ULIKE MODELLER – FRA OFFENTLIG TIL PRIVATE SKYLØSNINGER

Tilgjenglighet på ulike enheter

På lokale servere Privat sky Offentlig sky

Informasjon er under leverandørens kontrollIkke begrenset av geografi og plassering

Endringer i IT prosesserLeverandøren kan ha bedre sikkerhets prosesser og rutinerFysisk sikkerhet vil bli administrert av sky-leverandørenUtfordringer med juridisk suverenitet

Sentralisert lagring av dataØkonomisk skalerbarhetAttraktiv for kriminelle

Personvern utfordringerForensics/etterforskning

MULIGHETER OG UTFORDRINGER

VURDERINGER AV SIKKERHET I SKYEN

Compliance and Risk Management

Identity and Access Management

Service Integrity

Endpoint Integrity

Information Protection

Compliance is still the duty of the CustomerSound Risk Management encompassing the Cloud is neededCollaboration between Customer and Provider is essential

Need of a certain level of Process Transparency

Strong Internal Team neededContract NegotiationDefinition of Controls and MetricsIntegration of Controls into own processes

COMPLIANCE AND RISK MANAGEMENT

Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency by the cloud provider(s).

Cross-Domain Collaboration requires secure identitiesPeople and Devices

Based on In-Person Proofing or similarClaims-BasedBased on interoperable standardsPrivacy vs. Authentication has to be balancedProcesses have to be able to include several providers

IDENTITY AND ACCESS MANAGEMENT

Any digital identity system for the cloud has to be interoperable across different organisations and cloud providers and based on strong processes.

Service Engineering and DevelopmentStrong and Transparent Engineering Processes Needed

RequirementsDesignImplementationVerificationReleaseResponse

ProofedBased on Threat Models or similar

SERVICE INTEGRITY

The provider should follow a clear, defined, and provable process to integrate security and privacy in the service from the beginning and for the whole lifecycle.

Service DeliveryInternal processes have to be able to cover multiple provider

Security MonitoringAuditingForensicsIncident responseBusiness ContinuityEtc.

Requirements depend on application and information needs

SERVICE INTEGRITY

The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned.

Is part of the delivery chainOften subject to social engineering attacks (and similar)Review today’s processes and policies

ENDPOINT INTEGRITY

It is very important to include the end point in any security consideration for cloud-based services.

Data Classification is the foundationRequirementsLegal Needs

Persistent Data Protection neededEncryption/Rights Management

Has to cover the whole transactionData in transit

«New» ChallengesData SovereigntyAccess to InformationData Partitioning and Processing

INFORMATION PROTECTION

Implemented Data Classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.

Well-Functioning Risk and Compliance Programs are a mustData classification is the baseChoose the right Deployment Model (Private, Community, or Public)Strong, cloud trained, Internal Team still neededProcess Transparency, Compliance Controls, and Auditability by the ProviderImplement a Secure Development Lifecycle and evaluate the Provider and their vendors as wellStronger federated identity and access controls Information Lifecycle ControlsAccess controls to operate across organisational boundaries without surrendering identity ownership

RECOMMENDATIONS

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.