Defined Categories of Service 2011 - Cloud Security Alliance

More documents

Recommendations

Info

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 Category #6: Intrusion Management Description: Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop / prevent an intrusion. The methods of intrusion detection, prevention, and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments. Examples of how cloud-based Intrusion Management could be offered include: • Provided by the Cloud Service Provider • Provided by a third-party (routing traffic through a SecaaS) • Hybrid SaaS with third-party management and host-based or virtual appliances running in the cloud consumer's context Class: Detective, protective, reactive General CORE FUNCTIONALITIES Identification of intrusions and policy violations Automatic or manual remediation actions Coverage for: Workloads Virtualization Layer (VMM/Hypervisor) Management Plane Cloud and other APIs Updates to address new vulnerabilities, exploits and policies Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network) Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic System/Behavioral One or more of: System Call Monitoring System/Application Log Inspection Integrity Monitoring OS (Files, Registry, Ports, Processes, Installed Software, etc) Integrity Monitoring VMM/Hypervisor VM Image Repository Monitoring Continued on the following page… SERVICES Includes: Packet Inspection, Detection, Prevention, IR Related Services: Web Security, Secure Cloud & Virtualization Security Related Technologies and Standards: DPI, Event correlation and pattern recognition Service Model: SaaS, PaaS, IaaS CSA Domains (v2.1): 13 THREATS ADDRESSED Intrusion Malware REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list) Cloud Alert Logic Threat Manager Arbor Peakflow X Check Point - Security Gateway Virtual Edition Cloudleverage Cloud IPS/firewall Copyright © 2011 Cloud Security Alliance 18
Continued from the previous page… CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 OPTIONAL FEATURES Central Reporting SIEM Integration Administrator Notification Customization of policy (automatic or manual) Mapping to cloud-layer tenancy Cloud sourcing information to reduce false positives and improve coverage Remote storage or transmission of integrity information, to prevent local evasion General Challenges: CHALLENGES Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility to network-based IDS/IPS Complexity and immaturity of Intrusion Management for APIs Lack of tools to manage instance-to-instance relationships Wire speed with full malware / attack coverage performance not meeting expectations Specific to Cloud Consumers: Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA Current lack of network-edge TAP interfaces for public cloud and virtual private cloud for typical deployment of NIPS Inability to utilize hypervisor (vSwitch/vNIC) introspection Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or 3rd party services Privacy concerns of service-based security Short lived instances (HIDS/HIPS logs can be lost) Performance limitations with network traffic in a shared environment Ownership / managing access to monitoring equipment and data Specific to Cloud Service Providers: Policy management in a multi-tenant environment Policy management for application-layer multi-tenancy (SaaS, some PaaS services such as Microsoft SQL Azure) Complexity of deployment and configuration REFERENCES / ADDITIONAL RESOURCES REFERENCE EXAMPLES Cloud Cymtec Scout eEye Digital Security Blink IBM Proventia McAfee - Host Intrusion Prevention Sourcefire - 3D System StoneGate - Virtual IPS Symantec Critical System Protection Symantec Endpoint Protection Trend Micro Deep Security Trend Micro Threat Detection Appliance TrustNet iTrust SaaS Intrusion Detection XO Enterprise Cloud Security Non-Cloud AIDE CA-eTrust Intrusion Detection Check Point IPS Cerero - Top Layer IPS Cetacea Networks - OrcaFlow Cisco Guard / IPS Detector DeepNines - BBX e-Cop - Cyclops Enterasys - IPS HP S IPS Intrusion – SecureNet / Host iPolicy Juniper Networks IDP Lancope - StealthWatch McAfee - Network Intrusion Prevention OSSEC Q1 Labs - QRadar Radware - DefensePro Samhain SoftSphere Technologies HIPS StillSecure - Strata Guard StoneGate - IPS Suricata Symantec Network Security Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf NIST Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system Copyright © 2011 Cloud Security Alliance 19
Page 1 and 2: Defined Categories of Service 2011
Page 3 and 4: Table of Contents CLOUD SECURITY AL
Page 5 and 6: Acknowledgments Co-chairs Kevin Fie
Page 7 and 8: Executive Summary CLOUD SECURITY AL
Page 9 and 10: Continued from the previous page…
Page 17: Continued from the previous page…
Page 27: Continued from the previous page…

Defined Categories of Service 2011 - Cloud Security Alliance

Create successful ePaper yourself

Delete template?

Save as template?