Clouds And Security

Published in: Technology, Business
Transcript

  • 1. Cloud Computing = .COM 2.0? Predrag Mitrovic, CISSP, CISM, Author [email_address]
  • 2. 2 minute bio www.cloudadvisor.se
  • 5. 1990 Botkyrka kommun
  • 6. 1995 IDG Nätverk & Kommunikation
  • 7. 1997 NetHouse Konsult & Media
  • 8. 1999 Novell EMEA
  • 9. 2000 Microsoft
  • 10. 2007 LabCenter
  • 11. October 1st MyNethouse
  • 16. The "as-a-Service" family
    • Security-as-a-Service
    • Storage-as-a-Service
    • Integration-as-a-Service
    • Database-as-a-Service
    • Information-as-a-Service
    • Process-as-a-Service
    • Application-as-a-Service
    • Platform-as-a-Service
    • Management/Governance-as-a-Service
    • Testing-as-a-Service
  • 17. Trends behind the hype
    • CPU speed doubles every 24 months
    • Memory capacity doubles every 18 months
    • Bandwidth explosion
    • OSS (open source software)
    • The programmable web
    • Virtualization
    • Information explosion (+50% growth year on year)
    • 70% of ICT budgets go to maintenance
    • Up to 85% of capacity sits idle
    • Unclear value perception on the business side
  • 18. (cartoon) Geekandpoke.com, used under a Creative Commons licence
  • 19. Definition
    • Clouds are hardware-based services offering compute, network and storage capacity where:
      • Hardware management is highly abstracted from the buyer
      • Buyers incur infrastructure costs as variable OPEX
      • Infrastructure capacity is highly elastic (up or down)
    • (McKinsey & Company)
  • 20. The idea: shared infrastructure. Diagram: App 1, App 2 ... App 100, each shown with the full stack Server / OS / Database / App Server / Storage / Network.
  • 21. IaaS – stack diagram: Cloud applications / Virtualized resources (Storage, Virtual Image 1 .. n) / SW Kernel (OS & VM) / CPU, RAM, Networking; flanked by a Security column (Risk, Governance, Lifecycle mgmt, AAA, Auditing, Security in-depth, Incident mgmt) and a Mgmt column (Reporting, Use monitor, Capacity planning, Network management, Automatization, Billing)
  • 22. PaaS – the same stack diagram
  • 23. SaaS – the same stack diagram
  • 24. IaaS example
  • 25. PaaS examples
  • 26. SaaS examples
  • 30. Security in the clouds
  • 31. The stack diagram again (Cloud applications / Virtualized resources: Storage, Virtual Image 1 .. n / SW Kernel (OS & VM) / CPU, RAM, Networking) with the Security column: Risk, Governance, Lifecycle mgmt, AAA, Auditing, Security in-depth, Incident mgmt
  • 32. Security in depth - facility
    • Physical perimeter protected
    • Guards
    • CCTV
    • Fire safety
    • Location against natural disasters
    • Secure logistics
  • 33. Security in depth – hardware (CPU, RAM, Networking)
    • Environment & climate secured
    • Physical access control
    • Redundancy
    • Automated supervision – CPU, RAM, fans, disk etc.
    • Enterprise FW
    • NIDS/NIPS
  • 34. Security in depth – SW Kernel (OS & VM)
    • Patch management: host OS & virtual hosts
    • Host-based FW
    • HIDS/HIPS
    • Filesystem encryption
    • OS & VM hardening
    • Routines for provisioning/de-provisioning of VMs
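As an added example (not from the deck or its author), here is one concrete, checkable piece of the "OS & VM hardening" item: auditing a host's sshd_config against a small baseline. The baseline values and both sample config texts are this example's own assumptions. The parser follows sshd's rule that the first value given for a keyword is the one used, and that directives after a `Match` line are conditional rather than global, which is exactly the case a naive last-wins check gets wrong.

```python
"""Added example (not from the deck): audit an sshd_config against a baseline.

Assumptions, not from the original: HARDENING_BASELINE is this example's own
choice of settings, and WEAK_CONFIG / HARDENED_CONFIG are constructed samples.
"""

HARDENING_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

WEAK_CONFIG = """# constructed sample: the late "no" lines do not take effect
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# sshd keeps the first value given above, so this repeat is ignored:
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""

HARDENED_CONFIG = """# constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword (lowercase): value} for the global section only.

    sshd uses the first value it sees for each keyword and ignores later
    repeats, so the first occurrence is kept. Parsing stops at the first
    `Match` line: everything after it applies conditionally, not globally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins
    return settings


def audit_sshd_config(text: str, baseline: dict = HARDENING_BASELINE) -> list:
    """Compare the effective global settings with the baseline; return findings.

    A keyword that is absent is reported too: an audit should not have to
    know which compiled-in default a particular OpenSSH build ships with.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in baseline.items():
        if key not in effective:
            findings.append("%s not set explicitly (relies on compiled-in default)" % key)
        elif effective[key].lower() not in allowed:
            findings.append("%s is %r, expected one of %s" % (key, effective[key], sorted(allowed)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it over the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means the global section meets the baseline. Settings inside `Match` blocks need a separate, per-condition review.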
  • 35. Security in depth – virtualized resources (Storage, Virtual Image)
    • DLP
    • Integrity auditing
    • Filesystem encryption
    • Personal FW
    • DB activity monitoring
    • Hardening
    • Authorization & auditing
  • 36. Security in depth – applications
    • Authentication & authorization
    • Code quality
    • Least privilege
    • SDL
  • 37. Soft side of security
    • Security Practice Statement?
    • Control of compliance?
    • How do I map my demands?
    • How about "damage control"?
    (Security column of the stack diagram: Risk, Governance, Lifecycle mgmt, AAA, Auditing, Security in-depth, Incident mgmt)
  • 38. Enter due diligence
    • Insiders?
    • High "administrator power"?
    • Stress test of business continuity and disaster recovery plans/abilities
    • Can I run my own penetration tests?
  • 39. Risk management
  • 40. Risk management
    • Vendor's KRI/KPI + my KRI/KPI = ?
    • Regular audits of the vendor's security policy, processes and procedures
    • Ownership and partnering?
  • 41. Governance
  • 42. Governance
    • Recurring auditing by a trusted third party to validate the SPS (Security Practice Statement) & SLA
    • Declaration of partnerships with third parties
    • Who is financing the vendor?
  • 43. Legal
  • 44. Legal
    • Plan for expected/unexpected exit: assurance of secure delivery and destruction of data
    • Clause that information must not traverse geographical boundaries
    • Rights to reuse my information?
  • 45. Compliance & Audit
  • 46. Compliance & audit
    • Classification:
      • Which systems are handling regulated information?
      • What data is handled within the systems?
    • SAS 70 Type II audits?
    • Demand ISO 27001 certification?
  • 47. ILM (Information Lifecycle Management)
  • 48. ILM
    • Logical segregation of information – what control mechanisms do we implement for the parts outside our control?
    • Verify backup & restore of segregated information, and simulate how the information is taken back "in-house" in case of termination.
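The integrity auditing item on slide 35 and the backup-and-restore verification on slide 48 call for the same tool: a manifest of file hashes taken at a known-good moment and compared later. This is an added example, not code from the deck; the manifest layout (relative path to SHA-256 digest), the decision to skip symlinks, and the temporary sample trees are this example's own construction.

```python
"""Added example (not from the deck): hash manifests for integrity auditing
(slide 35) and for proving that a backup restored intact (slide 48).

Assumptions, not from the original: manifest = {relative POSIX path: sha256 hex};
the sample directory trees in demo() and demo_restore() are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads keep memory flat for large files


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under `root` (relative POSIX path) to its digest.

    Symlinks are skipped: following them would let a planted link redirect the
    audit at an unrelated file and hide what actually lives in the tree.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order: useful if the manifest itself is signed or diffed
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return what changed since the baseline: added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def restore_is_complete(backup_manifest: dict, restored_root: Path) -> bool:
    """Slide 48 check: a restore is complete only if nothing is missing or altered.
    Extra files in the restore target are tolerated (e.g. metadata the OS adds)."""
    diff = compare_manifests(backup_manifest, build_manifest(restored_root))
    return not diff["removed"] and not diff["modified"]


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = build_manifest(root)

        # Tampering: config edited, script removed, new file dropped in.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin.sh").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        return compare_manifests(baseline, build_manifest(root))


def demo_restore() -> tuple:
    """Constructed scenario: back up a tree, restore a copy, verify, then break it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "data").mkdir(parents=True)
        (src / "data" / "customers.csv").write_text("id,name\n1,alice\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        ok_before = restore_is_complete(manifest, restored)

        (restored / "data" / "customers.csv").write_text("id,name\n")  # truncated restore
        ok_after = restore_is_complete(manifest, restored)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
    print(demo_restore())
```

In practice the baseline manifest is written at provisioning time and stored outside the audited system (or signed), so that whoever modifies the files cannot also rewrite the record of what they should hash to.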
  • 49. Portability & Interoperability
  • 50. P & I
    • SaaS
      • Process for continuous extraction in open formats
    • IaaS
      • Build "binaries" that are not tied to vendor-specific virtual machine images
    • PaaS
      • A developer platform in the cloud that allows portability to and from an in-house platform
  • 51. Identity
  • 52. Identity
    • Federation scheme
      • SAML (which version?)
      • WS-Federation
      • Liberty ID-FF
    • Multiple authentication factors?
    • Authorization and governance of rights on applications/data?
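Whichever federation standard is chosen, the service provider still has to check what the assertion says about its own validity. As an added example (not from the deck), the following validates the Conditions element of a SAML 2.0 assertion: the validity window with clock skew, and the audience restriction that binds the token to this service provider. It assumes the XML signature over the assertion has already been verified by an XML-DSig library before this runs (the checks mean nothing on an unverified document); the sample assertion, the SP entity ID and the 60-second skew are this example's own assumptions.

```python
"""Added example (not from the deck): SAML 2.0 Conditions validation at the SP.

Assumptions, not from the original: the assertion's XML signature was already
verified upstream; SAMPLE_ASSERTION, the entity IDs and the skew are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2009-10-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-10-01T12:00:00Z" NotOnOrAfter="2009-10-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(s: str) -> datetime:
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are optional."""
    if not s.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (trailing Z): %r" % s)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, expected_audience: str,
                     now: datetime, skew: timedelta = timedelta(seconds=60)) -> list:
    """Return the reasons this assertion must be rejected (empty list = accept).

    All failures are collected instead of raising on the first one, so one log
    line can show everything that was wrong with a bad token.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element: cannot bound the assertion's validity"]

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    # Skew is applied in the token's favour so a slightly drifted IdP clock does not break SSO.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        problems.append("assertion not yet valid (NotBefore=%s)" % nb)
    if noa and now - skew >= parse_saml_time(noa):
        problems.append("assertion expired (NotOnOrAfter=%s)" % noa)
    if not noa:
        problems.append("no NotOnOrAfter: assertion would be replayable forever")

    # Audience: the token must name *this* SP. Each AudienceRestriction element
    # must be satisfied independently; within one, any listed Audience suffices.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        problems.append("no AudienceRestriction: token is not bound to any SP")
    for ar in restrictions:
        audiences = [a.text.strip() for a in ar.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append("audience mismatch: got %s, expected %s" % (audiences, expected_audience))

    return problems


def demo() -> dict:
    """Run the constructed assertion through the check at several points in time."""
    base = datetime(2009, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    sp = "https://sp.example.com/"
    return {
        "fresh": check_conditions(SAMPLE_ASSERTION, sp, base + timedelta(minutes=1)),
        "expired": check_conditions(SAMPLE_ASSERTION, sp, base + timedelta(minutes=10)),
        "early_within_skew": check_conditions(SAMPLE_ASSERTION, sp, base - timedelta(seconds=30)),
        "wrong_sp": check_conditions(SAMPLE_ASSERTION, "https://other-sp.example.com/",
                                     base + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result or "accept")
```

The "wrong_sp" case is the one worth remembering: a token that is validly signed, unexpired and issued to a legitimate user of the same identity provider is still worthless to this SP if it was minted for another service. Signature verification alone does not catch that.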
  • 53. Datacenter operations
  • 54. Datacenter operations
    • Maintenance schedules
    • Process for misconfigurations (fallback/rollback)
    • Versioning
    • Helpdesk
  • 55. Incident handling
  • 56. Incident handling
    • Common definition of an incident?
    • Roles during an incident?
    • When/how am I notified?
    • Can I use my own CSIRT?
    • Police?
    • Dawn raid on another tenant – consequences for me?
  • 57. Conclusions
  • 58. Cloud computing is built on known technology – but the risks are definitely virgin territory!
  • 59. There are loads of exciting opportunities – open to all!
  • 60. Business demands results without "whining and buts" – handle it or be bypassed and marginalized!
  • 61. Why not implement the philosophy of the cloud in your own IT?
  • 62. DISCUSSION
  • 63. Nice links
    • http://cloudforum.org
    • http://cloudsecurityalliance.org
    • http://cloudcamp.org
    • http://opencloudmanifesto.org
    • http://opencrowd.com
    • http://eucalyptus.com
    • http://aws.amazon.com/ec2
    • http://www.ibm.com/ibm/cloud/labs/
    • http://www.hpl.hp.com/research/cloud.html
  • 64. Thank you!
    • Predrag Mitrovic, predrag@mynethouse.se
    • +46 (0) 709 – 200 350 or on the net:
    • http://mynethouse.se
    • Blogs (in Swedish only):
      • http://blogg.idg.se/itperspektiv
      • http://cloudadvisor.se
