Cloud Security
Nimrod Luria
CTO | Q.rity
Information Security Lead | Hi-Tech
Nimrod@Qrity.com
Cloud Security
It can be confusing
Columns: Institutional, Business Model and Usage | Technical (System; DC Operation & Management)

Information Security
• Institutional, Business Model and Usage
   – Security of data center facility: location, natural hazard, utility services; physical access control, monitoring
   – Communication security between user and cloud: reliability of communication path, QoS; confidentiality and security of communication
   – Information Lifecycle Management
   – Client device security
• Technical: System
   – Security of the cloud architecture: virtualized environment; hypervisor; large distributed system (grid); isolation of processes
   – Security of data storage: physical location of storage for disaster recovery, backup and geopolitical risks; isolation between data
• Technical: DC Operation & Management
   – Operation Management: operator access control; system privilege control; unauthorized access control; incident response; patch and vulnerability management; antiviral software management; application management
   – Information Lifecycle Management
• Across columns
   – Data encryption and key management
   – Cryptographic solution for communication, data and operation
   – User authentication, access control, user monitoring
   – Hardware reliability and redundancy

Business Continuity
• Cloud provider resiliency
• Management and governance of cloud provider
• BCP of cloud provider
• Disaster recovery planning and operation
• Availability and dependability of the system and the services

Compliance
• Laws and regulations conformity
   – Internal control
   – Personal data protection law
   – FISMA, HIPAA and others
• Auditability and inquiry accommodation to users, third parties, administration and law enforcement
• Digital forensics
• Data storage location and effect from local laws and regulations and privacy requirement

Usability
• SLA standards and guidelines
• Service level assurance
   – Process capability and scalability
   – Storage capacity and scalability
• Portability/lock-in of data and applications
• Interoperability and the standardization (cloud to cloud, cloud to on-premise)
• Bottlenecks in data transfer

Copyright © 2009-2010 Information-Technology Promotion Agency, 16/03/2010
www.cloudsecurityalliance.org
Agenda
•   Private cloud architecture
•   Microsoft Private Cloud Solutions
•   Top Cloud Computing Threats
•   Trust in the Cloud
•   Cloud Security: the challenges
•   Cloud Security Frame
•   Secure cloud architecture Q&A
NIST working definition
What Constitutes cloud computing?
•   SOFTWARE AS A SERVICE
•   PLATFORM AS A SERVICE
•   INFRASTRUCTURE AS A SERVICE
1. Standardize Identity with Active Directory
2. Virtualize with Hyper-V
3. Standardize Management with System Center
4. Enable Self Service with the Free Self Service Portal
5. Deploy One App on the Windows Azure Platform
Consuming and Delivering IT as a Service
[Diagram: Application Owner → Self Service Portal → Service Model → steps]

Service Model:
•   Service Type
•   SLA Requirements
•   Compliance Requirements
•   Access Requirements
•   Load Estimates
•   Billing Info
•   Reporting

Steps:
•   Compose Image
•   Deploy Image
•   Attach Network
•   Configure Image
•   Configure Service
•   Configure Monitoring
•   Configure Reporting
•   Configure Backup
•   Configure Security
•   Monitor Compliance
[Diagram labels: User, App, Clients, Internet, Secure VDI Support, Policy, SSL VPN, DMZ, Virtual FW, VM 1 to VM 4, Hypervisor, Virtual Machines, HR Zone, Finance Zone, Services]

Virtualized Security Services:
1. DoS Protection
2. Firewall
3. Authentication
4. Encryption
5. NAT
6. Intrusion prevention
7. Real-time visibility
8. Traffic prioritization

Management & Compliance: Policies, Reporting
Microsoft Private Cloud Components

•   SELF-SERVICE
•   MANAGEMENT
•   VIRTUALIZATION
•   IDENTITY
Trust in the Cloud
•   Compliance and Risk Management
•   Identity and Access Management
•   Information Protection
•   Service Integrity
•   Endpoint Integrity
Security is the Major Issue




Cloud computing Risks

•   LOCK-IN
•   LOSS OF GOVERNANCE
•   COMPLIANCE CHALLENGES
•   LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES
•   CLOUD SERVICE TERMINATION OR FAILURE
•   CLOUD PROVIDER ACQUISITION
•   SUPPLY CHAIN FAILURE
•   RESOURCE EXHAUSTION
•   ISOLATION FAILURE
•   CLOUD PROVIDER MALICIOUS INSIDER
•   MANAGEMENT INTERFACE COMPROMISE
•   INTERCEPTING DATA IN TRANSIT
•   DATA LEAKAGE ON UP/DOWNLOAD, INTRA-CLOUD
•   INSECURE OR INEFFECTIVE DELETION OF DATA
•   UNDERTAKING MALICIOUS PROBES OR SCANS
•   DISTRIBUTED DENIAL OF SERVICE (DDOS)
•   ECONOMIC DENIAL OF SERVICE (EDOS)
•   LOSS OF ENCRYPTION KEYS
•   CONFLICTS BETWEEN CUSTOMER HARDENING PROCEDURES AND CLOUD ENVIRONMENT
•   COMPROMISE SERVICE ENGINE
•   SUBPOENA AND E-DISCOVERY
•   RISK FROM CHANGES OF JURISDICTION
•   DATA PROTECTION RISKS
Commonly referenced cloud security Issues
•   Bad co-hosts
   – Amazon: Hey Spammers, Get Off My Cloud! http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
•   Denial of Service
   – Bitbucket's Amazon DDoS - what went wrong http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
•   Many eggs, one basket
   – Lightning Zaps Amazon Cloud http://news.cnet.com/8301-1001_3-10263425-92.html
•   Entitlement Management
   – Security issues with Google Docs http://peekay.org/2009/03/26/security-issues-with-google-docs/
•   Hypervisor & Virtual Machine Vulnerabilities
   – An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
   – Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
   – Cloudburst: Arbitrary code execution vulnerability for VMWare http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
•   Crypto Ops in VM
   – Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine http://eprint.iacr.org/2009/474
•   In-cloud federated Identity Management
•   Lack of Standards
•   Data Provenance: Where did the data come from?
•   Data Remanence: You can check out but can’t leave
•   Location & Privacy: Who looks at/after your data? And where? Jurisdictions?
Cloud Security
Demo
• Configuring Baseline Security for the Private
  cloud
Top Cloud Computing Threats
Threat 1: Abuse and Nefarious Use of Cloud Computing
Threat 2: Insecure Interfaces and APIs
Threat 3: Malicious Insiders
Threat 4: Shared Technology Issues
Threat 5: Data Loss or Leakage
Threat 6: Account or Service Hijacking
Threat 7: Unknown Risk Profile
Abuse and Nefarious Use of Cloud Computing
Description
Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited.

Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem — as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.

Remediation
IaaS   PaaS   SaaS
• Stricter initial registration and validation processes.
• Enhanced credit card fraud monitoring and coordination.
• Comprehensive introspection of customer network traffic.
• Monitoring public blacklists for one’s own network blocks.
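
The last remediation item, monitoring public blacklists for one's own network blocks, can be automated. The following is an added example, not part of the original slides: it parses a constructed feed in an assumed "address-or-CIDR ; reference" text format and reports every listing that falls inside, or covers, one of the provider's own netblocks. All addresses, references and names are constructed for illustration.

```python
"""Check a public blocklist feed for entries that overlap our own netblocks.

Assumptions (not from the slides): the feed is plain text, one entry per
line, "address-or-CIDR ; optional reference", with '#' or ';' comment lines.
All addresses are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed provider allocations (documentation prefixes).
OWN_BLOCKS = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:10::/48"]

# Constructed feed sample, including a malformed line and a near miss.
SAMPLE_FEED = """\
; constructed sample feed
# comment line
192.0.2.0/24 ; ref-0001
198.51.100.17 ; ref-0002
203.0.113.0/24 ; ref-0003
203.0.113.200/29 ; ref-0004
2001:db8:10:5::/64 ; ref-0005
not-an-address ; ref-0006
"""


@dataclass(frozen=True)
class Hit:
    listed: str      # network as published in the feed
    own_block: str   # our allocation that it touches
    reference: str   # feed's reference for the listing
    relation: str    # "inside": part of our block is listed
                     # "covers": our entire block is listed


def parse_feed(text):
    """Return (entries, rejected): parsed (network, reference) pairs and
    the raw lines that could not be parsed as an address or CIDR."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        addr, _, ref = line.partition(";")
        try:
            # strict=False accepts single hosts and CIDRs with host bits set.
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError:
            rejected.append(line)
            continue
        entries.append((net, ref.strip()))
    return entries, rejected


def find_listings(feed_text, own_blocks):
    """Return (hits, rejected) for a feed checked against our allocations."""
    own = [ipaddress.ip_network(b) for b in own_blocks]
    entries, rejected = parse_feed(feed_text)
    hits = []
    for listed, ref in entries:
        for block in own:
            if listed.version != block.version:
                continue  # never compare IPv4 with IPv6
            # CIDR networks are either nested or disjoint, so two
            # subnet checks cover every possible overlap.
            if listed.subnet_of(block):
                relation = "inside"
            elif block.subnet_of(listed):
                relation = "covers"
            else:
                continue
            hits.append(Hit(str(listed), str(block), ref, relation))
    return hits, rejected


if __name__ == "__main__":
    hits, rejected = find_listings(SAMPLE_FEED, OWN_BLOCKS)
    for h in hits:
        print(f"ALERT {h.listed} ({h.reference}) {h.relation} {h.own_block}")
    for line in rejected:
        print(f"WARN unparsable feed line: {line}")
```

A "covers" result corresponds to the case the slide describes, where an entire block of provider addresses has been listed; rejected lines are surfaced rather than dropped so a feed format change does not silently disable the check.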
Insecure Interfaces and APIs
Description
Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.

Examples
Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.

Remediation
IaaS   PaaS   SaaS
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
• Understand the dependency chain associated with the API.
Malicious Insiders
Description
The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

Examples
No public examples are available at this time.

Remediation
IaaS   PaaS   SaaS
• Enforce strict supply chain management and conduct a comprehensive supplier assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and management practices, as well as compliance reporting.
• Determine security breach notification processes.
Shared Technology Issues
Description
Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.

Examples
• Joanna Rutkowska’s Red and Blue Pill exploits
• Kortchinsky’s CloudBurst presentations.

Remediation
IaaS   PaaS   SaaS
• Implement security best practices for installation/configuration.
• Monitor environment for unauthorized changes/activity.
• Promote strong authentication and access control for administrative access and operations.
• Enforce service level agreements for patching and vulnerability remediation.
• Conduct vulnerability scanning and configuration audits.
Data Loss or Leakage
Description
The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.

Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys.

Remediation
IaaS   PaaS   SaaS
• Implement strong API access control.
• Encrypt and protect integrity of data in transit.
• Analyze data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction practices.
• Contractually demand providers wipe persistent media before it is released into the pool.
• Contractually specify provider backup and retention strategies.
Account or Service Hijacking
Description
Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services.

Examples
Amazon EC2 Zeus Password stealing.

Remediation
IaaS   PaaS   SaaS
• Prohibit the sharing of account credentials between users and services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.
Unknown Risk Profile
Description
When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information if any will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.

Examples
IRS asked Amazon EC2 to perform a C&A; Amazon refused.
http://news.qualys.com/newsblog/forrester-cloud-computingqa.Html

Remediation
IaaS   PaaS   SaaS
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
• Monitoring and alerting on necessary information.
Fraud as a service
What’s Required?
  • Buy the malware
  • Choose a server (“bulletproof hosting”)
  • Install malware on a server
  • Infect PCs
  • Keep the malware up-to-date
Beyond Architecture: The Areas Of Critical Focus
•   Governance and Enterprise Risk Management
•   Legal and Electronic Discovery
•   Compliance and Audit
•   Information Lifecycle Management
•   Portability and Interoperability
•   Traditional Security, Business Continuity and Disaster Recovery
•   Data Center Operations
•   Incident Response, Notification and Remediation
•   Application Security
•   Encryption and Key Management
•   Identity and Access Management
•   Virtualization
Analyzing Cloud Security
• Clouds are massively complex systems that can be
  reduced to simple primitives that are
  replicated thousands of times and common
  functional units
Cloud Security: the challenges
[Diagram centre: Cloud Service & Data Security]

Multi-tenancy
•   Security of shared resources
•   Process isolation
•   Data segregation
•   ‘Data sharding’ (fragmentation across images)
•   Identity & Access Management

Risks
•   Lack of transparency
•   Limited audit ability
•   Regulatory violation
•   No risk transference for data
•   Infrastructure misuse / break in

Law & Compliance
•   Provider & resource / data location
•   Cross-border data movement
•   PII and privacy obligations (HIPAA, GLBA)
•   Poor quality of evidence
•   Auditing and compliance (PCI, ISO 27001)

Data Location & Mobility
•   EU vs. US vs. China regulations (Government access).
•   Differences in data protection between regions
•   Cost of keeping data hosting in EU
•   Audit data is legally owned by CSP and not client.
•   Cases of CSP refusing to ‘hand over audit logs’.
•   Extremely difficult to involve law enforcement with CSP activities - breach investigation/litigation.

Data Commingling
•   In-cloud segregation of data: difficult
•   Accidental seizure of customer data during forensic investigations

Resilience & Availability
•   Latency sensitive applications
•   Enforcement of SLA obligations
•   Insufficient capabilities to cater for critical data

Cloud lock in
•   Lack of standards
•   Lack of interoperability
•   Limited service portability
•   Incompatible management processes

Security at multiple layers
•   Virtual image provided by IaaS provider
•   Platform stack provided by PaaS provider
•   IaaS, PaaS issues + application security
Cloud Security: the challenges
[Diagram centre: Virtual Infrastructure Security]

Data risks
•   CSPs do not allow clients to classify data.
•   CSPs cannot offer different levels of security based upon data sensitivity.
•   No DLP – data leakage protection services offered.

Isolation
•   Hypervisor-VM and inter-VM isolation
   – Robust at system level (modulo kernel bugs)
   – Issues at management plane
   – Memory hijacking

VM Security
•   Guest OS needs security protection
   – at massive scale
•   Resilient VM life-cycle
   – secure, scalable, dynamic

Physical 2 virtual mapping
•   Crypto doesn’t like virtual
•   Current algorithms set to optimise resource pooling
•   Can’t always use specialised HW
•   Encryption key management.

Reliance on VM vendor security
•   Issues with guest OS Security
•   Can VMWare, Microsoft be trusted to implement kernel security correctly?…
Private Clouds and User Roles


VMM Admin
•   Scope: Everything
•   Scope cannot be modified
•   Can take any action

Delegated Admin
•   Scope: Host groups and Clouds
•   Create cloud from physical capacity
•   Access to cloud automatically gives access to host groups
•   Includes all Cloud Manager rights

Cloud Manager
•   Scope: Clouds only
•   Subdivides clouds
•   Delegates clouds
•   Includes all Self-Service User rights

Self-Service User
•   Scope: Clouds only
•   Manages services and VMs
•   Authors templates
•   Shares resources
•   Actions can be revoked
•   Quota: Per-user limit
User Roles and Scope



[Diagram labels: VMM Admin, Delegated Admin, Cloud Manager, Self Service User]
Private Cloud Usage Scenarios

VMM Admin creates a private cloud


   VMM Admin delegates the cloud to
   Cloud Manager

       Cloud Manager sub-divides the cloud
       and assigns it to Self-Service User

           Self Service User creates VMs and
           services in the cloud
Security as a service
Identity as a service (IDaaS)
IAM Protocols and Standards
•   SAML
•   XACML
•   OAuth
•   OpenID
•   OATH
•   OpenAuth
Demo
Set Cloud CSRF (oneClick) to Stop machine
The future of cloud computing security
• Infrastructure security
   – Greater transparency of security capabilities.
• Data security and storage
   – Predicate encryption
• Identity and access management
   – Hybrid IAM strategy
• Security management
   – Unified Management function across CSP’s resources
• http://www.cloudsecurityalliance.org/Research.html
• http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
• Microsoft Security Compliance Manager
   – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en
• Build Your Own Private Cloud
   – http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx
• http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx
Thank You !
  Nimrod@Qrity.com
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” report
 
Security issue in cloud by himanshu tiwari
Security issue in cloud by himanshu tiwariSecurity issue in cloud by himanshu tiwari
Security issue in cloud by himanshu tiwari
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
 
Cloud Computing Security Issues
Cloud Computing Security IssuesCloud Computing Security Issues
Cloud Computing Security Issues
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
 
Cloud security
Cloud security Cloud security
Cloud security
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
SOME SECURITY CHALLENGES  IN CLOUD COMPUTINGSOME SECURITY CHALLENGES  IN CLOUD COMPUTING
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Whitepaper: Security of the Cloud
Whitepaper: Security of the CloudWhitepaper: Security of the Cloud
Whitepaper: Security of the Cloud
 
Security of the Cloud
Security of the CloudSecurity of the Cloud
Security of the Cloud
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 

Viewers also liked

Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...IBM Banking
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Cloud Security Issues 1.04.10
Cloud Security  Issues 1.04.10Cloud Security  Issues 1.04.10
Cloud Security Issues 1.04.10Rugby7277
 
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)Lustratus REPAMA
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityBob Rhubart
 
Cloud Economics: Optimising for Cost
Cloud Economics: Optimising for CostCloud Economics: Optimising for Cost
Cloud Economics: Optimising for CostAmazon Web Services
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureBob Rhubart
 
Cloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabiliesCloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabiliesVinay Dwivedi
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityBill Burns
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introductiontoryharis
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityDhaval Dave
 
Getting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicmGetting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicmDavid Linthicum
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersOpSource
 
Cost Optimisation with Amazon Web Services
 Cost Optimisation with Amazon Web Services Cost Optimisation with Amazon Web Services
Cost Optimisation with Amazon Web ServicesAmazon Web Services
 
Cloud Computing and Enterprise Architecture
Cloud Computing and Enterprise ArchitectureCloud Computing and Enterprise Architecture
Cloud Computing and Enterprise ArchitectureDavid Linthicum
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 

Viewers also liked (17)

Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...Financial Risk Management: Integrated Solutions to Help Financial Institution...
Financial Risk Management: Integrated Solutions to Help Financial Institution...
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Cloud Security Issues 1.04.10
Cloud Security  Issues 1.04.10Cloud Security  Issues 1.04.10
Cloud Security Issues 1.04.10
 
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)Cloud Computing Without The Hype   An Executive Guide (1.00 Slideshare)
Cloud Computing Without The Hype An Executive Guide (1.00 Slideshare)
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Cloud Economics: Optimising for Cost
Cloud Economics: Optimising for CostCloud Economics: Optimising for Cost
Cloud Economics: Optimising for Cost
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference Architecture
 
Cloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabiliesCloud computing architecture and vulnerabilies
Cloud computing architecture and vulnerabilies
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud Security
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introduction
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Getting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicmGetting an open systems cloud strategy right the first time linthicm
Getting an open systems cloud strategy right the first time linthicm
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for CustomersLeaders in the Cloud: Identifying Cloud Business Value for Customers
Leaders in the Cloud: Identifying Cloud Business Value for Customers
 
Cost Optimisation with Amazon Web Services
 Cost Optimisation with Amazon Web Services Cost Optimisation with Amazon Web Services
Cost Optimisation with Amazon Web Services
 
Cloud Computing and Enterprise Architecture
Cloud Computing and Enterprise ArchitectureCloud Computing and Enterprise Architecture
Cloud Computing and Enterprise Architecture
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 

Similar to Cloud Security

Secure Enterprise Cloud
Secure Enterprise CloudSecure Enterprise Cloud
Secure Enterprise CloudIndu Kodukula
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011Satish Hemachandran
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationIBM Danmark
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in CloudLenin Aboagye
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010Andris Soroka
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection   ...International approaches to critical information infrastructure protection   ...
International approaches to critical information infrastructure protection ...owaspindia
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalArrow ECS UK
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To ConsumeJeff Johnson
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution ServiceAngelo Corsaro
 
Testing cloud services - EuroSTAR
Testing cloud services - EuroSTARTesting cloud services - EuroSTAR
Testing cloud services - EuroSTARJeroen Mengerink
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloudInterop
 
Managed vs customer presentation
Managed vs customer presentationManaged vs customer presentation
Managed vs customer presentationhemanth102030
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Chad Lawler
 
Avensus Corporate Presentation
Avensus Corporate PresentationAvensus Corporate Presentation
Avensus Corporate PresentationParth Agrawal
 
Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012Symantec
 
Meraki 2012 Corporate Brochure
Meraki 2012 Corporate BrochureMeraki 2012 Corporate Brochure
Meraki 2012 Corporate Brochureguillaumepays
 

Similar to Cloud Security (20)

Secure Enterprise Cloud
Secure Enterprise CloudSecure Enterprise Cloud
Secure Enterprise Cloud
 
SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011SunGard Enterprise Cloud Services @ Cloud Connect 2011
SunGard Enterprise Cloud Services @ Cloud Connect 2011
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig information
 
Enterprise Security in Cloud
Enterprise Security in CloudEnterprise Security in Cloud
Enterprise Security in Cloud
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
International approaches to critical information infrastructure protection ...
International approaches to critical information infrastructure protection   ...International approaches to critical information infrastructure protection   ...
International approaches to critical information infrastructure protection ...
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Securityinsideout
SecurityinsideoutSecurityinsideout
Securityinsideout
 
Qradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_finalQradar ibm partner_enablement_220212_final
Qradar ibm partner_enablement_220212_final
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
 
Testing cloud services - EuroSTAR
Testing cloud services - EuroSTARTesting cloud services - EuroSTAR
Testing cloud services - EuroSTAR
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
 
Managed vs customer presentation
Managed vs customer presentationManaged vs customer presentation
Managed vs customer presentation
 
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
Integrated Cloud Framework: Security, Governance, Compliance, Content Applica...
 
Avensus Corporate Presentation
Avensus Corporate PresentationAvensus Corporate Presentation
Avensus Corporate Presentation
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012Symantec Enterprise Mobility - Mobile World Congress February 2012
Symantec Enterprise Mobility - Mobile World Congress February 2012
 
Meraki 2012 Corporate Brochure
Meraki 2012 Corporate BrochureMeraki 2012 Corporate Brochure
Meraki 2012 Corporate Brochure
 

Recently uploaded

Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 

Recently uploaded (20)

Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 

Cloud Security

  • 1. Cloud Security Nimrod Luria CTO | Q.rity Information Security Lead | Hi-Tech Nimrod@Qrity.com
  • 3. It can be confusing
      Columns: Institutional, Business Model and Usage; Technical (System; DC Operation & Management)
      Information Security
        - Security of data center facility: location, natural hazard, utility services; physical access control, monitoring
        - Security of the cloud architecture: virtualized environment; hypervisor; large distributed system (grid); isolation of processes
        - Operation Management: operator access control; system privilege control; unauthorized access control; incident response; patch and vulnerability management; antiviral software management; application management
        - Communication security between user and cloud: reliability of communication path, QoS; confidentiality and security of communication
        - Security of data storage: physical location of storage for disaster recovery, backup and geopolitical risks; isolation between data
        - Information Lifecycle Management
        - Data encryption and key management
        - Client device security
        - Cryptographic solution for communication, data and operation
        - User authentication, access control, user monitoring
      Business Continuity
        - Hardware reliability and redundancy
        - Cloud provider resiliency
        - Disaster recovery planning and operation
        - Management and governance of cloud provider
        - Availability and dependability of the system and the services
        - BCP of cloud provider
      Compliance
        - Laws and regulations conformity: internal control; personal data protection law; FISMA, HIPAA and others
        - Auditability and inquiry accommodation to users, third parties, administration and law enforcement
        - Digital forensics
        - Data storage location and effect from local laws and regulations and privacy requirement
        - SLA standards and guidelines
        - Service level assurance
      Usability
        - Portability/lock-in of data and applications
        - Process capability and scalability
        - Storage capacity and scalability
        - Interoperability and the standardization (cloud to cloud, cloud to on-premise)
        - Bottlenecks in data transfer
      Copyright © 2009-2010 Information-Technology Promotion Agency, 16/03/2010
  • 5. Agenda • Private cloud architecture • Microsoft Private Cloud Solutions • Top Cloud Computing Threats • Trust in the Cloud • Cloud Security: the challenges • Cloud Security Frame • Secure cloud architecture Q&A
  • 7. What Constitutes cloud computing? SOFTWARE AS A SERVICE PLATFORM AS A SERVICE INFRASTRUCTURE AS A SERVICE
  • 8. 1. Standardize Identity with Active Directory; 2. Virtualize with Hyper-V; 3. Standardize Management with System Center; 4. Enable Self Service with the Free Self Service Portal; 5. Deploy One App on the Windows Azure Platform
  • 9. Consuming and Delivering IT as a Service Compose Service Type Image Deploy Image SLA Requirements Attach Network Compliance Configure Image Requirements Service Self Service Configure Service Model Access Portal Requirements Configure Monitoring Load Estimates Configure Application Reporting Owner Configure Billing Backup Info Configure Security Reporting Monitor Compliance
  • 10. [Diagram] Labels: User; App; VM 1 to VM 4; Virtual FW; Secure VDI; Hypervisor; Clients; Support; Policy; Virtual Machines; Internet; SSL VPN; HR zone; DMZ; Finance zone.
      Virtualized Security Services: 1. DoS Protection; 2. Firewall; 3. Authentication; 4. Encryption; 5. NAT; 6. Intrusion prevention; 7. Real-time visibility; 8. Traffic prioritization
      Management & Compliance: Policies; Reporting
  • 11. Microsoft Private Cloud Components SELF-SERVICE MANAGEMENT VIRTUALIZATION IDENTITY
  • 12. Trust in the Cloud Compliance and Risk Management Identity and Access Management Information Protection Service Integrity Endpoint Integrity
  • 13. Security is the Major Issue
  • 14. Cloud computing Risks
      • LOCK-IN
      • LOSS OF GOVERNANCE
      • COMPLIANCE CHALLENGES
      • LOSS OF BUSINESS REPUTATION DUE TO CO-TENANT ACTIVITIES
      • CLOUD SERVICE TERMINATION OR FAILURE
      • CLOUD PROVIDER ACQUISITION
      • SUPPLY CHAIN FAILURE
      • RESOURCE EXHAUSTION
      • ISOLATION FAILURE
      • CLOUD PROVIDER MALICIOUS INSIDER
      • MANAGEMENT INTERFACE COMPROMISE
      • INTERCEPTING DATA IN TRANSIT
      • DATA LEAKAGE ON UP/DOWNLOAD, INTRA-CLOUD
      • INSECURE OR INEFFECTIVE DELETION OF DATA
      • UNDERTAKING MALICIOUS PROBES OR SCANS
      • DISTRIBUTED DENIAL OF SERVICE (DDOS)
      • ECONOMIC DENIAL OF SERVICE (EDOS)
      • LOSS OF ENCRYPTION KEYS
      • CONFLICTS BETWEEN CUSTOMER HARDENING PROCEDURES AND CLOUD ENVIRONMENT
      • COMPROMISE SERVICE ENGINE
      • SUBPOENA AND E-DISCOVERY
      • RISK FROM CHANGES OF JURISDICTION
      • DATA PROTECTION RISKS
  • 15. Commonly referenced cloud security Issues
      • Bad co-hosts: Amazon: Hey Spammers, Get Off My Cloud! http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
      • Denial of Service: Bitbucket's Amazon DDoS - what went wrong http://www.theregister.co.uk/2009/10/09/amazon_cloud_bitbucket_ddos_aftermath/
      • Many eggs, one basket: Lightning Zaps Amazon Cloud http://news.cnet.com/8301-1001_3-10263425-92.html
      • Security issues with Google Docs http://peekay.org/2009/03/26/security-issues-with-google-docs/
      • Lack of Standards
      • In-cloud federated Identity Management
      • Entitlement Management
      • Hypervisor & Virtual Machine Vulnerabilities:
          An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments (Tavis Ormandy, Google Inc.) http://taviso.decsystem.org/virtsec.pdf
          Blue Pill http://en.wikipedia.org/wiki/Blue_Pill_(malware) see also http://invisiblethingslab.com/itl/About.html
          Cloudburst: Arbitrary code execution vulnerability for VMWare http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
      • Crypto Ops in VM: Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine http://eprint.iacr.org/2009/474
      • Data Provenance: Where did the data come from?
      • Data Remanence: You can check out but can’t leave
      • Location & Privacy: Who looks at/after your data? And where? Jurisdictions?
  • 17. Demo • Configuring Baseline Security for the Private cloud
  • 18. Top Cloud Computing Threats • Threat 1: Abuse and Nefarious Use of Cloud Computing • Threat 2: Insecure Interfaces and APIs • Threat 3: Malicious Insiders • Threat 4: Shared Technology Issues • Threat 5: Data Loss or Leakage • Threat 6: Account or Service Hijacking • Threat 7: Unknown Risk Profile
  • 19. Abuse and Nefarious Use of Cloud Computing • Description: Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. • Examples: IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem — as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted. • Remediation: • Stricter initial registration and validation processes. • Enhanced credit card fraud monitoring and coordination. • Comprehensive introspection of customer network traffic. • Monitoring public blacklists for one’s own network blocks. • Service models shown: IaaS, PaaS, SaaS.
  • 21. Insecure Interfaces and APIs • Description: Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. • Examples: Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies. • Remediation: • Analyze the security model of cloud provider interfaces. • Ensure strong authentication and access controls are implemented in concert with encrypted transmission. • Understand the dependency chain associated with the API. • Service models shown: IaaS, PaaS, SaaS.
  • 22. Malicious Insiders • Description: The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection. • Examples: No public examples are available at this time. • Remediation: • Enforce strict supply chain management and conduct a comprehensive supplier assessment. • Specify human resource requirements as part of legal contracts. • Require transparency into overall information security and management practices, as well as compliance reporting. • Determine security breach notification processes. • Service models shown: IaaS, PaaS, SaaS.
  • 23. Shared Technology Issues • Description: Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data. • Examples: • Joanna Rutkowska’s Red and Blue Pill exploits • Kortchinsky’s CloudBurst presentations. • Remediation: • Implement security best practices for installation/configuration. • Monitor environment for unauthorized changes/activity. • Promote strong authentication and access control for administrative access and operations. • Enforce service level agreements for patching and vulnerability remediation. • Conduct vulnerability scanning and configuration audits. • Service models shown: IaaS, PaaS, SaaS.
  • 24. Data Loss or Leakage • Description: The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment. • Examples: Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys. • Remediation: • Implement strong API access control. • Encrypt and protect integrity of data in transit. • Analyze data protection at both design and run time. • Implement strong key generation, storage and management, and destruction practices. • Contractually demand providers wipe persistent media before it is released into the pool. • Contractually specify provider backup and retention strategies. • Service models shown: IaaS, PaaS, SaaS.
  • 26. Account or Service Hijacking • Description: Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services. • Examples: Amazon EC2 Zeus Password stealing. • Remediation: • Prohibit the sharing of account credentials between users and services. • Leverage strong two-factor authentication techniques where possible. • Employ proactive monitoring to detect unauthorized activity. • Understand cloud provider security policies and SLAs. • Service models shown: IaaS, PaaS, SaaS.
  • 28. Unknown Risk Profile • Description: When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information if any will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats. • Examples: IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computingqa.Html • Remediation: • Disclosure of applicable logs and data. • Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.). • Monitoring and alerting on necessary information. • Service models shown: IaaS, PaaS, SaaS.
  • 29. Fraud as a service What’s Required? • Buy the malware • Choose a server (“bulletproof hosting”) • Install malware on a server • Infect PCs • Keep the malware up-to-date
  • 30. Beyond Architecture: The Areas Of Critical Focus • Governance and Enterprise Risk Management • Legal and Electronic Discovery • Compliance and Audit • Information Lifecycle Management • Portability and Interoperability • Traditional Security, Business Continuity and Disaster Recovery • Data Center Operations • Incident Response, Notification and Remediation • Application Security • Encryption and Key Management • Identity and Access Management • Virtualization
  • 31. Analyzing Cloud Security • Clouds are massively complex systems that can be reduced to simple primitives that are replicated thousands of times and common functional units
  • 32. Cloud Security: the challenges Law & Compliance Provider & resource / data location Multi-tenancy Risks Cross-border data movement Security of shared resources Lack of transparency, PII and privacy obligations (HIPAA, GLBA) Process isolation Limited audit ability Poor quality of evidence Data segregation Regulatory violation Auditing and compliance (PCI, ISO 27001) ‘Data sharding ‘ (fragmentation across images) No risk transference for data Identity & Access Management Infrastructure misuse / break in Data Location & Mobility EU vs. US vs. China regulations Data Commingling (Government access). In-cloud segregation of data: difficult Differences in data protection Accidental seizure of customer data between regions during forensic investigations Cost of keeping data hosting in EU Resilience & Availability Cloud Audit data is legally owned by Latency sensitive applications CSP and not client. Enforcement of SLA obligations Service & Data Cases of CSP refusing to ‘hand Insufficient capabilities to cater for over audit logs’. critical data Security Extremely difficult to involve law enforcement with CSP activities - Cloud lock in breach investigation/litigation. Lack of standards Security at multiple layers Lack of interoperability Virtual image provided by Limited service portability IaaS provider Incompatible management Platform stack provided processes by PaaS provider IaaS,PaaS issues + application security
  • 33. Cloud Security: the challenges Isolation Data risks CSP’s do not allow clients to Hypervisor-VM and inter-VM isolation classify data. • Robust at system level (modulo kernel bugs) CSP’s cannot offer different levels • Issues at management plane of security based upon data • Memory hijacking sensitivity. No DLP – data leakage protection services offered. Virtual VM Security Infrastructure Guest OS needs security protection Physical 2 virtual mapping • at massive scale Crypto doesn’t like virtual Security resilient VM life-cycle Current algorithms set to • secure, scalable, dynamic optimise resource pooling Can’t always use specialised HW Encryption key management. Reliance on VM vendor security Issues with guest OS Security Can VMWare, Microsoft be trusted to implement kernel security correctly ?…
  • 35. Private Clouds and User Roles VMM Admin Delegated Admin VMM Admin Cloud Manager Scope: Everything Delegated Admin Scope cannot be Scope: Host groups and Cloud Manager modified Clouds Self-Service User Can take any action Scope: Clouds only Create cloud from Self-Service User physical capacity Subdivides clouds Scope: Clouds only Access to cloud Delegates clouds automatically gives Manages services and Includes all Self-Service VMs access to host groups User rights Includes all Cloud Authors templates Manager rights Shares resources Actions can be revoked Quota: Per-user limit
  • 36. User Roles and Scope • VMM Admin • Delegated Admin • Cloud Manager • Self-Service User
  • 37. Private Cloud Usage Scenarios • VMM Admin creates a private cloud • VMM Admin delegates the cloud to Cloud Manager • Cloud Manager sub-divides the cloud and assigns it to Self-Service User • Self-Service User creates VMs and services in the cloud
  • 38. Security as a service
  • 39. Identity as a service (IDaaS)
  • 40. IAM Protocols and Standards • SAML • XACML • OAuth • OpenID • OATH • OpenAuth
  • 41. Demo Set Cloud CSRF (oneClick) to Stop machine
  • 42. The future of cloud computing security • Infrastructure security – Greater transparency of security capabilities. • Data security and storage – Predicate encryption • Identity and access management – Hybrid IAM strategy • Security management – Unified Management function across CSP’s
  • 43. Resources • http://www.cloudsecurityalliance.org/Research.html • http://csrc.nist.gov/groups/SNS/cloud-computing/index.html • Microsoft Security Compliance Manager – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displayLang=en • Build Your Own Private Cloud – http://www.microsoft.com/virtualization/en/us/private-cloud-get-started.aspx • http://blogs.technet.com/b/ddcalliance/archive/2010/02/16/dynamic-infrastructure-toolkit-for-system-center-dit-sc-sneak-peek-into-on-boarding.aspx
  • 44. Thank You ! Nimrod@Qrity.com
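Added example, not part of the original deck: slide 21 ("Insecure Interfaces and APIs") lists anonymous access, reusable tokens and improper authorization as examples and asks for strong authentication alongside encrypted transmission. The sketch below shows one server-side check for HMAC-signed API requests that rejects unknown callers, tampered fields, stale timestamps and replayed nonces. The field layout, the 300-second window, the paths, the tenant name and the key are assumptions made for illustration, and the scheme still has to run over TLS.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)

def sign(key: bytes, method: str, path: str, ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over every field the server will act on."""
    digest = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method.upper(), path, str(ts), nonce, digest]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class RequestVerifier:
    """Server side: per-client keys plus a cache of nonces already accepted."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.seen = {}  # (client_id, nonce) -> timestamp of the accepted request

    def verify(self, client_id, method, path, ts, nonce, body, sig, now=None):
        now = int(time.time()) if now is None else now
        key = self.keys.get(client_id)
        if key is None:
            return "unknown client"      # no anonymous access
        if abs(now - ts) > MAX_SKEW:
            return "stale timestamp"     # a captured request ages out
        expected = sign(key, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, sig):
            return "bad signature"       # tampered field or wrong key
        # Expire old nonces so the cache stays bounded; anything older than
        # MAX_SKEW is already rejected by the timestamp check above.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if (client_id, nonce) in self.seen:
            return "replayed nonce"      # the signature is single-use
        self.seen[(client_id, nonce)] = ts
        return "ok"

def demo():
    key = b"constructed-demo-key"        # constructed sample secret
    v = RequestVerifier({"tenant-a": key})
    body = b'{"vm": "web-01", "action": "stop"}'  # constructed sample request
    sig = sign(key, "POST", "/v1/vms/stop", 1000, "n-1", body)
    return [
        v.verify("tenant-a", "POST", "/v1/vms/stop", 1000, "n-1", body, sig, now=1010),
        v.verify("tenant-a", "POST", "/v1/vms/stop", 1000, "n-1", body, sig, now=1020),
        v.verify("tenant-a", "POST", "/v1/vms/delete", 1000, "n-2", body, sig, now=1020),
        v.verify("tenant-a", "POST", "/v1/vms/stop", 1000, "n-1", body, sig, now=2000),
        v.verify("anonymous", "POST", "/v1/vms/stop", 1000, "n-1", body, sig, now=1010),
    ]
```

The nonce is recorded only after the signature verifies, so unauthenticated traffic cannot fill the replay cache.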