Your SlideShare is downloading. ×
0
Cloud Computing Security
Muhammad Adeel Javaid,
(Microsoft Certified Partner)
Cloud Service
Models
• Software as a Service (SaaS)
• We use the provider apps
• User doesn’t manage or control the
networ...
Cloud Service
Models
• Infrastructure as a
Service (IaaS)
• Consumers gets access to
the infrastructure to deploy
their st...
Deployment Models
• Public
• Cloud infrastructure is
available to the general
public, owned by org
selling cloud services
...
Deployment Models
• Community
• Cloud infrastructure shared by
several orgs that have shared
concerns, managed by org or 3...
Security Pitfalls
• How cloud services are
provided confused with where
they are provided
• Well demarcated network
securi...
Cloud Computing –
Service Provider
Priorities
 Ensure confidentiality, integrity, and
availability in a multi-tenant
envi...
Cloud Security-Responsibility
Model
Governance
• Identify, implement
process, controls to
maintain effective
governance, risk mgt,
compliance
• Provider secur...
3rd
Party Governance
• Request clear docs on
how facility & services
are assessed
• Require definition of what
provider co...
Legal, e-Discovery
• Functional: which
functions & services in the
Cloud have legal
implications for both
parties
• Jurisd...
Legal, e-Discovery
• Both parties must understand
each other’s roles
− Litigation hold, Discovery searches
− Expert testim...
Legal, e-Discovery
• Plan for unexpected contract
termination and orderly return
or secure disposal of assets
• You should...
Compliance & Audit
• Hard to maintain with your
sec/reg requirements, harder
to demonstrate to auditors
• Right to Audit c...
Info Lifecycle Mgt
• Data security (CIA)
• Data Location
• All copies, backups stored only at
location allowed by contract...
Portability,
Interoperability
• When you have to switch cloud
providers
• Contract price increase
• Provider bankruptcy
• ...
Security, BC, DR
• Centralization of data = greater
insider threat from within the
provider
• Require onsite inspections o...
Data Center Ops
• How does provider do:
• On-demand self service
• Broad network access
• Resource pooling
• Rapid elastic...
Incident Response
•Cloud apps aren’t always
designed with data integrity,
security in mind
•Provider keep app, firewall,
I...
Application Security
• Different trust boundaries for
IaaS, PaaS, Saas
• Provider web application
security?
• Secure inter...
Encryption, Key Mgt
• Encrypt data in transit, at rest,
backup media
• Secure key store
• Protect encryption keys
• Ensure...
ID, Access Mgt
• Determine how provider
handles:
• Provisioning, deprovisioning
• Authentication
• Federation
• Authorizat...
Virtualization
• What type of virtualization is
used by the provider?
• What 3rd
party security
technology augments the vi...
Cloud Security
Responsibilities
by Providers and Users
Source: Reference [4]
Cloud Security Control Model
25
Conclusions:
• Computing clouds are changing the whole IT ,
service industry, and global economy. Clearly,
cloud computing...
References
• All material from “Security Guidance for
Critical Areas of Focus in Cloud Computing
v2.1”, http://www.cloudse...
Upcoming SlideShare
Loading in...5
×

Cloud security

391

Published on

In Cloud, existing vulnerabilities, threats, and associated attacks raise several security concerns. Vulnerabilities in Cloud can be defined as the loopholes in the security architecture of Cloud, which can be exploited by an adversary via sophisticated techniques to gain access to the network and other infrastructure resources. In these slides, we discuss major Cloud specific vulnerabilities, which pose serious threats to Cloud computing.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
391
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
55
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Cloud security"

  1. 1. Cloud Computing Security Muhammad Adeel Javaid, (Microsoft Certified Partner)
  2. 2. Cloud Service Models • Software as a Service (SaaS) • We use the provider apps • User doesn’t manage or control the network, servers, OS, storage or applications • Platform as a Service (PaaS) • User deploys their apps on the cloud • Controls their apps • User doesn’t manage servers, IS, storage 2
  3. 3. Cloud Service Models • Infrastructure as a Service (IaaS) • Consumers gets access to the infrastructure to deploy their stuff • Doesn’t manage or control the infrastructure • Does manage or control the OS, storage, apps, selected network components3
  4. 4. Deployment Models • Public • Cloud infrastructure is available to the general public, owned by org selling cloud services • Private • Cloud infrastructure for single org only, may be managed by the org or a 3rd party, on or off premise4
  5. 5. Deployment Models • Community • Cloud infrastructure shared by several orgs that have shared concerns, managed by org or 3rd party • Hybrid • Combo of >=2 clouds bound by standard or proprietary technology 5
  6. 6. Security Pitfalls • How cloud services are provided confused with where they are provided • Well demarcated network security border is not fixed • Cloud computing implies loss of control 6
  7. 7. Cloud Computing – Service Provider Priorities  Ensure confidentiality, integrity, and availability in a multi-tenant environment.  Effectively meet the advertised SLA, while optimizing cloud resource utilization.  Offer tenants capabilities for self- service, and achieve scaling through automation and simplification.
  8. 8. Cloud Security-Responsibility Model
  9. 9. Governance • Identify, implement process, controls to maintain effective governance, risk mgt, compliance • Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process9
  10. 10. 3rd Party Governance • Request clear docs on how facility & services are assessed • Require definition of what provider considers critical services, info • Perform full contract, terms of use due diligence to determine roles, accountability10
  11. 11. Legal, e-Discovery • Functional: which functions & services in the Cloud have legal implications for both parties • Jurisdictional: which governments administer laws and regs impacting services, stakeholders, data assets11
  12. 12. Legal, e-Discovery • Both parties must understand each other’s roles − Litigation hold, Discovery searches − Expert testimony • Provider must save primary and secondary (logs) data • Where is the data stored? • laws for cross border data flows 12
  13. 13. Legal, e-Discovery • Plan for unexpected contract termination and orderly return or secure disposal of assets • You should ensure you retain ownership of your data in its original form 13
  14. 14. Compliance & Audit • Hard to maintain with your sec/reg requirements, harder to demonstrate to auditors • Right to Audit clause • Analyze compliance scope • Regulatory impact on data security • Evidence requirements are met • Do Provider have SAS 70 Type II, ISO 27001/2 audit statements?14
  15. 15. Info Lifecycle Mgt • Data security (CIA) • Data Location • All copies, backups stored only at location allowed by contract, SLA and/or regulation • Compliant storage (EU mandate) for storing e-health records 15
  16. 16. Portability, Interoperability • When you have to switch cloud providers • Contract price increase • Provider bankruptcy • Provider service shutdown • Decrease in service quality • Business dispute 16
  17. 17. Security, BC, DR • Centralization of data = greater insider threat from within the provider • Require onsite inspections of provider facilities • Disaster recover, Business continuity, etc 17
  18. 18. Data Center Ops • How does provider do: • On-demand self service • Broad network access • Resource pooling • Rapid elasticity • Measured service 18
  19. 19. Incident Response •Cloud apps aren’t always designed with data integrity, security in mind •Provider keep app, firewall, IDS logs? •Provider deliver snapshots of your virtual environment? •Sensitive data must be encrypted for data breach regs 19
  20. 20. Application Security • Different trust boundaries for IaaS, PaaS, Saas • Provider web application security? • Secure inter-host communication channel 20
  21. 21. Encryption, Key Mgt • Encrypt data in transit, at rest, backup media • Secure key store • Protect encryption keys • Ensure encryption is based on industry/govt standards. • NO proprietary standard • Limit access to key stores • Key backup & recoverability • Test these procedures 21
  22. 22. ID, Access Mgt • Determine how provider handles: • Provisioning, deprovisioning • Authentication • Federation • Authorization, user profile mgt 22
  23. 23. Virtualization • What type of virtualization is used by the provider? • What 3rd party security technology augments the virtual OS? • Which controls protect admin interfaces exposed to users? 23
  24. 24. Cloud Security Responsibilities by Providers and Users Source: Reference [4]
  25. 25. Cloud Security Control Model 25
  26. 26. Conclusions: • Computing clouds are changing the whole IT , service industry, and global economy. Clearly, cloud computing demands ubiquity, efficiency, security, and trustworthiness. • Cloud computing has become a common practice in business, government, education, and entertainment leveraging 50 millions of servers globally installed at thousands of datacenters today. • Private clouds will become widespread in addition to using a few public clouds, that are under heavy competition among Google, MS, Amazon, Intel, EMC, IBM, SGI, VMWare, Saleforce.com, etc. • Effective trust management, guaranteed security, user privacy, data integrity, mobility support, and copyright protection are crucial to the universal acceptance of cloud as a
  27. 27. References • All material from “Security Guidance for Critical Areas of Focus in Cloud Computing v2.1”, http://www.cloudsecurityalliance.org • All figures in this talk taken from this paper • NIST Cloud Model: www.csrc.nist.gov/groups/SNS/cloud-computing/inde • Various cloud working groups • Open Cloud Computing Interface Working Group, Amazon EC2 API, Sun Open Cloud API, Rackspace API, GoGrid API, DMTF Open Virtualization Format (OVF) 27
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×