Cloud Security ("securing the cloud")
Vic Winkler's 2011 FOSE presentation in Washington DC. The talk was based on the book: "Securing the Cloud" (Elsevier 2011).

Highlights:
  • Top 10 Cloud Security Concerns
  • Is organizational control good for cloud security?
  • Architectural examples for cloud security

Presentation Transcript

    • Slide 1: NGI-4: Cloud. The Technical Foundations of Security and Interoperability (Overview). Vic Winkler, July 2011, Washington, DC. Booz | Allen | Hamilton.
    • Slide 2: The Technical Foundations of Security and Interoperability. This presentation is based on my book: “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress, May 2011). Graphics are copyrighted by Elsevier/Syngress 2011 (this applies to the graphics on all slides that follow). My experiences in designing, implementing and operating the security for “SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+), and research into best practices in cloud security (2008-2011). Previously, I was a pioneer in network- and systems-based intrusion detection and designed a B1 trusted Unix system.
    • Slide 3: A Brief, Distorted View of History (Overview): Continuing Technology Evolution.
    • Slide 4: More “Evolution” than “Revolution”. So, what is “cloud”?
    • Slide 5: A Minor Problem With Words… Most common question: Is “cloud” secure?
    • Slide 6: Booz Allen: Cloud Computing “Quick Look” Assessment. The QLA approach analyzes the organization and its potential cloud candidate functions and applications across eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each: Business/Mission; Technology; Economics; Security; Governance & Policy; IT Management; Organization; Change Management.
    • Slide 7: Cloud: A Model for Computing, A Model for Service Delivery.
        – “Cloud Services”: IT model for service delivery, expressed, delivered and consumed over the Internet or a private network: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS).
        – “Cloud Computing”: IT model for computing; an environment composed of the IT components necessary to develop and deliver “cloud services”.
    • Slide 8: The Services Stack: Two Perspectives. What about security? …“Confidentiality”, “Integrity” and “Availability”?
    • Slide 9: The NIST Cloud Model.
    • Slide 10: Security Concerns? (counting down from 10 to 1)
        – 10. Unknown Risks: Concern that cloud computing brings new classes of risks and vulnerabilities.
        – 9. Control over Data: User data may be commingled with data belonging to others.
        – 8. Legal and Regulatory Compliance: It may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance.
        – 7. Disaster Recovery and Business Continuity: Cloud tenants and users require confidence that their operations and services will continue despite a disaster.
        – 6. Security Incidents: Tenants and users need to be informed and supported by a provider.
        – 5. Transparency: Trust in a cloud provider’s security claims entails provider transparency.
        – 4. Cloud Provider Viability: Since cloud providers are relatively new to the business, there are questions about provider viability and commitment.
        – 3. Privacy and Data concerns with public or community clouds: Data may not remain in the same system, raising multiple legal concerns.
        – 2. User Error: A user may inadvertently leak highly sensitive or classified information into a public cloud.
        – 1. Network Availability: The cloud must be available whenever you need it.
    • Slide 11: Security Concerns: Sensitive Data & Regulatory Compliance.
    • Slide 12: Security Concerns: Transparency.
    • Slide 13: Security Concerns: Example of Private Cloud Concerns.
    • Slide 14: Security Concerns: Trade-Offs.
    • Slide 15: Cloud Services are Expressed From Cloud IT Infrastructure.
    • Slide 16: Virtualization and Elastic Service Expression.
    • Slide 17: Is Organizational Control Good for Security?
    • Slide 18: Scope of Control.
    • Slide 19: IaaS, PaaS and SaaS: Data Ownership.
    • Slide 20: Organizational Control with Private versus Public.
    • Slide 21: Cloud Demands Advanced Management Capabilities (this should benefit security).
    • Slide 22: Planning for Competitive Pricing (…in other words, “cost-effective security”).
    • Slide 23: Planning for Fundamental Changes.
    • Slide 24: Patterns are Key for Cloud Infrastructure.
    • Slide 25: …Patterns are Key for Cloud Infrastructure (continued).
    • Slide 26: …Patterns are Key for Cloud Infrastructure (continued).
    • Slide 27: Example: Separate Paths, Separate Networks.
    • Slide 28: Example: …Separate Paths, Separate Networks (continued).
    • Slide 29: Assessment: Is it “Correct”, “Secure” and Does it Meet Requirements?
    • Slide 30: How Much Assurance?
    • Slide 31: Operationally, How Will You Know?
    • Slide 32: Security Monitoring: A High-Volume Activity.
    • Slide 33: Monitoring Really Wants To Be A Near-Real-Time Feedback Loop.
    • Slide 34: Beyond Security Monitoring: Integrated Operational Security.
    • Slide 35: Example: Security Use for CMDB.
    • Slide 36: Defense-in-Depth in Infrastructure.
    • Slide 37: What are the BIG Lessons?
        – Provider:
            • Model T approach: Any color the customer wants …as long as it’s “black”. Special requests undercut profits.
            • Plan ahead: Focus on eventual operations costs and on the certainty of change to the infrastructure.
            • Seek to automate almost everything: identify procedures/processes to drive down costs; identify and refine patterns.
            • Segregate information: don’t mix infrastructure management information …with security information …with customer data …etc.
            • Architect for completely separate paths: (Public) (Infrastructure control) (Network device control) (Security management). This entails a differentiated set of networks.
            • Isolate, Isolate, Isolate. Encrypt, Encrypt, Encrypt.
        – Consumer:
            • Who is the provider?
            • What are you really buying? Transparency, independent verification, indemnification?
    • Slide 38: Thank You. Business: Winkler_Joachim@BAH.Com; Personal: Vic@VicWinkler.Com; Phone: 703.622.7111. “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress 2011).
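The "completely separate paths" lesson on the closing slide (public, infrastructure control, network device control, security management, each on its own network) is easy to state and easy to erode one host at a time. The following is an added example, not code from the presentation or the book: a small inventory check that flags hosts whose interfaces bridge two of those paths. The inventory format, the host names and the rule set are assumptions made for the example.

```python
"""Added example (not from the presentation): check a host/interface
inventory against the "separate paths" pattern from the closing slide.
Inventory layout, host names and rules are assumptions for illustration."""

from collections import defaultdict

# The four separate paths named on the slide (assumed labels).
PATHS = {"public", "infra_control", "netdev_control", "sec_mgmt"}

# Constructed sample inventory: host -> list of (interface, path) pairs.
SAMPLE_INVENTORY = {
    "web01": [("eth0", "public")],
    "hv03": [("eth0", "public"), ("eth1", "infra_control")],  # bridges paths
    "sw-core": [("mgmt0", "netdev_control")],
    "siem01": [("eth0", "sec_mgmt"), ("eth1", "infra_control")],
    "jump01": [("eth0", "sec_mgmt"), ("eth1", "unknown_vlan")],
}


def find_violations(inventory):
    """Return a list of (host, reason) for hosts that break path separation.

    Rules (assumptions): every interface must sit on one of the four named
    paths; a host on the public path may be on no other path; a host on
    more than one control/management path collapses two planes onto one
    box. A host touching two paths is exactly where a compromise of one
    path can reach the other, so these are the findings to review first.
    """
    violations = []
    control_paths = PATHS - {"public"}
    for host, ifaces in inventory.items():
        paths = {path for _, path in ifaces}
        unknown = paths - PATHS
        if unknown:
            violations.append((host, f"unclassified path(s): {sorted(unknown)}"))
        if "public" in paths and len(paths & PATHS) > 1:
            violations.append((host, "public path shares a host with a control path"))
        elif len(paths & control_paths) > 1:
            violations.append((host, "multiple control/management paths on one host"))
    return violations


def hosts_per_path(inventory):
    """Map each path to the sorted hosts attached to it (a CMDB-style view)."""
    by_path = defaultdict(set)
    for host, ifaces in inventory.items():
        for _, path in ifaces:
            by_path[path].add(host)
    return {path: sorted(hosts) for path, hosts in by_path.items()}


if __name__ == "__main__":
    for host, reason in find_violations(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Feeding the check a real inventory export (and re-running it as part of change management) turns the slide's "isolate, isolate, isolate" into something monitored rather than assumed.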