Practical Security Problems in Cloud Computing Alon Refaeli – Porticor Technologies [email_address] May 2009

The Cloud Computing Main Elements Infrastructure As a Service (IaaS) – switch , NT, access control etc. Platform As a Service (PaaS) - .Net,Java,LAMP etc. Software As a Service (SaaS) – CRM, ERP etc.

Infrastructure As a Service (IaaS) – switch , NT, access control etc.

Platform As a Service (PaaS) - .Net,Java,LAMP etc.

Software As a Service (SaaS) – CRM, ERP etc.

Foundational Elements of Cloud Computing Business Models : Web 2.0 • Software as a Service (SaaS) • Utility Computing • Service Level Agreements • Open standards, Data Portability, and Accessibility Architecture : Autonomic System Computing Grid Computing Platform Virtualization Web Services Service Oriented Architectures Web application frameworks Open source software

Business Models :

Web 2.0

• Software as a Service (SaaS)

• Utility Computing

• Service Level Agreements

• Open standards, Data Portability, and Accessibility

Architecture :

Autonomic System Computing

Grid Computing

Platform Virtualization

Web Services

Service Oriented Architectures

Web application frameworks

Open source software

Why Cloud Computing? Capital Expenditure Multitenancy Scalability Reliability Security Performance Location Independence

Capital Expenditure

Multitenancy

Scalability

Reliability

Security

Performance

Location Independence

Cyber Threats – No End in Sight Thousands of cyber attacks each day on key utilities Well known infrastructure-based disruptions : September 11 Internet Inaccessibility , Estonian DDoS Attacks ,DNS Attacks ,Georgian Attacks from Russia General consensus – attacks growing in sophistication and scale

Thousands of cyber attacks each day on key utilities

Well known infrastructure-based disruptions : September 11 Internet Inaccessibility , Estonian DDoS Attacks ,DNS Attacks ,Georgian Attacks from Russia

General consensus – attacks growing in sophistication and scale

Security Threats + Cloud = ?? New challenges emerge as services become more distributed : Nobody ‘owns’ the cloud Everyone relies on the cloud Each individual autonomous system is responsible for securing their section of the cloud Impact of their actions now affects everyone – even more than before! Bottom line… things that impact you and your business don’t end at your gateway anymore

New challenges emerge as services become more distributed :

Nobody ‘owns’ the cloud

Everyone relies on the cloud

Each individual autonomous system is responsible for securing their section of the cloud

Impact of their actions now affects everyone – even more than before!

Bottom line… things that impact you and your business don’t end at your gateway anymore

Cloud Computing Threats

Security follows mainstream IT Platform Evolution 1990’s Operational Complexity Reduced 2000 2002 2005 Software Gateway Software Client-Server Appliance SaaS Software End-Point 2009 Virtual Machine Cloud Mobile

Key Customer Questions on SaaS and Cloud Client type services Privacy Performance Availability Personalization Encryption Global/Local Caching Application Design Multi-Tenant

What is the role of Access Management? Organizations don ’ t get a clear view of who has done what with a resource, so cannot demonstrate ‘ control ’ Common Pain points Who did access what? Who should have access to what? Siloed approach to authorization across hundreds or even thousands of applications Who has Access to what? Months to modify applications with embedded authorization policy or by deploying agents

The 3 primary security concerns for Cloud Computing 1. federated authentication 2. entitlement/authorization control (based on multiple attributes) 3. transaction logging for audit, compliance and forensics

1. federated authentication

2. entitlement/authorization control (based on multiple attributes)

3. transaction logging for audit, compliance and forensics

federated authentication No.1 is available through Identity-as-a-service vendors such as Tricipher. SAML will become the standard Federated Identity model once MS Geneva is rolled out.

No.1 is available through Identity-as-a-service vendors such as Tricipher.

SAML will become the standard Federated Identity model once MS Geneva is rolled out.

entitlement/authorization control No.2 is more difficult. Entitlement/AuthZ is built into apps such as salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine grained controls needed for audit & compliance. This is where network-based AuthZ players play.

No.2 is more difficult.

Entitlement/AuthZ is built into apps such as salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine grained controls needed for audit & compliance. This is where network-based AuthZ players play.

transaction logging No.3 - transaction logging in my opinion is the big deal-breaker. If you don't know 'who' has done 'what' in your cloud apps, then how will you survive a SOX or PCI audit? This is probably one of the major questions that needs to be answered by new Cloud Security (start-ups) vendors.

No.3 - transaction logging in my opinion is the big deal-breaker.

If you don't know 'who' has done 'what' in your cloud apps, then how will you survive a SOX or PCI audit?

This is probably one of the major questions that needs to be answered by new Cloud Security (start-ups) vendors.

Standardization of security in Cloud Computing It is still in early stage – this is the time to shape and influence – the NIST is trying to the role. The main problem is the Identity and Access Management, which will be different from the current solutions.

It is still in early stage – this is the time to shape and influence – the NIST is trying to the role.

The main problem is the Identity and Access Management, which will be different from the current solutions.

References Amazon : http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf RSA Event 2009 : http://www.vnunet.com/vnunet/news/2240794/rsa-2009-cryptography-experts

Amazon :

http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf

RSA Event 2009 :

http://www.vnunet.com/vnunet/news/2240794/rsa-2009-cryptography-experts