Cloud computing - Risks and Mitigation - GTS
Upcoming SlideShare
Loading in...5
×
 

Cloud computing - Risks and Mitigation - GTS

on

  • 4,198 views

Cloud Computing Risks and Mitigation presentation at GTS 14, São Paulo, Brazil, November 2009

Cloud Computing Risks and Mitigation presentation at GTS 14, São Paulo, Brazil, November 2009

Statistics

Views

Total Views
4,198
Views on SlideShare
3,695
Embed Views
503

Actions

Likes
2
Downloads
164
Comments
0

6 Embeds 503

http://anchisesbr.blogspot.com.br 269
http://anchisesbr.blogspot.com 189
http://www.slideshare.net 41
http://anchisesbr.blogspot.pt 2
http://www.blogger.com 1
https://www.google.com.br 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Cloud computing - Risks and Mitigation - GTS Cloud computing - Risks and Mitigation - GTS Presentation Transcript

  • Cloud Computing Enterprise Risks and Mitigation Anchises M. G. de Paula iDefense Intelligence Analyst Nov. 2009 GTS - 14
  • Agenda source: sxc.hu Overview of cloud computing Cloud computing risks and generic mitigation strategies Cloud Computing for Malicious Intent Questions and answers GTS - 14 2 22 Copyright iDefense 2009
  • Overview of cloud computing 3 GTS - 14 3 Copyright iDefense 2009
  • Overview The term “cloud computing” is poorly defined GTS - 14 4 44 Copyright iDefense 2009
  • Overview The term “cloud computing” is poorly defined “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html GTS - 14 5 55 Copyright iDefense 2009
  • Overview The term “cloud computing” is poorly defined “Essential Cloud Characteristics: • On-demand self-service • Broad network access • Resource pooling • Location independence • Rapid elasticity • Measured service” GTS - 14 6 66 Copyright iDefense 2009
  • Overview The term “cloud computing” is poorly defined GTS - 14 7 77 Copyright iDefense 2009
  • Overview The term “cloud computing” is poorly defined Multiple vendors, multiple definitions Utility pricing model Cloud-based Service Provider (CSP) handle burden of resources GTS - 14 8 88 Copyright iDefense 2009
  • Overview Three basic categories for cloud computing technologies: – Infrastructure as a Service (IaaS) Resource Abstraction – Platform as a Service (PaaS) – Software as a Service (SaaS) GTS - 14 9 99 Copyright iDefense 2009
  • Variations on a Theme Public Cloud 10 GTS - 14 10 10 Copyright iDefense 2009
  • Variations on a Theme Public Cloud Private Cloud 11 GTS - 14 11 11 Copyright iDefense 2009
  • Variations on a Theme Public Cloud Private Cloud Hybrid Cloud 12 GTS - 14 12 12 Copyright iDefense 2009
  • Cloud computing risks and generic mitigation strategies 13 GTS - 14 13 Copyright iDefense 2009
  • Areas of Risk ▪ Privileged User Access ▪ Data Segregation ▪ Regulatory Compliance ▪ Physical Location of Data ▪ Availability ▪ Recovery ▪ Investigative Support ▪ Viability and Longevity 14 GTS - 14 14 14 Copyright iDefense 2009
  • Mitigation Strategies Understand the risks Evaluate any potential cloud-based solution and CSP Unique solution, generic risks source: sxc.hu 15 GTS - 14 15 15 Copyright iDefense 2009
  • Risks Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party 16 GTS - 14 16 16 Copyright iDefense 2009
  • Mitigation Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party Privilege Access Control Mitigation: – Support to HR and data policies – Outsourcing involved? – Evaluate the access controls 17 GTS - 14 17 17 Copyright iDefense 2009
  • Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 18 GTS - 14 18 18 Copyright iDefense 2009
  • Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 19 GTS - 14 19 19 Copyright iDefense 2009
  • Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 20 GTS - 14 20 20 Copyright iDefense 2009
  • Mitigation Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption Data Segregation Mitigation: – What’s the risk of data segregation failure? – Encryption of data: shifting of risks – Understand the “how, where, when” of consumer data storage 21 GTS - 14 21 21 Copyright iDefense 2009
  • Risks Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks 22 GTS - 14 22 22 Copyright iDefense 2009
  • Mitigation Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks Regulatory Control Mitigation: FISMA – Know your regulatory obligation HIPAA – Know your CSP’s regulatory obligations SOX PCI – Understand your liabilities SAS 70 – Location may change regulatory obligations Audits 23 GTS - 14 23 23 Copyright iDefense 2009
  • Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 24 GTS - 14 24 24 Copyright iDefense 2009
  • Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 10/9/09 SA pigeon 'faster than broadband' BBC News Cyber A Durban IT company pitted an 11-month- old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers. 25 GTS - 14 25 25 Copyright iDefense 2009
  • Mitigation Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure Physical Location of Data Mitigation: – Identify your data’s location – Avoid CSPs that cannot guarantee the location – Avoid CSPs that use data centers in hostile countries – Use CSPs that reside in consumer’s country 26 GTS - 14 26 26 Copyright iDefense 2009
  • Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 27 GTS - 14 27 27 Copyright iDefense 2009
  • Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 28 GTS - 14 28 28 Copyright iDefense 2009
  • Mitigation Service Availability Mitigation: – Availability is the greatest risk ! – Understand the CSP’s infrastructure: avoid single points of failure – Private clouds may reduce the availability risk, but introduce additional cost and overhead – Establish service-level agreements (SLAs) with their CSPs – Balance the risk introduced by using multiple data centers with the risk of a single site failure – Assume at least one outage, what’s the impact to you? 29 GTS - 14 29 29 Copyright iDefense 2009
  • Risks Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime 30 GTS - 14 30 30 Copyright iDefense 2009
  • Mitigation Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime Recovery Mitigation: – Understand backed up systems (Encrypted? Multiple sites?) – Identify the time required to completely recover data – Practice a full recovery to test the CSP’s response time 31 GTS - 14 31 31 Copyright iDefense 2009
  • Risks Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances 32 GTS - 14 32 32 Copyright iDefense 2009
  • Mitigation Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances Investigative Support Mitigation: – Establish policies and procedures with the CSP – Avoid CSPs unwilling to participate in incident 33 GTS - 14 33 33 Copyright iDefense 2009
  • Risks Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk 34 GTS - 14 34 34 Copyright iDefense 2009
  • Mitigation Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk Viability and Longevity Mitigation: – Understand the way a CSP can “going dark” – Have a secondary CSP in mind – Review the history and financial stability of any CSP prior to engaging 35 GTS - 14 35 35 Copyright iDefense 2009
  • Cloud Computing for Malicious Intent 36 GTS - 14 36 Copyright iDefense 2009
  • Malicious use source: sxc.hu Bad guys are already using such technology ;) – Botnets – Hacking as a Service, SPAM 37 GTS - 14 37 37 Copyright iDefense 2009
  • Malicious use source: sxc.hu Bad guys are already using such technology – Botnets – Hacking as a Service, SPAM 11/9/09 Bot herders hide master control channel in Google cloud by Dan Goodin, The Register Cyber criminals' love affair with cloud computing Malicious use of Cloud Services just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large – C&C Server on the cloud networks of infected computers. – Storage of malicious data – Cracking passwords 38 GTS - 14 38 38 Copyright iDefense 2009
  • Conclusion 39 GTS - 14 39 Copyright iDefense 2009
  • Conclusions Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed. Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. 40 GTS - 14 40 40 Copyright iDefense 2009
  • Additional Reading Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing” http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security” http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk- assessment iDefense Topical Research Paper: “Cloud Computing” 41 GTS - 14 41 41 Copyright iDefense 2009
  • Q&A GTS - 14 42 Copyright iDefense 2009
  • Thank You Anchises M. G. de Paula iDefense Intelligence Analyst 43