Cloud computing - Risks and Mitigation - GTS

4,362 views
4,237 views

Published on

Cloud Computing Risks and Mitigation presentation at GTS 14, São Paulo, Brazil, November 2009

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,362
On SlideShare
0
From Embeds
0
Number of Embeds
523
Actions
Shares
0
Downloads
183
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Cloud computing - Risks and Mitigation - GTS

  1. 1. Cloud Computing Enterprise Risks and Mitigation Anchises M. G. de Paula iDefense Intelligence Analyst Nov. 2009 GTS - 14
  2. 2. Agenda source: sxc.hu Overview of cloud computing Cloud computing risks and generic mitigation strategies Cloud Computing for Malicious Intent Questions and answers GTS - 14 2 22 Copyright iDefense 2009
  3. 3. Overview of cloud computing 3 GTS - 14 3 Copyright iDefense 2009
  4. 4. Overview The term “cloud computing” is poorly defined GTS - 14 4 44 Copyright iDefense 2009
  5. 5. Overview The term “cloud computing” is poorly defined “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html GTS - 14 5 55 Copyright iDefense 2009
  6. 6. Overview The term “cloud computing” is poorly defined “Essential Cloud Characteristics: • On-demand self-service • Broad network access • Resource pooling • Location independence • Rapid elasticity • Measured service” GTS - 14 6 66 Copyright iDefense 2009
  7. 7. Overview The term “cloud computing” is poorly defined GTS - 14 7 77 Copyright iDefense 2009
  8. 8. Overview The term “cloud computing” is poorly defined Multiple vendors, multiple definitions Utility pricing model Cloud-based Service Provider (CSP) handle burden of resources GTS - 14 8 88 Copyright iDefense 2009
  9. 9. Overview Three basic categories for cloud computing technologies: – Infrastructure as a Service (IaaS) Resource Abstraction – Platform as a Service (PaaS) – Software as a Service (SaaS) GTS - 14 9 99 Copyright iDefense 2009
  10. 10. Variations on a Theme Public Cloud 10 GTS - 14 10 10 Copyright iDefense 2009
  11. 11. Variations on a Theme Public Cloud Private Cloud 11 GTS - 14 11 11 Copyright iDefense 2009
  12. 12. Variations on a Theme Public Cloud Private Cloud Hybrid Cloud 12 GTS - 14 12 12 Copyright iDefense 2009
  13. 13. Cloud computing risks and generic mitigation strategies 13 GTS - 14 13 Copyright iDefense 2009
  14. 14. Areas of Risk ▪ Privileged User Access ▪ Data Segregation ▪ Regulatory Compliance ▪ Physical Location of Data ▪ Availability ▪ Recovery ▪ Investigative Support ▪ Viability and Longevity 14 GTS - 14 14 14 Copyright iDefense 2009
  15. 15. Mitigation Strategies Understand the risks Evaluate any potential cloud-based solution and CSP Unique solution, generic risks source: sxc.hu 15 GTS - 14 15 15 Copyright iDefense 2009
  16. 16. Risks Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party 16 GTS - 14 16 16 Copyright iDefense 2009
  17. 17. Mitigation Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party Privilege Access Control Mitigation: – Support to HR and data policies – Outsourcing involved? – Evaluate the access controls 17 GTS - 14 17 17 Copyright iDefense 2009
  18. 18. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 18 GTS - 14 18 18 Copyright iDefense 2009
  19. 19. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 19 GTS - 14 19 19 Copyright iDefense 2009
  20. 20. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 20 GTS - 14 20 20 Copyright iDefense 2009
  21. 21. Mitigation Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption Data Segregation Mitigation: – What’s the risk of data segregation failure? – Encryption of data: shifting of risks – Understand the “how, where, when” of consumer data storage 21 GTS - 14 21 21 Copyright iDefense 2009
  22. 22. Risks Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks 22 GTS - 14 22 22 Copyright iDefense 2009
  23. 23. Mitigation Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks Regulatory Control Mitigation: FISMA – Know your regulatory obligation HIPAA – Know your CSP’s regulatory obligations SOX PCI – Understand your liabilities SAS 70 – Location may change regulatory obligations Audits 23 GTS - 14 23 23 Copyright iDefense 2009
  24. 24. Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 24 GTS - 14 24 24 Copyright iDefense 2009
  25. 25. Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 10/9/09 SA pigeon 'faster than broadband' BBC News Cyber A Durban IT company pitted an 11-month- old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers. 25 GTS - 14 25 25 Copyright iDefense 2009
  26. 26. Mitigation Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure Physical Location of Data Mitigation: – Identify your data’s location – Avoid CSPs that cannot guarantee the location – Avoid CSPs that use data centers in hostile countries – Use CSPs that reside in consumer’s country 26 GTS - 14 26 26 Copyright iDefense 2009
  27. 27. Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 27 GTS - 14 27 27 Copyright iDefense 2009
  28. 28. Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 28 GTS - 14 28 28 Copyright iDefense 2009
  29. 29. Mitigation Service Availability Mitigation: – Availability is the greatest risk ! – Understand the CSP’s infrastructure: avoid single points of failure – Private clouds may reduce the availability risk, but introduce additional cost and overhead – Establish service-level agreements (SLAs) with their CSPs – Balance the risk introduced by using multiple data centers with the risk of a single site failure – Assume at least one outage, what’s the impact to you? 29 GTS - 14 29 29 Copyright iDefense 2009
  30. 30. Risks Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime 30 GTS - 14 30 30 Copyright iDefense 2009
  31. 31. Mitigation Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime Recovery Mitigation: – Understand backed up systems (Encrypted? Multiple sites?) – Identify the time required to completely recover data – Practice a full recovery to test the CSP’s response time 31 GTS - 14 31 31 Copyright iDefense 2009
  32. 32. Risks Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances 32 GTS - 14 32 32 Copyright iDefense 2009
  33. 33. Mitigation Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances Investigative Support Mitigation: – Establish policies and procedures with the CSP – Avoid CSPs unwilling to participate in incident 33 GTS - 14 33 33 Copyright iDefense 2009
  34. 34. Risks Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk 34 GTS - 14 34 34 Copyright iDefense 2009
  35. 35. Mitigation Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk Viability and Longevity Mitigation: – Understand the way a CSP can “going dark” – Have a secondary CSP in mind – Review the history and financial stability of any CSP prior to engaging 35 GTS - 14 35 35 Copyright iDefense 2009
  36. 36. Cloud Computing for Malicious Intent 36 GTS - 14 36 Copyright iDefense 2009
  37. 37. Malicious use source: sxc.hu Bad guys are already using such technology ;) – Botnets – Hacking as a Service, SPAM 37 GTS - 14 37 37 Copyright iDefense 2009
  38. 38. Malicious use source: sxc.hu Bad guys are already using such technology – Botnets – Hacking as a Service, SPAM 11/9/09 Bot herders hide master control channel in Google cloud by Dan Goodin, The Register Cyber criminals' love affair with cloud computing Malicious use of Cloud Services just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large – C&C Server on the cloud networks of infected computers. – Storage of malicious data – Cracking passwords 38 GTS - 14 38 38 Copyright iDefense 2009
  39. 39. Conclusion 39 GTS - 14 39 Copyright iDefense 2009
  40. 40. Conclusions Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed. Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. 40 GTS - 14 40 40 Copyright iDefense 2009
  41. 41. Additional Reading Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing” http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security” http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk- assessment iDefense Topical Research Paper: “Cloud Computing” 41 GTS - 14 41 41 Copyright iDefense 2009
  42. 42. Q&A GTS - 14 42 Copyright iDefense 2009
  43. 43. Thank You Anchises M. G. de Paula iDefense Intelligence Analyst 43

×