Cloud computing security
A talk about cloud computing and the risks and benefits that such a scheme presents to our IT operations

    Cloud computing security: Presentation Transcript

    • Cloud Computing & Security: Are there clouds in our sky?
    • > Antonio Sanz > I3A - IT Manager > Security Expert > http://i3a.unizar.es > ansanz@unizar.es > @antoniosanzalc
    • Cloud Computing
    • Index > Cloud Computing > Opportunities > Cloud Computing risks > Migrating to a Cloud Infrastructure [Slide footer: Topic 1: Secure software design / Cloud Computing Security]
    • “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [*First & last boring slide. Promise]
    • Cloud Computing: Main points > On demand > Ubiquitous > Resource pool > Elastic > Measurable
    • Service Types
    • IaaS – Infrastructure as a Service > Raw infrastructure > Storage, network & servers > We do the rest > Flexible but costly > E.g.: Amazon AWS
    • PaaS – Platform as a Service > You’ve got the OS but no apps > IaaS + OS + Base services > App deployment OK (.jar) > Less control but less cost > E.g.: Google App Engine
    • SaaS – Software as a Service > You’ve got everything > IaaS + PaaS + Apps > Ready to go > Minimal control / Minimal effort > E.g.: Salesforce.com (CRM)
    • Public, Private Clouds > Public: Public access, shared resources (-security, -cost). E.g.: Amazon AWS > Private: Private access, dedicated resources (+security, +cost). E.g.: NASA Nebula OpenStack
    • Community, Hybrid > Community: Group that shares a private cloud. E.g.: Business holding > Hybrid: Mix of some of the others
    • Technology
    • Technologies > Virtualization > Shared storage > High speed networks > Multidevice access > Advanced Middleware (access, monitoring, provisioning)
    • Advantages
    • Cloud Computing Pros > Elasticity / Scalability > Availability > Performance > Ubiquitous access > Very low CAPEX > OPEX savings
    • Success Case
    • Amazon AWS - http://aws.amazon.com/ > Amazon Web Services > EC2 (Elastic Cloud Computing) > S3 (Simple Storage Service) > You can do … almost everything > Others: Rackspace, vCloud, Azure, IBM (great, too)
    • NetFlix - http://www.netflix.com/ > Video streaming (Films, series, shows) > Almost 20% of US bandwidth > Uses Amazon AWS > Benefits: Scalability + Availability > Video transcoding “on the fly” with EC2 > Video storage in EC3 with S3 > Usage data analysis with EC2
    • Dropbox - http://www.dropbox.com/ > Backup in the cloud > Around 12Pb (12,000 Tb) > Uses Amazon S3 > Benefit: Scalability > Business model (VIP): http://www.w2lessons.com/2011/04/economics-of-dropbox.html
    • Technology Cloud Is Good!
    • Cloud Computing Risks
    • Business Risks
    • Vendor Lock-In
    • Vendor Lock-In = To have you by the balls
    • Vendor Lock-In
    • Vendor lock-in > It’s hard to say goodbye > SaaS: No “export” option > PaaS: API interoperability > IaaS: Different technologies > Defense: Right CP (Cloud Provider) choice
    • Lack of IT Governance
    • Lack of IT Governance > IT Governance != Cloud Computing Governance > Limited functionalities / High costs > Loss of control of our IT > Defense: Clear objectives & design, right CP choice
    • Compliance & Laws
    • Compliance & Laws > We need to comply with all the regulations (PCI DSS, LOPD) > Imposes transitive compliance on the CP > Legal lapses > Defense: Good analysis, right CP choice
    • SLAs
    • SLA (Service Level Agreements) > Contract signed with CP > Services offered > Warranties offered > Service metrics & compensations/penalties > Defense: SLA study & tuning
    • Provider Failures
    • Provider failures > “Errare machina est” > Starting security standards > CP Business Continuity plan > OUR Business Continuity plan > Defense: Business continuity definition, right CP choice
    • Third party failures
    • Third party failures > CP = Service & Technologies Integrator > But … what about electricity, connectivity, HVAC? > We have to take care of our facilities too > Defense: Right CP choice, third party evaluation (the CP's and our own)
    • Technical risks
    • Resource Starvation
    • Resource starvation > Resources are assigned on demand > CP scales up … but how? > Situation: No more resources available when they were most needed!! > Defense: Resource reservation, right CP choice
    • Isolation Faults
    • Isolation Faults > Cloud = Shared Resources = Shared flat > How secure is your neighbour? > Third party security failure → Everybody is compromised > Defense: Private Clouds, right CP choice
    • Data leaks
    • Data leaks > Lots of sensitive info in our CP > Disgruntled employees > Wrong service configuration > Defense: Right CP choice, cipher use, log reviews
    • Data Transit
    • Data Transit > Network information flows > Local interception > In-transit interception > In-cloud interception > Defense: SSL, cipher use
    • Cloud Provider Compromise
    • CP Compromise > Cloud = Technology mesh = Lots of possible security flaws > Cloud interface management attacks > Cloud user management attacks > Infrastructure attacks > Defense: Right CP choice, SLAs, incident response planning
    • DDOS
    • DDOS / EDOS > DDOS (Distributed Denial Of Service) > Intended to take down an infrastructure → Attack on availability > Cloud neighbours are collateral damage > EDOS (Economic Denial of Service) > Intended to cause economic damage > Defense: SLAs, charge limits, incident response
    • Cipher & Backup
    • Cipher > Sensitive info → Cipher > Secure information deletion (wipe) > Defense: Strong ciphers, key safekeeping, SLA
    • Backups > Info is EVERYTHING → Backups > Don’t forget your backups (even if the CP does … you too) > Automated procedure > Defense: Procedure design, right CP choice
    • Logs Access > Logs = Activity of our IT > Needed for debugging > Critical if a security incident arises > How can I access my logs? > Defense: SLA, right CP choice
    • Disaster Recovery
    • Disaster Recovery > Shit happens (Murphy’s Law) > Earthquakes, fires, floods, alien invasions… > Our CP must have a Business Continuity plan > We must have ours!! > Defense: Business Continuity plan
    • Legal Risks
    • Compliance & Laws > Lots of laws & regulations > Is our CP compliant? > National & international laws > Defense: Preliminary analysis, right CP choice
    • Data protection > LOPD (Ley Orgánica de Protección de Datos) > Cloud sometimes implies international data transfers → Complicated issues > Safe Harbour → Amazon, Google > Defense: Preliminary analysis, right CP choice
    • Computer Forensics > Security incident in our CP → Someone has set up a child pornography site > Maybe anyone in our cloud!! > Possible result = Server seizure > Defense: Right CP choice, SLA, Business Continuity plan
    • Using Cloud Computing
    • Analyze
    • Identify Services > Services that can benefit most from Cloud Computing > Main benefits: Scalability, Availability & Elasticity > Services with intermittent but heavy resource use (E.g.: Sports newspapers on Mondays)
    • Evaluate CC models > IaaS, PaaS, SaaS? > Public, Private, Hybrid, Community? > See what others like us are doing > Decide which model fits our needs best
    • Know
    • Defining security needs > Know our service thoroughly > Define the information flows > Identify sensitive info > Measure how critical the service is > Assign a value to the service
    • Risk Analysis > Know the existing risks when using cloud computing > Apply them to our service > Define a maximum risk level > Important!: Be utterly objective
    • Plan
    • Evaluate cloud providers > Read the SLA (Service Level Agreements) carefully > Read it again > Evaluate security compliance > Added value services > Price!
    • Security controls > Define security controls > Controls in the cloud & our IT > Technical & procedural controls > Target: Lower our real risk
    • Decide
    • Bean counting … > Migration costs > Cloud operation costs > Current operation costs > Troubleshooting costs (both cloud & current) > Make money talk …
    • Make a decision > Evaluate pros & cons of our current IT model & cloud computing > It’s not all about money … > Informed decision making > You should always have a plan B
    • CC offers great opportunities > CC has risks > There has to be a plan
    • Conclusions > Cloud computing is here > Lots of business models & opportunities > Must know all the risks > Must have a sensible business plan
    • Conclusions: I love it when a cloud plan comes together
    • Don’t be under a cloud!
    • More info? Press here! > Cloud Security Alliance: https://cloudsecurityalliance.org/ > Cloud Computing Security Guide - CSA: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf > ENISA - Cloud Computing Security Risks: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment > Australia Gov. - Cloud Computing Risk Analysis Report: http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
    • Have a plan and jump into the sky! > Antonio Sanz / ansanz@unizar.es / @antoniosanzalc > $slides = http://www.slideshare.net/ansanz