Cloud computing security

A talk about cloud computing and the risks and benefits that such a model presents to our IT operations.

Published in: Technology, Business
Cloud Computing & Security: Are there clouds in our sky?

> Antonio Sanz
> I3A - IT Manager
> Security Expert
> http://i3a.unizar.es
> ansanz@unizar.es
> @antoniosanzalc

Cloud Computing

Index
> Cloud Computing
> Opportunities
> Cloud Computing risks
> Migrating to a Cloud Infrastructure
Tema 1: Diseño de software seguro (Topic 1: Secure Software Design) / Cloud Computing Security

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (the NIST SP 800-145 definition) [*First & last boring slide. Promise]

Cloud Computing: Main points
> On demand
> Ubiquitous
> Resource pool
> Elastic
> Measurable

Service Types

IaaS – Infrastructure as a Service
> Raw infrastructure
> Storage, network & servers
> We do the rest
> Flexible but costly
> e.g. Amazon AWS

PaaS – Platform as a Service
> You've got the OS but no apps
> IaaS + OS + base services
> You deploy your own app (e.g. a .jar)
> Less control but less cost
> e.g. Google App Engine

SaaS – Software as a Service
> You've got everything
> IaaS + PaaS + apps
> Ready to go
> Minimal control / minimal effort
> e.g. Salesforce.com (CRM)

Public, Private Clouds
> Public: public access, shared resources (-security, -cost). e.g. Amazon AWS
> Private: private access, dedicated resources (+security, +cost). e.g. NASA Nebula / OpenStack

Community, Hybrid
> Community: a group that shares a private cloud. e.g. a business holding
> Hybrid: a mix of the others

Technology

Technologies
> Virtualization
> Shared storage
> High speed networks
> Multi-device access
> Advanced middleware (access, monitoring, provisioning)

Advantages

Cloud Computing Pros
> Elasticity / scalability
> Availability
> Performance
> Ubiquitous access
> Very low CAPEX
> OPEX savings

Success Cases

Amazon AWS - http://aws.amazon.com/
> Amazon Web Services
> EC2 (Elastic Compute Cloud)
> S3 (Simple Storage Service)
> You can do … almost everything
> Others: Rackspace, vCloud, Azure, IBM (great, too)

Netflix - http://www.netflix.com/
> Video streaming (films, series, shows)
> Almost 20% of US bandwidth
> Uses Amazon AWS
> Benefits: scalability + availability
> Video transcoding "on the fly" with EC2
> Video storage in S3
> Usage data analysis with EC2

Dropbox - http://www.dropbox.com/
> Backup in the cloud
> Around 12 PB (12,000 TB)
> Uses Amazon S3
> Benefit: scalability
> Business model (VIP): http://www.w2lessons.com/2011/04/economics-of-dropbox.html

Technology: Cloud Is Good!

Cloud Computing Risks

Business Risks

Vendor Lock-In
= To have you by the balls

Vendor lock-in
> It's hard to say goodbye
> SaaS: no "export" option
> PaaS: API interoperability
> IaaS: different technologies
> Defense: right CP (Cloud Provider) choice

Lack of IT Governance
> IT governance != cloud computing governance
> Limited functionality / high costs
> Loss of control of our IT
> Defense: clear objectives & design, right CP choice

Compliance & Laws
> We need to comply with all the regulations (PCI DSS, LOPD)
> This imposes transitive compliance on the CP
> Legal gaps
> Defense: good analysis, right CP choice

SLA (Service Level Agreement)
> Contract signed with the CP
> Services offered
> Warranties offered
> Service metrics & compensations / penalties
> Defense: SLA study & tuning

Provider failures
> "Errare machina est"
> Security standards are still emerging
> The CP's business continuity plan
> OUR business continuity plan
> Defense: business continuity definition, right CP choice

Third party failures
> CP = service & technology integrator
> But … what about electricity, connectivity, HVAC?
> We have to take care of our own facilities too
> Defense: right CP choice, third party evaluation (the CP's third parties and our own)

Technical risks

Resource starvation
> Resources are assigned on demand
> The CP scales up … but how?
> Situation: no more resources available when they were most needed!!
> Defense: resource reservation, right CP choice

Isolation faults
> Cloud = shared resources = shared flat
> How secure is your neighbour?
> A third party's security failure: everybody is compromised
> Defense: private clouds, right CP choice

Data leaks
> Lots of sensitive info at our CP
> Disgruntled employees
> Wrong service configuration
> Defense: right CP choice, encryption, log reviews
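The "wrong service configuration" bullet is the one most often behind a cloud data leak: an object-storage bucket policy that quietly grants access to everyone. The Go program below is an example added here, not code from the talk; it audits an S3-style bucket policy for statements that Allow the anonymous principal (`"*"` or `{"AWS": "*"}`). The policy document, bucket name, account id, role name and VPC endpoint id are all constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SamplePolicy is a constructed S3 bucket policy for the audit below. The account id,
// role name and VPC endpoint id are placeholders, not real identifiers.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "AnyoneCanList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-backups"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}`

// statement mirrors the subset of the bucket-policy grammar the audit needs. Principal,
// Action and Condition take several JSON shapes, so they are kept raw and decoded below.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

// Finding is one Allow statement whose Principal is the anonymous wildcard.
type Finding struct {
	Sid         string
	Actions     []string
	Conditional bool // a Condition block narrows the grant; review it rather than flag it blindly
}

// stringsOf normalises a JSON value that is either "x" or ["x", "y"] into a slice.
func stringsOf(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// isAnonymous reports whether Principal is "*", {"AWS": "*"} or a list containing "*".
func isAnonymous(raw json.RawMessage) bool {
	for _, p := range stringsOf(raw) {
		if p == "*" {
			return true
		}
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, p := range stringsOf(obj["AWS"]) {
		if p == "*" {
			return true
		}
	}
	return false
}

// AuditPolicy returns every Allow statement that anonymous callers can use, in policy order.
// Deny statements and grants to named principals are not findings.
func AuditPolicy(doc []byte) ([]Finding, error) {
	var p struct {
		Statement []statement `json:"Statement"`
	}
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []Finding
	for i, s := range p.Statement {
		if s.Effect != "Allow" || !isAnonymous(s.Principal) {
			continue
		}
		sid := s.Sid
		if sid == "" {
			sid = fmt.Sprintf("statement[%d]", i)
		}
		findings = append(findings, Finding{
			Sid:         sid,
			Actions:     stringsOf(s.Action),
			Conditional: len(s.Condition) > 0 && string(s.Condition) != "null",
		})
	}
	return findings, nil
}

func main() {
	findings, err := AuditPolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s actions=%v conditional=%v\n", f.Sid, f.Actions, f.Conditional)
	}
}
```

Only the unconditional findings (PublicRead, AnyoneCanList) are outright leaks. VpcOnly is reported as conditional because a Condition such as aws:SourceVpce can legitimately scope a wildcard grant and deserves a human look. DenyInsecure is not a finding at all: a Deny on aws:SecureTransport=false is itself a control for the data-in-transit risk and belongs in such a policy. Bucket ACLs and account-level public-access blocks are outside what this check sees, so it complements, rather than replaces, the provider's own "block public access" settings.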
Data Transit
> Network information flows
> Local interception
> On-transit interception
> In-cloud interception
> Defense: TLS (SSL), encryption
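Encryption in transit only defeats an on-path interceptor if the client checks who is at the other end: a TLS session whose certificate is never verified is encrypted to whoever answered. The Go program below is an added example, not code from the talk. It builds a private CA, a genuine server certificate and an interceptor's self-signed certificate for the same host name (all hypothetical names under the reserved .example domain) and runs the verification a correctly configured TLS client performs during the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate. With parent == nil it is self-signed (our CA, or an
// attacker's throwaway cert); otherwise it is signed by parent/parentKey.
func newCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServer is the check a TLS client performs in the handshake: chain the presented
// leaf to a root we trust and match the host we meant to reach. Skipping it leaves the
// connection encrypted, but to whoever is sitting on the path.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ClientConfig is the tls.Config that makes those checks run on a real connection.
// A nil roots pool means the OS trust store; InsecureSkipVerify is deliberately left false.
func ClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenarios returns the verification result for (1) the genuine server certificate,
// (2) an interceptor's self-signed certificate carrying the same name and (3) the genuine
// certificate presented when we tried to reach a different host.
func Scenarios() (legit, mitm, wrongHost error) {
	const host = "storage.cloud.example" // hypothetical provider endpoint
	ca, caKey, err := newCert("Example Corp Internal CA", nil, true, nil, nil)
	must(err)
	server, _, err := newCert(host, []string{host}, false, ca, caKey)
	must(err)
	attacker, _, err := newCert(host, []string{host}, false, nil, nil)
	must(err)

	roots := x509.NewCertPool()
	roots.AddCert(ca)

	legit = verifyServer(server, roots, host)
	mitm = verifyServer(attacker, roots, host)
	wrongHost = verifyServer(server, roots, "api.cloud.example")
	return legit, mitm, wrongHost
}

func main() {
	legit, mitm, wrongHost := Scenarios()
	fmt.Printf("genuine cert:     %v\ninterceptor cert: %v\nwrong host name:  %v\n", legit, mitm, wrongHost)
	cfg := ClientConfig(nil, "storage.cloud.example")
	fmt.Printf("client config: verify=%v min_tls=0x%04x\n", !cfg.InsecureSkipVerify, cfg.MinVersion)
}
```

The three outcomes are: the genuine certificate is accepted, the interceptor's certificate is rejected as signed by an unknown authority, and the genuine certificate is rejected when its name does not match the host we dialled. ClientConfig is what produces these checks on a live connection; setting InsecureSkipVerify, or routing traffic to the provider through a proxy whose CA you did not choose, makes the first two cases indistinguishable, which is exactly the "on-transit interception" the slide warns about.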
Cloud Provider Compromise
> Cloud = technology mesh = lots of possible security flaws
> Attacks on the cloud management interface
> Attacks on cloud user management
> Infrastructure attacks
> Defense: right CP choice, SLAs, incident response planning

DDoS / EDoS
> DDoS (Distributed Denial of Service)
> Intended to take down an infrastructure: an attack on availability
> Cloud neighbours are collateral damage
> EDoS (Economic Denial of Sustainability, also written "Economic Denial of Service")
> Intended to cause economic damage: elastic billing turns attack traffic into our invoice
> Defense: SLAs, spending limits, incident response

Encryption & Backup

Encryption
> Sensitive info: encrypt it
> Secure information deletion (wipe)
> Defenses: strong ciphers, keep custody of the keys, SLA
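Two of the bullets above are engineering decisions rather than vendor choices: encrypt before the data leaves us and keep the keys ourselves, and accept that a "wipe" at a provider can never be verified on its disks. The Go program below is an added example, not the author's code. It does both with client-side AES-256-GCM and an in-memory map standing in for the provider's object store; the key lives in process memory only for the demonstration (a real deployment would hold it in an HSM or a KMS under our own control), and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault holds the data-encryption key on our side. Only ciphertext ever reaches the provider,
// which is modelled here by an in-memory map standing in for an object store (constructed).
type Vault struct {
	key   []byte            // 256-bit AES key; never leaves our systems
	cloud map[string][]byte // object name -> nonce || ciphertext || GCM tag
}

// NewVault generates a fresh random key. Keeping it in process memory is an assumption of
// this example; in production it would sit in an HSM or a KMS we control.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Vault{key: key, cloud: map[string][]byte{}}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, errors.New("key destroyed: data is cryptographically shredded")
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext with AES-256-GCM and uploads nonce||ciphertext||tag under name.
// The object name is bound as associated data, so a blob moved to another name fails to open.
func (v *Vault) Put(name string, plaintext []byte) error {
	g, err := v.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.cloud[name] = g.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get downloads and authenticates an object; any bit flipped at the provider is rejected.
func (v *Vault) Get(name string) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := v.cloud[name]
	if !ok || len(blob) < g.NonceSize() {
		return nil, errors.New("object missing or truncated")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

// Shred is the cloud answer to "secure deletion": we cannot verify that the provider wiped
// every disk, replica and backup, but once the only key is overwritten and discarded, every
// copy of the ciphertext is unreadable (cryptographic erase).
func (v *Vault) Shred() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo runs a round trip, a tampered read and a read after shredding, returning the outcomes.
func Demo() (roundTrip string, tamperErr, shredErr error) {
	v, err := NewVault()
	must(err)
	const doc = "id,name\n1,Ana\n2,Luis\n" // constructed sample record
	must(v.Put("customers.csv", []byte(doc)))

	pt, err := v.Get("customers.csv")
	must(err)
	roundTrip = string(pt)

	blob := v.cloud["customers.csv"]
	blob[len(blob)-1] ^= 0x01 // an insider flips one byte of the stored object
	_, tamperErr = v.Get("customers.csv")

	v.Shred()
	_, shredErr = v.Get("customers.csv")
	return roundTrip, tamperErr, shredErr
}

func main() {
	rt, tamperErr, shredErr := Demo()
	fmt.Printf("round trip: %q\ntampered object: %v\nafter shred: %v\n", rt, tamperErr, shredErr)
}
```

Because the provider never sees the key, a leak of the stored objects exposes only ciphertext, and GCM's tag check rejects any object an insider has modified. Shred implements cryptographic erase (the term NIST SP 800-88 uses): discarding the only key renders every replica and backup the provider may still hold unreadable, which is the only deletion guarantee you can actually obtain through an SLA. Key custody is the whole point; if the key were stored next to the data at the same provider, neither property would hold.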
Backups
> Info is EVERYTHING: backups
> Don't forget your backups (even if the CP does … you shouldn't)
> Automated procedure
> Defense: procedure design, right CP choice

Log access
> Logs = the activity of our IT
> Needed for debugging
> Critical if a security incident arises
> How can I access my logs?
> Defense: SLA, right CP choice

Disaster Recovery
> Shit happens (Murphy's Law)
> Earthquakes, fires, floods, alien invasions…
> Our CP must have a business continuity plan
> We must have ours!!
> Defense: business continuity plan

Legal Risks

Compliance & Laws
> Lots of laws & regulations
> Is our CP compliant?
> National & international laws
> Defense: preliminary analysis, right CP choice

Data protection
> LOPD (Ley Orgánica de Protección de Datos, the Spanish data protection act)
> Cloud sometimes implies international data transfers: complicated issues
> Safe Harbor: Amazon, Google
> Defense: preliminary analysis, right CP choice
(Note: the EU-US Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015, and the LOPD has since been superseded by the GDPR and Ley Orgánica 3/2018; the analysis step still applies, the legal basis must be checked anew.)

Computer Forensics
> Security incident at our CP: someone has set up a child pornography site
> It could be any tenant sharing our cloud!!
> Possible result = seizure of the shared server
> Defense: right CP choice, SLA, business continuity plan

Using Cloud Computing

Analyze

Identify services
> Services that can benefit most from cloud computing
> Main benefits: scalability, availability & elasticity
> Services with intermittent but heavy resource use (e.g. sports newspapers on Mondays)

Evaluate CC models
> IaaS, PaaS or SaaS?
> Public, private, hybrid or community?
> See what others like us are doing
> Decide which model fits our needs best

Know

Defining security needs
> Know our service thoroughly
> Define the information flows
> Identify sensitive info
> Measure how critical the service is
> Assign a value to the service

Risk analysis
> Know the risks that come with cloud computing
> Apply them to our service
> Define a maximum acceptable risk level
> Important!: be utterly objective

Plan

Evaluate cloud providers
> Read the SLA (Service Level Agreement) carefully
> Read it again
> Evaluate security compliance
> Added value services
> Price!

Security controls
> Define security controls
> Controls in the cloud & in our own IT
> Technical & procedural controls
> Target: lower our real risk

Decide

Bean counting …
> Migration costs
> Cloud operation costs
> Current operation costs
> Troubleshooting costs (both cloud & current)
> Make money talk …

Make a decision
> Evaluate the pros & cons of our current IT model & of cloud computing
> It's not all about money …
> Informed decision making
> You should always have a plan B

CC offers great opportunities. CC has risks. There has to be a plan.

Conclusions
> Cloud computing is here
> Lots of business models & opportunities
> Must know all the risks
> Must have a sensible business plan

Conclusions: I love it when a cloud plan comes together

Don't be under a cloud!

More info? Press here!
> Cloud Security Alliance: https://cloudsecurityalliance.org/
> Cloud Computing Security Guide - CSA: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
> ENISA – Cloud Computing Security Risks: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
> Australian Government (DSD) - Cloud Computing Security Considerations: http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf

Have a plan and jump into the sky!
Antonio Sanz / ansanz@unizar.es / @antoniosanzalc
$slides = http://www.slideshare.net/ansanz