Cloud computing security

A talk about Cloud computing and the risks and benefits that such a scheme presents to our IT operations

Published in: Technology, Business

Transcript

  • 1. Cloud Computing & Security: Are there clouds in our sky?
  • 2. Antonio Sanz
      > I3A - IT Manager
      > Security Expert
      > http://i3a.unizar.es
      > ansanz@unizar.es
      > @antoniosanzalc
  • 3. Cloud Computing
  • 4. Index
      > Cloud Computing
      > Opportunities
      > Cloud Computing risks
      > Migrating to a Cloud Infrastructure
      (Slide footer, repeated on every content slide of the deck: Topic 1: Secure software design / Cloud Computing Security)
  • 5. “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [*First & last boring slide. Promise]
  • 6. Cloud Computing: Main points
      > On demand
      > Ubiquitous
      > Resource pool
      > Elastic
      > Measurable
  • 7. Service Types
  • 8. IaaS – Infrastructure as a Service
      > Raw infrastructure
      > Storage, network & servers
      > We do the rest
      > Flexible but costly
      > e.g.: Amazon AWS
  • 9. PaaS – Platform as a Service
      > You’ve got the OS but no apps
      > IaaS + OS + Base services
      > App deploying ok (.jar)
      > Less control but less cost
      > e.g.: Google App Engine
  • 10. SaaS – Software as a Service
      > You’ve got everything
      > IaaS + PaaS + Apps
      > Ready to go
      > Minimal control / Minimal effort
      > e.g.: Salesforce.com (CRM)
  • 11. Public, Private Clouds
      > Public: Public access, shared resources (-security, -cost). e.g.: Amazon AWS
      > Private: Private access, dedicated resources (+security, +cost). e.g.: NASA Nebula OpenStack
  • 12. Community, Hybrid
      > Community: Group that shares a private cloud. e.g.: Business holding
      > Hybrid: Mix some of the others
  • 13. Technology
  • 14. Technologies
      > Virtualization
      > Shared storage
      > High speed networks
      > Multidevice access
      > Advanced Middleware (access, monitoring, provisioning)
  • 15. Advantages
  • 16. Cloud Computing Pros
      > Elasticity / Scalability
      > Availability
      > Performance
      > Ubiquitous access
      > Very low CAPEX
      > OPEX savings
  • 17. Success Case
  • 18. Amazon AWS - http://aws.amazon.com/
      > Amazon Web Services
      > EC2 (Elastic Cloud Computing)
      > S3 (Simple Storage Service)
      > You can do … almost everything
      > Others: Rackspace, vCloud, Azure, IBM (great, too)
  • 19. NetFlix - http://www.netflix.com/
      > Video streaming (films, series, shows)
      > Almost 20% of US bandwidth
      > Uses Amazon AWS
      > Benefits: Scalability + Availability
      > Video transcoding “on the fly” with EC2
      > Video storage in EC3 with S3
      > Usage data analysis with EC2
  • 20. Dropbox - http://www.dropbox.com/
      > Backup in the cloud
      > Around 12 PB (12,000 TB)
      > Uses Amazon S3
      > Benefit: Scalability
      > Business model (VIP): http://www.w2lessons.com/2011/04/economics-of-dropbox.html
  • 21. Technology Cloud Is Good!
  • 22. Cloud Computing Risks
  • 23. Business Risks
  • 24. Vendor Lock-In
  • 25. Vendor Lock-In = To have you by the balls
  • 26. Vendor Lock-In
  • 27. Vendor lock-in
      > It’s hard to say goodbye
      > SaaS: No “export” option
      > PaaS: API interoperability
      > IaaS: Different technologies
      > Defense: Right CP (Cloud Provider) choice
  • 28. Lack of IT Governance
  • 29. Lack of IT Governance
      > IT Governance != Cloud Computing Governance
      > Limited functionalities / High costs
      > Loss of control of our IT
      > Defense: Clear objectives & design, right CP choice
  • 30. Compliance & Laws
  • 31. Compliance & Laws
      > We need to comply with all the regulations (PCI DSS, LOPD)
      > Imposes transitive compliance on the CP
      > Legal lapses
      > Defense: Good analysis, right CP choice
  • 32. SLAs
  • 33. SLA (Service Level Agreements)
      > Contract signed with the CP
      > Services offered
      > Warranties offered
      > Service metrics & compensations/penalties
      > Defense: SLA study & tuning
  • 34. Provider Failures
  • 35. Provider failures
      > “Errare machina est”
      > Starting security standards
      > CP Business Continuity plan
      > OUR Business Continuity plan
      > Defense: Business continuity definition, right CP choice
  • 36. Third party failures
  • 37. Third party failures
      > CP = Service & Technologies Integrator
      > But … what about electricity, connectivity, HVAC?
      > We have to take care of our facilities too
      > Defense: Right CP choice, third party evaluation (the CP’s and our own)
  • 38. Technical risks
  • 39. Resource Starvation
  • 40. Resource starvation
      > Resources are assigned on demand
      > CP scales up … but how?
      > Situation: No more resources available when they were most needed!!
      > Defense: Resource reservation, right CP choice
  • 41. Isolation Faults
  • 42. Isolation Faults
      > Cloud = Shared resources = Shared flat
      > How secure is your neighbour?
      > Third party security failure: everybody is compromised
      > Defense: Private clouds, right CP choice
  • 43. Data leaks
  • 44. Data leaks
      > Lots of sensitive info in our CP
      > Disgruntled employees
      > Wrong service configuration
      > Defense: Right CP choice, cipher use, log reviews
  • 45. Data Transit
  • 46. Data Transit
      > Network information flows
      > Local interception
      > In-transit interception
      > In-Cloud interception
      > Defense: SSL, cipher use
  • 47. Cloud Provider Compromise
  • 48. CP Compromise
      > Cloud = Technology mesh = Lots of possible security flaws
      > Cloud management interface attacks
      > Cloud user management attacks
      > Infrastructure attacks
      > Defense: Right CP choice, SLAs, incident response planning
  • 49. DDOS
  • 50. DDOS / EDOS
      > DDOS (Distributed Denial Of Service)
      > Intended to take down an infrastructure: attack on availability
      > Cloud neighbours are collateral damage
      > EDOS (Economic Denial of Service)
      > Intended to cause economic damage
      > Defense: SLAs, charge limits, incident response
  • 51. Cipher & Backup
  • 52. Cipher
      > Cipher sensitive info
      > Secure information deletion (wipe)
      > Defenses: Strong ciphers, keep the keys, SLA
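Slides 44, 46 and 52 all fall back on "cipher use" and "keep the keys" as a defense, without showing what that looks like in practice. The Go program below is an added example, not code from the talk or from any provider: it envelope-encrypts an object before it is handed to the cloud provider using AES-256-GCM from Go's standard library. Each object gets its own random data key, that data key is wrapped under a master key that stays in our own key store, and the object name is bound into both authentication tags so a renamed or swapped blob is rejected. The `EncryptedObject` layout, the object name and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is the only thing handed to the cloud provider: the
// ciphertext, the per-object data key wrapped under our master key, and the
// two nonces. The master key never leaves our side. (Constructed layout for
// this example, not any provider's format.)
type EncryptedObject struct {
	WrappedKey []byte // data key encrypted under the master key
	KeyNonce   []byte
	Ciphertext []byte
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce and binds
// ad (associated data) into the authentication tag.
func aeadSeal(key, ad, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, ad), nil
}

func aeadOpen(key, ad, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, ad)
}

// Seal encrypts plaintext under a fresh random data key and wraps that key
// under masterKey. objectName is bound as associated data, so an object that
// is renamed or swapped for another on the provider side fails to open.
func Seal(masterKey []byte, objectName string, plaintext []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ad := []byte(objectName)
	dataNonce, ciphertext, err := aeadSeal(dataKey, ad, plaintext)
	if err != nil {
		return nil, err
	}
	keyNonce, wrappedKey, err := aeadSeal(masterKey, ad, dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedKey: wrappedKey, KeyNonce: keyNonce, Ciphertext: ciphertext, DataNonce: dataNonce}, nil
}

// Open unwraps the data key with masterKey and decrypts the object. A wrong
// master key, a wrong object name or any modification of the stored blob is
// rejected by the GCM tag before any plaintext is returned.
func Open(masterKey []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	ad := []byte(objectName)
	dataKey, err := aeadOpen(masterKey, ad, obj.KeyNonce, obj.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong master key, wrong object name or tampered blob")
	}
	plaintext, err := aeadOpen(dataKey, ad, obj.DataNonce, obj.Ciphertext)
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: object was modified")
	}
	return plaintext, nil
}

func main() {
	// Constructed master key for the demo; in practice it lives in our own key store, not at the provider.
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	name := "customers/2011-11.csv" // assumed object name
	obj, err := Seal(masterKey, name, []byte("id,name\n1,Alice\n"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(masterKey, name, obj)
	fmt.Printf("stored %d ciphertext bytes; recovered %q (err=%v)\n", len(obj.Ciphertext), pt, err)
	obj.Ciphertext[0] ^= 0x01 // simulate the object being modified at the provider
	_, err = Open(masterKey, name, obj)
	fmt.Println("after tampering:", err)
}
```

The provider only ever sees `EncryptedObject`; losing the master key makes every object unrecoverable, which is why the slide pairs "strong ciphers" with "keep the keys" and a backup procedure. Secure deletion (the "wipe" point on slide 52) also becomes tractable with this layout: destroying the wrapped data key for one object, or the master key for all of them, renders the ciphertext useless wherever the provider has copied it.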
  • 53. Backups
      > Info is EVERYTHING: backups
      > Don’t forget your backups (even if the CP does … you too)
      > Automated procedure
      > Defense: Procedure design, right CP choice
  • 54. Logs Access
      > Logs = Activity of our IT
      > Needed for debugging
      > Critical if a security incident arises
      > How can I access my logs?
      > Defense: SLA, right CP choice
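Slide 44 lists log reviews among the defenses against data leaks, and slide 54 stresses that those logs must be reachable when an incident arises. As an added example, not part of the talk, the Go program below reviews a constructed, simplified object-store access log (the line format, requester names, object keys and byte counts are all invented for the example and match no real provider's format) for two of the leak scenarios named on slide 44: a wrong service configuration, visible as objects served to unauthenticated requesters, and an insider pulling data in bulk; it also surfaces denied requests, which are the earliest sign of someone probing for data they should not reach.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleLog is a constructed, simplified access log for an object store:
// "<time> <requester> <operation> <object key> <bytes> <HTTP status>".
// It is not the log format of any real provider.
const sampleLog = `
2011-11-02T09:12:01Z alice GET.OBJECT reports/q3.pdf 204800 200
2011-11-02T09:12:05Z anonymous GET.OBJECT reports/q3.pdf 204800 200
2011-11-02T09:13:10Z bob GET.OBJECT hr/payroll.csv 52428800 200
2011-11-02T09:13:12Z bob GET.OBJECT hr/contracts.zip 104857600 200
2011-11-02T09:14:00Z anonymous GET.OBJECT public/logo.png 4096 200
2011-11-02T09:15:30Z carol PUT.OBJECT reports/q4.pdf 102400 200
2011-11-02T09:16:00Z mallory GET.OBJECT hr/payroll.csv 52428800 403
`

type Entry struct {
	Time, Requester, Op, Key string
	Bytes                    int64
	Status                   int
}

type Finding struct {
	Rule, Subject, Detail string
}

// ParseLine splits one log line into its fields; malformed lines are errors
// rather than silently skipped, since a gap in the log is itself a finding.
func ParseLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Entry{}, fmt.Errorf("malformed line: %q", line)
	}
	n, err := strconv.ParseInt(f[4], 10, 64)
	if err != nil {
		return Entry{}, fmt.Errorf("bad byte count in %q: %v", line, err)
	}
	st, err := strconv.Atoi(f[5])
	if err != nil {
		return Entry{}, fmt.Errorf("bad status in %q: %v", line, err)
	}
	return Entry{Time: f[0], Requester: f[1], Op: f[2], Key: f[3], Bytes: n, Status: st}, nil
}

// Review applies three checks: objects served to unauthenticated requesters
// (a misconfigured ACL), denied requests (someone probing for data they should
// not have) and principals whose successful downloads exceed maxBytes in the
// reviewed window (bulk exfiltration).
func Review(logText string, maxBytes int64) ([]Finding, error) {
	var findings []Finding
	downloaded := map[string]int64{}
	var order []string // first-seen order keeps the output deterministic
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		switch {
		case e.Requester == "anonymous" && e.Status == 200:
			findings = append(findings, Finding{"anonymous-access", e.Key, "served without authentication at " + e.Time + "; check the object/bucket ACL"})
		case e.Status == 403:
			findings = append(findings, Finding{"denied-access", e.Requester, "denied " + e.Op + " on " + e.Key + " at " + e.Time})
		}
		if e.Op == "GET.OBJECT" && e.Status == 200 {
			if _, seen := downloaded[e.Requester]; !seen {
				order = append(order, e.Requester)
			}
			downloaded[e.Requester] += e.Bytes
		}
	}
	for _, r := range order {
		if downloaded[r] > maxBytes {
			findings = append(findings, Finding{"bulk-download", r, fmt.Sprintf("%d bytes downloaded, threshold %d", downloaded[r], maxBytes)})
		}
	}
	return findings, nil
}

// CountByRule summarises findings per rule.
func CountByRule(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Rule]++
	}
	return counts
}

func main() {
	findings, err := Review(sampleLog, 100<<20) // 100 MiB per requester in the window
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Subject, f.Detail)
	}
}
```

On the constructed sample the review flags the two anonymous reads, mallory's denied request and bob's combined 150 MiB of HR downloads. None of this is possible if the provider does not hand over the logs in the first place, which is the point of slide 54: the SLA has to say how, how fast and in what format we get them.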
  • 55. Disaster Recovery
  • 56. Disaster Recovery
      > Shit happens (Murphy’s Law)
      > Earthquakes, fires, floods, alien invasions…
      > Our CP must have a Business Continuity plan
      > We must have ours!!
      > Defense: Business Continuity plan
  • 57. Legal Risks
  • 58. Compliance & Laws
      > Lots of laws & regulations
      > Is our CP compliant?
      > National & International laws
      > Defense: Preliminary analysis, right CP choice
  • 59. Data protection
      > LOPD (Ley Orgánica de Protección de Datos, the Spanish data protection act)
      > Cloud sometimes implies international data transfers: complicated issues
      > Safe Harbour: Amazon, Google
      > Defense: Preliminary analysis, right CP choice
  • 60. Computer Forensics
      > Security incident in our CP: someone has set up a child pornography site
      > Maybe anyone in our cloud!!
      > Possible result = Server seizure
      > Defense: Right CP choice, SLA, Business Continuity plan
  • 61. Using Cloud Computing
  • 62. Analyze
  • 63. Identify Services
      > Services that can benefit most from Cloud Computing
      > Main benefits: Scalability, Availability & Elasticity
      > Intermittent but heavy resource use services (e.g.: Sports newspapers on Mondays)
  • 64. Evaluate CC models
      > IaaS, PaaS, SaaS?
      > Public, Private, Hybrid, Community?
      > See what others like us are doing
      > Decide which model fits our needs best
  • 65. Know
  • 66. Defining security needs
      > Know our service thoroughly
      > Define the information flows
      > Identify sensitive info
      > Measure how critical the service is
      > Assign a value to the service
  • 67. Risk Analysis
      > Know the existing risks when using cloud computing
      > Apply them to our service
      > Define a maximum risk level
      > Important!: Be utterly objective
  • 68. Plan
  • 69. Evaluate cloud providers
      > Read the SLA (Service Level Agreements) carefully
      > Read it again
      > Evaluate security compliance
      > Added value services
      > Price!
  • 70. Security controls
      > Define security controls
      > Controls in the cloud & our IT
      > Technical & procedural controls
      > Target: Lower our real risk
  • 71. Decide
  • 72. Bean counting …
      > Migration costs
      > Cloud operation costs
      > Current operation costs
      > Troubleshooting costs (both cloud & current)
      > Make money talk …
  • 73. Make a decision
      > Evaluate pros & cons of our current IT model & cloud computing
      > It’s not all about money …
      > Informed decision making
      > You should always have a plan B
  • 74. CC offers great opportunities. CC has risks. There has to be a plan.
  • 75. Conclusions
      > Cloud computing is here
      > Lots of business models & opportunities
      > Must know all the risks
      > Must have a sensible business plan
  • 76. Conclusions: I love it when a cloud plan comes together
  • 77. Don’t be under a cloud!
  • 78. More info? Press here!
      > Cloud Security Alliance: https://cloudsecurityalliance.org/
      > Cloud Computing Security Guide - CSA: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
      > ENISA – Cloud Computing Security Risks: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
      > Australia Gov. - Cloud Computing Risk Analysis Report: http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
  • 79. Have a plan and jump into the sky!
      > Antonio Sanz / ansanz@unizar.es / @antoniosanzalc
      > $slides = http://www.slideshare.net/ansanz