Presd1 10
1. Cloud Security: Identifying the Risks
Jim Reavis, Executive Director, May 2010

2. About the Cloud Security Alliance
• Global, not-for-profit organization
• Inclusive membership, supporting a broad spectrum of subject matter expertise
• Building best practices and a trusted cloud ecosystem
• CSA Guidance V2.1 – released Dec 2009
• CSA Top Threats Research – released March 2010
• CSA Cloud Controls Matrix – released April 2010
• Trusted Cloud Initiative – release Q4 2010
• CSA Cloud Metrics Working Group – release TBA
• Consensus Assessment Initiative
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
Copyright © 2010 Cloud Security Alliance

3. Is Cloud Computing Working?
• Eli Lilly
  • New drug research project
  • IT promised a system in 3 months, > $100,000 USD
  • Scientist completed it in one day in the cloud, < $500 USD
• Japanese government agencies
  • RFP for custom software development
  • Chose PaaS at 25% of the cost and deployment time of a traditional software house

4. What is Cloud Computing?
• Compute as a utility: the third major era of computing
  • Mainframe
  • PC client/server
  • Cloud computing: on-demand model for allocation and consumption of computing
• Cloud enabled by
  • Moore's Law: costs of compute and storage approaching zero
  • Hyperconnectivity: robust bandwidth from dotcom investments
  • Service Oriented Architecture (SOA)
  • Scale: major providers create massive IT capabilities
• Disruptive to IT and IT security
  • Challenges many of our IT definitions, e.g. what is data?

5. Defining Cloud
• On-demand provisioning
• Elasticity
• Multi-tenancy
• Key types
  • Infrastructure as a Service (IaaS): basic O/S and storage
  • Platform as a Service (PaaS): IaaS + rapid app development
  • Software as a Service (SaaS): complete application
• Public, Private, Community and Hybrid Cloud deployments

6. S-P-I Framework
The lower in the stack you consume, the more of the security you build yourself:
• SaaS – Software as a Service: you "RFP" security in (you specify it in procurement and rely on the provider)
• PaaS – Platform as a Service
• IaaS – Infrastructure as a Service: you build security in
7. Top Threats to Cloud Computing
Cloud security risks / threats:
• Shared Technology Vulnerabilities
• Data Loss/Data Leakage
• Malicious Insiders
• Account, Service or Traffic Hijacking
• Insecure APIs
• Nefarious Use of Service
• Unknown Risk Profile

8. Shared Technology Vulnerabilities
Description
• Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities
Impact
• Successful exploitation could impact multiple customers
Example
• Cloudburst – Kostya Kortchinsky (Black Hat 2009)
• Arbitrary code execution vulnerability identified in the VMware SVGA II device, a virtualized PCI display adapter; a guest that reaches the bug escapes to the host
• Vulnerable component present on VMware Workstation, VMware Player, VMware Server and VMware ESX

9. Data Loss / Data Leakage
Description
• Data compromise due to improper access controls or weak encryption
• Poorly secured data is at greater risk because of the multi-tenant architecture
Impact
• Data integrity and confidentiality
Example
• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT)
• Research detailing techniques for getting an attacker-controlled instance placed on the same physical host as a victim, confirming co-residence, and then using cross-VM side channels to leak information
10. Malicious Insiders
Description
• Employees of the cloud vendor may abuse privileges to access customer data/functionality
• Reduced visibility into internal processes may inhibit detection of the breach
Impact
• Data confidentiality and integrity
• Reputational damage
• Legal repercussions
Example
• Google Investigates Insider Threat After China Hack (eWeek)
• "Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists"

11. Interception or Hijacking of Traffic
Description
• Intercept and/or redirect traffic destined for the clients or the cloud
• Steal credentials to eavesdrop on or manipulate account information / services
Impact
• Confidentiality and integrity of data
• Damage to reputation
• Legal consequences from malicious use of resources
Example
• Twitter DNS account compromise
• Zeus botnet C&Cs on compromised Amazon EC2 accounts
12. Insecure APIs
Description
• APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack
Impact
• Data confidentiality and integrity
• Denial of service
Example
• P0wning the Programmable Web (Websense – AusCERT 2009)
• 80% of tested applications not using the security available in the APIs (e.g. unencrypted traffic and Basic authentication)
• Demonstrated CSRF, MITM and data leakage attacks
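As an added illustration, not code from the CSA deck or the Websense talk, the Python below puts the weak pattern the slide criticises (Basic authentication, which is merely base64 and is readable by anyone on the path when sent over plain HTTP) next to the HMAC-signed request style that cloud APIs of the period offered. The access key, secret, host, path and parameter names are assumptions for the example; the verifier rejects tampered, replayed and stale requests, which is what defeats the MITM case.

```python
"""Basic auth versus HMAC-signed API requests (illustrative, assumed API shape)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed sample tenant credentials; a real API issues these per account.
ACCESS_KEY_ID = "AKIAEXAMPLE"
SECRET_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CLOCK_SKEW = 300            # seconds a request timestamp may differ from server time
_seen_nonces = set()        # replay cache; a real server would expire old entries


def basic_auth_header(user, password):
    """The weak pattern: reversible encoding, no integrity, no replay protection."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic_credentials(header):
    """What an on-path attacker gets from a Basic header seen on plaintext HTTP."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def canonical_string(method, host, path, params):
    """Deterministic serialisation of everything the server will act on.
    Parameters are sorted so client and server build byte-identical input."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), host.lower(), path, query])


def sign_request(method, host, path, params, *, now=None, nonce=None):
    """Client side: bind identity, time and a one-time nonce into the request,
    then MAC the canonical form with the tenant secret."""
    signed = dict(params)
    signed["AccessKeyId"] = ACCESS_KEY_ID
    signed["Timestamp"] = str(int(now if now is not None else time.time()))
    signed["Nonce"] = nonce or secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, canonical_string(method, host, path, signed).encode(),
                   hashlib.sha256)
    signed["Signature"] = mac.hexdigest()
    return signed


def verify_request(method, host, path, params, *, now=None):
    """Server side. Returns (ok, reason). Order matters: the MAC is checked first so
    forged requests cannot fill the nonce cache or learn anything from timing."""
    params = dict(params)
    sig = params.pop("Signature", None)
    if sig is None or params.get("AccessKeyId") != ACCESS_KEY_ID:
        return False, "missing signature or unknown key"
    expected = hmac.new(SECRET_KEY, canonical_string(method, host, path, params).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return False, "bad signature"               # any altered field changes the MAC
    ts = int(params.get("Timestamp", "0"))
    if abs((now if now is not None else time.time()) - ts) > CLOCK_SKEW:
        return False, "stale timestamp"
    nonce = params.get("Nonce", "")
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    hdr = basic_auth_header("alice", "s3cret")
    print("Basic header leaks:", recover_basic_credentials(hdr))
    req = sign_request("GET", "api.example.com", "/v1/instances",
                       {"Action": "DescribeInstances"})
    print("fresh:", verify_request("GET", "api.example.com", "/v1/instances", req))
    print("replay:", verify_request("GET", "api.example.com", "/v1/instances", req))
    req["Action"] = "TerminateInstances"
    print("tampered:", verify_request("GET", "api.example.com", "/v1/instances", req))
```

Signing protects the authenticity and integrity of the request, not the confidentiality of the exchange: the response and any unsigned headers are still readable on a plaintext link, so the signed scheme still needs TLS underneath it.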
13. Nefarious Use of Service
Description
• Attackers are drawn to the cloud for the same reasons as legitimate consumers – access to massive processing power at a low cost
Impact
• Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc.
Example
• Current search for "" returns 21 results
• "In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws" – ScanSafe blog
• Amazon's EC2 Having Problems With Spam and Malware – Slashdot
14. Unknown Risk Profile
Description
• A lack of visibility into security controls could leave cloud consumers exposed to unnecessary risk
Impact
• Significant data breaches could occur, possibly without the knowledge of the cloud consumer
Example
• Heartland Payment Systems was "willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen."
15. Survey Results: Top Ranked Threats
Rank  Threat                                        Percent
1     Data Loss/Leakage                              28.8%
2     Abuse and Nefarious Use of Cloud Computing     17.8%
3     Insecure APIs                                  15.1%
4     Malicious Insiders                             11.0%
5     Account/Service and Traffic Hijacking           9.6%
6     Unknown Risk Profile                            9.6%
7     Shared Technology Vulnerabilities               8.2%
16. Status
Revisions
• Top threats list will be updated 2x per year
Process
• Recommended changes will be solicited from CSA participants
• A panel of judges will be established with representation from the security community, solution providers and cloud consumers
• Recommendations will be summarized and sent to the judges for review
• Judges will vote on any recommended changes
• Contact the project team to recommend judges

17. CSA Guidance Domains
• Popular best practices for securing cloud computing
• 13 domains of concern, in governing and operating groupings
• Guidance > 100k downloads:
Cloud Architecture
Governing the Cloud
  • Governance and Enterprise Risk Management
  • Legal and Electronic Discovery
  • Compliance and Audit
  • Information Lifecycle Management
  • Portability and Interoperability
Operating in the Cloud
  • Security, Business Continuity, and Disaster Recovery
  • Data Center Operations
  • Incident Response, Notification, Remediation
  • Application Security
  • Encryption and Key Management
  • Identity and Access Management
  • Virtualization

18. Summary
• Cloud computing is real and transformational
• Challenges for people, process, technology, organizations and countries
• Broad governance approach needed
• Tactical fixes needed
• Combination of updating existing best practices and creating completely new best practices
• Common sense not optional

19. Contact
• Help us secure cloud computing
• LinkedIn:
• Twitter: @cloudsa

20. Thank you!