+ Follow

What Everyone Ought To Know About Cloud Security

by craigbalding

22,176 views

I gave this presentation at RSA Europe 2009.

Accessibility

View text version

Upload Details

Uploaded via SlideShare as Microsoft PowerPoint

Usage Rights

File a copyright complaint

16 Embeds 11,782

http://cloudsecurity.org	11646
http://www.slideshare.net	60
http://translate.googleusercontent.com	35
http://www.techgig.com	9
http://cloudsecurity.org.	8
http://127.0.0.1	5
http://feeds.feedburner.com	5
http://localhost	4
http://webcache.googleusercontent.com	3
http://74.125.93.132	1
https://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com	1
http://mail50.paran.com	1
file://	1
http://207.46.192.232	1
http://www.netvibes.com	1
http://65.55.177.205	1

More...

Statistics

Likes: 29
Downloads: 0
Comments: 0
Embed Views: 11,782
Views on SlideShare: 10,394
Total Views: 22,176

What Everyone Ought To Know About Cloud Security Presentation Transcript

What Everyone Ought To Know About Cloud Security Craig Balding cloudsecurity.org 20/10/09 | Session ID: BUS-106 Classification: Intermediate

Agenda Decomposing Cloud Objectives Understand Implementations Applying Security

Objectives

Define ‘Cloud’

Explore Cloud Attributes

Understand the 3 Layer Cloud Model

Link Security Controls to Layer

Explore Cloud Deployment Types

Public, Private & Virtual Private Security

Examine Key Cloud Security Controls

Cloud is the New Pink

Who Said This? "We will make cloud computing announcements, because if orange is the new pink, we'll make orange blouses"

Larry Ellison, CEO

Cloud vs. Grid Google Trends

Actions Speak Louder…

BUT Cloud != Virtualization

“ ABSTRACTION !”

Defining Cloud “… the market seems to have come to the conclusion that cloud computing has a lot in common with obscenity--you may not be able to define it, but you'll know it when you see it” James Urquhart – The Wisdom of Clouds

Decomposing Cloud

Smells Like Cloud

Abstraction of Resources

On Demand

Elastic

Scalable

as a Service (aaS)

Cloud Layers Jericho Forum

Cloud Security?

Cloud Deployments

Cloud Cube Model Jericho Forum

Public Cloud: MS Azure

Public Cloud: Amazon Web Services

Public Cloud: force.com

Virtual Private Cloud

Private Cloud

Key Cloud Security Controls

How Much Time Do We Have? 80 pages

Recap: Risk Mitigation Must Cover…

Abstraction of Resources

On Demand

Elastic

Scalable

as a Service (aaS)

It’s all about Workloads…

… and Providers!

SSL/TLS Is Not The Cure-All

… nor is Hiding Behind Contracts

Cloud Technology Concerns

Compute: Hypervisors

Software Platform Maturity

Network: VPN, Intercloud

Distributed Storage

Federation

API Security

Billing

The Hypervisor

Cloud Platform Maturity

InterCloud VPN

Eventually Consistent

Identity / Federation

API Security

Non-Technology Concerns

Billing

Change Control

ToS/SLA

Legal

Audits

Visibility

Billing

Change Control “… someone once likened the process of upgrading our core websearch infrastructure to “ changing the tires on a car while you’re going at 60 down the freeway. ” Urs Holzle – SVP Operations, Google

ToS & SLA

Legal

Audits The Tour On/off-site “ Certification” Change Control Security Awareness SDLC, Scans/Testing

Visibility Provider actions Admin activity Intrusion Detection A6 Working Group

Short Term Recommendations

Implement Detection of Public Cloud Use for Company Business

Get Involved: business/IT leadership plans around cloud

Dive Deeper into Cloud Platforms

Track Cloud Security Alliance, ENISA, NIST

Try a Cloud Yourself

Further Reading & Contact Cloud & Cloud Security http://cloudsecurity.org/resources Email : [email_address]

Appendix

Cloud Model: Infrastructure (IaaS) Chris Hoff

Cloud Model: Platform (PaaS) Chris Hoff

Cloud Model: Software (SaaS) Chris Hoff