Cloud security: Risks and Rewards for New Entrants

Show notes: The cloud is a service model that entails great benefits for its new entrants. However its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.

Speaker Notes
  • Introduction (30 seconds): The cloud is a service model that entails great benefits for its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.
    Multiple choice: Which form of attack is inherently linked to the multi-tenant aspect of the cloud?
    a) DDoS
    b) Phishing
    c) Side channel attacks
    d) Man-in-the-middle attack
    e) Cloudburst
    What is the term used to describe the forceful placement of a virtual instance next to a target one?
    a) Cloud cartography
    b) Cloud mapping
    c) Infrastructure targeting
    d) Cloud tracking
    e) Processor framing
  • (1 minute) Now before we start, we have to ask ourselves: what is the cloud? The cloud is a large network that encompasses three distinct but interrelated service models. The first is software as a service, where software is coded, maintained and brought directly to the end user through the web; think Salesforce, or even something as commonplace as Gmail. Platform as a service employs, well, a software platform that is run by the cloud service provider. Developers are free to use this platform and its related tools to bring innovative new technologies to the front; think of Google's App Engine or Microsoft Azure. Finally, infrastructure as a service supplies the raw and complex processing power that companies need to bring a large service to many different users at a time. Source: http://www.gunthergerlach.com/2009/04/defining-cloud-computing-from-the-scratch/
  • (30 seconds) Now consider that these services are often built on top of one another. At the bottom you have infrastructure as a service, supporting the underlying platform. At the middle level lies platform as a service, which harnesses the power provided by the infrastructure base. And at the top level you have software as a service, a piece of software that can be coded on a development platform and likewise distributed all over the cloud using the infrastructure. This forms what we call the cloud dependency model, which I'll get to later.
  • (1 minute) [PwC 2011 Global] Why does this matter to CIOs or future executives like you? Well, you have to keep up with the competition. In a PwC information security survey of 12,000 IT leaders, 49% of respondents said their organization employs some form of cloud computing today, up 14% from the year before. Business leaders are eager to harness four characteristics of the cloud. There is elasticity, where additional processing power can be ordered at the click of a button. Accessibility, meaning you can access the cloud anywhere you have an internet connection. Multi-tenancy, which I'll explain next. And a pay-as-you-go usage model, which can help optimize costs. The cloud is a finite network that can house a near-infinite number of what we call instances. Whenever you request a new instance on the cloud, it is placed on a physical server somewhere in that network. You will be operating alongside other tenants' virtual machines, and that is what we call multi-tenancy. It is this aspect, together with elasticity, that makes the cloud so cheap.
  • (30 seconds) Now it's not all fun and games on the cloud. You also have to be aware of the risks, and that's where this report comes in. I'll be going over four of the more prevalent or interesting risks inherent to the cloud, and ways you might be able to counteract them. [Adoption statistic (PwC)]
  • (1 minute) Now we have to distinguish between old risks that we have seen for a long time on the internet and new risks that arise specifically from the cloud and its unique properties. Some risks, such as phishing, aren't really cloud risks: they work or fail just the same as long as you have an internet connection. But sometimes we can have a hybrid of both. Take for example a DDoS attack, or distributed denial of service attack. This involves a slew of machines making bogus requests in order to overload a server. But DDoS attacks can evolve using the cloud's scalable properties. What would happen if, instead of overloading your server, that bogus traffic simply caused you to provision additional infrastructure to serve it? Things would get awfully expensive very quickly if it continued, because you pay for every instance the attacker makes you start. Christofer Hoff, a cloud security expert at Cisco Systems, calls this Economic Denial of Sustainability (EDoS). Notice how things get better with the cloud. Even attacks.
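The EDoS point above is easiest to see as a bill. The following is an added example, not material from the presentation or from Hoff's write-up: it models an autoscaling group with and without an instance cap under a sustained flood of bogus requests, and a budget alarm that fires on the first hour the spend exceeds a threshold. The capacity per instance, hourly price, traffic volumes and budget are assumptions picked for illustration.

```python
"""Model of an autoscaling group under an Economic Denial of Sustainability
(EDoS) flood.  Added example, not from the presentation: the capacity,
pricing and traffic numbers are assumptions picked for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ScalingPolicy:
    requests_per_instance_hour: int      # load one instance sustains per hour (assumed)
    price_per_instance_hour: float       # assumed on-demand price in dollars
    min_instances: int = 2
    max_instances: Optional[int] = None  # None: uncapped, which is the EDoS exposure


def instances_needed(policy: ScalingPolicy, requests_per_hour: int) -> int:
    """Scale out to meet demand; the cap, when set, bounds the bill instead."""
    wanted = -(-requests_per_hour // policy.requests_per_instance_hour)  # ceiling division
    wanted = max(policy.min_instances, wanted)
    if policy.max_instances is not None:
        wanted = min(policy.max_instances, wanted)
    return wanted


def simulate(policy: ScalingPolicy, hourly_traffic: List[int]) -> Tuple[float, int]:
    """Return (total cost, hours in which demand exceeded provisioned capacity)."""
    cost, saturated_hours = 0.0, 0
    for requests in hourly_traffic:
        n = instances_needed(policy, requests)
        cost += n * policy.price_per_instance_hour
        if requests > n * policy.requests_per_instance_hour:
            saturated_hours += 1   # the cap traded money for availability here
    return cost, saturated_hours


def flood_profile(baseline: int, attack_rate: int, hours: int, attack_start: int) -> List[int]:
    """Constructed traffic: steady legitimate baseline, then a sustained bogus-request flood."""
    return [baseline + (attack_rate if h >= attack_start else 0) for h in range(hours)]


def budget_alarm(policy: ScalingPolicy, hourly_traffic: List[int], hourly_budget: float) -> Optional[int]:
    """Index of the first hour whose spend exceeds the budget, or None if it never does."""
    for h, requests in enumerate(hourly_traffic):
        if instances_needed(policy, requests) * policy.price_per_instance_hour > hourly_budget:
            return h
    return None


def compare(hours: int = 24, attack_start: int = 6) -> Dict[str, object]:
    """Same flood against an uncapped and a capped policy; numbers are illustrative."""
    traffic = flood_profile(baseline=50_000, attack_rate=2_000_000,
                            hours=hours, attack_start=attack_start)
    uncapped = ScalingPolicy(requests_per_instance_hour=10_000, price_per_instance_hour=0.10)
    capped = ScalingPolicy(requests_per_instance_hour=10_000, price_per_instance_hour=0.10,
                           max_instances=20)
    return {
        "uncapped": simulate(uncapped, traffic),          # (cost, saturated hours)
        "capped": simulate(capped, traffic),
        "alarm_hour": budget_alarm(uncapped, traffic, hourly_budget=5.0),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Running it shows the trade-off the speaker alludes to: the uncapped group keeps every request flowing but its 24-hour bill is roughly an order of magnitude larger, while the capped group keeps the bill flat and instead spends the attack hours saturated. Neither outcome is free; the cap and the alarm are what turn an open-ended cost into a decision you get to make.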
  • (1 minute) We're used to seeing security as protection across various network boundaries. Now the tools used to control programs and instances on the cloud have created more attack surfaces, which may prove to be additional vulnerabilities within what is now part of your network. As I said earlier, in the multi-tenant environment physical servers house several virtual environments. The cloud companies use programs called hypervisors to allocate the resources of the physical machine among each instance. In PaaS cloud models, the provider exposes an Application Programming Interface (API) through which the developer's programs communicate with the platform and submit requests in real time. Hopefully you start to see the implications. Both of these components help run the cloud, but if either is breached it allows unmitigated access to user data: a hypervisor compromise exposes every guest on that host, and an API compromise exposes every tenant that calls it.
  • (2 minutes) Now recall how cloud services often build on one another. Take potential hypervisor and API vulnerabilities into account when you consider the cloud dependency stack. At the infrastructure level you open the model up to attacks on the hypervisor, while at the platform level API security risks take precedence. What we start to see is a proliferation of access points, any of which can lead directly to data leakage or loss. This inherent risk is compounded by the fact that each level of the cloud model has to be configured properly to ensure compatibility. A host of security controls run at the CSP to ensure the security of data. However, improperly configured security controls at the client level can lead to additional security flaws that may be exploitable by other parties.
  • (2 minutes) The multi-tenancy aspect of the cloud creates another security risk that has been the subject of intense scrutiny over the last number of years. Just as you wouldn't want to invite a malicious third party into your physical server, the cloud, with its open brand of service, opens the provider's network to a host of parties. A high-profile research paper in 2009, Hey, You, Get Off of My Cloud, demonstrated the concept of cloud cartography on Amazon's EC2 service. Cloud cartography is a technique that maps where instances land in the provider's network so that an attacker can exploit the multi-tenant aspect of the cloud to position a malicious instance next to a target one, and later use that co-residency to mount an attack on the target. This may seem impossible; after all, instances appear to be placed almost anywhere in the cloud. However, the researchers were able to succeed in 50% of co-location efforts, all for around 100 dollars. Even a pure brute-force method led to 126 of 141 instances being co-located in 510 attempts. But why is this important? The fact of the matter is, it opens up yet another method of attack that can be used to steal data from a company.
  • Now once co-residency is established on the same physical infrastructure, attackers can use an indirect method of spying called a side channel attack. One type of side channel attack uses the processor cache to monitor activity throughout the physical server. The cache is a small, fast memory bank used by the processor and shared by the virtual machines running on that host; it simply wasn't built with strong segregation between tenants in mind, so its behaviour remains observable by any co-resident party. An attacker cannot read the victim's memory directly, but by repeatedly filling the cache with their own data and timing how long it takes to read it back, they can tell how much the cache was used in between. By observing the timing of individual spikes in cache usage, a malicious user could do things like infer keystrokes in the target VM. This has huge potential ramifications, as you can easily imagine how an indirect channel attack can lead to the direct theft of employee passwords and the ultimate loss of data security for a company or its customers.
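To make the "listening through the cache" idea concrete, here is an added example that is not code from the paper or the presentation: a simulated prime+probe attacker sharing a toy set-associative cache with a victim. The attacker fills every cache set with its own lines, lets the victim run, then re-reads its lines and counts evictions; keystroke intervals show up as spikes, and the gaps between spikes are the timing information an attacker would feed into password inference. The cache geometry, the number of accesses a keystroke handler makes, and the victim's idle activity are all assumptions of the simulation. A real attack measures load latency with a cycle counter rather than asking a simulated cache whether it hit.

```python
"""Toy prime+probe model of the cache side channel described above.
Added example, not code from the paper or the presentation; the cache, the
victim and its keystroke handler are simulated so the run is deterministic
and needs no special hardware."""

import random
from statistics import median

NUM_SETS = 64   # assumed cache geometry for the simulation
WAYS = 4


class SharedCache:
    """Set-associative cache with LRU replacement, shared by both tenants."""

    def __init__(self):
        self.sets = [[] for _ in range(NUM_SETS)]

    def access(self, set_index, line):
        """Touch `line`; return True on a hit, False on a miss (which evicts the LRU line)."""
        lines = self.sets[set_index]
        if line in lines:
            lines.remove(line)
            lines.append(line)
            return True
        if len(lines) == WAYS:
            lines.pop(0)
        lines.append(line)
        return False


class Attacker:
    def __init__(self, cache):
        self.cache = cache
        # One line per way in every set: enough to own the whole cache after prime().
        self.lines = [(s, ("attacker", s, w)) for s in range(NUM_SETS) for w in range(WAYS)]

    def prime(self):
        for s, line in self.lines:
            self.cache.access(s, line)

    def probe(self):
        """Attacker lines evicted since prime(): the observable 'cache activity' signal."""
        return sum(1 for s, line in self.lines if not self.cache.access(s, line))


class Victim:
    def __init__(self, cache, rng):
        self.cache, self.rng = cache, rng

    def run(self, keystroke):
        # Idle: a couple of background accesses.  Keystroke: the handler touches
        # code and data spread over many sets (40 accesses assumed).
        for _ in range(40 if keystroke else 2):
            self.cache.access(self.rng.randrange(NUM_SETS), ("victim", self.rng.randrange(4096)))


def run_attack(keystroke_times, intervals=120, seed=7):
    """Return the per-interval eviction counts the attacker observes."""
    rng = random.Random(seed)
    cache = SharedCache()
    attacker, victim = Attacker(cache), Victim(cache, rng)
    trace = []
    for t in range(intervals):
        attacker.prime()
        victim.run(t in keystroke_times)
        trace.append(attacker.probe())
    return trace


def infer_keystrokes(trace, factor=4):
    """Intervals whose eviction count spikes well above the idle baseline."""
    baseline = max(median(trace), 1)
    return [t for t, evictions in enumerate(trace) if evictions > factor * baseline]


def inter_keystroke_gaps(times):
    """Timing between detected keystrokes: the raw material for password inference."""
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    observed = run_attack({10, 25, 26, 70})
    found = infer_keystrokes(observed)
    print("keystroke intervals:", found, "gaps:", inter_keystroke_gaps(found))
```

The attacker never reads a byte of the victim's memory; it only learns when the victim was busy. That is exactly why the threat is easy to underestimate and why the mitigations (dedicated hosts, cache partitioning, constant-time code) look nothing like a firewall rule.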
  • Now that we have outlined some of the more unique risks of the cloud, how can executives prepare for a transition to it? Well, there are a number of ways they can try to compensate.
  • (1 minute) Now, encryption remains a popular solution in tech circles today. After seeing the increased potential for data leakage that comes with adopting the cloud model, you can see why encryption remains a must for new entrants. Cryptography lets you verify that the right people and systems are accessing your cloud servers (through authenticated, encrypted connections) as well as providing base-level protection over your information. Businesses that plan to use the cloud for storage or archiving can encrypt data before it leaves their premises, turning it into a basically unreadable format and minimizing the chance of it being deciphered if intercepted or stolen. However, encryption does have limitations. Because it is undecipherable without the key, encrypted data cannot be processed by cloud servers unless the provider is given that key, which defeats much of the purpose. Take for example the case of Google, which struggled with encrypting its Gmail service for over two years. It has been reported that even a simple search over encrypted data could take up to a trillion times longer. Executives have to be sure to balance the security benefits of encryption against its processing costs.
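The limitation just described, that the provider cannot work on data it cannot read, is worth seeing in working code. Below is an added example, not code from the presentation: a client encrypts records before upload and stores a keyed "blind index" of the e-mail field alongside each ciphertext, so the provider can still answer exact-match lookups without ever holding a key, while substring or range queries remain impossible. Assumptions: a 32-byte master key that only the client holds, the provider modelled by the in-memory CloudStore class, and a cipher built from an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs on the Python standard library alone. A real deployment would use AES-GCM from a vetted library; the blind-index idea carries over unchanged.

```python
"""Client-side encryption before upload, plus a blind index so the provider can
still answer equality lookups.  Added example, not code from the presentation.
The cipher here is a counter-mode keystream from HMAC-SHA256 with an
encrypt-then-MAC tag, used only so the example needs no third-party library."""

import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master: bytes, label: bytes) -> bytes:
    """Separate keys per purpose so the index key never doubles as the cipher key."""
    return hmac.new(master, b"derive:" + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(index_key: bytes, value: str) -> str:
    """Keyed, truncated hash: equal inputs give equal tokens and nothing else is revealed."""
    return hmac.new(index_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


class CloudStore:
    """The provider: stores opaque blobs and index tokens, never sees a key."""

    def __init__(self):
        self.rows = []

    def put(self, token: str, blob: bytes) -> None:
        self.rows.append((token, blob))

    def find(self, token: str):
        # Equality is the only query the provider can serve; it cannot do LIKE '%foo%'.
        return [blob for t, blob in self.rows if t == token]


class Client:
    def __init__(self, master_key: bytes, store: CloudStore):
        self.enc_key = derive_key(master_key, b"enc")
        self.mac_key = derive_key(master_key, b"mac")
        self.idx_key = derive_key(master_key, b"index")
        self.store = store

    def upload(self, record: dict) -> None:
        token = blind_index(self.idx_key, record["email"])
        self.store.put(token, encrypt(self.enc_key, self.mac_key, json.dumps(record).encode()))

    def find_by_email(self, email: str):
        token = blind_index(self.idx_key, email)
        return [json.loads(decrypt(self.enc_key, self.mac_key, b)) for b in self.store.find(token)]


def demo() -> dict:
    """Constructed sample records; shows what the provider can and cannot do."""
    store = CloudStore()
    client = Client(secrets.token_bytes(32), store)
    client.upload({"email": "alice@example.com", "notes": "renewal due Q3"})
    client.upload({"email": "bob@example.com", "notes": "escalated ticket"})
    hits = client.find_by_email("Alice@Example.com")
    plaintext_visible = any(b"example.com" in blob for _, blob in store.rows)
    blob = store.rows[0][1]
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        decrypt(client.enc_key, client.mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"hits": hits, "plaintext_visible": plaintext_visible, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. The blind index leaks equality: the provider can see which rows share an e-mail address even though it cannot read one. And every query type beyond exact match (prefix, substring, range, full-text search) either needs the key at the provider or a far more expensive scheme, which is the cost the speaker's "trillion times longer" figure refers to.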
  • (1 minute) A strong service level agreement can make all the difference when mitigating risks of financial exposure in the cloud. This is especially true since, according to a Ponemon survey, 69% of cloud service providers believe security to be the primary responsibility of the user, while only 35% of cloud users seem to agree. CSPs in general seem understandably protective of their security policies, but executives must make sure that this does not impede their own hardening procedures. The service provider may be hesitant to hand over basic access data or logs that may be essential for continuous monitoring by the user. Your data may also be subject to confiscation in the case of a security breach or investigation, whether or not you were the target. A strong service level agreement can effectively divide the rights and responsibilities between each party in the cloud contract, and must address continuous monitoring and enforce ownership rights over your data.
  • (1 minute) Finally, given the sheer number of threats that emerge from the basic cloud dependency stack, it makes sense for executives to apply a unified risk assessment approach in order to manage cloud security. Of course we're all familiar with the ISACA COBIT framework, a control objective model which can certainly be applied to a cloud environment given a little tweaking. However, a number of organizations have come forward to offer new entrants a cloud-specific risk model. One such organization is the European Network and Information Security Agency (ENISA), with its Cloud Computing Information Assurance Framework. A sort of meeting ground can be found in the CSA's Cloud Controls Matrix, which applies elements of all of the previously mentioned frameworks, taking concepts from each to form a definitive best-practice security framework. Getting to know these first-hand would be another great way for executives to educate themselves on the new security risks that result from cloud adoption.
  • Now, the help is out there. Here are a couple of links to the more popular security frameworks. Take a little time to browse through them all to see which one is most compatible with your existing security framework if you plan to become a new entrant.
  • Now I'm just going to talk briefly about some opportunities that are available for CAs to help provide additional assurance to new entrants in the cloud.
  • First of all, it's important to see cloud computing as an opportunity to extend the assurance function that CAs currently apply to service providers. Executives currently require a strong level of assurance to make a conscious decision over their choice of CSP. The CA assurance function relevant to the cloud is generally limited to the control-based assessment that is the Section 5970 report (now being replaced by CSAE 3416). However, the 5970 report merely relates to the testing of controls at a service provider over its and its clients' financial reporting. It fails to provide a thorough assessment of the CSP's security controls, which is what executives desperately need in order to distinguish between cloud service providers. Applying the trusted CA assurance brand to create a cloud-assurance model seems to be a lucrative opportunity worth looking into.
  • CAs looking to get a jump ahead of the pack, bolster their competencies and increase their own marketability can look to an offering by the Cloud Security Alliance. The CSA has recently instituted the Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/), which designates an individual as a specialist in identifying and addressing security risks in the cloud. This quote from Gary Phillips of Symantec outlines one way that CAs can help distinguish themselves in the cloud assurance function.
  • So what have I told you today? The cloud is a profound opportunity for executives who look to leverage its powerful and cost-effective characteristics to drive their businesses forward. However, it is these same characteristics that create new risks we must now look out for, whether it be the proliferation of new attack surfaces or old threats that evolve with the cloud. It will pay dividends to be prepared. A unified risk assessment process will go a long way towards understanding the many risks out there, while implementing client-side controls and a strong service level agreement supports risk mitigation and risk avoidance practices.
  • Hopefully, you now have a better understanding of how the cloud works and ways you can protect yourself. Thanks for listening!

Presentation Transcript

  • Cloud Security: Risks and Recommendations for New Entrants
    A Report by Irvin Choo
    ACC 626
  • What is the Cloud?
  • What is the Cloud?
  • Cloud Characteristics
    Elasticity
    Automatic Provisioning/De-provisioning
    Accessibility
    Anywhere and everywhere
    Multi-tenancy
    Know your neighbour
    Pay-as-you-go
  • Cloud Security Risks
    Old risks vs. New risks
    Cloud Dependency Stack
    Expanding Attack Surfaces
    Cloud Cartography
    and Side Channels
  • Cloud Security Risks
    Old Risks vs. New Risks
    Some risks (e.g. phishing, often attributed to the cloud) are not cloud-specific
    New risks should span from the inherent properties of cloud computing models
    Can have a hybrid of both
    Distributed Denial of Service vs. Economic Denial of Sustainability (EDoS)
    EDoS: abusing elasticity so the victim provisions resources beyond what it can sustainably pay for
  • Cloud Security Risks
    Expanding Attack surfaces
    Hypervisors (IaaS)
    Allocate resources to virtual environment within the physical server
    Application Programming Interfaces (PaaS)
    Proprietary
    Communicates between developer’s program and underlying platform
  • Cloud Security Risks
    The Cloud Dependency Stack
    SaaS
    PaaS
    IaaS
    Cloud Physical Infrastructure
    Compatibility concerns
    Misconfiguration of software
    High integration, high risk
    Compromise at any level can undermine the entire infrastructure
  • Cloud Security Risks
    Cloud Cartography
    Multi-tenancy issue
    Locating VM’s in the cloud
    Random Distribution?
    Hey, you, get off of my Cloud! (Amazon EC2 study)
    50% success rate
    Even brute force methods fairly successful
    Inexpensive
  • Cloud Security Risks
    Side Channel Attacks
    Primary risk from multi-tenant environment
    Indirect form of spying
    Listening through the cache
    Can infer information rather than directly intercepting it
    Researchers showed keystroke timing can be inferred from spikes in cache activity (a route to recovering passwords)
    Can change face of corporate espionage
  • Controls and Recommendations
    First Steps
    Responsibilities and the SLA
    Security Frameworks
  • Controls and Recommendations
    First Steps
    Why is encryption important?
    Ensures authorized access
    Provides base level protection over information
    Basic encryption policies
    Authentication data
    Data for archiving/storage
    Limitations
    Not suited for data that must be processed in the cloud (e.g. SaaS)
    Gmail struggled with encryption until 2010
  • Controls and Recommendations
    Responsibilities and the SLA
    Ponemon: 69% of cloud service providers believe security to be responsibility of the users
    Continuous monitoring
    CSP may be hesitant to give access data/logs
    Generally secretive security policies
    Securing ownership of data in case of security breaches
  • Controls and Recommendations
    Recommended Security Frameworks
    Strong response to lack of cloud-based security risk framework
    ISACA COBIT Framework for IT Governance of control
    International Organization for Standardization ISO 27001
    ENISA Cloud Computing Assurance Framework
    Cloud Security Alliance Cloud Controls Matrix
  • Controls and Recommendations
    Recommended Security Frameworks
  • Implications for CAs
    Assurance Opportunities
    Certificate of Cloud Security Knowledge
  • Implications for CA’s
    Cloud Computing is an opportunity for CAs
    Executives require stronger cloud-based assurance model
    5970/CSAE 3416 is inadequate
    Cloud risks extend far beyond financial reporting considerations
    Distinguishing between Cloud service providers
  • Implications for CAs
    CSA Certificate of Cloud Security Knowledge
    “The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate.”
    ~ Gary Phillips, senior director, technology assurance and
    standards research, Symantec Corp
  • Conclusions
    Cloud entails new risks
    Expansion of attack surfaces
    Evolution of old threats
    Risks can be mitigated by
    Implementing client-side controls
    Strong Service level agreement
    Unified risk assessment process
  • Thank you!!
  • Works Cited
    Al Morsy, M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdf
    Brenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.
    Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28 (18), pp. 1-2.
    CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up .
    Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdf
    Cloud Computing Information Assurance Framework. (2009, November). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
    Cloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
    Cloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
    Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
  • Works Cited
    Cloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
    COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
    Farrell, R. (2010). Securing the Cloud. Information Security Journal, 6 (19), pp. 310-319.
    Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdf
    Greengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1 (106), pp. 20-24.
    Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1 (1247), pp. 4-5.
    Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspx
    Hoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/
    Jarabek, C. (2010). A Review of Cloud computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdf
    Lempereur, C., & Cimpean, D. (2011, May 12). An assurance framework for cloud computing. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011
    Loveland, G. (2010). Security Among the clouds. Compliance Week, 8 (83).
    Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
  • Works Cited
    McMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.ppt
    Mullins, R. J. (2010). New Cloud Security Certification Launched. Information Week, 1 (1277), p. 16.
    Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.asp
    Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdf
    Shipley, G. (2010). Cloud Computing: Risks. Information Week, 1 (1262), pp. 20-23.
    The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25 (1), pp. 7-9.
    Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
    Top Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats
    Transitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtml
    Urquhart, J. (2010, November 22). Cloud security is dependent on the law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofClouds
    Zetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/