Cloud Security: Risks and Recommendations for New Entrants
Show notes: The cloud is a service model that entails great benefits for its new entrants. However its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.

Published in: Technology, Business
1 Comment
  • Good start and improve further on the control part and vendor mgmt.
  • (Introduction: 30 seconds) Show notes: The cloud is a service model that entails great benefits for its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.
    Multiple choice: Which form of attack is inherently linked to the multi-tenant aspect of the cloud?
    a) DDoS
    b) Phishing
    c) Side channel attacks
    d) Man-in-the-middle attack
    e) Cloudburst
    What is the term used to describe the forceful placement of a virtual instance next to a target one?
    a) Cloud cartography
    b) Cloud mapping
    c) Infrastructure targeting
    d) Cloud tracking
    e) Processor framing
  • (1 minute) Now before we start, we have to ask ourselves: what is the cloud? The cloud is a large network that encompasses three distinct but interrelated service models. The first is software as a service, where software is coded, maintained and brought directly to the end user through the web. Think Salesforce, or even something as commonplace as Gmail. Platform as a service employs, well, a software platform that's run by the cloud service provider. Developers are free to use this platform and its related tools to bring innovative new technologies to the front. Think of Google's App Engine or Microsoft Azure. Finally, infrastructure as a service supplies the raw and complex processing power that companies need to bring a large service to many different users at a time. (Source: http://www.gunthergerlach.com/2009/04/defining-cloud-computing-from-the-scratch/)
  • (30 seconds) Now consider that these services are often built on top of one another. At the bottom you have infrastructure as a service, supporting the underlying platform. At the middle level lies platform as a service, which harnesses the power provided by the infrastructure base. And at the top level you have software as a service, a piece of software that can be coded on a development platform and likewise distributed all over the cloud using the infrastructure. This forms what we call the cloud dependency model, which I'll get to later.
  • (1 minute; PwC 2011 Global survey) Why does this matter to CIOs or future executives like you? Well, you have to keep up with the competition. In a PwC Information Security Survey of 12,000 IT leaders, 49% of respondents said their organization employs some form of cloud computing today, up 14% from the year before. Business leaders are eager to harness four characteristics of the cloud. There's elasticity, where additional processing power can be ordered at the click of a button. Accessibility, meaning you can access the cloud anywhere you have an internet connection. Multi-tenancy, which I'll explain more next. And a pay-as-you-go usage model, which can help optimize costs. The cloud is a finite network that can house a near-infinite number of what we call instances. Whenever you request a new instance on the cloud, it is placed on a physical server somewhere in that network. You'll be operating in the presence of other virtual machines, and that's what we call multi-tenancy. It is this aspect, together with the elasticity characteristic, that makes the cloud so cheap.
  • (30 seconds) Now it's not all fun and games on the cloud. You also have to be aware of the risks, and that's where this report comes in. I'll be going over four of the more prevalent or interesting risks inherent to the cloud, and ways you might be able to counteract them. (Cue: adoption statistic, PwC.)
  • (1 minute) Now we have to distinguish between old risks that we've seen for a long time on the internet, and new risks that come specifically from the cloud and its unique properties. Some risks, such as phishing, aren't really cloud risks, as they work or fail just as long as you have an internet connection. But sometimes we can have a hybrid of both. Take for example a DDoS attack, or distributed denial of service attack. This involves a slew of machines making false requests in order to overload a server. But DDoS attacks can evolve using the cloud's scalable properties. What would happen if, instead of overloading your server, those false requests simply caused you to provision additional infrastructure to support them? Things would get awfully expensive very quickly if they continued. Christofer Hoff, a cloud security expert at Cisco Systems, calls this the economic denial of service attack. Now you notice how things get better with the cloud. Even attacks.
  • (1 minute) We're used to seeing security as protection across various network boundaries. Now the tools used to control programs and instances on the cloud have created more attack surfaces that may prove to be additional vulnerabilities within what is now part of your network. As I said earlier, in the multi-tenant environment physical servers house several virtual environments. The cloud companies use programs called hypervisors to allocate the resources of the physical machine among each instance. In PaaS cloud models, the provider uses an application program interface, or API, to communicate with the developer's programs and submit requests in real time. Hopefully, you start to see the implications. Both of these components help run the cloud, but at the same time they allow for unmitigated access to user data if breached.
  • (2 minutes) Now, recall how cloud services often build on one another. Take potential hypervisor and API vulnerabilities into account when you consider the cloud dependency stack. At the infrastructure level, you open up the model to attacks on the hypervisor, while at the platform level API security risks take precedence. What we start to see is a proliferation of access points, all of which can lead directly to data leakage or loss. This inherent risk is compounded by the fact that each level of the cloud model has to be configured properly to ensure compatibility. A host of security controls run at the CSP in order to ensure the security of data. However, improperly configured security controls at the client level can lead to additional security flaws that may be exploitable by other parties.
  • (2 minutes) The multi-tenancy aspect of the cloud creates another security risk that's been the subject of intense scrutiny over the last number of years. Just as you wouldn't want to invite a malicious third party into your physical server, the cloud with its open brand of service opens the provider's networks to a host of parties. A high-profile research paper in 2009 called "Hey, You, Get Off of My Cloud" demonstrated the concept of cloud cartography on Amazon's EC2 service. Cloud cartography is a technique that can be used to exploit the multi-tenant aspect of the cloud to forcefully position a malicious instance next to a target one, and later use this positioning to mount an attack on the target instance. This may seem impossible; after all, instances seem to be positioned almost anywhere in the cloud. However, the researchers were able to succeed in 50% of co-location efforts, all for around 100 dollars. Even a pure brute force method led to 126 of 141 instances being co-located in 510 efforts. But why is this important? The fact of the matter is, it opens up yet another method of attack that can be used to steal data from a company.
  • Now once co-residency is established on the same physical infrastructure, hackers can use an indirect method of spying called a side channel attack. One type of side channel attack utilizes the system cache to monitor activity throughout the physical server. The system cache is a temporary memory storage bank used by the processor, but it simply wasn't built with strong segregation facilities in mind. Therefore, it remains observable by all parties. By observing the activity levels of the cache, a malicious user could monitor the timing of individual spikes in cache usage to do things like infer keystrokes in the target VM. This has huge potential ramifications, as you can easily imagine how indirect channel attacks can lead to the direct theft of employee passwords and the ultimate loss of data security for a company or its customers.
  • Now that we've outlined some of the more unique risks of the cloud, how can executives prepare for a transition to it? Well, there are a number of ways that they can try to compensate.
  • (1 minute) Now, encryption remains a popular solution in tech circles today. After seeing the increased potential for data leakage that comes with adopting the cloud model, you can see why encryption remains a must for new entrants. Encryption allows you to ensure that the right people are accessing your cloud servers through validation procedures, and it provides you with base-level protection over your information. Businesses that plan to use the cloud for storage or archiving can use encryption to transform data into a basically unreadable format, to minimize the chances of it being deciphered if intercepted or stolen. However, encryption does have limitations. By virtue of being undecipherable, encrypted data cannot be used for processing by cloud servers. Take for example the case of Google, which struggled over encrypting its Gmail service for over two years. It's said that even a simple search over encrypted data can make processing take up to one trillion times longer. Executives have to be sure to balance the security benefits of encryption with its processing costs.
  • (1 minute) A strong service level agreement can make all the difference when mitigating risks of financial exposure in the cloud. This is especially true since, according to a Ponemon survey, 69% of cloud service providers believe security to be the primary responsibility of the users, while only 35% of cloud users seem to agree. CSPs in general seem to be understandably protective of their security policies, but executives must ensure that this doesn't impede their own hardening procedures. The service provider may be hesitant to hand over basic access data or logs that may be essential for continuous monitoring by the user. Your data may also be subject to confiscation in the case of a security breach, unintentional or otherwise. A strong service level agreement can effectively divide the rights and responsibilities between each party in the cloud contract, and must be addressed to facilitate continuous monitoring and to enforce ownership rights over the relationship.
  • (1 minute) Finally, given the sheer number of threats that emerge from the basic cloud dependency stack, it makes sense for executives to apply a unified risk assessment approach in order to manage cloud security. Of course we're all familiar with the ISACA COBIT framework, a control objective model which certainly can be applied to a cloud environment given a little tweaking. However, a number of organizations have come forward to impart on new entrants a cloud-specific risk model. One such organization is the European Network and Information Security Agency (or ENISA), with its Cloud Computing Assurance Framework. A sort of meeting ground can be found in the CSA's Cloud Controls Matrix. It applies elements of all of the previously mentioned frameworks, taking concepts from each to form a definitive best-practice security framework. Getting to know these first-hand would be another great way for executives to educate themselves on the new security risks that result from cloud adoption.
  • Now, the help is out there. Here are a couple of links to the more popular security frameworks. Take a little time to browse through them all to see which one is most compatible with your existing security framework if you plan to become a new entrant.
  • Now I'm just going to talk briefly about some opportunities that are available for CAs to help provide additional assurance to new entrants in the cloud.
  • First of all, it's important to see cloud computing as an opportunity to extend the assurance function that CAs currently apply to service providers. Executives currently require a strong level of assurance to make a conscious decision over their choice of CSPs. The CA assurance function relevant to the cloud is generally limited to the control-based assessment that is the Section 5970 report. However, the 5970 merely relates to the testing of controls at a service provider over its own and its clients' financial reporting models. It fails to provide a thorough assessment of the CSP's security controls, which is what executives desperately need in order to distinguish between cloud service providers. Applying the trusted CA assurance brand to create a cloud assurance model seems to be a lucrative opportunity worth looking into.
  • (Link: https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/) CAs looking to get a jump ahead of the pack, to bolster their competencies and increase their own marketability, can look to an offering by the Cloud Security Alliance. The CSA has recently instituted a Certificate of Cloud Security Knowledge, which designates an individual as a specialist in identifying and addressing security risks in the cloud. This quote from Gary Phillips of Symantec outlines one way that CAs can help distinguish themselves in the cloud assurance function.
  • So what have I told you today? The cloud is a profound opportunity for executives who look to leverage its powerful and cost-effective characteristics to drive their businesses forward. However, it is these same characteristics that create new risks that we must now look out for, whether it be the proliferation of new attack surfaces or new threats that evolve with the cloud. It will pay dividends to be prepared. A unified risk assessment process will go a long way towards understanding the many risks out there, while implementing client-side controls and a strong service level agreement facilitates risk mitigation and risk avoidance practices.
  • Hopefully, you now have a better understanding of how the cloud works and ways you can protect yourself. Thanks for listening!
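As an added illustration that is not part of the original presentation, the economic denial of service scenario from the slide 6 notes as a small Python model: a pay-as-you-go autoscaler billed per instance-hour is fed a constructed traffic flood, once with unbounded elasticity and once with a scaling cap plus a spend alarm, so the bill, the alarm time and the availability trade-off can be compared. The capacity, pricing and load figures are assumed for the example and are not from any provider.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed figures for illustration only; real capacity and prices vary
# by provider and instance type.
INSTANCE_CAPACITY_RPS = 500        # requests per second one instance can serve
INSTANCE_COST_CENTS_PER_HOUR = 10  # billed per instance-hour

# Constructed 24-hour load profile (requests per second): normal traffic of
# 1,000 rps, then a 12-hour flood of 50,000 rps starting at hour 8.
LOAD = [1_000] * 8 + [50_000] * 12 + [1_000] * 4


@dataclass
class Autoscaler:
    """Minimal pay-as-you-go autoscaler: each hour it provisions enough
    instances to serve the offered load (up to an optional cap), bills those
    instance-hours, and records the first hour a spend threshold is crossed."""
    max_instances: Optional[int] = None      # None = unbounded elasticity
    spend_alarm_cents: Optional[int] = None  # None = nobody watching the bill
    cost_cents: int = 0
    alarm_hour: Optional[int] = None
    unserved_rps_hours: int = 0              # load shed because of the cap
    history: List[int] = field(default_factory=list)

    def step(self, hour: int, rps: int) -> int:
        wanted = max(1, math.ceil(rps / INSTANCE_CAPACITY_RPS))
        if self.max_instances is not None:
            wanted = min(wanted, self.max_instances)  # hard cap on elasticity
        self.history.append(wanted)
        self.cost_cents += wanted * INSTANCE_COST_CENTS_PER_HOUR
        # The cap trades unbounded spend for bounded availability: requests
        # beyond the capped capacity go unserved (a classic DoS instead of EDoS).
        self.unserved_rps_hours += max(0, rps - wanted * INSTANCE_CAPACITY_RPS)
        if (self.alarm_hour is None and self.spend_alarm_cents is not None
                and self.cost_cents >= self.spend_alarm_cents):
            self.alarm_hour = hour  # first hour the spend threshold is crossed
        return wanted


def run(load: List[int], **kwargs) -> Autoscaler:
    """Drive an Autoscaler through an hourly load profile and return it."""
    a = Autoscaler(**kwargs)
    for hour, rps in enumerate(load):
        a.step(hour, rps)
    return a


if __name__ == "__main__":
    uncapped = run(LOAD)
    capped = run(LOAD, max_instances=10, spend_alarm_cents=500)
    print(f"uncapped: ${uncapped.cost_cents / 100:.2f}, "
          f"peak {max(uncapped.history)} instances, no alarm configured")
    print(f"capped:   ${capped.cost_cents / 100:.2f}, alarm at hour "
          f"{capped.alarm_hour}, {capped.unserved_rps_hours} rps-hours unserved")
```

Neither setting filters the false requests themselves; the cap and the alarm bound the financial exposure so that a flood is noticed and paid for in dollars rather than hundreds, which is the point of treating EDoS as a risk to be capped in the contract and the configuration rather than one the autoscaler will absorb.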
  • Transcript

    • 1. Cloud Security: Risks and Recommendations for New Entrants
      A Report by Irvin Choo
      ACC 626
    • 2. What is the Cloud?
    • 3. What is the Cloud?
    • 4. Cloud Characteristics
      Elasticity
      Automatic Provisioning/De-provisioning
      Accessibility
      Anywhere and everywhere
      Multi-tenancy
      Know your neighbour
      Pay-as-you-go
    • 5. Cloud Security Risks
      Old risks vs. New risks
      Cloud Dependency Stack
      Expanding Attack
      Surfaces
      Cloud Cartography
      and Side Channels
    • 6. Cloud Security Risks
      Old Risks vs. New Risks
      Some risks (e.g. Phishing often attributed to cloud) – not a cloud specific risk
      New risks should span from the inherent properties of cloud computing models
      Can have a hybrid of both
      Distributed Denial of Service vs. Economic Denial of Service
      EDoS: using elasticity aspect to provision resources beyond sustainable capacities
    • 7. Cloud Security Risks
      Expanding Attack surfaces
      Hypervisors (IaaS)
      Allocate resources to virtual environment within the physical server
      Application Program Interfaces (PaaS)
      Proprietary
      Communicates between developer’s program and underlying platform
    • 8. Cloud Security Risks
      SaaS
      PaaS
      The Cloud Dependency Stack
      Compatibility concerns
      Misconfiguration of software
      High integration, high risk
      Compromise at any level can undermine the entire infrastructure
      IaaS
      Cloud Physical Infrastructure
    • 9. Cloud Security Risks
      Cloud Cartography
      Multi-tenancy issue
      Locating VM’s in the cloud
      Random Distribution?
      Hey, you, get off of my Cloud! (Amazon EC2 study)
      50% success rate
      Even brute force methods fairly successful
      Inexpensive
    • 10. Cloud Security Risks
      Side Channel Attacks
      Primary risk from multi-tenant environment
      Indirect form of spying
      Listening through the cache
      Can infer information rather than directly intercepting it
      Researchers were able to guess passwords by monitoring spikes in cache activity
      Can change face of corporate espionage
    • 11. Controls and Recommendations
      First Steps
      Responsibilities and the SLA
      Security Frameworks
    • 12. Controls and Recommendations
      First Steps
      Why is encryption important?
      Ensure authorized access
      Provides base level protection over information
      Basic encryption policies
      Authentication data
      Data for archiving/storage
      Limitations
      Not suited for data in transit/rapid processing (e.g. SaaS)
      Gmail struggled with encryption until 2010
    • 13. Controls and Recommendations
      Responsibilities and the SLA
      Ponemon: 69% of cloud service providers believe security to be responsibility of the users
      Continuous monitoring
      CSP may be hesitant to give access data/logs
      Generally secretive security policies
      Securing ownership of data in case of security breaches
    • 14. Controls and Recommendations
      Recommended Security Frameworks
      Strong response to lack of cloud-based security risk framework
      ISACA COBIT Framework for IT Governance of control
      International Organization for Standardization ISO 27001
      ENISA Cloud Computing Assurance Framework
      Cloud Security Alliance Cloud Controls Matrix
    • 15. Controls and Recommendations
      Recommended Security Frameworks
    • 16. Implications for CA’s
      Assurance Opportunities
      Certificate of Cloud Security Knowledge
    • 17. Implications for CA’s
      Cloud Computing is an opportunity for CAs
      Executives require stronger cloud-based assurance model
      5970/CSAE 3416 is inadequate
      Cloud risks extend far beyond financial reporting considerations
      Distinguishing between Cloud service providers
    • 18. Implications for CAs
      CSA Certificate of Cloud Security Knowledge
      “The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate.”
      ~ Gary Phillips, senior director, technology assurance and
      standards research, Symantec Corp
    • 19. Conclusions
      Cloud entails new risks
      Expansion of attack surfaces
      Evolution of old threats
      Risks can be mitigated by
      Implementing client-side controls
      Strong Service level agreement
      Unified risk assessment process
    • 20. Thank you!!
    • 21. Works Cited
      Al Morsy, M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdf
      Brenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.
      Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28 (18), pp. 1-2.
      CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up.
      Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdf
      Cloud Computing Information Assurance Framework. (2009, November). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
      Cloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
      Cloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
      Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
    • 22. Works Cited
      Cloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
      COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
      Farrell, R. (2010). Securing the Cloud. Information Security Journal, 6 (19), pp. 310-319.
      Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdf
      Greengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1 (106), pp. 20-24.
      Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1 (1247), pp. 4-5.
      Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspx
      Hoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/
      Jarabek, C. (2010). A Review of Cloud computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdf
      Lempereur, C., & Cimpean, D. (2011, May 12). An assurance framework for cloud computing. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011
      Loveland, G. (2010). Security Among the clouds. Compliance Week, 8 (83).
      Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
    • 23. Works Cited
      McMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.ppt
      Mullins, R. J. (2010). New Cloud Security Certification Launched. Information Week, 1 (1277), p. 16.
      Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.asp
      Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdf
      Shipley, G. (2010). Cloud Computing: Risks. Information Week, 1 (1262), pp. 20-23.
      The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25 (1), pp. 7-9.
      Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
      Top Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats
      Transitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtml
      Urquhart, J. (2010, November 22). Cloud security is dependent on the law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofClouds
      Zetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/