Cloud Computing: Let’s Clear the Air

CLOUD COMPUTING Let’s Clear the Air...

MESenior Linux System Administrator for MNX Solutions; MSP in Monroe

MESenior Linux System Administrator for MNX Solutions; MSP in MonroeBuilt/taught Linux curriculum for Eastern Michigan University

MESenior Linux System Administrator for MNX Solutions; MSP in MonroeBuilt/taught Linux curriculum for Eastern Michigan UniversityPreviously the cloud computing subject matter expert for ePrize

MESenior Linux System Administrator for MNX Solutions; MSP in MonroeBuilt/taught Linux curriculum for Eastern Michigan UniversityPreviously the cloud computing subject matter expert for ePrize Deployed multi-cloud provider scalable infrastructure to handle Super Bowl advertising traffic for two digital promotions in 2010

MESenior Linux System Administrator for MNX Solutions; MSP in MonroeBuilt/taught Linux curriculum for Eastern Michigan UniversityPreviously the cloud computing subject matter expert for ePrize Deployed multi-cloud provider scalable infrastructure to handle Super Bowl advertising traffic for two digital promotions in 2010Hold the Certificate of Cloud Security Knowledge (CCSK) from theCloud Security Alliance

MESenior Linux System Administrator for MNX Solutions; MSP in MonroeBuilt/taught Linux curriculum for Eastern Michigan UniversityPreviously the cloud computing subject matter expert for ePrize Deployed multi-cloud provider scalable infrastructure to handle Super Bowl advertising traffic for two digital promotions in 2010Hold the Certificate of Cloud Security Knowledge (CCSK) from theCloud Security AlliancePresent at events on configuration management & scalability in cloudcomputing and other elastic infrastructure

GIANT MISCONCEPTION

GIANT MISCONCEPTIONWhen someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’

GIANT MISCONCEPTIONWhen someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’ if that was true...

GIANT MISCONCEPTIONWhen someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’ if that was true...Everything outside of your own data closets and on- site data centers would be cloud computing

GIANT MISCONCEPTIONWhen someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’ if that was true...Everything outside of your own data closets and on- site data centers would be cloud computing cloud still means Internet...

GIANT MISCONCEPTIONWhen someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’ if that was true...Everything outside of your own data closets and on- site data centers would be cloud computing cloud still means Internet... Going to ‘the cloud’ may just mean ‘I am not using a server I can physically see 24x7 anymore’

Cloud Computing Involves...On-demand self-serviceBroad network accessResource poolingRapid elasticityMeasured Service

On-demand self-service

On-demand self-service“A consumer can unilaterally provision computing capabilities,such as server time and network storage, as needed automaticallywithout requiring human interaction with each service’sprovider.”

On-demand self-service“A consumer can unilaterally provision computing capabilities,such as server time and network storage, as needed automaticallywithout requiring human interaction with each service’sprovider.”Consider an API (Application Programming Interface) or webconsole that allows you, the consumer, to take resources as youdesire them without calling a company and asking for a quote toget something in two or three days

Broad network access

Broad network access“Capabilities are available over the network and accessedthrough standard mechanisms that promote use byheterogeneous thin or thick client platforms (e.g., mobilephones, laptops, and PDAs).”

Broad network access“Capabilities are available over the network and accessedthrough standard mechanisms that promote use byheterogeneous thin or thick client platforms (e.g., mobilephones, laptops, and PDAs).”The cloud should be accessible without regard to your method ofaccess. The consumer should determine the use-case and scopeof network access to services, not the provider.

Resource pooling

Resource pooling“The provider’s computing resources are pooled to servemultiple consumers using a multi-tenant model, with differentphysical and virtual resources dynamically assigned andreassigned according to consumer demand. There is a sense oflocation independence in that the customer generally has nocontrol or knowledge over the exact location of the providedresources but may be able to specify location at a higher level ofabstraction.”

Resource pooling“The provider’s computing resources are pooled to servemultiple consumers using a multi-tenant model, with differentphysical and virtual resources dynamically assigned andreassigned according to consumer demand. There is a sense oflocation independence in that the customer generally has nocontrol or knowledge over the exact location of the providedresources but may be able to specify location at a higher level ofabstraction.”Consumers want resources; they don’t want hardware. A cloudprovider should provide as much or little resource allocation asthe consumer requests -- whichever resource they want.

Rapid elasticity

Rapid elasticity“Capabilities can be rapidly and elastically provisioned, in somecases automatically, to quickly scale out, and rapidly released toquickly scale in. To the consumer, the capabilities available forprovisioning often appear to be unlimited and can be purchasedin any quantity at any time.”

Rapid elasticity“Capabilities can be rapidly and elastically provisioned, in somecases automatically, to quickly scale out, and rapidly released toquickly scale in. To the consumer, the capabilities available forprovisioning often appear to be unlimited and can be purchasedin any quantity at any time.”Adding more cloud resources should not be an arduous processfor the consumer. Further, the provider should allow theconsumer to dictate circumstances which automatically addresources to meet demand before an absence of resource canoccur

Measured Service

Measured Service“Cloud systems automatically control and optimize resource useby leveraging a metering capability at some level of abstractionappropriate to the type of service. Resource usage can bemonitored, controlled, and reported, providing transparency forboth the provider and consumer of the utilized service.”

Measured Service“Cloud systems automatically control and optimize resource useby leveraging a metering capability at some level of abstractionappropriate to the type of service. Resource usage can bemonitored, controlled, and reported, providing transparency forboth the provider and consumer of the utilized service.”Consumers in the cloud should pay for what they are using in amore structured manner than traditional resource servicemodels. For instance, if I have a ‘server’ in the cloud, I only payfor it when it’s turned out; not a monthly flat fee.

Typical Cloud Confusion

Typical Cloud ConfusionUtilizing virtualization and providing it to a consumer is not necessarilya cloud service. You will often see virtualization as a means-to-an-end toprovide multi-tenant infrastructure for cloud service but it is notrequired to be a cloud computing service

Typical Cloud ConfusionUtilizing virtualization and providing it to a consumer is not necessarilya cloud service. You will often see virtualization as a means-to-an-end toprovide multi-tenant infrastructure for cloud service but it is notrequired to be a cloud computing serviceA lot of things are (by definition) cloud computing because of Softwareas a Service (SaaS).Basically any piece of software that you can accesson the Internet which performs a task that may otherwise occur on yourdesktop (e.g. GMail, Dropbox)

Typical Cloud ConfusionUtilizing virtualization and providing it to a consumer is not necessarilya cloud service. You will often see virtualization as a means-to-an-end toprovide multi-tenant infrastructure for cloud service but it is notrequired to be a cloud computing serviceA lot of things are (by definition) cloud computing because of Softwareas a Service (SaaS).Basically any piece of software that you can accesson the Internet which performs a task that may otherwise occur on yourdesktop (e.g. GMail, Dropbox)Many people are talking about Infrastructure as a Service (IaaS) whenreferring to cloud computing, but this is not the only part of the cloud

Software as a Service (SaaS)

Software as a Service (SaaS)“The capability provided to the consumer is to use the provider’sapplications running on a cloud infrastructure. The applications areaccessible from various client devices through a thin client interfacesuch as a web browser.”

Software as a Service (SaaS)“The capability provided to the consumer is to use the provider’sapplications running on a cloud infrastructure. The applications areaccessible from various client devices through a thin client interfacesuch as a web browser.”GMail is a SaaS offering because it provides you an application tointeract with e-mail systems without having to have an e-mail client onyour personal device; merely a web browser

Software as a Service (SaaS)“The capability provided to the consumer is to use the provider’sapplications running on a cloud infrastructure. The applications areaccessible from various client devices through a thin client interfacesuch as a web browser.”GMail is a SaaS offering because it provides you an application tointeract with e-mail systems without having to have an e-mail client onyour personal device; merely a web browserDropbox provides online storage through a web interface that you canupload/share/download files. They also have a desktop client tosynchronize. If you had to use the desktop client, it wouldn’t be a SaaSanymore. The online storage offered is a component of IaaS.

Platform as a Service (PaaS)

Platform as a Service (PaaS)“The capability provided to the consumer is to deploy onto the cloudinfrastructure consumer-created or acquired applications createdusing programming languages and tools supported by the provider.”

Platform as a Service (PaaS)“The capability provided to the consumer is to deploy onto the cloudinfrastructure consumer-created or acquired applications createdusing programming languages and tools supported by the provider.”Microsoft Azure can provide you the ability to run your application ontheir cloud infrastructure without having to buy a server or worryabout setting up a web server

Platform as a Service (PaaS)“The capability provided to the consumer is to deploy onto the cloudinfrastructure consumer-created or acquired applications createdusing programming languages and tools supported by the provider.”Microsoft Azure can provide you the ability to run your application ontheir cloud infrastructure without having to buy a server or worryabout setting up a web serverPHPFog combines a caching engine, load balancer, application server,and database server into one service that allows you to deploy yourPHP application without the hassle of managing those components

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS)“The capability provided to the consumer is to provision processing,storage, networks, and other fundamental computing resources wherethe consumer is able to deploy and run arbitrary software, which caninclude operating systems and applications.”

Infrastructure as a Service (IaaS)“The capability provided to the consumer is to provision processing,storage, networks, and other fundamental computing resources wherethe consumer is able to deploy and run arbitrary software, which caninclude operating systems and applications.”Generally people reference this in terms of deploying an OperatingSystem such as Linux or Windows onto a provider’s multi-tenanthardware. This is often accomplished using virtualization technology.

Infrastructure as a Service (IaaS)“The capability provided to the consumer is to provision processing,storage, networks, and other fundamental computing resources wherethe consumer is able to deploy and run arbitrary software, which caninclude operating systems and applications.”Generally people reference this in terms of deploying an OperatingSystem such as Linux or Windows onto a provider’s multi-tenanthardware. This is often accomplished using virtualization technology.Can also be related to online storage; you don’t control the hard driveor necessarily the location but you control what data you put online.Because it’s just a resource and not “software”, it’s IaaS not SaaS.

Typical Cloud Deployments

Typical Cloud DeploymentsPrivate Cloud: Your resources look like traditional cloudcomputing due (elastic, on-demand, etc.) but usually deployedon-site or heavily controlled and segregated from other people

Typical Cloud DeploymentsPrivate Cloud: Your resources look like traditional cloudcomputing due (elastic, on-demand, etc.) but usually deployedon-site or heavily controlled and segregated from other peoplePublic Cloud: Your resources are being placed within the samehardware, network, and storage as other people.You have littlecontrol to say where the data is or how the underlying aspects ofyour environment are created and managed.

Typical Cloud DeploymentsPrivate Cloud: Your resources look like traditional cloudcomputing due (elastic, on-demand, etc.) but usually deployedon-site or heavily controlled and segregated from other peoplePublic Cloud: Your resources are being placed within the samehardware, network, and storage as other people.You have littlecontrol to say where the data is or how the underlying aspects ofyour environment are created and managed.Hybrid Cloud: Some resources are public, some are private.

To Put This Another Way...

To Put This Another Way... You don’t control anything except how SaaS you use a service and what data you put into the service. Someone else controls the OS, network, hardware, storage, etc.

To Put This Another Way... You don’t control anything except how SaaS you use a service and what data you put into the service. Someone else controls the OS, network, hardware, storage, etc. You don’t necessarily interact with a software package but a building block to PaaS which you can architect software from or manage software that you will integrate with to provide functionality.

To Put This Another Way... You don’t control anything except how SaaS you use a service and what data you put into the service. Someone else controls the OS, network, hardware, storage, etc. You don’t necessarily interact with a software package but a building block to PaaS which you can architect software from or manage software that you will integrate with to provide functionality. You don’t control the hardware, IaaS network, or storage but you do get to say how much of it you leverage and the software on top of the stack you want.

Fear and Loathing in the Cloud

Fear and Loathing in the Cloud “Cloud Computing is unproven”

Fear and Loathing in the Cloud “Cloud Computing is unproven”Cloud computing at its core are old services provided in a new way

Fear and Loathing in the Cloud “Cloud Computing is unproven”Cloud computing at its core are old services provided in a new way If you run a web site on a cloud provider, you’re not somehow less safe than if you were to use a traditional ‘shared hosting’ web provider. Your data, network traffic, and applications are still being placed on the same resources as hundreds of other people.

Fear and Loathing in the Cloud “Cloud Computing is unproven”Cloud computing at its core are old services provided in a new way If you run a web site on a cloud provider, you’re not somehow less safe than if you were to use a traditional ‘shared hosting’ web provider. Your data, network traffic, and applications are still being placed on the same resources as hundreds of other people. We’ve all been using Hotmail, Yahoo! Mail, and other SaaS offerings for years now. There have been security issues but generally related to singular accounts rather than the entire service offering.

Fear and Loathing in the Cloud“Amazon Web Services doesn’t meet industry requirements”

Fear and Loathing in the Cloud“Amazon Web Services doesn’t meet industry requirements”Amazon Web Services are...

Fear and Loathing in the Cloud“Amazon Web Services doesn’t meet industry requirements”Amazon Web Services are... ISO 27001 SAS 70 Type II PCI DSS Level 1 HIPPA ...compliant.

Fear and Loathing in the Cloud “If I go to the cloud, my data will be stolen”

Fear and Loathing in the Cloud “If I go to the cloud, my data will be stolen”Sharing storage does not mean that your data is available just becausesomeone else has bits on the same hard drive

Fear and Loathing in the Cloud “If I go to the cloud, my data will be stolen”Sharing storage does not mean that your data is available just becausesomeone else has bits on the same hard driveSharing networking does not mean all of your traffic is viewable by othertenants of the network in a passive way (or even through commonnetwork attacks)

Fear and Loathing in the Cloud “If I go to the cloud, my data will be stolen”Sharing storage does not mean that your data is available just becausesomeone else has bits on the same hard driveSharing networking does not mean all of your traffic is viewable by othertenants of the network in a passive way (or even through commonnetwork attacks)Virtualization is actually a fantastic security mechanism inherently dueto the implementation of separation of resources you probably didn’thave at your last web hosting provider

Fear and Loathing in the Cloud “I can’t trust XYZ provider’s people”

Fear and Loathing in the Cloud “I can’t trust XYZ provider’s people”Cloud computing means that people at a company have access to yourservers, network, storage, and potentially your data

Fear and Loathing in the Cloud “I can’t trust XYZ provider’s people”Cloud computing means that people at a company have access to yourservers, network, storage, and potentially your dataColocation, dedicated hosting, shared hosting, virtual private serversand all other off-site hardware and software means that....

Fear and Loathing in the Cloud “I can’t trust XYZ provider’s people”Cloud computing means that people at a company have access to yourservers, network, storage, and potentially your dataColocation, dedicated hosting, shared hosting, virtual private serversand all other off-site hardware and software means that.... See above.

Fear and Loathing in the Cloud “I can’t trust XYZ provider’s people”Cloud computing means that people at a company have access to yourservers, network, storage, and potentially your dataColocation, dedicated hosting, shared hosting, virtual private serversand all other off-site hardware and software means that.... See above.The situation does not change. I’d trust Amazon with my data before arandom data center in Michigan who has been around a few months.

The cloud can be nasty, though.

The cloud can be nasty, though. Consider this scenario:

The cloud can be nasty, though. Consider this scenario: A criminal has access to 10,000 stolen credit cards

The cloud can be nasty, though. Consider this scenario: A criminal has access to 10,000 stolen credit cards Aforementioned criminal posses basic programming skills

The cloud can be nasty, though. Consider this scenario: A criminal has access to 10,000 stolen credit cards Aforementioned criminal posses basic programming skills API calls are sent to create 20 ‘server instances’ per credit card at 10 different cloud providers

The cloud can be nasty, though. Consider this scenario: A criminal has access to 10,000 stolen credit cards Aforementioned criminal posses basic programming skills API calls are sent to create 20 ‘server instances’ per credit card at 10 different cloud providers Criminal now has 2 million servers to conduct attacks, distribute piracy, spam people, or attempt to dilute available resources for potential legit customers

Bot-nets used to take effort!

Bot-nets used to take effort!Old bot nets were handfuls of Grandparent’s slow computersrunning 56k modems on AOL and infected with spyware

Bot-nets used to take effort!Old bot nets were handfuls of Grandparent’s slow computersrunning 56k modems on AOL and infected with spywareNew bot nets can be created on-demand with sizes beingdetermined by the number of cloud computing (IaaS) providerswho accept a credit card/PayPal account and will automaticallyprovide resources without even so much as a phone call

Bot-nets used to take effort!Old bot nets were handfuls of Grandparent’s slow computersrunning 56k modems on AOL and infected with spywareNew bot nets can be created on-demand with sizes beingdetermined by the number of cloud computing (IaaS) providerswho accept a credit card/PayPal account and will automaticallyprovide resources without even so much as a phone callCloud bot nets allow criminals to rent high-capacity computingresources on amazing network connections with no existing‘infections’ needed

It’s not all bad, though.

It’s not all bad, though.Companies such as Rackspace or Amazon are well staffed and trained todeal with cyber criminals by deploying fraud and abuse detectionsystems to help react quickly to negative situations

It’s not all bad, though.Companies such as Rackspace or Amazon are well staffed and trained todeal with cyber criminals by deploying fraud and abuse detectionsystems to help react quickly to negative situationsIt’s easier for a large cloud provider to shutdown rogue accounts, blockstolen credit cards, and provide law enforcement with evidence than aMom-and-Pop web hosting provider or a random teenager’s computerthat has been infected with a trojan

It’s not all bad, though.Companies such as Rackspace or Amazon are well staffed and trained todeal with cyber criminals by deploying fraud and abuse detectionsystems to help react quickly to negative situationsIt’s easier for a large cloud provider to shutdown rogue accounts, blockstolen credit cards, and provide law enforcement with evidence than aMom-and-Pop web hosting provider or a random teenager’s computerthat has been infected with a trojanSome providers like Amazon require account creation to involve simpleadditional hoops such as phone call verification to an automated service;not a fix but it definitely makes would-be criminals work harder

Cloud Security Practices

Cloud Security PracticesCryptography everywhere you can...

Cloud Security PracticesCryptography everywhere you can... Data that is sitting on random disks across data centers you don’t know the location of should be encrypted so that if hard drive(s) were stolen, your data would still be reasonably safe

Cloud Security PracticesCryptography everywhere you can... Data that is sitting on random disks across data centers you don’t know the location of should be encrypted so that if hard drive(s) were stolen, your data would still be reasonably safe Transport encryption (SSL/TLS) should be applied for any sensitive traffic between cloud servers to each other as well as cloud servers to general end-users (e.g. webmail users utilizing your SaaS)

Cloud Security PracticesCryptography everywhere you can... Data that is sitting on random disks across data centers you don’t know the location of should be encrypted so that if hard drive(s) were stolen, your data would still be reasonably safe Transport encryption (SSL/TLS) should be applied for any sensitive traffic between cloud servers to each other as well as cloud servers to general end-users (e.g. webmail users utilizing your SaaS) No customer PII, PHI, or otherwise sensitive information should be accessible in a cleartext format without previously having to enter a passphrase or utilize a private key to decrypt said information

Cloud Security PracticesAudit your resources against either traditional compliance standards(PCI, HIPPA, SOX, etc.) or with your company’s own guiding practices

Cloud Security PracticesAudit your resources against either traditional compliance standards(PCI, HIPPA, SOX, etc.) or with your company’s own guiding practicesEnsure strong network filtering when able to do so. Amazon for instanceallows a network-based inbound firewall ruleset; stack that with a host-based firewall on each instance to ensure no gaps exist if one fails

Cloud Security PracticesAudit your resources against either traditional compliance standards(PCI, HIPPA, SOX, etc.) or with your company’s own guiding practicesEnsure strong network filtering when able to do so. Amazon for instanceallows a network-based inbound firewall ruleset; stack that with a host-based firewall on each instance to ensure no gaps exist if one failsUtilize multi-factor authentication at an account level (Amazon hastoken integration) and also at your service level (IaaS, SaaS)

Cloud Security PracticesAudit your resources against either traditional compliance standards(PCI, HIPPA, SOX, etc.) or with your company’s own guiding practicesEnsure strong network filtering when able to do so. Amazon for instanceallows a network-based inbound firewall ruleset; stack that with a host-based firewall on each instance to ensure no gaps exist if one failsUtilize multi-factor authentication at an account level (Amazon hastoken integration) and also at your service level (IaaS, SaaS) Ann Arbor-based Duo Security for Linux/Juniper/Cisco MFA

Cloud Security PracticesTry to mitigate the sensitive information you store in the cloud; keepthat data in-house/on-site if at all possible

Cloud Security PracticesTry to mitigate the sensitive information you store in the cloud; keepthat data in-house/on-site if at all possibleImplement host-based intrusion detection systems (OSSEC, Tripwire)

Cloud Security PracticesTry to mitigate the sensitive information you store in the cloud; keepthat data in-house/on-site if at all possibleImplement host-based intrusion detection systems (OSSEC, Tripwire)Use strong passwords on all accounts and try to reduce password reuse

Cloud Security PracticesTry to mitigate the sensitive information you store in the cloud; keepthat data in-house/on-site if at all possibleImplement host-based intrusion detection systems (OSSEC, Tripwire)Use strong passwords on all accounts and try to reduce password reuseEnsure the cloud provider you utilize meets industry standardcompliance for required certifications relevant to your business

Cloud Security PracticesTry to mitigate the sensitive information you store in the cloud; keepthat data in-house/on-site if at all possibleImplement host-based intrusion detection systems (OSSEC, Tripwire)Use strong passwords on all accounts and try to reduce password reuseEnsure the cloud provider you utilize meets industry standardcompliance for required certifications relevant to your businessDiscuss legal concerns with your counsel or the cloud provider beforejumping in and looking back realizing it’s too late to be proactive

Other Cloud Practices

Other Cloud PracticesHave detailed documentation on how your cloud infrastructure is setupso that if you had to migrate from one provider to another, youwouldn’t have to scramble to figure out how to

Other Cloud PracticesHave detailed documentation on how your cloud infrastructure is setupso that if you had to migrate from one provider to another, youwouldn’t have to scramble to figure out how toConfiguration management tools (Puppet, Chef, CFEngine) can allowfor rapid deployment of infrastructure by treating components(services, software, configuration) as code and allowing it to beversioned and managed easily

Other Cloud PracticesHave detailed documentation on how your cloud infrastructure is setupso that if you had to migrate from one provider to another, youwouldn’t have to scramble to figure out how toConfiguration management tools (Puppet, Chef, CFEngine) can allowfor rapid deployment of infrastructure by treating components(services, software, configuration) as code and allowing it to beversioned and managed easilyIf you have a server in the cloud that cannot fail, you probably need tore-think how you’ve deployed your infrastructure or application

Other Cloud PracticesHave detailed documentation on how your cloud infrastructure is setupso that if you had to migrate from one provider to another, youwouldn’t have to scramble to figure out how toConfiguration management tools (Puppet, Chef, CFEngine) can allowfor rapid deployment of infrastructure by treating components(services, software, configuration) as code and allowing it to beversioned and managed easilyIf you have a server in the cloud that cannot fail, you probably need tore-think how you’ve deployed your infrastructure or applicationTreat your IaaS as ephemeral and plan for failure; be resilient!

Does this all sound familiar?

Does this all sound familiar?Cloud practices are not very different in most cases than regularinformation security practices

Does this all sound familiar?Cloud practices are not very different in most cases than regularinformation security practices Cloud computing is still the same technology that we’ve been securing just with new applications and some bells & whistles

Does this all sound familiar?Cloud practices are not very different in most cases than regularinformation security practices Cloud computing is still the same technology that we’ve been securing just with new applications and some bells & whistlesDon’t complicate cloud security practices with fancy new products: stickto standard cryptography, strong passwords, separation of privilege,multi-factor authentication, and limit your stored sensitive data

Does this all sound familiar?Cloud practices are not very different in most cases than regularinformation security practices Cloud computing is still the same technology that we’ve been securing just with new applications and some bells & whistlesDon’t complicate cloud security practices with fancy new products: stickto standard cryptography, strong passwords, separation of privilege,multi-factor authentication, and limit your stored sensitive dataFace your fears in your existing environment before going to the cloud!Things will not magically change by going to a IaaS, PaaS, or SaaS.

What should I do differently?

What should I do differently?When our source-code is hidden there’s typically a harder time toexploit it; that doesn’t mean it’s necessarily safe!

What should I do differently?When our source-code is hidden there’s typically a harder time toexploit it; that doesn’t mean it’s necessarily safe! When our servers are on-site, there’s typically a harder time to exploit them; that doesn’t mean they are necessarily safe!

What should I do differently?When our source-code is hidden there’s typically a harder time toexploit it; that doesn’t mean it’s necessarily safe! When our servers are on-site, there’s typically a harder time to exploit them; that doesn’t mean they are necessarily safe!Implement the best practices you should be already doing and don’tskimp on follow-through; be aggressive with your security.

What should I do differently?When our source-code is hidden there’s typically a harder time toexploit it; that doesn’t mean it’s necessarily safe! When our servers are on-site, there’s typically a harder time to exploit them; that doesn’t mean they are necessarily safe!Implement the best practices you should be already doing and don’tskimp on follow-through; be aggressive with your security.Going from a data center cage that you have keys to into a cloudprovider’s cluster of computing resources does take a leap of faith so beready to let go of some safety-nets you’re used to.

Why NOT to go to the cloud...

Why NOT to go to the cloud...If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud butyou’re going to have to find the right QSA :)

Why NOT to go to the cloud...If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud butyou’re going to have to find the right QSA :) 2013 is next PCI council revision; things may change then

Why NOT to go to the cloud...If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud butyou’re going to have to find the right QSA :) 2013 is next PCI council revision; things may change thenIf you don’t architect for failure, that’s exactly what you will have

Why NOT to go to the cloud...If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud butyou’re going to have to find the right QSA :) 2013 is next PCI council revision; things may change thenIf you don’t architect for failure, that’s exactly what you will have Some companies did have AWS failures recently on a grand scale; other companies survived the AWS outage...

Why NOT to go to the cloud...If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud butyou’re going to have to find the right QSA :) 2013 is next PCI council revision; things may change thenIf you don’t architect for failure, that’s exactly what you will have Some companies did have AWS failures recently on a grand scale; other companies survived the AWS outage...If you fail (architecture or security) plan on being in the news quickly;it’s very popular to bash the cloud!

References/Appendixhttp://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdfhttp://cloudsecurityalliance.org/http://aws.amazon.com/security/http://www.duosecurity.com/http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdfhttp://sites.google.com/site/detroitcloudgroup/http://clouddevday.com/

Thank You! Questions?mark.stanislav@gmail.com@markstanislavuncompiled.com

Cloud Computing: Let’s Clear the Air

by Mark Stanislav on May 18, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 1

Statistics

Cloud Computing: Let’s Clear the Air — Presentation Transcript