Your SlideShare is downloading. ×
Cloud Computing Security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Cloud Computing Security

254
views

Published on

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
254
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Cloud Computing: Finding the Silver Lining Steve Hanna, Juniper NetworksCopyright © 2009 Juniper Networks, Inc. 1
  • 2. Agenda   What is Cloud Computing?   Security Analysis of Cloud Computing   ConclusionsCopyright © 2009 Juniper Networks, Inc. 2
  • 3. Agenda   What is Cloud Computing?   Security Analysis of Cloud Computing   ConclusionsCopyright © 2009 Juniper Networks, Inc. 3
  • 4. Cloud Computing Defined   Dynamically scalable shared resources accessed over a network •  Only pay for what you use •  Shared internally or with other customers •  Resources = storage, computing, services, etc. •  Internal network or Internet   Notes •  Similar to Timesharing •  Rent IT resources vs. buy •  New term – definition still being developedCopyright © 2009 Juniper Networks, Inc. 4
  • 5. Conventional Data Center Data Center Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 5
  • 6. Cloud Computing Model Enterprise 2 Cloud Provider Enterprise 1 Enterprise LAN Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 6
  • 7. Many Flavors of Cloud Computing   SaaS – Software as a Service •  Network-hosted application   DaaS – Data as a Service •  Customer queries against provider’s database   PaaS– Platform as a Service •  Network-hosted software development platform   IaaS – Infrastructure as a Service •  Provider hosts customer VMs or provides network storage   IPMaaS – Identity and Policy Management as a Service •  Provider manages identity and/or access control policy for customer   NaaS – Network as a Service •  Provider offers virtualized networks (e.g. VPNs)Copyright © 2009 Juniper Networks, Inc. 7
  • 8. Cloud Computing Providers DaaS SaaS PaaS IPM Software & Data IPMaaS Infrastructure NaaS IaaS (DC/server)Copyright © 2009 Juniper Networks, Inc. 8
  • 9. Cloud Computing Pros and Cons Compliance/regulatory laws mandate on-site Pros ownership of data Reduced costs Resource sharing is more Security and privacy efficient Latency & bandwidth guarantees Management moves to Absence of robust SLAs cloud provider Uncertainty around Consumption based cost interoperability, portability & lock in Faster time to roll out new services Availability & reliability Dynamic resource availability for crunch Inhibitors periodsCopyright © 2009 Juniper Networks, Inc. 9
  • 10. Who’s using Clouds today?Copyright © 2009 Juniper Networks, Inc. 10
  • 11. Example: Mogulus   Mogulus is a live broadcast platform on the internet. (cloud customer) •  Producers can use the Mogulus browser-based Studio application to create LIVE, scheduled and on-demand internet television to broadcast anywhere on the web through a single player widget.   Mogulus is entirely hosted on cloud (cloud provider)   On Election night Mogulus ramped to: •  87000 videos @500kbps = 43.5 Gbps •  http://www.mogulus.comCopyright © 2009 Juniper Networks, Inc. 11
  • 12. Example: Animoto   Animoto is a video rendering & production house with service available over the Internet (cloud customer) •  With their patent-pending technology and high-end motion design, each video is a fully customized orchestration of user-selected images and music in several formats, including DVD.   Animoto is entirely hosted on cloud (cloud provider)   Released Facebook App: users were able to easily render their photos into MTV like videos •  Ramped from 25,000 users to 250,000 users in three days •  Signing up 20,000 new users per hour at peak •  Went from 50 to 3500 servers in 5 days •  Two weeks later scaled back to 100 servers •  http://www.animoto.comCopyright © 2009 Juniper Networks, Inc. 12
  • 13. Example: New York Times   Timesmachine is a news archive of the NY Times available in pdf over the Internet to newspaper subscribers (cloud customer)   Timesmachine is entirely hosted on cloud (cloud provider)   Timesmachine needed infrastructure to host several terabits of data •  Internal IT rejected due to cost •  Business owners got the data up on cloud for $50 over one weekend •  http://timesmachine.nytimes.comCopyright © 2009 Juniper Networks, Inc. 13
  • 14. Example: Eli Lilly   Eli Lilly is the 10th largest pharmaceutical company in the world (cloud customer)   Moved entire R&D environment to cloud (cloud provider)   Results: •  Reduced costs •  Global access to R&D applications •  Rapid transition due to VM hosting •  Time to deliver new services greatly reduced: •  New server: 7.5 weeks down to 3 minutes •  New collaboration: 8 weeks down to 5 minutes •  64 node linux cluster: 12 weeks down to 5 minutesCopyright © 2009 Juniper Networks, Inc. 14
  • 15. Who’s using Clouds today?   Startups & Small businesses •  Can use clouds for everything •  SaaS, IaaS, collaboration services, online presence   Mid-Size Enterprises •  Can use clouds for many things •  Compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools   Large Enterprises •  More likely to have hybrid models where they keep some things in house •  On premises data for legal and risk management reasonsCopyright © 2009 Juniper Networks, Inc. 15
  • 16. Agenda   What is Cloud Computing?   Security Analysis of Cloud Computing   ConclusionsCopyright © 2009 Juniper Networks, Inc. 16
  • 17. Information Security Risk Management Process (ISO 27005)   Establish Context   Risk Assessment •  Identify Risks •  Identify Assets •  Identify Threats •  Identify Existing Controls •  Identify Vulnerabilities •  Identify Consequences •  Estimate Risks •  Evaluate Risks   Develop Risk Treatment Plan •  Reduce, Retain, Avoid, or Transfer Risks   Risk Acceptance   Implement Risk Treatment Plan   Monitor and Review RisksCopyright © 2009 Juniper Networks, Inc. 17
  • 18. Streamlined Security Analysis Process   Identify Assets •  Which assets are we trying to protect? •  What properties of these assets must be maintained?   Identify Threats •  What attacks can be mounted? •  What other threats are there (natural disasters, etc.)?   Identify Countermeasures •  How can we counter those attacks?   Appropriate for Organization-Independent Analysis •  We have no organizational context or policiesCopyright © 2009 Juniper Networks, Inc. 18
  • 19. Identify AssetsCopyright © 2009 Juniper Networks, Inc. 19
  • 20. Conventional Data Center Data Center Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 20
  • 21. Cloud Computing Model Enterprise 2 Cloud Provider Enterprise 1 Enterprise LAN Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 21
  • 22. Identify Assets   Customer Data   Customer Applications   Client Computing DevicesCopyright © 2009 Juniper Networks, Inc. 22
  • 23. Information Security Principles (Triad)   C I A •  Confidentiality •  Prevent unauthorized disclosure •  Integrity •  Preserve information integrity •  Availability •  Ensure information is available when neededCopyright © 2009 Juniper Networks, Inc. 23
  • 24. Identify Assets & Principles   Customer Data •  Confidentiality, integrity, and availability   Customer Applications •  Confidentiality, integrity, and availability   Client Computing Devices •  Confidentiality, integrity, and availabilityCopyright © 2009 Juniper Networks, Inc. 24
  • 25. Identify ThreatsCopyright © 2009 Juniper Networks, Inc. 25
  • 26. Cloud Computing Model Enterprise 2 Cloud Provider Enterprise 1 Enterprise LAN Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 26
  • 27. Identify Threats   Failures in Provider Security   Attacks by Other Customers   Availability and Reliability Issues   Legal and Regulatory Issues   Perimeter Security Model Broken   Integrating Provider and Customer Security SystemsCopyright © 2009 Juniper Networks, Inc. 27
  • 28. Failures in Provider Security   Explanation •  Provider controls servers, network, etc. •  Customer must trust provider’s security •  Failures may violate CIA principles   Countermeasures •  Verify and monitor provider’s security   Notes •  Outside verification may suffice •  For SMB, provider security may exceed customer securityCopyright © 2009 Juniper Networks, Inc. 28
  • 29. Attacks by Other Customers   Threats •  Provider resources shared with untrusted parties •  CPU, storage, network •  Customer data and applications must be separated •  Failures will violate CIA principles   Countermeasures •  Hypervisors for compute separation •  MPLS, VPNs, VLANs, firewalls for network separation •  Cryptography (strong) •  Application-layer separation (less strong)Copyright © 2009 Juniper Networks, Inc. 29
  • 30. Availability and Reliability Issues   Threats •  Clouds may be less available than in-house IT •  Complexity increases chance of failure •  Clouds are prominent attack targets •  Internet reliability is spotty •  Shared resources may provide attack vectors •  BUT cloud providers focus on availability   Countermeasures •  Evaluate provider measures to ensure availability •  Monitor availability carefully •  Plan for downtime •  Use public clouds for less essential applicationsCopyright © 2009 Juniper Networks, Inc. 30
  • 31. Legal and Regulatory Issues   Threats •  Laws and regulations may prevent cloud computing •  Requirements to retain control •  Certification requirements not met by provider •  Geographical limitations – EU Data Privacy •  New locations may trigger new laws and regulations   Countermeasures •  Evaluate legal issues •  Require provider compliance with laws and regulations •  Restrict geography as neededCopyright © 2009 Juniper Networks, Inc. 31
  • 32. Perimeter Security Model BrokenCopyright © 2009 Juniper Networks, Inc. 32
  • 33. Perimeter Security Model Data Center Data Applications Safe Zone Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 33
  • 34. Perimeter Security with Cloud Computing? Enterprise 2 Cloud Provider Enterprise 1 Enterprise LAN Data Applications Enterprise LAN Office User Internet Remote UserCopyright © 2009 Juniper Networks, Inc. 34
  • 35. Perimeter Security Model Broken   Threats •  Including the cloud in your perimeter •  Lets attackers inside the perimeter •  Prevents mobile users from accessing the cloud directly •  Not including the cloud in your perimeter •  Essential services aren’t trusted •  No access controls on cloud   Countermeasures •  Drop the perimeter model!Copyright © 2009 Juniper Networks, Inc. 35
  • 36. Integrating Provider and Customer Security   Threat •  Disconnected provider and customer security systems •  Fired employee retains access to cloud •  Misbehavior in cloud not reported to customer   Countermeasures •  At least, integrate identity management •  Consistent access controls •  Better, integrate monitoring and notifications   Notes •  Can use SAML, LDAP, RADIUS, XACML, IF-MAP, etc.Copyright © 2009 Juniper Networks, Inc. 36
  • 37. Agenda   What is Cloud Computing?   Security Analysis of Cloud Computing   ConclusionsCopyright © 2009 Juniper Networks, Inc. 37
  • 38. Bottom Line on Cloud Computing Security   Engage in full risk management process for each case   For small and medium organizations •  Cloud security may be a big improvement! •  Cost savings may be large (economies of scale)   For large organizations •  Already have large, secure data centers •  Main sweet spots: •  Elastic services •  Internet-facing services   Employ countermeasures listed aboveCopyright © 2009 Juniper Networks, Inc. 38
  • 39. Security Analysis Skills Reviewed Today   Information Security Risk Management Process •  Variations used throughout IT industry •  ISO 27005, NIST SP 800-30, etc. •  Requires thorough knowledge of threats and controls •  Bread and butter of InfoSec – Learn it! •  Time-consuming but not difficult   Streamlined Security Analysis Process •  Many variations •  RFC 3552, etc. •  Requires thorough knowledge of threats and controls •  Useful for organization-independent analysis •  Practice this on any RFC or other standard •  Become able to do it in 10 minutesCopyright © 2009 Juniper Networks, Inc. 39
  • 40. DiscussionCopyright © 2009 Juniper Networks, Inc. 40
  • 41. Copyright © 2009 Juniper Networks, Inc. 41