Security in the Cloud
Upcoming SlideShare
Loading in...5
×
 

Security in the Cloud

on

  • 1,135 views

"Security the Cloud" - webinar slides on 27th Oct 2011

"Security the Cloud" - webinar slides on 27th Oct 2011

Statistics

Views

Total Views
1,135
Slideshare-icon Views on SlideShare
906
Embed Views
229

Actions

Likes
1
Downloads
16
Comments
0

4 Embeds 229

http://blog.facilelogin.com 219
http://a0.twimg.com 6
http://tweetedtimes.com 3
http://127.0.0.1:8775 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Security in the Cloud Security in the Cloud Presentation Transcript

    • Prabath  Siriwardena  –  Software  Architect,  WSO2  
    • WHY  ?  
    • Cloud  Computing  
    • Cloud  Computing  
    • As  a  Service  ?  
    • As  a  Service  ?  Pay  per  use   Resource  Sharing  Self  service  provisioning   Unlimited  Resource  
    • •  In  public   –  IaaS,  PaaS,  SaaS  available  on  the  Internet   –  Use  one  of  the  cloud  service  providers   –  Information  is  stored  and  managed  by  provider  under  SLA  •  In  Private   –  Have  a  cloud,  in-­‐house   –  IaaS  provides  by  hardware  on  your  data  centers   –  PaaS  running  on  your  IaaS   –  SaaS  executing  on  your  PaaS  •  Or  use  both   –  Hybrid  Cloud  
    • Enterprise  IT  in  2010  
    • Enterprise  IT  in  2015+  
    • What  do  you  expect  from  a  platform  ?  
    • •  Public  Cloud   –  Fast  time  to  market   –  Makes  it  easier  to  write  scalable  code  •  Private  Cloud   –  Give  each  team  their  own  instant  infrastructure   –  Govern  centrally  but  code  and  deploy  by  team   –  Automated  governance,  registry,  identity   –  Instant  BAM  
    • •  Distributed  /  Dynamically  Wired  (works  properly  in  the  cloud)   –  Finds  services  across  applications     –  Reuse  services  from  other  departments  e.g.  People  information  required  by  all  of  Finance,   Engineering  and  Sales  •  Elastic  (uses  the  cloud  efficiently)   –  Scales  up  and  down  as  needed   –  Some  departments  might  want  varying  resources  with  varying  bandwidth  with  varying   priority  •  Multi-­‐tenant  (only  costs  when  you  use  it)   –  Virtual  isolated  instances  to  facilitate  isolation  between  departments  etc.   –  e.g.  Sales  vs.  Finance  tenants.  Finance  want  complete  isolation  for  some  sensitive  services  •  Self-­‐service  (in  the  hands  of  users)   –  De-­‐centralized  creation  and  management  of  tenants   –  No  need  to  come  to  IT  department  to  gain  access  –  served  via  portal  –  no  need  to  be  on  the   queue  or  waiting  list  •  Granularly  Billed  and  Metered  (pay  for  just  what  you  use)   –  Allocate  costs  to  exactly  who  uses  them   –  Bill  and  cost  various  departments  per  use     –  Get  rid  of  the  situations  where  unused  computing  assets  lying  in  one  department  while  the   other  departments  are  starving  for  the  same  •  Incrementally  Deployed  and  Tested  (supports  seamless  live  upgrade)   –  Not  disrupt  other  operations  
    • ProviderIAAS   N   F   Application   N   F   Middleware   N   F   Guest  OS   F   N   Hypervisor   F   N   Storage   F   N   Hardware   Organization F   N   Network  
    • ProviderPAAS   M   L   Application   M   L   Middleware   F   N   Guest  OS   F   N   Hypervisor   F   N   Storage   F   N   Hardware   Organization F   N   Network  
    • ProviderSAAS   M   L   Application   F   N   Middleware   F   N   Guest  OS   F   N   Hypervisor   F   N   Storage   F   N   Hardware   Organization F   N   Network  
    • IaaS   PaaS   SaaS   Data   Organization   Organization   Organization  Applications   Organization   Shared   Service  Provider   Systems   Service  Provider   Service  Provider   Service  Provider   Storage   Service  Provider   Service  Provider   Service  Provider   Network   Service  Provider   Service  Provider   Service  Provider  
    • SAAS  More  Control   PAAS   IAAS  
    • Private   Public   Compliance   Organization   Service  Provider   Governance   Organization   Service  Provider   Security   Organization   Service  Provider   Operations   Organization   Service  Provider   Risk   Organization   Shared   Cloud  Owner   Organization   Service  Provider    or  leased  Use  limited  to     Organization   Public  
    • Public  Ownership   Hybrid   Private  
    • Multi-­‐tenancy  
    • •  Can  be  used  to  give  departments  their  own   PaaS  world  to  operate  in  •  Yet  all  share  same  hardware  resources   –  Not  all  departments  need  resources  at  the  same  time   –  Really  pay  per  use   –  Opportunity  to  unify    departmental  level  small  server  pools    •  Drastically  reduce  admin/management  costs   –  One  software  installation  to  maintain  •  Use  differentiated  QoS  
    • Multi-­‐tenancy  ¡  Three  possible  ways   §  Machine  per  tenant   §  VM  per  tenant   §  Share  machine/VM  across  tenants  ¡  Challenges   §  Data  isolation   §  Logic  isolation     §  Security  
    • Data  Isolation  –  Separated  DB   Multi-­‐tenancy  
    • Data  Isolation  –  Shared  DB  /  Separate  Schema   Multi-­‐tenancy  
    • Data  Isolation  –  Shared  DB  /  Shared  Schema   Multi-­‐tenancy  
    • Data  Access  -­‐  Security  Patterns  Trusted  Database  Connections  
    • Data  Access  -­‐  Security  Patterns  Trusted  Database  Connections  
    • Data  Access  -­‐  Security  Patterns  Trusted  Database  Connections  
    • Data  Access  -­‐  Security  Patterns  Secure  Database  Tables   GRANT SELECT, UPDATE, INSERT, DELETE ON [TableName] FOR [UserName]
    • Data  Access  -­‐  Security  Patterns  Tenant  View  Filter   CREATE  VIEW  TenantEmployees  AS     SELECT  *  FROM  Employees  WHERE  TenantID  =   SUSER_SID()
    • •  Data  Confidentiality/Integrity/Availability  •  Data  Lineage  •  Data  Provenance  •  Data  Remanence  
    •                      Data  Confidentiality/Integrity/Availability   Storage   Processing   Transmission   Confidentiality   Symmetric   Homomorphic   SSL   Encryption   Encryption   Integrity   MAC   Homomorphic   SSL   Encryption   Availability   Redundancy   Redundancy   Redundancy  
    • cloud  security     forxg  vhfxulwb    Homomorphic  Encryption   cloud   forxg   security     vhfxulwb     cloud   security     forxg   vhfxulwb    
    • Vendor   CVE   KVM   32   QEMU   23   VMWare   126   XEN   86  •  VM  Escape  (Host  code  execution)  •  Guest  code  execution  with  privilege  
    • •  Identity  Management  •  Access  Management  •  Key  Management  •  System  &  Network  Auditing  •  Security  Monitoring  •  Security  Testing  &  Vulnerability  Remediation  •  System  &  Network  Controls  
    • •  Controls  over  identity  information  Identity  Management   •  Strong  Identity  Management  system  for  cloud   personnel   •  Large  scale  needs  for  authenticating  cloud   tenants  and  users   •  Federated  Identity   •  Audits  for  legal  activities   •  Identity  Recycle?   •  Means  to  verify  assertions  of  identity  by  cloud   provider  personnel  
    • •  Cloud  personnel  shall  have  restricted  access  to  Access  Management   the  customer  data   •  Multifactor  authentication  for  highly  privileged   operations   •  Large  scale  needs  for  authenticating  cloud   tenants  and  users   •  Least  privileged  principal  and  RBAC   •  White-­‐listed  IPs  for  remote  access  by  cloud   personnel    
    • •  Encryption  the  key  to  protect  data  in  transit  and   at  rest  Key  Management   •  All  keys  secured  properly   •  Effective  procedures  to  recover  from   compromised  keys   •  Effective  procedures  for  key  revocation      
    • System  &  Network  Auditing   •  All  security  related  events  must  be  recorded  with   all  relevant  information   •  Generated  audit  events  must  be  logged  in  near   real-­‐time  manner   •  Integrity  &  confidentiality  of  audit  logs  should  be   protected   •  Audit  logs  needs  to  be  securely  archived    
    • •  Generation  of  alerts  in  recognition  of  a  critical  Security  Monitoring   security  breach   •  Delivery  of  security  alerts  in  deferent  means   securely   •  Cloud  wide  intrusion  and  anomaly  detection   •  Periodic  checks  to  make  sure  monitoring  system   runs  healthy    
    • •  Well  defined  set  of  security  test  cases   •  Separate  environments  for  development,  Security  Testing   testing,  staging  and  production   •  Patch  management  
    • System  &  Network    Controls   •  Should  be  implemented  for  infrastructure   systems   •  Network  isolation  in  between  different  functional   areas  in  the  cloud   •  Assure  the  integrity  of  OSes,  VM  images  and   infrastructure  applications   •  Isolation  between  different  VMs    
    • •  Abuse  &  nefarious  use  of  cloud  computing   •  Password/key  cracking,  DDOS,  CAPTCH   solving  farms,  building  rainbow  tables  •  Insecure  interfaces  and  APIs  •  Malicious  insiders  •  Shared  technology  issues  •  Data  loss  and  leakage  •  Account  or  service  hijacking  •  Unknown  risk  profile