Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)


Published on

Handout of a presentation given at the InfoSec 2010 Conference in Manila, Philippines last 25 August 2010.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

  1. 1. Possibilities and SecurityChallenges of Cloud ComputingInfoSec Conference 2010Hotel IntercontinentalMakati City, Philippines25 August 2010Pierre U. Tagle, Ph.D., Outline 1 Introduction 2 What is Cloud Computing? 3 Possibilities and Security Challenges 4 Critical Areas for Cloud Implementations 2
  2. 2. Introduction Mobiliance Incorporated is an We offer services to: INDEPENDENT technology • EVALUATE and understand consulting and software services your business needs; firm which partners with • Recommend ways to commercial and government ENHANCE how technology, establishments/organisations to people and processes fits solve their toughest Information into your business; Technology problems and issues. • INTEGRATE new and existing technology to better suit your business; • MAINTAIN your technology investments; and • Help you PRESERVE your investment to carry your business into the future. 3 Our Services• Security Assessment and • Technology Assessment Design and Design – Addresses from a • IT Governance / Risk company’s entire Management security framework – Disaster Recovery / to smaller, tactical Business Continuity concerns. – IT Governance• Network Assessment and – IT Risk Assessments Design • Technology Management – Addresses on the Advice (Virtual CIO/CTO) network/systems infrastructure, • Software Development covering design, – From complete SDLC performance, or to assist in reliability and specific phases availability. 4
  3. 3. What is Cloud Computing? • Virtually every vendor or provider has jumped on the cloud computing bandwagon and has slapped the “cloud” label on it, e.g. hosting, outsourcing, ASP, on-demand computing, grid computing, utility computing, etc. – Some reports indicate that there were at least 22 different definitions of the cloud in use. • Cloud computing is NOT a technology revolution, but rather a process and business evolution – on how many technologies and services are used in enabling what is referred to as Cloud Computing. • A simplified definition can be that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and are able to use it as a pay-per-use service. 5 NIST Cloud Definition Framework“Cloud computing is amodel for enablingconvenient, on-demand networkaccess to a sharedpool of configurablecomputing resourcesthat can be rapidlyprovisioned andreleased with minimalmanagement effort orservice provider The NIST cloud model promotes availabilityinteraction.” and is composed of 5 essential characteristics, 3 service models and 4 deployment models. 6
  4. 4. 5 Essential Characteristics • On-demand self-service • Broad network access • Resource pooling – Location independence • Rapid elasticity • Measure service Source: 7 3 Cloud Service / Delivery Models• Cloud Software as a Service (SaaS) – Use provider’s apps over a network• Cloud Platform as a Service (PaaS) – Deploy customer- created applications to a cloud• Cloud Infrastructure as a Service (IaaS) Source: NIST Presentations – Rent processing, storage, network Note: To be considered “cloud” these must be capacity, etc. deployed on top of a cloud infrastructure with the key characteristics. 8
  5. 5. Cloud Services Examples • SaaS – – Google Apps • PaaS – Google AppsEngine,, IBM IT Factory • IaaS – Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid – Amazon Simple Storage Service (Amazon S3) 9 Cloud Deployment Models• Private cloud – Enterprise owned or leased• Community cloud – Shared infrastructure for specific communitiy• Public cloud – Available to the public, typically mega-scale infrastructure• Hybrid cloud – Composition of 2 or more clouds 10
  6. 6. Possibilities and Benefits 11 Adoption Areas 12
  7. 7. Cloud Computing Challenges & Risks • Data Protection – Where is my data? – How does my data securely enter/exit the cloud? (and how is it protected during transit?) – Who has access to my • Integration and Cost data? – How easy is it to integrate • Risk / Incident Management with in-house IT? – Who is accountable if – Are there customization something goes wrong? options to suit my needs? – What’s the disaster – Will on-demand cost recovery plan? more? – What happens if my cloud – How difficult to migrate provider disappears? back to an in-house – How is the environment system? (if possible) monitored? How are we • Compliance notified in the event of – Are there any regulatory failures/outages? requirements? 13 Challenges and Risks Security remains the top concern and was raised by 87.5% of respondents in IDC 2009 survey (up from 74.6% in 2008) 14
  8. 8. Service Provider Requirements• Pricing is key area BUT• security and related concerns can be “seen” in user wish-list of the service features SLAs, option to move back on-premise, allow managing on-premise , offer both on-premise and public cloud services, have local presence 15 Security in the Cloud • Security controls in cloud computing are no different than security controls in an IT environment BUT... – the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the Source: Cloud Security Alliance organisation. • Understanding the “Cloud computing is about gracefully losing differences between service control while maintaining accountability models and their even if the operational responsibility implementation is critical to falls upon one or more third parties.” the management of risk to – Cloud Security Alliance the organisation. 16
  9. 9. Security Advantages• Reduction of exposure of internal sensitive data with move to external cloud – Data fragmentation and dispersal are managed by unbiased party (cloud vendor assertion) – Various studies show that a large amount of abuse are done by internal IT professionals• Cloud homogeneity makes security auditing / testing simpler• Clouds enable automated security management• Redundancy / Disaster Recovery 17 Security Challenges• Trusting vendor’s security model• Customer inability to respond to audit findings• Indirect administrator accountability• Obtaining support for investigations• Indirect administrator accountability• Proprietary implementations cannot be examined• Loss of physical control• Data dispersal and international privacy laws• Logging challenges• Quality of service guarantees 18
  10. 10. Ensuring Compliance in the Cloud • The use of cloud computing by itself does not provide for or prevent achieving compliance. • Cloud services must be mapped against compensating controls to determine which exists and which do not – either by the end user, service provider or a third party. • Gaps analysis results are fed into the risk assessment framework – accept, transfer or Source: Cloud Security Alliance mitigate. 19Cloud Implementation Use Case Taxonomy • Service Consumer – SaaS is consumed by end users, e.g. employees, clients, partners – PaaS is consumed by software developers – IaaS is consumed by IT managersSource: Cloud Computing Use Case Discussion Group • The various components must be managed by the company or a third party solution provider. 20
  11. 11. Determining Candidates for the Cloud • Review applications and IT • Typical Rules of Thumb: resources / systems – If mission-critical and • Categorise into: non-core then possibly – Mission-critical, i.e. good candidate for the business will not cloud survive without it – If mission-critical and – Non-mission critical core, possibly keep • Sub-categorise into: internal or in private cloud – Core business practices, i.e. provides – If non-mission critical service differentiation and non-core then okay for public clouds – Non-core, i.e. internal activities – If non-mission critical and core, possibly keep internal or in private cloud 21 Candidates for the Public Cloud GOOD BAD • Applications used by mobile • Applications with very workers, particularly those sensitive data (with possible used to manage time, regulatory or legal risk) activities, etc. • Applications that require very • Software development intensive data workloads or environments very performance sensitive • Applications that require applications hardware/software not – Possible cost issue normally available within the • Applications that require company extensive or high • Applications that run customization infrequently but require considerable resources, e.g. test and pre-production systems • Backup for critical applications • Distributed server and data centre locations 22
  12. 12. Cloud Adoption Model Example • Prepare IT portfolio – Virtualization not necessary but can simplify migration, updates, etc. • Cloud experimentation – Usage, experimentation and laying of groundwork • Cloud foundations – Finalize application architecture and platform • Cloud exploitation – Deployment (either private or public) in the cloud – Get apps into production, along with processes, policies and proceduresSource: • Cloud actualization / HyperCloud – Fully dynamic and autonomic compute environment 23 Cloud Usage Examples • Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infra • Animoto – start-up used Amazon’s cloud services was able to keep up with soaring demand and scale up from 50 to 3,500 instances over a three-day period • Times – wanted to place 60-year period worth of images (i.e. 15-million news stories) moved 4-TB into Amazon S3, ran the software on EC2 then launched the product • Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops. 24
  13. 13. Recommended Areas of Critical Focus GOVERNANCE DOMAINS OPERATIONAL DOMAINS • Governance & Enterprise • Security, Business Risk Management Continuity & Disaster • Legal Recovery • Compliance and Audit • Data Centre Operations • Information Life Cycle • Incident Management Management • Application Security • Portability and • Encryption & Key Interoperability Management • Identity & Access Management • Virtualisation 25Governance Domains
  14. 14. Governance & Enterprise Risk Management• Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing – Legal precedence for agreements – Assess risk of a cloud provider – Responsibility to protect data – How international boundaries affects issues• Risk management approaches – Include provider’s security governance, risk management and compliance structures and processes – Consistency between provider and end user risk assessment approaches • provider’s design of the cloud service vs. user’s assessment of the cloud service risk. – Adjust DRP/BCP to include new scenarios, e.g. loss of provider services RECOMMENDATIONS 27 Legal Aspects Potential legal issues with the use of Cloud Computing – Protection requirements for information & computer systems – Security disclosure laws – Regulatory requirements – Privacy requirements – International laws RECOMMENDATIONS 28
  15. 15. Compliance and Audit • Ensuring and proving compliance when using Cloud Computing – Company security policies – Industry standards and/or certifications – Regulatory, legislative and other compliance requirements • The end user must understand: – Regulatory application for the use of a cloud service – Division of compliance responsibilities (vs. provider) – Provider’s ability to produce evidence needed for compliance – End user’s role in bridging the gap between provider and audit requirements RECOMMENDATIONS 29 Information Lifecycle Management• Management of data that • The Data Security Lifecycle is placed within the Cloud. – Identification and control of data – Compensating controls to deal with loss of physical control – Data confidentiality, integrity and availability Source: Cloud Security Alliance • Maps to the more general Information Lifecycle Management (ILM) RECOMMENDATIONS 30
  16. 16. Portability and Interoperability • Ability to move data and/or services from one cloud provider to another, or move it back in- house – Portability – Interoperability • Companies may need to switch providers due to: – Unacceptable increase in cost – Provider ceases operation – Provider ceases one or more services – Unacceptable decrease in service quality – Business disputes RECOMMENDATIONS 31Operational Domains
  17. 17. Security, Business Continuity and Disaster Recovery • How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery • How does cloud computing assist in diminishing risks in certain areas? While possibly increasing in others? RECOMMENDATIONS 33 Data Centre Operations• Identifying common data centre characteristics that are: – Disadvantageous to on-going services and/or – Fundamental to long-term stability.• Technology architectures will differ across providers but they all must support compartmentalization with controls segregating each layer of the infrastructure – Note that some cloud providers may be users of other cloud services, e.g. a SaaS vendor uses PaaS or IaaS vendor(s). RECOMMENDATIONS 34
  18. 18. Incident Management • Proper and adequate incident detection, response, notification and remediation. – Includes processes and procedures at both provider and end user levels • Does the cloud bring about complexities to current incident management procedures? RECOMMENDATIONS 35 Application Security • What type ofApplication cloud platform to Security Compliance use? SaaS,Architecture PaaS, or IaaS? Cloud • Cloud Apps applications will Tools both impact and SDLC & be impacted by Services various factors • Migrate existing app or design a new app for cloud deployment? Vulnerabilities RECOMMENDATIONS 36
  19. 19. Encryption and Key Management• Cloud environments Encrypt data Secure sensitive information even are shared, within provider’s environment. and providers in transit for Confidentiality generally have privileged and Integrity access Encryption• Encryption offers benefits Encrypt data Differences in implementation from of less reliance at rest IaaS to PaaS to SaaS on provider• Identifying proper encryption usage and Encrypt data Protect against misuse of key on backup lost/stolen media. management media RECOMMENDATIONS 37 Identity and Access Management • Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation. • Management of identities to provide access control when extending the organisation into the cloud. Identity Provisioning Authentication • Secure and time management of provisioning Address authentication related and deprovisioning of users challenges, e.g. strong authentication in the cloud. (multi-factor), delegated • Extension of current user authentication, and trust management management processes to across cloud services. the cloud. Authorization and User Profile Management Federation Establishment of trusted user profile and policy information, Authenticate users of using it to control access within cloud services using the the cloud, and using this in an organisation’s chosen auditable way. identity provider. RECOMMENDATIONS 38
  20. 20. IDaaS• Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations• For internal users: – Review provider’s options to provide secure access to the cloud – Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS.• For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments• PaaS users should review use of industry standards by IDaaS vendors• Proprietary solutions represent a significant risk, the use of open standards is recommended. 39 Virtualisation • Use of virtualisation technology in cloud computing, particularly the security issues related to the system/hardware virtualisation. RECOMMENDATIONS 40
  21. 21. Conclusion• In any move towards an emerging technology and business model, you need in-depth understanding of: – Your IT team (whether in-house or 3rd party including consultants / partners) and capabilities – The Solutions, and – The Service Providers and/or Vendors• No difference with cloud computing any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and if needed, outsourcing partners.• Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and continuously being improved / fine-tuned to meet the perceived challenges and user requirements. 41