Cloud Computing: New Approaches for Security

Cloud and Big Data Conference 2013
CnS Events, Vienna, Austria
8 October 2013
Slide notes:
  • Risk / mitigation table:
    Data leakage: encryption
    Data loss: multi-source, backup
    Vendor lock-in: standards, multi-source, backup, exit strategy
    Service loss: SLA, audit, certifications
    Compliance: SLA, audit, certifications
    Old trust basis: personal observation, personal experience, human insight. New trust basis: public verification, contracts, compensation.
    Design challenges: integration, user management, reliability, governance / SLAs, security
  • Backdoor in Dual-EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) http://rump2007.cr.yp.to/15-shumow.pdf
  • ACID: Atomic, Consistent, Isolated, Durable. BASE: Basic Availability, Soft-state, Eventual consistency.

    1. Cloud Computing: New Approaches for Security. John Rhoton. Cloud and Big Data Conference 2013, CnS Events, Vienna, Austria, 8 October 2013. rhoton@gmail.com (slide footer: 24/01/2013, John Rhoton – 2013)
    2. Agenda
       • Security Context
       • Trust Shift
       • Security Challenges
       • Remediation
         – Best practices
         – Tools
    3. IT Security is now a Top CEO concern
       Major threatening scenarios according to CEOs (source: 16th Annual Global CEO Survey, 2013, PwC):
       • 75% Major social unrest impacting business activities
       • 67% Economic recession
       • 63% Cyber attacks
       • 53% Natural disasters impacting a major business hub
       • 53% Collapse of the Euro zone
       • 52% Military or business tensions impacting access to natural resources
       63% of CEOs identify cyber attacks as a top-3 threat for their company.
       Information security is now considered a high-stakes topic by most CEOs. As a result, IT security investments are growing significantly:
       • 14%: share of IT spending that went to IT security in 2010; the ratio was only 8.2% in 2007 (source: Forrester, The Evolution Of IT Security, 2010 To 2011)
       • $11.36 billion: 2011 US investment in classified data security (source: Report on Cost Estimates for Security Classification Activities for Fiscal Year 2011)
       • 5.5 billion attacks stopped in 2011; the volume was 3 billion in 2010 (source: Symantec)
       Source: Beamap
    4. New security context for IT infrastructure
       Risks to data security continue to intensify and show no signs of abating. Given today's elevated threat environment, companies must prepare to address the new security context and review their mitigation strategies.
       • Increasing volume and sources of data to protect: 80% of data did not exist 2 years ago; 1.8 zettabytes of data created in 2011; 7.9 zettabytes estimated for 2015
       • IT systems more connected, mobile and open: mobile, social media, bring your own device
       • Development of cyber-activism practices and cyber-attacks: Anonymous, Wikileaks, Stuxnet*
       • IT infrastructure more and more complex and heterogeneous: cloud computing, big data, technology innovation
       *Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities.
       Source: Beamap
    5. Top 10 Challenges to Enterprise Cloud Adoption (source: KPMG International's Global cloud survey: the implementation challenge)
       • 33% Implementation/transition/integration costs too high
       • 31% Integration with existing architecture
       • 30% Data loss and privacy risks
       • 30% Loss of control
       • 26% Lack of visibility into future demand and associated costs
       • 26% Lack of interoperability between cloud providers
       • 26% General security risks
       • 21% Risk of intellectual property theft
       • 18% Legal and regulatory compliance
       • 18% Transparency of operational controls and data
    6. Cloud Security Challenges and Benefits
       Key observations:
       • Most companies overestimate their internal security and underestimate cloud provider security.
       • Providers invest heavily in security processes, mechanisms, tools and skills that enterprises cannot easily match.
       • But not all cloud providers are equal! They have different resources and expertise, so it is important to vet each service individually.
       • An initial cloud security analysis may reveal gaps, but these can be addressed with best-practice architectures and appropriate tools (e.g. API management, identity management).
       Would you store your customer data in the cloud?
       • Customer data is a key asset for every company.
       • However, today's #1 CRM solution is a cloud solution: Salesforce.com, which has become a de-facto standard CRM solution, selected after due diligence by industry leaders.
       Would you store key regulatory data in the cloud?
       • "Nasdaq OMX is offering Wall Street brokers a chance to store key regulatory data on Amazon's 'cloud' computers, marking the ecommerce conglomerate's boldest incursion into the financial services sector." (Financial Times)
       Example of cloud provider investment in security: AWS opened a Security Blog in April 2013.
       How to build trust in the cloud? The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings. https://cloudsecurityalliance.org/star/
       Source: Beamap
    7. Trust Shift
       The biggest cultural hurdle to cloud adoption is acceptance of the shift from direct to indirect trust.
       • What stays the same? Humans (subject to negligence and malice) administer IT systems (subject to infection and failure).
       • But explicit service contracts replace implicit employment contracts.
       • Processes that are audited, certified and exposed to public scrutiny may be much stronger than secret internal equivalents.
       Direct trust model: personal observation, personal experience, insight.
       Indirect trust model: public verification, contracts, compensation.
       Spectrum of parties from direct to indirect trust: employees, contractors, partners, suppliers, experts, legal counsel, auditors, public scrutiny.
    8. Risk Treatment
       Probability (high/low) × impact (high/low) matrix; treatments shown: Eliminate, Business Continuity, Resilience.
    9. Barriers
       • Compliance
       • Data leakage
       • Data loss
       • Service loss
       • Vendor lock-in
    10. Compliance
        Global Internet versus national laws: enforce logical barriers.
    11. Governmental Compliance (hot topics)
        Hot Topic #1: Is the Patriot Act an American phenomenon?
        • All governments have an equivalent to the Patriot Act.
        • Western governments collaborate to satisfy requests regardless of the location of the provider and/or the data.
        • Requests are executed regardless of whether data is hosted in the cloud or on-premise. Cf. the comparison of governmental authorities' access to data in the cloud (next slide).
    12. Comparison of Governmental Access
        Source: Hogan Lovells White Paper "A Global Reality: Governmental Access to Data in the Cloud", bit.ly/PMDuWL. The slide compares four jurisdictions (the jurisdiction labels are not recoverable from the slide text); answers are listed per column in the order shown.
        Q1. May government require a cloud provider to disclose customer data?
            Col. 1: Yes | Col. 2: Yes | Col. 3: Yes | Col. 4: Yes
        Q2. May a cloud provider voluntarily disclose customer data to the government in response to an informal request?
            Col. 1: No, must request data through legal process | Col. 2: Yes, except for personal data without a legal purpose | Col. 3: Yes, except for personal data without a legal purpose | Col. 4: Yes, except for personal data without a legal purpose
        Q3. If a cloud provider must disclose customer data to the government, must the customer be notified?
            Col. 1: Yes, for content data, except with a search warrant | Col. 2: No | Col. 3: No | Col. 4: Yes, except may withhold until disclosure no longer would compromise the investigation
        Q4. May government monitor electronic communications sent through the systems of a cloud provider?
            Col. 1: Yes | Col. 2: Yes | Col. 3: Yes | Col. 4: Yes
        Q5. Are government orders to disclose customer data subject to review by a judge?
            Col. 1: Yes | Col. 2: Yes | Col. 3: Yes | Col. 4: Yes
        Q6. Can the government require the cloud provider to disclose data in a foreign country?
            Col. 1: Yes | Col. 2: Yes | Col. 3: Yes | Col. 4: No, not without cooperation from the other country's government
        Conclusion on the slide: US laws are no more threatening than others!
    13. Governmental Compliance (hot topics, continued)
        Hot Topic #1 (see previous slide): Is the Patriot Act an American phenomenon?
        Hot Topic #2: Is PRISM a danger for corporate data?
        • Sophisticated intelligence agencies (USA, Russia, China, Israel, France...) have the means to obtain any information they require.
        • Corporate data is not usually an interesting target but may be in some instances.
        • Interception of corporate data by an intelligence agency doesn't automatically result in harm to the corporation; it depends on how they use it (e.g. corporate espionage).
        • It is impossible to secure against this threat. Some agencies resort to unlawful means (e.g. bribery, extortion) to obtain this data.
        • Protecting corporate data (e.g. through encryption) doesn't prevent access, but it makes the data more costly to obtain and therefore less likely that governments will obtain it unless they have a clear purpose.
        Hot Topic #3: PRISM: risk or opportunity for the US cloud computing industry?
        Shortly after Snowden's leaked documents, the big Internet companies and their allies issued dire warnings, predicting that American businesses would lose tens of billions of dollars in revenue abroad as distrustful customers seek out local alternatives. At Amazon, which was not named in Snowden's documents but is seen as a likely victim because it is a top provider of cloud computing services, a spokeswoman said global demand "has never been greater." There are multiple theories for why the business impact of the Snowden leaks has been so minimal. One is that cloud customers have few good alternatives, since U.S. companies have most of the market and switching costs money. Perhaps more convincing, Amazon, Microsoft and some others offer data centers in Europe with encryption that presents significant hurdles to snooping by anyone, including the service providers themselves and the U.S. agencies. Encryption, however, comes with drawbacks, making using the cloud more cumbersome.
        Source: Beamap
    14. Multi-tenancy increases threat vectors
        (Diagram: two hosts, each running several guests, with threat vectors numbered 1 to 6.) Expand monitoring scope and depth.
    15. Confidentiality
        • Data governance – data loss prevention
        • Compartmentalization
        • Encryption
        Classify data, then select and combine options.
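The "classify, then combine options" rule on this slide and the external key management system on the reference architecture slide can be shown end to end. The following is an added example written for this page, not code from the presentation: a record's fields are handled according to an assumed classification policy (FIELD_CLASS), CONFIDENTIAL fields are envelope-encrypted client-side under a fresh data key, and that data key is wrapped by a key-encryption key that never leaves a KeyManagementSystem object standing in for an external KMS/HSM. To stay stdlib-only it uses HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag as a stand-in for AES-GCM; the customer record is constructed for the demo.

```python
import hashlib
import hmac
import secrets

PUBLIC, INTERNAL, CONFIDENTIAL = "PUBLIC", "INTERNAL", "CONFIDENTIAL"

# Assumed classification policy for the demo: CONFIDENTIAL fields are encrypted before the
# record leaves the enterprise, everything else is stored as-is. Unknown fields default to
# the strictest class so a new column never leaks by omission.
FIELD_CLASS = {"customer_id": INTERNAL, "region": PUBLIC, "email": CONFIDENTIAL, "notes": CONFIDENTIAL}


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys so the two roles never share a key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR (use AES-GCM in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> dict:
    """Encrypt-then-MAC; the tag covers nonce, associated data (aad) and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext; fail closed on mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext, nonce or associated data was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementSystem:
    """Stand-in for an external KMS/HSM: the key-encryption key (KEK) never leaves this object;
    callers only ever see wrapped data keys."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> dict:
        return encrypt(self._kek, data_key, aad=b"wrapped-dek")

    def unwrap(self, blob: dict) -> bytes:
        return decrypt(self._kek, blob, aad=b"wrapped-dek")


def protect_record(record: dict, kms: KeyManagementSystem) -> dict:
    """Envelope-encrypt the CONFIDENTIAL fields of one record under a fresh data key (DEK).
    The field name is bound as associated data so a ciphertext cannot be moved to another field."""
    dek = secrets.token_bytes(32)
    stored = {"wrapped_dek": kms.wrap(dek), "fields": {}}
    for name, value in record.items():
        cls = FIELD_CLASS.get(name, CONFIDENTIAL)
        if cls == CONFIDENTIAL:
            stored["fields"][name] = {"class": cls, "enc": encrypt(dek, value.encode(), aad=name.encode())}
        else:
            stored["fields"][name] = {"class": cls, "plain": value}
    return stored


def unprotect_record(stored: dict, kms: KeyManagementSystem) -> dict:
    """Reverse of protect_record; raises if the KEK, the wrapped DEK or any field was tampered with."""
    dek = kms.unwrap(stored["wrapped_dek"])
    return {name: (decrypt(dek, e["enc"], aad=name.encode()).decode() if "enc" in e else e["plain"])
            for name, e in stored["fields"].items()}


def provider_view(stored: dict) -> dict:
    """What the cloud provider, or anyone with access to its storage, can read."""
    return {name: e.get("plain", "<ciphertext>") for name, e in stored["fields"].items()}


if __name__ == "__main__":
    kms = KeyManagementSystem()
    # Constructed sample record for the demo.
    rec = {"customer_id": "C-1001", "email": "alice@example.com", "notes": "renewal due Q4", "region": "EU"}
    stored = protect_record(rec, kms)
    print(provider_view(stored))
    print(unprotect_record(stored, kms))
```

The point a reviewer should check is what the provider can see: only the classified-as-public or internal fields, a ciphertext per confidential field and a wrapped data key, none of which is useful without the KEK held outside the provider. Binding the field name as associated data and deriving distinct encryption and MAC keys are the two details most often skipped in home-grown schemes; in production replace the HMAC stream with AES-GCM from a vetted library and the KeyManagementSystem class with a real KMS or HSM.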
    16. Identity Federation
        Identity challenges: password proliferation, weak authentication, support costs, user productivity.
        Implement identity standards (SAML, SCIM).
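Adopting SAML removes password proliferation only if the service provider actually enforces the assertion's conditions; the checks below are the ones most often missing in hand-rolled relying parties. This is an added example, not code from the presentation: it validates a constructed SAML 2.0 bearer assertion (made-up issuer, SP URLs and timestamps) for issuer, validity window with clock skew, audience, recipient, correlation to an AuthnRequest the SP issued, and replay. It assumes the XML signature has already been verified by an XML-DSig library over the same document; that step is deliberately out of scope here and nothing below is meaningful without it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for the demo; issuer, SP and timestamps are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-10-08T09:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
          NotOnOrAfter="2013-10-08T09:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-10-08T08:59:00Z" NotOnOrAfter="2013-10-08T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_utc(stamp: str) -> datetime:
    """Parse the SAML 'YYYY-MM-DDTHH:MM:SSZ' form into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    """Service-provider side checks on a bearer assertion.

    Precondition (not done here): the XML signature over this exact document has already been
    verified against the IdP's metadata certificate. Without that step none of these checks
    protect anything.
    """

    def __init__(self, trusted_issuer: str, audience: str, acs_url: str,
                 clock_skew: timedelta = timedelta(minutes=1)):
        self.trusted_issuer = trusted_issuer
        self.audience = audience        # this SP's entity ID
        self.acs_url = acs_url          # this SP's Assertion Consumer Service endpoint
        self.clock_skew = clock_skew
        self.pending_requests = set()   # AuthnRequest IDs we issued and still await
        self.seen_assertion_ids = set() # replay cache; share it across nodes in production

    def validate(self, assertion_xml: str, now: datetime) -> str:
        """Return the NameID if every condition holds, else raise ValueError naming the failure."""
        root = ET.fromstring(assertion_xml)
        if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
            raise ValueError("not a SAML 2.0 Assertion element")
        if root.findtext("saml:Issuer", namespaces=SAML_NS) != self.trusted_issuer:
            raise ValueError("untrusted issuer")

        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_assertion_ids:
            raise ValueError("missing or replayed assertion ID")

        cond = root.find("saml:Conditions", SAML_NS)
        if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
            raise ValueError("Conditions with a validity window are required")
        if now + self.clock_skew < parse_utc(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if now - self.clock_skew >= parse_utc(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if self.audience not in audiences:
            raise ValueError("assertion not intended for this audience")

        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
        if scd is None or scd.get("Recipient") != self.acs_url:
            raise ValueError("bearer confirmation missing or wrong Recipient")
        if scd.get("InResponseTo") not in self.pending_requests:
            raise ValueError("assertion does not answer an AuthnRequest we issued")
        if scd.get("NotOnOrAfter") and now - self.clock_skew >= parse_utc(scd.get("NotOnOrAfter")):
            raise ValueError("subject confirmation expired")

        self.seen_assertion_ids.add(assertion_id)
        self.pending_requests.discard(scd.get("InResponseTo"))
        name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
        if not name_id:
            raise ValueError("no NameID")
        return name_id


def demo() -> str:
    """Happy path on the constructed assertion at a time inside its validity window."""
    v = AssertionValidator("https://idp.example.com/metadata", "https://sp.example.com",
                           "https://sp.example.com/acs")
    v.pending_requests.add("_req42")
    return v.validate(SAMPLE_ASSERTION, parse_utc("2013-10-08T09:01:00Z"))


if __name__ == "__main__":
    print(demo())
```

Because InResponseTo must match a request the SP issued, this validator rejects IdP-initiated (unsolicited) SSO; relax that check only if the deployment needs it, and keep the replay cache shared across all SP nodes for at least as long as the longest NotOnOrAfter the IdP will issue.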
    17. Redundancy
        • Dimensions: physical, geographical, technological, organizational
        • Horizontal scalability
        • ACID (Atomic, Consistent, Isolated, Durable) => BASE (Basic Availability, Soft-state, Eventual consistency)
        Architect for scale.
    18. Business Continuity
        • Cold site
        • Warm site
        • Hot site
        • Double-active
        Multi-dimensional redundancy is critical.
    19. Lock-in vs. Cloud Stacks
        Proprietary hardware, proprietary software, open source, consortium-driven. Balance ease with flexibility.
    20. Cloud Risks and Remediation
        Cloud risks (each paired on the slide with remediation principles): denial of service; account/service hijacking; insecure interfaces and APIs; data loss; shared technologies; data breaches.
        Source: Beamap
    21. Sample Cloud Architecture
        Scenario: an on-premise datacenter connected to two public clouds. The scenario is based on the following concepts:
        • Mobility of VMs from the on-premise datacenter to the cloud with the same security requirements
        • Propagation of the network security rules to the cloud (firewalling, IP addresses...)
        • Propagation of QoS rules (resiliency, backup & restore...)
        Control layers shown: network security, resiliency, identity and access management, attack protection, encryption, application security.
        Source: Beamap
    22. Cloud-based Protection Services
        • Malware
        • Denial of service
        • Identity management
        • Backup and restore
        • Intrusion prevention
    23. Cloud Reference Architecture
        Key components of the cloud reference architecture:
        1. Virtual Private Cloud with VPN connection to the corporate datacenter
        2. Dual connectivity (direct connection with a backup VPN connection)
        3. At least two availability zones used to provide application resiliency
        4. Elastic load balancers to distribute workloads across servers and availability zones
        5. Data replication across availability zones
        6. Application tiering
        7. Database tiering
        8. Database snapshots
        9. DoS filter
        10. Identity router
        11. API security management module
        12. Cloud management module
        Also shown: a cloud management layer and a key management system (external system).
        Source: Beamap
    24. Summary
        • Security is perceived as the biggest challenge to cloud computing
        • Risks are often over-hyped for dubious reasons: market protection, job security
        • Cloud security is under-rated; internal security is over-rated
        • Security challenges are real but addressable:
          – Encryption / strong authentication
          – Network security / isolation
          – Multi-sourcing strategy
          – Redundancy
    25. Emotional vs Factual
        • Fear, uncertainty and doubt
        • Increased effort: evaluation, negotiation, integration, implementation
        • Reduced CAPEX benefits
        Plan early, think objectively.
    26. Contact Details
        Feel free to reach out to me at linkedin/in/rhoton, or look me up at amazon.com/author/rhoton and slideshare.net/rhoton.
