Cloud Security - Made simple


Cloud security is a must for any IaaS, PaaS, SaaS or CaaS initiative. This presentation aims to simplify the concept of cloud security with clear steps to achieve it. It also summarizes the controls required to implement cloud security.

Published in: Technology, Business

Cloud Security - Made simple

  1. Cloud Security. Sameer Paradia
  2. Goals: 1. Brief on Cloud Computing 2. Security Threats 3. Framework 4. Controls
  3. Understand Cloud
  4. Essential Characteristics
       • On-Demand: lowered requirement to forecast; demand trends are predicted by the provider
       • Usage-metered: pay-by-the-realtime use
       • Self-service from pool of resources: resources managed by consumer with a GUI or API
       • Elastic Scalability: grow or shrink resources as required
       • Ubiquitous Network: the network is essential to use the service
  5. Beyond basic: modes of deployment and service types (diagram)
       • Deployment models: Public cloud, Hybrid cloud, Private cloud, Community cloud
       • IaaS: Compute, Storage, Network, Datacentre
       • PaaS: Web 2.0 Applications, Runtime, Development tools, Middleware, Database, Java Runtime
       • SaaS: Collaboration, ERP / CRM, Business Processes, Enterprise Applications
  6. Security Threat
  7. Lots of noise on... Cloud Security? How do we simplify it...
  8. It is the same as current InfoSec practice. You have to take the same approach as current ISMS.
  9. Cloud Security
       • What is it?
           – Protection of your information in cloud
       • Why is it critical?
           – Your information is at a central unknown place in cloud
           – No visibility of security measures in Public cloud
       • Impact of breach on business?
           – Lack of compliance
           – Legal issue
           – Breach of privacy
  10. Threats in XaaS Models
       • SaaS
           – Built-in security functionality
           – Least consumer extensibility
           – Relatively high level of integrated security
       • PaaS
           – Enables developers to build their own applications on top of the platform
           – More extensible than SaaS, at the expense of customer-ready features
           – Built-in capabilities are less complete, but there is more flexibility to layer on additional security
       • IaaS
           – Few application-like features
           – Enormous extensibility
           – Less integrated security capabilities and functionality beyond protecting the infrastructure itself
           – Assets to be managed and secured by the cloud consumer
  11. Security Framework
  12. Security Framework
       1. Identify asset to cloudify: a) Data b) Applications
       2. Assess impact of transferring assets on cloud on business in case of breach
       3. Map the asset to potential cloud deployment models
       4. Evaluate controls in each of IaaS/PaaS/SaaS layer depending upon asset
       5. Evaluate the dataflow, to understand the flow
  13. Cloud Controls
  14. 3 Dimensions of cloud security: Business Criticality, IT Assets in cloud, Risk Assessment. For achieving robust and practical security, consider all 3 perspectives.
  15. Types of Controls
       • Governance (Strategic)
           – Risk Management
           – Legal & Electronic Discovery
           – Compliance/Audit
           – Information Life cycle management
           – Portability and Interoperability
       • Operational (Tactical)
           – BCP/DR
           – Data centre Operations
           – Incident Management
           – Application security
           – Encryption
           – Identity & Access Management
           – Virtualization
  16. Implement Controls
       • Possible controls
           – Layered security
           – facilities (physical security)
           – network infrastructure (network security)
           – IT systems (system security)
           – information and applications (application security)
       • IaaS Cloud provider:
           – addresses security controls such as physical security, environmental security, and virtualization security
       • SaaS
           – Addresses up to Application layer
  17. Summary
       • Consider three perspectives: Assets, Risk management and Business criticality
       • Cloud as an operational model neither provides for nor prevents achieving compliance
       • Selection of controls depends on the service and deployment model
       • Controls vary depending on the design, deployment, and management of the resources
       • Most security controls in cloud are the same as in a normal IT environment
  18. Sameer Paradia – CGEIT, CISM, CISSP. IT Security for 12+ years out of 20+ years of IT Services/Outsourcing work experience.