Cloud security and privacy

This presentation captures the essence and highlights of the book "Cloud Security and Privacy" - http://www.amazon.com/gp/product/0596802765/

  1. “Head in the clouds, feet on the ground - the business side of security in the cloud”
     Subra Kumaraswamy, subra.k@gmail.com, Twitter - @Subrak
     Dec 07, 2009
     www.securityforum.org | ISF 20th Annual World Congress 2009 | Cloud Security and privacy – Subra Kumaraswamy | Copyright © 2009 Information Security Forum Limited
  2. Cloud Computing: Evolution
  3. 5 Essential Cloud Characteristics
     • On-demand self-service
     • Broad network access
     • Resource pooling
       - Location independence
     • Rapid elasticity
     • Measured service
  4. 3 Cloud Service Models
     • Cloud Software as a Service (SaaS)
       - Use the provider’s applications over a network
     • Cloud Platform as a Service (PaaS)
       - Deploy customer-created applications to a cloud
     • Cloud Infrastructure as a Service (IaaS)
       - Rent processing, storage, network capacity, and other fundamental computing resources
     • To be considered “cloud”, they must be deployed on top of cloud infrastructure that has the key characteristics
  5. Cloud Pyramid of Flexibility
  6. 4 Cloud Deployment Models
     • Private cloud
       - Enterprise owned or leased
     • Community cloud
       - Shared infrastructure for a specific community
     • Public cloud
       - Sold to the public, mega-scale infrastructure
     • Hybrid cloud
       - Composition of two or more clouds
  7. The Cloud: How are people using it?
  8. Changing IT Relationships
  9. What Not a Cloud?
  10. Focusing the Security Discussion (diagram: XaaS layers (Software as a Service, Platform as a Service, Infrastructure as a Service) mapped against deployment models (Public, Private, Hybrid) and application domains (HPC/Analytics, CRM, Transcoding))
  11. Components of Information Security (diagram: Network-level, Host-level and Application-level security, plus data protection: Encryption, Data masking, Content protection)
  12. Analyzing Cloud Security
     • Some key issues:
       - Trust, multi-tenancy, encryption, key management, compliance
     • Clouds are massively complex systems, but they can be reduced to simple primitives that are replicated thousands of times, and to common functional units
     • Cloud security is a tractable problem
       - There are both advantages and challenges
  13. Balancing Threat Exposure and Cost Effectiveness
     • Private clouds may have less threat exposure than community or hosted clouds, which have less threat exposure than public clouds.
     • Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
  14. General Security Advantages
     • Democratization of security capabilities
     • Shifting public data to an external cloud reduces the exposure of the internal sensitive data
     • Forcing functions to add security controls
     • Clouds enable automated security management
     • Redundancy / Disaster Recovery
  15. General Security Challenges
     • Trusting the vendor’s security model
     • Customer inability to respond to audit findings
     • Obtaining support for investigations
     • Indirect administrator accountability
     • Proprietary implementations can’t be examined
     • Loss of physical control
  16. Infrastructure Security
     Trust boundaries have moved
     • Specifically, customers are unsure where those trust boundaries have moved to
     • Established model of network tiers or zones no longer exists
       - Domain model does not fully replicate the previous model
     • No viable (scalable) model for host-to-host trust
     • Data labeling/tagging required at application level
       - Data separation is logical, not physical
  17. Data Security
     • Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA)
     • Use of encryption
       - Point-to-multipoint data-in-transit is an issue
       - Data-at-rest possibly not encrypted
       - Data being processed definitely not encrypted
       - Key management is a significant issue
       - Advocated alternative methods (e.g., obfuscation, redaction, truncation) are not adequate
     • Data lineage, provenance
     • Data remanence
  18. Identity and Access Management (IAM)
     Generally speaking, a poor situation today:
     • Provisioning of user access is proprietary to the provider
     • Strong authentication available only through delegation
     • Federated identity not widely available
     • User profiles are limited to “administrator” and “user”
     • Privilege management is coarse, not granular
  19. Privacy Considerations
     Transborder data issues may be exacerbated
     • Specifically, where are cloud computing activities occurring?
     Data governance is weak
     • Encryption is not pervasive
     • Data remanence receives inadequate attention
     • CSPs absolve themselves of privacy concerns: “We don’t look at your data”
  20. Audit & Compliance Considerations
     • Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)
     • CSP users need to:
       - define their control requirements
       - understand their CSP’s internal control monitoring processes
       - analyze relevant external audit reports
     • Issue is assurance of compliance
  21. Impact on Role of Corporate IT
     • Governance issue as internal IT becomes “consultants” and business analysts to business units
     • Delineation of responsibilities between providers and customers is much more nebulous than between customers and outsourcers, collocation facilities, or ASPs
     • Cloud computing is likely to involve much more direct business unit interaction with CSPs than with other providers previously
  22. Getting Ready – IT Security
     • Governance framework that can be aligned with partners
     • Federation of identity, strong authentication, privileged access and key management
     • Classification of data and privacy policy for data in the cloud
     • Security automation – image standardization, user/network policy templates
     • Understand the cloud service provider’s security architecture, SLA, policies, security features and interfaces
     • Understand the ephemeral nature of cloud compute and storage and plan for archival of security logs
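The last bullet, archiving security logs before ephemeral compute disappears, is the one item on this slide that turns directly into a routine. The following is an added example, not code from the deck or the book it summarizes: it bundles an instance's log directory, records a SHA-256 manifest for the bundle and for each file, and re-verifies the bundle so that a truncated or altered copy is detected when the logs are later needed for an investigation. The paths, the host id `web-01` and the log lines are constructed for the example, and a local directory stands in for durable off-instance storage.

```python
"""Added example (not from the original deck): archive a short-lived
instance's security logs with an integrity manifest before the instance is
torn down, then verify the archive. Paths, host id and log lines are
constructed; the 'archive' directory stands in for durable off-instance storage."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample log lines: the auth/audit records that vanish with the
# instance unless they are copied off before termination.
SAMPLE_LOGS = {
    "auth.log": [
        "Dec  7 10:01:12 web-01 sshd[2211]: Accepted publickey for deploy from 10.0.1.5 port 51522 ssh2",
        "Dec  7 10:03:40 web-01 sudo:   deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart app",
    ],
    "audit.log": [
        "type=USER_LOGIN msg=audit(1260180072.101:77): pid=2211 uid=0 res=success",
    ],
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (works for bundles larger than memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_logs(log_dir: Path) -> None:
    """Create the constructed log files so the example runs offline."""
    log_dir.mkdir(parents=True, exist_ok=True)
    for name, lines in SAMPLE_LOGS.items():
        (log_dir / name).write_text("\n".join(lines) + "\n")


def archive_logs(log_dir: Path, archive_dir: Path, host_id: str) -> dict:
    """Bundle every file in log_dir into a compressed tar and write a manifest
    with a per-file SHA-256 plus the hash of the bundle itself. The manifest is
    what an investigator later checks the retrieved bundle against."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    bundle = archive_dir / f"{host_id}-{stamp}.tar.gz"
    files = sorted(p for p in log_dir.iterdir() if p.is_file())
    with tarfile.open(bundle, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.name)
    manifest = {
        "host_id": host_id,
        "archived_at": stamp,
        "bundle": bundle.name,
        "bundle_sha256": sha256_file(bundle),
        "files": {p.name: sha256_file(p) for p in files},
    }
    (archive_dir / f"{bundle.name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_archive(archive_dir: Path, manifest: dict) -> bool:
    """Re-hash the bundle and each member against the manifest. Run this after
    the copy to durable storage and again when the logs are pulled for an
    investigation; any mismatch means the evidence was altered or cut short."""
    bundle = archive_dir / manifest["bundle"]
    if not bundle.exists() or sha256_file(bundle) != manifest["bundle_sha256"]:
        return False
    with tarfile.open(bundle, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if set(members) != set(manifest["files"]):
            return False
        for name, expected in manifest["files"].items():
            data = tar.extractfile(members[name]).read()
            if hashlib.sha256(data).hexdigest() != expected:
                return False
    return True


def demo() -> dict:
    """End to end: write constructed logs, archive, verify, then corrupt the
    bundle and verify again. Returns the outcomes so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir, archive_dir = Path(tmp) / "var-log", Path(tmp) / "archive"
        write_sample_logs(log_dir)
        manifest = archive_logs(log_dir, archive_dir, host_id="web-01")
        verified = verify_archive(archive_dir, manifest)
        bundle = archive_dir / manifest["bundle"]
        bundle.write_bytes(bundle.read_bytes()[:-1])  # simulate a truncated copy
        return {
            "files": sorted(manifest["files"]),
            "verified": verified,
            "tamper_detected": not verify_archive(archive_dir, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the bundle and manifest would be pushed to storage the instance cannot later overwrite, and the manifest stored separately from the bundle, so that whoever tampers with one cannot silently fix up the other.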
  23. Conclusions
     • Part of customers’ infrastructure security moves beyond their control
     • Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
     • Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage, which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)
  24. Conclusions (continued)
     • IAM is less than adequate for enterprises – weak management of weak credentials unless (authentication) delegated back to customers
     • Because of the above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
       - No established standards for obfuscation, redaction, or truncation
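Slide 17 calls obfuscation, redaction and truncation "not adequate" as substitutes for encryption, and this slide predicts business units will reach for them anyway. The following is an added example, not code from the deck or the book it summarizes, that makes the inadequacy measurable: on a constructed customer table it counts how many records still share each truncated identifier (the anonymity set, so a count of 1 means a person is still singled out), and contrasts truncation with a keyed HMAC pseudonym whose key stays with the customer, so the provider receives values it cannot map back. The record values, the `keep` parameter and the function names are assumptions for the example.

```python
"""Added example (not from the original deck): checking how much a
'desensitized' identifier still singles people out, and a keyed alternative.
All record values below are constructed for the example."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Callable, Dict, List

# Constructed sample records: a small customer table with a 9-digit
# identifier that a business unit wants to desensitize before handing the
# data to a cloud analytics service.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "123456789", "city": "Oslo"},
    {"id": "123456790", "city": "Oslo"},
    {"id": "123456791", "city": "Bergen"},
    {"id": "987654321", "city": "Oslo"},
    {"id": "987654322", "city": "Bergen"},
]


def truncate_id(identifier: str, keep: int = 6) -> str:
    """Truncation as commonly advocated: keep the leading digits, mask the rest.
    Nothing secret is involved, so the result is only as private as the
    digits that remain, and the data is distorted for every downstream use."""
    return identifier[:keep] + "X" * (len(identifier) - keep)


def anonymity_set_sizes(records, transform: Callable[[str], str]) -> List[int]:
    """For each record, count how many records share its transformed identifier.
    A size of 1 means the 'anonymized' value still identifies exactly one person."""
    transformed = [transform(r["id"]) for r in records]
    counts = Counter(transformed)
    return [counts[t] for t in transformed]


def min_anonymity(records, transform: Callable[[str], str]) -> int:
    """The k of k-anonymity for this transform on this data: the smallest group."""
    return min(anonymity_set_sizes(records, transform))


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Deterministic under one key, so joins across
    tables still work, but mapping it back to the real identifier needs the
    key, which stays with the customer rather than the provider. An unkeyed
    hash would not do: a 9-digit id space is small enough to recompute in full."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes) -> List[Dict[str, str]]:
    """Replace the identifier column with keyed pseudonyms; keep the other columns."""
    return [dict(r, id=keyed_pseudonym(r["id"], key)) for r in records]


if __name__ == "__main__":
    print("truncation, keep 6 digits, k =", min_anonymity(SAMPLE_RECORDS, truncate_id))
    print("truncation, keep 8 digits, k =",
          min_anonymity(SAMPLE_RECORDS, lambda i: truncate_id(i, keep=8)))
    key = secrets.token_bytes(32)  # customer-held key; never shipped with the data
    for row in pseudonymize(SAMPLE_RECORDS, key):
        print(row)
```

Keeping six digits gives k = 2 on this table and keeping eight gives k = 1, which is why truncation offers no reliable guarantee; pseudonyms are unique per record as well, but the protection lies in the key, not in the shape of the output, and the key can be rotated or withheld from the provider.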
  25. Conclusions (continued)
     • Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT
     • Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions
  26. What’s Good about the Cloud?
     • A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
     • Cost
     • Flexibility
     • Scalability
     • Speed
  27. Thank you
     subra.k@gmail.com
     Twitter - @subrak

     Disclaimer
     The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by Sun Microsystems. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
     Dec 7th, 2009