This presentation provides a background on cloud services and associated cloud security. It is intended to provide an overview of how to maintain the confidentiality, integrity and availability of your company's information systems and assets when choosing to migrate to a cloud-based IaaS, PaaS or SaaS model.
Security Related Issues Associated With Migrating to Cloud Services
1. Information Security 365/765, Fall Semester, 2015
Course Instructor, Nicholas Davis, CISA, CISSP
November 12 – Cloud Services Security Overview
2. Cloud Security
Even in the Cloud, CIA Matters
Remember, the cornerstone of our class this semester is:
• Confidentiality
• Integrity
• Availability
11/12/15 UNIVERSITY OF WISCONSIN 2
3. What is This “Cloud” Thing?
“Cloud” is a buzzword. It suggests the promise and convenience of being able to access files from anywhere. In reality it is a physical infrastructure: many computers housed in massive warehouses all over the world. As long as it works, we don’t care much about physical location.
4. Core Beneficial Attributes of Cloud Computing
• Massive scale
• Homogeneity
• Virtualization
• Resilient computing
• Low cost software
• Geographic distribution
• Service orientation
• Advanced security technologies
5. Security Benefits of Cloud Computing
Transfers risk from internal to external, reducing the work which must be done internally, in many situations.
Consistency means less replication, and easier maintenance, testing and auditing.
High availability, business continuity and disaster recovery are usually included in a cloud deployment.
6. Concerns Related to Cloud Computing
Trusting someone else to do things the way you want them done
Lack of visibility into the cloud infrastructure for performing audit and compliance work and researching security-related incidents
Defining and enforcing system administration accountability
Loss of control over physical assets
7. A Memorable Cloud Quote
Galen Gruman, InfoWorld Executive Editor:
“A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.”
8. 10 Beneficial Characteristics Of Using the Cloud
9. The 10 Characteristics of “Cloud”: Agility
Agility improves with users' ability to re-provision technological infrastructure resources. It lets you get stuff done fast!
10. The 10 Characteristics of “Cloud”: Cost
Cost reductions are claimed by cloud providers. A public-cloud delivery model converts capital expenditure to operational expenditure. Fewer IT skills are required for implementation (in-house).
11. The 10 Characteristics of “Cloud”: Location
Device and location independence enable users to have ubiquitous access. As infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.
12. The 10 Characteristics of “Cloud”: Maintenance
Maintenance of cloud computing applications is easier, because they do not need to be installed on each user's computer and can be accessed from different places.
13. The 10 Characteristics of “Cloud”: Multitenancy
Multitenancy enables sharing of resources and costs across a large pool of users, thus allowing for:
• Centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.)
• Peak-load capacity increases (users need not engineer for the highest possible load levels)
• Utilization and efficiency improvements for systems that are often only 10–20% utilized
14. The 10 Characteristics of “Cloud”: Performance
Performance is monitored and consistent.
15. The 10 Characteristics of “Cloud”: Productivity
Productivity may be increased when multiple users can work on the same data simultaneously, rather than waiting for it to be saved and emailed. Time may be saved as information does not need to be re-entered when fields are matched, nor do users need to install application software upgrades on their computers.
16. The 10 Characteristics of “Cloud”: Reliability
Reliability improves with the use of multiple redundant sites, which makes well-designed cloud computing suitable for business continuity and disaster recovery.
17. The 10 Characteristics of “Cloud”: Scalability
Scalability and elasticity via dynamic ("on-demand") provisioning of resources on a fine-grained, self-service basis in near real-time, without users having to engineer for peak loads.
18. The 10 Characteristics of “Cloud”: Security
Security can improve due to centralization of data and increased security-focused resources.
HOWEVER…
Concerns can persist about loss of control over certain sensitive data.
19. Cloud Security Can Be Better Than On-Site Security
Security is often as good as or better than other traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford to tackle.
HOWEVER…
There are many more issues to consider, so let’s examine them, together, today.
20. Three Major Types of Cloud Services
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
21. Infrastructure As A Service (IaaS)
Providers of IaaS offer computers – physical or (more often) virtual machines – and other resources. IaaS refers to online services that abstract the user from the details of the infrastructure, such as physical computing resources, location, data partitioning, scaling, security, backup, etc.
22. Platform as a Service (PaaS)
PaaS vendors offer a development environment to application developers. The provider typically develops toolkits and standards for development and channels for distribution and payment. In the PaaS model, cloud providers deliver a computing platform, typically including an operating system, programming-language execution environment, database, and web server.
23. Software As A Service (SaaS)
In the software as a service (SaaS) model, users gain access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis or using a subscription fee.
24. The Deeper You Go, The More Control Is Lost In Terms Of Configurability
25. The Deeper You Go, The Less Security-Related Work Falls Upon the Customer
26. Cloud Clients
Users access cloud computing using networked client devices, such as desktop computers, laptops, tablets and smartphones, and any Ethernet-enabled device such as home automation gadgets. Some of these devices – cloud clients – rely on cloud computing for all or a majority of their applications, so as to be essentially useless without it. Examples are thin clients and the browser-based Chromebook.
27. Deployment Models
Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.[4] Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment.
28. Deployment Models
Private Cloud
Self-run data centers are generally:
• Capital intensive
• They have a significant physical footprint, requiring allocations of space, hardware, and environmental controls
• These assets have to be refreshed periodically, resulting in additional capital expenditures
• They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, essentially “lacking the economic model that makes cloud computing such an intriguing concept”
29. Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Public cloud services may be free.
30. Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources.
31. Security Issues Associated With the Cloud
There are a number of security issues/concerns associated with cloud computing, and these issues fall into two broad categories:
• Security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud)
• Security issues faced by their customers (companies or organizations who host applications or store data on the cloud)
32. Security Issues Associated With the Cloud
The responsibility goes both ways, however: the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
33. The Insider Threat Persists In The Cloud
Cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers must be frequently monitored for suspicious activity.
34. Issues Associated With Multi-Tenancy
In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.
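As an added example (not from the deck), the following Python shows what "logical storage segregation" means at the application layer: a document store in which two constructed tenants share one SQLite table. The unsafe lookup keyed only on a document id returns any tenant's row; the tenant-scoped store binds every query to the tenant of the authenticated session, and an isolation check of the kind an auditor might run confirms that no foreign rows are reachable through it. The tenant names, table layout and function names are this example's own.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data: two tenants ("acme" and "globex") whose documents
# share one table, as they would on a multi-tenant SaaS provider's storage.
SAMPLE_DOCS = [
    (1, "acme", "acme-q3-forecast.xlsx"),
    (2, "acme", "acme-payroll.csv"),
    (3, "globex", "globex-merger-memo.docx"),
]

Row = Tuple[int, str, str]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCS)
    conn.commit()
    return conn


def get_document_unsafe(conn: sqlite3.Connection, doc_id: int) -> Optional[Row]:
    """Looks a document up by id alone. Nothing ties the row to the caller's
    tenant, so a tenant that guesses or enumerates ids reads everyone's data:
    the multi-tenancy exposure the slide describes."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class TenantScopedStore:
    """Logical segregation at the data-access layer: the tenant id is fixed
    from the authenticated session when the store is created, never taken
    from the request, and every query is bound to it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def get_document(self, doc_id: int) -> Optional[Row]:
        return self.conn.execute(
            "SELECT id, tenant_id, name FROM documents"
            " WHERE id = ? AND tenant_id = ?",
            (doc_id, self.tenant_id),
        ).fetchone()

    def list_documents(self) -> List[str]:
        rows = self.conn.execute(
            "SELECT name FROM documents WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        )
        return [name for (name,) in rows]


def isolation_check(conn: sqlite3.Connection, tenant_id: str,
                    id_range: range) -> List[Row]:
    """Audit-style probe: walk a range of ids through the tenant-scoped store
    and collect any row that belongs to a different tenant. An intact
    segregation boundary yields an empty list."""
    store = TenantScopedStore(conn, tenant_id)
    leaked: List[Row] = []
    for doc_id in id_range:
        row = store.get_document(doc_id)
        if row is not None and row[1] != tenant_id:
            leaked.append(row)
    return leaked
```

The same pattern applies whether the backing store is a relational database, an object store keyed by tenant prefix, or a row-level security policy enforced by the database itself; what matters is that the tenant filter is applied by the platform on every access path, not left to each caller to remember.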
35. Issues Associated With Virtualization
The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware. Specific concerns include the potential to compromise the virtualization software, or "hypervisor".
36. 4 Categories of Cloud Security Controls
We have seen a variant of these categories before, when we talked about Physical Security.
• Deterrent
• Preventive
• Detective
• Corrective
37. Deterrent Controls
These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed. (Some consider them a subset of preventive controls.)
38. Preventive Controls
Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
39. Detective Controls
Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventive or corrective controls to address the issue.
40. Corrective Controls
Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
41. Cloud Compliance Still Means Compliance
Numerous laws and regulations pertain to the storage and use of data. In the US these include privacy or data protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the Federal Information Security Management Act of 2002 (FISMA).
42. Multijurisdictional Location Can Mean Increased Compliance Requirements
Similar laws may apply in different legal jurisdictions and may differ quite markedly from those enforced in the US. Cloud service users may often need to be aware of the legal and regulatory differences between the jurisdictions. For example, data stored by a cloud service provider may be located in, say, Singapore and mirrored in the US.
43. Customer Responsibilities For Cloud Compliance
Many of these regulations mandate particular controls (such as strong access controls and audit trails) and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfil such requirements as appropriate, enabling them to comply with their obligations since, to a large extent, they remain accountable.
44. Core Areas to Consider For Compliance
Business Continuity and Data Recovery
Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered. These plans may be shared with and reviewed by their customers, ideally dovetailing with the customers' own continuity arrangements. Joint continuity exercises may be appropriate, simulating a major Internet or electricity supply failure, for instance.
45. Logs and Audit Trails
In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and accessible for the purposes of forensic investigation (eDiscovery).
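Detective controls (slide 39) and the logs and audit trails they depend on (this slide) can be shown together. The following added Python example (not part of the deck) builds a hash-chained audit log from constructed sample events, so that an edited or deleted line breaks the chain and is detectable, and runs a simple detective rule over the log that flags a successful login preceded by repeated failures from the same source. The event format, field names and threshold are this example's own.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # "previous hash" carried by the first record

# Constructed sample audit events, in the shape a provider might export for a
# customer. Users, addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2015-11-12T08:00:01Z", "user": "alice", "action": "login", "result": "success", "src_ip": "10.1.1.5"},
    {"ts": "2015-11-12T08:05:10Z", "user": "bob", "action": "login", "result": "failure", "src_ip": "203.0.113.7"},
    {"ts": "2015-11-12T08:05:14Z", "user": "bob", "action": "login", "result": "failure", "src_ip": "203.0.113.7"},
    {"ts": "2015-11-12T08:05:19Z", "user": "bob", "action": "login", "result": "failure", "src_ip": "203.0.113.7"},
    {"ts": "2015-11-12T08:06:30Z", "user": "bob", "action": "login", "result": "success", "src_ip": "203.0.113.7"},
    {"ts": "2015-11-12T08:10:00Z", "user": "alice", "action": "download", "result": "success", "src_ip": "10.1.1.5", "object": "q3-forecast.xlsx"},
]


def _digest(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def build_log(events: List[Dict[str, str]]) -> Tuple[List[str], str]:
    """Serialise events as JSON lines, each carrying the SHA-256 of the line
    before it. Returns the lines and the head hash; keep the head somewhere
    the log's custodian cannot reach (e.g. with the customer), so that a
    silent rewrite of the whole chain is detectable as well."""
    lines, prev = [], GENESIS
    for event in events:
        line = json.dumps(dict(event, prev=prev), sort_keys=True, separators=(",", ":"))
        lines.append(line)
        prev = _digest(line)
    return lines, prev


def verify_chain(lines: List[str]) -> int:
    """Index of the first record whose 'prev' does not match the hash of the
    preceding line, or -1 if the chain is intact. Editing or deleting a line
    breaks the link immediately after it."""
    expected = GENESIS
    for i, line in enumerate(lines):
        if json.loads(line).get("prev") != expected:
            return i
        expected = _digest(line)
    return -1


def detect_failures_then_success(lines: List[str], threshold: int = 3) -> List[Dict[str, object]]:
    """Detective rule: a successful login preceded by `threshold` or more
    consecutive failures for the same user from the same source address.
    Returns one alert per such login, for corrective controls to act on."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") != "login":
            continue
        key = (rec["user"], rec["src_ip"])
        if rec["result"] == "failure":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "src_ip": rec["src_ip"], "failures_before": failures[key]})
        failures[key] = 0
    return alerts
```

The chain only proves that the log has not changed since it was written; it says nothing about events the provider never recorded, which is why the retention period and the customer's access to the raw log are contractual matters, as the slide says, and not purely technical ones.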
46. Other Compliance Requirements Unique to Cloud Security
In addition to the requirements to which customers are subject, the data centers used by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction, since customer or tenant data may not remain on the same system, or in the same data center, or even within the same provider's cloud.
47. Legal and Contractual Agreements
Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service. These issues are discussed in Service-Level Agreements (SLAs).
48. Evaluating Your Assets BEFORE Moving to the Cloud
How would your company be impacted if:
• The asset became widely public and widely distributed?
• An employee of your cloud provider accessed the asset?
• The process or function were manipulated by an outsider?
• The process or function failed to provide expected results?
• The info/data was unexpectedly changed?
• The asset were unavailable for a period of time?
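As an added example (not from the deck), this Python turns the six questions above into a categorization of each asset: every question is tagged with the CIA property it probes (the tagging is my own reading of the questions), the worst answer per property is taken, and the overall level is the highest of the three, the "high-water mark" approach used by FIPS 199. The asset names and the impact answers are constructed.

```python
from enum import IntEnum
from typing import Dict, List, Tuple


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The slide's six "what if" questions, each tagged with the CIA property it
# probes. The tagging is this example's own reading of the questions.
QUESTIONS: Dict[str, str] = {
    "became_widely_public": "confidentiality",
    "provider_employee_accessed": "confidentiality",
    "manipulated_by_outsider": "integrity",
    "unexpectedly_changed": "integrity",
    "failed_expected_results": "availability",
    "unavailable_for_a_period": "availability",
}
PROPERTIES = ("confidentiality", "integrity", "availability")

# Constructed sample answers for two hypothetical assets.
SAMPLE_ASSETS: Dict[str, Dict[str, Impact]] = {
    "payroll records": {
        "became_widely_public": Impact.HIGH,
        "provider_employee_accessed": Impact.HIGH,
        "manipulated_by_outsider": Impact.MODERATE,
        "unexpectedly_changed": Impact.HIGH,
        "failed_expected_results": Impact.MODERATE,
        "unavailable_for_a_period": Impact.LOW,
    },
    "public marketing site": {
        "became_widely_public": Impact.LOW,
        "provider_employee_accessed": Impact.LOW,
        "manipulated_by_outsider": Impact.MODERATE,
        "unexpectedly_changed": Impact.MODERATE,
        "failed_expected_results": Impact.LOW,
        "unavailable_for_a_period": Impact.MODERATE,
    },
}


def categorize(answers: Dict[str, Impact]) -> Tuple[Dict[str, Impact], Impact]:
    """Per property, the worst impact among its questions; overall, the worst
    property (the FIPS 199 'high-water mark'). Every question must be
    answered, since an unanswered one would otherwise silently read as LOW."""
    missing = sorted(set(QUESTIONS) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    per_property = {prop: Impact.LOW for prop in PROPERTIES}
    for question, prop in QUESTIONS.items():
        per_property[prop] = max(per_property[prop], answers[question])
    return per_property, max(per_property.values())


def rank_assets(assets: Dict[str, Dict[str, Impact]]
                ) -> List[Tuple[str, Impact, Dict[str, Impact]]]:
    """Assets worst-first, so the highest-impact ones get the hardest
    questions to the provider, and the strongest controls, before any
    migration decision is made."""
    rows = []
    for name, answers in assets.items():
        per_property, overall = categorize(answers)
        rows.append((name, overall, per_property))
    rows.sort(key=lambda row: (-int(row[1]), row[0]))
    return rows
```

The per-property breakdown is worth keeping alongside the overall level: an asset that is HIGH only on availability calls for a different conversation with the provider (continuity plans, SLAs) than one that is HIGH on confidentiality (encryption, key custody, employee access).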
49. Use FIPS 200 As Your Cloud Security Guide
The FIPS 200 standard emphasizes security during the development, implementation, and operation of information systems.
FIPS 200 defines the following 17 security areas, covering the confidentiality, integrity, and availability (CIA) of federal information systems and the information processed, stored, and transmitted by those systems.
50. Use FIPS 200 As Your Cloud Security Guide
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation, and Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
51. Use FIPS 200 As Your Cloud Security Guide
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. Systems and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity
52. Solid Governance is Cloud Security Checks and Balances
• Value delivery
• Strategic alignment
• Resource management
• Risk management
• Performance management
53. Considerations When Selecting a Cloud Provider
• What type of self-service options exist?
• What types of shared resources are employed across all customers?
• Who provides utilities and network access?
• How fast can additional capacity be brought online?
• How do they measure their service, in terms of billing? Electricity use? Network usage? Fixed cost sharing?
54. Other Cloud Considerations
Do They Have These?
• Incident response plans
• Application testing, security standards for development
• If encryption services are provided, how the keys are managed
• Facility access policies and technologies
• A description of how their virtualization technologies function and the associated security controls
55. Worst Case Scenario Cloud Provider Questions
What Would Happen If:
• Company data became distributed to the public, as in the case of Ashley Madison?
• A cloud provider employee saw sensitive information?
• A cloud service was manipulated to malfunction by an outside party?
• You lost access to the cloud service for a period of time?
56. Clouds Can Float Away
Always Plan For Change
• If you have to switch cloud providers
• Cloud provider goes out of business
• Provider service shutdown
• Business disagreement
• Changes in costs / billing
• Service quality decrease