Security Related Issues Associated With Migrating to Cloud Services
Information Security 365/765, Fall Semester, 2015
Course Instructor, Nicholas Davis, CISA, CISSP
November 12 – Cloud Services Security Overview
Cloud Security
Even in the Cloud, CIA Matters
Remember, the cornerstone of our class
this semester is:
•Confidentiality
•Integrity
•Availability
11/12/15 UNIVERSITY OF WISCONSIN 2
What is This “Cloud” Thing?
“Cloud” is a buzzword
Suggests the promise and
convenience of being able to
access files from anywhere
In reality it is physical infrastructure:
many computers housed in
massive warehouses all over the
world
As long as it works, we don’t care
much about physical location
Core Beneficial Attributes of Cloud Computing
• Massive scale
• Homogeneity
• Virtualization
• Resilient computing
• Low cost software
• Geographic distribution
• Service orientation
• Advanced security technologies
Security Benefits of Cloud Computing
In many situations, transfers risk from
internal to external parties, reducing the
work which must be done internally
Consistency means less replication, making
systems easier to maintain, test and audit
High availability, business
continuity and disaster recovery
are usually included in a cloud
deployment
Concerns Related to Cloud Computing
Trusting someone else to do things the
way you want them done
Lack of visibility into the cloud
infrastructure for performing audit and
compliance work and researching
security related incidents
Defining and enforcing system
administration accountability
Loss of control over physical assets
A Memorable Cloud Quote
Galen Gruman, InfoWorld
Executive Editor
“A way to increase capacity
or add capabilities on the fly
without investing in new
infrastructure, training new
personnel, or licensing new
software.”
10 Beneficial Characteristics Of Using the Cloud
The 10 Characteristics of “Cloud”: Agility
Agility improves with users' ability to re-
provision technological infrastructure
resources. It lets you get stuff done fast!
The 10 Characteristics of “Cloud”: Cost
Cost reductions claimed by cloud
providers. A public-cloud delivery model
converts capital expenditure to
operational expenditure. Fewer IT skills
are required for implementation (in-
house)
The 10 Characteristics of “Cloud”: Location
Device and location independence
enable users to have ubiquitous access.
As infrastructure is off-site (typically
provided by a third-party) and accessed
via the Internet, users can connect from
anywhere
The 10 Characteristics of “Cloud”: Maintenance
Maintenance of cloud computing
applications is easier, because they do
not need to be installed on each user's
computer and can be accessed from
different places.
The 10 Characteristics of “Cloud”: Multitenancy
Multitenancy enables sharing of resources
and costs across a large pool of users, thus
allowing for:
•Centralization of infrastructure in locations with
lower costs (such as real estate, electricity, etc.)
•Peak-load capacity increases (users need not
engineer for the highest possible load levels)
•Utilization and efficiency improvements for
systems that are often only 10–20% utilized
The 10 Characteristics of “Cloud”: Performance
Performance is monitored and consistent
The 10 Characteristics of “Cloud”: Productivity
Productivity may be increased when
multiple users can work on the
same data simultaneously, rather
than waiting for it to be saved and
emailed. Time may be saved as
information does not need to be re-
entered when fields are matched,
nor do users need to install
application software upgrades to
their computer.
The 10 Characteristics of “Cloud”: Reliability
Reliability improves with the use of
multiple redundant sites, which makes
well-designed cloud computing suitable
for business continuity and disaster
recovery
The 10 Characteristics of “Cloud”: Scalability
Scalability and elasticity via
dynamic ("on-demand")
provisioning of resources on a
fine-grained, self-service basis
in near real-time, without users
having to engineer for peak
loads
The 10 Characteristics of “Cloud”: Security
Security can improve due to
centralization of data, increased
security-focused resources
HOWEVER…
Concerns can persist about loss of
control over certain sensitive data
Cloud Security Can Be Better Than On-Site Security
Security is often as good as or better
than other traditional systems, in part
because providers are able to devote
resources to solving security issues that
many customers cannot afford to tackle
HOWEVER…
There are many more issues to consider,
so let’s examine them, together, today.
Three Major Types of Cloud Services
•Infrastructure as a Service (IaaS)
•Platform as a Service (PaaS)
•Software as a Service (SaaS)
Infrastructure As A Service
(IaaS)
Providers of IaaS offer computers –
physical or (more often) virtual
machines – and other resources.
IaaS refers to online services that
abstract the user from the details of
the underlying infrastructure: physical
computing resources, location, data
partitioning, scaling, security,
backup, etc.
Platform as a Service (PaaS)
PaaS vendors offer a development
environment to application
developers. The provider typically
develops toolkits and standards for
development, and channels for
distribution and payment. In the
PaaS model, cloud providers
deliver a computing platform,
typically including an operating
system, programming-language
execution environment, database,
and web server.
Software As A Service
(SaaS)
In the software as a service (SaaS)
model, users gain access to
application software and
databases. Cloud providers
manage the infrastructure and
platforms that run the
applications. SaaS is sometimes
referred to as "on-demand
software" and is usually priced on
a pay-per-use basis or using a
subscription fee.
The Deeper You Go, The More Control Is Lost In Terms Of Configurability
The Deeper You Go, The Less Security Related Work Falls Upon the Customer
Cloud Clients
Users access cloud computing
using networked client devices,
such as desktop computers,
laptops, tablets and smartphones,
and any network-enabled device
such as home automation
gadgets. Some of these devices –
cloud clients – rely on cloud
computing for all or a majority of
their applications, so as to be
essentially useless without it.
Examples are thin clients and the
browser-based Chromebook.
Deployment Models
Private Cloud
Private cloud is cloud infrastructure
operated solely for a single
organization, whether managed
internally or by a third party, and
hosted either internally or
externally. Undertaking a private
cloud project requires a significant
level and degree of engagement to
virtualize the business environment.
Self-run data centers are generally:
•Capital intensive
•They have a significant physical footprint,
requiring allocations of space, hardware, and
environmental controls
•These assets have to be refreshed periodically,
resulting in additional capital expenditures
•They have attracted criticism because users "still
have to buy, build, and manage them" and thus
do not benefit from less hands-on management,
essentially "lacking the economic model that
makes cloud computing such an intriguing
concept"
Public Cloud
A cloud is called a "public cloud" when the
services are rendered over a network that is
open for public use. Public cloud services
may be free.
Hybrid Cloud
Hybrid cloud is a composition of two or more
clouds (private or public) that remain distinct
entities but are bound together, offering the
benefits of multiple deployment models. Hybrid
cloud can also mean the ability to connect
colocation, managed and/or dedicated services
with cloud resources.
Security Issues Associated With
the Cloud
There are a number of security issues/concerns
associated with cloud computing and these issues
fall into two broad categories:
•Security issues faced by cloud providers
(organizations providing software-, platform-, or
infrastructure-as-a-service via the cloud)
•Security issues faced by their customers (companies
or organizations who host applications or store data
on the cloud).
Security Issues Associated With the Cloud
The responsibility goes both ways,
however: the provider must ensure
that their infrastructure is secure
and that their clients’ data and
applications are protected, while the
customer must take measures to fortify
their applications and use strong
passwords and authentication
measures.
The Insider Threat Persists In The Cloud
Cloud Service providers
must ensure that thorough
background checks are
conducted for employees
who have physical access to
the servers in the data
center. Additionally, data
centers must be frequently
monitored for suspicious
activity.
Issues Associated With Multitenancy
In order to conserve resources, cut costs, and maintain
efficiency, Cloud Service Providers often store more than
one customer's data on the same server. As a result, there
is a chance that one user's private data can be viewed by
other users (possibly even competitors). To handle such
sensitive situations, cloud service providers should
ensure proper data isolation and logical storage
segregation.
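The isolation failure the slide warns about usually shows up in the application layer, not the disks: a shared table keyed on a globally unique record id lets any tenant who can guess another tenant's id read it. The following is an added example written for these notes, not code from the lecture. It builds a constructed two-tenant table in an in-memory SQLite database (tenant names, columns and document bodies are all assumptions) and contrasts a lookup that ignores the tenant with one that scopes every query to the authenticated tenant.

```python
import sqlite3

# Constructed sample data: two tenants whose rows share one physical table
# (tenant names and documents are invented for this example).
TENANT_DOCS = [
    ("acme", 1, "Acme Q3 forecast"),
    ("acme", 2, "Acme payroll export"),
    ("globex", 3, "Globex merger memo"),
]


def setup_db():
    """Create the shared in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " tenant_id TEXT NOT NULL,"
        " doc_id INTEGER PRIMARY KEY,"
        " body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", TENANT_DOCS)
    conn.commit()
    return conn


def get_document_unsafe(conn, doc_id):
    """Vulnerable: keys on the globally unique doc_id only. Any caller who
    learns or guesses another tenant's id reads that tenant's row."""
    row = conn.execute(
        "SELECT body FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def get_document_safe(conn, tenant_id, doc_id):
    """Hardened: the tenant comes from the authenticated session (never from
    the request) and is part of every predicate, so rows of other tenants
    are unreachable even when their ids are known."""
    row = conn.execute(
        "SELECT body FROM documents WHERE tenant_id = ? AND doc_id = ?",
        (tenant_id, doc_id),
    ).fetchone()
    return row[0] if row else None


def cross_tenant_leak_count(conn, requesting_tenant, lookup):
    """Probe every known doc_id as `requesting_tenant` and count how many rows
    owned by *other* tenants the given lookup function hands back."""
    leaks = 0
    for owner, doc_id, _ in TENANT_DOCS:
        if owner == requesting_tenant:
            continue
        if lookup(conn, requesting_tenant, doc_id) is not None:
            leaks += 1
    return leaks


if __name__ == "__main__":
    db = setup_db()
    unsafe = lambda c, tenant, d: get_document_unsafe(c, d)
    print("leaks via unsafe lookup:", cross_tenant_leak_count(db, "acme", unsafe))
    print("leaks via safe lookup:  ", cross_tenant_leak_count(db, "acme", get_document_safe))
```

The same check is worth running as an automated test against every data-access path in a multitenant service: log in as one tenant, enumerate ids belonging to another, and assert that nothing comes back. Where the database supports it, row-level security that injects the tenant predicate server-side removes the dependence on every developer remembering the extra clause.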
Issues Associated With Virtualization
The extensive use of virtualization in
implementing cloud infrastructure
brings unique security concerns for
customers or tenants of a public cloud
service. Virtualization alters the
relationship between the OS and
underlying hardware. Specific
concerns include the potential to
compromise the virtualization
software, or "hypervisor".
4 Categories of Cloud Security Controls
We have seen a variant of these categories before,
when we talked about Physical Security.
•Deterrent
•Preventive
•Detective
•Corrective
Deterrent Controls
These controls are intended to
reduce attacks on a cloud
system. Much like a warning
sign on a fence or a property,
deterrent controls typically
reduce the threat level by
informing potential attackers
that there will be adverse
consequences for them if they
proceed. (Some consider them
a subset of preventive
controls.)
Preventive Controls
Strengthen the system against
incidents, generally by reducing
if not actually eliminating
vulnerabilities. Strong
authentication of cloud users,
for instance, makes it less likely
that unauthorized users can
access cloud systems, and more
likely that cloud users are
positively identified.
Detective Controls
Detective controls are intended to detect and react
appropriately to any incidents that occur. In the
event of an attack, a detective control will signal
the preventive or corrective controls to address the
issue.
Corrective Controls
Corrective controls reduce the
consequences of an incident,
normally by limiting the
damage. They come into effect
during or after an incident.
Restoring system backups in
order to rebuild a
compromised system is an
example of a corrective
control.
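The Detective and Corrective slides describe a pipeline: a detective control spots the event and hands off to a corrective one. As an added example for these notes (not from the lecture), here is that hand-off in Python over a few constructed cloud audit-log lines. The log format, field names, account names, IP addresses and the trusted network range are all assumptions invented for the example; the corrective actions are returned as labels rather than calling any provider API.

```python
import ipaddress
import json

# Constructed sample audit events, one JSON object per line. The field names
# (principal, type, event, mfa, src_ip) are assumptions for this example and
# do not correspond to any particular provider's log format.
SAMPLE_LOG = """\
{"time":"2015-11-12T09:01:00Z","principal":"alice","type":"user","event":"ConsoleLogin","mfa":true,"src_ip":"198.51.100.20"}
{"time":"2015-11-12T09:05:00Z","principal":"root","type":"root","event":"CreateAccessKey","mfa":true,"src_ip":"198.51.100.20"}
{"time":"2015-11-12T09:07:00Z","principal":"bob","type":"user","event":"ConsoleLogin","mfa":false,"src_ip":"198.51.100.21"}
{"time":"2015-11-12T23:40:00Z","principal":"deploy-key","type":"access_key","event":"ListBuckets","mfa":false,"src_ip":"203.0.113.77"}
{"time":"2015-11-12T23:41:00Z","principal":"alice","type":"user","event":"GetObject","mfa":true,"src_ip":"198.51.100.20"}
"""

# Networks the organisation expects its cloud API calls to come from (assumed).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, trusted_networks=TRUSTED_NETWORKS):
    """Detective control: evaluate three rules against each event and return
    (rule_name, event) for every match. One event may match several rules."""
    findings = []
    for ev in events:
        src = ipaddress.ip_address(ev["src_ip"])
        if ev["type"] == "root":
            findings.append(("root_account_used", ev))
        if ev["event"] == "ConsoleLogin" and not ev["mfa"]:
            findings.append(("console_login_without_mfa", ev))
        if not any(src in net for net in trusted_networks):
            findings.append(("access_from_untrusted_network", ev))
    return findings


# Corrective action per rule. The labels are placeholders; a real responder
# would call the provider's API, e.g. to disable the credential.
RESPONSE_PLAYBOOK = {
    "root_account_used": "page_security_oncall",
    "console_login_without_mfa": "force_password_reset_and_mfa_enrollment",
    "access_from_untrusted_network": "disable_credential",
}


def respond(findings, playbook=RESPONSE_PLAYBOOK):
    """Corrective control: turn findings into (action, principal) pairs,
    de-duplicated so a principal is not actioned twice for the same rule."""
    actions = []
    for rule, ev in findings:
        action = (playbook[rule], ev["principal"])
        if action not in actions:
            actions.append(action)
    return actions


def run_pipeline(text):
    """Detect, then respond: the detective control feeds the corrective one."""
    findings = detect(parse_events(text))
    return findings, respond(findings)


if __name__ == "__main__":
    findings, actions = run_pipeline(SAMPLE_LOG)
    for rule, ev in findings:
        print(f"{ev['time']} {rule}: {ev['principal']} from {ev['src_ip']}")
    for action, principal in actions:
        print(f"-> {action}({principal})")
```

On the constructed input the root-account call, Bob's login without MFA and the access key used from outside the trusted range are each flagged, and each maps to a different response. Note that the third rule depends on the allowlist being correct; with an empty allowlist every event is flagged, which is the failure mode a noisy detective control produces and why the playbook should distinguish paging a human from automatically disabling a credential.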
Cloud Compliance Still Means Compliance
Numerous laws and regulations
pertain to the storage and use of data.
In the US these include privacy or
data protection laws, the Payment Card
Industry Data Security Standard
(PCI DSS), the Health Insurance
Portability and Accountability Act
(HIPAA), the Sarbanes-Oxley Act, and the
Federal Information Security
Management Act of 2002 (FISMA).
Multijurisdictional Location Can Mean Increased Compliance Requirements
Similar laws may apply in different
legal jurisdictions and may differ
quite markedly from those enforced
in the US. Cloud service users may
often need to be aware of the legal
and regulatory differences between
the jurisdictions. For example, data
stored by a Cloud Service Provider
may be located in, say, Singapore and
mirrored in the US.
Customer Responsibilities For Cloud Compliance
Many of these regulations mandate
particular controls (such as strong
access controls and audit trails) and
require regular reporting. Cloud
customers must ensure that their
cloud providers adequately fulfil
such requirements as appropriate,
enabling them to comply with their
obligations since, to a large extent,
they remain accountable.
Core Areas to Consider For Compliance
Business Continuity and Data Recovery
Cloud providers have business
continuity and data recovery plans in
place to ensure that service can be
maintained in case of a disaster or an
emergency and that any data loss will
be recovered. These plans may be
shared with and reviewed by their
customers, ideally dovetailing with the
customers' own continuity
arrangements. Joint continuity
exercises may be appropriate,
simulating a major Internet or
electricity supply failure for instance.
Logs and Audit Trails
In addition to producing logs and audit trails,
cloud providers work with their customers to
ensure that these logs and audit trails are
properly secured, maintained for as long as the
customer requires, and are accessible for the
purposes of forensic investigation (eDiscovery).
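"Properly secured" logs means, for forensic purposes, logs whose integrity the customer can verify without trusting the provider or the provider's insiders. One way to get that is a keyed hash chain: each entry's tag covers the previous tag plus the entry, under a key only the customer holds, and the customer keeps the latest tag outside the provider. The block below is an added example for these notes, not code from the lecture or any provider; the key value, the record fields and the sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Integrity key held by the customer and never shared with the provider
# (value assumed for this example).
CUSTOMER_KEY = b"customer-held-log-integrity-key"
GENESIS = "0" * 64  # tag assumed to precede the first entry

# Constructed sample records; field names are assumptions for this example.
SAMPLE_RECORDS = [
    {"time": "2015-11-12T10:00:00Z", "actor": "alice", "action": "read", "object": "contracts/q3.pdf"},
    {"time": "2015-11-12T10:02:00Z", "actor": "bob", "action": "delete", "object": "contracts/q2.pdf"},
    {"time": "2015-11-12T10:05:00Z", "actor": "alice", "action": "share", "object": "contracts/q3.pdf"},
]


def _entry_tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag and a canonical encoding of this
    record, so every tag commits to the entire history before it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


def append_entry(log, record, key=CUSTOMER_KEY):
    """Append a record with its chained tag. Returns the new head tag, which
    the customer stores somewhere the provider cannot rewrite."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    tag = _entry_tag(key, prev_tag, record)
    log.append({"record": record, "tag": tag})
    return tag


def verify_chain(log, key=CUSTOMER_KEY, expected_head=None):
    """Return (True, None) if every tag recomputes and, when given, the final
    tag matches the independently stored head. Otherwise return (False, i),
    where i is the first failing entry; i == len(log) means the tail was cut."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        recomputed = _entry_tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(entry["tag"], recomputed):
            return False, i
        prev_tag = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(log)
    return True, None


def build_sample_log():
    """Fresh log built from the constructed records (independent copies)."""
    log = []
    for record in SAMPLE_RECORDS:
        append_entry(log, dict(record))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["tag"]
    print("intact:  ", verify_chain(log, expected_head=head))
    log[1]["record"]["action"] = "read"  # an insider rewrites bob's delete
    print("modified:", verify_chain(log, expected_head=head))
```

Modifying or removing an entry breaks every tag after it, and because the key is not on the provider's side the chain cannot be silently recomputed. The one attack the chain alone does not catch is truncation of the tail, which is why the customer must also retain the latest head tag (or periodically anchor it elsewhere) and pass it to the verifier.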
Other Compliance Requirements Unique to Cloud Security
In addition to the requirements to which
customers are subject, the data centers
used by cloud providers may also be
subject to compliance requirements.
Using a cloud service provider (CSP) can
lead to additional security concerns
around data jurisdiction since customer
or tenant data may not remain on the
same system, or in the same data center
or even within the same provider's
cloud.
Legal and Contractual Agreements
Aside from the security and compliance issues
enumerated above, cloud providers and their
customers will negotiate terms around liability
(stipulating how incidents involving data loss or
compromise will be resolved, for example),
intellectual property, and end-of-service. These
issues are discussed in Service-Level Agreements
(SLA).
Evaluating Your Assets BEFORE Moving to the Cloud
How would your company be impacted if:
•The asset became widely public and widely
distributed?
•An employee of your cloud provider accessed
the asset?
•The process or function were manipulated by
an outsider?
•The process or function failed to provide
expected results?
•The info/data was unexpectedly changed?
•The asset were unavailable for a period of
time?
Use FIPS 200 As Your Cloud Security Guide
The FIPS 200 standard emphasizes
security during the development,
implementation, and operation of
federal information systems.
FIPS 200 defines the following 17 security
areas, covering the confidentiality,
integrity, and availability (CIA) of federal
information systems and the information
processed, stored, and transmitted by
those systems.
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Certification, Accreditation, and Security Assessments
5. Configuration Management
6. Contingency Planning
7. Identification and Authentication
8. Incident Response
9. Maintenance
10. Media Protection
11. Physical and Environmental Protection
12. Planning
13. Personnel Security
14. Risk Assessment
15. Systems and Services Acquisition
16. System and Communications Protection
17. System and Information Integrity
Solid Governance is Cloud Security Checks and Balances
•Value delivery
•Strategic alignment
•Resource management
•Risk management
•Performance management
Considerations When Selecting a Cloud Provider
• What type of self service options exist?
• What types of shared resources are
employed across all customers?
• Who provides utilities and network
access?
• How fast can additional capacity be
brought online?
• How do they measure their service, in
terms of billing? Electricity use?
Network usage? Fixed cost sharing?
Other Cloud Considerations: Do They Have These?
• Incident response plans
• Application testing, security
standards for development
• If encryption services are provided,
how are the keys managed?
• Facility access policies and
technologies
• A description of how their virtualization
technologies function and the associated
security controls
Worst Case Scenario
Cloud Provider Questions
What Would Happen If:
• Company data became distributed to
the public, such as in case of Ashley
Madison?
• A cloud provider employee saw
sensitive information?
• A cloud service was manipulated to
malfunction, by an outside party?
• You lost access to the cloud service, for
a period of time?
Clouds Can Float Away
Always Plan For Change
• If you have to switch cloud providers
• Cloud Provider goes out of business
• Provider service shutdown
• Business disagreement
• Changes in costs / billing
• Service quality decrease

More Related Content

Similar to Security Related Issues Associated With Migrating to Cloud Services

Synopsis on cloud computing by Prashant upta
Synopsis on cloud computing by Prashant uptaSynopsis on cloud computing by Prashant upta
Synopsis on cloud computing by Prashant upta
Prashant Gupta
 
Private Cloud With System Center Project
Private Cloud With System Center ProjectPrivate Cloud With System Center Project
Private Cloud With System Center Project
Abhijit Kundu
 
cloudcomputingppt-170825044254.pdf
cloudcomputingppt-170825044254.pdfcloudcomputingppt-170825044254.pdf
cloudcomputingppt-170825044254.pdf
SANDY4772
 

Similar to Security Related Issues Associated With Migrating to Cloud Services (20)

Cloud Computing_presentation.pptx
Cloud Computing_presentation.pptxCloud Computing_presentation.pptx
Cloud Computing_presentation.pptx
 
Reasons for Cloud Computing’s Popularity in the UK
Reasons for Cloud Computing’s Popularity in the UKReasons for Cloud Computing’s Popularity in the UK
Reasons for Cloud Computing’s Popularity in the UK
 
Clouding computing
Clouding computingClouding computing
Clouding computing
 
Introduction to Cloud computing
Introduction to Cloud computingIntroduction to Cloud computing
Introduction to Cloud computing
 
Cloud-Computing-ppt.pptx
Cloud-Computing-ppt.pptxCloud-Computing-ppt.pptx
Cloud-Computing-ppt.pptx
 
Synopsis on cloud computing by Prashant upta
Synopsis on cloud computing by Prashant uptaSynopsis on cloud computing by Prashant upta
Synopsis on cloud computing by Prashant upta
 
Private Cloud With System Center Project
Private Cloud With System Center ProjectPrivate Cloud With System Center Project
Private Cloud With System Center Project
 
Cloud-Computing-ppt.pptx
Cloud-Computing-ppt.pptxCloud-Computing-ppt.pptx
Cloud-Computing-ppt.pptx
 
MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101
 
Cloud Computing ppt
Cloud Computing pptCloud Computing ppt
Cloud Computing ppt
 
cloudcomputingppt-170825044254.pdf
cloudcomputingppt-170825044254.pdfcloudcomputingppt-170825044254.pdf
cloudcomputingppt-170825044254.pdf
 
Cloud Computing Interview Questions
Cloud Computing Interview QuestionsCloud Computing Interview Questions
Cloud Computing Interview Questions
 
How to Cloud - The Ultimate Guide to Cloud Computing
How to Cloud - The Ultimate Guide to Cloud ComputingHow to Cloud - The Ultimate Guide to Cloud Computing
How to Cloud - The Ultimate Guide to Cloud Computing
 
CA NOTES ON EMERGING TECHNOLOGIES
CA NOTES ON EMERGING TECHNOLOGIESCA NOTES ON EMERGING TECHNOLOGIES
CA NOTES ON EMERGING TECHNOLOGIES
 
Cloud management
Cloud managementCloud management
Cloud management
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Presentation on cloud computing.pptx
Presentation on cloud computing.pptxPresentation on cloud computing.pptx
Presentation on cloud computing.pptx
 
Introduction to cloud Cambridge University.ppt
Introduction to cloud Cambridge University.pptIntroduction to cloud Cambridge University.ppt
Introduction to cloud Cambridge University.ppt
 
Introduction.ppt
Introduction.pptIntroduction.ppt
Introduction.ppt
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 

More from Nicholas Davis

More from Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team Project
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up Summary
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing Education
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 

Recently uploaded

pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 

Recently uploaded (20)

Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf

Security Related Issues Associated With Migrating to Cloud Services

  • 1. Information Security 365/765, Fall Semester, 2015. Course Instructor, Nicholas Davis, CISA, CISSP. November 12 – Cloud Services Security Overview
  • 2. Cloud Security: Even in the Cloud, CIA Matters. Remember, the cornerstone of our class this semester is: Confidentiality, Integrity, Availability. 11/12/15 UNIVERSITY OF WISCONSIN 2
  • 3. What is This “Cloud” Thing? “Cloud” is a buzzword. It suggests the promise and convenience of being able to access files from anywhere. In reality it is a physical infrastructure: many computers housed in massive warehouses all over the world. As long as it works, we don’t care much about physical location.
  • 4. Core Beneficial Attributes of Cloud Computing: massive scale; homogeneity; virtualization; resilient computing; low-cost software; geographic distribution; service orientation; advanced security technologies.
  • 5. Security Benefits of Cloud Computing. Transfers risk from internal to external, reducing the work which must be done internally, in many situations. Consistency means less replication, and systems that are easier to maintain, test and audit. High availability, business continuity and disaster recovery are usually included in a cloud deployment.
  • 6. Concerns Related to Cloud Computing. Trusting someone else to do things the way you want them done. Lack of visibility into the cloud infrastructure for performing audit and compliance work and for investigating security-related incidents. Defining and enforcing system administration accountability. Loss of control over physical assets.
  • 7. A Memorable Cloud Quote. Galen Gruman, InfoWorld Executive Editor: “A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.”
  • 8. 10 Beneficial Characteristics of Using the Cloud.
  • 9. The 10 Characteristics of “Cloud”: Agility. Agility improves with users' ability to re-provision technological infrastructure resources. It lets you get stuff done fast!
  • 10. The 10 Characteristics of “Cloud”: Cost. Cost reductions are claimed by cloud providers. A public-cloud delivery model converts capital expenditure to operational expenditure. Fewer IT skills are required for in-house implementation.
  • 11. The 10 Characteristics of “Cloud”: Location. Device and location independence enable users to have ubiquitous access. As the infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.
  • 12. The 10 Characteristics of “Cloud”: Maintenance. Maintenance of cloud computing applications is easier, because they do not need to be installed on each user's computer and can be accessed from different places.
  • 13. The 10 Characteristics of “Cloud”: Multitenancy. Multitenancy enables sharing of resources and costs across a large pool of users, thus allowing for: centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.); peak-load capacity increases (users need not engineer for the highest possible load levels); utilization and efficiency improvements for systems that are often only 10–20% utilized.
  • 14. The 10 Characteristics of “Cloud”: Performance. Performance is monitored, and consistent.
  • 15. The 10 Characteristics of “Cloud”: Productivity. Productivity may be increased when multiple users can work on the same data simultaneously, rather than waiting for it to be saved and emailed. Time may be saved as information does not need to be re-entered when fields are matched, nor do users need to install application software upgrades on their computers.
  • 16. The 10 Characteristics of “Cloud”: Reliability. Reliability improves with the use of multiple redundant sites, which makes well-designed cloud computing suitable for business continuity and disaster recovery.
  • 17. The 10 Characteristics of “Cloud”: Scalability. Scalability and elasticity via dynamic ("on-demand") provisioning of resources on a fine-grained, self-service basis in near real time, without users having to engineer for peak loads.
  • 18. The 10 Characteristics of “Cloud”: Security. Security can improve due to centralization of data and increased security-focused resources. HOWEVER… concerns can persist about loss of control over certain sensitive data.
  • 19. Cloud Security Can Be Better Than On-Site Security. Security is often as good as or better than that of traditional on-site systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford to tackle. HOWEVER… there are many more issues to consider, so let’s examine them, together, today.
  • 20. Three Major Types of Cloud Services: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); Software as a Service (SaaS).
  • 21. Infrastructure As A Service (IaaS). Providers of IaaS offer computers – physical or (more often) virtual machines – and other resources. IaaS refers to online services that abstract the user from the details of infrastructure such as physical computing resources, location, data partitioning, scaling, security, backup, etc.
  • 22. Platform as a Service (PaaS). PaaS vendors offer a development environment to application developers. The provider typically develops toolkits and standards for development and channels for distribution and payment. In the PaaS model, cloud providers deliver a computing platform, typically including operating system, programming-language execution environment, database, and web server.
  • 23. Software As A Service (SaaS). In the software as a service (SaaS) model, users gain access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use basis or using a subscription fee.
  • 24. The Deeper You Go (from IaaS toward SaaS), The More Control Is Lost In Terms Of Configurability.
  • 25. The Deeper You Go, The Less Security-Related Work Falls Upon the Customer (the provider takes on more of it).
  • 26. Cloud Clients. Users access cloud computing using networked client devices, such as desktop computers, laptops, tablets and smartphones, and any Ethernet-enabled device such as home automation gadgets. Some of these devices – cloud clients – rely on cloud computing for all or a majority of their applications, so as to be essentially useless without it. Examples are thin clients and the browser-based Chromebook.
  • 27. Deployment Models: Private Cloud. A private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally.[4] Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment.
  • 28. Deployment Models: Private Cloud. Self-run data centers are generally capital intensive; they have a significant physical footprint, requiring allocations of space, hardware, and environmental controls; these assets have to be refreshed periodically, resulting in additional capital expenditures; and they have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, essentially "lacking the economic model that makes cloud computing such an intriguing concept".
  • 29. Public Cloud. A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Public cloud services may be free.
  • 30. Hybrid Cloud. Hybrid cloud is a composition of two or more clouds (private or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources.
  • 31. Security Issues Associated With the Cloud. There are a number of security issues/concerns associated with cloud computing, and these issues fall into two broad categories: security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud); and security issues faced by their customers (companies or organizations who host applications or store data on the cloud).
  • 32. Security Issues Associated With the Cloud. The responsibility goes both ways, however: the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
  • 33. The Insider Threat Persists In The Cloud. Cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers must be frequently monitored for suspicious activity.
  • 34. Issues Associated With Multi-Tenancy. In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.
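Slide 34 says isolation must be enforced but not what a failure of it looks like in code. The following is an added example, not part of the slides and not any provider's code: the same record lookup written without and with tenant scoping, in Go. The in-memory store, the tenant names "acme" and "globex" and the record IDs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one row in a table shared by every tenant of the service.
// The TenantID column makes logical segregation possible; the lookup
// code below is what actually enforces it.
type Record struct {
	ID       int
	TenantID string
	Payload  string
}

var ErrNotFound = errors.New("record not found")

// Store models a provider that keeps several customers' data in one
// table on one server, keyed by a globally unique record ID.
type Store struct {
	rows map[int]Record
}

// NewSampleStore seeds two tenants' rows. Tenant names and payloads are
// constructed sample data for this example.
func NewSampleStore() *Store {
	return &Store{rows: map[int]Record{
		100: {ID: 100, TenantID: "acme", Payload: "acme Q3 price list"},
		101: {ID: 101, TenantID: "globex", Payload: "globex merger memo"},
	}}
}

// GetUnscoped is the defective lookup: it trusts the caller-supplied ID
// and never checks ownership, so a tenant that guesses a neighbouring
// ID reads another customer's row.
func (s *Store) GetUnscoped(id int) (Record, error) {
	r, ok := s.rows[id]
	if !ok {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// GetForTenant is the segregated lookup. The tenant comes from the
// authenticated session, never from the request body, and a row is
// returned only if it belongs to that tenant. A row owned by someone
// else is reported as "not found" rather than "forbidden", so the
// response does not confirm that the other tenant's record ID exists.
func (s *Store) GetForTenant(tenant string, id int) (Record, error) {
	r, ok := s.rows[id]
	if !ok || r.TenantID != tenant {
		return Record{}, ErrNotFound
	}
	return r, nil
}

func main() {
	s := NewSampleStore()
	// Tenant "acme" asks for record 101, which belongs to "globex".
	leaked, err := s.GetUnscoped(101)
	fmt.Printf("unscoped lookup by acme: %q (err=%v)\n", leaked.Payload, err)
	_, err = s.GetForTenant("acme", 101)
	fmt.Printf("scoped lookup by acme:   err=%v\n", err)
	own, _ := s.GetForTenant("acme", 100)
	fmt.Printf("acme's own record:       %q\n", own.Payload)
}
```

In a SQL-backed service the same rule is a `WHERE id = ? AND tenant_id = ?` predicate on every query, with the tenant value bound from the session rather than the request; database row-level security is a useful second layer so that a query someone forgets to scope fails closed instead of leaking.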
  • 35. Issues Associated With Virtualization. The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware. Specific concerns include the potential to compromise the virtualization software, or "hypervisor", which sits beneath every guest on the host.
  • 36. 4 Categories of Cloud Security Controls. We have seen a variant of these categories before, when we talked about physical security: deterrent, preventive, detective, corrective.
  • 37. Deterrent Controls. These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed. (Some consider them a subset of preventive controls.)
  • 38. Preventive Controls. Strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
  • 39. Detective Controls. Are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventive or corrective controls to address the issue.
  • 40. Corrective Controls. Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
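Slides 39 and 40 describe a detective control that signals a corrective one. The following added example (not part of the slides, and not any provider's tooling) shows that hand-off in Go over a constructed audit trail of the kind a cloud provider exports: a sliding-window count of failed console logins per principal raises an alert, and the alert feeds a corrective step that names the principals to lock. The trail, its field names (time, principal, action, outcome), and the threshold of five failures within five minutes are assumptions for illustration; real audit formats differ and must be mapped onto the Event struct.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the subset of an audit-trail record this example reads. The
// field names are an assumption; map them to your provider's export.
type Event struct {
	Time      time.Time `json:"time"`
	Principal string    `json:"principal"`
	Action    string    `json:"action"`
	Outcome   string    `json:"outcome"`
}

// sampleTrail is constructed newline-delimited JSON: alice suffers a burst
// of failed logins followed by a success, bob mistypes once, and carol's
// failures are hours apart.
const sampleTrail = `
{"time":"2015-11-12T08:00:00Z","principal":"carol","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:01Z","principal":"alice","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:07Z","principal":"alice","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:15Z","principal":"alice","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:22Z","principal":"alice","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:30Z","principal":"alice","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:00:41Z","principal":"alice","action":"ConsoleLogin","outcome":"success"}
{"time":"2015-11-12T09:05:00Z","principal":"bob","action":"ConsoleLogin","outcome":"failure"}
{"time":"2015-11-12T09:05:20Z","principal":"bob","action":"ConsoleLogin","outcome":"success"}
{"time":"2015-11-12T10:00:00Z","principal":"carol","action":"ConsoleLogin","outcome":"failure"}
`

// Alert is what the detective control emits.
type Alert struct {
	Principal string
	Failures  int
	FirstSeen time.Time
}

// parseTrail reads one JSON event per line. A line that does not parse
// is an error, not something to skip silently: a trail you cannot read
// is itself a finding.
func parseTrail(trail string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(trail))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("malformed audit line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// DetectBruteForce is the detective control: it flags every principal
// with at least threshold failed console logins inside any window.
func DetectBruteForce(trail string, threshold int, window time.Duration) ([]Alert, error) {
	events, err := parseTrail(trail)
	if err != nil {
		return nil, err
	}
	failures := map[string][]time.Time{}
	for _, e := range events {
		if e.Action == "ConsoleLogin" && e.Outcome == "failure" {
			failures[e.Principal] = append(failures[e.Principal], e.Time)
		}
	}
	var alerts []Alert
	for principal, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Slide a window over the sorted failure times; alert once, on
		// the first window that reaches the threshold.
		for i := range times {
			j := i
			for j+1 < len(times) && times[j+1].Sub(times[i]) <= window {
				j++
			}
			if n := j - i + 1; n >= threshold {
				alerts = append(alerts, Alert{Principal: principal, Failures: n, FirstSeen: times[i]})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Principal < alerts[j].Principal })
	return alerts, nil
}

// LockPrincipals is the corrective control the alert hands off to. It
// returns the principals to disable; a real deployment would call the
// provider's identity API here rather than just listing them.
func LockPrincipals(alerts []Alert) []string {
	locked := make([]string, 0, len(alerts))
	for _, a := range alerts {
		locked = append(locked, a.Principal)
	}
	return locked
}

func main() {
	alerts, err := DetectBruteForce(sampleTrail, 5, 5*time.Minute)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d failed logins starting %s\n", a.Principal, a.Failures, a.FirstSeen.Format(time.RFC3339))
	}
	fmt.Println("corrective action, lock:", LockPrincipals(alerts))
}
```

The detection only works if the provider actually hands you the trail with timestamps and principal identities intact, and keeps it for as long as you need it; that is the substance of the log-retention and access questions to put to a provider.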
  • 41. Cloud Compliance Still Means Compliance. Numerous laws and regulations pertain to the storage and use of data. In the US these include privacy or data protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the Federal Information Security Management Act of 2002 (FISMA).
  • 42. Multijurisdictional Location Can Mean Increased Compliance Requirements. Similar laws may apply in different legal jurisdictions and may differ quite markedly from those enforced in the US. Cloud service users may often need to be aware of the legal and regulatory differences between jurisdictions. For example, data stored by a cloud service provider may be located in, say, Singapore and mirrored in the US.
  • 43. Customer Responsibilities For Cloud Compliance. Many of these regulations mandate particular controls (such as strong access controls and audit trails) and require regular reporting. Cloud customers must ensure that their cloud providers adequately fulfil such requirements as appropriate, enabling them to comply with their obligations since, to a large extent, customers remain accountable.
  • 44. Core Areas to Consider For Compliance: Business Continuity and Data Recovery. Cloud providers have business continuity and data recovery plans in place to ensure that service can be maintained in case of a disaster or an emergency and that any lost data will be recovered. These plans may be shared with and reviewed by their customers, ideally dovetailing with the customers' own continuity arrangements. Joint continuity exercises may be appropriate, simulating a major Internet or electricity supply failure, for instance.
  • 45. Logs and Audit Trails. In addition to producing logs and audit trails, cloud providers work with their customers to ensure that these logs and audit trails are properly secured, maintained for as long as the customer requires, and accessible for the purposes of forensic investigation (eDiscovery).
  • 46. Other Compliance Requirements Unique to Cloud Security. In addition to the requirements to which customers are subject, the data centers used by cloud providers may also be subject to compliance requirements. Using a cloud service provider (CSP) can lead to additional security concerns around data jurisdiction, since customer or tenant data may not remain on the same system, in the same data center, or even within the same provider's cloud.
  • 47. Legal and Contractual Agreements. Aside from the security and compliance issues enumerated above, cloud providers and their customers will negotiate terms around liability (stipulating how incidents involving data loss or compromise will be resolved, for example), intellectual property, and end-of-service. These issues are set out in Service-Level Agreements (SLAs).
  • 48. Evaluating Your Assets BEFORE Moving to the Cloud. How would your company be impacted if: the asset became widely public and widely distributed? An employee of your cloud provider accessed the asset? The process or function were manipulated by an outsider? The process or function failed to provide expected results? The info/data was unexpectedly changed? The asset were unavailable for a period of time?
  • 49. Use FIPS 200 As Your Cloud Security Guide. The FIPS 200 standard (Minimum Security Requirements for Federal Information and Information Systems) sets minimum security requirements for the development, implementation, and operation of information systems. FIPS 200 defines the following 17 security areas, covering the confidentiality, integrity, and availability (CIA) of federal information systems and the information processed, stored, and transmitted by those systems.
  • 50. Use FIPS 200 As Your Cloud Security Guide. 1. Access Control; 2. Awareness and Training; 3. Audit and Accountability; 4. Certification, Accreditation, and Security Assessments; 5. Configuration Management; 6. Contingency Planning; 7. Identification and Authentication; 8. Incident Response; 9. Maintenance.
  • 51. Use FIPS 200 As Your Cloud Security Guide. 10. Media Protection; 11. Physical and Environmental Protection; 12. Planning; 13. Personnel Security; 14. Risk Assessment; 15. Systems and Services Acquisition; 16. System and Communications Protection; and 17. System and Information Integrity.
  • 52. Solid Governance is Cloud Security Checks and Balances: value delivery; strategic alignment; resource management; risk management; performance management.
  • 53. Considerations When Selecting a Cloud Provider. What type of self-service options exist? What types of shared resources are employed across all customers? Who provides utilities and network access? How fast can additional capacity be brought online? How do they measure their service, in terms of billing? Electricity use? Network usage? Fixed cost sharing?
  • 54. Other Cloud Considerations: Do They Have These? Incident response plans; application testing and security standards for development; if encryption services are provided, how the keys are managed; facility access policies and technologies; a description of how their virtualization technologies function and the associated security controls.
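Slide 54 asks how a provider manages encryption keys, and the answer decides who can read your data. The following added example (not part of the slides; the envelope-encryption pattern it uses is a standard one, not something the course specifies) shows the question in Go code: each object is encrypted under its own data encryption key (DEK), and only the DEK is wrapped under a key-encryption key (KEK). If the customer holds the KEK, provider staff with full access to storage (the insider of slides 33 and 55) hold nothing but ciphertext; if the provider holds the KEK, it can unwrap every DEK. The object name and plaintext are constructed, and a production system would keep the KEK in an HSM or key-management service rather than in a variable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the provider stores: the object sealed under a
// per-object DEK, plus that DEK sealed under the KEK. Whoever holds the
// KEK can recover every DEK and therefore every object.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// GenerateKey returns a fresh 256-bit AES key.
func GenerateKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// aeadSeal encrypts with AES-256-GCM; the random nonce is prepended to
// the output and the associated data is authenticated but not encrypted.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or
// associated data makes it fail.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptEnvelope makes a fresh DEK per object, seals the object under
// the DEK, and seals the DEK under the KEK. The object name is bound as
// associated data so a wrapped DEK cannot be moved between objects.
func EncryptEnvelope(kek []byte, objectID string, plaintext []byte) (Envelope, error) {
	dek, err := GenerateKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptEnvelope needs the KEK: without it the DEK cannot be unwrapped
// and the object stays opaque.
func DecryptEnvelope(kek []byte, objectID string, env Envelope) ([]byte, error) {
	dek, err := aeadOpen(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte(objectID))
}

func main() {
	customerKEK, _ := GenerateKey() // held by the customer, never sent to the provider
	env, err := EncryptEnvelope(customerKEK, "invoices/2015-11.csv", []byte("card numbers, PHI, etc."))
	if err != nil {
		panic(err)
	}
	providerKEK, _ := GenerateKey() // whatever key the provider has is the wrong one
	if _, err := DecryptEnvelope(providerKEK, "invoices/2015-11.csv", env); err != nil {
		fmt.Println("provider without the customer KEK:", err)
	}
	pt, _ := DecryptEnvelope(customerKEK, "invoices/2015-11.csv", env)
	fmt.Printf("customer with KEK: %s\n", pt)
}
```

The practical follow-up questions for a provider are therefore: who generates and stores the KEK, whether the customer can supply or revoke it, and whether unwrap operations are logged in the audit trail the customer can read.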
  • 55. Worst Case Scenario: Cloud Provider Questions. What would happen if: company data became distributed to the public, as in the case of Ashley Madison? A cloud provider employee saw sensitive information? A cloud service was manipulated to malfunction by an outside party? You lost access to the cloud service for a period of time?
  • 56. Clouds Can Float Away: Always Plan For Change. If you have to switch cloud providers; cloud provider goes out of business; provider service shutdown; business disagreement; changes in costs / billing; service quality decrease.