Cloud Computing Security
This is a presentation I recently gave at the VCU Cybersecurity Fair on Cloud Computing Security.


Cloud Computing Security: Presentation Transcript

  • VCU Cybersecurity Fair
    Security in the Cloud
    Presented By:
    Bryan Miller
  • Speaker Introduction
    What is the “Cloud”
    SaaS, PaaS, IaaS
    Public, Private and Hybrid Clouds
    Vendor Offerings
    Security Issues
    Wrap-Up
    10/4/2011
    Security in the Cloud
    1
    Agenda
  • B.S. Information Systems – VCU
    M.S. Computer Science – VCU
    President, Syrinx Technologies, 2007
    Member of ISSA, HIMSS, InfraGard, ILTA
    Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
    CISSP, former Cisco CCIE in R/S
    Published author
    Over 25 years in the industry
    Speaker Introduction
  • Convenient, on-demand network access to a shared pool of configurable resources:
    Networks
    Servers
    Storage
    Applications
    Services
    Rapid provisioning with minimal management effort or service provider interaction (based on NIST)
    What is the “Cloud”?
  • NIST SP 800-145 definition:
    “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
    The NIST Standard for Cloud Computing
  • IDC – 2008
    Security was the factor most likely to discourage the use of cloud computing:
    72% of small (<100 employees) businesses
    63% of mid-sized (100-199 employees) businesses
    IDC – 2011
    50% of small businesses
    47% of mid-sized businesses
    First, Some Statistics
  • By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
    By 2012, approximately 20% of businesses will not own any IT resources.
  • Applications delivered over the web
    Vendor handles software updates and patches
    Application Programming Interface (API) integration among software
    • Examples
    • Salesforce.com
    • Office 365
    Software as a Service (SaaS)
  • Architectural tools to build systems
    Platform managed and monitored
    Web-based user interface tools
    • Examples
    • Google App Engine
    • Microsoft Azure
    • Force.com
    Platform as a Service (PaaS)
  • Outsource storage, hardware, servers
    Typically charged on a per-use basis
    Hardware can be multi-tenant or dedicated
    • Examples
    • Amazon Web Services (AWS)
    • OpenStack
    • Dell
    Infrastructure as a Service (IaaS)
  • Public
    Shared resources, usually multi-tenant
    Off-premise
    Private
    Resources dedicated to client
    On-premise or off-premise
    Hybrid
    Combination of on-premise and cloud-based services
    Growing in popularity as companies slowly transition applications
    Public vs. Private vs. Hybrid Cloud Models
  • Amazon Web Services EC2 - IaaS
    Data centers (Regions)
    Virginia
    Northern California
    Ireland
    Singapore
    Tokyo
    Within each region, services are divided into Availability Zones
    AWS GovCloud – Accessible by US only, allows government agencies to store data
    Currently used by NASA
    Vendor Offerings
  • Microsoft Azure – PaaS
    Windows Azure – OS providing scalable compute and storage facilities
    Windows SQL Azure – Cloud-based, scalable version of SQL Server
    OpenStack - IaaS
    Open source software
    Over 100 partner companies
    Rackspace
    Dell
    Citrix
    Cisco
  • Dell – IaaS
    Built on VMware technology (vCloud family of products)
    Adding support for Azure and OpenStack
    3 models:
    Pay as you go
    Reserved
    Dedicated
    Apple iCloud - SaaS
    Stores music, photos, applications, calendars, documents
    5 GB of free storage
  • Take into account the following:
    Response times
    Data corruption
    Service degradation/outage
    Data breach
    Backup/Restore issues
    What happens if the company closes or is sold
    Regulatory issues
    HIPAA – do you have a BA agreement in place?
    PCI – are you sure your provider is compliant?
    What about SLAs?
  • Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
    The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
    Prices for EC2 range from 3 cents to $2.48 an hour for users on the East coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
    Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.
    Security Issues
  • Definition: The point at which cloud computing causes a catastrophic failure.
    Intellectual property is the lifeblood of an organization.
    IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
    How can things go wrong?
    A salesperson mails himself a report to Gmail for home access.
    A customer service team uses Dropbox [1] to transfer client files.
    A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.
    [1] June 2011: Passwords optional for 4 hours, approximately 100 accounts were affected
    Cloudpocalypse
  • Amazon EC2 Outages
    July, 2008
    Affected multiple Availability Zones
    Affected US and EU
    April, 2011
    Affected Reddit, Foursquare, Quora
    Elastic Block Store went offline (provides mountable disk volumes to EC2)
    3 days of outage for some users
    Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
    August, 2011
    Why: Lightning strike in Dublin, Ireland
    Knocked European cloud services offline for 2 days
    Affected Netflix, Quora, Foursquare
    When the Cloud Dissipates
  • Gmail Outages
    2008:
    July 16 – “long outage”
    August 6 – up to 15 hours
    August 11 – 2 hours
    August 15 – up to 24 hours
    October 16 – 30 hours
    2009:
    February 24 – 2 hours
    September 1 – 2 hours
    2011:
    February 27 – several hours
    August 8 – several hours
  • Decide if the cloud is appropriate for the given business model
    Choose the vendor and precisely define the SLA
    Test thoroughly before moving into production
    Migrate slowly and carefully watch the metrics
    Make sure the users/clients are happy
    Routinely test the backup and restore process
    Don’t forget about DR and BCP
    Wrap-Up