Cloud Computing Security

This is a presentation I recently gave at the VCU Cybersecurity Fair on Cloud Computing Security.

    Cloud Computing Security Presentation Transcript

    • VCU Cybersecurity Fair
      Security in the Cloud
      Presented By:
      Bryan Miller
    • Agenda
      Speaker Introduction
      What is the “Cloud”
      SaaS, PaaS, IaaS
      Public, Private and Hybrid Clouds
      Vendor Offerings
      Security Issues
      Wrap-Up
      10/4/2011
      Security in the Cloud
    • Speaker Introduction
      B.S. Information Systems – VCU
      M.S. Computer Science – VCU
      President, Syrinx Technologies, 2007
      Member of ISSA, HIMSS, InfraGard, ILTA
      Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
      CISSP, former Cisco CCIE in R/S
      Published author
      Over 25 years in the industry
    • What is the “Cloud”?
      Convenient, on-demand network access to a shared pool of configurable resources:
        Networks
        Servers
        Storage
        Applications
        Services
      Rapidly provisioned and released with minimal management effort or service provider interaction (based on NIST)
    • The NIST Standard for Cloud Computing
      NIST SP 800-145 definition:
      “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
    • First, Some Statistics
      Security was the factor most likely to discourage the use of cloud computing:
      IDC – 2008
        72% of small (<100 employees) businesses
        63% of mid-sized (100-199 employees) businesses
      IDC – 2011
        50% of small businesses
        47% of mid-sized businesses
    • By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
      By 2012, approximately 20% of businesses will not own any IT resources.
    • Software as a Service (SaaS)
      Applications delivered over the web
      Vendor handles software updates and patches
      Application Programming Interfaces (APIs) for integration among software
      Examples:
        Salesforce.com
        Office 365
    • Platform as a Service (PaaS)
      Architectural tools to build systems
      Platform managed and monitored
      Web-based user interface tools
      Examples:
        Google App Engine
        Microsoft Azure
        Force.com
    • Infrastructure as a Service (IaaS)
      Outsource storage, hardware, servers
      Typically charged on a per-use basis
      Hardware can be multi-tenant or dedicated
      Examples:
        Amazon Web Services (AWS)
        OpenStack
        Dell
    • Public vs. Private vs. Hybrid Cloud Models
      Public
        Shared resources, usually multi-tenant
        Off-premise
      Private
        Resources dedicated to client
        On-premise or off-premise
      Hybrid
        Combination of on-premise and cloud-based services
        Growing in popularity as companies slowly transition applications
    • Vendor Offerings
      Amazon Web Services EC2 – IaaS
        Data centers (Regions)
          Virginia
          Northern California
          Ireland
          Singapore
          Tokyo
        Within each region, services are divided into Availability Zones
        AWS GovCloud – Accessible by US only, allows government agencies to store data
          Currently used by NASA
    • Microsoft Azure – PaaS
        Windows Azure – OS providing scalable compute and storage facilities
        Windows SQL Azure – Cloud-based, scalable version of SQL Server
      OpenStack – IaaS
        Open source software
        Over 100 partner companies
          Rackspace
          Dell
          Citrix
          Cisco
    • Dell – IaaS
        Built on VMware technology (vCloud family of products)
        Adding support for Azure and OpenStack
        3 models:
          Pay as you go
          Reserved
          Dedicated
      Apple iCloud – SaaS
        Stores music, photos, applications, calendars, documents
        5 GB of free storage
    • What about SLAs?
      Take into account the following:
        Response times
        Data corruption
        Service degradation/outage
        Data breach
        Backup/Restore issues
        What happens if the company closes or is sold
        Regulatory issues
          HIPAA – do you have a BA agreement in place?
          PCI – are you sure your provider is compliant?
    • Security Issues
      Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
      The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
      Prices for EC2 range from 3 cents to $2.48 an hour for users on the East Coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
      Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.
    • Cloudpocalypse
      Definition: The point at which cloud computing causes a catastrophic failure.
      Intellectual property is the lifeblood of an organization.
      IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
      How can things go wrong?
        A salesperson mails himself a report to Gmail for home access.
        A customer service team uses Dropbox [1] to transfer client files.
        A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.
      [1] June 2011: Passwords optional for 4 hours; approximately 100 accounts were affected.
    • When the Cloud Dissipates
      Amazon EC2 Outages
        July, 2008
          Affected multiple Availability Zones
          Affected US and EU
        April, 2011
          Affected Reddit, Foursquare, Quora
          Elastic Block Store went offline (provides mountable disk volumes to EC2)
          3 days of outage for some users
          Why: During maintenance, the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
        August, 2011
          Why: Lightning strike in Dublin, Ireland
          Knocked European cloud services offline for 2 days
          Affected Netflix, Quora, Foursquare
    • Gmail Outages
      2008:
        July 16 – “long outage”
        August 6 – up to 15 hours
        August 11 – 2 hours
        August 15 – up to 24 hours
        October 16 – 30 hours
      2009:
        February 24 – 2 hours
        September 1 – 2 hours
      2011:
        February 27 – several hours
        August 8 – several hours
    • Wrap-Up
      Decide if the cloud is appropriate for the given business model
      Choose the vendor and precisely define the SLA
      Test thoroughly before moving into production
      Migrate slowly and carefully watch the metrics
      Make sure the users/clients are happy
      Routinely test the backup and restore process
      Don’t forget about DR and BCP