SlideShare a Scribd company logo

Cloud Security.ppt

Download as PPT, PDF
A
AkashRajBehera

cloud security

Technology
1 of 34
Cloud Security
Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
Challenges in using the cloud • Security • Privacy • Compliance
SECURITY
Cloud security • What’s not new? – Phishing, password, malware, downtime etc. • What’s new? Understand… – Change in trust boundaries – Impact of using • Public vs. private cloud • IaaS vs. PaaS vs. SaaS – Division of responsibilities between customer and Cloud Service Provider (CSP)
Security management • Availability • Access control • Monitoring • Vulnerability, patching, configuration • Incident response
Amazon Web Services (AWS) • Elastic Cloud Compute (EC2) “Virtual Servers in the Cloud” • Simple Storage Service (S3) “Scalable Storage in the Cloud” • DynamoDB “Fast, Predictable, Highly-scalable NoSQL data store” • Other services … https://aws.amazon.com/
Availability • Why is this important? – “Amazon Web Services suffers outage, takes down Vine, Instagram, others,” Aug 26, 2013* • E.g. AWS features – Distributed denial of service (DDoS) protection – Fault-tolerant, independent failure zones *http://www.zdnet.com/amazon-web-services-suffers-outage-takes-down-vine-instagram-flipboard-with-it-7000019842/
Access control • Who should have access? – To VM, app, services etc. – Users, admin, business admin, others? • E.g. AWS features – Built-in firewalls control access to instances – Multi-factor authentication: password + authentication code from MFA device – Monitor AWS employee accesses
Monitoring • Monitor – Availability, unauthorized activities etc. • E.g. AWS features – DoS, MITM, port scan, packet sniffing – Password brute-force detection – Access logs (request type, resource, IP, time etc.)
Vulnerability, patching, configuration • E.g. AWS features – Patching • Automatic Software Patching for Amazon supplied Windows image – Configuration • Password expiration for AWS employees – Vulnerability • Vulnerability scans on the host operating system, web application and DB in the AWS environment
Customer responsibilities • Cloud is a shared environment
Customer responsibilities • Cloud is a shared environment “AWS manages the underlying infrastructure but you must secure anything you put on the infrastructure.”
Customer responsibilities • AWS requires customers to – Patch VM guest operating system – Prevent port scans – Change keys periodically – Vulnerability testing of apps – Others…
Data issue: confidentiality • Transit between cloud and intranet – E.g. use HTTPS • Possible for simple storage – E.g. data in Amazon S3 encrypted with AES-256 • Difficult for data processed by cloud – Overhead of searching, indexing etc. • E.g., iCloud does not encrypt data on mail server* – If encrypted, data decrypted before processing • Is it possible to perform computations on encrypted data?^ *iCloud: iCloud security and privacy overview, Retrieved Oct 30, 2013, https://support.apple.com/kb/HT4865 ^See Fully Homomorphic Encryption Scheme, Wikipedia, http://en.wikipedia.org/wiki/Homomorphic_encryption
Encryption management • Algorithms – Proprietary vs. standards • Key size • Key management – Ideally by customer – Does CSP have decryption keys? – E.g. Apple uses master key to decrypt iCloud data to screen “objectionable” content* *Apple holds the master decryption key when it comes to iCloud security, privacy, ArsTechnica, Apr 3, 2012
Data issue: comingled data • Cloud uses multi-tenancy – Data comingled with other users’ data • Application vulnerabilities may allow unauthorized access – E.g. Google docs unauthorized sharing, Mar 2009 – “identified and fixed a bug which may have caused you to share some of your documents without your knowledge.”
PRIVACY AND COMPLIANCE
Privacy challenges • Protect PII – personally identifiable information • Ensure conformance to FIPs (fair info. Practices) principles • Compliance with laws and regulations – GLBA, HIPAA, PCI-DSS, Patriot Act etc. • Multi-jurisdictional requirements – EU Directive, EU-US Safe Harbor
Key FIPs requirements Use limitation It is easier to combine data from multiple sources in the cloud. How do we ensure data is used for originally specified purposes? Retention Is CSP retention period consistent with company needs? Does CSP have proper backup and archival? Deletion Does CSP delete data securely and from all storage sources? Security Does CSP provide reasonable security for data, e.g., encryption of PII, access control and integrity? Accountability Company can transfer liability to CSP, but not accountability. How does company identify privacy breaches and notify its users? Access Can company provide access to data on the cloud?
Laws and regulations • Require compliance with different FIPs – Laws in different countries provide different privacy protections • EU Directive more strict than US • In US, data stored on public cloud has less protection than personal servers – May be subpoenaed without notice*
MITIGATION
SLA should contain: • The list of services the provider will deliver and a complete definition of each service. • Metrics to determine whether the provider is delivering the service as promised • Auditing mechanism to monitor the service. • Responsibilities of the provider and the consumer • Remedies available to both provider and client if the terms of the SLA are not met. • A description of how the SLA will change over time. Service Level Agreement (SLA)
• Security: Client and CSP must understand security requirements. • Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified. • Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment. • Data retention/deletion: How does CSP prove they comply with retention laws and deletion policies? • Hardware erasure/ destruction: Same as #4. • Regulatory compliance: If regulations must be enforced because of the type of data, CSP must be able to prove compliance. • Transparency: For critical data and applications CSP must be proactive in notifying client when the terms of the SLA are breached including infrastructure issues like outages and performance problems as well as security incidents. Service Level Agreement (SLA)
• Certification: CSP should be responsible for proving required certification and keeping it current. • Performance definitions: Defining terminology such as uptime and other contractual metric terms (i.e. – uptime could mean all servers on continent are available or only one designated server is available.) • Monitoring: Responsible party for monitoring including identification of any third-party organization designated to monitor performance of the provider. • Audit Rights: To monitor for any data breaches including loss of data and availability issues. SLA should clarify when and how the audits will take place. • Metrics: to be monitored in real-time and audited after occurrence. Metrics of an SLA must be objectively and unambiguously defined. • Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but SLA should provide customer service when needed. Review and summary of cloud service level agreements, From "Cloud Computing Use Cases Whitepaper" Version 4.0, Service Level Agreement (SLA)
Service level agreements KPMG International’s 2012 Global Cloud Provider Survey (n=179) Do you [CSP] have SLAs in your cloud offerings today? • Increasing to deal with loss of control – SLA permits CMU IRB data on Box.com; can’t use Dropbox Do you expect to have SLAs in cloud offerings within 3 years?
Top SLA parameters System availability Regulatory compliance Data security Functional capabilities Response time Other performance levels What do you [CSP] believe are the most important SLA parameters today?* *KPMG International’s 2012 Global Cloud Provider Survey (n=179)
What steps are you [CSP] taking to improve data security and privacy in your cloud offerings? (top 3)* CSPs improving security *KPMG International’s 2012 Global Cloud Provider Survey (n=179) Improving real-time threat detection Greater use of data encryption Tighter restrictions on user access
Private and hybrid clouds • Rise in hybrid and private cloud for sensitive data • Private cloud cost can be prohibitive • Hybrid cloud ranks 4 on Gartner top 10 strategic technology trends, 2014 KPMG's The Cloud: Changing the Business Ecosystem, 2011 Models companies use/intend to use* (Larger companies prefer private)
Summary • Cloud is a tradeoff between cost, security and privacy • Change in trust boundaries leads to security and privacy challenges • Mostly no new security or privacy issues per se
References • Cloud security and privacy, 2009, Mather et al. • CIO Agenda Report, Gartner, 2013 • KPMG International’s Global Cloud Provider Survey, 2012 • KPMG's The Cloud: Changing the Business Ecosystem, 2011 • How Much Will PRISM Cost the U.S. Cloud Computing Industry? ITIF Report, Aug. 2013 • Apple holds the master decryption key when it comes to iCloud security, privacy, ArsTechnica, Apr 3, 2012 • AWS Whitepaper: Overview of Security Processes, Oct 30, 2013 http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf • iCloud: iCloud security and privacy overview, Oct 30, 2013, https://support.apple.com/kb/HT4865 • Homomorphic Encryption Scheme, Wikipedia, http://en.wikipedia.org/wiki/Homomorphic_encryption

Recommended

Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it securityEast Midlands Cyber Security Forum
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 
Introduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossIntroduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossCloudSecurityAllianceAustralia
 
Compliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA FrameworkCompliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA FrameworkCloudSecurityAllianceAustralia
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreementsCade Zvavanjanja
 

Recommended

Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it securityEast Midlands Cyber Security Forum
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 
Introduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossIntroduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossCloudSecurityAllianceAustralia
 
Compliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA FrameworkCompliance in Public Cloud & CSA Framework
Compliance in Public Cloud & CSA FrameworkCloudSecurityAllianceAustralia
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreementsCade Zvavanjanja
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material ccAnkit Gupta
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureAbdul Khan
 
The wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptxThe wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptxOmSatpathy
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Embracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterEmbracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterBrian Anderson
 
Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Sohaib Mahmood
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011Donald E. Hester
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityPyingkodi Maran
 
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Amazon Web Services
 
Pros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed ServicesPros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed ServicesEagle Technologies
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Cloud security issues and concerns
Cloud security issues and concernsCloud security issues and concerns
Cloud security issues and concernsMrinal Baowaly
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:Amazon Web Services
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2Anne Starr
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
 
3.pptx
3.pptx3.pptx
3.pptxsalutiontechnology
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Tudor Damian
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

More Related Content

Similar to Cloud Security.ppt

Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material ccAnkit Gupta
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureAbdul Khan
 
The wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptxThe wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptxOmSatpathy
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Embracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterEmbracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterBrian Anderson
 
Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Sohaib Mahmood
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011Donald E. Hester
 
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Amazon Web Services
 
Pros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed ServicesPros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed ServicesEagle Technologies
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Cloud security issues and concerns
Cloud security issues and concernsCloud security issues and concerns
Cloud security issues and concernsMrinal Baowaly
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:Amazon Web Services
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2Anne Starr
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Tudor Damian
 

Similar to Cloud Security.ppt (20)

Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material cc
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azure
 
The wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptxThe wonders of Cloud Computing.pptx
The wonders of Cloud Computing.pptx
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2
 
Embracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data CenterEmbracing Cloud in a Traditional Data Center
Embracing Cloud in a Traditional Data Center
 
Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
Critical Hong Kong Banking, Securities and Insurance Workloads on the Cloud –...
 
Pros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed ServicesPros and Cons of Moving to Cloud and Managed Services
Pros and Cons of Moving to Cloud and Managed Services
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services
 
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
 
Cloud security issues and concerns
Cloud security issues and concernsCloud security issues and concerns
Cloud security issues and concerns
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
 
3.pptx
3.pptx3.pptx
3.pptx
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
 

Recently uploaded

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Cloud Security.ppt

  • 2. Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
  • 3. Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
  • 4. Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
  • 5. Customers’ biggest concerns KPMG International’s 2012 Global Cloud Provider Survey (n=179)
  • 6. Challenges in using the cloud • Security • Privacy • Compliance
  • 8. Cloud security • What’s not new? – Phishing, password, malware, downtime etc. • What’s new? Understand… – Change in trust boundaries – Impact of using • Public vs. private cloud • IaaS vs. PaaS vs. SaaS – Division of responsibilities between customer and Cloud Service Provider (CSP)
  • 9. Security management • Availability • Access control • Monitoring • Vulnerability, patching, configuration • Incident response
  • 10. Amazon Web Services (AWS) • Elastic Cloud Compute (EC2) “Virtual Servers in the Cloud” • Simple Storage Service (S3) “Scalable Storage in the Cloud” • DynamoDB “Fast, Predictable, Highly-scalable NoSQL data store” • Other services … https://aws.amazon.com/
  • 11. Availability • Why is this important? – “Amazon Web Services suffers outage, takes down Vine, Instagram, others,” Aug 26, 2013* • E.g. AWS features – Distributed denial of service (DDoS) protection – Fault-tolerant, independent failure zones *http://www.zdnet.com/amazon-web-services-suffers-outage-takes-down-vine-instagram-flipboard-with-it-7000019842/
  • 12. Access control • Who should have access? – To VM, app, services etc. – Users, admin, business admin, others? • E.g. AWS features – Built-in firewalls control access to instances – Multi-factor authentication: password + authentication code from MFA device – Monitor AWS employee accesses
  • 13. Monitoring • Monitor – Availability, unauthorized activities etc. • E.g. AWS features – DoS, MITM, port scan, packet sniffing – Password brute-force detection – Access logs (request type, resource, IP, time etc.)
  • 14. Vulnerability, patching, configuration • E.g. AWS features – Patching • Automatic Software Patching for Amazon supplied Windows image – Configuration • Password expiration for AWS employees – Vulnerability • Vulnerability scans on the host operating system, web application and DB in the AWS environment
  • 15. Customer responsibilities • Cloud is a shared environment
  • 16. Customer responsibilities • Cloud is a shared environment “AWS manages the underlying infrastructure but you must secure anything you put on the infrastructure.”
  • 17. Customer responsibilities • AWS requires customers to – Patch VM guest operating system – Prevent port scans – Change keys periodically – Vulnerability testing of apps – Others…
  • 18. Data issue: confidentiality • Transit between cloud and intranet – E.g. use HTTPS • Possible for simple storage – E.g. data in Amazon S3 encrypted with AES-256 • Difficult for data processed by cloud – Overhead of searching, indexing etc. • E.g., iCloud does not encrypt data on mail server* – If encrypted, data decrypted before processing • Is it possible to perform computations on encrypted data?^ *iCloud: iCloud security and privacy overview, Retrieved Oct 30, 2013, https://support.apple.com/kb/HT4865 ^See Fully Homomorphic Encryption Scheme, Wikipedia, http://en.wikipedia.org/wiki/Homomorphic_encryption
  • 19. Encryption management • Algorithms – Proprietary vs. standards • Key size • Key management – Ideally by customer – Does CSP have decryption keys? – E.g. Apple uses master key to decrypt iCloud data to screen “objectionable” content* *Apple holds the master decryption key when it comes to iCloud security, privacy, ArsTechnica, Apr 3, 2012
  • 20. Data issue: comingled data • Cloud uses multi-tenancy – Data comingled with other users’ data • Application vulnerabilities may allow unauthorized access – E.g. Google docs unauthorized sharing, Mar 2009 – “identified and fixed a bug which may have caused you to share some of your documents without your knowledge.”
  • 22. Privacy challenges • Protect PII – personally identifiable information • Ensure conformance to FIPs (fair info. Practices) principles • Compliance with laws and regulations – GLBA, HIPAA, PCI-DSS, Patriot Act etc. • Multi-jurisdictional requirements – EU Directive, EU-US Safe Harbor
  • 23. Key FIPs requirements Use limitation It is easier to combine data from multiple sources in the cloud. How do we ensure data is used for originally specified purposes? Retention Is CSP retention period consistent with company needs? Does CSP have proper backup and archival? Deletion Does CSP delete data securely and from all storage sources? Security Does CSP provide reasonable security for data, e.g., encryption of PII, access control and integrity? Accountability Company can transfer liability to CSP, but not accountability. How does company identify privacy breaches and notify its users? Access Can company provide access to data on the cloud?
  • 24. Laws and regulations • Require compliance with different FIPs – Laws in different countries provide different privacy protections • EU Directive more strict than US • In US, data stored on public cloud has less protection than personal servers – May be subpoenaed without notice*
  • 26. SLA should contain: • The list of services the provider will deliver and a complete definition of each service. • Metrics to determine whether the provider is delivering the service as promised • Auditing mechanism to monitor the service. • Responsibilities of the provider and the consumer • Remedies available to both provider and client if the terms of the SLA are not met. • A description of how the SLA will change over time. Service Level Agreement (SLA)
  • 27. • Security: Client and CSP must understand security requirements. • Data encryption: Data must be encrypted while it is in motion and while it is at rest. The details of the encryption algorithms and access control policies should be specified. • Privacy: Basic privacy concerns are addressed by requirements such as data encryption, retention, and deletion. An SLA should make it clear how the cloud provider isolates data and applications in a multi-tenant environment. • Data retention/deletion: How does CSP prove they comply with retention laws and deletion policies? • Hardware erasure/ destruction: Same as #4. • Regulatory compliance: If regulations must be enforced because of the type of data, CSP must be able to prove compliance. • Transparency: For critical data and applications CSP must be proactive in notifying client when the terms of the SLA are breached including infrastructure issues like outages and performance problems as well as security incidents. Service Level Agreement (SLA)
  • 28. • Certification: CSP should be responsible for proving required certification and keeping it current. • Performance definitions: Defining terminology such as uptime and other contractual metric terms (i.e. – uptime could mean all servers on continent are available or only one designated server is available.) • Monitoring: Responsible party for monitoring including identification of any third-party organization designated to monitor performance of the provider. • Audit Rights: To monitor for any data breaches including loss of data and availability issues. SLA should clarify when and how the audits will take place. • Metrics: to be monitored in real-time and audited after occurrence. Metrics of an SLA must be objectively and unambiguously defined. • Human interaction: On-demand self-service is one of the basic characteristics of cloud computing, but SLA should provide customer service when needed. Review and summary of cloud service level agreements, From "Cloud Computing Use Cases Whitepaper" Version 4.0, Service Level Agreement (SLA)
  • 29. Service level agreements KPMG International’s 2012 Global Cloud Provider Survey (n=179) Do you [CSP] have SLAs in your cloud offerings today? • Increasing to deal with loss of control – SLA permits CMU IRB data on Box.com; can’t use Dropbox Do you expect to have SLAs in cloud offerings within 3 years?
  • 30. Top SLA parameters System availability Regulatory compliance Data security Functional capabilities Response time Other performance levels What do you [CSP] believe are the most important SLA parameters today?* *KPMG International’s 2012 Global Cloud Provider Survey (n=179)
  • 31. What steps are you [CSP] taking to improve data security and privacy in your cloud offerings? (top 3)* CSPs improving security *KPMG International’s 2012 Global Cloud Provider Survey (n=179) Improving real-time threat detection Greater use of data encryption Tighter restrictions on user access
  • 32. Private and hybrid clouds • Rise in hybrid and private cloud for sensitive data • Private cloud cost can be prohibitive • Hybrid cloud ranks 4 on Gartner top 10 strategic technology trends, 2014 KPMG's The Cloud: Changing the Business Ecosystem, 2011 Models companies use/intend to use* (Larger companies prefer private)
  • 33. Summary • Cloud is a tradeoff between cost, security and privacy • Change in trust boundaries leads to security and privacy challenges • Mostly no new security or privacy issues per se
  • 34. References • Cloud security and privacy, 2009, Mather et al. • CIO Agenda Report, Gartner, 2013 • KPMG International’s Global Cloud Provider Survey, 2012 • KPMG's The Cloud: Changing the Business Ecosystem, 2011 • How Much Will PRISM Cost the U.S. Cloud Computing Industry? ITIF Report, Aug. 2013 • Apple holds the master decryption key when it comes to iCloud security, privacy, ArsTechnica, Apr 3, 2012 • AWS Whitepaper: Overview of Security Processes, Oct 30, 2013 http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf • iCloud: iCloud security and privacy overview, Oct 30, 2013, https://support.apple.com/kb/HT4865 • Homomorphic Encryption Scheme, Wikipedia, http://en.wikipedia.org/wiki/Homomorphic_encryption

Editor's Notes

  1. Is downtime new? No, but it may manifest in new ways. Access over the Internet. What could go wrong? What security CSP provides; what customer is responsible
  2. What is independent failure zone? Why is it important? -Geolocation: storms, thunder, earth quakes -network disruption: under sea cable problem What could be an issue though of storing data in multiple zones? Is 99% acceptable? 1/3 day per month = 8 hours!
  3. What is packet sniffing? Shared physical machines, shared network
  4. CSP may decrypt your data for law enforcement Why would you encrypt data? – theft. What about deletion? Securely?
  5. Add reference for *
  6. Cant find the distribution of companies in the KPMG survey