Clouds And Security

1,767 views

Published on

Published in: Technology, Business
  • Be the first to comment

Clouds And Security

  1. 1. Cloud Computing = .COM 2.0? Predrag Mitrovic, CISSP, CISM, Author [email_address]
  2. 2. 2 minute bio www.cloudadvisor.se
  3. 3. www.cloudadvisor.se
  4. 4. www.cloudadvisor.se
  5. 5. 1990 Botkyrka kommun www.cloudadvisor.se
  6. 6. www.cloudadvisor.se 1995 IDG Nätverk & Kommunikation
  7. 7. 1997 NetHouse Konsult & Media www.cloudadvisor.se
  8. 8. www.cloudadvisor.se 1999 Novell EMEA
  9. 9. 2000 Microsoft www.cloudadvisor.se
  10. 10. www.cloudadvisor.se 2007 LabCenter
  11. 11. www.cloudadvisor.se October 1st MyNethouse
  12. 12. www.cloudadvisor.se
  13. 13. www.cloudadvisor.se
  14. 14. <ul><li>www.cloudadvisor.se </li></ul>
  15. 15. www.cloudadvisor.se
  16. 16. Security-as-a-Service Storage-as-a-Service Integration-as-a-Service Database-as-a-Service Information-as-a-Service Process-as-a-Service Application-as-a-Service Platform-as-a-Service Management/Governance-as-a-Service Testing-as-a-Service
  17. 17. Trends behind the hype <ul><li>CPU Speed doubled every 24 months </li></ul><ul><li>Memory capacity doubles every 18 months </li></ul><ul><li>Bandwidth explosion </li></ul><ul><li>OSS </li></ul><ul><li>The programmable web </li></ul><ul><li>Virtualization </li></ul><ul><li>Information explosion (+50% growth YoY) </li></ul><ul><li>70 % of ICT budgets for maintenance </li></ul><ul><li>Up to 85% of capacity idle </li></ul><ul><li>Unclear value perception from business side </li></ul>www.cloudadvisor.se
  18. 18. www.cloudadvisor.se <ul><li>Geekandpoke.com under en creative commons-licens </li></ul>
  19. 19. Definition <ul><li>Clouds are hardware-based services offering compute, network and storage capacity where: </li></ul><ul><ul><li>Hardware management is highly abstracted from the buyer </li></ul></ul><ul><ul><li>Buyers incur infrastructure costs as variable OPEX </li></ul></ul><ul><ul><li>Infrastructure capacity is highly elastic (up or down) </li></ul></ul><ul><ul><li>McKinsey & Company </li></ul></ul>www.cloudadvisor.se
  20. 20. The idea Shared infrastructure www.cloudadvisor.se Server OS Database App Server Storage Network App 1 Server OS Database App Server Storage Network App 2 Server OS Database App Server Storage Network App 100
  21. 21. Storage Virtualized resources Virtuell Image 1 Virtual Image.. n Virtual Image 1 Security Mgmt www.cloudadvisor.se CPU, RAM, Networking SW Kernel (OS & VM) Cloud applications Risk Governance Lifecycle mgmt AAA Auditing Security in- depth Incident mgmt Reporting Use monitor Kapacity planning Network management Automati- zation Billing <ul><li>IaaS </li></ul>
  22. 22. Storage Virtualized resources Virtuell Image 1 Virtual Image.. n Virtual Image 1 Security Mgmt www.cloudadvisor.se CPU, RAM, Networking SW Kernel (OS & VM) Cloud applications Risk Governance Lifecycle mgmt AAA Auditing Security in- depth Incident mgmt Reporting Use monitor Kapacity planning Network management Automati- zation Billing <ul><li>PaaS </li></ul>
  23. 23. Storage Virtualized resources Virtuell Image 1 Virtual Image.. n Virtual Image 1 Security Mgmt www.cloudadvisor.se CPU, RAM, Networking SW Kernel (OS & VM) Cloud applications Risk Governance Lifecycle mgmt AAA Auditing Security in- depth Incident mgmt Reporting Use monitor Kapacity planning Network management Automati- zation Billing <ul><li>SaaS </li></ul>
  24. 24. IaaS example www.cloudadvisor.se
  25. 25. PaaS examples www.cloudadvisor.se
  26. 26. SaaS examples www.cloudadvisor.se
  27. 27. www.cloudadvisor.se
  28. 28. www.cloudadvisor.se
  29. 29. www.cloudadvisor.se
  30. 30. Security in the clouds
  31. 31. Storage Virtualized resources Virtuell Image 1 Virtual Image.. n Virtual Image 1 Security www.cloudadvisor.se CPU, RAM, Networking SW Kernel (OS & VM) Cloud applications Risk Governance Lifecycle mgmt AAA Auditing Security in- depth Incident mgmt
  32. 32. Security in depth - facility <ul><li>Physical perimeter protected </li></ul><ul><li>Guards </li></ul><ul><li>CCTV </li></ul><ul><li>Fire safety </li></ul><ul><li>Location against natural disasters </li></ul><ul><li>Secure logistics </li></ul>www.cloudadvisor.se
  33. 33. www.cloudadvisor.se <ul><li>Environment & climate secured </li></ul><ul><li>Physical access control </li></ul><ul><li>Redundancy </li></ul><ul><li>Automated supervision – CPU, RAM, fans, disc etc </li></ul><ul><li>Enterprise FW </li></ul><ul><li>NIDS/NIPS </li></ul>Security in depth - hardware CPU, RAM, Networking
  34. 34. Security in depth – SW Kernel www.cloudadvisor.se <ul><li>Patch management: Host OS & virtual hosts </li></ul><ul><li>Hostbased FW </li></ul><ul><li>HIDS/HIPS </li></ul><ul><li>Filesystem encryption </li></ul><ul><li>OS & VM hardening </li></ul><ul><li>Routines for provisioning/de-provisioning of VM´s </li></ul>SW Kernel (OS & VM)
  35. 35. Security in depth – virtualized resources www.cloudadvisor.se <ul><li>DLP </li></ul><ul><li>Integrity auditing </li></ul><ul><li>Filesystem encryption </li></ul><ul><li>Personal FW </li></ul><ul><li>Activity monitor DB </li></ul><ul><li>Hardening </li></ul><ul><li>Authorization & Auditing </li></ul>Storage Virtualized resources Virtual Image
  36. 36. Security in depth – applications www.cloudadvisor.se <ul><li>Authentication & Authorization </li></ul><ul><li>Code quality </li></ul><ul><li>Least privilige </li></ul><ul><li>SDL </li></ul>Applications
  37. 37. Soft side of security <ul><li>Security Practice Statement? </li></ul><ul><li>Control of compliance? </li></ul><ul><li>How do I map my demands? </li></ul><ul><li>How about ”damage control”? </li></ul><ul><li>… </li></ul>www.cloudadvisor.se Security Risk Governance Lifecycle mgmt AAA Auditing Security in- depth Incident mgmt
  38. 38. Enter due diligence <ul><li>Insiders? </li></ul><ul><li>High ”administrator power”? </li></ul><ul><li>Stress test of plans/abilities business continuity and disaster recovery </li></ul><ul><li>My penetration testing? </li></ul>www.cloudadvisor.se
  39. 39. Risk management www.cloudadvisor.se
  40. 40. Risk management <ul><li>Vendors KRI/KPI + my KRI/KPI = ? </li></ul><ul><li>Regular audits on vendors security policy, processes and procedures. </li></ul><ul><li>Ownership and partnering? </li></ul>www.cloudadvisor.se
  41. 41. Governance www.cloudadvisor.se
  42. 42. Governance <ul><li>Recurring auditing by trusted third party to validate SPS & SLA </li></ul><ul><li>Declaration of partnerships with third party </li></ul><ul><li>Who is financing the vendor? </li></ul>www.cloudadvisor.se
  43. 43. Legal www.cloudadvisor.se
  44. 44. Legal <ul><li>Plan for expected/unexpected exit: Assurance of secure delivery and destruction of data. </li></ul><ul><li>Clause for information not traversing geographical boundaries. </li></ul><ul><li>Rights to reuse my information? </li></ul>www.cloudadvisor.se
  45. 45. Compliance & Audit www.cloudadvisor.se
  46. 46. Compliance & audit <ul><li>Classification: </li></ul><ul><ul><li>Which systems are handling regulated information? </li></ul></ul><ul><ul><li>What data is handled within the systems? </li></ul></ul><ul><li>SAS 70 type II audits? </li></ul><ul><li>Demand ISO 27001 certification? </li></ul>www.cloudadvisor.se
  47. 47. ILM www.cloudadvisor.se
  48. 48. ILM <ul><li>Logical segregation of information – What control mechanisms do we implement for parts outside of our control? </li></ul><ul><li>Verify backup & restore of segregated information & simulate how the information is assimilated ”in-house” in case of termination. </li></ul>www.cloudadvisor.se
  49. 49. Portability & Interoperability www.cloudadvisor.se
  50. 50. P & I <ul><li>SaaS </li></ul><ul><ul><li>Process for continuous extraction in open formats </li></ul></ul><ul><li>IaaS </li></ul><ul><ul><li>Develop ”binaries” not tied to Virtual Machine Images specific to the vendor </li></ul></ul><ul><li>PaaS </li></ul><ul><ul><li>Developer platform in the cloud allows portability with platform in-house </li></ul></ul>www.cloudadvisor.se
  51. 51. Identity www.cloudadvisor.se
  52. 52. Identity <ul><li>Federation schema </li></ul><ul><ul><li>SAML (version?) </li></ul></ul><ul><ul><li>WS-Federation </li></ul></ul><ul><ul><li>Liberty ID-FF </li></ul></ul><ul><li>Multiple authentication factors? </li></ul><ul><li>Authorization and governing of rights on application/data? </li></ul>www.cloudadvisor.se
  53. 53. Datacenter operations www.cloudadvisor.se
  54. 54. Datacenter operations <ul><li>Maintenance schemas </li></ul><ul><li>Process for misconfigurations (fallbacks) </li></ul><ul><li>Versioning </li></ul><ul><li>Helpdesk </li></ul>www.cloudadvisor.se
  55. 55. Incident handling www.cloudadvisor.se
  56. 56. Incident handling <ul><li>Common definition of an incident? </li></ul><ul><li>Roles under an incident? </li></ul><ul><li>When/how am I notified? </li></ul><ul><li>Can I use my own CSIRT? </li></ul><ul><li>Police? </li></ul><ul><li>Dawn-raid on another tenant – consequence? </li></ul>www.cloudadvisor.se
  57. 57. Conclusions www.cloudadvisor.se
  58. 58. Cloud Computing is built on known technology – but the risks are definitively virgin territory! www.cloudadvisor.se
  59. 59. There are loads of exciting opportunities – open to all! www.cloudadvisor.se
  60. 60. Business demands results without ”whining and but´s” – handle it or be bypassed and marginalized! www.cloudadvisor.se
  61. 61. Why not implement the philosophy of the cloud in your IT? www.cloudadvisor.se
  62. 62. <ul><li>DISCUSSION </li></ul>www.cloudadvisor.se
  63. 63. Nice links <ul><li>http://cloudforum.org </li></ul><ul><li>http://cloudsecurityalliance.org </li></ul><ul><li>http://cloudcamp.org </li></ul><ul><li>http://opencloudmanifesto.org </li></ul><ul><li>http://opencrowd.com </li></ul><ul><li>http://eucalyptus.com </li></ul><ul><li>http://aws.amazon.com/ec2 </li></ul><ul><li>http://www.ibm.com/ibm/cloud/labs/ </li></ul><ul><li>http://www.hpl.hp.com/research/cloud.html </li></ul>www.cloudadvisor.se
  64. 64. Thank you! <ul><li>Predrag Mitrovic, predrag@mynethouse.se </li></ul><ul><li>+46 (0) 709 – 200 350 or on the net: </li></ul><ul><li>http://mynethouse.se </li></ul><ul><li>Blogs (in Swedish only): </li></ul><ul><ul><li>http://blogg.idg.se/itperspektiv </li></ul></ul><ul><ul><li>http://cloudadvisor.se </li></ul></ul>www.cloudadvisor.se

×