Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cloud Security ("securing the cloud")

1,321 views

Published on

Vic Winkler's 2011 FOSE presentation in Washington DC. The talk was based on the book: "Securing the Cloud" (Elsevier 2011).

Highlights:
--Top 10 Cloud Security Concerns;
--Is organizational control good for cloud security?;
--Architectural examples for cloud security

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Cloud Security ("securing the cloud")

  1. 1. NGI-4: CloudThe Technical Foundations of Security and Interoperability Overview Vic Winkler July 2011 Washington, DC Booz | Allen | Hamilton
  2. 2. The Technical Foundations of Security and InteroperabilityThis presentation is based on my book: “Securing the Cloud: Cloud Computer Security Techniques and Tactics” Vic Winkler (Elsevier/Syngress May 2011) Graphics are Copywrited by Elsevier/Syngress 2011My experiences in designing, implementing and operating the security for: “SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+) …And research into best practices in cloud security (2008-2011)Previously, I: Was a pioneer in network and systems based intrusion detection Designed a B1 trusted Unix system Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 2
  3. 3. A Brief, Distorted View of History  Overview Continuing Technology Evolution Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 3
  4. 4. More “Evolution” than “Revolution” So, what is “cloud”? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 4
  5. 5. A Minor Problem With Words… Most common question: Is “cloud” secure? Booz | Allen | Hamilton 5
  6. 6. Booz Allen: Cloud Computing “Quick Look” AssessmentThe QLA approach analyzes the organization and its potential cloud candidate functions and applicationsacross eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each. Business/Mission Technology Economics Security Governance & Policy IT Management Organization Change Management Booz | Allen | Hamilton 6
  7. 7. Cloud: A Model for Computing, A Model for Service Delivery• “Cloud Services" – IT model for service delivery: Expressed, delivered and consumed over the Internet or private network – Infrastructure-as-a-Service (IaaS) – Platform-as-a-Service (PaaS) – Software-as-a-Service (SaaS)• “Cloud Computing”– IT model for computing – Environment composed of IT components necessary to develop & deliver "cloud services” Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 7
  8. 8. The Services StackTwo Perspectives What about security? …“Confidentiality”, “Integrity” and “Availability”? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 8
  9. 9. The NIST Cloud Model Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 9
  10. 10. Security Concerns?• 10. Unknown Risks: Concern that cloud computing brings new classes of risks and vulnerabilities• 9. Control over Data: User data may be comingled with data belonging to others.• 8. Legal and Regulatory Compliance: It may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance• 7. Disaster Recovery and Business Continuity: Cloud tenants and users require confidence that their operations and services will continue despite a disaster• 6. Security Incidents: Tenants and users need to be informed and supported by a provider• 5. Transparency: Trust in a cloud provider’s security claims entails provider transparency• 4. Cloud Provider Viability: Since cloud providers are relatively new to the business, there are questions about provider viability and commitment• 3. Privacy and Data concerns with public or community clouds: Data may not remain in the same system, raising multiple legal concerns• 2. User Error: A user may inadvertently leak highly sensitive or classified information into a public cloud• 1. Network Availability: The cloud must be available whenever you need it Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 10
  11. 11. Security ConcernsSensitive Data & Regulatory Compliance Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 11
  12. 12. Security ConcernsTransparency Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 12
  13. 13. Security ConcernsExample of Private Cloud Concerns Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 13
  14. 14. Security ConcernsTrade Offs Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 14
  15. 15. Cloud Services are Expressed From Cloud IT Infrastructure Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 15
  16. 16. Virtualization and Elastic Service Expression Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 16
  17. 17. Is Organizational Control Good for Security? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 17
  18. 18. Scope of Control Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 18
  19. 19. IaaS, PaaS and SaaS:Data Ownership Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 19
  20. 20. Organizational Control with Private versus Public Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 20
  21. 21. Cloud Demands Advanced Management Capabilities(This should benefit security) Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 21
  22. 22. Planning for Competitive Pricing(…in other words, “cost-effective security”) Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 22
  23. 23. Planning for Fundamental Changes Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 23
  24. 24. Patterns are Key for Cloud Infrastructure Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 24
  25. 25. …Patterns are Key for Cloud Infrastructure Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 25
  26. 26. …Patterns are Key for Cloud Infrastructure Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 26
  27. 27. ExampleSeparate Paths, Separate Networks Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 27
  28. 28. Example…Separate Paths, Separate Networks Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 28
  29. 29. Assessment:Is it “Correct”, “Secure” and Does it Meet Requirements? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 29
  30. 30. How Much Assurance? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 30
  31. 31. Operationally, How Will you Know? Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 31
  32. 32. Security MonitoringA High-Volume Activity Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 32
  33. 33. Monitoring Really Wants To BeA Near-Real-Time Feedback Loop Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 33
  34. 34. Beyond Security MonitoringIntegrated Operational Security Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 34
  35. 35. ExampleSecurity Use for CMDB Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 35
  36. 36. Defense-in-Depth in Infrastructure Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 36
  37. 37. What are the BIG Lessons?• Provider – Model T approach: Any color the customer wants …as long as it’s “black” • Special requests undercut profits – Plan ahead: Focus on eventual operations costs and on the certainty of change to the infrastructure – Seek to automate almost everything: • Identify procedures/processes to drive down costs • Identify and refine patterns – Segregate information • Don’t mix infrastructure management information • …with security information • …with customer data …etc. – Architect for completely separate paths: • (Public) (Infrastructure control) (Network device control) (Security management) • Entails a differentiated set of networks • Isolate, Isolate, Isolate • Encrypt, Encrypt, Encrypt• Consumer – Who is the provider? – What are you really buying? Transparency, independent verification, indemnification? Booz | Allen | Hamilton 37
  38. 38. Thank You Business: Winkler_Joachim@BAH.Com Personal: Vic@VicWinkler.Com Phone: 703.622.7111 “Securing the Cloud: Cloud Computer Security Techniques and Tactics” Vic Winkler (Elsevier/Syngress 2011) Graphics copyright Elsevier/Syngress 2011 Booz | Allen | Hamilton 38

×