RAHUL GURNANI
CDAC Certified Cyber Security Professional
MS Cyber Law & Information Security, Indian Institute of Information Technology - Allahabad

Agenda
• Virtualization - brief overview
• Essential Features of a cloud environment
• Cloud Service Models
• Cloud Deployment Models
• Benefits of Cloud
• Security Concerns in different Cloud environments
• Mapping the traditional IT security requirements to Cloud environment
• Two viewpoints on Cloud Security

VIRTUALIZATION
• A cloud comprises virtual machines hosted on a remote or local server, which are accessed and used as and when needed.
• The virtual machines can be defined to have any configuration that a real-world machine would have, as long as the host machine is able to support it. Even servers can be hosted easily on a cloud.
• Just imagine how much cost, space and business overhead you would save if you were able to host your servers in a virtual environment on a cloud!

Essential Features of a cloud
1. On-Demand Self Service
2. Broad network access
3. Resource Pooling
4. Rapid Elasticity
5. Measured Service

On-demand self-service.
• A customer using cloud services should be able to provision computing capabilities such as server time and network storage himself as and when required, without requiring human interaction with the service provider.
Broad network access.
• The cloud services should be available over the network and accessible through standard devices such as laptops, smartphones and tablet computers.
Resource pooling. (& Location Independence)
• The service provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

Rapid elasticity.
• Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
• To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service.
• Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
• Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud Services
1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)
4. Business Process as a Service (BPaaS)

Software as a Service (SaaS)
• The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
• The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.
• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS)
• The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service (IaaS)
• The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources.
• The consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
• The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Business Process as a Service (BPaaS)
• It is a form of business process outsourcing (BPO) that employs a cloud computing service model.
• Whereas the aim of traditional BPO is to reduce labor costs, BPaaS reduces labor count through increased automation, thereby cutting costs in the process.
• It adheres to cloud computing's traditional monthly pricing schedule.
• Types of outsourcing services offered via the BPaaS model include HR functions such as payroll and benefits administration, procurement, advertising, marketing and industry operation processes.

Deployment Models
• Private cloud
• Public cloud
• Hybrid cloud
• Community cloud

Private cloud
• The cloud infrastructure is set up for exclusive use by an individual organization, which may have multiple consumers.
• It may be owned, managed, and operated by the organization itself or a third party.
• It may be set up on the organization's premises or at a remote location.
Community cloud
• It is for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
• It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud
• It is set up for open use by the general public.
• It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud
• The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

• Reducing capital Expenditure on IT
• Having a predictable Operations Expenditure
• Letting the organization focus on its core competency

Security Concerns
TOP CONCERN IN ADOPTION OF CLOUD
Physical controls get replaced by virtual controls.
In a cloud environment, access expands, control shifts, and the speed of provisioning resources and applications increases - greatly affecting all aspects of IT security.
Cloud computing tests the limits of security operations and infrastructure.

Infrastructure as a Service (IaaS): Cut IT expense and complexity through cloud data centers
Cloud Enabled Data Center
Integrated service management, automation, provisioning, self service
Key security focus: Infrastructure and Identity
• Manage datacenter identities
• Secure virtual machines
• Patch default images
• Monitor logs on all resources
• Network isolation

Platform-as-a-Service (PaaS): Accelerate time to market with cloud platform services
Cloud Platform Services
Pre-built, pre-integrated IT infrastructures tuned to application-specific needs
Key security focus: Applications and Data
• Secure shared databases
• Encrypt private information
• Build secure applications
• Keep an audit trail
• Integrate existing security

Cloud Service Provider: Innovate business models by becoming a cloud service provider
Advanced platform for creating, managing, and monetizing cloud services
Key security focus: Data and Compliance
• Isolate cloud tenants
• Policy and regulations
• Manage security operations
• Build compliant datacenters
• Offer backup and resiliency

Software as a Service (SaaS): Gain immediate access with business solutions on cloud
Business Solutions on Cloud
Capabilities provided to consumers for using a provider’s applications
Key security focus: Compliance and Governance
• Harden exposed applications
• Securely federate identity
• Deploy access controls
• Encrypt communications
• Manage application policies

How do security and privacy domains relate to cloud environments?

Security and Privacy Domains
• People and Identity
• Application and Process
• Network, Server and Endpoint
• Data and Information
• Physical Infrastructure
• Governance, Risk and Compliance

• Multiple Logins, Onboarding Issues
• Multi-tenancy, Data Separation
• Audit Silos, Compliance Controls
• Provider Controlled, Lack of Visibility
• Virtualization, Network Isolation
• External Facing, Quick Provisioning

CLOUD
• Self-Service
• Highly Virtualized
• Location Independence
• Workload Automation
• Rapid Elasticity
• Standardization

Two viewpoints for cloud security
Security from the cloud
• The cloud is used to deliver security as-a-service - focusing on services such as vulnerability scanning, web and email security, etc.
Security for the cloud
• The focus is on secure usage of Cloud applications - for example, by ensuring Audit, Access and Secure Connectivity.
There are various business solutions available from different vendors supporting both the models.