Cloud Security: Risks and Recommendations for New Entrants

Show notes: The cloud is a service model that entails great benefits for its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.

Published in: Technology, Business
1 Comment
  • Good start and improve further on the control part and vendor mgmt.

  • Introduction (30 seconds). Multiple choice: Which form of attack is inherently linked to the multi-tenant aspect of the cloud? a) DDoS b) Phishing c) Side channel attacks d) Man-in-the-middle attack e) Cloudburst. What is the term used to describe the forceful placement of a virtual instance next to a target one? Cloud cartography; Cloud mapping; Infrastructure targeting; Cloud tracking; Processor framing.
  • (1 minute) Now before we start, we have to ask ourselves, what is the cloud? The cloud is a large network that encompasses 3 distinct but interrelated service models. The first is software as a service, where software is coded, maintained and brought directly to the end user through the web. Think Salesforce or even something as commonplace as Gmail. Platform as a service employs, well, a software platform that's run by the cloud service provider. Developers are free to use this platform and its related tools to bring innovative new technologies to the front. Think of Google's App Engine or Microsoft Azure. Finally, infrastructure as a service supplies the raw and complex processing power that companies need to bring a large service to many different users at a time.
  • (30 s) Now consider that these services are often built on top of one another. At the bottom you have infrastructure as a service, supporting the underlying platform. At the middle level lies platform as a service, which harnesses the power provided by the infrastructure base. And at the top level, you have software as a service, which is a piece of software that can be coded on a development platform and likewise distributed all over the cloud using the infrastructure. This forms what we call the cloud dependency model, which I'll get to later.
  • (1 minute) PwC 2011 Global. Why does this matter to important CIOs or future executives like you? Well, you have to keep up with the competition. In a PwC Information Security Survey of 12 thousand IT leaders, 49% of respondents said their organization employs some form of cloud computing today, up 14% on the year before. Business leaders are eager to harness four characteristics of the cloud. There's elasticity, where additional processing power can be ordered at the click of a button. Accessibility, meaning you can access the cloud anywhere you have an internet connection. Multi-tenancy, which I'll explain more next. And a pay-as-you-go usage model, which can help optimize costs. The cloud is a finite network that can house a near infinite amount of what we call instances. Whenever you request a new instance on the cloud, it is distributed to a physical server somewhere in that network. You'll be operating within the presence of other virtual machines, and that's what we call multi-tenancy. But it's this aspect, as well as the elasticity characteristic, that makes the cloud so cheap.
  • (30 seconds) Now it's not all fun and games on the cloud. You also have to be aware of the risks, and that's where this report comes in. I'll be going over 4 of the more prevalent or interesting risks inherent to the cloud, and ways you might be able to counteract them. Adoption statistic (PwC).
  • (1 min) Now we have to distinguish between old risks that we've seen for a long time on the internet, and new risks that come specifically from the cloud and its unique properties. Some risks, such as phishing, aren't really cloud risks, as they work or fail just as long as you have an internet connection. But sometimes we can have a hybrid of both. Take for example a DDoS attack, or distributed denial of service attack. This involves a slew of machines making false requests in order to overload a server. But DDoS attacks can evolve using the cloud's scalable properties. What would happen if, instead of your server being overloaded, you just provisioned additional infrastructure to support those requests? Things would get awfully expensive very quickly if they continued. Christofer Hoff, a cloud security expert at Cisco Systems, calls this the Economic Denial of Service attack. Now you notice how things get better with the cloud. Even attacks.
  • (1 minute) We're used to seeing security as protection across various network boundaries. Now the tools used to control programs and instances on the cloud have created more attack surfaces that may prove to be additional vulnerabilities within what is now part of your network. As I said earlier, in the multi-tenant environment physical servers house several virtual environments. The cloud companies use programs called hypervisors to allocate resources of the physical machine among each instance. In PaaS cloud models, the provider uses an Application Programming Interface, or API, to communicate with the developer's programs and submit requests on a real-time basis. Hopefully, you start to see the implications. Both of these solutions help run the cloud, but at the same time allow for unmitigated access to user data if breached.
  • (2 minutes) Now, recall how cloud services often build on one another. Take potential hypervisor and API vulnerabilities into account when you consider the cloud dependency stack. At the infrastructure level, you open up the model to attacks on the hypervisor, while at the platform level, API security risks take precedence. What we start to see is a proliferation of access points, all of which can lead directly to data leakage or loss. This inherent risk is compounded by the fact that each level of the cloud model has to be configured properly to ensure compatibility. A host of security controls run at the CSP in order to ensure the security of data. However, improperly configured security controls at the client level can lead to additional security flaws that may be exploitable by other parties.
  • (2 minutes) The multi-tenancy aspect of the cloud creates another security risk that's been the subject of intense scrutiny over the last number of years. Just as you wouldn't want to invite a malicious third party into your physical server, the cloud with its open brand of service opens its networks to a host of parties. A high-profile research paper in 2009 called Hey, You, Get Off of My Cloud demonstrated the concept of cloud cartography on Amazon's EC2 service. Cloud cartography is a technique that can be used to exploit the multi-tenant aspect of the cloud to forcefully position a malicious instance next to a target one, and later use this positioning to mount an attack on the instance. This may seem impossible; after all, instances seem to be positioned almost anywhere in the cloud. However, the researchers were able to succeed in 50% of co-location efforts, all for around 100 dollars. Even a pure brute force method led to 126 of 141 instances being co-located in 510 efforts. But why is this important? The fact of the matter is, it opens up yet another method of attack that can be used to steal data from a company.
  • Now once co-residency is established on the same physical infrastructure, hackers can use an indirect method of spying called a side channel attack. One type of side channel attack utilizes the system cache to monitor activity throughout the physical server. The system cache is a temporary memory storage bank used by the processor, but it simply wasn't built with strong segregation facilities in mind. Therefore, it remains observable by all parties. By observing the activity levels of the cache, a malicious user could monitor the timing of individual spikes in cache usage to do things like infer keyboard strokes in the target VM. This has huge potential ramifications, as you can easily imagine how indirect channel attacks can lead to the direct stealing of employee passwords and the ultimate loss of data security for a company or its customers.
  • Now that we've outlined some of the more unique risks of the cloud, how can executives prepare for a transition to it? Well, there are a number of ways that they can try to compensate.
  • (1 minute) Now, encryption remains a popular solution in tech circles today. After seeing the increased potential for data leakage that comes with adopting the cloud model, you can see why encryption remains a must for new entrants. Encryption allows you to ensure that the right people are accessing your cloud servers through validation procedures, as well as providing you with base-level protection over your information. Businesses that plan to use the cloud for storage or archiving can use encryption to transform data into a basically unreadable format to minimize the chances of it being deciphered if intercepted or stolen. However, encryption does have limitations. By virtue of its being undecipherable, encrypted data cannot be used for processing by cloud servers. Take for example the case of Google, which struggled over encrypting its Gmail service for over 2 years. It's said that even a simple search using encrypted data makes processing take up to 1 trillion times longer. Executives have to be sure to balance the security benefits of encryption with its processing costs.
  • (1 minute) A strong service level agreement can make all the difference when mitigating risks of financial exposure in the cloud. This is especially true since, according to a Ponemon survey, 69% of cloud service providers believe security to be the primary responsibility of the users, while only 35% of cloud users seem to agree. CSPs in general seem to be understandably protective over their security policies, but executives must ensure that this doesn't impede their own hardening procedures. The service provider may be hesitant to hand over basic access data or logs that may be essential for continuous monitoring by the user. Your data may also be subject to confiscation in the case of a security breach, unintentional or otherwise. A strong service level agreement can effectively divide the rights and responsibilities between each party in the cloud contract, and must be addressed to facilitate continuous monitoring or enforce ownership rights over the relationship.
  • (1 minute) Finally, given the sheer number of threats that emerge from the basic cloud dependency stack, it makes sense for executives to apply a unified risk assessment approach in order to manage cloud security. Of course we're all familiar with the ISACA COBIT Framework, a control objective model which certainly can be applied to a cloud environment given a little tweaking. However, a number of organizations have come forward to impart to new entrants a cloud-specific risk model. One such organization is the European Network and Information Security Agency (or ENISA), with its Cloud Computing Assurance Framework. A sort of meeting ground can be found with the CSA's Cloud Controls Matrix. It applies elements of all of the previously mentioned frameworks, taking concepts from each to form a definitive best-practice security framework. Getting to know these firsthand would be another great way for executives to educate themselves on the new security risks that result from cloud adoption.
  • Now the help is out there. Here are a couple of links to the more popular forms of the security frameworks. Take a little time to browse through them all to see which one is most compatible with your existing security framework if you plan to become a new entrant.
  • Now I'm just going to talk briefly about some opportunities that are available for CAs to help provide additional assurance to new entrants in the cloud.
  • First of all, it's important to see cloud computing as an opportunity to provide an extension of the assurance function that CAs currently apply to service providers. Executives currently require a strong level of assurance to make a conscious decision over their choice of CSPs. The CA assurance function relevant to the cloud is generally limited to the control-based assessment that is the 5970 report. However, the 5970 merely relates to the testing of controls at a service provider over its and its clients' financial reporting models. It fails to provide a complex assessment of the CSP's security controls, which is what executives desperately need to distinguish between cloud service providers. Applying the trusted CA assurance brand to create a cloud-assurance model seems to be a lucrative opportunity worth looking into.
  • CAs looking to get a jump ahead of the pack to bolster their competencies and increase their own marketability can look to an offering by the Cloud Security Alliance. The CSA has recently instituted a Certificate of Cloud Security Knowledge, which designates an individual as a specialist in identifying and addressing security risks in the cloud. This quote from Gary Phillips of Symantec outlines one way that CAs can help distinguish themselves in the cloud assurance function.
  • So what have I told you today? The cloud is a profound opportunity for executives who look to leverage its powerful and cost-effective characteristics to drive their businesses forward. However, it is these characteristics that create new risks that we must now look out for, whether it be the proliferation of new attack surfaces or new threats that evolve with the cloud. It will pay dividends to be prepared. A unified risk assessment process will go a long way towards understanding the many risks out there, while implementing client-side controls and a strong service level agreement facilitates the risk mitigation and risk avoidance practices.
  • You now have a better understanding of how the cloud works and ways you can protect yourself. Thanks for listening!

    1. Cloud Security: Risks and Recommendations for New Entrants
       A Report by Irvin Choo
       ACC 626
    2. What is the Cloud?
    3. What is the Cloud?
    4. Cloud Characteristics
       Elasticity: automatic provisioning/de-provisioning
       Accessibility: anywhere and everywhere
       Multi-tenancy: know your neighbour
       Pay-as-you-go
    5. Cloud Security Risks
       Old risks vs. new risks
       Cloud dependency stack
       Expanding attack surfaces
       Cloud cartography and side channels
    6. Cloud Security Risks: Old Risks vs. New Risks
       Some risks (e.g. phishing, often attributed to the cloud) are not cloud-specific risks
       New risks stem from the inherent properties of cloud computing models
       Can have a hybrid of both
       Distributed Denial of Service vs. Economic Denial of Service
       EDoS: using the elasticity aspect to provision resources beyond sustainable capacities
    7. Cloud Security Risks: Expanding Attack Surfaces
       Hypervisors (IaaS): allocate resources to virtual environments within the physical server
       Application Program Interfaces (PaaS): proprietary; communicate between the developer's program and the underlying platform
    8. Cloud Security Risks: The Cloud Dependency Stack
       Stack (top to bottom): SaaS, PaaS, IaaS, cloud physical infrastructure
       Compatibility concerns
       Misconfiguration of software
       High integration, high risk
       Compromise at any level can undermine the entire infrastructure
    9. Cloud Security Risks: Cloud Cartography
       Multi-tenancy issue
       Locating VMs in the cloud: random distribution?
       Hey, You, Get Off of My Cloud! (Amazon EC2 study)
       50% success rate
       Even brute force methods fairly successful
       Inexpensive
    10. Cloud Security Risks: Side Channel Attacks
        Primary risk from the multi-tenant environment
        Indirect form of spying: listening through the cache
        Can infer information rather than directly intercepting it
        Researchers were able to guess passwords by monitoring spikes in cache activity
        Can change the face of corporate espionage
    11. Controls and Recommendations
        First steps
        Responsibilities and the SLA
        Security frameworks
    12. Controls and Recommendations: First Steps
        Why is encryption important?
        Ensures authorized access
        Provides base-level protection over information
        Basic encryption policies: authentication data; data for archiving/storage
        Limitations: not suited for data in transit/rapid processing (e.g. SaaS)
        Gmail struggled with encryption until 2010
    13. Controls and Recommendations: Responsibilities and the SLA
        Ponemon: 69% of cloud service providers believe security to be the responsibility of the users
        Continuous monitoring: CSP may be hesitant to give access data/logs
        Generally secretive security policies
        Securing ownership of data in case of security breaches
    14. Controls and Recommendations: Recommended Security Frameworks
        Strong response to the lack of a cloud-based security risk framework
        ISACA COBIT Framework for IT Governance and Control
        International Organization for Standardization ISO 27001
        ENISA Cloud Computing Assurance Framework
        Cloud Security Alliance Cloud Controls Matrix
    15. Controls and Recommendations: Recommended Security Frameworks
    16. Implications for CAs
        Assurance opportunities
        Certificate of Cloud Security Knowledge
    17. Implications for CAs
        Cloud computing is an opportunity for CAs
        Executives require a stronger cloud-based assurance model
        5970/CSAE 3416 is inadequate
        Cloud risks extend far beyond financial reporting considerations
        Distinguishing between cloud service providers
    18. Implications for CAs: CSA Certificate of Cloud Security Knowledge
        "The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate."
        ~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp
    19. Conclusions
        Cloud entails new risks: expansion of attack surfaces; evolution of old threats
        Risks can be mitigated by: implementing client-side controls; a strong service level agreement; a unified risk assessment process
    20. Thank you!!
    21. Works Cited
        Al Morsy, M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology.
        Brenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.
        Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28 (18), pp. 1-2.
        CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up.
        Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice.
        Cloud Computing Information Assurance Framework. (2009, November). Retrieved June 15, 2011, from European Network and Information Security Agency.
        Cloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency.
        Cloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA.
        Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA.
    22. Works Cited
        Cloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance.
        COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA.
        Farrell, R. (2010). Securing the Cloud. Information Security Journal, 6 (19), pp. 310-319.
        Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine.
        Greengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1 (106), pp. 20-24.
        Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1 (1247), pp. 4-5.
        Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge.
        Hoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security.
        Jarabek, C. (2010). A Review of Cloud Computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary.
        Lempereur, C., & Cimpean, D. (2011, May 12). An Assurance Framework for Cloud Computing. Retrieved June 18, 2011, from ISACA Berlin.
        Loveland, G. (2010). Security Among the Clouds. Compliance Week, 8 (83).
        Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
    23. Works Cited
        McMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver.
        Mullins, R. J. (2010). New Cloud Security Certification Launched. Information Week, 1 (1277), p. 16.
        Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine:,2817,2330239,00.asp
        Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology.
        Shipley, G. (2010). Cloud Computing: Risks. Information Week, 1 (1262), pp. 20-23.
        The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25 (1), pp. 7-9.
        Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security.
        Top Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance.
        Transitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers.
        Urquhart, J. (2010, November 22). Cloud Security Is Dependent on the Law. Retrieved June 16, 2011, from CNET News.
        Zetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired.