A Comprehensive Overview of
Secure Cloud Computing
Outline
What is Cloud Computing
Cloud Computing Infrastructure Security
Cloud Storage and Data Security
Identity Management in the Cloud
Security Management in the Cloud
Privacy
Audit and Compliance
Cloud Service Providers
Security as a Service
Impact of Cloud Computing
Directions
Reference: Cloud Security and Privacy: Mather,
Kumaraswamy and Latif, O’Reilly Publishers
What is Cloud Computing?
Definition
SPI Framework
Traditional Software Model
Cloud Services Delivery Model
Deployment Model
Key Drivers
Impact
Governance
Barriers
Definition of Cloud Computing
Multitenancy - shared resources
Massive scalability
Elasticity
Pay as you go
Self provisioning of resources
SPI Framework
Software as a Service (SaaS), Platform as a Service (PaaS),
Infrastructure as a Service (IaaS)
Several Technologies work together
- Cloud access devices
- Browsers and thin clients
- High speed broadband access
- Data centers and Server farms
- Storage devices
- Virtualization technologies
- APIs
Traditional Software Model
Large upfront licensing costs
Annual support costs
Depends on number of users
Not based on usage
Organization is responsible for hardware
Security is a consideration
Customized applications
Cloud Services Delivery Model
SaaS
- Rents software on a subscription basis
- Service includes software, hardware and support
- Users access the service through an authorized device
- Suitable for a company to outsource hosting of apps
PaaS
- Vendor offers development environment to application
developers
- Provider develops toolkits, building blocks, payment
hooks
IaaS
- Processing power and storage service
- Hypervisor is at this level
Deployment Models
Public Clouds
- Hosted, operated and managed by third party vendor
- Security and day to day management by the vendor
Private Clouds
- Networks, infrastructures, data centers owned by the
organization
Hybrid Clouds
- Sensitive applications in a private cloud and non-sensitive
applications in a public cloud
Key Drivers
Small investment and low ongoing costs
Economies of scale
Open standards
Sustainability
Impact
How are the following communities Impacted by the Cloud?
Individual Customers
Individual Businesses
Start-ups
Small and Medium sized businesses
Large businesses
Governance
Five layers of governance for IT are Network, Storage, Server,
Services and Apps
For on-premise hosting, the organization has control over
Storage, Server, Services and Apps; the vendor and the organization
share control over the network
For SaaS model all layers are controlled by the vendor
For the IaaS model, Apps are controlled by the organization,
Services controlled by both while the network, storage and
server controlled by the vendor
For PaaS, Apps and Services are controlled by both while
servers, storage and network controlled by the vendor
Barriers
Security
Privacy
Connectivity and Open access
Reliability
Interoperability
Independence from CSP (cloud service provider)
Economic value
IT governance
Changes in IT organization
Political issues
Cloud Computing Infrastructure Security
Infrastructure Security at the Network Level
Infrastructure Security at the Host Level
Infrastructure Security at the Application Level
Note: We will examine IaaS, PaaS and SaaS Security issues at
Network, Host and Application Levels
Security at the Network Level
Ensuring data confidentiality and integrity of the
organizations data in transit to and from the public cloud
provider
Ensuring proper access control (Authentication,
Authorization, Auditing) to resources in the public cloud
Ensuring availability of the Internet facing resources of the
public cloud used by the organization
Replacing the established network zones and tiers with
domains
How can you mitigate the risk factors?
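On the client side, the in-transit confidentiality and integrity concern above comes down to how the TLS connection to the provider is configured. The Go program below is an added example, not code from the lecture or from the book it cites: it runs four TLS handshakes against the same in-process server over an in-memory pipe (no sockets) and records which client settings accept a certificate that is not in the trust store. The endpoint name storage.provider.example, the self-signed certificate and the Verdicts type are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const ProviderHost = "storage.provider.example" // made-up provider endpoint

// newSelfSignedCert issues a throwaway certificate for host so the example
// runs offline; a real provider certificate would chain to a public CA.
func newSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake runs one TLS handshake over an in-memory pipe (no sockets) and
// returns the client's verdict; closing the client end unblocks the server.
func handshake(serverCfg, clientCfg *tls.Config) error {
	cliConn, srvConn := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(srvConn, serverCfg).Handshake()
	}()
	err := tls.Client(cliConn, clientCfg).Handshake()
	cliConn.Close()
	<-done
	srvConn.Close()
	return err
}

// Verdicts records how each client configuration treated the same server.
type Verdicts struct {
	InsecureAccepted  bool // InsecureSkipVerify: accepted an unknown certificate
	DefaultRejected   bool // system trust store: rejected the self-signed certificate
	PinnedAccepted    bool // explicit trust anchor + expected name: accepted
	WrongNameRejected bool // same anchor, wrong ServerName: rejected
}

// RunScenarios contrasts the weak client setting with the corrected ones.
func RunScenarios() (Verdicts, error) {
	cert, err := newSelfSignedCert(ProviderHost)
	if err != nil {
		return Verdicts{}, err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no post-handshake writes on the pipe
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	strict := func(name string) *tls.Config { // the corrected client setting
		return &tls.Config{ServerName: name, RootCAs: roots, MinVersion: tls.VersionTLS12}
	}
	var v Verdicts
	v.InsecureAccepted = handshake(serverCfg, &tls.Config{InsecureSkipVerify: true}) == nil
	v.DefaultRejected = handshake(serverCfg, &tls.Config{ServerName: ProviderHost}) != nil
	v.PinnedAccepted = handshake(serverCfg, strict(ProviderHost)) == nil
	v.WrongNameRejected = handshake(serverCfg, strict("other.provider.example")) != nil
	return v, nil
}

func main() {
	v, err := RunScenarios()
	fmt.Printf("%+v %v\n", v, err) // every field should be true, err nil
}
```

The weak setting is InsecureSkipVerify: it accepts any certificate, including one presented by a party sitting between the organization and the provider, so the encryption protects nothing. The corrected client pins an explicit trust anchor, sets the expected ServerName and a TLS 1.2 floor; against a real provider the RootCAs pool would hold the CA that issued the provider's certificate, and a mismatched name is still rejected even with the right anchor.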
Security at the Host Level
Host security at PaaS and SaaS Level
- Both PaaS and SaaS hide the host operating system
from end users
- Host security responsibilities in SaaS and PaaS are
transferred to CSP
Host security at IaaS Level
- Virtualization software security
Hypervisor security
Threats: Blue Pill attack on the hypervisor
- Customer guest OS or virtual server security
Attacks to the guest OS: e.g., stealing keys used to
access and manage the hosts
Security at the Application Level
Usually it’s the responsibility of both the CSP and the
customer
Application security at the SaaS level
- SaaS Providers are responsible for providing application
security
Application security at the PaaS level
- Security of the PaaS Platform
- Security of the customer applications deployed on a PaaS
platform
Application security at the IaaS Level
- Customer applications are treated as a black box
- The IaaS provider is not responsible for application level security
Cloud Storage and Data Security
Aspects of Data Security
Data Security Mitigation
Provider Data and its Security
Aspects of Data Security
Security for
- Data in transit
- Data at rest
- Processing of data including multitenancy
- Data Lineage
- Data Provenance
- Data remanence
Solutions include encryption, identity management, sanitization
Data Security Mitigation
Even though data in transit is encrypted, use of the data in
the cloud requires decryption.
- That is, the cloud will hold unencrypted data
Mitigation
- Sensitive data should not be stored in a public cloud
- Homomorphic encryption may be a solution in the future
Provider Data and its Security
What data does the provider collect – e.g., metadata, and how
can this data be secured?
Data security issues
- Access control, Key management for encrypting
Confidentiality, Integrity and Availability are objectives of data
security in the cloud
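Key management is the part of data-at-rest protection that stays with the customer, and it also answers the remanence problem: once the key is destroyed, any leftover ciphertext on provider disks is worthless. The Go program below is an added example, not code from the lecture or from the book it cites. It implements envelope encryption with AES-256-GCM: each object gets its own data key, that key is wrapped by a simulated customer-held key service, and the object identifier is bound as associated data on both layers. The KMS type, the object name tenant-a/payroll.csv and the sample record are constructed for the example; a real deployment would replace the KMS stand-in with a hardware-backed or hosted key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: nothing safe to do
	}
	return b
}

// newGCM builds an AES-256-GCM AEAD; a nil (destroyed) key fails here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext||tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to ciphertext, tag or aad is rejected.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for a customer-controlled key service; the master key never leaves it.
type KMS struct{ master []byte }

func NewKMS() *KMS { return &KMS{master: randomBytes(32)} }

// Destroy is the crypto-shredding step: with the master key gone, every wrapped
// data key, and so every object, is unrecoverable whatever ciphertext remains.
func (k *KMS) Destroy() { k.master = nil }

func (k *KMS) Wrap(dek, aad []byte) ([]byte, error) { return gcmSeal(k.master, dek, aad) }
func (k *KMS) Unwrap(w, aad []byte) ([]byte, error)  { return gcmOpen(k.master, w, aad) }

// Envelope is what the provider stores: ciphertext plus the wrapped per-object
// data key. ObjectID is bound as AAD so a blob cannot be moved between objects.
type Envelope struct {
	ObjectID   string
	WrappedKey []byte
	Sealed     []byte
}

// Seal encrypts plaintext under a fresh data key and wraps that key in the KMS.
func Seal(kms *KMS, objectID string, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	sealed, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.Wrap(dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ObjectID: objectID, WrappedKey: wrapped, Sealed: sealed}, nil
}

// Open unwraps the data key and decrypts, failing closed on any mismatch.
func Open(kms *KMS, env Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedKey, []byte(env.ObjectID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Sealed, []byte(env.ObjectID))
}

func main() {
	kms := NewKMS()
	env, _ := Seal(kms, "tenant-a/payroll.csv", []byte("constructed sample record"))
	pt, err := Open(kms, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

The provider never sees the master key, so a compromised storage tier yields only ciphertext and wrapped keys, while a compromised key service yields everything; that asymmetry is why the key service is the component to protect and audit hardest. The lecture's point about data in use still stands: the decrypted bytes exist in the customer's process memory at the provider, and this scheme does not change that.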
Identity and Access Management (IAM) in the
Cloud
Trust boundaries and IAM
Why IAM?
IAM challenges
IAM definitions
IAM architecture and practice
Getting ready for the cloud
Relevant IAM standards and protocols for cloud services
IAM practices in the cloud
Cloud authorization management
Cloud Service provider IAM practice
Trust Boundaries and IAM
In a traditional environment, trust boundary is within the
control of the organization
This includes the governance of the networks, servers,
services, and applications
In a cloud environment, the trust boundary is dynamic and
moves within the control of the service provider as well as the
organization
Identity federation is an emerging industry best practice for
dealing with dynamic and loosely coupled trust relationships
in the collaboration model of an organization
Core of the architecture is the directory service which is the
repository for the identity, credentials and user attributes
Why IAM
Improves operational efficiency and regulatory compliance
management
IAM enables organizations to achieve access control and
operational security
Cloud use cases that need IAM
- Organization employees accessing a SaaS service using
identity federation
- IT admins access the CSP management console to provision
resources and access for users using a corporate identity
- Developers creating accounts for partner users in PaaS
- End users access a storage service in a cloud
- Applications residing in one cloud service provider access
storage from another cloud service
IAM Challenges
Provisioning resources to users rapidly to accommodate their
changing roles
Handle turnover in an organization
Disparate directories, identities, access rights
Need standards and protocols that address the IAM
challenges
IAM Definitions
Authentication
- Verifying the identity of a user, system or service
Authorization
- Privileges that a user or system or service has after being
authenticated (e.g., access control)
Auditing
- Examine what the user, system or service has carried out
- Check for compliance
IAM Practice
IAM process consists of the following:
- User management (for managing identity life cycles),
- Authentication management,
- Authorization management,
- Access management,
- Data management and provisioning,
- Monitoring and auditing
- Provisioning,
- Credential and attribute management,
- Entitlement management,
- Compliance management,
- Identity federation management,
- Centralization of authentication and authorization,
Getting Ready for the Cloud
Organization using a cloud must plan for user account
provisioning
- How can a user be authenticated in a cloud
Organization can use cloud based solutions from a vendor for
IAM (e.g., Symplified)
- Identity Management as a Service
Industry standards for federated identity management
- SAML, WS-Federation, Liberty Alliance
Relevant IAM Standards, Protocols for Cloud
IAM Standards and Specifications for Organizations
- SAML
- SPML
- XACML
- OAuth (Open Authorization) – cloud service X accessing
data in cloud service Y without disclosing credentials
IAM Standards and Specifications for Consumers
- OpenID
- Information Cards
- OATH (Initiative for Open Authentication)
- Open Authentication API (OpenAuth)
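The OAuth use case above, service X reading data in service Y without X ever holding the user's credentials, rests on a token that Y's resource server can validate on its own. The Go program below is an added example, not from the lecture or the book, and a simplified stand-in for that bearer-token pattern rather than the OAuth protocol itself: Y's authorization server mints an HMAC-signed token naming subject, audience, scope and expiry, and Y's resource server checks signature, audience, expiry and scope before serving the request. The claim format, the names service-x and service-y-storage, the scope strings and the issuer secret are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Token is what Y's authorization server hands to service X: who is acting,
// which resource server may accept it, what it may do and until when. X's
// own credentials, and the user's, never appear in it.
type Token struct {
	Subject  string // acting principal, e.g. "service-x"
	Audience string // resource server the token is meant for
	Scope    string // space-separated scopes, e.g. "storage:read"
	Expiry   int64  // unix seconds
}

// fields joins the claims with "|"; claim values must not contain that character.
func (t Token) fields() []byte {
	return []byte(strings.Join([]string{t.Subject, t.Audience, t.Scope,
		strconv.FormatInt(t.Expiry, 10)}, "|"))
}

func sign(secret, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return mac.Sum(nil)
}

// Issue mints "base64url(claims).base64url(hmac)"; only the issuer's secret
// can produce or alter a token that validates.
func Issue(secret []byte, t Token) string {
	body := t.fields()
	enc := base64.RawURLEncoding.EncodeToString
	return enc(body) + "." + enc(sign(secret, body))
}

// Validate is what Y's resource server runs on every request: signature
// first (constant time), then audience, expiry and the required scope.
func Validate(secret []byte, raw, wantAudience, wantScope string, now time.Time) (Token, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 2 {
		return Token{}, errors.New("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Token{}, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sign(secret, body), sig) {
		return Token{}, errors.New("bad signature")
	}
	f := strings.Split(string(body), "|")
	if len(f) != 4 {
		return Token{}, errors.New("malformed claims")
	}
	exp, err := strconv.ParseInt(f[3], 10, 64)
	if err != nil {
		return Token{}, errors.New("malformed expiry")
	}
	t := Token{Subject: f[0], Audience: f[1], Scope: f[2], Expiry: exp}
	switch {
	case t.Audience != wantAudience:
		return Token{}, errors.New("token not issued for this service")
	case !now.Before(time.Unix(t.Expiry, 0)):
		return Token{}, errors.New("token expired")
	case !hasScope(t.Scope, wantScope):
		return Token{}, fmt.Errorf("scope %q not granted", wantScope)
	}
	return t, nil
}

func hasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed issuer secret, not for real use")
	now := time.Now()
	raw := Issue(secret, Token{Subject: "service-x", Audience: "service-y-storage",
		Scope: "storage:read", Expiry: now.Add(10 * time.Minute).Unix()})
	_, readErr := Validate(secret, raw, "service-y-storage", "storage:read", now)
	_, writeErr := Validate(secret, raw, "service-y-storage", "storage:write", now)
	fmt.Println("read:", readErr, "/ write:", writeErr)
}
```

Two checks matter most in practice and are easy to forget: the audience, so a token issued for one service cannot be replayed against another, and the scope, so a compromise of service X exposes only what X was delegated. Real deployments usually use asymmetric signatures so resource servers can validate without holding the issuing secret.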
IAM Practices in the Cloud
Cloud Identity Administration
- Life cycle management of user identities in the cloud
Federated Identity (SSO)
- Enterprise Identity provider within the organization's
perimeter
- Cloud-based Identity provider
Cloud Authorization Management
XACML is the preferred model for authorization
RBAC is being explored
Dual roles: Administrator and User
IAM support for compliance management
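The authorization model the slide refers to, XACML, evaluates attribute-based rules and combines their results with an algorithm such as deny-overrides. The Go program below is an added example, not code from the lecture or the book: a minimal policy decision point that encodes the two roles on the slide (administrator and user) together with a tenant-isolation rule, combines rule results with deny-overrides, and defaults to deny at the enforcement point. The rule names, the attribute keys and the sample principals and resources are constructed for the example.

```go
package main

import "fmt"

// Request is the access request presented to the policy decision point.
type Request struct {
	Subject  map[string]string // caller attributes: id, role, tenant
	Action   string            // e.g. "read", "provision"
	Resource map[string]string // target attributes: type, tenant, owner
}

// Rule is one XACML-style rule: a target predicate and an effect.
type Rule struct {
	Name   string
	Effect string // "Permit" or "Deny"
	Match  func(Request) bool
}

// Decide applies the deny-overrides combining algorithm: any matching Deny
// wins over any number of matching Permits, and no matching rule at all
// yields NotApplicable. matched lists the rules that fired, for the audit log.
func Decide(rules []Rule, r Request) (decision string, matched []string) {
	decision = "NotApplicable"
	for _, rule := range rules {
		if !rule.Match(r) {
			continue
		}
		matched = append(matched, rule.Name)
		if rule.Effect == "Deny" {
			return "Deny", matched
		}
		decision = "Permit"
	}
	return decision, matched
}

// Allowed is the enforcement point's view: only an explicit Permit allows,
// so NotApplicable fails closed (default deny).
func Allowed(rules []Rule, r Request) bool {
	d, _ := Decide(rules, r)
	return d == "Permit"
}

// Policy encodes the two roles on the slide plus a tenant-isolation rule.
// The Deny rule is listed first only for readability; under deny-overrides
// its position does not matter.
var Policy = []Rule{
	{Name: "tenant-isolation", Effect: "Deny", Match: func(r Request) bool {
		return r.Subject["tenant"] == "" || r.Subject["tenant"] != r.Resource["tenant"]
	}},
	{Name: "admin-provisions", Effect: "Permit", Match: func(r Request) bool {
		return r.Subject["role"] == "admin" && r.Action == "provision"
	}},
	{Name: "admin-reads-storage", Effect: "Permit", Match: func(r Request) bool {
		return r.Subject["role"] == "admin" && r.Action == "read" && r.Resource["type"] == "storage"
	}},
	{Name: "user-reads-own-storage", Effect: "Permit", Match: func(r Request) bool {
		return r.Subject["role"] == "user" && r.Action == "read" &&
			r.Resource["type"] == "storage" && r.Resource["owner"] == r.Subject["id"]
	}},
}

// Constructed sample principals and resources for the example.
var (
	AdminA  = map[string]string{"id": "alice", "role": "admin", "tenant": "a"}
	UserA   = map[string]string{"id": "bob", "role": "user", "tenant": "a"}
	BucketA = map[string]string{"type": "storage", "tenant": "a", "owner": "bob"}
	BucketB = map[string]string{"type": "storage", "tenant": "b", "owner": "carol"}
	VMsA    = map[string]string{"type": "compute", "tenant": "a"}
)

func main() {
	for _, r := range []Request{
		{Subject: AdminA, Action: "provision", Resource: VMsA},
		{Subject: UserA, Action: "provision", Resource: VMsA},
		{Subject: UserA, Action: "read", Resource: BucketA},
		{Subject: UserA, Action: "read", Resource: BucketB},
	} {
		d, m := Decide(Policy, r)
		fmt.Printf("%s %s %s/%s: %s %v\n", r.Subject["id"], r.Action,
			r.Resource["tenant"], r.Resource["type"], d, m)
	}
}
```

Deny-overrides makes the isolation rule robust against Permit rules added later by someone who forgets about tenancy; a permit-overrides policy would invert that property. The matched list is what the auditing step in the IAM definitions needs: which rule granted or refused each access.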
Cloud Service Provider and IAM Practice
What is the responsibility of the CSP and the responsibility of
the organization/enterprise?
Enterprise IAM requirements
- Provisioning of cloud service accounts to users
- Provisioning of cloud services for service to service
integration
- SSO support for users based on federation standards
- Support for international and regulatory policy
requirements
- User activity monitoring
How can enterprises expand their IAM requirements to SaaS,
PaaS and IaaS
Security Management in the Cloud
Security Management Standards
Security Management in the Cloud
Availability Management
Access Control
Security Vulnerability, Patch and Configuration Management
Security Management Standards
Security Management has to be carried out in the cloud
Standards include ITIL (Information Technology
Infrastructure Library) and ISO 27001/27002
What are the policies, procedures, processes and work
instruction for managing security
Security Management in the Cloud
Availability Management (ITIL)
Access Control (ISO, ITIL)
Vulnerability Management (ISO, IEC)
Patch Management (ITIL)
Configuration Management (ITIL)
Incident Response (ISO/IEC)
System use and Access Monitoring
Availability Management
SaaS availability
- Customer responsibility: Customer must understand SLA
and communication methods
- SaaS health monitoring
PaaS availability
- Customer responsibility
- PaaS health monitoring
IaaS availability
- Customer responsibility
- IaaS health monitoring
Access Control Management in the Cloud
Who should have access and why
How is a resource accessed
How is the access monitored
Impact of access control on SaaS, PaaS and IaaS
Security Vulnerability, Patch and Configuration
(VPC) Management
How can security vulnerability, patch and configuration
management for an organization be extended to a cloud
environment
What is the impact of VPC management on SaaS, PaaS and IaaS
Privacy
Privacy and Data Life Cycle
Key Privacy Concerns in the Cloud
Who is Responsible for Privacy
Privacy Risk Management and Compliance in the Cloud
Legal and Regulatory Requirements
Privacy and Data Life Cycle
Privacy: Accountability of organizations to data subjects as
well as the transparency to an organization’s practice around
personal information
Data Life Cycle
- Generation, Use, Transfer, Transformation, Storage,
Archival, Destruction
- Need policies
Privacy Concerns in the Cloud
Access
Compliance
Storage
Retention
Destruction
Audit and Monitoring
Privacy Breaches
Who is Responsible for Privacy
Organization that collected the information in the first place –
the owner organization
What is the role of the CSP?
Organizations can transfer liability but not accountability
Risk assessment and mitigation throughout the data lifecycle
Knowledge about legal obligations
Privacy Risk Management and Compliance
Collection Limitation Principle
Use Limitation Principle
Security Principle
Retention and Destruction Principle
Transfer Principle
Accountability Principle
Legal and Regulatory Requirements
US Regulations
- Federal Rules of Civil Procedure
- US Patriot Act
- Electronic Communications Privacy Act
- FISMA
- GLBA
- HIPAA
- HITECH Act
International regulations
- EU Directive
- APEC Privacy Framework
Audit and Compliance
Internal Policy Compliance
Governance, Risk and Compliance (GRC)
Control Objectives
Regulatory/External Compliance
Cloud Security Alliance
Auditing for Compliance
Audit and Compliance
Define Strategy
Define Requirements (provide services to clients)
Define Architecture (that is, architect and structure services
to meet requirements)
Define Policies
Define Processes and Procedures
Ongoing operations
Ongoing monitoring
Continuous improvement
Governance, Risk and Compliance
Risk assessment
Key controls (to address the risks and compliance
requirements)
Monitoring
Reporting
Continuous improvement
Risk assessment – new IT projects and systems
Control Objectives
Security Policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and
maintenance
Information Security incident management
Compliance
Key Management
Regulatory/External Compliance
Sarbanes-Oxley Act
PCI DSS
HIPAA
COBIT
What is the impact of Cloud computing on the above
regulations?
Cloud Security Alliance (CSA)
Create and apply best practices to securing the cloud
Objectives include
- Promote common level of understanding between
consumers and providers
- Promote independent research into best practices
- Launch awareness and educational programs
- Create consensus
White Paper produced by CSA consists of 15 domains
- Architecture, Risk management, Legal, Lifecycle
management, Application security, Storage, Virtualization,
...
Auditing for Compliance
Internal and External Audits
Audit Framework
- SAS 70
- SysTrust
- WebTrust
- ISO 27001 certification
Relevance to Cloud
Cloud Service Providers
Amazon Web Services (IaaS)
Google (SaaS, PaaS)
Microsoft Azure (SaaS, IaaS)
Proofpoint (SaaS, IaaS)
RightScale (SaaS)
Salesforce.com (SaaS, PaaS)
Sun Open Cloud Platform
Workday (SaaS)
Security as a Service
Email Filtering
Web Content Filtering
Vulnerability Management
Identity Management
Impact of Cloud Computing
Benefits
- Low cost solution
- Responsiveness and flexibility
- IT expense matches transaction volume
- Business users are in direct control of technology
decisions
- Line between home computing applications and
enterprise applications will blur
Threats
- Vested interest of cloud providers
- Less control over the use of technologies
- Perceived risk of using cloud computing
- Portability and Lock-in to Proprietary systems for CSPs
- Lack of integration and componentization
Directions
Analysts predict that cloud computing will be a huge growth
area
Cloud growth will be much higher than traditional IT growth
Will likely revolutionize IT
Need to examine how traditional solutions for IAM,
Governance, Risk Assessment etc will work for Cloud
Technologies will be enhanced (IaaS, PaaS, SaaS)
Security will continue to be a major concern

More Related Content

What's hot

Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Introduction to the client server computing By Attaullah Hazrat
Introduction to the client server computing By Attaullah HazratIntroduction to the client server computing By Attaullah Hazrat
Introduction to the client server computing By Attaullah Hazrat
Attaullah Hazrat
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
Ali Raw
 

What's hot (20)

Network security policies
Network security policiesNetwork security policies
Network security policies
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
Introduction to the client server computing By Attaullah Hazrat
Introduction to the client server computing By Attaullah HazratIntroduction to the client server computing By Attaullah Hazrat
Introduction to the client server computing By Attaullah Hazrat
 
Network Virtualization
Network VirtualizationNetwork Virtualization
Network Virtualization
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Cluster Computing
Cluster ComputingCluster Computing
Cluster Computing
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Virtual Machine provisioning and migration services
Virtual Machine provisioning and migration servicesVirtual Machine provisioning and migration services
Virtual Machine provisioning and migration services
 
Cloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling TechnologiesCloud computing and Cloud Enabling Technologies
Cloud computing and Cloud Enabling Technologies
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Authentication
AuthenticationAuthentication
Authentication
 
Ch07 Access Control Fundamentals
Ch07 Access Control FundamentalsCh07 Access Control Fundamentals
Ch07 Access Control Fundamentals
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Network Security and Firewall
Network Security and FirewallNetwork Security and Firewall
Network Security and Firewall
 
IAM Cloud
IAM CloudIAM Cloud
IAM Cloud
 
Key Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTINGKey Challenges In CLOUD COMPUTING
Key Challenges In CLOUD COMPUTING
 
Network Audit
Network AuditNetwork Audit
Network Audit
 

Similar to Lecture5

Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
Mauricio Godoy
 

Similar to Lecture5 (20)

Lecture31.ppt
Lecture31.pptLecture31.ppt
Lecture31.ppt
 
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology Governance
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform Securing
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services
 
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
 
Making Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark Rivington
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptx
 
Architecting SaaS
Architecting SaaSArchitecting SaaS
Architecting SaaS
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security Webinar
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
 
AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 

Recently uploaded

Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
pritamlangde
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
HenryBriggs2
 
Query optimization and processing for advanced database systems
Query optimization and processing for advanced database systemsQuery optimization and processing for advanced database systems
Query optimization and processing for advanced database systems
meharikiros2
 

Recently uploaded (20)

8086 Microprocessor Architecture: 16-bit microprocessor
8086 Microprocessor Architecture: 16-bit microprocessor8086 Microprocessor Architecture: 16-bit microprocessor
8086 Microprocessor Architecture: 16-bit microprocessor
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Augmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptxAugmented Reality (AR) with Augin Software.pptx
Augmented Reality (AR) with Augin Software.pptx
 
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
Convergence of Robotics and Gen AI offers excellent opportunities for Entrepr...
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
 
Memory Interfacing of 8086 with DMA 8257
Memory Interfacing of 8086 with DMA 8257Memory Interfacing of 8086 with DMA 8257
Memory Interfacing of 8086 with DMA 8257
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Introduction to Geographic Information Systems
Introduction to Geographic Information SystemsIntroduction to Geographic Information Systems
Introduction to Geographic Information Systems
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
fitting shop and tools used in fitting shop .ppt
fitting shop and tools used in fitting shop .pptfitting shop and tools used in fitting shop .ppt
fitting shop and tools used in fitting shop .ppt
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata Model
 
UNIT 4 PTRP final Convergence in probability.pptx
UNIT 4 PTRP final Convergence in probability.pptxUNIT 4 PTRP final Convergence in probability.pptx
UNIT 4 PTRP final Convergence in probability.pptx
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Query optimization and processing for advanced database systems
Query optimization and processing for advanced database systemsQuery optimization and processing for advanced database systems
Query optimization and processing for advanced database systems
 
Signal Processing and Linear System Analysis
Signal Processing and Linear System AnalysisSignal Processing and Linear System Analysis
Signal Processing and Linear System Analysis
 
Post office management system project ..pdf
Post office management system project ..pdfPost office management system project ..pdf
Post office management system project ..pdf
 

Lecture5

  • 1. A Comprehensive Overview of Secure Cloud Computing
  • 2. Outline What is Cloud Computing Cloud Computing Infrastructure Security Cloud Storage and Data Security Identity Management in the Cloud Security Management in the Cloud Privacy Audit and Compliance Cloud Service Providers Security as a Service Impact of Cloud Computing Directions Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers
  • 3. What is Cloud Computing? Definition SPI Framework Traditional Software Model Cloud Services Delivery Model Deployment Model Key Drivers Impact Governance Barriers
  • 4. Definition of Cloud Computing Multitenancy - shared resources Massive scalability Elasticity Pay as you go Self provisioning of resources
  • 5. SPI Framework Software as a Service (SAAS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) Several Technologies work together - Cloud access devices - Browsers and thin clients - High speed broad band access - Data centers and Server farms - Storage devices - Virtualization technologies - APIs
  • 6. Traditional Software Model Large upfront licensing costs Annual support costs Depends on number of users Not based on usage Organization is responsible for hardware Security is a consideration Customized applications
  • 7. Cloud Services Delivery Model SaaS - Rents software on a subscription basis - Service includes software, hardware and support - Users access the service through authorized device - Suitable for a company to outsource hosting of apps PaaS - Vendor offers development environment to application developers - Provide develops toolkits, building blocks, payment hooks IaaS - Processing power and storage service - Hypervisor is at this level
  • 8. Deployment Models Public Clouds - Hosted, operated and managed by third party vendor - Security and day to day management by the vendor Private Clouds - Networks, infrastructures, data centers owned by the organization Hybrid Clouds - Sensitive applications in a private cloud and non sensitive applications in a public cloud
  • 9. Key Drivers Small investment and low ongoing costs Economies of scale Open standards Sustainability
  • 10. Impact How are the following communities Impacted by the Cloud? Individual Customers Individual Businesses Start-ups Small and Medium sized businesses Large businesses
  • 11. Governance Five layers of governance for IT are Network, Storage Server, Services and Apps For on premise hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks For SaaS model all layers are controlled by the vendor For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor
  • 12. Barriers Security Privacy Connectivity and Open access Reliability Interoperability Independence from CSP (cloud service provider) Economic value IR governance Changes in IT organization Political issues
  • 13. Cloud Computing Infrastructure Security Infrastructure Security at the Network Level Infrastructure Security at the Host Level Infrastructure Security at the Application Level Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels
  • 14. Security at the Network Level Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud Ensuring availability of the Internet facing resources of the public cloud used by the organization Replacing the established network zones and tiers with domains How can you mitigate the risk factors?
  • 15. Security at the Host Level
    Host security at the PaaS and SaaS Level
    - Both PaaS and SaaS hide the host operating system from end users
    - Host security responsibilities in SaaS and PaaS are transferred to the CSP
    Host security at the IaaS Level
    - Virtualization software security
      Hypervisor security
      Threats: Blue Pill attack on the hypervisor
    - Customer guest OS or virtual server security
      Attacks on the guest OS: e.g., stealing keys used to access and manage the hosts
  • 16. Security at the Application Level
    Usually it is the responsibility of both the CSP and the customer
    Application security at the SaaS level
    - SaaS providers are responsible for providing application security
    Application security at the PaaS level
    - Security of the PaaS platform
    - Security of the customer applications deployed on a PaaS platform
    Application security at the IaaS level
    - Customer applications are treated as a black box
    - The IaaS provider is not responsible for application-level security
  • 17. Cloud Storage and Data Security
    Aspects of Data Security
    Data Security Mitigation
    Provider Data and its Security
  • 18. Aspects of Data Security
    Security for
    - Data in transit
    - Data at rest
    - Processing of data, including multitenancy
    - Data lineage
    - Data provenance
    - Data remanence
    Solutions include encryption, identity management, sanitization
  • 19. Data Security Mitigation
    Even though data in transit is encrypted, use of the data in the cloud will require decryption
    - That is, the cloud will hold unencrypted data
    Mitigation
    - Sensitive data cannot be stored in a public cloud
    - Homomorphic encryption may be a solution in the future
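The decryption problem on the slide above is what homomorphic encryption sidesteps. The following Python block is an added example, not code from the slides or the referenced book: a toy Paillier cryptosystem (additively homomorphic) in which a simulated cloud adds and scales encrypted values without ever holding the private key. The primes `P_DEMO`/`Q_DEMO` and the sample values are constructed for illustration only.

```python
# Added example: toy Paillier cryptosystem showing additive homomorphism.
# Constructed for illustration; the 17-bit primes below give no real security.
import secrets
from math import gcd

# Constructed key material: two well-known small primes (the 9999th and 10000th).
P_DEMO, Q_DEMO = 104723, 104729


def _L(u, n):
    # Paillier's L function: (u - 1) / n, exact whenever u = 1 mod n
    return (u - 1) // n


def keygen(p=P_DEMO, q=Q_DEMO):
    """Return (public, private) keys using g = n + 1, the usual simple generator."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)        # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)          # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Data owner side: encrypt plaintext m (0 <= m < n) with fresh randomness r."""
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:                               # r must be a unit mod n
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Data owner side: recover m; only the holder of (lam, mu) can do this."""
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def cloud_add(pub, c1, c2):
    """Cloud side: ciphertext multiply yields an encryption of m1 + m2, no key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def cloud_scale(pub, c, k):
    """Cloud side: ciphertext exponentiation yields an encryption of k * m, no key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub, priv, values):
    """Owner encrypts each value, the cloud aggregates ciphertexts, the owner decrypts the sum."""
    acc = encrypt(pub, values[0])
    for v in values[1:]:
        acc = cloud_add(pub, acc, encrypt(pub, v))     # cloud never sees a plaintext
    return decrypt(pub, priv, acc)
```

Because every ciphertext uses fresh randomness, the cloud also cannot tell whether two uploads encrypt the same value, which matters in a multitenant processing setting.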
  • 20. Provider Data and its Security
    What data does the provider collect (e.g., metadata), and how can this data be secured?
    Data security issues
    - Access control, key management for encryption
    Confidentiality, Integrity and Availability are the objectives of data security in the cloud
  • 21. Identity and Access Management (IAM) in the Cloud
    Trust boundaries and IAM
    Why IAM?
    IAM challenges
    IAM definitions
    IAM architecture and practice
    Getting ready for the cloud
    Relevant IAM standards and protocols for cloud services
    IAM practices in the cloud
    Cloud authorization management
    Cloud service provider IAM practice
  • 22. Trust Boundaries and IAM
    In a traditional environment, the trust boundary is within the control of the organization
    This includes the governance of the networks, servers, services, and applications
    In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well as the organization
    Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization
    The core of the architecture is the directory service, which is the repository for the identity, credentials and user attributes
  • 23. Why IAM
    Improves operational efficiency and regulatory compliance management
    IAM enables organizations to achieve access control and operational security
    Cloud use cases that need IAM
    - Organization employees accessing a SaaS service using identity federation
    - IT admins accessing the CSP management console to provision resources and access for users using a corporate identity
    - Developers creating accounts for partner users in PaaS
    - End users accessing a storage service in a cloud
    - Applications residing in one cloud service provider accessing storage from another cloud service
  • 24. IAM Challenges
    Provisioning resources to users rapidly to accommodate their changing roles
    Handling turnover in an organization
    Disparate directories, identities, access rights
    Need standards and protocols that address the IAM challenges
  • 25. IAM Definitions
    Authentication
    - Verifying the identity of a user, system or service
    Authorization
    - Privileges that a user, system or service has after being authenticated (e.g., access control)
    Auditing
    - Examine what the user, system or service has carried out
    - Check for compliance
  • 26. IAM Practice
    The IAM process consists of the following:
    - User management (for managing identity life cycles)
    - Authentication management
    - Authorization management
    - Access management
    - Data management and provisioning
    - Monitoring and auditing
    - Provisioning
    - Credential and attribute management
    - Entitlement management
    - Compliance management
    - Identity federation management
    - Centralization of authentication and authorization
  • 27. Getting Ready for the Cloud
    An organization using a cloud must plan for user account provisioning
    - How can a user be authenticated in a cloud?
    An organization can use cloud-based solutions from a vendor for IAM (e.g., Symplified)
    - Identity Management as a Service
    Industry standards for federated identity management
    - SAML, WS-Federation, Liberty Alliance
  • 28. Relevant IAM Standards, Protocols for Cloud
    IAM Standards and Specifications for Organizations
    - SAML
    - SPML
    - XACML
    - OAuth (Open Authentication): cloud service X accessing data in cloud service Y without disclosing credentials
    IAM Standards and Specifications for Consumers
    - OpenID
    - Information Cards
    - Open Authenticate (OATH)
    - Open Authentication API (OpenAuth)
  • 29. IAM Practices in the Cloud
    Cloud Identity Administration
    - Life cycle management of user identities in the cloud
    Federated Identity (SSO)
    - Enterprise identity provider within the organization's perimeter
    - Cloud-based identity provider
  • 30. Cloud Authorization Management
    XACML is the preferred model for authorization
    RBAC is being explored
    Dual roles: Administrator and User
    IAM support for compliance management
  • 31. Cloud Service Provider and IAM Practice
    What is the responsibility of the CSP and the responsibility of the organization/enterprise?
    Enterprise IAM requirements
    - Provisioning of cloud service accounts to users
    - Provisioning of cloud services for service-to-service integration
    - SSO support for users based on federation standards
    - Support for international and regulatory policy requirements
    - User activity monitoring
    How can enterprises extend their IAM requirements to SaaS, PaaS and IaaS?
  • 32. Security Management in the Cloud
    Security Management Standards
    Security Management in the Cloud
    Availability Management
    Access Control
    Security Vulnerability, Patch and Configuration Management
  • 33. Security Management Standards
    Security management has to be carried out in the cloud
    Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002
    What are the policies, procedures, processes and work instructions for managing security?
  • 34. Security Management in the Cloud
    Availability Management (ITIL)
    Access Control (ISO, ITIL)
    Vulnerability Management (ISO, IEC)
    Patch Management (ITIL)
    Configuration Management (ITIL)
    Incident Response (ISO/IEC)
    System use and Access Monitoring
  • 35. Availability Management
    SaaS availability
    - Customer responsibility: the customer must understand the SLA and communication methods
    - SaaS health monitoring
    PaaS availability
    - Customer responsibility
    - PaaS health monitoring
    IaaS availability
    - Customer responsibility
    - IaaS health monitoring
  • 36. Access Control Management in the Cloud
    Who should have access and why?
    How is a resource accessed?
    How is the access monitored?
    Impact of access control on SaaS, PaaS and IaaS
  • 37. Security Vulnerability, Patch and Configuration (VPC) Management
    How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment?
    What is the impact of VPC management on SaaS, PaaS and IaaS?
  • 38. Privacy
    Privacy and Data Life Cycle
    Key Privacy Concerns in the Cloud
    Who is Responsible for Privacy
    Privacy Risk Management and Compliance in the Cloud
    Legal and Regulatory Requirements
  • 39. Privacy and Data Life Cycle
    Privacy: accountability of organizations to data subjects, as well as transparency of an organization's practices around personal information
    Data Life Cycle
    - Generation, Use, Transfer, Transformation, Storage, Archival, Destruction
    - Need policies
  • 40. Privacy Concerns in the Cloud
    Access
    Compliance
    Storage
    Retention
    Destruction
    Audit and Monitoring
    Privacy Breaches
  • 41. Who is Responsible for Privacy
    The organization that collected the information in the first place: the owner organization
    What is the role of the CSP?
    Organizations can transfer liability but not accountability
    Risk assessment and mitigation throughout the data lifecycle
    Knowledge about legal obligations
  • 42. Privacy Risk Management and Compliance
    Collection Limitation Principle
    Use Limitation Principle
    Security Principle
    Retention and Destruction Principle
    Transfer Principle
    Accountability Principle
  • 43. Legal and Regulatory Requirements
    US Regulations
    - Federal Rules of Civil Procedure
    - US Patriot Act
    - Electronic Communications Privacy Act
    - FISMA
    - GLBA
    - HIPAA
    - HITECH Act
    International regulations
    - EU Directive
    - APEC Privacy Framework
  • 44. Audit and Compliance
    Internal Policy Compliance
    Governance, Risk and Compliance (GRC)
    Control Objectives
    Regulatory/External Compliance
    Cloud Security Alliance
    Auditing for Compliance
  • 45. Audit and Compliance
    Define strategy
    Define requirements (provide services to clients)
    Define architecture (that is, architect and structure services to meet requirements)
    Define policies
    Define processes and procedures
    Ongoing operations
    Ongoing monitoring
    Continuous improvement
  • 46. Governance, Risk and Compliance
    Risk assessment
    Key controls (to address the risks and compliance requirements)
    Monitoring
    Reporting
    Continuous improvement
    Risk assessment for new IT projects and systems
  • 47. Control Objectives
    Security Policy
    Organization of information security
    Asset management
    Human resources security
    Physical and environmental security
    Communications and operations management
    Access control
    Information systems acquisition, development and maintenance
    Information security incident management
    Compliance
    Key Management
  • 48. Regulatory/External Compliance
    Sarbanes-Oxley Act
    PCI DSS
    HIPAA
    COBIT
    What is the impact of cloud computing on the above regulations?
  • 49. Cloud Security Alliance (CSA)
    Create and apply best practices for securing the cloud
    Objectives include
    - Promote a common level of understanding between consumers and providers
    - Promote independent research into best practices
    - Launch awareness and educational programs
    - Create consensus
    The White Paper produced by the CSA consists of 15 domains
    - Architecture, Risk management, Legal, Lifecycle management, Application security, Storage, Virtualization, ...
  • 50. Auditing for Compliance
    Internal and External Audits
    Audit Framework
    - SAS 70
    - SysTrust
    - WebTrust
    - ISO 27001 certification
    Relevance to Cloud
  • 51. Cloud Service Providers
    Amazon Web Services (IaaS)
    Google (SaaS, PaaS)
    Microsoft Azure (SaaS, IaaS)
    Proofpoint (SaaS, IaaS)
    RightScale (SaaS)
    Salesforce.com (SaaS, PaaS)
    Sun Open Cloud Platform
    Workday (SaaS)
  • 52. Security as a Service
    Email Filtering
    Web Content Filtering
    Vulnerability Management
    Identity Management
  • 53. Impact of Cloud Computing
    Benefits
    - Low-cost solution
    - Responsiveness, flexibility
    - IT expense matches transaction volume
    - Business users are in direct control of technology decisions
    - The line between home computing applications and enterprise applications will blur
    Threats
    - Vested interest of cloud providers
    - Less control over the use of technologies
    - Perceived risk of using cloud computing
    - Portability and lock-in to proprietary systems of CSPs
    - Lack of integration and componentization
  • 54. Directions
    Analysts predict that cloud computing will be a huge growth area
    Cloud growth will be much higher than traditional IT growth
    Will likely revolutionize IT
    Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc. will work for the Cloud
    Technologies will be enhanced (IaaS, PaaS, SaaS)
    Security will continue to be a major concern