Cloud Security

  1. Cloud Security http://clean-clouds.com
  2. Objectives
      Security Objectives
      Cloud Characteristics & Security Implications
      Cloud Security Challenges
      Control & Cloud Service Model
      Roles & Responsibilities
      Security Guidelines
      Documents & Checklists
  3. Security Objectives
      Cloud security is about three objectives (the CIA triad):
     ◦ Confidentiality (C): keeping data private
     ◦ Integrity (I): data in the cloud is what it is supposed to be, i.e. it has not been altered or lost
     ◦ Availability (A): data and services can be reached when they are needed
  4. Cloud Computing ~ Economy of Scale & Security
      All kinds of security measures are cheaper when implemented on a larger scale
     ◦ e.g. filtering, backup, patch management, hardening of virtual machine instances and hypervisors
      The same amount of investment in security therefore buys better protection
  5. Cloud Security - Overview
      Cloud computing presents an added level of risk:
     ◦ Services are outsourced to a third party
     ◦ Off-premise
     ◦ Multi-tenant architecture
     ◦ Loss of governance: less control over data and operations
     ◦ Legal and contractual risks
  6. Cloud Characteristics -> Outsourced (figure only)
  7. Cloud Characteristics -> Off-Premise (figure only)
  8. Multi-Tenant Architecture ~ Shared Resources (figure only)
  9. Loss of Governance
      The client cedes control to the provider on a number of issues affecting security:
     ◦ External penetration testing not permitted
     ◦ Very limited logs available
     ◦ Usually no forensics service offered
     ◦ Not possible to inspect hardware
     ◦ No information on location/jurisdiction of data
     ◦ The provider may outsource or sub-contract services to third parties (fourth parties?)
  10. Legal and Contractual Risks
      Data in multiple jurisdictions, some of which may be risky
     ◦ Multiple transfers of data exacerbate the problem
      Subpoena and e-discovery
      Intellectual property
      Risk allocation and limitation of liability
      Compliance challenges: how to provide evidence of compliance
  11. Cloud Security Challenges - Part 1
      Data dispersal and international privacy laws
     ◦ Exposure of data to foreign governments and data subpoenas
     ◦ Data retention issues
      Need for isolation management
      Multi-tenancy
      Logging challenges
      Data ownership issues
      Quality of service guarantees
  12. Cloud Security Challenges - Part 2
      Dependence on secure hypervisors
      Attraction to hackers (high-value target)
      Security of virtual OSs in the cloud
      Possibility of massive outages
      Encryption needs for cloud computing
     ◦ Encrypting administrative access to OS instances
     ◦ Encrypting application data at rest
     ◦ Encrypting application data in transit
      Public cloud vs. internal cloud security
  13. Additional Issues
      Issues with moving PII and sensitive data to the cloud
     ◦ Privacy impact assessments
      Using SLAs to obtain cloud security
     ◦ Suggested requirements for cloud SLAs
     ◦ Issues with cloud forensics
      Contingency planning and disaster recovery for cloud implementations
      Handling compliance
     ◦ FISMA
     ◦ HIPAA
     ◦ FDA
     ◦ PCI
     ◦ SAS 70 audits
  14. Control & Cloud Service Model (figure only)
  15. Responsibilities (figure only)
  16. CIA & Cloud Service Model (figure only)
  17. Why is Security the "X" Factor for a Cloud Service Provider?
  18. Skin in the Game & Cloud Service Provider
      "Skin in the game" is a term popularised by the investor Warren Buffett, referring to a situation in which high-ranking insiders use their own money to buy stock in the company they are running.
  19. Security Guidelines for Application Migration on Cloud
  20. How can Security Guidelines help? (figure only)
  21. Cloud Security Areas
  22. Identity & Access Management
      Authentication
     ◦ Existing authentication or the cloud provider's authentication service?
      SSO
     ◦ Single sign-on for applications on the cloud and on premise?
      Authorization
     ◦ User provisioning and de-provisioning service
      User directory & federation services
     ◦ How is trust maintained across the cloud and on-premise domains?
  23. Directory Services
      Federation services like ADFS 2.0 implement standards such as WS-Trust and WS-Federation, which is useful.
      Using the WS-Federation standard, Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server.
      IBM Tivoli Federated Identity Manager is used for federation services.
  24. Data Security
      Hardware, database, memory, etc. are shared with other tenants, like booking a hotel room or a seat on an aircraft.
  25. Information Security Life-Cycle
      Data confidentiality
      Data integrity
      Availability
      Backup & archive
      Key management
  26. Is Encryption Sufficient?
      Encryption technique, e.g. symmetric encryption such as 128/256-bit AES, or asymmetric encryption
      File system or disk encryption techniques
      Does the encryption module meet FIPS 140-2?
      Practical processing operations on encrypted data are not possible: data has to be decrypted to be used, so whoever holds the keys (provider or customer) effectively controls the data
  27. Network Security
      Concerns
     ◦ Security for data in transit
     ◦ Perimeter security
     ◦ Network security threats (DoS, man-in-the-middle, packet sniffing)
      Solutions
     ◦ Virtual Private Cloud
     ◦ IPsec networks
     ◦ Stateful firewall
  28. Virtualization Security
      Virtualization / hypervisor threats: how are your data and application isolated from other customers?
      Host operating system: how is the host operating system protected?
      OS hardening: how is OS-level security such as OS hardening maintained?
      Anti-virus: how is protection from malware and spyware ensured?
  29. Physical Security
      Environmental safeguards (SAS 70 Type II audit procedures)
     ◦ Redundancy
     ◦ Climate and temperature
     ◦ Fire detection and suppression
      Physical security (SAS 70 Type II audit procedures)
     ◦ Professional security staff utilizing video surveillance
     ◦ Authorized staff must pass two-factor authentication
     ◦ Access to datacenters by employees must be logged and audited routinely
  30. Incident Response in the Cloud
      What constitutes a cloud-based incident?
     ◦ Customer vs. provider definitions
      What technologies play a key role in incident detection and response?
     ◦ Network security, host controls, monitoring/alerting
      What do cloud customers need to ask/know about provider incident response?
     ◦ Will consumer organizations be provided an audit trail? Maybe.
  36. http://clean-clouds.com
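Slides 25 and 26 list key management as part of the information security life-cycle and ask whether encryption alone is sufficient. The Go program below is an added example, not part of the deck and not code from clean-clouds.com. It shows envelope encryption of one stored object with AES-256-GCM: the data is encrypted under a per-object data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that the customer keeps; only the wrapped DEK travels with the ciphertext. GCM also authenticates the data, so a flipped bit in storage, a ciphertext copied to another object, or the wrong KEK all make decryption fail. The names (`Encrypt`, `Decrypt`, `EncryptedObject`, the object ID used as associated data) and the KEK generated in memory are assumptions for illustration; in practice the KEK would be held in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what would be stored at the provider: the data under a
// per-object data-encryption key (DEK), plus that DEK wrapped under a
// key-encryption key (KEK) that stays with the customer (or a KMS/HSM).
// Both fields carry their random 12-byte GCM nonce as a prefix.
type EncryptedObject struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// seal encrypts and authenticates plaintext with AES-GCM under key; aad is
// authenticated but not encrypted, so a mismatch makes decryption fail.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK for one object, encrypts the data under
// it and wraps the DEK under the KEK. objectID is bound in as AAD so a ciphertext
// copied into another object's slot will not decrypt.
func Encrypt(kek, plaintext []byte, objectID string) (*EncryptedObject, error) {
	dek := make([]byte, 32) // AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK: without it the stored object is opaque to the provider,
// and with it the data must be fully decrypted before it can be processed.
func Decrypt(kek []byte, obj *EncryptedObject, objectID string) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // assumption: in practice fetched from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, []byte("cardholder record 42"), "invoice-7")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj, "invoice-7")
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 0x01 // one flipped bit in storage
	_, err = Decrypt(kek, obj, "invoice-7")
	fmt.Println("after tamper:", err)
}
```

The point for the "is encryption sufficient?" question: the provider can store `EncryptedObject` without learning anything, but every read path that processes the data needs the KEK, so the key-management decision (who holds it, where it is used) is the real control, and FIPS 140-2 validation applies to the module that performs these operations, not to the algorithm choice on its own.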
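Slide 30 asks which technologies matter for incident detection and whether the customer will even get an audit trail, and slide 11 lists logging as a challenge. As an added example (not part of the deck and not code from clean-clouds.com), the Go program below runs the kind of detection logic a customer can apply once a provider does hand over a trail: it parses newline-delimited JSON audit events and raises alerts for a burst of failed logins from one actor and source, a successful login right after such a burst, and a privileged action performed without MFA. The event schema, the action names in `privileged`, and the `SampleLog` lines are all constructed for this example; real providers each use their own formats.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one line of a hypothetical provider audit trail (constructed schema).
type Event struct {
	Time   time.Time `json:"time"`
	Actor  string    `json:"actor"`
	Action string    `json:"action"`
	Result string    `json:"result"`
	Src    string    `json:"src"`
	MFA    bool      `json:"mfa"`
}

type Alert struct{ Rule, Actor, Detail string } // what detection hands to the responder

// SampleLog is constructed input: three failed logins, then a success and an
// access-key creation without MFA for alice; ordinary MFA-backed activity for bob.
const SampleLog = `
{"time":"2024-05-01T10:00:01Z","actor":"alice","action":"ConsoleLogin","result":"FAILURE","src":"203.0.113.9","mfa":false}
{"time":"2024-05-01T10:00:20Z","actor":"alice","action":"ConsoleLogin","result":"FAILURE","src":"203.0.113.9","mfa":false}
{"time":"2024-05-01T10:00:45Z","actor":"alice","action":"ConsoleLogin","result":"FAILURE","src":"203.0.113.9","mfa":false}
{"time":"2024-05-01T10:01:10Z","actor":"alice","action":"ConsoleLogin","result":"SUCCESS","src":"203.0.113.9","mfa":false}
{"time":"2024-05-01T10:02:00Z","actor":"alice","action":"CreateAccessKey","result":"SUCCESS","src":"203.0.113.9","mfa":false}
{"time":"2024-05-01T11:00:00Z","actor":"bob","action":"ConsoleLogin","result":"SUCCESS","src":"198.51.100.4","mfa":true}
{"time":"2024-05-01T11:05:00Z","actor":"bob","action":"AttachAdminPolicy","result":"SUCCESS","src":"198.51.100.4","mfa":true}
`

// privileged lists actions the customer requires to be MFA-backed (assumed names).
var privileged = map[string]bool{"CreateAccessKey": true, "AttachAdminPolicy": true}

const failWindow, failThreshold = 5 * time.Minute, 3

// ParseEvents decodes a stream of JSON events and rejects malformed ones rather
// than silently dropping them: a gap in the trail is itself a finding.
func ParseEvents(lines string) ([]Event, error) {
	var evs []Event
	dec := json.NewDecoder(strings.NewReader(lines))
	for dec.More() {
		var e Event
		if err := dec.Decode(&e); err != nil {
			return nil, fmt.Errorf("event %d: %w", len(evs)+1, err)
		}
		evs = append(evs, e)
	}
	return evs, nil
}

// Detect applies three rules in event order: a burst of login failures from one
// actor+source inside failWindow (reported once per burst), a successful login
// right after such a burst, and any privileged action performed without MFA.
func Detect(evs []Event) []Alert {
	fails := map[string][]time.Time{} // recent failure times per actor@src
	fired := map[string]bool{}
	var alerts []Alert
	for _, e := range evs {
		if privileged[e.Action] && !e.MFA {
			alerts = append(alerts, Alert{"privileged-action-without-mfa", e.Actor, e.Action + " from " + e.Src})
		}
		if e.Action != "ConsoleLogin" {
			continue
		}
		k := e.Actor + "@" + e.Src
		switch e.Result {
		case "SUCCESS":
			if len(fails[k]) >= failThreshold {
				alerts = append(alerts, Alert{"success-after-failure-burst", e.Actor, "login succeeded from " + e.Src})
			}
		case "FAILURE":
			kept := fails[k][:0] // keep only failures still inside the window
			for _, t := range fails[k] {
				if t.After(e.Time.Add(-failWindow)) {
					kept = append(kept, t)
				}
			}
			fails[k] = append(kept, e.Time)
			if len(fails[k]) >= failThreshold && !fired[k] {
				fired[k] = true
				alerts = append(alerts, Alert{"login-failure-burst", e.Actor, fmt.Sprintf("%d failures from %s within %s", len(fails[k]), e.Src, failWindow)})
			}
		}
	}
	return alerts
}

func main() {
	evs, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs) {
		fmt.Printf("%-30s %-6s %s\n", a.Rule, a.Actor, a.Detail)
	}
}
```

On the sample trail this yields three alerts, all for alice, and none for bob. The rules depend on fields the provider must actually deliver (timestamps, source address, MFA state, a stable action name), which is the concrete version of the slide's question about what customers need to ask for in an audit trail.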
