Next slides explain the characteristics.
Motivation: not to win the debate on who is the most pure cloud provider, but to explain why without these essential characteristics the model provides no, or only very limited, business value, hence the case / ROI will fail.
Push out to other NIST slides, if asked for (breakout deck)
Illustrate: process optimized, lower cost, time to market, but automation (cost) only possible by having sufficient scale Also: the trend to do with less and less personal interaction for lower valued products
The obvious, but add the Intel trends
Explain why ALL resources in cloud must be pooled.
Scale up but also: scale down.
Explain (story) why providers with short term contracts are more successful.
Explain why many private clouds (financed pool, just a few servers with VMware, limited in upper size) are not clouds
Explain the pay per use model. Explain why this requires metering and rating. Compare to the telco industry.
Explain why clouds with a fixed price do not bring the business benefits to the user
Number of hosts accessed directly by the browser, per user transaction, averaged across 3,000 companies
Reiterate some other drivers
Explain why this is a disruptive innovation, mention drivers:
Made possible by the Gartner curve starting in 2000, internet
Add virtualization and other technology push
Add economy of scale, see Microsoft doc “The Economics of the Cloud”
Add Nicholas Carr, 2007
Add Intel trends
Todo: move the cases to the breakout deck, select depending on type of participant and their markets
Explain why a private cloud is in fact a dedicated pool. All characteristics must apply.
Explain the risk of a fixed, dedicated pool.
Expand on the perceived risks by customers (the reason why they elect a private cloud), the true risks and the trade-offs
Case: private cloud. Cloud computing
Case: PaaS cloud, private
Case: community SaaS cloud
Cloud Security 101
presented at OHM2013
“what would General Eisenhower say about PRISM”
Dr. Peter HJ van Eijk
Cloud Security: an oxymoron?
The knee-jerk reaction of a lot of people when they
first hear about cloud is:
– “The PATRIOT act/PRISM allows the US
government/YFTLA * to see everything that
(I do/everything my company does)
on the internet”
– “Therefore, the cloud is evil”
– “Besides: cloud computing is marketing hype.”
Is YFTLA ruining your internet?
Whose internet is it anyway?
*) Your favorite three letter agency
This talk’s roadmap
• Who am I? Who are you?
• Security and power in a historical context
• The Cloud: hype or reality?
• Basic cloud security concepts and methods
• Wrap up
Who am I?
• One of the world’s most experienced
independent cloud trainers.
• Developing and delivering cloud training such as
CCSK, Cloud Essentials and Cloud Governance
• Work history: University of Twente, AT&T Bell
Labs 07974, EDS, Eunet, Deloitte, independent
• See www.clubcloudcomputing.com for more
Who are you at OHM2013?
• You are probably professionally involved in IT
or IT security
• You might work at or for corporate IT or with
• Or maybe for a three-letter agency
• You might be a senior
developer, sysadmin, risk manager, consultant
Dwight D. Eisenhower
• 5-star general US army
• Supreme commander of
Allied Forces in Europe
• Responsible for D-day ‘the
longest day’ invasion of
Normandy June 1944
• 1st Supreme Allied
Commander Europe (NATO)
• 34th president of the USA
• Instituted NASA and DARPA
Dwight D Eisenhower warns in 1961
• On January 17, 1961, Eisenhower gave his final televised Address to the Nation
from the Oval Office. In his farewell speech, Eisenhower raised the issue of the
Cold War and role of the U.S. armed forces. He described the Cold War: "We face a
hostile ideology global in scope, atheistic in character, ruthless in purpose and
insidious in method ..." and warned about what he saw as unjustified government
spending proposals and continued with a warning that "we must guard
against the acquisition of unwarranted
influence, whether sought or unsought, by the
military–industrial complex." He said, "we recognize the
imperative need for this development ... the potential for the disastrous rise of
misplaced power exists and will persist ... Only an alert and
knowledgeable citizenry can compel the proper
meshing of the huge industrial and military
machinery of defense with our peaceful methods
and goals, so that security and liberty may prosper
2013 update: g/the Cold War/s//Terrorism/
“we must guard against the
acquisition of unwarranted
influence, whether sought or
unsought, by the
DARPA: Defense Advanced Research
• Part of the military-industrial complex
• Established 1958 under Eisenhower
• Funds a significant part of all US Information
• Set up ARPAnet in 1969, which we now know as
• Arguably the most important founding
(grand)father of “the cloud”
Who is who?
• The internet is a product of the military-industrial
• Who is part of this complex?
– HP, Cisco, AT&T, IBM, Microsoft, most US universities
and research agencies, etc.
– Most of Silicon Valley
– The security industry ….
• That includes you, probably.
Whose side are you on?
• Friend or Foe?
• Black hat or white hat?
• Cat or mouse?
• Inventor or user?
• You decide …
Personal opinion and story
• I believe there is a role for regulation and
governments in the way we collectively handle
• I don’t believe that uncontrolled access to
data is healthy, neither by governments or
• “A car with your name on it is used for an
armed robbery” <- this and similar things have
happened to me.
WHAT IS CLOUD COMPUTING AND
WHY ARE PEOPLE USING IT?
Cloud computing is a type of IT outsourcing
See NIST definitions on http://www.nist.gov/itl/cloud/
NIST: Cloud computing is a model for enabling
convenient, on-demand network access to a shared pool
of configurable computing resources […]. This cloud
model promotes availability and is composed of five
• On-demand self-service
• Broad network access,
• Resource pooling
• Rapid elasticity
• Measured Service (pay as you go)
Colloquial: Your data on somebody
else’s hard disk.
The consumer can
unilaterally decide to change
consumption, i.e. through a
No human intervention at
The service is accessible
•through a variety of
•by a variety of devices: PC,
The network is a given
The resources are pooled to
serve a number of
independent users. This is
also called ‘multi-tenancy’.
Resources will be allocated
Resources could be
The resources can be scaled
up and down quickly.
This is done without
intervention, through the
on-demand self service.
The consumption of the
resource is measured in a
meaningful way, e.g.
capacity, user counts.
This usage can be the basis
for the billing of the
Software as a Service
Platform as a Service
Infrastructure as a Service
Not all clouds are created equal: three ‘service models’
Web API / PaaS connection
Who is hosting my website, really?
Integration happens client side
* Source: Gomez 2010
In November 2010, 30% of web transactions used an Amazon EC2 object
Companies are flocking to the cloud
because of the business benefits
they experience or expect
Generic IT outsourcing
• Speed of deployment
• Fast scale up and down
• Low initial cost
• Low capital cost
• Easier integration
• Wider user base
IT is outgrowing the capability of
organizations to manage IT
• IT is still one of the fastest growing and innovative
technologies, 50 years and counting
• From 1:20 to 1:1000 productivity.
– i.e. servers, workplaces, network connections
• Do you think that Joe R. SME can run secure IT in
his closet? Really. What are you smoking?
It is ‘cloud’ when the consumer
experiences it as ‘cloud’.
The cloud is *BIG*.
Amazon, Google and Microsoft have
200K-2M+ servers, each.
Akamai runs 10-20% of total
• Much cheaper
• Not as good (initially)
• Rapidly improving
• Eventually drives original
out of the market
• Addresses ‘over served’
• Mass manufacturing
• Cloud Computing
•Up to date content
Content hosted at
Flickr, Twitter and
Dutch Olympic committee website
• Challenge: The Dutch Olympic committee had a
traditionally hosted website for the Beijing games
in 2008, running up a bill of more than 150.000
• Approach: For the Vancouver games they totally
changed the concept. The website became a single
page, hosted in the cloud. This page then pulls in
social media content that is hashtagged #os2010.
• It is displayed on two panes. The top
one, whitelisted by author name, is the editorial
content. The rest is social media content. Run cost
for the new website: a few hundred euro per
Oxfam: flexible capacity
• Type of organization: charity, relief aid
• # IT staff: ~200
• Challenge: inconsistent infrastructure, no scalability for
seasonal or exceptional (i.e. natural disasters) demand
• Approach: IBM private cloud (IaaS)
KLM: dispersed workforce
• Type of organization: Airline
• Challenge: dispersed workforce, multilingual,
multiple devices to work on
• Solution: SaaS. Google Apps Premier Edition
for more than 10.000 crew members
Canadian Pacific: flexible deployment
• Type of organization: Railroad
– “…lead times to get new infrastructure for
development, for test, for experimentation purposes as
well as production purposes,” said Stuart
Charlton, executive IT advisor at CP.
• Approach: IaaS private cloud plus Amazon;
– IBM WebSphere eXtreme Scale for developing distributed
Commonwealth of Virginia:
• Type of organization: Public Government
• Challenge: procurement process spread over 171
agencies, most having their own IT systems, controlling
• Approach: Community SaaS procurement system
Cloud is the same, but different
• Like Websites/web technology
– Technical risk
• but different
– Scalability and elasticity much higher
• Like outsourcing
– Third party risk
• but different
– Speed of control and failure is much higher
– Chains of providers
– More sharing
– But taken to much higher levels of automation
Cloud computing implies
massive sharing and scaling
– Capacity management
– Multi-tenancy leakage
– More ‘collateral damage’ of legal action
– Bigger impact of failures
– More interesting target for cybercrime
You cannot manage this risk on a yearly or even
See Animoto autoscaling (next slide)
Animoto, EC2 and
Launch of Facebook modification
Peak of 4700 instances
[Chart: EC2 instance count per day, 4/13/2008 to 4/20/2008]
Using RightScale, Animoto
automatically scaled to
handle a dramatic load to
Inside scoop at http://blog.rightscale.com/2008/04/23/animoto-facebook-scale-up/
Cloud Computing differs from
• Contracts much more flexible/volatile
• More sharing of resources across customers
• Little influence from customer
• More players and layers involved
• More legal implications
Cloud brings new technology
– VMs, storage, databases, application code
• Federated Identity Management
– OpenID, Oauth, SAML
This tends to be a tough challenge for
•Software publishers moving to a SaaS model and
•Hosting companies moving to an IaaS model
Compliance is harder in the cloud
• More moving parts
• More regulation
– E-DPD, PCI-
DSS, HIPAA, Sox, Ediscovery, Netneutrality, privacy,
etc, etc, etc
• More risk exposure
– The world is our playfield
Cloud Security Alliance
The Cloud Security Alliance (CSA) is an industry
consortium, volunteer based, open.
• Sample products
– CCSK (Certificate of Cloud Security Knowledge)
• CSA guidance, ENISA study
– Clouds Controls Matrix
– STAR registry
• Disclosure: I am a certified CCSK trainer, and
Dutch chapter board member.
Similar/complementary efforts underway at
ISO, ISACA, etc.
CCSK Course Structure
1 Intro to Cloud Computing
2 Infrastructure Security
•Securing base infrastructure
•Management plane security
•Securing Virtual Hosts and
•IaaS, PaaS, SaaS security
3 Managing Cloud
Security and Risk
•Risk and Governance
•Legal and Compliance
•Incident response and more
4 Data Security for Cloud
•Cloud Data Architectures
•Data Security Lifecycle
•Data security and
•Data Loss prevention
5 Securing Cloud
Applications and Users
•Identity and Access
6 Selecting Cloud Services
•What to look for in a cloud
•Security as a Service
• No longer sufficient
• Still required, with additional surface to
protect (hypervisor, management plane)
• More opportunity for fine grained and elastic
controls, especially through automation
• A blanket (perimeter) approach to data
• The data that matters to you might not be in
your datacenter to begin with
• Lifecycle model allows more precise controls
to be applied
• Encryption can be applied on multiple levels.
• Web security++ (OWASP on steroids)
• Application lifecycle model allows more fine-
grained controls to be applied
• Federated ID-management allows decoupling
of Identity Providers and Relying Parties
• Can reduce the need for credential sprawl and
Security as a Service
• The cloud can be a source of security solutions
• E.g. spam filtering, web filtering, management
dashboards, DDOS protection.
How does professional security and
risk management work?
• Risk based: professional risk management
prioritizes the most important risks
– No superfluous or useless measures and controls
• Professional risk management incorporates audit
and compliance obligations
– Anchor in operational process, instead of running a
troublesome project for each audit
• Professional risk management is repeatable and
– Champagne? Really? Did you expect the audit to be a
one time effort?
• Cloud security alliance: Cloud Control Matrix
• ISACA : Cobit, mostly cost/value based
• ISO: ISO 27001 Information Security
• CloudControls.org: Dutch initiative
• ISO: ISO 20000 Not security but relevant as a
service management and governance
Cloud Security Alliance
Cloud Control Matrix
• CSA: dominant industry coalition
• Cloud Controls Matrix version 1.3
– soon to be v3.0
• CCM features:
– 11 control areas, 98 controls
– Selectable by S-P-I, Provider/Tenant
– Cross referenced to COBIT, ISO, HIPAA, PCI-DSS
• 3rd and 4th party management
• Identity and Access Management (IAM)
The future of cloud GRC
• Collaborative effort between provider and
• Continuous audit
• As automated as possible
• Integrated GRC: risk management in the
widest sense of the word drives governance
– Compliance is a collateral benefit
– Maturity level of organization rises
CCM (Cloud Control Matrix), CAIQ (Consensus Assessments Initiative Questionnaire),
Cloud Audit and CTP (Cloud Trust Protocol) are products maintained by CSA (Cloud
Cloud compliance in real-time
CCM CO-02: Independent reviews and assessments shall be
performed at least annually […]
CAIQ CO-02.3: Do you conduct regular application
penetration tests of your cloud infrastructure as
prescribed by industry best practices and guidance?
Cloud Audit http://mycloudprovider.com
CTP "It is 11 pm, do you know in which geography your
virtual machines are running?"
Sample Questions to Vendors
CO-02
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or
similar third party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure
regularly as prescribed by industry best practices and guidance?
CO-02c - Do you conduct application penetration tests of your cloud service infrastructure
regularly as prescribed by industry best practices and guidance?
CO-02d - Do you conduct internal audits regularly as prescribed by industry best
practices and guidance?
CO-02e - Do you conduct external audits regularly as prescribed by industry best
practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their
CO-02g - Are the results of internal and external audits available to tenants at their
Data Governance -
DG-02
DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata
(ex. Tags can be used to limit guest operating systems from
booting/instantiating/transporting data in the wrong country, etc.?)
DG-02b - Do you provide a capability to identify hardware via policy
tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?
DG-02c - Do you have a capability to use system geographic location as an
DG-02d - Can you provide the physical location/geography of storage of a tenant’s data
DG-02e - Do you allow tenants to define acceptable geographical locations for data
routing or resource instantiation?
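The CTP question above and the CO-02 / DG-02 items are the kind of thing a real-time compliance check can evaluate automatically instead of once a year. The following is an added example, not code from the talk or from the CSA: a tenant-side check over a constructed VM inventory and assessment log (tenant names, region tags, dates and the control interpretations are assumptions) that reports VMs running outside the geographies a tenant accepts and reviews older than a year.

```python
from datetime import date

# Constructed sample inventory: VM id, owning tenant and the region tag the
# provider attached to it (the DG-02a/b policy tag idea from the CAIQ).
VM_INVENTORY = [
    {"vm": "vm-001", "tenant": "acme", "region": "eu-west"},
    {"vm": "vm-002", "tenant": "acme", "region": "us-east"},
    {"vm": "vm-003", "tenant": "globex", "region": "ap-south"},
]

# Constructed tenant policies (DG-02e): geographies each tenant accepts.
TENANT_GEO_POLICY = {
    "acme": {"eu-west", "eu-central"},
    "globex": {"ap-south", "ap-east"},
}

# Constructed provider assessment log (CO-02): last date each review ran.
ASSESSMENTS = {"independent_review": "2012-05-01", "app_pentest": "2013-03-02"}


def geo_violations(inventory, policy):
    """Return (vm, tenant, region) for every VM running outside the
    geographies its tenant allows; a tenant with no policy is reported too,
    since 'unknown' is not an acceptable answer to the CTP question."""
    out = []
    for item in inventory:
        allowed = policy.get(item["tenant"])
        if allowed is None or item["region"] not in allowed:
            out.append((item["vm"], item["tenant"], item["region"]))
    return out


def overdue_assessments(assessments, today_iso, max_age_days=365):
    """CO-02 asks for independent reviews at least annually: return the
    assessment names whose last run is older than max_age_days on today_iso."""
    today = date.fromisoformat(today_iso)
    return sorted(name for name, when in assessments.items()
                  if (today - date.fromisoformat(when)).days > max_age_days)


if __name__ == "__main__":
    for vm, tenant, region in geo_violations(VM_INVENTORY, TENANT_GEO_POLICY):
        print(f"DG-02: {vm} of {tenant} runs in {region}, outside its policy")
    for name in overdue_assessments(ASSESSMENTS, "2013-08-01"):
        print(f"CO-02: {name} is older than one year")
```

Run against a provider's real tag export (CSA CloudAudit or CTP style feeds) the same two functions become the continuous-audit loop the GRC slides describe.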
Security, Trust and Assurance Registry (STAR)
• Cloud Security Alliance initiative
• An online clearinghouse where cloud
providers can submit documentation detailing
their security controls for review by potential
customers, indexed by CAIQ reference
• 22 participating providers, including Amazon
Web services, Microsoft Azure.
Patriot act !?
• In the context of cloud
computing, the Patriot act hardly
adds anything to the power that
the US federal government
already has in accessing digital
• Other governments have
similar, or even more extensive
• Competitive advantage based on
not having infrastructure on US
territory is speculative, at best.
The Sting, Paul Newman to Robert Redford: “If this goes wrong, the Feds will be the least of our problems.”
• It is a new world out there, and it has only just
• Cloud computing is inevitable
• New security issues *and* controls exist
• You can be an ‘alert and knowledgeable
citizen’ and ‘security and liberty may prosper
• If you apply your own moral compass
and search for CCSK