Cloud Computing Security Needs & Problems Alon Refaeli


Published on

Cloud Computing Security Needs & Problems

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cloud Computing Security Needs & Problems Alon Refaeli

  1. 1. Practical Security Problems in Cloud Computing Alon Refaeli – Porticor Technologies [email_address] May 2009
  2. 2. The Cloud Computing Main Elements <ul><li>Infrastructure As a Service (IaaS) – switch , NT, access control etc. </li></ul><ul><li>Platform As a Service (PaaS) - .Net,Java,LAMP etc. </li></ul><ul><li>Software As a Service (SaaS) – CRM, ERP etc. </li></ul>
  3. 3. Foundational Elements of Cloud Computing <ul><li>Business Models : </li></ul><ul><li>Web 2.0 </li></ul><ul><li>• Software as a Service (SaaS) </li></ul><ul><li>• Utility Computing </li></ul><ul><li>• Service Level Agreements </li></ul><ul><li>• Open standards, Data Portability, and Accessibility </li></ul><ul><li>Architecture : </li></ul><ul><ul><li>Autonomic System Computing </li></ul></ul><ul><ul><li>Grid Computing </li></ul></ul><ul><ul><li>Platform Virtualization </li></ul></ul><ul><ul><li>Web Services </li></ul></ul><ul><ul><li>Service Oriented Architectures </li></ul></ul><ul><ul><li>Web application frameworks </li></ul></ul><ul><ul><li>Open source software </li></ul></ul>
  4. 4. Why Cloud Computing? <ul><li>Capital Expenditure </li></ul><ul><li>Multitenancy </li></ul><ul><li>Scalability </li></ul><ul><li>Reliability </li></ul><ul><li>Security </li></ul><ul><li>Performance </li></ul><ul><li>Location Independence </li></ul>
  5. 5. Cyber Threats – No End in Sight <ul><li>Thousands of cyber attacks each day on key utilities </li></ul><ul><li>Well known infrastructure-based disruptions : September 11 Internet Inaccessibility , Estonian DDoS Attacks ,DNS Attacks ,Georgian Attacks from Russia </li></ul><ul><li>General consensus – attacks growing in sophistication and scale </li></ul>
  6. 6. Security Threats + Cloud = ?? <ul><li>New challenges emerge as services become more distributed : </li></ul><ul><li>Nobody ‘owns’ the cloud </li></ul><ul><li>Everyone relies on the cloud </li></ul><ul><li>Each individual autonomous system is responsible for securing their section of the cloud </li></ul><ul><li>Impact of their actions now affects everyone – even more than before! </li></ul><ul><li>Bottom line… things that impact you and your business don’t end at your gateway anymore </li></ul>
  7. 7. Cloud Computing Threats
  8. 8. Security follows mainstream IT Platform Evolution 1990’s Operational Complexity Reduced 2000 2002 2005 Software Gateway Software Client-Server Appliance SaaS Software End-Point 2009 Virtual Machine Cloud Mobile
  9. 9. Key Customer Questions on SaaS and Cloud Client type services Privacy Performance Availability Personalization Encryption Global/Local Caching Application Design Multi-Tenant
  10. 10. What is the role of Access Management? Organizations don ’ t get a clear view of who has done what with a resource, so cannot demonstrate ‘ control ’ Common Pain points Who did access what? Who should have access to what? Siloed approach to authorization across hundreds or even thousands of applications Who has Access to what? Months to modify applications with embedded authorization policy or by deploying agents
  11. 11. The 3 primary security concerns for Cloud Computing <ul><li>1. federated authentication </li></ul><ul><li>2. entitlement/authorization control (based on multiple attributes) </li></ul><ul><li>3. transaction logging for audit, compliance and forensics </li></ul>
  12. 12. federated authentication <ul><li>No.1 is available through Identity-as-a-service vendors such as Tricipher. </li></ul><ul><li>SAML will become the standard Federated Identity model once MS Geneva is rolled out. </li></ul>
  13. 13. entitlement/authorization control <ul><li>No.2 is more difficult. </li></ul><ul><li>Entitlement is built into apps such as salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine grained controls needed for audit & compliance. This is where network-based AuthZ players play. </li></ul>
  14. 14. transaction logging <ul><li>No.3 - transaction logging in my opinion is the big deal-breaker. </li></ul><ul><li>If you don't know 'who' has done 'what' in your cloud apps, then how will you survive a SOX or PCI audit? </li></ul><ul><li>This is probably one of the major questions that needs to be answered by new Cloud Security (start-ups) vendors. </li></ul>
  15. 15. Standardization of security in Cloud Computing <ul><li>It is still in early stage – this is the time to shape and influence – the NIST is trying to the role. </li></ul><ul><li>The main problem is the Identity and Access Management, which will be different from the current solutions. </li></ul>
  16. 16. References <ul><li>Amazon : </li></ul><ul><li> </li></ul><ul><li>RSA Event 2009 : </li></ul><ul><li> </li></ul>