This document discusses network security considerations for cloud computing. It begins with an introduction to different cloud deployment models including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). It then covers each model in more detail, describing features and benefits. The document also discusses virtualization techniques, risks of cloud computing including loss of control and operational risks, and security best practices such as host hardening and securing inter-host communication. Standard organizations developing cloud computing security standards are also mentioned.

1. Cloud Computing: Network Security in the CloudTeam #5Chris VerdinShantHovespianAwetHagosJason ReifmanJohn Meador4/15/20101

2. AgendaCloud Intro by ChrisSaaSby ShantPaaSby AwetIaaSby JasonWEB Security in the Cloudby JohnConclusionby Chris??? -ask4/15/20102

3. Introduction4/15/20103

4. Deployment Models:4/15/20104

5. Deployment Models:4/15/20105

6. Deployment Models:4/15/20106

7. Software as a ServiceSaaS Web Videohttp://www.youtube.com/watch?v=MHxUzR88A-YASP v.sSaaSSummary & Benefits4/15/20107SaaSPaaSIaaSCloudStack

8. ASPs vsSaaS4/15/20108SaaSPaaSIaaSCloudStack

9. SaaS Today4/15/20109SaaSPaaSIaaSCloudStack

10. Summary & BenefitsSaaStifactionBenefits:Quicker time to valueLower cost of ownershipHigher return on investmentGreater scalability and agilityState-of-the-Industry/State-of-the-Art4/15/201010SaaSPaaSIaaSCloudStack

11. Platform as a ServiceForce.com boasts to be fastest way to build custom cloud apps and Web sitesWith Force.com, you can build and deliver applications 5 times faster, at about ½ the cost of traditional software platforms. They deliver a complete platform with a simplified programming model so just about any business can use it to build apps.SaaSPaaSIaaSCloudStack4/15/201011

12. Platform as a Service – Force.com featuresUnlimited real-time database customizations Every application links with a database that stores information about your business’ employees, events, or inventory. Force.com enables users to easily setup a database with walkthrough wizards that aid in building custom objects and relationships. Programmable user interface Force.com can automatically generate a rich user interface (dashboard). Or a developer can build their own UI with Web technologies such as JavaScript, Flash, or CSS. Programmable cloud logic Apps need business logic to ensure rules and calculate results or deal with exceptions. Fore.com has an easy-to-use formula language similar to Excel. It also includes programming language and Eclipse-based IDE developers can use to write their on code that runs on Force.comVisual process manager Most business process can be mapped out with Force.com’s visual process manager and point-and-click workflow. You can rapidly build application wizards, design multi-step processes, and automate manual tasks including approvals, assign tasks, send out alerts and send messages.4/15/201012SaaSPaaSIaaSCloudStack

13. Platform as a ServiceSaaSPaaSIaaSCloudStackForce.com video: http://www.youtube.com/watch?v=EzE6haADxRc4/15/201013

14. Infrastructure as a ServiceAka “Utility” as a Service; on-demand, metered IaaS is lower on the cloud stack or “down stack” and closest to the hardwareIaaS provides the underlying hardware and operating system resourcesIaaS offers CPU, memory, storage, networking and security as a package. Infrastructure can include firewalls, virtual private networks (VPNs), virtual machines (VMs), routers, switches, physical servers, and storage/databases.4/15/201014SaaSPaaSIaaSCloudStack

15. VirtualizationCloud computing is a set of pooled resources delivered over the internet.To pool resources we use virtualization.Virtualization – used to create logical versions of a physical device or operating system.Device can be server, storage or network equip.Two types of virtualization:SegmentationAggregation4/15/201015SaaSPaaSIaaSCloudStack

16. VirtualizationSegmentation - enables many virtual instances within a single physical device*Take advantage of underutilized resources SaaSPaaSIaaSCloudStackApplicationApplicationApplicationOSOSOS4/15/201016

17. VirtualizationAggregation – enables multiple physical devices to be represented by a single virtual instance.Allows physical resources to be added to a cluster as needed = “on-demand”.Provides scalabilityManifested in today’s utility or grid computing.4/15/201017SaaSPaaSIaaSCloudStack

18. Segmentation + AggregationConsider the benefits of having a single server virtual machine (leveraging segmentation) depend upon a network-attached storage array as its “disk” (leveraging aggregation).=> Runtime isolation and storage scalabilityIAAS providers have used the combination of segmentation and aggregation to allow customers to: Pay as they go for the services they use. While being able to scale up or down. 4/15/201018SaaSPaaSIaaSCloudStack

19. Benefitsof IaaSAccess to expensive hardware -incl. servers on an as need basis without considerable set-up and maintenance costs.Cost savings also includes:IT staff Storage spaceEnergy bills Scalability – adjust your settings online to add or remove resources based on business needs.4/15/201019SaaSPaaSIaaSCloudStack

20. Benefitsof IaaS(cont.)Access to backup, security, and data management services.Service providers are able to very quickly make copies of a virtual environment to provide back-up services, and testing environments or “sandboxes”.Don’t have to physically move machines to relocate employee.Increased efficiency of existing resources due to virtualization. 4/15/201020SaaSPaaSIaaSCloudStack

21. Risks of IaaSLarge concern is Loss of ControlIn an IaaS offering the responsibility for securing:The underlying infrastructure and abstraction layers belongs to the provider, The remainder of the stack is the consumer’s responsibility.Confidentiality can be a concern because data can be moved across multiple networks.4/15/201021SaaSPaaSIaaSCloudStack

22. Service Level AgreementSLA -the only legal agreement between the service provider and clientcontract that can cover a wide range of issues:Defining service Performance managementProblem managementCustomer’s duties and responsibilities SecurityDisaster recoveryBusiness continuity 4/15/201022SaaSPaaSIaaSCloudStack

23. Trusting the Virtual Machine ImageIaaS providers make a vast number of virtual machine images available to their customersSome of these virtual machine images are provided by the IaaS provider itself, but some are provided by other customers.virtual image should undergo the same level of security verification and hardening for hosts within the enterprise.Options: provide your own image or get from trusted host.4/15/201023SaaSPaaSIaaSCloudStack

24. Hardening HostsProtecting host against attacks.IaaS platforms provide the ability to block and filter traffic based on IP address and port.Not equivalent to the network security controls in most enterprises. Hosts running within an IaaS are similar to hosts running in the DMZ (demilitarized zone)of your enterprise’s network.Like being in the DMZ where the hosts are on the internet it is especially import to harden the hosts.4/15/201024SaaSPaaSIaaSCloudStack

25. Hardening Hosts (cont.)A best practice for cloud-based applications is to build custom operating systems and application platform images that have only the capabilities necessary to support the application stack.Limits the overall attack surface of the host.Greatly reduces the number of patches needed to keep that application stack secure.4/15/201025SaaSPaaSIaaSCloudStack

26. Securing Inter-host Communication Hosts are running in a shared infrastructure with other companies so it is important to secure the communication in a cloud-based application. Administrators that maintain the data center running the hosts and network should not be afforded the same level of trust as administrators of an internal data center.4/15/201026SaaSPaaSIaaSCloudStack

27. IaaS Provider exampleAmazon Web Services – uses the same global computing infrastructure that Amazon.com uses for their retail business.Amazon’s scalable, reliable, and secure distributed computing infrastructure has been honed for over 13 years.Services include:Amazon Elastic Compute Cloud (Amazon EC2™)Amazon Simple Storage Service (Amazon S3™) Amazon CloudFront™Amazon SimpleDB™Amazon Simple Queue Service (Amazon SQS™)4/15/201027SaaSPaaSIaaSCloudStack

28. Security features of AWSAmazon EC2’s instances cannot send spoofed network traffic. Port scanning is a violation of Amazons policy, when unauthorized port scanning occurs it is automatically stopped and blocked. To help prevent man in the middle attacks all of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Packet sniffing by other tenants is mitigated since it is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. 4/15/201028SaaSPaaSIaaSCloudStack

29. Cloud Standard Organizations and Task ForcesRisks in Cloud ComputingLegal Issues in Cloud ComputingSecurity in the Cloud4/15/201029

30. Security in the CloudCloud Standard Organizations and Task ForcesCloud Security Alliance (CSA)

31. National Institute of Standards and Technology (NIST)

32. American Institute of Certified Public Accountants (AICPA)

33. Distributed Management Task Force (DMTF)4/15/201030

34. Security in the CloudRisks in Cloud ComputingStandards RiskOperational RiskSecurity RiskCompliance Risk4/15/201031

35. Security in the CloudRisks in Cloud ComputingStandards RiskStandards do not yet existCSA, NIST AICPA and DTMF developing a set of standards for Cloud ComputingStandards will apply to security, operational auditing and compliance4/15/201032

36. Security in the CloudRisks in Cloud ComputingOperational RiskPrimary RiskFirm’s data is now housed and controlled by the Cloud ProviderSafety and control of a firm’s dataOther RisksData SegregationDisaster Recovery 4/15/201033

37. Security in the CloudRisks in Cloud ComputingSecurity RiskPrimary Risk Unauthorized access to a firm’s data and processesAuthentication and AuthorizationControlled at the Cloud Provider and not at the firmFederated SOA authentication may be a future optionOn-line Identity SOA’s now exist4/15/201034

38. Security in the CloudRisks in Cloud ComputingCompliance Risks and Issues