7. Software as a Service: SaaS Web Video: http://www.youtube.com/watch?v=MHxUzR88A-Y; ASP vs. SaaS; Summary & Benefits 4/15/2010 7 SaaS PaaS IaaS Cloud Stack
10. Summary & Benefits: SaaStifaction. Benefits: quicker time to value; lower cost of ownership; higher return on investment; greater scalability and agility. State-of-the-Industry/State-of-the-Art.
11. Platform as a Service: Force.com claims to be the fastest way to build custom cloud apps and Web sites. With Force.com, you can build and deliver applications 5 times faster, at about ½ the cost of traditional software platforms. They deliver a complete platform with a simplified programming model so just about any business can use it to build apps.
12. Platform as a Service – Force.com features. Unlimited real-time database customizations: Every application links with a database that stores information about your business’ employees, events, or inventory. Force.com enables users to easily set up a database with walkthrough wizards that aid in building custom objects and relationships. Programmable user interface: Force.com can automatically generate a rich user interface (dashboard), or a developer can build their own UI with Web technologies such as JavaScript, Flash, or CSS. Programmable cloud logic: Apps need business logic to enforce rules, calculate results, or deal with exceptions. Force.com has an easy-to-use formula language similar to Excel. It also includes a programming language and an Eclipse-based IDE that developers can use to write their own code that runs on Force.com. Visual process manager: Most business processes can be mapped out with Force.com’s visual process manager and point-and-click workflow. You can rapidly build application wizards, design multi-step processes, and automate manual tasks, including approvals, assigning tasks, sending out alerts and sending messages.
13. Platform as a Service: Force.com video: http://www.youtube.com/watch?v=EzE6haADxRc
14. Infrastructure as a Service: Aka “Utility” as a Service; on-demand, metered. IaaS is lower on the cloud stack, or “down stack”, and closest to the hardware. IaaS provides the underlying hardware and operating system resources. IaaS offers CPU, memory, storage, networking and security as a package. Infrastructure can include firewalls, virtual private networks (VPNs), virtual machines (VMs), routers, switches, physical servers, and storage/databases.
15. Virtualization: Cloud computing is a set of pooled resources delivered over the internet. To pool resources we use virtualization. Virtualization is used to create logical versions of a physical device or operating system. The device can be a server, storage or network equipment. Two types of virtualization: segmentation and aggregation.
16. Virtualization: Segmentation enables many virtual instances within a single physical device. *Take advantage of underutilized resources. [Figure: three Application/OS pairs]
17. Virtualization: Aggregation enables multiple physical devices to be represented by a single virtual instance. Allows physical resources to be added to a cluster as needed = “on-demand”. Provides scalability. Manifested in today’s utility or grid computing.
18. Segmentation + Aggregation: Consider the benefits of having a single server virtual machine (leveraging segmentation) depend upon a network-attached storage array as its “disk” (leveraging aggregation) => runtime isolation and storage scalability. IaaS providers have used the combination of segmentation and aggregation to allow customers to pay as they go for the services they use while being able to scale up or down.
19. Benefits of IaaS: Access to expensive hardware, incl. servers, on an as-needed basis without considerable set-up and maintenance costs. Cost savings also include: IT staff; storage space; energy bills. Scalability: adjust your settings online to add or remove resources based on business needs.
20. Benefits of IaaS (cont.): Access to backup, security, and data management services. Service providers are able to very quickly make copies of a virtual environment to provide backup services and testing environments or “sandboxes”. Don’t have to physically move machines to relocate an employee. Increased efficiency of existing resources due to virtualization.
21. Risks of IaaS: A large concern is loss of control. In an IaaS offering, the responsibility for securing the underlying infrastructure and abstraction layers belongs to the provider; the remainder of the stack is the consumer’s responsibility. Confidentiality can be a concern because data can be moved across multiple networks.
22. Service Level Agreement: The SLA is the only legal agreement between the service provider and client; a contract that can cover a wide range of issues: defining service; performance management; problem management; customer’s duties and responsibilities; security; disaster recovery; business continuity.
23. Trusting the Virtual Machine Image: IaaS providers make a vast number of virtual machine images available to their customers. Some of these virtual machine images are provided by the IaaS provider itself, but some are provided by other customers. A virtual image should undergo the same level of security verification and hardening as hosts within the enterprise. Options: provide your own image or get one from a trusted host.
24.
25. Hardening Hosts (cont.): A best practice for cloud-based applications is to build custom operating systems and application platform images that have only the capabilities necessary to support the application stack. This limits the overall attack surface of the host and greatly reduces the number of patches needed to keep that application stack secure.
26. Securing Inter-host Communication: Hosts are running in a shared infrastructure with other companies, so it is important to secure the communication in a cloud-based application. Administrators who maintain the data center running the hosts and network should not be afforded the same level of trust as administrators of an internal data center.
27. IaaS Provider example: Amazon Web Services uses the same global computing infrastructure that Amazon.com uses for its retail business. Amazon’s scalable, reliable, and secure distributed computing infrastructure has been honed for over 13 years. Services include: Amazon Elastic Compute Cloud (Amazon EC2™); Amazon Simple Storage Service (Amazon S3™); Amazon CloudFront™; Amazon SimpleDB™; Amazon Simple Queue Service (Amazon SQS™).
28. Security features of AWS: Amazon EC2’s instances cannot send spoofed network traffic. Port scanning is a violation of Amazon’s policy; when unauthorized port scanning occurs, it is automatically stopped and blocked. To help prevent man-in-the-middle attacks, all of the AWS APIs are available via SSL-protected endpoints, which provide server authentication. Packet sniffing by other tenants is mitigated, since it is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance.
29. Cloud Standard Organizations and Task Forces; Risks in Cloud Computing; Legal Issues in Cloud Computing; Security in the Cloud
34. Security in the Cloud: Risks in Cloud Computing: Standards Risk; Operational Risk; Security Risk; Compliance Risk
35. Security in the Cloud: Risks in Cloud Computing: Standards Risk. Standards do not yet exist. CSA, NIST, AICPA and DMTF are developing a set of standards for Cloud Computing. Standards will apply to security, operational auditing and compliance.
36. Security in the Cloud: Risks in Cloud Computing: Operational Risk. Primary risk: firm’s data is now housed and controlled by the Cloud Provider; safety and control of a firm’s data. Other risks: data segregation; disaster recovery.
37. Security in the Cloud: Risks in Cloud Computing: Security Risk. Primary risk: unauthorized access to a firm’s data and processes. Authentication and authorization: controlled at the Cloud Provider and not at the firm. Federated SOA authentication may be a future option. On-line identity SOAs now exist.
44. Covers reporting and accounting of corporate income and operating expenses
45. Security in the Cloud: Legal Issues in Cloud Computing: Legal Short List. Trans-border information flow: data on the cloud may be subject to the laws of multiple jurisdictions. Cyber attacks: impact large population of unrelated users. New data privacy laws: businesses may be legally barred from placing certain kinds of information on the cloud.