Cloud Computing: Network Security in the Cloud
Team #5: Chris Verdin, Shant Hovespian, Awet Hagos, Jason Reifman, John Meador
4/15/2010

Agenda
- Cloud Intro by Chris
- SaaS by Shant
- PaaS by Awet
- IaaS by Jason
- Web Security in the Cloud by John
- Conclusion by Chris
- ??? (ask)
Introduction

Deployment Models: (three diagram slides; only the title survives in this text)
Software as a Service
- SaaS web video: http://www.youtube.com/watch?v=MHxUzR88A-Y
- ASPs vs. SaaS
- Summary & Benefits

ASPs vs. SaaS (diagram slide)

SaaS Today (diagram slide)

Summary & Benefits ("SaaStifaction")
Benefits:
- Quicker time to value
- Lower cost of ownership
- Higher return on investment
- Greater scalability and agility
- State of the industry / state of the art
Platform as a Service
Force.com claims to be the fastest way to build custom cloud apps and Web sites: with Force.com you can build and deliver applications 5 times faster, at about half the cost of traditional software platforms. They deliver a complete platform with a simplified programming model, so just about any business can use it to build apps.

Platform as a Service – Force.com features
- Unlimited real-time database customizations: every application links to a database that stores information about your business's employees, events, or inventory. Force.com lets users set up a database with walkthrough wizards that help build custom objects and relationships.
- Programmable user interface: Force.com can automatically generate a rich user interface (dashboard), or a developer can build their own UI with Web technologies such as JavaScript, Flash, or CSS.
- Programmable cloud logic: apps need business logic to enforce rules, calculate results, and deal with exceptions. Force.com has an easy-to-use formula language similar to Excel's. It also includes a programming language and an Eclipse-based IDE that developers can use to write their own code that runs on Force.com.
- Visual process manager: most business processes can be mapped out with Force.com's visual process manager and point-and-click workflow. You can rapidly build application wizards, design multi-step processes, and automate manual tasks including approvals, task assignment, alerts, and messages.

Platform as a Service
Force.com video: http://www.youtube.com/watch?v=EzE6haADxRc
Infrastructure as a Service
- Also called "utility" as a service: on-demand and metered.
- IaaS is lower on the cloud stack ("down stack") and closest to the hardware.
- IaaS provides the underlying hardware and operating system resources.
- IaaS offers CPU, memory, storage, networking and security as a package. Infrastructure can include firewalls, virtual private networks (VPNs), virtual machines (VMs), routers, switches, physical servers, and storage/databases.
Virtualization
- Cloud computing is a set of pooled resources delivered over the Internet.
- To pool resources we use virtualization.
- Virtualization creates logical versions of a physical device or operating system. The device can be a server, storage, or network equipment.
- Two types of virtualization: segmentation and aggregation.

Virtualization: Segmentation
- Enables many virtual instances within a single physical device.
- Takes advantage of underutilized resources.
- (Diagram: several Application/OS pairs sharing one physical host.)

Virtualization: Aggregation
- Enables multiple physical devices to be represented by a single virtual instance.
- Allows physical resources to be added to a cluster as needed ("on-demand").
- Provides scalability.
- Manifested in today's utility or grid computing.

Segmentation + Aggregation
- Consider the benefits of having a single-server virtual machine (leveraging segmentation) depend on a network-attached storage array as its "disk" (leveraging aggregation): runtime isolation plus storage scalability.
- IaaS providers have used the combination of segmentation and aggregation to let customers pay as they go for the services they use while being able to scale up or down.
Benefits of IaaS
- Access to expensive hardware, including servers, on an as-needed basis without considerable set-up and maintenance costs.
- Cost savings also include IT staff, storage space, and energy bills.
- Scalability: adjust your settings online to add or remove resources based on business needs.

Benefits of IaaS (cont.)
- Access to backup, security, and data management services.
- Service providers can very quickly make copies of a virtual environment to provide backup services and testing environments or "sandboxes".
- No need to physically move machines to relocate an employee.
- Increased efficiency of existing resources due to virtualization.
Risks of IaaS
- The large concern is loss of control.
- In an IaaS offering, responsibility for securing the underlying infrastructure and abstraction layers belongs to the provider; the remainder of the stack is the consumer's responsibility.
- Confidentiality can be a concern because data may be moved across multiple networks.

Service Level Agreement
- The SLA is the only legal agreement between the service provider and the client.
- It is a contract that can cover a wide range of issues: defining the service, performance management, problem management, the customer's duties and responsibilities, security, disaster recovery, and business continuity.
Trusting the Virtual Machine Image
- IaaS providers make a vast number of virtual machine images available to their customers.
- Some of these images are provided by the IaaS provider itself, but some are provided by other customers.
- A virtual image should undergo the same level of security verification and hardening as hosts within the enterprise.
- Options: provide your own image, or get one from a trusted source.
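The verification step this slide calls for, as an added example that is not part of the original presentation: before an image is launched, confirm it is listed in a manifest, that its publisher is one we trust, and that its digest still matches what the publisher recorded. The image bytes, manifest entries and publisher names below are constructed for the example.

```python
"""Added example: verify a VM image against a trusted manifest before it is launched."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for a disk image file; a real image is read from disk in chunks.
GOOD_IMAGE = b"\x7fELF sample-vm-image-contents v1\n" * 4096
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"X"   # one byte changed, e.g. a backdoored binary

# Hypothetical publisher names: our own build pipeline and one vendor we have vetted.
TRUSTED_PUBLISHERS = {"our-enterprise-builds", "vetted-vendor-hardened"}


def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash the image incrementally so a multi-GB file never has to fit in memory."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        digest.update(view[start:start + chunk_size])
    return digest.hexdigest()


def manifest_entry(image_bytes: bytes, publisher: str) -> Dict[str, str]:
    """What a publisher records at release time: who built the image and its digest."""
    return {"sha256": sha256_of(image_bytes), "publisher": publisher}


def verify_image(image_bytes: bytes, image_id: str,
                 manifest: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Accept an image only if it is listed, comes from a trusted publisher and is unmodified."""
    entry = manifest.get(image_id)
    if entry is None:
        return False, f"{image_id}: not listed in the manifest"
    if entry["publisher"] not in TRUSTED_PUBLISHERS:
        return False, f"{image_id}: publisher {entry['publisher']!r} is not trusted"
    actual = sha256_of(image_bytes)
    # Constant-time comparison: not strictly needed for a public digest, but a safe default.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, f"{image_id}: digest mismatch (image was modified after publication)"
    return True, f"{image_id}: ok"


# Constructed manifest: one image from our own builds, one uploaded by an unknown tenant.
MANIFEST = {
    "img-hardened-web": manifest_entry(GOOD_IMAGE, "our-enterprise-builds"),
    "img-community-lamp": manifest_entry(GOOD_IMAGE, "anonymous-tenant-42"),
}

if __name__ == "__main__":
    for image_id, data in [("img-hardened-web", GOOD_IMAGE),
                           ("img-hardened-web", TAMPERED_IMAGE),
                           ("img-community-lamp", GOOD_IMAGE),
                           ("img-unknown", GOOD_IMAGE)]:
        accepted, reason = verify_image(data, image_id, MANIFEST)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The digest check only helps if the manifest itself arrives over an authenticated channel (or is signed by the publisher); a manifest fetched from the same untrusted place as the image can be swapped along with it.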
Hardening Hosts
- Protect the host against attacks.
- IaaS platforms provide the ability to block and filter traffic based on IP address and port. This is not equivalent to the network security controls in most enterprises.
- Hosts running within an IaaS are similar to hosts running in the DMZ (demilitarized zone) of your enterprise's network. As in the DMZ, where hosts are exposed to the Internet, it is especially important to harden the hosts.

Hardening Hosts (cont.)
- A best practice for cloud-based applications is to build custom operating system and application platform images that have only the capabilities necessary to support the application stack.
- This limits the overall attack surface of the host.
- It greatly reduces the number of patches needed to keep that application stack secure.
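The two slides above fit together: the image defines which services the host should expose, and the provider's IP/port filter should admit exactly those and nothing more. The following is an added example, not code from the presentation, that audits a rule set of the kind these platforms offer against the minimal service set of a hardened web image. The rule format, the corporate address ranges and the sample rules are constructed for the example.

```python
"""Added example: audit IP/port ingress rules against the minimal service set an image exposes."""
import ipaddress
from typing import Dict, List, NamedTuple, Set


class Rule(NamedTuple):
    proto: str        # "tcp" or "udp"
    from_port: int
    to_port: int
    source: str       # CIDR that the rule admits


# Remote-administration ports that must never be reachable from outside corporate space.
ADMIN_PORTS = {22, 3389, 5900}

# Hypothetical corporate address ranges; not from the page.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def is_corporate(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == corp.version and net.subnet_of(corp) for corp in CORP_NETS)


def audit_rules(rules: List[Rule], exposed: Dict[str, Set[int]],
                max_span: int = 64) -> List[str]:
    """Return one finding per violation; an empty list means the rules match the image's role."""
    findings = []
    for rule in rules:
        span = rule.to_port - rule.from_port + 1
        if span > max_span:
            findings.append(f"{rule}: opens {span} ports; a minimal image needs a few")
            continue
        allowed = exposed.get(rule.proto, set())
        for port in range(rule.from_port, rule.to_port + 1):
            if port in ADMIN_PORTS and not is_corporate(rule.source):
                findings.append(f"{rule}: admin port {port} reachable from {rule.source}")
            elif port not in allowed:
                findings.append(f"{rule}: {rule.proto}/{port} is not a service this image runs")
    return findings


# Constructed rule set for a hardened web image that runs only HTTPS and SSH.
WEB_IMAGE_EXPOSES = {"tcp": {443, 22}}
RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),        # public HTTPS: fine
    Rule("tcp", 22, 22, "203.0.113.0/24"),     # SSH from the corporate range: fine
    Rule("tcp", 22, 22, "0.0.0.0/0"),          # SSH from the whole Internet: finding
    Rule("tcp", 0, 65535, "10.0.0.0/8"),       # everything from the internal net: finding
    Rule("udp", 161, 161, "0.0.0.0/0"),        # SNMP the image does not run: finding
]

if __name__ == "__main__":
    for finding in audit_rules(RULES, WEB_IMAGE_EXPOSES):
        print(finding)
```

Run the audit against the service list generated from the image build, not one written by hand, so that a service added to the image without a rule (or a rule without a service) shows up as a finding.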
Securing Inter-host Communication
- Hosts run in an infrastructure shared with other companies, so it is important to secure the communication within a cloud-based application.
- Administrators who maintain the data center running the hosts and network should not be afforded the same level of trust as administrators of an internal data center.
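On a shared network, "securing the communication" means the connecting host must authenticate its peer, not merely encrypt to whoever answers. The added example below (not from the presentation) builds a TLS client context that does that with Python's standard ssl module, shows the weak configuration it replaces, and audits either one. The private-CA bundle path and the peer host are assumptions; nothing here is tied to a particular provider.

```python
"""Added example: TLS client settings that authenticate the peer, beside the common weak ones."""
import socket
import ssl
from typing import List, Optional


def strict_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server authentication on: CA validation, hostname check, TLS 1.2 or newer.

    ca_file defaults to the system trust store; pass your own bundle when the peers
    are internal hosts whose certificates come from a private CA (an assumption here)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'just make it connect' configuration: encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # order matters: must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context; an empty list means the peer is actually authenticated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another name passes")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version {ctx.minimum_version.name} allows obsolete TLS")
    return findings


def peer_subject(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Connect and return the certificate the context validated for the peer.

    With the strict context this raises ssl.SSLCertVerificationError when the host
    cannot prove its identity, which is the failure you want on a shared network."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("strict:", audit_context(strict_client_context()) or "no findings")
    print("weak:  ", audit_context(weak_client_context()))
```

The same audit applies to server-side contexts: a service that should only accept calls from its own application tier sets verify_mode to CERT_REQUIRED there too and loads the private CA, so that the client must present a certificate (mutual TLS) and a neighbouring tenant or a data-center operator on the same segment cannot simply connect.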
IaaS Provider Example
- Amazon Web Services uses the same global computing infrastructure that Amazon.com uses for its retail business.
- Amazon's scalable, reliable, and secure distributed computing infrastructure has been honed for over 13 years.
- Services include: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon CloudFront, Amazon SimpleDB, Amazon Simple Queue Service (Amazon SQS).
Security Features of AWS
- Amazon EC2 instances cannot send spoofed network traffic.
- Port scanning is a violation of Amazon's policy; when unauthorized port scanning occurs it is automatically stopped and blocked.
- To help prevent man-in-the-middle attacks, all of the AWS APIs are available via SSL-protected endpoints, which provide server authentication.
- Packet sniffing by other tenants is mitigated: a virtual instance running in promiscuous mode cannot receive or "sniff" traffic intended for a different virtual instance.
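The first two claims on this slide are enforced by the provider below the guest, but a tenant reviewing its own traffic records can apply the same two checks: a packet whose source address does not belong to the instance that emitted it, and a source touching many distinct ports on one destination in a short window. The following is an added example, not the presentation's or Amazon's code; the instance-to-address mapping and the flow records are constructed and deliberately simplified (not a real provider log format).

```python
"""Added example: flag spoofed-source traffic and port scans in constructed flow records."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int            # seconds
    instance: str      # the VM that emitted the packet
    src: str
    dst: str
    dst_port: int


# Hypothetical mapping of instance -> addresses the provider assigned to it.
ASSIGNED: Dict[str, Set[str]] = {"i-web01": {"10.0.1.10"}, "i-db01": {"10.0.2.20"}}

# Constructed records.
FLOWS: List[Flow] = (
    # normal: the web tier talking to its database every 30 s
    [Flow(t, "i-web01", "10.0.1.10", "10.0.2.20", 3306) for t in range(0, 300, 30)]
    # one packet with a source address the web instance does not own
    + [Flow(45, "i-web01", "10.0.9.9", "10.0.2.20", 3306)]
    # a compromised db instance walking 30 ports on the web host within 30 s
    + [Flow(100 + p, "i-db01", "10.0.2.20", "10.0.1.10", p) for p in range(1, 31)]
)


def spoofed_flows(flows: List[Flow], assigned: Dict[str, Set[str]]) -> List[Flow]:
    """Egress anti-spoofing: the source address must belong to the emitting instance."""
    return [f for f in flows if f.src not in assigned.get(f.instance, set())]


def port_scans(flows: List[Flow], window: int = 60,
               threshold: int = 20) -> List[Tuple[str, str, int]]:
    """(src, dst, peak_distinct_ports) for pairs touching >= threshold ports within window s."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append((f.ts, f.dst_port))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()                       # by timestamp
        in_window: Counter = Counter()      # distinct ports currently inside the window
        left, peak = 0, 0
        for ts, port in events:
            in_window[port] += 1
            while events[left][0] < ts - window:   # evict events older than the window
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits.append((src, dst, peak))
    return hits


if __name__ == "__main__":
    for f in spoofed_flows(FLOWS, ASSIGNED):
        print("spoofed source:", f)
    for src, dst, n in port_scans(FLOWS):
        print(f"port scan: {src} -> {dst}, {n} distinct ports within 60 s")
```

The threshold and window are tuning knobs: a load balancer health-checking a handful of ports must stay under them, while a sweep of a few dozen ports in a minute should not.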
Security in the Cloud: Outline
- Cloud standards organizations and task forces
- Risks in cloud computing
- Legal issues in cloud computing
- Security in the cloud

Security in the Cloud: Cloud Standards Organizations and Task Forces
- Cloud Security Alliance (CSA)
- National Institute of Standards and Technology (NIST)
- American Institute of Certified Public Accountants (AICPA)
- Distributed Management Task Force (DMTF)
Security in the Cloud: Risks in Cloud Computing
- Standards risk
- Operational risk
- Security risk
- Compliance risk

Security in the Cloud: Standards Risk
- Standards do not yet exist.
- CSA, NIST, AICPA and DMTF are developing a set of standards for cloud computing.
- Standards will apply to security, operational auditing and compliance.

Security in the Cloud: Operational Risk
- Primary risk: the firm's data is now housed and controlled by the cloud provider (safety and control of a firm's data).
- Other risks: data segregation, disaster recovery.

Security in the Cloud: Security Risk
- Primary risk: unauthorized access to a firm's data and processes.
- Authentication and authorization are controlled at the cloud provider and not at the firm.
- Federated (SOA-based) authentication may be a future option; online identity SOAs now exist.

Security in the Cloud: Compliance Risks and Issues
