Welcome to Secure360 2012

Did you remember to scan your badge for CPE credits? Ask your Room Volunteer for assistance.

Please complete the Session Survey front and back (this is Room 12), and leave it on your seat. Note: "Session" is Tuesday or Wednesday.

Are you tweeting? #Sec360
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. (NIST SP 800-145 definition.)
NIST Visual Model of Cloud Computing

Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Deployment Models: Public, Private, Hybrid, Community
Essential Characteristics: Broad Network Access
(diagram: the cloud in the middle, reached "from here", "from here", "yup, here too" and "wait! over here too!", i.e. from anywhere with a network connection)

Essential Characteristics: Rapid Elasticity
(diagram: a little cloud grows into a bigger cloud and shrinks back to a little cloud as demand changes)

Essential Characteristics: Measured Service
(chart: resource use plotted against time, moving between "a little", "middlin'" and "a lot"; what is consumed is metered)

Essential Characteristics: On-Demand Self-Service
"I want to do it. NOW!"

Essential Characteristics: Resource Pooling
"Everybody uses the same water."
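The security side of "everybody uses the same water" is tenant isolation: on a pooled resource the only thing keeping one customer's data from another is the provider's (or your own application's) scoping of every access. The following is an added example, not code from the deck or its author. It constructs a two-tenant SQLite table (tenants "acme" and "globex" and their rows are invented sample data) and puts the vulnerable lookup, which trusts a record id alone, beside a scoped handle that binds every query to the tenant taken from the authenticated session.

```python
"""Tenant isolation on a pooled resource: a constructed two-tenant store.

Two tenants, "acme" and "globex", share one SQLite table, which is what
resource pooling means in practice. The unsafe lookup trusts the record
id alone, so one tenant can read another's data; the scoped handle takes
the tenant from the authenticated session and binds every query to it.
All names and rows here are constructed sample data.
"""
import sqlite3


def build_pool() -> sqlite3.Connection:
    """Create the shared table and seed it with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (id, tenant, body) VALUES (?, ?, ?)",
        [
            (1, "acme", "acme payroll q1"),
            (2, "globex", "globex merger memo"),
            (3, "acme", "acme vendor list"),
        ],
    )
    conn.commit()
    return conn


def unsafe_get(conn: sqlite3.Connection, record_id: int):
    """Vulnerable: the id is the only key, so any caller reads any row."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    return row[0] if row else None


class TenantScope:
    """A handle bound to one tenant; every query it issues is filtered by it.

    The tenant must come from the authenticated session, never from a
    request parameter the caller can change.
    """

    def __init__(self, conn: sqlite3.Connection, tenant: str):
        self._conn = conn
        self._tenant = tenant

    def get(self, record_id: int):
        row = self._conn.execute(
            "SELECT body FROM records WHERE id = ? AND tenant = ?",
            (record_id, self._tenant),
        ).fetchone()
        # A foreign id looks exactly like a missing one, so there is no
        # oracle for probing which ids exist in other tenants.
        return row[0] if row else None

    def list_ids(self):
        rows = self._conn.execute(
            "SELECT id FROM records WHERE tenant = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def update(self, record_id: int, body: str) -> bool:
        """Write is scoped too; returns False if the row is not ours."""
        cur = self._conn.execute(
            "UPDATE records SET body = ? WHERE id = ? AND tenant = ?",
            (body, record_id, self._tenant),
        )
        self._conn.commit()
        return cur.rowcount == 1


def demo() -> dict:
    """Run both paths against the same pool and return what each sees."""
    conn = build_pool()
    acme = TenantScope(conn, "acme")
    return {
        "unsafe_cross_tenant_read": unsafe_get(conn, 2),   # globex memo leaks
        "scoped_cross_tenant_read": acme.get(2),            # None
        "scoped_own_read": acme.get(1),                     # acme payroll q1
        "scoped_cross_tenant_write": acme.update(2, "x"),   # False, 0 rows
        "acme_ids": acme.list_ids(),                        # [1, 3]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to carry over to real systems is that the scoping lives in one place the application cannot bypass (here the handle, in a real deployment often a row-level policy in the database) rather than being re-done, and occasionally forgotten, in every query.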
Service Models

The layered stack (the cloud reference model used in the Cloud Security Alliance guidance listed in the references), top to bottom; each service model is built on the layers below it:

Software as a Service (SaaS)
  Presentation Modality
  Presentation Platform
  APIs
  Applications
  Data / Metadata / Content

Platform as a Service (PaaS)
  Integration and Middleware
  APIs

Infrastructure as a Service (IaaS)
  Abstraction
  Hardware
  Facilities
Service Models: IaaS
"Here's a bunch of logs, have at it."

Service Models: PaaS
"Here's a foundation, some tools, and more materials. Knock yourself out."

Service Models: SaaS
"It's all in there. Just move in."
Who's In Control?

SaaS
PaaS      Less control as we go up
IaaS

The consumer controls less the higher the service model sits in the stack. With IaaS you control the operating system, storage and deployed applications; with PaaS you control your deployed applications and at most some settings of the hosting environment; with SaaS you control little beyond limited, user-specific application settings (NIST SP 800-145). Whatever you no longer control yourself is security you have to get assurance about from the provider, through the contract, audits, and the logging and monitoring you negotiate.
Deployment Models
Private, Community, Public, Hybrid

Deployment Models: Private
(image source: http://dogs.icanhascheezburger.com/2012/03/16/funny-dog-pictures-mine-all-mine-2/)

Deployment Models: Public
(image source: http://popupcity.net/2009/11/on-moscows-public-toilets/)

Deployment Models: Community

Deployment Models: Hybrid
(image source: http://www.coolfunnycomments.com/funnypictures/dogs_041.html)
Actors (the five cloud actors of the NIST Cloud Computing Reference Architecture, SP 500-292)

  Consumer
  Provider
  Broker
  Auditor
  Carrier
Things to Think About

  Visibility
  Compliance
  Availability
  Audit
  Disaster recovery
  Monitoring
  Backups
  Encryption
  Logging
  Authentication
  Access control
Questions to Ask Yourself

For each asset (data, process or function) you are thinking of moving to the cloud:

1. How would we be harmed if the asset became widely public and widely distributed?
2. How would we be harmed if an employee of our cloud provider accessed the asset?
3. How would we be harmed if the process or function were manipulated by an outsider?
4. How would we be harmed if the process or function failed to provide expected results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the asset were unavailable for a period of time?
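Two of these questions, a provider employee accessing the asset and the data being unexpectedly changed, share one technical answer: keep a verification secret on the consumer side so that what comes back from the provider can be checked rather than trusted. The following is an added example, not code from the deck or its author. It simulates an untrusted provider object store with a dict (constructed; object names and contents are invented), keeps an HMAC key and a ledger of tags with the consumer, and shows that both an in-place edit and a swap of one genuine object for another are caught on download. It covers integrity only; stopping provider staff from reading the content needs client-side encryption, which this example does not do.

```python
"""Consumer-held integrity check for objects stored with a provider.

The consumer uploads objects to an untrusted store (a dict standing in
for the provider) and keeps, outside the provider, a MAC key and a
ledger of tags. On download the tag is recomputed, so any change made
at the provider, by an insider or by a fault, is detected before the
data is used. The tag also binds the object name, so the provider
cannot hand back a different but genuine object under this name.
All keys, names and contents here are constructed sample data.
"""
import hashlib
import hmac
from typing import Callable, Dict


class IntegrityError(Exception):
    """Raised when a downloaded object does not match the consumer's ledger."""


class ProviderStore:
    """Stand-in for the provider's storage; treat everything in it as untrusted."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = bytes(data)

    def get(self, name: str) -> bytes:
        return self.objects[name]


def compute_tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over (name, data); the name is length-prefixed so that
    ("ab", b"c") and ("a", b"bc") cannot produce the same message."""
    encoded = name.encode("utf-8")
    msg = len(encoded).to_bytes(4, "big") + encoded + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def upload(store: ProviderStore, ledger: Dict[str, str], key: bytes,
           name: str, data: bytes) -> str:
    """Store the object with the provider and its tag with the consumer."""
    tag = compute_tag(key, name, data)
    ledger[name] = tag          # the ledger and key never leave the consumer
    store.put(name, data)
    return tag


def download(store: ProviderStore, ledger: Dict[str, str], key: bytes,
             name: str) -> bytes:
    """Fetch the object and refuse it unless it matches the ledger."""
    data = store.get(name)
    actual = compute_tag(key, name, data)
    if not hmac.compare_digest(actual, ledger[name]):
        raise IntegrityError(f"{name}: stored object does not match ledger")
    return data


def _detected(action: Callable[[], bytes]) -> bool:
    """True if the action is rejected with IntegrityError."""
    try:
        action()
    except IntegrityError:
        return True
    return False


def demo() -> dict:
    key = b"constructed-demo-key-use-a-random-one"   # constructed, not for real use
    store = ProviderStore()
    ledger: Dict[str, str] = {}
    q1, q2 = "contracts/2012-q1.pdf", "contracts/2012-q2.pdf"
    upload(store, ledger, key, q1, b"original q1 contract text")
    upload(store, ledger, key, q2, b"original q2 contract text")

    results = {}
    results["untouched"] = download(store, ledger, key, q1) == b"original q1 contract text"

    # Insider edits the stored bytes behind the consumer's back.
    store.objects[q1] = b"altered q1 contract text"
    results["tampered_detected"] = _detected(lambda: download(store, ledger, key, q1))

    # Provider returns q2's genuine bytes under q1's name (a swap/rollback).
    store.objects[q1] = store.objects[q2]
    results["swap_detected"] = _detected(lambda: download(store, ledger, key, q1))
    return results


if __name__ == "__main__":
    print(demo())   # {'untouched': True, 'tampered_detected': True, 'swap_detected': True}
```

Where the key and ledger live is the whole design: if either is stored with the same provider, an insider who can change the object can change the tag with it, and the check proves nothing.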
References

NIST SP800-145 Cloud Definition
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
NIST SP800-146 Cloud Computing Synopsis and
Recommendations
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
NIST SP500-292 Cloud Computing Reference Architecture
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
Cloud Security Alliance Guidance
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
ENISA Cloud Risk Assessment
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
Australian DoD Cloud Security Considerations
http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
Jericho Cloud Cube
https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
Cloud Security Rules
http://www.amazon.com/The-Cloud-Security-Rules-Technology/dp/1463691785
Questions?


Twitter: @kriggins,
@infosecramblins
Email: kriggins@infosecramblings

Cloud computing 101


Editor's Notes

  • #11 Wow. That makes my head hurt. Let’s see if we can’t find a simpler metaphor.