Cloud computing security

Cloud Computing & Security: Are
there clouds in our sky ?

> Antonio Sanz
> I3A - IT Manager
> Security Expert
> http://i3a.unizar.es
> ansanz@unizar.es
> @antoniosanzalc

Index 4

> Cloud Computing

> Opportunities

> Cloud Computing risks

> Migrating to a Cloud Infraestructure

Tema 1: Diseño de software seguro
Cloud Computing Security

“Cloud computing is a model for
enabling ubiquitous, convenient,
on-demand network access to a
shared pool of configurable
computing resources (e.g.,
networks, servers, storage,
applications, and services) that can
be rapidly provisioned and
released with minimal management
effort or service provider
interaction”

[*First & last boring slide. Promise]

Cloud Computing: Main point 6

>On demand
>Ubiquous
>Resource pool
>Elastic
>Measureable

IaaS – Infrastructure as a Service 8

> Raw infrastructure

> Storage, network & servers

> We do the rest

> Flexible but costly

> Ej: Amazon AWS


PaaS – Platform as a Service 9

> You’ve got the OS but no
apps

> IaaS + OS + Base services

> App deploying ok (.jar)

> Less control but less cost

> Ej: Google App Engine


SaaS – Software as a Service 10

> You’ve got everything

> Iaas + Paas + Apps

> Ready to go

> Minimal control / Minimal
effort

> Ej: Salesforce.com (CRM)


Public, Private Clouds 11

> Públic: Public access, shared
resources, (-security, -cost)
Ej: Amazon AWS

> Private: Private access,
dedicated resources (+security,
+cost)
Ej: NASA Nebula OpenStack


Community , Hybrid 12

> Community: Group that shares
a private cloud
Ej: Business holding

> Hybrid: Mix some of the others


Technologies 14

> Virtualization

> Shared storage

> High speed networks

> Multidevice access

> Advanced Middleware (access,
monitoring, provisioning)


Cloud Computing Pros 16

> Elasticity / Scalability

> Availability

> Performance

> Ubiquous access

> Very low CAPEX

> OPEX savings


Amazon AWS - http://aws.amazon.com/ 18

> Amazon Web Services

> EC2 (Elastic Cloud Computing)

> S3 (Simple Storage Service)

> You can do … almost everything

> Others: Rackspace, vCloud, Azure,
IBM (great, too)


NetFlix - http://www.netflix.com/ 19

> Video streaming (Films, serials, shows)

> Almost 20% of EEUU bandwidth

> Uses Amazon AWS

> Benefits: Escalability + Availability

> Video transcoding “on the fly” with EC2

> Video storage in EC3 with S3

> Usage data analysis with EC2


Dropbox - http://www.dropbox.com/ 20

> Backup in the cloud

> Around 12Pb (12.000 Tb)

> Uses Amazon S3

> Benefit: Escalability

> Business model (VIP):
http://www.w2lessons.com/2011/04/econo
mics-of-dropbox.html


Technology

Cloud
Is
Good!

= To have you
by the balls

Vendor Lock-In

Vendor lock-in 27

> It’s hard to say goodbye

> SaaS : No “export” option

> PaaS : API interoperability

> IaaS : Different technologies

> Defsense: Right CP (Cloud Provider) choice


Lack of IT Governance 29

> IT Governance != Cloud Computing
Governance

> Limited funcionalities / High costs

> Loss of Control of our IT

> Defense: Clear objectives & design,
Right CP choice


Compliance & Laws 31

> We need to comply with all the
regulations (PCI DSS, LOPD)

> Imposes transitive compliance on
the CP

> Legal lapses

> Defense: Good analysis, right CP
choice


SLA (Service Level Agreements) 33

> Contract signed with CP

> Services offered

> Warranties offered

> Service metrics &
compensations/penalties

> Defense: SLA study & tuning


Provider failures 35

> “Errare machina est”

> Starting security standards

> CP Business Continuity plan

> OUR Business Continuity plan

> Defense: Business continuity
definition, right CP choice


Third party failures 37

> CP = Service & Technologies
Integrator

> But … what about electricity,
connectivity, HVAC ?

> We have to take care of our
facilities too

> Defense: Right CP choice, third party
evaluation (CP and proper)


Resource starvation 40

> Resources are assigned on demand

> CP scales up … but how ?

> Situation: No more resources
available when they were most
needed !!

> Defense: Resource reservation, right
CP choice


Isolation Faults 42

> Cloud = Shared Resources = Shared flat

> How secure is your neighbour ?

> Third party security failure Everybody
is compromised

> Defense: Private Clouds, right CP choice


Data leaks 44

> Lots of sensitive info in our CP

> Disgruntled employees

> Wrong service configuration

> Defense: Right CP choice, cipher use,
log reviews


Data Transit 46

> Network Information flows

> Local interception

> On transit interception

> In-Cloud Intercepcion

> Defense: SSL, cipher use


CP Compromise 48

> Cloud = Technology mesh = Lots of
possible security flaws

> Cloud interface management attacks

> Cloud user management attacks

> Infrastructure attacks

> Defense: Right CP choice, SLAs, incident
response planning


DDOS / EDOS 50

> DDOS (Distributed Denial Of Service)

> Intended to take down an infrastructure
Attack to availability

> Cloud Neighbour are collateral damage

> EDOS (Economic Denial of Service)

> Intended to cause economic damage

> Defense: SLAs, charge limits, incident
response


Cipher 52

> Sensible info Cipher

> Secure information deletion (wipe)

> Defensas: Strong ciphers, guardar
claves, SLA


Backups 53

> Info is EVERYTHING Backups

> Don’t forget your backups (even if
the CP does … you too)

> Automated procedure

> Defensa: Procedure design, right CP
choice


Logs Access 54

> Logs = Activity of our IT

> Needed to do debugging

> Critic if a security incident arises

> How can access my logs ?

> Defense: SLA, right CP choice


Disaster Recovery 56

> Shit happens (Murphy’s Law)

> Earthquakes, fires, floods, alien invasions…

> Our CP must have a Business Continuity
plan

> We must have ours !!

> Defense: Business Continuity plan


57
Legal Risks


Compliance & Laws 58

> Lots of laws & regulations

> Is our CP compliant ?

> National & International laws

> Defense: Preliminary analysis, right
CP choice


Data protection 59

> LOPD (Ley Orgánica de Protección
de Datos)

> Cloud implies sometimes
international data transfers
Complicated issues

> Safe Harbour Amazon, Google

> Defense: Preliminary analysis, right
CP choice


Computer Forensic 60

> Security incident in our CP
Someone has set up a child
pornography site

> Maybe anyone in our cloud !!

> Possible result = Server seizure

> Defense: Right CP choice, SLA,
Business Continuity plan


Identify Services 63

> Services that can benefit most from
Cloud Computing

> Main benefits: Scalability,
Availability & Elasticity

> Intermitent but heavy resource use
services (Ej: Sports newspapers on
mondays)


Evaluate CC models 64

> IaaS, PaaS, SaaS ?

> ¿Public, Private, Hybrid,
Community?

> See what others like us are doing

> Decide which model fits our needs
best


Defining security needs 66

> Know our service throughly

> Define the information flows

> Identify sensitive info

> Measure how critical the service is

> Assign a value to the srevice


Risk Analysis 67

> Know the existing risks when using
cloud computing

> Apply them to our service

> Define a maximum risk level

> Important!: Be utterly objective


Evaluate cloud providers 69

> Read carefully the SLA (Service
Level Agreements)

> Read it again

> Evaluate security compliance

> Added value services

> Price !


Security controls 70

> Define security controls

> Controls in the cloud & our IT

> Technical & procedural control

> Target: Lower our real risk


Bean counting … 72

> Migration costs

> Cloud operation costs

> Current operation costs

> Troubleshooting costs (both cloud
& current)

> Make money talk …


Make a decision 73

> Evaluate pros & cons of our current
IT model & cloud computing

> It’s not all about money …

> Informed decision taking

> You always should have a plan B


CC offers great
opportunities
CC has risks
There has to
be a plan

Conclusiones 75

>Cloud computing is here

>Lots of business models &
opportunities

>Must know all the risks

>Must have a sensible business plan


Conclusiones

I love it
when a
cloud
plan
comes
together

More info?. Press here ! 78

Cloud Security Alliance
https://cloudsecurityalliance.org/

Cloud Computing Security Guide - CSA
http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

ENISA – Cloud Computing Security Risks
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-
risk-assessment

Australia Gov. - Cloud Computing Risk Analysis Report
http://www.dsd.gov.au/publications/Cloud_Computing_Security_Consid
erations.pdf


Have a plan and jump into the sky !

Antonio Sanz / ansanz@unizar.es / @antoniosanzalc
$slides = http://www.slideshare.net/ansanz

Cloud computing security

More Related Content

What's hot

Viewers also liked

Similar to Cloud computing security

More from Antonio Sanz Alcober

Recently uploaded

Cloud computing security