VCU Cybersecurity Fair
Security in the Cloud
Presented By: Bryan Miller
Agenda
  • Speaker Introduction
  • What is the “Cloud”
  • SaaS, PaaS, IaaS
  • Public, Private and Hybrid Clouds
  • Vendor Offerings
  • Security Issues
  • Wrap-Up
10/4/2011 | Security in the Cloud | 1
Speaker Introduction
  • B.S. Information Systems – VCU
  • M.S. Computer Science – VCU
  • President, Syrinx Technologies, 2007
  • Member of ISSA, HIMSS, InfraGard, ILTA
  • Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
  • CISSP, former Cisco CCIE in R/S
  • Published author
  • Over 25 years in the industry
What is the “Cloud”?
  • Convenient, on-demand network access to a shared pool of configurable resources:
    – Networks
    – Servers
    – Storage
    – Applications
    – Services
  • Rapidly provisioned, with minimal management effort or service provider interaction (based on NIST)
The NIST Standard for Cloud Computing
  • NIST SP 800-145 definition:
    “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
First, Some Statistics
  • Is security the factor most likely to discourage the use of cloud computing?
  • IDC – 2008
    – 72% of small (<100 employees) businesses
    – 63% of mid-sized (100-199 employees) businesses
  • IDC – 2011
    – 50% of small businesses
    – 47% of mid-sized businesses
First, Some Statistics (cont.)
  • By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
  • By 2012, approximately 20% of businesses will not own any IT resources.
[Two image-only slides: no text extracted]
Software as a Service (SaaS)
  • Applications delivered over the web
  • Vendor handles software updates and patches
  • Application Programming Interfaces (APIs) for integration among software
  • Examples
    – Salesforce.com
    – Office 365
Platform as a Service (PaaS)
  • Architectural tools to build systems
  • Platform managed and monitored
  • Web-based user interface tools
  • Examples
    – Google App Engine
    – Microsoft Azure
    – Force.com
Infrastructure as a Service (IaaS)
  • Outsource storage, hardware, servers
  • Typically charged on a per-use basis
  • Hardware can be multi-tenant or dedicated
  • Examples
    – Amazon Web Services (AWS)
    – OpenStack
    – Dell
Public vs. Private vs. Hybrid Cloud Models
  • Public
    – Shared resources, usually multi-tenant
    – Off-premise
  • Private
    – Resources dedicated to client
    – On-premise or off-premise
  • Hybrid
    – Combination of on-premise and cloud-based services
    – Growing in popularity as companies slowly transition applications
Vendor Offerings
  • Amazon Web Services EC2 – IaaS
    – Data centers (Regions): Virginia, Northern California, Ireland, Singapore, Tokyo
    – Within each region, services are divided into Availability Zones
    – AWS GovCloud – accessible by US only; allows government agencies to store data; currently used by NASA

Vendor Offerings (cont.)
  • Microsoft Azure – PaaS
    – Windows Azure – OS providing scalable compute and storage facilities
    – Windows SQL Azure – cloud-based, scalable version of SQL Server
  • OpenStack – IaaS
    – Open source software
    – Over 100 partner companies: Rackspace, Dell, Citrix, Cisco

Vendor Offerings (cont.)
  • Dell – IaaS
    – Built on VMware technology (vCloud family of products)
    – Adding support for Azure and OpenStack
    – 3 models: Pay as you go, Reserved, Dedicated
  • Apple iCloud – SaaS
    – Stores music, photos, applications, calendars, documents
    – 5 GB of free storage
What about SLAs?
  • Take into account the following:
    – Response times
    – Data corruption
    – Service degradation/outage
    – Data breach
    – Backup/restore issues
    – What happens if the company closes or is sold
    – Regulatory issues
      · HIPAA – do you have a BA (Business Associate) agreement in place?
      · PCI – are you sure your provider is compliant?
Security Issues
  • Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
  • The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
  • Prices for EC2 range from 3 cents to $2.48 an hour for users on the East Coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
  • Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.
Cloudpocalypse
  • Definition: The point at which cloud computing causes a catastrophic failure.
  • Intellectual property is the lifeblood of an organization.
  • IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
  • How can things go wrong?
    – A salesperson mails himself a report to Gmail for home access.
    – A customer service team uses Dropbox¹ to transfer client files.
    – A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.
  ¹ June 2011: passwords optional for 4 hours; approximately 100 accounts were affected.
When the Cloud Dissipates
  • Amazon EC2 Outages
    – July 2008
      · Affected multiple Availability Zones
      · Affected US and EU
    – April 2011
      · Affected Reddit, Foursquare, Quora
      · Elastic Block Store went offline (provides mountable disk volumes to EC2)
      · 3 days of outage for some users
      · Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
    – August 2011
      · Why? Lightning strike in Dublin, Ireland
      · Knocked European cloud services offline for 2 days
      · Affected Netflix, Quora, Foursquare
When the Cloud Dissipates (cont.)
  • Gmail Outages
    – 2008
      · July 16 – “long outage”
      · August 6 – up to 15 hours
      · August 11 – 2 hours
      · August 15 – up to 24 hours
      · October 16 – 30 hours
    – 2009
      · February 24 – 2 hours
      · September 1 – 2 hours
    – 2011
      · February 27 – several hours
      · August 8 – several hours
Wrap-Up
  • Decide if the cloud is appropriate for the given business model
  • Choose the vendor and precisely define the SLA
  • Test thoroughly before moving into production
  • Migrate slowly and carefully watch the metrics
  • Make sure the users/clients are happy
  • Routinely test the backup and restore process
  • Don’t forget about DR and BCP