Cloud Security - Made simple
Sameer Paradia
Goals

1. Brief on Cloud Computing
2. Security Threats
3. Framework
4. Controls

http://www.flickr.com/photos/tomhaymes/321292834/
Understand Cloud
Essential Characteristics

On-Demand
      Lowered requirement for forecasts
      Demand trends are predicted by the provider
Usage-metered
      Pay by real-time use
Self-service from a pool of resources
      Resources managed by the consumer with a GUI or API
Elastic Scalability
      Grow or shrink resources as required
Ubiquitous Network
      The network is essential to use the service
Beyond basic: Modes of Deployment and Service Types

Deployment models:
  Public cloud
  Hybrid cloud
  Private cloud
  Community cloud

Service types:
  IaaS: Compute, Storage, Network, Datacentre
  PaaS: Web 2.0 Applications, Runtime, Development tools, Business Middleware, Database, Java Runtime
  SaaS: Collaboration, ERP / CRM, Business Processes, Enterprise Applications
Security Threats

Lots of noise on... Cloud Security?
...how do we simplify it?

http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/
It is the same as current InfoSec practice.

You have to take the same approach as your current ISMS.

http://www.flickr.com/photos/pheckaboolala/3410638119
Cloud Security
• What is it?
   – Protection of your information in the cloud
• Why is it critical?
   – Your information is at a central, unknown place in the cloud
   – No visibility of the security measures in a public cloud
• Impact of a breach on the business?
   – Lack of compliance
   – Legal issues
   – Breach of privacy

http://www.flickr.com/photos/nigeljohnson73/6788941421
Threats in XaaS Models
• SaaS:
   – Built-in security functionality
   – Least consumer extensibility
   – Relatively high level of integrated security
• PaaS:
   – Enables developers to build their own applications on top of the platform
   – More extensible than SaaS, at the expense of customer-ready features
   – Built-in capabilities are less complete, but there is more flexibility to layer on additional security
• IaaS:
   – Few application-like features
   – Enormous extensibility
   – Less integrated security capabilities and functionality beyond protecting the infrastructure itself
   – Assets to be managed and secured by the cloud consumer
Security Framework
1. Identify the assets to cloudify
   a) Data
   b) Applications
2. Assess the impact on the business of transferring the assets to the cloud, in case of a breach
3. Map the asset to potential cloud deployment models
4. Evaluate the controls in each IaaS / PaaS / SaaS layer, depending upon the asset
5. Evaluate the data flow, to understand how the data moves
Cloud Controls
3 dimensions of cloud security:
   Business Criticality
   IT Assets in cloud
   Risk Assessment

For achieving robust and practical security, consider all 3 perspectives.
Types of Controls

Governance (Strategic)
• Risk Management
• Legal & Electronic Discovery
• Compliance / Audit
• Information Lifecycle Management
• Portability and Interoperability

Operational (Tactical)
• BCP / DR
• Data centre Operations
• Incident Management
• Application security
• Encryption
• Identity & Access Management
• Virtualization
Implement Controls
• Possible controls – layered security:
   – facilities (physical security)
   – network infrastructure (network security)
   – IT systems (system security)
   – information and applications (application security)
• IaaS cloud provider:
   – addresses security controls such as physical security, environmental security, and virtualization security
• SaaS:
   – addresses controls up to the application layer

http://www.flickr.com/photos/telstar/2816038167
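As an added example (not from the deck), steps 4 and 5 of the framework combined with the layered-controls split above, in Python: for a constructed asset inventory it lists the layers the consumer still owns under each service model, scores the unaddressed ones by business criticality, and flags data flows that move from a better-protected asset into a worse-protected one. The layer names, the provider-coverage assignments and the scoring are assumptions made for illustration.

```python
"""Added example: framework steps 4 and 5 over a constructed asset inventory.
Layer names, provider coverage and the scoring are illustrative assumptions."""
from dataclasses import dataclass, field

# Layered security from the "Implement Controls" slide, bottom to top.
LAYERS = ("facilities", "network", "systems", "applications")

# Layers the provider covers (assumption): under IaaS the provider secures the
# facilities and hypervisor but the consumer still owns the guest OS, so only
# "facilities" counts; under SaaS the provider covers up to the application layer.
PROVIDER_COVERS = {
    "IaaS": {"facilities"},
    "PaaS": {"facilities", "network", "systems"},
    "SaaS": {"facilities", "network", "systems", "applications"},
}

@dataclass
class Asset:
    name: str
    kind: str           # "data" or "application" (step 1)
    criticality: int    # business criticality, 1 (low) to 5 (high) (step 2)
    service_model: str  # IaaS / PaaS / SaaS the asset is mapped to (step 3)
    consumer_controls: set = field(default_factory=set)  # layers consumer secures

def consumer_owned_layers(service_model):
    """Layers the cloud consumer must secure itself under this model."""
    return [l for l in LAYERS if l not in PROVIDER_COVERS[service_model]]

def evaluate(asset):
    """Step 4: unaddressed consumer-owned layers, scored by criticality."""
    gaps = [l for l in consumer_owned_layers(asset.service_model)
            if l not in asset.consumer_controls]
    return {"asset": asset.name, "gaps": gaps,
            "risk_score": asset.criticality * len(gaps)}

def prioritise(assets):
    """Rank assets so the one with the highest exposure is handled first."""
    return sorted(map(evaluate, assets), key=lambda r: r["risk_score"], reverse=True)

def risky_flows(assets, flows):
    """Step 5: flag flows whose destination is more exposed than its source."""
    score = {r["asset"]: r["risk_score"] for r in map(evaluate, assets)}
    return [(src, dst) for src, dst in flows if score[dst] > score[src]]

if __name__ == "__main__":  # constructed sample inventory, not real systems
    inventory = [Asset("customer-db", "data", 5, "IaaS", {"network", "systems"}),
                 Asset("crm", "application", 4, "SaaS"),
                 Asset("web-portal", "application", 3, "PaaS")]
    print(prioritise(inventory))
    print(risky_flows(inventory, [("crm", "web-portal"), ("customer-db", "web-portal")]))
```

A flagged flow is one where data leaves an asset whose consumer-owned layers are all covered and enters one that still has an open gap, which is exactly what step 5 asks you to look for before choosing controls.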
Summary
• Consider three perspectives: assets, risk management and business criticality
• Cloud as an operational model neither provides for nor prevents achieving compliance
• Selection of controls depends on the service and deployment model
• Controls vary depending on the design, deployment, and management of the resources
• Most security controls in the cloud are the same as in a normal IT environment

http://www.flickr.com/photos/isadocafe/2095153000/
Sameer Paradia – CGEIT, CISM, CISSP
(sameer_m_paradia@yahoo.com)
Practicing IT Security for 12+ years out of 20+ years of IT Services / Outsourcing work experience.

http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/
