Trying to understand the possible cloud risks

1. Cloud Security
Reality or Illusion
By:Srinivas Thimmaiah
Date: 11 Mar 2017
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 1

2. About me
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 2
An seasoned Information Security professional, speaker & blogger having around
13+ years of rich and insightful work experience in the areas of Information
Security Assurance, Governance, Risk Management, BCM, Supplier
Management, Awareness, IT Security, operational excellence and also in
influencing team members and management.
CISM, ISO 27001 certified, CISCO certified Information Security & IT Security
experienced professional.

3. Agenda
 Cloud Ecosystem
 Whatis Cloud computing
 Cloudservices
 Deploymentmodels
 Cloud adoption trends 2017
 Cloud Risks
 Conclusion
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 3

4. CloudEcosystem
Cloud computing is the delivery of computing services—servers, storage,
databases, networking, software, analytics and more—over the Internet (“the
cloud”).
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 4
Source: Microsoft
Rapid Elasticity
Broad Network Access
Measure service On-demand self-service
Resource pooling
Characteristics of Cloud Computing

5. CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 5
Cloud Service Models
Infrastructure as a Service
Platform as a Service
Software as a Service
Application platform or
middleware as a service on
which developers can build and
deploy custom applications
Compute, storage, IT infra as
a service, rather than as
dedicated capability
End-user applications
delivered as a service rather
than on-premises software
SaaS
(consume)
PaaS
(build)
IaaS
(host)

6. CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 6
Public Private
CommunityHybrid
Cloud Deployment Models

7. CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 7
Public
Private
CommunityHybrid
Cloud Deployment Models
 Provisioned by general public
 Exists on the premise of the
cloud provider
 May be owned, managed by
business, government or a
combination
Organizations
Google
Zoho
Salesforce
Microsoft
AmazonYahoo
Rackspace

8. Public
Private
CommunityHybrid
CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 8
Cloud Deployment Models
 Provisioned for single
organization
 May exist on or off site
 May be managed by
organization or outsourced

9. CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 9
Public Private
Community
Cloud
Hybrid
 Provisioned for exclusive use by
a specific community
 May be managed by one or
more of the community
organizations
 May be managed by community
organization or outsourced
Cloud Deployment Models
Community of Organizations

10. CloudEcosystem
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 10
Public Private
CommunityHybrid
 Combination of two or
more distinct cloud
infrastructures
Cloud Deployment Models
Public Cloud
Private Cloud
Organization

11. Cloudadoptiontrends of2017
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 11
Source: Rightscale 2016 State of the Cloud Report
Public Cloud Private Cloud Hybrid Cloud Any Cloud
88% 89% 89%
63%
77%
72%
58%
71%
67%
93% 95% 95%

12. CloudRisks
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 12
Risks
Policy &
Organization Risks
Technical Risks Legal Risks
Generic Risks
Source: csaguide

13. CloudRisks
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 13
Lock-in
Loss of governance
Compliance challenges
Loss of business reputation due
to cotenant activities
Cloud service termination
or failure
Cloud provider acquisition
Supply chain failure
Policy &
Organization
risks
Source: csaguide

14. CloudRisks
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 14
Resource exhaustion (under or over provisioning)
Isolation failure
Cloud provider malicious insider –
abuse of high privilege roles
Management interface compromise (manipulation, availability of infrastructure)
Intercepting data in transit
Insecure of ineffective deletion of data
Data leakage on up/download, intra-cloud
Distributed denial of service
(DDOS)
Economic denial of service
(EDOS)
Loss of encryption keys
Undertaking malicious probes
or scans Compromise server engine
Technical
risks
Source: csaguide

15. CloudRisks
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 15
Risk from changes of
jurisdiction
Licensing risks Data protection risks
Subpoena and e-discovery
Legal
risks
Source: csaguide

16. CloudRisks
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 16
Modifying network traffic
Privilege escalation
Loss or compromise of security logs
Network management (i.e, network congestion/mis-connection/non-optimal use)
Backup lost, stolen
Unauthorized access to premises
Natural disaster
Theft of computer equipment
Network breaks
Social engineering attacks
Loss or compromise of operational logs
Generic
risks
Source: csaguide

17. Conclusion
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 17
 Effective onboarding process
 Vendor analysis
 Risk management
 Contract Management
 Justification for cloud adoption
 Re-visit the services
 Monitoring the services
Source: From Body to Spirit; From Illusion to Reality

18. Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 18

19. Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 19

20. Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 Page 20
https://www.google.co.in/search?q=road+with+car&biw=1920&bih=935&source=lnms&tbm=isch&sa=X&ved=
0ahUKEwiGx-
W6va_SAhVI_iwKHULgBTwQ_AUIBigB#tbm=isch&q=cloud+security+icon&*&imgrc=QnwqNekhOpC6-M:
https://www.google.co.in/search?q=road+with+car&biw=1920&bih=935&source=lnms&tbm=isch&sa=X&ved=
0ahUKEwiGx-
W6va_SAhVI_iwKHULgBTwQ_AUIBigB#tbm=isch&q=cars+on+highway&*&imgrc=WRHPKYuTO2knwM:
References