Uploaded byirvinc
PPTX, PDF808 views

Cloud security: Risks and Rewards for New Entrants

The document discusses the risks and recommended security frameworks for cloud computing, highlighting both traditional and new risks associated with its unique characteristics. It emphasizes the importance of client-side controls, strong service level agreements, and continuous monitoring to mitigate these risks. Additionally, the document suggests that certification in cloud security can enhance organizational capability and recruitment efforts.

Embed presentation

Downloaded 75 times
Cloud Security: Risks and Recommendations for New EntrantsA Report by Irvin ChooACC 626
What is the Cloud?
What is the Cloud?
Cloud CharacteristicsElasticityAutomatic Provisioning/De-provisioningAccessibilityAnywhere and everywhereMulti-tenancyKnow your neighbourPay-as-you-go
Cloud Security RisksOld risks vs. New risksCloud Dependency StackExpanding Attack SurfacesCloud Cartography and Side Channels
Cloud Security RisksOld Risks vs. New RisksSome risks (e.g. Phishing often attributed to cloud) – not a cloud specific riskNew risks should span from the inherent properties of cloud computing modelsCan have a hybrid of bothDistributed Denial of Service vs. Economic Denial of ServiceEDoS: using elasticity aspect to provision resources beyond sustainable capacities
Cloud Security RisksExpanding Attack surfacesHypervisors (IaaS)Allocate resources to virtual environment within the physical serverApplication Program Interfaces (PaaS)ProprietaryCommunicates between developer’s program and underlying platform
Cloud Security RisksSaaSPaaSThe Cloud Dependency StackCompatibility concernsMisconfiguration of softwareHigh integration, high risk Compromise at any level can undermine the entire infrastructureIaaSCloud Physical Infrastructure
Cloud Security RisksCloud CartographyMulti-tenancy issueLocating VM’s in the cloudRandom Distribution?Hey, you, get off of my Cloud! (Amazon EC2 study)50% success rateEven brute force methods fairly successfulInexpensive
Cloud Security RisksSide Channel AttacksPrimary risk from multi-tenant environment Indirect form of spyingListening through the cacheCan infer information rather than directly intercepting itResearchers were able to guess passwords by monitoring spikes in cache activity Can change face of corporate espionage
Controls and RecommendationsFirst StepsResponsibilities and the SLASecurity Frameworks
Controls and RecommendationsFirst StepsWhy is encryption important?Ensure authorize accessProvides base level protection over informationBasic encryption policiesAuthentication dataData for archiving/storageLimitationsNot suited for data in transit/rapid processing (e.g. SaaS)Gmail struggled with encryption until 2010
Controls and RecommendationsResponsibilities and the SLAPonemon: 69% of cloud service providers believe security to be responsibility of the usersContinuous monitoringCSP may be hesitant to give access data/logsGenerally secretive security policiesSecuring ownership of data in case of security breaches
Controls and RecommendationsRecommended Security FrameworksStrong response to lack of cloud-based security risk frameworkISACA COBIT Framework for IT Governance of controlInternational Organization for Standardization ISO 27001 ENISA Cloud Computing Assurance FrameworkCloud Security Alliance Cloud Controls Matrix
Controls and RecommendationsRecommended Security Frameworks
Implications for CA’sAssurance OpportunitiesCertificate of Cloud Security Knowledge
Implications for CA’sCloud Computing is an opportunity for CAsExecutives require stronger cloud-based assurance model5970/CSAE 3416 is inadequate Cloud risks extend far beyond financial reporting considerationsDistinguishing between Cloud service providers
Implications for CAsCSA Certificate of Cloud Security Knowledge“The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate.” ~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp
Conclusions Cloud entails new risksExpansion of attack surfaces Evolution of old threatsRisks can be mitigated byImplementing client-side controlsStrong Service level agreementUnified risk assessment process
Thank you!!
Works CitedAl Morsy, M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdfBrenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28 (18), pp. 1-2.CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up .Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdfCloud Computing Information Assurance Framework. (2009, November 2009). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-frameworkCloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessmentCloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
Works CitedCloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspxFarrell, R. (2010). Securing the Cloud. Information Security Journal, 6 (19), pp. 310-319.Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdfGreengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1 (106), pp. 20-24.Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1 (1247), pp. 4-5.Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspxHoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/Jarabek, C. (2010). A Review of Cloud computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdfLempereur, C., & Cimpean, D. (2011, May 12). An assurance framework for cloud computing(. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011Loveland, G. (2010). Security Among the clouds. Compliance Week, 8 (83).Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
Works CitedMcMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.pptMullins, R. J. (2010). New Cloud Security Certification Launched. Infromation Week, 1 (1277), p. 16.Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.aspRistenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdfShipley, G. (2010). Cloud Computing: Risks. Information Week, 1 (1262), pp. 20-23.The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25 (1), pp. 7-9.Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.htmlTop Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreatsTransitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtmlUrquhart, J. (2010, November 22). Cloud security is dependent on the law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofCloudsZetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/

More Related Content

PDF
INFORMATION SECURITY IN CLOUD COMPUTING
byijitcs
 
PDF
Cloud Computing Security
byArunvignesh Venkatesh
 
PDF
Introduction to cloud security
byIAEME Publication
 
PDF
Symantec Cloud Security Threat Report
bySymantec
 
PDF
Most viewed article for an year in academia - Advanced Computing: An Internat...
byacijjournal
 
PDF
Security research trends in 2020
byAIRCC Publishing Corporation
 
PPTX
Trends Affecting the Future of Cybersecurity
byMason Bird
 
PPTX
Ohm2013 cloud security 101 slideshare
byPeter HJ van Eijk
 
INFORMATION SECURITY IN CLOUD COMPUTING
byijitcs
 
Cloud Computing Security
byArunvignesh Venkatesh
 
Introduction to cloud security
byIAEME Publication
 
Symantec Cloud Security Threat Report
bySymantec
 
Most viewed article for an year in academia - Advanced Computing: An Internat...
byacijjournal
 
Security research trends in 2020
byAIRCC Publishing Corporation
 
Trends Affecting the Future of Cybersecurity
byMason Bird
 
Ohm2013 cloud security 101 slideshare
byPeter HJ van Eijk
 

What's hot

PDF
Research Article On Web Application Security
bySaadSaif6
 
PPTX
Implications of GDPR for IoT Big Data Security and Privacy Fabric
byMark Underwood
 
PDF
Adapting for the Internet of Things
byTripwire
 
PPTX
A survey on the security of cloud computing
byLubna_Alhenaki
 
PDF
cloud security
byadultgroup1
 
PPTX
9 Things You Need to Know Before Moving to the Cloud
bykairostech
 
PPTX
Security of Cloud Computing Survey
byLubna_Alhenaki
 
PDF
Symantec Webinar Cloud Security Threat Report
bySymantec
 
PPTX
A recommendation for software development responses for future
byMax Justice
 
PDF
Will Today’s Cybersecurity Guidelines and Standards Become Mandates for Conne...
byTJR Global
 
PDF
Cloud computing advances in 2020
byAIRCC Publishing Corporation
 
PPTX
What i learned at issa international summit 2019
byUlf Mattsson
 
PPTX
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 
PDF
Is the Cloud Safe? Ensuring Security in the Cloud
byTechSoup
 
PDF
Security Everywhere: A Growth Engine for the Digital Economy
byCisco Russia
 
PDF
Capstone Team Report -The Vicious Circle of Smart Grid Security
byreuben_mathew
 
PDF
Cyber Security Models - CxT Group
byCXT Group
 
PDF
BriefingsDirect Transcript--How security leverages virtualization to counter ...
byDana Gardner
 
PDF
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 
Research Article On Web Application Security
bySaadSaif6
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
byMark Underwood
 
Adapting for the Internet of Things
byTripwire
 
A survey on the security of cloud computing
byLubna_Alhenaki
 
cloud security
byadultgroup1
 
9 Things You Need to Know Before Moving to the Cloud
bykairostech
 
Security of Cloud Computing Survey
byLubna_Alhenaki
 
Symantec Webinar Cloud Security Threat Report
bySymantec
 
A recommendation for software development responses for future
byMax Justice
 
Will Today’s Cybersecurity Guidelines and Standards Become Mandates for Conne...
byTJR Global
 
Cloud computing advances in 2020
byAIRCC Publishing Corporation
 
What i learned at issa international summit 2019
byUlf Mattsson
 
Secure Digital Transformation- Cybersecurity Skills for a Safe Journey to Dev...
byTroy Marshall
 
Is the Cloud Safe? Ensuring Security in the Cloud
byTechSoup
 
Security Everywhere: A Growth Engine for the Digital Economy
byCisco Russia
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
byreuben_mathew
 
Cyber Security Models - CxT Group
byCXT Group
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
byDana Gardner
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
bySpark Security
 

Similar to Cloud security: Risks and Rewards for New Entrants

PPTX
Cloud Computing Security Essentials for beginners
byssuser1e89a0
 
PDF
Cloud Security, Standards and Applications
byDr. Sunil Kr. Pandey
 
PDF
Cloud_security_v2_chpater_9_s_version.pdf
byalkabarala01
 
PPTX
How to Secure Your IaaS and PaaS Environments
byInfo-Tech Research Group
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PPT
Cloud Computing Security Issues
byDiscover Cloud Computing
 
PPTX
cloud computer security fundamentals Unit-5.pptx
bySuryaBasnet3
 
POT
Automation alley day in the cloud presentation - formatted
byMatthew Moldvan
 
PPT
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
PPT
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
PPT
Cloud computing security and privacy christian goire
bygoire
 
DOCX
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
byRAHUL126667
 
PDF
Various Security Issues and their Remedies in Cloud Computing
byINFOGAIN PUBLICATION
 
PDF
Losing Control to the Cloud
byRochester Security Summit
 
PDF
How Secure Is Cloud
byWilliam Lam
 
PPT
Cloud computing security - Insights
bygiorgiacaleffi
 
PPT
4831586.ppt
byahmad21315
 
PPTX
Cloud Security: A matter of trust?
byMark Williams
 
PPTX
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 
Cloud Computing Security Essentials for beginners
byssuser1e89a0
 
Cloud Security, Standards and Applications
byDr. Sunil Kr. Pandey
 
Cloud_security_v2_chpater_9_s_version.pdf
byalkabarala01
 
How to Secure Your IaaS and PaaS Environments
byInfo-Tech Research Group
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
Cloud Computing Security Issues
byDiscover Cloud Computing
 
cloud computer security fundamentals Unit-5.pptx
bySuryaBasnet3
 
Automation alley day in the cloud presentation - formatted
byMatthew Moldvan
 
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
Cloud computing security and privacy christian goire
bygoire
 
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
byRAHUL126667
 
Various Security Issues and their Remedies in Cloud Computing
byINFOGAIN PUBLICATION
 
Losing Control to the Cloud
byRochester Security Summit
 
How Secure Is Cloud
byWilliam Lam
 
Cloud computing security - Insights
bygiorgiacaleffi
 
4831586.ppt
byahmad21315
 
Cloud Security: A matter of trust?
byMark Williams
 
What is Cloud Security, and Can I Have Some?
byJohn Kinsella
 

Recently uploaded

PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
cybercrime in Information security .pptx
byismaeelsahib032
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 

Cloud security: Risks and Rewards for New Entrants

  • 1.
    Cloud Security: Risksand Recommendations for New EntrantsA Report by Irvin ChooACC 626
  • 2.
  • 3.
  • 4.
  • 5.
    Cloud Security RisksOldrisks vs. New risksCloud Dependency StackExpanding Attack SurfacesCloud Cartography and Side Channels
  • 6.
    Cloud Security RisksOldRisks vs. New RisksSome risks (e.g. Phishing often attributed to cloud) – not a cloud specific riskNew risks should span from the inherent properties of cloud computing modelsCan have a hybrid of bothDistributed Denial of Service vs. Economic Denial of ServiceEDoS: using elasticity aspect to provision resources beyond sustainable capacities
  • 7.
    Cloud Security RisksExpandingAttack surfacesHypervisors (IaaS)Allocate resources to virtual environment within the physical serverApplication Program Interfaces (PaaS)ProprietaryCommunicates between developer’s program and underlying platform
  • 8.
    Cloud Security RisksSaaSPaaSTheCloud Dependency StackCompatibility concernsMisconfiguration of softwareHigh integration, high risk Compromise at any level can undermine the entire infrastructureIaaSCloud Physical Infrastructure
  • 9.
    Cloud Security RisksCloudCartographyMulti-tenancy issueLocating VM’s in the cloudRandom Distribution?Hey, you, get off of my Cloud! (Amazon EC2 study)50% success rateEven brute force methods fairly successfulInexpensive
  • 10.
    Cloud Security RisksSideChannel AttacksPrimary risk from multi-tenant environment Indirect form of spyingListening through the cacheCan infer information rather than directly intercepting itResearchers were able to guess passwords by monitoring spikes in cache activity Can change face of corporate espionage
  • 11.
    Controls and RecommendationsFirstStepsResponsibilities and the SLASecurity Frameworks
  • 12.
    Controls and RecommendationsFirstStepsWhy is encryption important?Ensure authorize accessProvides base level protection over informationBasic encryption policiesAuthentication dataData for archiving/storageLimitationsNot suited for data in transit/rapid processing (e.g. SaaS)Gmail struggled with encryption until 2010
  • 13.
    Controls and RecommendationsResponsibilitiesand the SLAPonemon: 69% of cloud service providers believe security to be responsibility of the usersContinuous monitoringCSP may be hesitant to give access data/logsGenerally secretive security policiesSecuring ownership of data in case of security breaches
  • 14.
    Controls and RecommendationsRecommendedSecurity FrameworksStrong response to lack of cloud-based security risk frameworkISACA COBIT Framework for IT Governance of controlInternational Organization for Standardization ISO 27001 ENISA Cloud Computing Assurance FrameworkCloud Security Alliance Cloud Controls Matrix
  • 15.
  • 16.
    Implications for CA’sAssuranceOpportunitiesCertificate of Cloud Security Knowledge
  • 17.
    Implications for CA’sCloudComputing is an opportunity for CAsExecutives require stronger cloud-based assurance model5970/CSAE 3416 is inadequate Cloud risks extend far beyond financial reporting considerationsDistinguishing between Cloud service providers
  • 18.
    Implications for CAsCSACertificate of Cloud Security Knowledge“The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate.” ~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp
  • 19.
    Conclusions Cloud entailsnew risksExpansion of attack surfaces Evolution of old threatsRisks can be mitigated byImplementing client-side controlsStrong Service level agreementUnified risk assessment process
  • 20.
  • 21.
    Works CitedAl Morsy,M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdfBrenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28 (18), pp. 1-2.CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up .Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdfCloud Computing Information Assurance Framework. (2009, November 2009). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-frameworkCloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessmentCloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
  • 22.
    Works CitedCloud ControlsMatrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspxFarrell, R. (2010). Securing the Cloud. Information Security Journal, 6 (19), pp. 310-319.Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdfGreengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1 (106), pp. 20-24.Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1 (1247), pp. 4-5.Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspxHoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/Jarabek, C. (2010). A Review of Cloud computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdfLempereur, C., & Cimpean, D. (2011, May 12). An assurance framework for cloud computing(. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011Loveland, G. (2010). Security Among the clouds. Compliance Week, 8 (83).Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
  • 23.
    Works CitedMcMillon, M.(2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.pptMullins, R. J. (2010). New Cloud Security Certification Launched. Infromation Week, 1 (1277), p. 16.Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.aspRistenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdfShipley, G. (2010). Cloud Computing: Risks. Information Week, 1 (1262), pp. 20-23.The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25 (1), pp. 7-9.Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.htmlTop Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreatsTransitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtmlUrquhart, J. (2010, November 22). Cloud security is dependent on the law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofCloudsZetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/

Editor's Notes

  • #2 Introduction: 30 seconds Show notes: The cloud is a service model that entails great benefits for its new entrants. However its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it. Multiple choice: Which form of attack is inherently linked to the multi-tenant aspect of the clouda) DDoSb) Phishingc) Side Channel Attacksd) Man-in-the-middle attacke) CloudburstWhat is the term used to describe the forceful placement of a virtual instance next to a target one?Cloud cartographyCloud mappingInfrastructure targetingCloud trackingProcessor Framing
  • #3 1 minuteNow before we start, we have to ask ourselves, what is the cloud? The cloud is a large network that encompasses 3 distinct but interrelated service models: The first is security as a service, where software is coded, maintained and brought directly to the end user through the web. Think Salesforce or even something as commonplace as GmailPlatform as a service employs, well, a software platform that’s run by the cloud service provider. Developers are free to use this platform and its related tools to bring innovative new technologies to the front. Think of Google’s App Engine or Microsoft Azure.Finally, Infrastructure as a service supplies the raw and complex processing power that companies need to bring a large service to many different users at time.http://www.gunthergerlach.com/2009/04/defining-cloud-computing-from-the-scratch/
  • #4 30 sNow consider that these services are often built on top of oneanohter. At the bottom you have infrastructure as a service, supporting the underlying platform. At the middle level lies Platform as a service, which harnesses the power provided by the infrastuucture base. And at the top level, you have software as a service, which is a piece of software that can be coded on a development platform and likewise distrubuted all over the cloud using the infrsature. This forms what we call the cloud dependency model, which I’ll get to later.
  • #5 1 minutePWC 2011 Global Why does this matter to important CIO’s or future executives like you? Well, you have to keep up with the competition.In a PwC Information Security Survey of 12,thousand IT leaders 49% of respondents said their organization employs some form of cloud computing today, up 14% the year before Business leaders are eager to harness four characteristics of the cloud. There’s elasticity, where additional processing power can be ordered at the click of a button. Accessibility, meaning you can access the cloud anywhere you have an internet connection. Multi-tenancy, which i’ll explain more next. And a pay-as-you-go usage model, which can help optimize costs. The cloud is a finite network that can house a near infinite amount of what we call instances. Whenever you request a new instance on the cloud, it is distributed on a physical server somewhere in that network. You’ll be operating within the presence of other virtual machines, and that’s what we call multi-tenancy. But its this aspect as well as the elasticity characteristic that make the cloud so cheap.
  • #6 30 secondsNow it’s not all fun and games on the cloud. You also have to be aware of the risks. Now that’s where this report comes in. Have to know the risks. I’ll be going over 4 of the more prevalent or interesting risks inherent to the cloud, and ways you might be able to counteract them. Adoption statistic (PwC)
  • #7 1 minNow we have to distinguish between old risks that we’ve seen for a long time on the internet, and new risks that come specifically to the cloud and its unique properties. Some risks, such as phishing aren’t really cloud risks, as they work or fail just as long as you have an internet connection. But sometimes, we can have a hybrid of both. Take for example a DDoS attack, or distributed denial of service attack. This involves a slew of machines making false requests in order to overload a serverBut DDoS attacks can evolve using the cloud’s scalable properties. What would happen if instead of overloading your server, you’d just provision additional infrastructure to support them. Things would get awfully expensive very quickly if they continue. Cristofer Hoff, a cloud security expert at Cisco systems, calls this the Economic Denial of service attack. Now you notice how things get better with the cloud. Even attacks.
  • #8 1 minuteWe’re used to seeing security as protection across various network’s boundaries. Now the tools used to control programs and instances on the cloud have created more attack surfaces that may prove to be additional vulnerabilities within what is now part of your network.As I said earlier, In the multi-tenant environment physical servers house several virtual environments. The cloud companies use programs called hypervisors to allocate resources of the physical machine among each instance.In PaaS cloud models, the provider uses an Application Program Interface or API to communicate with the developer’s programs and submit requests on real time basis.Hopefully, yuo start to see the implications. Both of these solutions help run the cloud, but at the same time allow for unmitigated access to user data if breached.
  • #9 2 minutesNow, recall how cloud services often build up on one another. Take potential hypervisor and API vulnerabilities into account when you consider the cloud dependency stack. At the Infrastructure level, you open up the model to attacks of the hypervisor, while at the platform level, API security risks take precedent. What we start to see is a proliferation of access points, all of which can lead directly to data leakage or loss.This inherent risk is compounded by the fact that each level of the cloud model has to be configured properly to ensure compatibility. A Host of security controls are running at the CSP in order to ensure the security of data. However, improperly configured security controls at the client level can lead to additional security flaws that may be exploitable from other parties.
  • #10 2 minuteshttp://xeround.com/blog/wp-content/uploads/2010/11/istock_000012045246xsmall.jpg?w=300The multi-tenancy aspect of the cloud creates another security risk that’s been the subject of intense scrutiny over the last number of years. Though as you wouldn’t want to invite a malicious third party into your physical server, the cloud with its open brand of service opens their networks to a host of parties. A high profile research paper in 2009 called Hey, you get off of my cloud, demonstrated the concept of Cloud cartography on Amazon’s EC2 service. Cloud cartography is a technique that can be used to exploit the multi-tenant aspect of the cloud to forcefully position a malicious instance next to a target one, and later use this positioning to institute an attack on the instance. This may seem impossible, after all, instances seem to be positioned almost anywhere in the cloud. However, the researchers were able to succeed in 50% of co-location efforts, all for around 100 dollars. Even a pure brute force method led to 126of 141 instances being co-located in 510 efforts But why is this important? The fact of the matter is, it opens up yet another method of attack that can be used to steal data from a company
  • #11 Now once co-residency is established on the same physical infrastructure, hackers can use an indirect method of spying called a side channel attackOne type of side channel attack utilizes the system cache to monitor activity throughout the physical server. The system cache is a temporary memroy storage bank used by the processor, but simply wasnt built with strong segregation facilities in mind. Therefore, it remains observable by all parties. By obersving the activity levels of the cache, a malicious user could monitor the timing of individual spikes in cache usage to do things like infer keyboard strokes in the target VM. This has huge potential ramifications, as you can easily imagine how indirect channel attacks can lead to direct stealing of employee passwords and the ultimate loss of data security for a company or its customers.
  • #12 http://www.cloudsoftwareprogram.org/rs/371/e9c4455d-a317-4f4c-9f70-108d736bae98/b4f/filename/cloud-security.jpgNow that we outlined some of the more unique risks of the cloud, how can executives prepare for a transition to it? Well, there are a numberof ways that they can try to compensate
  • #13 1 minuteNow , encryption remains a popular solution in tech circles today. After seeing the increased potential for data leakage that happens as a result of adopting the cloud model, you could possibly see why encryption remains a must for new entrantsEncryption allows you to ensure that the right people are accessing your cloud servers through validation procedures, as well as provides you with base level protection over your information. Businesses that plan to use the cloud for storage or archiving can use encryption to transfer data into a basically unreadable format to minimize the chances of it being deciphered if intercepted or stolen. However, encryption does have limitations. By virtue of its being undecipherable, encrypted data cannot be used for processing by cloud servers. Take for example the case of Google, which struggled over encrypting its gmail service for over 2 years. Its said that even a simple search using encrypted data make processing take up to 1 trillion times longer. Executives have to be sure to balance the security benefits of encryption with its processing costs
  • #14 1 minuteA strong service level agreement can mean all the difference when mitigating risks of financial exposure in the cloud. THis is especially true since, according to a Ponemn survey, 69% of cloud service provders believe security to be the primary responsibility of the users, while only 35% of cloud users seem to agree. CSP’s in gneral seem to be understandably protective over their security policies, but executives must be sure to ensure that it doesn’t impede in their own hardening procedures. Teh service provider may be hesitant to hand over basic access data or logs that may be essential for continuous monitoring by the user. They may also be subject to confiscate your data in the case of a security breach, unintentional or otherwise. A strong service level agreement can effectively divide the rights and responsibilities between each party in the cloud contract, and must be addressed to facilitate conitnuous monitoring or enforce ownership rights over the relationship.
  • #15 1 minuteFinally, given the sheer number of threats that emerge from the basic cloud dependency stack, it makes sense for exeuctives to apply a unified risk assessment approach in order to manage cloud security. Of course we’re all familiar with the ISACA COBIT Framework, a control objcetive model which certainly can be applied to a cloud environment given a little tweaking. However, a number of organizations have come forward to impart on new entrants a cloud-specific risk model. One such organization is the European network and Infromation Security Agency (or EniSA) , and its Cloud computing asuranceframeowork. A sort of meeting ground can be found with the CSA’s Cloud controls matrix. It applies elements of all of the previously mentioned frameworks, taking concepts from each to form a definitive best practise security framework. Getting to know these firsthand would be another great way for exeuctives to educate themselves on newsecurity risks that result from cloud adoption.
  • #16 Now the help is out there. Here are a couple of links to the more popular forms of the security framework. Take a little time to browse through them all to see which one is most compatible with your existing security framework if you plan to become a new entrant.
  • #17 Now I’m just going to talk briefly about some opportunities that are available for CA’s to help provide additional assurance to new entrants in the cloud
  • #18 First of all, its important to see Cloud Computing as an opportunity to provide an extension on the assurance function that it currently applies to service providersExecutives currently require a stong level of assurance to make a conscious decision over their choice of CSPs. The CA assurance function relevant to the cloud is generally limited to the control based assessment that is the 5970 report. However, the 5970 merely relates to the testing of controls at a service provider over it and its clients’ financial reporting models. It fails to provide a complex assessment over the CSP’s security controls, which is what executives desparately need to distinguish between cloud service providers.Applying the trusted CA assurance brand to create a cloud-assurance model seems to be a lucrative opportunity worth looking into.
  • #19 https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/CA’s lookign to get a jump ahead of the pack to bolster their competencies and increase their own marketability can look to an offering by the cloud sercurity alliance. The CSA has recently instituted a certificate of cloud security knowledge, which designates an individual as a specialist in identifying and addressing security risks in the cloud. This quote from Gary Phillips from Symantec outlines one way that CA’s can help distinguish themselves in the cloud assurance function.
  • #20 So what have I told you today. The cloud is a profound opportunity for executives who look to leverage its powerful and cost effective characteristics to drive their businesses forward. However, it is these chracteristics that create new risks that we must now look out for, whether it be the proliferation of new atack surfaces or new threats taht evolve with the cloud.It will pay dividends to be prepared. A unified risk assessment process will go a long way towards understanding the many risks out there, while implementing clinet-side controls and a strong service level agreeemnt facilitate the risk mitigation and risk avoidance practises.
  • #21 http://www.collaborationideas.com/wp-content/uploads/2011/06/cloudcomputing.jpgHopefully, you now have a better understanding of how the cloud works and ways you can protect yourself. Thanks for listening!