SlideShare a Scribd company logo

Cloud_Security_–_An_Overview_coure subject.pdf

A
AlexanderJPSibarani1

cloud security

Education
1 of 30
Download to read offline
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Cloud Security – An Overview Presented by, Ezhil Arasan Babaraj Ezhilarasan.babaraj@csscorp.com CSS Corp Labs CSS Corp Pvt Ltd.
OWASP Acknowledgement Thanks to Joe St Sauver, Ph.D. Security Programs Manager, Internet2 joe@uoregon.edu or joe@internet2.edu
OWASP What is Cloud computing? 3
OWASP Cloud Computing Is Many Different Things to Many Different People 4
OWASP Some Generally Accepted Characteristics Most people would agree that true cloud computing is zero up front capital costs largely eliminates operational responsibilities (e.g., if a disk fails or a switch loses connectivity, you don’t need to fix it) for the most part, cloud computing eliminates knowledge of WHERE one’s computational work is being done; your job is being run “somewhere” out there in the “cloud” offers substantial elasticity and scalability cloud computing leverages economies of scale 5
OWASP Cloud Computing Building Blocks IaaS PaaS SaaS
OWASP What's Driving Cloud Computing? Thought leaders Amazon, Google, Microsoft and many The economy Capex Vs Opex The Feds Govt, Enterprise, Innovators (startups) 7
OWASP Cloud computing Challenges
OWASP 9 Source: http://www.csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt at slide 17 Cloud Computing Challenges
OWASP "Cyber infrastructure Visualized"
OWASP A Cloud, With Lots of "Security" References 11
OWASP What is Cloud computing Security?
OWASP In Some Ways, "Cloud Computing Security" Is No Different Than "Regular Security" 13
OWASP There Are Some Unique Cloud-Related Areas Which We're NOT Going To Worry About Today •Contracting for Cloud Services •Compliance, Auditing and eDiscovery So what are some cloud-related security issues?
OWASP The "A" in The Security "C-I-A" Objectives Computer and network security is fundamentally about three goals/objectives Confidentiality (C) , Integrity (I), and availability (A) Availability is the Key Issue 15
OWASP Bitbucket, DDoS'd Off The Air 16
OWASP Maintenance Induced Cascading Failures 17
OWASP It's Not Just The Network: Storage Is Key, Too 18 See http://www.engadget.com/2009/10/10/t-mobile-we-probably-lost-all-your-sidekick-data/ However, see also: Microsoft Confirms Data Recovery for Sidekick Users http://www.microsoft.com/Presspass/press/2009/oct09/10-15sidekick.mspx
OWASP And Let's Not Forget About Power Issues 19
OWASP Other Security Related Issues Firewalls IDS/IPS Virtualization Security Noisy tenant, Instance Spoofing, Network & I/O Blocking Gaining Access to Local Storage Network Spoofing 20
OWASP Issues with the Choice of Cloud Provider Cloud computing is a form of outsourcing, and you need a high level of trust in the entities you'll be partnering with. It may seem daunting at first to realize that your application depends (critically!) on the trustworthiness of your cloud providers, but this is not really anything new -- today, even if you're not using the cloud, you already rely on and trust: -- network service providers, -- hardware vendors, -- software vendors, -- service providers, -- data sources, etc. Your cloud provider will be just one more entity on that list. 21
OWASP Issues with Cloud Provider Location Location of the Cloud with respect to storage & computing Due to competition of Cloud Pricing, they always look for low cost data centers Thus, your cloud provider could be working someplace you may never have heard of, such as The Dalles, Oregon, where power is cheap and fiber is plentiful, or just as easily someplace overseas. laws and policies of that jurisdiction. Are you comfortable with that framework? Are you also confident that international connectivity will remain up and uncongested? Can you live with the latencies involved? 22
OWASP Other Issues What If your cloud provider has careless or untrustworthy system administrators, the integrity/privacy of your data's at risk willingness to disclose its security practices ? Is your Cloud Provider Financially stable? Some security Incident at your corporate . How will you find the root cause? What if your system ends up being the origin of an attack? 23
OWASP Mitigating the Risk Involved in Cloud Computing 24
OWASP Mitigating Cloud Computing Availability Multi Cloud Strategy Single Cloud Provider with Multiple Region Cloud Hybrid Cloud Strategy Finally be cautious, though, it may simply make financial sense for you to just accept the risk of a rare and brief outage. (Remember, 99.99 availability==> 52+ minutes downtime/yr) 25
OWASP Mitigating Data Loss Risks (Data Availability) Off site backup Backup to an another Cloud or Region 26
OWASP Understand the Employee Risk How can you tell if your cloud provider has careful and trustworthy employees? Ask them! Do backgrounds get checked before people get hired? Do employees receive extensive in-house training? Do employees hold relevant certifications? Do checklists get used for critical operations? Are system administrator actions tracked and auditable on a post hoc basis if there's an anomalous event? Do administrative privileges get promptly removed when employees leave or change their responsibilities?
OWASP Mitigating Transparency related issues Your provider should not treat the security practices as a confidential or business proprietary thing Remember: "Trust, but verify." [A proverb frequently quoted by President Reagan during arms control negotiations] Be like Amazon & Microsoft
OWASP 29 Q & A
OWASP Additional Cloud Computing Security Resources "AWS Security Whitepaper," http://s3.amazonaws.com/ aws_blog/AWS_Security_Whitepaper_2008_09.pdf "Cloud Computing Security: Raining On The Trendy New Parade," BlackHat USA 2009, www.isecpartners.com/files/Cloud.BlackHat2009-iSEC.pdf “ENISA Cloud Computing Risk Assessment,” November 20th, 2009, www.enisa.europa.eu/act/rm/files/deliverables/ cloud-computing-risk-assessment/at_download/fullReport “Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26,” 10/7/2009, NIST, http://www.csrc.nist.gov/groups/SNS/cloud-computing/ cloud-computing-v26.ppt “Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1,” December 2009, Cloud Security Alliance, http://www.cloudsecurityalliance.org/csaguide.pdf 30

Recommended

Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
Discover Cloud Computing
 
Features of cloud
Features of cloudFeatures of cloud
Features of cloud
sagaroceanic11
 
The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdf
Craw Cyber Security
 
bishu pdf1
bishu pdf1bishu pdf1
bishu pdf1
Bishwanth Konathala
 
test_magazine_july-2016
test_magazine_july-2016test_magazine_july-2016
test_magazine_july-2016
Valery Raulet
 
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValueThe Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
RapidValue
 
LinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
LinuxCon North America 2013: Why Lease When You Can Buy Your CloudLinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
LinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
Mark Hinkle
 
Cisco Powered DRaaS eBook
Cisco Powered DRaaS eBookCisco Powered DRaaS eBook
Cisco Powered DRaaS eBook
Cisco Powered
 

Recommended

Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
Discover Cloud Computing
 
Features of cloud
Features of cloudFeatures of cloud
Features of cloud
sagaroceanic11
 
The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdf
Craw Cyber Security
 
bishu pdf1
bishu pdf1bishu pdf1
bishu pdf1
Bishwanth Konathala
 
test_magazine_july-2016
test_magazine_july-2016test_magazine_july-2016
test_magazine_july-2016
Valery Raulet
 
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValueThe Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
The Adoption of Cloud Technology by Enterprises - A Whitepaper by RapidValue
RapidValue
 
LinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
LinuxCon North America 2013: Why Lease When You Can Buy Your CloudLinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
LinuxCon North America 2013: Why Lease When You Can Buy Your Cloud
Mark Hinkle
 
Cisco Powered DRaaS eBook
Cisco Powered DRaaS eBookCisco Powered DRaaS eBook
Cisco Powered DRaaS eBook
Cisco Powered
 
OWASP Cloud Top 10
OWASP Cloud Top 10OWASP Cloud Top 10
OWASP Cloud Top 10
Ludovic Petit
 
Cloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docxCloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docx
mary772
 
AWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the ComplianceAWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the Compliance
Yury Chemerkin
 
Cloud Security for small and medium enterprises (SME)
Cloud Security for small and medium enterprises (SME)Cloud Security for small and medium enterprises (SME)
Cloud Security for small and medium enterprises (SME)
Fabio Cerullo
 
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Amazon Web Services
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
STO STRATEGY
 
Understanding the Cloud
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
www.datatrak.com
 
Fearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fretFearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fret
Cornerstone OnDemand
 
Cisco at v mword 2015
Cisco at v mword 2015Cisco at v mword 2015
Cisco at v mword 2015
ldangelo0772
 
Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance
NETSCOUT
 
CLOUD COMPUTING -DETAILED APPROACH
CLOUD COMPUTING -DETAILED APPROACHCLOUD COMPUTING -DETAILED APPROACH
CLOUD COMPUTING -DETAILED APPROACH
SHAIMA A R
 
cloud-computing-security.ppt
cloud-computing-security.pptcloud-computing-security.ppt
cloud-computing-security.ppt
SaravanaKarthikeyan10
 
What Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud SecurityWhat Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud Security
craigbalding
 
How SMB's benefit from cloud
How SMB's benefit from cloudHow SMB's benefit from cloud
How SMB's benefit from cloud
Alessandro Guli
 
Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019
Joseph Holbrook, Chief Learning Officer (CLO)
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
Scalar Decisions
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
 
IaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysisIaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysis
Graisy Biswal
 
Migrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalMigrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotal
kkdlavak3
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Dean Bruckman
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
Celine George
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
Dr. Mazin Mohamed alkathiri
 

More Related Content

Similar to Cloud_Security_–_An_Overview_coure subject.pdf

Cloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docxCloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docx
mary772
 
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Amazon Web Services
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
STO STRATEGY
 
Fearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fretFearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fret
Cornerstone OnDemand
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
 
Migrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalMigrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotal
kkdlavak3
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Dean Bruckman
 

Similar to Cloud_Security_–_An_Overview_coure subject.pdf (20)

OWASP Cloud Top 10
OWASP Cloud Top 10OWASP Cloud Top 10
OWASP Cloud Top 10
 
Cloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docxCloud Considerations What you need to kn.docx
Cloud Considerations What you need to kn.docx
 
AWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the ComplianceAWS Cloud Security From the Point of View of the Compliance
AWS Cloud Security From the Point of View of the Compliance
 
Cloud Security for small and medium enterprises (SME)
Cloud Security for small and medium enterprises (SME)Cloud Security for small and medium enterprises (SME)
Cloud Security for small and medium enterprises (SME)
 
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
 
Understanding the Cloud
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
 
Fearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fretFearing the cloud: why the life sciences shouldn't fret
Fearing the cloud: why the life sciences shouldn't fret
 
Cisco at v mword 2015
Cisco at v mword 2015Cisco at v mword 2015
Cisco at v mword 2015
 
Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance Clues for Solving Cloud-Based App Performance
Clues for Solving Cloud-Based App Performance
 
CLOUD COMPUTING -DETAILED APPROACH
CLOUD COMPUTING -DETAILED APPROACHCLOUD COMPUTING -DETAILED APPROACH
CLOUD COMPUTING -DETAILED APPROACH
 
cloud-computing-security.ppt
cloud-computing-security.pptcloud-computing-security.ppt
cloud-computing-security.ppt
 
What Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud SecurityWhat Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud Security
 
How SMB's benefit from cloud
How SMB's benefit from cloudHow SMB's benefit from cloud
How SMB's benefit from cloud
 
Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019Cloud Security Top 10 Risk Mitigation Techniques for 2019
Cloud Security Top 10 Risk Mitigation Techniques for 2019
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
IaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysisIaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysis
 
Migrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotalMigrating to cloud-native_app_architectures_pivotal
Migrating to cloud-native_app_architectures_pivotal
 
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
Migrating_to_Cloud-Native_App_Architectures_Pivotal (2)
 

Recently uploaded

Recently uploaded (20)

How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food Additives
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
Play hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of PlayPlay hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of Play
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Our Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdfOur Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdf
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learning
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 
VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
Model Attribute _rec_name in the Odoo 17
Model Attribute _rec_name in the Odoo 17Model Attribute _rec_name in the Odoo 17
Model Attribute _rec_name in the Odoo 17
 
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdfFICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
FICTIONAL SALESMAN/SALESMAN SNSW 2024.pdf
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
PANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptxPANDITA RAMABAI- Indian political thought GENDER.pptx
PANDITA RAMABAI- Indian political thought GENDER.pptx
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 

Cloud_Security_–_An_Overview_coure subject.pdf

  • 1. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Cloud Security – An Overview Presented by, Ezhil Arasan Babaraj Ezhilarasan.babaraj@csscorp.com CSS Corp Labs CSS Corp Pvt Ltd.
  • 2. OWASP Acknowledgement Thanks to Joe St Sauver, Ph.D. Security Programs Manager, Internet2 joe@uoregon.edu or joe@internet2.edu
  • 3. OWASP What is Cloud computing? 3
  • 4. OWASP Cloud Computing Is Many Different Things to Many Different People 4
  • 5. OWASP Some Generally Accepted Characteristics Most people would agree that true cloud computing is zero up front capital costs largely eliminates operational responsibilities (e.g., if a disk fails or a switch loses connectivity, you don’t need to fix it) for the most part, cloud computing eliminates knowledge of WHERE one’s computational work is being done; your job is being run “somewhere” out there in the “cloud” offers substantial elasticity and scalability cloud computing leverages economies of scale 5
  • 6. OWASP Cloud Computing Building Blocks IaaS PaaS SaaS
  • 7. OWASP What's Driving Cloud Computing? Thought leaders Amazon, Google, Microsoft and many The economy Capex Vs Opex The Feds Govt, Enterprise, Innovators (startups) 7
  • 11. OWASP A Cloud, With Lots of "Security" References 11
  • 12. OWASP What is Cloud computing Security?
  • 13. OWASP In Some Ways, "Cloud Computing Security" Is No Different Than "Regular Security" 13
  • 14. OWASP There Are Some Unique Cloud-Related Areas Which We're NOT Going To Worry About Today •Contracting for Cloud Services •Compliance, Auditing and eDiscovery So what are some cloud-related security issues?
  • 15. OWASP The "A" in The Security "C-I-A" Objectives Computer and network security is fundamentally about three goals/objectives Confidentiality (C) , Integrity (I), and availability (A) Availability is the Key Issue 15
  • 18. OWASP It's Not Just The Network: Storage Is Key, Too 18 See http://www.engadget.com/2009/10/10/t-mobile-we-probably-lost-all-your-sidekick-data/ However, see also: Microsoft Confirms Data Recovery for Sidekick Users http://www.microsoft.com/Presspass/press/2009/oct09/10-15sidekick.mspx
  • 19. OWASP And Let's Not Forget About Power Issues 19
  • 20. OWASP Other Security Related Issues Firewalls IDS/IPS Virtualization Security Noisy tenant, Instance Spoofing, Network & I/O Blocking Gaining Access to Local Storage Network Spoofing 20
  • 21. OWASP Issues with the Choice of Cloud Provider Cloud computing is a form of outsourcing, and you need a high level of trust in the entities you'll be partnering with. It may seem daunting at first to realize that your application depends (critically!) on the trustworthiness of your cloud providers, but this is not really anything new -- today, even if you're not using the cloud, you already rely on and trust: -- network service providers, -- hardware vendors, -- software vendors, -- service providers, -- data sources, etc. Your cloud provider will be just one more entity on that list. 21
  • 22. OWASP Issues with Cloud Provider Location Location of the Cloud with respect to storage & computing Due to competition of Cloud Pricing, they always look for low cost data centers Thus, your cloud provider could be working someplace you may never have heard of, such as The Dalles, Oregon, where power is cheap and fiber is plentiful, or just as easily someplace overseas. laws and policies of that jurisdiction. Are you comfortable with that framework? Are you also confident that international connectivity will remain up and uncongested? Can you live with the latencies involved? 22
  • 23. OWASP Other Issues What If your cloud provider has careless or untrustworthy system administrators, the integrity/privacy of your data's at risk willingness to disclose its security practices ? Is your Cloud Provider Financially stable? Some security Incident at your corporate . How will you find the root cause? What if your system ends up being the origin of an attack? 23
  • 24. OWASP Mitigating the Risk Involved in Cloud Computing 24
  • 25. OWASP Mitigating Cloud Computing Availability Multi Cloud Strategy Single Cloud Provider with Multiple Region Cloud Hybrid Cloud Strategy Finally be cautious, though, it may simply make financial sense for you to just accept the risk of a rare and brief outage. (Remember, 99.99 availability==> 52+ minutes downtime/yr) 25
  • 26. OWASP Mitigating Data Loss Risks (Data Availability) Off site backup Backup to an another Cloud or Region 26
  • 27. OWASP Understand the Employee Risk How can you tell if your cloud provider has careful and trustworthy employees? Ask them! Do backgrounds get checked before people get hired? Do employees receive extensive in-house training? Do employees hold relevant certifications? Do checklists get used for critical operations? Are system administrator actions tracked and auditable on a post hoc basis if there's an anomalous event? Do administrative privileges get promptly removed when employees leave or change their responsibilities?
  • 28. OWASP Mitigating Transparency related issues Your provider should not treat the security practices as a confidential or business proprietary thing Remember: "Trust, but verify." [A proverb frequently quoted by President Reagan during arms control negotiations] Be like Amazon & Microsoft
  • 30. OWASP Additional Cloud Computing Security Resources "AWS Security Whitepaper," http://s3.amazonaws.com/ aws_blog/AWS_Security_Whitepaper_2008_09.pdf "Cloud Computing Security: Raining On The Trendy New Parade," BlackHat USA 2009, www.isecpartners.com/files/Cloud.BlackHat2009-iSEC.pdf “ENISA Cloud Computing Risk Assessment,” November 20th, 2009, www.enisa.europa.eu/act/rm/files/deliverables/ cloud-computing-risk-assessment/at_download/fullReport “Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26,” 10/7/2009, NIST, http://www.csrc.nist.gov/groups/SNS/cloud-computing/ cloud-computing-v26.ppt “Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1,” December 2009, Cloud Security Alliance, http://www.cloudsecurityalliance.org/csaguide.pdf 30