Cloud security and privacy

“Head in the clouds, feet on the 
ground ‐ the business side of 
security in the cloud”  
Subra Kumaraswamy 
subra.k@gmail.com 
Twi=er ‐ @Subrak  

Dec 07, 2009  www.securityforum.org Cloud ISF 20th Annual World Subra Kumaraswamy
Security and privacy – Congress 2009 1 
Copyright © 2009 Information Security Forum Limited 1

Cloud Computing: Evolution

www.securityforum.org Cloud ISF 20th Annual World Subra Kumaraswamy
Security and privacy – Congress 2009 Copyright © 2009 Information Security Forum Limited 2
2

5 Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
- Location independence
• Rapid elasticity
• Measured service


3

3 Cloud Service Models
• Cloud Software as a Service (SaaS)
- Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
- Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
- Rent processing, storage, network capacity, and other
fundamental computing resources
• To be considered “cloud” they must be deployed on top
of cloud infrastructure that has the key characteristics


4

Cloud Pyramid of Flexibility

5

4 Cloud Deployment Models
• Private cloud
- enterprise owned or leased
• Community cloud
- shared infrastructure for specific community
• Public cloud
- Sold to the public, mega-scale infrastructure
• Hybrid cloud
- composition of two or more clouds


6

The Cloud: How are people using it?

7

Changing IT Relationships


What Not a Cloud?

9

Focusing the Security Discussion
IaaS, Hybrid,
Application Domains
HPC/
SaaS, Analytics
Public,
CRM

Private
Software as a Service

Hybrid
Public
XaaS Layers

Platform as a Service

Infrastructure as a Service
IaaS, Public,
Transcoding


Components of Information Security

Encryption, Data masking, Content protection

Application-level
Host-level
Network-level


Analyzing Cloud Security
• Some key issues:
- Trust, multi-tenancy, encryption, key management
compliance
• Clouds are massively complex systems can be
reduced to simple primitives that are replicated
thousands of times and common functional units
• Cloud security is a tractable problem
- There are both advantages and challenges


Balancing Threat Exposure and Cost
Effectiveness
• Private clouds may have less threat exposure than
community or hosted clouds which have less threat
exposure than public clouds.
• Massive public clouds may be more cost effective
than large community clouds which may be more cost
effective than small private clouds.


General Security Advantages
• Democratization of security capabilities
• Shifting public data to a external cloud reduces
the exposure of the internal sensitive data
• Forcing functions to add security controls
• Clouds enable automated security management
• Redundancy / Disaster Recovery


General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control


Infrastructure Security
Trust boundaries have moved
• Specifically, customers are unsure where those trust
boundaries have moved to
• Established model of network tiers or zones no
longer exists
- Domain model does not fully replicate previous
model
• No viable (scalable) model for host-to-host trust
• Data labeling/tagging required at application-level
- Data separation is logical, not physical
Security and privacy – Congress 2009 Copyright © 2009 Information Security Forum Limited
16
16

Data Security
• Provider’s data collection efforts and monitoring
of such (e.g., IPS, NBA)
• Use of encryption
— Point-to-multipoint data-in-transit an issue

— Data-at-rest possibly not encrypted
— Data being processed definitely not encrypted

— Key management is a significant issue

— Advocated alternative methods (e.g., obfuscation,
redaction, truncation) are not adequate
• Data lineage, provenance
• Data remanence
17
17

Identity and Access Management (IAM)
Generally speaking, poor situation today:
• Provisioning of user access is proprietary to
provider
• Strong authentication available only through
delegation
• Federated identity widely not available
• User profiles are limited to “administrator” and
“user”
• Privilege management is coarse, not granular
18
18

Privacy Considerations
Transborder data issues may be exacerbated
• Specifically, where are cloud computing activities
occurring?

Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• CSPs absolve themselves of privacy concerns:
“We don’t look at your data”

19
19

Audit & Compliance Considerations
• Effectiveness of current audit frameworks
questionable (e.g., SAS 70 Type II)

• CSP users need to define:
- their control requirements
- understand their CSP’s internal control
monitoring processes
- analyze relevant external audit reports

• Issue is assurance of compliance
20
20

Impact on Role of Corporate IT
• Governance issue as internal IT becomes
“consultants” and business analysts to business
units
• Delineation of responsibilities between
providers and customers much more nebulous
than between customers and outsourcers,
collocation facilities, or ASPs
• Cloud computing likely to involve much more
direct business unit interaction with CSPs than
with other providers previously
21
21

Getting Ready – IT Security
• Governance framework that can be aligned with partners
• Federation of Identity, strong authentication, privileged
access and key management
• Classification of data and privacy policy for data in cloud
• Security Automation – Image standardization, user/
network policy template
• Understand the cloud service provider security
architecture, SLA, policies, security feature and interfaces
• Understand the ephemeral nature of compute and storage
cloud and plan for archival of security logs

Conclusions
• Part of customers’ infrastructure security
moves beyond their control
• Provider’s infrastructure security may
(enterprise) or may not (SMB) be less robust
than customers’ expectations
• Data security becomes significantly more
important – yet provider capabilities are
inadequate (except for simple storage which can
be encrypted, and processing of non-sensitive
(unregulated and unclassified) data
23
23

Conclusions (continued)
• IAM is less than adequate for enterprises – weak
management of weak credentials unless
(authentication) delegated back to customers

• Because of above, expect significant business unit
pressure to desensitize or anonymize data;
expect this to become a chokepoint
- No established standards for obfuscation,
redaction, or truncation

24
24

Conclusions (continued)
• Relationship between business units and
corporate IT departments vis-à-vis CSPs will shift
greater power to business units from IT

• Number of functions performed today by
corporate IT departments will shift to CSPs,
along with corresponding job positions

25
25

What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for
handling of non-sensitive (unregulated and
unclassified) data

• Cost

• Flexibility
• Scalability

• Speed
26
26

Thank you 
subra.k@gmail.com 
Twi=er ‐ @subrak  

Disclaimer  
The views and opinions expressed during this conference are those of the speakers and do not necessarily reﬂect the views and 
opinions held by Sun Microsystems.  Nothing in this conference should be construed as professional or legal advice or as creaGng a 
professional‐customer or a=orney‐client relaGonship.  If professional, legal, or other expert assistance is required, the services of a 
competent professional should be sought. 

Dec 7th, 2009  www.securityforum.org Cloud ISF 20th Annual World Subra Kumaraswamy
Security and privacy – Congress 2009 27 
Copyright © 2009 Information Security Forum Limited 27

Cloud security and privacy

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (14)

Similar to Cloud security and privacy

Similar to Cloud security and privacy (20)

Recently uploaded

Recently uploaded (20)

Cloud security and privacy