Hi – 5
Marcus Hogue
Chris Jacobson
Alexandra Korol
Mark Ordonez
Jinjia Xi
Security of Cloud Computing
Topic Overview
• Introduction
• Cloud Basics
• Securing the Cloud
• Leveraging the Cloud
• Final Recommendations
Introduction
• The cloud computing industry is growing
  • According to Gartner, Inc., worldwide cloud services revenue is on pace to surpass $56.3 billion in 2009, a 21.3% increase from 2008 revenue of $46.4 billion. The market is expected to reach $150.1 billion in 2013.
• Businesses are increasing cloud adoption
  • "We expect a great deal of migration towards cloud computing within the federal government in addition to the already robust private sector growth. The growth of the cloud should not outpace our ability to protect the data that goes into it..." ~ Former White House advisor Paul Kurtz, partner with Good Harbor Consulting, LLC
• How can IT leaders ensure security in the
Cloud Basics
• Cloud Characteristics
• Service Models
  • SaaS
  • IaaS
  • PaaS
• Deployment Models
  • Public
  • Private
  • Community
  • Hybrid
Cloud Characteristics
Cloud Service Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Natural Evolution of the Web
Source: Lew Tucker, Introduction to Cloud Computing for Enterprise Users
Four Deployment Models
Securing the Cloud
• Security Interaction Model
• Top Security Threats
• Cloud Provider Security Practices – Google Case Study
Security Interaction Model
Top Security Threats
• Abuse and nefarious use of cloud computing
• Insecure interfaces & APIs
• Unknown risk profile
• Malicious insiders
• Shared technology issues
• Data loss or leakage
• Account or service hijacking
Threat Mitigation

Abuse and nefarious use of cloud computing
• Stricter initial registration and validation processes.
• Enhanced credit card fraud monitoring and coordination.
• Comprehensive introspection of customer network traffic.
• Monitoring public blacklists for one's own network blocks.

Insecure interfaces & APIs
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
• Understand the dependency chain associated with the API.

Unknown risk profile
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details.
• Monitoring and alerting on necessary information.
Threat Mitigation

Malicious insiders
• Enforce strict supply chain management and conduct a comprehensive supplier assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and management practices, as well as compliance reporting.
• Determine security breach notification processes.

Shared technology issues
• Implement security best practices for installation and configuration.
• Monitor the environment for unauthorized changes/activity.
• Promote strong authentication and access control for administrative access and operations.
• Enforce service level agreements for patching and vulnerability remediation.
• Conduct vulnerability scanning and configuration audits.
Threat Mitigation

Data loss or leakage
• Implement strong API access control.
• Encrypt and protect the integrity of data in transit.
• Analyze data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction practices.
• Contractually demand that providers wipe persistent media before it is released into the pool.
• Contractually specify provider backup and retention strategies.

Account or service hijacking
• Prohibit the sharing of account credentials between users and services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.
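The account or service hijacking mitigations above (no credential shared between users and services; proactive monitoring for unauthorized activity) as runnable detection logic over constructed log lines. This is an added example, not code from the presentation; the log format, the sample lines, and the thresholds (three failed logins, a 30-minute window, /24 network grouping) are assumptions made for illustration.

```python
"""Detection logic for two of the account/service hijacking mitigations:
shared credentials between a human user and a service, and unusual
account activity. Added example; log format and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO time, account,
# principal type, source IP, action, result). Not from the slides.
SAMPLE_LOG = """\
2010-04-12T09:01:05Z user=alice type=user src=198.51.100.10 action=login result=ok
2010-04-12T09:03:44Z user=alice type=user src=198.51.100.10 action=api.read result=ok
2010-04-12T09:05:10Z user=billing-svc type=service src=203.0.113.7 action=api.charge result=ok
2010-04-12T09:06:30Z user=alice type=service src=203.0.113.9 action=api.charge result=ok
2010-04-12T09:07:00Z user=bob type=user src=198.51.100.22 action=login result=fail
2010-04-12T09:07:05Z user=bob type=user src=198.51.100.22 action=login result=fail
2010-04-12T09:07:09Z user=bob type=user src=198.51.100.22 action=login result=fail
2010-04-12T09:07:15Z user=bob type=user src=198.51.100.22 action=login result=ok
2010-04-12T09:30:00Z user=bob type=user src=192.0.2.77 action=api.admin result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) type=(?P<kind>user|service) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>ok|fail)$"
)


def parse(log):
    """Parse log lines into event dicts; malformed lines are skipped so one
    bad record cannot stall the monitor."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def shared_credentials(events):
    """Accounts seen both as an interactive user and as a service principal,
    which the mitigation list says should never happen."""
    kinds = defaultdict(set)
    for ev in events:
        kinds[ev["user"]].add(ev["kind"])
    return sorted(u for u, k in kinds.items() if {"user", "service"} <= k)


def network_of(ip):
    """Coarse /24 grouping so a DHCP address change inside one office
    does not trigger a false alert (assumption for the example)."""
    return ".".join(ip.split(".")[:3])


def suspicious_activity(events, window=timedelta(minutes=30), fail_threshold=3):
    """Alerts for (a) a successful login right after fail_threshold or more
    consecutive failures and (b) a successful action from a different network
    than the account's previous success within the window."""
    alerts = []
    last_ok = {}              # user -> (timestamp, network) of last success
    fails = defaultdict(int)  # user -> consecutive failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        u = ev["user"]
        if ev["action"] == "login" and ev["result"] == "fail":
            fails[u] += 1
            continue
        if ev["result"] != "ok":
            continue
        if ev["action"] == "login" and fails[u] >= fail_threshold:
            alerts.append((u, "login-after-failures", ev["src"]))
        fails[u] = 0
        net = network_of(ev["src"])
        prev = last_ok.get(u)
        if prev and prev[1] != net and ev["ts"] - prev[0] <= window:
            alerts.append((u, "new-network-in-window", ev["src"]))
        last_ok[u] = (ev["ts"], net)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("shared credentials:", shared_credentials(evs))
    for alert in suspicious_activity(evs):
        print("alert:", alert)
```

Feeding real authentication logs through `parse` only requires adapting `LINE_RE` to the provider's log format.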
Google Security Practices
• Organizational and Operational Security
• Data Security
• Threat Evasion
• Safe Access
• Privacy
Google Organizational and Operational Security
• Holistic approach to security
• Security team
• Develops with security in mind
• Regularly performs security audits and threat assessments
• Employees screened and trained
• Works with the security community and advisors
Google Data Security
• Google Code of Conduct – “Don’t be evil.”
• Physical security
• Logical security
• Accessibility
• Redundancy
Google Threat Evasion
• Spam and virus protection built into products
• Protects against application & network attacks
Google Safe Access
• Avoids local storage
• Access controls
• Encrypted connections
• Integrated security
Google Privacy
• Privacy policy
• Does not access confidential user data
• Does not alter data
• Customers maintain their own IP rights
• Indemnification, liability
• End of use
Leveraging the Cloud
• Decision Making Process
• Clan Wars Case Study
Decision Making Process
• Identify the asset for cloud deployment
• Evaluate the asset requirements for confidentiality, integrity, and availability
• Map the asset to potential cloud deployment models
• Evaluate potential cloud service models and providers
• Sketch the potential data flow
• Draw conclusions
Case Study: Clan Wars
Company Profile
• Online multiplayer game
• In-browser Flash
• Processes credit card payments
Case Study: Clan Wars
Decision Making Process
• Identified all components as candidates
• Evaluation concluded:
  • Payment = High concern on all factors
  • Game & data = Medium on all factors
• Primary components mapped:
  • Infrastructure (servers, storage, etc.)
  • Payment processing
  • Collaboration
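The six-step decision process above, carried through on the Clan Wars evaluation (Payment = High on all factors, Game & data = Medium on all factors). This is an added example, not the presentation's own material: the candidate deployment options, their assurance levels, the placement and data flow, and the rule that a candidate must meet every factor are illustrative assumptions.

```python
"""Cloud deployment decision helper following the six steps on the slides:
identify assets, rate them for confidentiality/integrity/availability (CIA),
map them to candidate deployment/service models and providers, sketch the
data flow, draw conclusions. Asset ratings follow the Clan Wars case study;
candidates, placement, flows and the every-factor rule are assumptions."""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
FACTORS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # Low / Medium / High requirement
    integrity: str
    availability: str


@dataclass(frozen=True)
class Candidate:
    name: str             # label for a deployment + service model + provider
    deployment: str       # Public / Private / Community / Hybrid
    service: str          # SaaS / PaaS / IaaS
    confidentiality: str  # assurance level the candidate can demonstrate
    integrity: str
    availability: str


def gaps(asset, cand):
    """Factors on which the candidate's assurance is below the requirement."""
    return [f for f in FACTORS
            if LEVELS[getattr(cand, f)] < LEVELS[getattr(asset, f)]]


def map_assets(assets, candidates):
    """Steps 1-4: per asset, which candidates fit and why the others fail."""
    report = {}
    for a in assets:
        report[a.name] = {
            "fits": [c.name for c in candidates if not gaps(a, c)],
            "rejected": {c.name: gaps(a, c) for c in candidates if gaps(a, c)},
        }
    return report


def boundary_crossings(placement, flows):
    """Step 5: flows whose endpoints sit on different candidates cross a
    provider boundary and so need encrypted, integrity-protected transit
    (the data loss mitigation in the threat list)."""
    return [(src, dst) for src, dst in flows if placement[src] != placement[dst]]


def conclude(assets, candidates, placement, flows):
    """Step 6: the plan is acceptable only if every asset is placed on a
    candidate that meets all of its factors. Returns (ok, report, crossings)."""
    report = map_assets(assets, candidates)
    ok = all(placement[a.name] in report[a.name]["fits"] for a in assets)
    return ok, report, boundary_crossings(placement, flows)


# Constructed candidates with illustrative assurance levels (not real providers).
CANDIDATES = [
    Candidate("public-iaas-generic", "Public", "IaaS", "Medium", "Medium", "High"),
    Candidate("public-saas-payments", "Public", "SaaS", "High", "High", "High"),
    Candidate("private-iaas-colo", "Private", "IaaS", "High", "High", "Medium"),
]

# Asset ratings as concluded in the Clan Wars case study.
CLAN_WARS = [
    Asset("Payment processing", "High", "High", "High"),
    Asset("Game and data", "Medium", "Medium", "Medium"),
]

# Constructed placement and data flow: the game calls out to payment processing.
PLACEMENT = {"Payment processing": "public-saas-payments",
             "Game and data": "public-iaas-generic"}
FLOWS = [("Game and data", "Payment processing")]

if __name__ == "__main__":
    ok, report, crossings = conclude(CLAN_WARS, CANDIDATES, PLACEMENT, FLOWS)
    print("acceptable:", ok)
    for asset, r in report.items():
        print(asset, "fits:", r["fits"], "rejected:", r["rejected"])
    print("flows needing protected transit:", crossings)
```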
Case Study: Clan Wars
Data Flow
Case Study: Clan Wars
Conclusion
• Great fit
  • Risk requirements met
  • Data flow supports needs
• Added benefits
  • Low cost (saving ~$500/month)
  • Low maintenance
  • Performance
Final Recommendation
• No universal answer
• Evaluate your security needs versus the capabilities of the provider
Q & A
Supplemental Material
• The sections that follow will not be covered during the presentation but are included for reference.
Rackspace Security Practices
• Physical Security
• System Security
• Operational Infrastructure Security
• Client Application Security
Cloud Consumer Best Practices
Operational Domains
• Traditional Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Management
• Application Security
• Encryption & Key Management
• Identity & Access Management
• Virtualization
Governance Domains
• Governance & Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Life Cycle Management
• Portability and Interoperability

More Related Content

What's hot

CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
Tsc2021 cyber-issues
Tsc2021 cyber-issuesTsc2021 cyber-issues
Tsc2021 cyber-issues
Ernest Staats
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
Jonathan Sinclair
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
Network Security‬ and Big ‪‎Data Analytics‬
Network Security‬ and Big ‪‎Data Analytics‬Network Security‬ and Big ‪‎Data Analytics‬
Network Security‬ and Big ‪‎Data Analytics‬
Allot Communications
 
Microsoft Platform Security Briefing
Microsoft Platform Security BriefingMicrosoft Platform Security Briefing
Microsoft Platform Security Briefingtechnext1
 
Global Cybersecurity Consulting Firm
Global Cybersecurity Consulting FirmGlobal Cybersecurity Consulting Firm
Global Cybersecurity Consulting Firm
wilsonconsulting1
 
Cyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical ServicesCyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical Services
Dave Reeves
 
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Identity-Driven Security with Forsyte I.T. Solutions - Demos and DiscoveryIdentity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Forsyte I.T. Solutions
 
Brochure forcepoint dlp_en
Brochure forcepoint dlp_enBrochure forcepoint dlp_en
Brochure forcepoint dlp_en
Seenee Permal, CISA, CISM
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
Globus
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Cyber Security Management | Cyber Security Consultant | JST Business Solution...
Cyber Security Management | Cyber Security Consultant | JST Business Solution...Cyber Security Management | Cyber Security Consultant | JST Business Solution...
Cyber Security Management | Cyber Security Consultant | JST Business Solution...
Sahabuddin Siddiqui
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Ignyte Assurance Platform
 
Cybersecurity Series SEIM Log Analysis
Cybersecurity Series  SEIM Log AnalysisCybersecurity Series  SEIM Log Analysis
Cybersecurity Series SEIM Log Analysis
Jim Kaplan CIA CFE
 
Office 365 data loss prevention
Office 365 data loss preventionOffice 365 data loss prevention
Office 365 data loss prevention
ssuser1eca7d
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
Chirag Joshi, CISA, CISM, CRISC
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
Vladimir Jirasek
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
Puneet Kukreja
 

What's hot (20)

CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORKCYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
 
Tsc2021 cyber-issues
Tsc2021 cyber-issuesTsc2021 cyber-issues
Tsc2021 cyber-issues
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guide
 
Network Security‬ and Big ‪‎Data Analytics‬
Network Security‬ and Big ‪‎Data Analytics‬Network Security‬ and Big ‪‎Data Analytics‬
Network Security‬ and Big ‪‎Data Analytics‬
 
Microsoft Platform Security Briefing
Microsoft Platform Security BriefingMicrosoft Platform Security Briefing
Microsoft Platform Security Briefing
 
Global Cybersecurity Consulting Firm
Global Cybersecurity Consulting FirmGlobal Cybersecurity Consulting Firm
Global Cybersecurity Consulting Firm
 
Cyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical ServicesCyber Security - Maintaining Operational Control of Critical Services
Cyber Security - Maintaining Operational Control of Critical Services
 
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Identity-Driven Security with Forsyte I.T. Solutions - Demos and DiscoveryIdentity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
 
Brochure forcepoint dlp_en
Brochure forcepoint dlp_enBrochure forcepoint dlp_en
Brochure forcepoint dlp_en
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Cyber Security Management | Cyber Security Consultant | JST Business Solution...
Cyber Security Management | Cyber Security Consultant | JST Business Solution...Cyber Security Management | Cyber Security Consultant | JST Business Solution...
Cyber Security Management | Cyber Security Consultant | JST Business Solution...
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
 
Cybersecurity Series SEIM Log Analysis
Cybersecurity Series  SEIM Log AnalysisCybersecurity Series  SEIM Log Analysis
Cybersecurity Series SEIM Log Analysis
 
Office 365 data loss prevention
Office 365 data loss preventionOffice 365 data loss prevention
Office 365 data loss prevention
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
 

Similar to Novel cloud computingsecurity issues

Top Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptxTop Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptx
SaadZaman23
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
East Midlands Cyber Security Forum
 
Overview of GovCloud Today
Overview of GovCloud TodayOverview of GovCloud Today
Overview of GovCloud Today
GovCloud Network
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
Cloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton RavindranCloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton Ravindran
GSTF
 
Ahearn Cloud Presentation
Ahearn Cloud PresentationAhearn Cloud Presentation
Ahearn Cloud Presentation
johnjamesahearn
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
Happiest Minds Technologies
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azure
Abdul Khan
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
Rolf Frydenberg
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
apidays
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
sarah david
 
CloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security Scaling
Amazon Web Services
 
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
Danny Miller
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night?
Jorge García
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
 

Similar to Novel cloud computingsecurity issues (20)

Top Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptxTop Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptx
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
Overview of GovCloud Today
Overview of GovCloud TodayOverview of GovCloud Today
Overview of GovCloud Today
 
Cloud Computing & Security Concerns
Cloud Computing & Security ConcernsCloud Computing & Security Concerns
Cloud Computing & Security Concerns
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Cloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton RavindranCloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton Ravindran
 
Ahearn Cloud Presentation
Ahearn Cloud PresentationAhearn Cloud Presentation
Ahearn Cloud Presentation
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azure
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
 
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David L...
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
 
CloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security Scaling
 
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night?
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
 

Recently uploaded

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 

Recently uploaded (20)

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Novel cloud computing security issues

  • 15. Threat Mitigation
  Abuse and nefarious use of cloud computing
   Stricter initial registration and validation processes.
   Enhanced credit card fraud monitoring and coordination.
   Comprehensive introspection of customer network traffic.
   Monitoring public blacklists for one's own network blocks.
  Insecure interfaces & APIs
   Analyze the security model of cloud provider interfaces.
   Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
   Understand the dependency chain associated with the API.
  Unknown risk profile
   Disclosure of applicable logs and data.
   Partial/full disclosure of infrastructure details.
   Monitoring and alerting on necessary information.
  • 16. Threat Mitigation
  Malicious insiders
   Enforce strict supply chain management and conduct a comprehensive supplier assessment.
   Specify human resource requirements as part of legal contracts.
   Require transparency into overall information security and management practices, as well as compliance reporting.
   Determine security breach notification processes.
  Shared technology issues
   Implement security best practices for installation and configuration.
   Monitor the environment for unauthorized changes/activity.
   Promote strong authentication and access control for administrative access and operations.
   Enforce service level agreements for patching and vulnerability remediation.
   Conduct vulnerability scanning and configuration audits.
  • 17. Threat Mitigation
  Data loss or leakage
   Implement strong API access control.
   Encrypt and protect the integrity of data in transit.
   Analyze data protection at both design and run time.
   Implement strong key generation, storage, management, and destruction practices.
   Contractually demand that providers wipe persistent media before it is released into the pool.
   Contractually specify provider backup and retention strategies.
  Account or service hijacking
   Prohibit the sharing of account credentials between users and services.
   Leverage strong two-factor authentication techniques where possible.
   Employ proactive monitoring to detect unauthorized activity.
   Understand cloud provider security policies and SLAs.
  • 18. Google Security Practices  Organizational and Operational Security  Data Security  Threat Evasion  Safe Access  Privacy
  • 19. Google Organizational and Operational Security  Holistic approach to security  Security team  Develop with security in mind  Regularly performs security audits and threat assessments  Employees screened, trained  Works with security community and advisors
  • 20. Google Data Security  Google Code of Conduct – “Don’t be evil.”  Physical security  Logical Security  Accessibility  Redundancy
  • 21. Google Threat Evasion  Spam and virus protection built into products  Protects against application & network attacks
  • 22. Google Safe Access  Avoids local storage  Access controls  Encrypted connections  Integrated security
  • 23. Google Privacy  Privacy policy  Does not access confidential user data  Does not alter data  Maintain own IP rights  Indemnification, liability  End of use
  • 24. Leveraging the Cloud  Decision Making Process  Clan Wars Case Study
  • 25. Decision Making Process  Identify the asset for cloud deployment  Evaluate the asset requirements for confidentiality, integrity, and availability  Map the asset to potential cloud deployment models  Evaluate potential cloud service models and providers  Sketch the potential data flow  Draw conclusions
  • 26. Case Study: Clan Wars – Company Profile
   Online multiplayer game
   In-browser Flash
   Processes credit card payments
  • 27. Case Study: Clan Wars Decision Making Process  Identified all components as candidates  Evaluation concluded:  Payment = High concern on all factors  Game & data = Medium on all factors  Primary components mapped:  Infrastructure (Servers, storage, etc)  Payment Processing  Collaboration
  • 28. Case Study: Clan Wars Data Flow
  • 29. Case Study: Clan Wars – Conclusion
   Great fit
   Risk requirements met
   Data flow supports needs
   Added benefits
   Low cost (saving ~$500/month)
   Low maintenance
   Performance
  • 30. Final Recommendation
   No universal answer
   Evaluate your security needs versus the capabilities of the provider
  • 31. Q & A
  • 32. Supplemental Material  The sections that follow will not be covered during the presentation but are included for reference.
  • 33. Rackspace Security Practices  Physical Security  System Security  Operational Infrastructure Security  Client Application Security
  • 34. Cloud Consumer Best Practices
  Operational Domains
  • Traditional Security, Business Continuity, and Disaster Recovery
  • Data Center Operations
  • Incident Management
  • Application Security
  • Encryption & Key Management
  • Identity & Access Management
  • Virtualization
  Governance Domains
  • Governance & Enterprise Risk Management
  • Legal and Electronic Discovery
  • Compliance and Audit
  • Information Life Cycle Management
  • Portability and Interoperability

Editor's Notes

  1. “Worldwide cloud services revenue is on pace to surpass $56.3 billion in 2009, a 21.3 percent increase from 2008 revenue of $46.4 billion, according to Gartner, Inc. The market is expected to reach $150.1 billion in 2013.” Business processes delivered as cloud services are the largest segment of the overall cloud services market, accounting for 83 percent of the overall market in 2008. The segment, consisting of cloud-based advertising, e-commerce, human resources and payments processing, is forecast to grow 19.8 percent in 2009 to $46.6 billion, up from $38.9 billion in 2008. While much of the publicity for cloud computing currently centers on systems infrastructure delivered as a service, this is still an early-stage market. In 2008, such services accounted for only 5.5 percent of the overall cloud services market and are expected to account for 6 percent of the market in 2009. Infrastructure services revenue was $2.5 billion in 2008 and is forecast to reach $3.2 billion in 2009.
  2. General definition – Cloud computing is the delivery of hosting services that are provided to a client over the Internet. Cloud computing is different from traditional hosting because it is on demand: a user can specify how much of the service they want, and the services are completely managed by the provider of the service. http://searchcloudcomputing.techtarget.com/sDefinition/0,,sid201_gci1287881,00.html
  On-demand self-service – The client can allocate resources with no interaction with a person. An example is network storage.
  Broad network access – Resources on the network can be accessed from many different platforms (cell phones, laptops, etc.).
  Resource pooling – The cloud provider pools computing resources to support many customers. Resources can be dynamically assigned based on customer demand. Customers do not know the exact location of resources, but generally know the region. Pooled resources can include, but are not limited to, storage, processing, and network bandwidth. Private clouds are also able to pool resources between separate parts of the same organization.
  Rapid elasticity – Resources can be scaled up or down quickly. This is opaque to the customer, who sees seemingly unlimited resources and can purchase any amount of resources, in any quantity, for any amount of time.
  Measured service – The service that consumers are using is tracked and metered. This allows the cloud to "control and optimize" the resources that customers are leveraging.
  Three implementations of cloud computing – Infrastructure as a Service, Platform as a Service, and Software as a Service, which will be discussed on the next slide. (15) CSA - Security Guidance for Critical Areas of Focus in Cloud Computing v2.1.pdf
  3. CSA, Security Guidance for Critical Areas of Focus in Cloud Computing. There are many different cloud deployment options. This is a popular service model, called the SPI service model. SPI refers to Software as a Service, Platform as a Service, and Infrastructure as a Service, explained in depth in the next slides. Higher layers are built on lower layers; higher abstractions include lower ones.
  IaaS: Customers rent fundamental computing resources from service providers (for example processing, storage, and networks). They are able to run their own operating systems and applications, while they do not need to manage and maintain the hardware. Example: Amazon EC2 provides resizable compute capacity in the cloud.
  PaaS: Customers deploy applications onto the provider's infrastructure. These applications are created using programming languages and tools supported by the provider. Besides the hardware, customers do not manage the operating system. Example: Google App Engine supports two application environments, Java and Python.
  SaaS: Customers use the provider's application, which is accessible over the Internet. Customers only need to control limited user-specific application configuration settings. Example: Salesforce.com offers a CRM application; customers use the CRM system as a web application.
  4. Natural Evolution of the Web. How are new web sites set up traditionally? In general, there are three steps: buy compute and storage (server hardware), build developer platforms, create the application; the output is the web site. How has the cloud changed this process? With cloud computing, a company can easily take a shortcut to build a web site. Some of the potential benefits include cost savings and built-in flexibility.
  5. Regardless of the service model utilized (SaaS, PaaS, or IaaS), there are four deployment models for cloud services that address specific requirements:
  Public Cloud – The cloud infrastructure is made available to any organization. For example, a company may extend its datacenter with Amazon Simple Storage Service, connecting the storage service to the enterprise intranet over a secure VPN. (Both the service provider and the company benefit from economies of scale.)
  6. Private Cloud – If a company has to keep a lot of sensitive information in its datacenter, a public cloud may not be the best approach. A private cloud is usually a pool of resources inside a company, but it may be managed by either the company or a third party. A private cloud offers the benefits and flexibility of the cloud without sacrificing security.
  7. Community Cloud The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). The US Government and NASA created a community cloud for all US government agencies.
  8. Hybrid Cloud The cloud infrastructure is a combination of two or more clouds (private, community, or public) that remain unique entities. The different types of clouds are bound together by standardized or proprietary technology that enables data and application portability.
  9. Investigate provider security practices. Identify gaps between provider and consumer security policies; address as appropriate.
  10. <TODO> Insert brief description of each type of threat
  11. <TODO> Insert example of one of these threats
  12. <TODO> Insert example of one of these threats
  13. <TODO> Insert example of one of these threats
  14. Google takes a holistic approach to security They design security into products, architecture, infrastructure, and systems from the beginning. Google employs a full time security team They develop, document, and implement comprehensive security policies. The team is divided into functional areas: Perimeter defense Infrastructure defense Application defense Vulnerability detection and response The team focuses its efforts on preventative measures, and they respond to other security issues as they arise. …
  15. Google Code of Conduct The corporate culture is security- and user-centric. Physical security Google has a large global network of distributed datacenters. Geographic location of datacenters chosen to provide protection against catastrophic events. Physical access to the datacenters is limited, tightly controlled, and audited. Logical security … Accessibility … Redundancy Multiple levels of redundancy are used to ensure reliability and availability. Google maintains mirrors within a data center, as well as between datacenters.
  16. Spam and virus protection … Application & network attacks …
  17. Avoids local storage … Access controls … Encrypted connections … Integrated security …
  18. Privacy policy … Does not access confidential user data … Does not alter data … Maintain own IP rights … Indemnification, liability … End of use …
  19. Identify the asset for cloud deployment
  Data
  Applications / Functions / Processes
  Evaluate the asset requirements for confidentiality, integrity, and availability. Sample questions to ask include:
  1. How would we be harmed if the asset became widely public and widely distributed?
  2. How would we be harmed if an employee of our cloud provider accessed the asset?
  3. How would we be harmed if the process or function were manipulated by an outsider?
  4. How would we be harmed if the process or function failed to provide expected results?
  5. How would we be harmed if the information/data were unexpectedly changed?
  6. How would we be harmed if the asset were unavailable for a period of time?
  Map the asset to potential cloud deployment models
  Public
  Private, internal
  Private, external
  Community
  Hybrid
  Evaluate potential cloud service models and providers
  Service models: SaaS, IaaS, PaaS
  Providers: Google, Amazon, Microsoft, Rackspace
  Sketch the potential data flow
  Map the data flow between the organization, the cloud, and other entities (e.g. customer, vendor, etc.)
  Before making a decision, it is important to understand whether, and how, data can move in and out of the cloud
  Draw conclusions
  20. Since the game is multiplayer and browser-based, there is a high risk of users attempting to modify the data stream. The concern grows when credit card data may be involved in the process.
  21. As the company was starting from scratch, all components were considered as cloud candidates. The evaluation showed that the payment system was the highest concern. If the game were hacked in any way, we would restore from backup (and process refunds if needed). The primary components were infrastructure, payment processing, and tools for collaborating internally (such as Google Apps, Dropbox, etc.).
  22. The user begins a session by browsing to the website, where they are directed to one of two web servers via DNS round-robin load balancing. Once the user initiates the game, the Flash client (SWF files) is downloaded from the CDN and begins communicating with the Java application servers via an AMF gateway to the Tomcat application server. Payments happen via the web tier and are processed directly by PayPal through calls to its API, rather than by Clan Wars' web servers. The general process is:
  1. Clan Wars tells PayPal "User X wants to make a payment to us for $Y"
  2. PayPal handles the transaction
  3. PayPal returns a succeed/fail code for the transaction
  4. Clan Wars approves the transaction and the customer receives the item they are paying for.
  At no step in the process does the credit card information reside on Clan Wars' servers.
  23. Usage-based billing – the primary benefit is cost:
  Cost of cloud servers ~$320/month
  Cost of CDN ~$100/month
  Cost of traditional servers ~$875/month
  Maintenance benefits:
  Backup/snapshots
  Resize servers
  Clone servers
  Data redundancy (RAID 0+1)
  No concerns about maintaining regional file servers
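The four-step payment flow in note 22, and the note 20 concern that browser-side users will modify the data stream, come together in one server-side check: the merchant must release the item only after a result it can authenticate, tied to an order it created itself, for the amount it expected. The following is an added illustration, not Clan Wars' code and not PayPal's API. It stands in a hypothetical processor that returns the result as a record signed with a shared secret (HMAC-SHA256); `SHARED_SECRET`, `processor_result`, `Merchant` and the field names are all constructed for the example. The design invariant from the note, that card data never reaches the merchant, is enforced rather than assumed.

```python
"""Merchant side of a hosted-payment flow: create the order, verify the signed result, fulfil.

Added example; not Clan Wars' code and not PayPal's API. The processor is hypothetical
and signs its result with a shared secret. Standard library only.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict

SHARED_SECRET = b"constructed-demo-secret"  # constructed; a real one is provisioned out of band
RESULT_FIELDS = ("order_id", "txn_id", "amount_cents", "status")


def _canonical(result: dict) -> bytes:
    """Stable bytes to sign: fixed field set, sorted keys, no whitespace."""
    body = {k: result.get(k) for k in RESULT_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def processor_result(secret: bytes, order_id: str, txn_id: str, amount_cents: int, status: str) -> dict:
    """What the (hypothetical) processor returns after handling the card: step 3.
    It signs what it actually charged, which is not necessarily what the merchant asked for."""
    result = {"order_id": order_id, "txn_id": txn_id, "amount_cents": amount_cents, "status": status}
    result["sig"] = hmac.new(secret, _canonical(result), hashlib.sha256).hexdigest()
    return result


@dataclass
class Order:
    player: str
    item: str
    amount_cents: int
    status: str = "pending"


class Merchant:
    """Clan Wars' side of the flow: steps 1 and 4."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._orders: Dict[str, Order] = {}

    def start_payment(self, player: str, item: str, amount_cents: int) -> dict:
        """Step 1: record the intent under an unguessable order id and build the
        request for the processor. No card details are collected here."""
        order_id = secrets.token_hex(16)
        self._orders[order_id] = Order(player, item, amount_cents)
        return {"order_id": order_id, "amount_cents": amount_cents}

    def complete_payment(self, result: dict) -> str:
        """Steps 3-4: authenticate the result, then fulfil or decline.
        Returns 'fulfilled', 'declined', or a 'rejected: ...' reason."""
        if "card_number" in result or "cvv" in result:
            # Design invariant: card data must never land on these servers.
            return "rejected: card data must not reach the merchant"
        if not all(k in result for k in RESULT_FIELDS) or "sig" not in result:
            return "rejected: malformed result"
        expected = hmac.new(self._secret, _canonical(result), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(result["sig"]).encode(), expected.encode()):
            return "rejected: bad signature"  # forged, or edited after signing
        order = self._orders.get(result["order_id"])
        if order is None or order.status != "pending":
            return "rejected: unknown or already settled order"  # replayed result
        if result["amount_cents"] != order.amount_cents:
            # Genuinely signed, but the browser changed the price on its way to
            # the processor: a $0.01 charge must not release a $4.99 item.
            return "rejected: amount mismatch"
        if result["status"] != "succeeded":
            order.status = "declined"
            return "declined"
        order.status = "fulfilled"
        return "fulfilled"


if __name__ == "__main__":
    shop = Merchant(SHARED_SECRET)
    req = shop.start_payment("alice", "gold_pack", 499)
    ok = processor_result(SHARED_SECRET, req["order_id"], "txn-0001", 499, "succeeded")
    print(shop.complete_payment(ok), shop.complete_payment(ok))
```

The amount check is the one most often missing in real integrations: the signature proves the processor produced the record, not that the record matches the order, and on a hosted checkout the browser is what carried the price to the processor.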
  24. “Close the Gap”
  25. Physical Security
  Limited access to data centers
  Biometric scanning and access-card entry to the datacenter
  Visual monitoring via security cameras
  Auditing by an independent firm
  All employees have a background screening before being hired
  System Security
  Systems run a secure OS that always has the latest patches
  Firewall and VPN access
  Users can get an optional IDS
  Operational Security
  Employee training on data and privacy policies
  All system access is logged and audited
  Follows ISO 17799 security policies and procedures
  Application Security
  Passwords are stored encrypted and transmitted encrypted
  Random initial passwords
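The two application-security items above, stored passwords and random initial passwords, are worth pinning down, because "stored encrypted" is the claim a reviewer should probe: an encrypted password table can be decrypted by whoever holds the key, whereas the practice a practitioner looks for is a per-user random salt plus a deliberately slow one-way hash. The following is an added example, not Rackspace's code, using only the Python standard library (PBKDF2-HMAC-SHA256); the iteration count and the record format are assumptions chosen for the illustration.

```python
"""Issuing and storing account passwords for a hosted service.

Added example, not Rackspace's code. Standard library only. PBKDF2_ITERATIONS and the
scheme$iterations$salt$digest record layout are assumptions for this illustration.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed; raise until one hash costs roughly 100 ms on the servers
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def random_initial_password(length: int = 16) -> str:
    """Initial password drawn from the CSPRNG (`secrets`), never from random.random()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.
    Storing the parameters with the record lets the cost be raised later
    without a flag day; the salt makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iterations_s, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_s)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made under weaker parameters than current policy.
    Call after a successful login and re-hash with the plaintext just verified."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    first = random_initial_password()
    record = hash_password(first)
    print(first, record, verify_password(first, record), verify_password("guess", record))
```

The transmitted-encrypted half of the slide's claim is the TLS connection and is not repeated here; the point of the block is that nothing stored can be turned back into the password, by the operator or by whoever steals the table.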