1. How to be safe in the cloud
“AaltoCloud”
• Cloud as a concept
Workshop
• Good to know before using cloud
• Selecting the best suitable cloud
• Using cloud safely
Tomi Järvinen
Aalto-university IT • What Aalto can offer for cloud users
Twitter/tomppaj
2. What is ”Cloud”?
•nothing new, really…
–news groups, IRC, forums, web hosting...
–marketing term, services are now in a fancy, easy to use package
–IBM new product ”Blue Cloud” came 2007 *
•there is no universally accepted definition
–concept or metaphor, which refers to the services available through network
–"only" a concept that combines old and new services
–Cloud conputing Guru Simon Wardley found 67 marketing definitions for Cloud **
accessible
scalable from
“pay only for
everywhere
elastic , dynamic what you use”
resources typically via
browser
* IBM, 2007 http://www-03.ibm.com/press/us/en/pressrelease/22613.wss
** http://www.slideshare.net/CloudCampFRA/simon-wardley-cloud-computing-why-it-matters
Simon Wardley, Cloud Guru, technology thinker, researcher at CSC Leading Edge Forum
4/26
3. ”Cloud” - corporate vs. individual users
• IaaS (Infrastructure as a Service) “IT” is outsourced, customer
pays only for the use.
• PaaS (Platform as a Service) typically software development
using tools and/or libraries from the provider.
• SaaS (Software as a service ) application can be used with
the browser.
– For corporates, e.g. Office 365
– For consumers, e.g. Facebook, Gmail, Twitter
• Today ‘anything as a service' (NaaS, SaaS...)
Definitions depend on the provider (remember, just marketing term...)
4/26
4. Why people like to use Cloud
services?
share.aalto.fi/
Magnificent
new
”DropBox”
service
http://blog.gardeviance.org/2012/07/adoption-cycles.html
4
6. Pros and cons - “consumer tools”
• ready to use/clientless • where is the data?
• scalable • who gets it?
• no IT help needed • provider employees?
• all possible bells and whistles • network traffic?
• low cost , • bottlenecks?
free of charge • privacy policy?
• Data collection and
(not really free, privacy, destruction?
addvertisement..) • terms of service?
• investigation?
(illegal content
,copyright etc.)
• lock-in? *
No Google Maps for Windows Phone 8? http://www.t3.com/news/no-google-maps-for-windows-phone-8
(at the moment 7.1.2013) seems that Maps WILL be available on Windows phone.
6
7. Discussion
• What kind of cloud services are you using?
• Which are the best ones and why?
• Do you have any concerns about cloud services?
15 min
7
8. Part 2
• Good to know before using cloud,
risks, material, providers, other issues
• Selecting the best suitable cloud service
• Using cloud safely
• What Aalto can offer for cloud users
9. Risk is not a question, it is a fact
2006 Major USA credit card processor leaked millions of credit card numbers
http://www.ftc.gov/opa/2006/02/cardsystems_r.shtm
2011 The Register UK Magazine :“Amazon cloud fell from sky”
http://www.theregister.co.uk/2011/04/29/amazon_ec2_outage_post_mortem/
personal details of 77 million PlayStation users leaked
http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-
theft-data-leak
LinkedIn passwords leaked by hackers
http://www.bbc.co.uk/news/technology-18338956
Microsoft Windows Live Hotmail (Four days outage for 17 000)
http://blogs.windows.com/windows_live/b/windowslive/archive/2011/01/03/hotma
il-email-access-issue-now-resolved.aspx
http://datalossdb.org/index/largest
9
10. Privacy costs
Some services are collecting huge amount of data about user. However, the
user does not know what provider is collecting:
• what data is being collected
• for how long the data is stored,
• for what purpose the data is being collected etc.
– and the service provider usually is claiming right to use the data for future
purposes. Sell data to other company in case of acquisition
hardware model, operating system version, unique device identifiers, mobile
network information, details of how you use the service, search queries, phone
number, calling-party number, forwarding numbers, time and date of calls,
duration of calls, SMS routing information and types of calls, system activity,
hardware settings, browser type, browser language, the date and time of your
request and referral URL, migth collect and store information (including personal
information) from your device using mechanisms such as browser and
application data caches…(these are from one service)
10
11. ”Patriot act”, do I have to care?
USA PATRIOT Act (commonly known as the Patriot Act) Law for
fighting against terrorism. Government can ask data from any
USA based company, including data located outside of USA.
(Microsoft, Gmail, Facebook, Dropbox...)
• 1,271 government organizations and 1,931 private companies Wikimedia commons
• 854,000 people have security clearances
• Data “for government use” might end to a third party
Take into consideration if you are working with the goverment,
with something very innovative or when co-operating with external
partners.
http://projects.washingtonpost.com/top-secret-america
http://www.webanalyticsworld.net/2012/03/eu-data-protection-law-and-the-patriot-act-in-the-cloud.html
11
12. Material not suitable for cloud (1/3)
Think about your work and information you are processing!
All the material is not suitable for a public service.
University data,
• study attainments, student evaluations
• research plans, development work
• or, e.g., information which the university is obligated to retain long
term in its records should not be processed using external services
Published intellectual property
• copyright (e.g., digital-rights management, media)
• patent (e.g., designs, processes)•
• trademark (e.g., graphics, URLs, even Logos might need approval)
12
13. Material not suitable for cloud (2/3)
Regulated information
• HR and employment
• medical
• financial
• technology and telecommunications data (usage)
• other regulated information
IT information
• activity and access logs (dynamic monitoring, audits)
• policy, rules, and authorizations (some of those)
• identity and authentication
13
14. Material not suitable for cloud (3/3)
Confidential business information
• trade secrets
• financial, tax, and insurance records
• operations data (e.g., enterprise resource planning, supply-chain
management
• other commercial information (e.g., marketing plans, customer lists,
contracts, IT architecture)
14
15. First: choose the right service (1/3)
• three basic models: Free – Advertisement – Freemium (business)
• free service (often end up to advertisement or freemium model)
• advertisement:, what is the motivation of the service provider?
– money, money, money (Facebook)
• Freemium, light free version, full with paying something (Yammer)
• And, stay focused, service for one purpose usually fits the user needs
better and lasts longer
– users learn how to use
– service does what it is supposed to do
– probably easier to find alternative solution when needed
15
16. First: choose the right service (2/3)
pay attention!
• Documentation, widely used API:s
• standard and multiple formats
• anonymity (option to study without giving personal details to external
marketing company)
• EULA, terms of service, privacy policy (Good or Bad?)
• integration to other same provider services (lock in vs. easy exit)
More information about EULAs:
open community http://tos-dr.info/ ”Terms of service - didn’t read”
16
17. Security is not provider top priority
(3/3)
audit test result
Cloud provider security audit 2011
Context Information Security, 3- 2011; Assessing Cloud Node Security, White paper
http://www.contextis.com/research/white-papers/assessing-cloud-node-security/
17
18. Second: use service wisely (1/2)
• you cannot get anything “back”
• services may claim ownership of the information
• “free” services often collect and disclose information to
third parties such as advertisers or collaboration Trend micro
partners. So, think what you share
• malicious links, think before clicking
• think where you buy from
• "fakeware / scareware“, think before buying
• be accurate, how and what you write
• please do not comment on behalf of
the University, unless it belongs to the job
description :)
• be careful, and specially with Android - >
http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/android-
malware/android-risk-mitigation.aspx
18
19. Second: use service wisely (2/2)
• keep your password / username combination safe, if the worst happens
(serious illness, even death, or matters related to legislation)
• material may be financially or for some other reason valuable
(university or relatives, e.g. script, photos, new 7 brothers:)
• use different password and user id, mnemonic?, software like "KeePass“
http://keepass.info/ for password management
• use "alias", Teemu courseX2012, etc... check if this is not against TOS.
• keep copies of everything on your own computer
• do not accept all friend requests!
• if necessary, clear the browser cache
• only "Sure" way to store files securely is an encryption
http://www.makeuseof.com/tag/5-ways-to-securely-encrypt-your-files-in-the-
cloud/
19
20. Special cloud case, email in the cloud
• actually the biggest real life risk, most incidents are related to email.
• phishing emails/malware on a daily basis
• identity thefts happen (monday mornings, stress, hurry)
• proposals to make money
• With ”SingleSignOn” Aalto-password , access to ALL you data
• Aalto IT will NEVER close your account because of full disk space or
malware, so don’t click those emails.
• Aalto IT will NEVER ask your password, neither by phone nor by email
• You will NEVER get any sanctions about accidental mistakes
If you suspect something, contact immediately Aalto service
desk or security team.
Don’t panic! Don’t be afraid to contact
21. Special case, email
• Actually biggest real life risk
• On daily basis phishing emails
• Identity theft
• Proposals to make money
• SingleSignOn Aalto-password provide access to ALL you data
• IT will NEWER close you account becaouse of full disk space or
malware, so don’t be scared and click those emails.
• IT will NEWER ask your password, not by phone, not by email
• You will NEWER get any sanctions about accidents
If you suspect something contact immediately Servicedesk or Security@aalto.fi
22. Aalto Cloud portal http://Pilvi.aalto.fi
Why we made it:
• Aalto users were asking a lot about various kind of applications and
providers
• Users had concerns
• Questions, which systems could be used for certain needs, policy?
• recommend good/ secure/ reliable/ tested services to Aalto users
Who made it:
• Aalto VIPU team* , Information security team, Aalto Web-team
22
23. http://Pilvi.aalto.fi –
”just use” cloud services for light use
Need is something for light use or for
small group, just choose the
appropriate service and start using!
Grouped by Categories:
•”Web presence”
•collaboration
•file synchronising
•blogging
•media share...
You can also find:
•feedback page
•request form, for a new services
•list about recommended and
approved services
•instructions
23
24. Instructions about heavier use (1/2)
IF the service use involves:
• processing of personal data
• processing of secret material
• processing of bank details
• administration requirements
• requirements for high 24/7 usability
• licences
• large costs
• a large number of users or several units involved
THEN Please, contact the account managers
http://www.aalto.fi/fi/about/contact/services/it/ - “asiakkuuspäälliköt”
24