The Cloud Security Landscape

The Cloud Security Landscape

An Ethical Hacker’s View

Peter Wood
Chief Executive Officer
First•Base Technologies

Who am I ?

Worked in computers and electronics since 1969
1969
Founded First•Base in 1989 (one of the first ethical hacking firms)

- Social engineer & penetration tester
- Conference speaker and security ‘expert’
- Chair of Advisory board at CSA UK & Ireland
- Vice Chair of BCS Information Risk Management and Audit Group
- ISACA Security Advisory Group and Conference Task Force 1989
- Corporate Executive Programme Expert
- IISP Interviewer

- FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
- Registered BCS Security Consultant
- Member of ACM, ISACA, ISSA, Mensa

2 © First Base Technologies 2011

Agenda

• Cloud Computing: Define
• Is Cloud Computing Insecure?
• Cloud Security Guidance
• Q&A


Agenda

• Is Cloud Computing Secure?
• Q&A


Cloud Service Models

• Software (SaaS) - consumer uses a provider’s applications
running on a cloud infrastructure. Consumer does not manage
or control the underlying cloud infrastructure (including
network, servers, operating systems, storage or even
individual application capabilities, with the possible exception
of limited user-specific application configuration settings)
• Platform (PaaS) - consumer uses a provider’s infrastructure
to run their own applications. Consumer does not manage or
control the underlying cloud infrastructure (including network,
servers, operating systems or storage)
• Infrastructure (IaaS) consumer uses a provider’s
infrastructure to run their own applications and operating
systems. Consumer does not manage or control the
underlying cloud infrastructure but has control over operating
systems, storage, deployed applications, and possibly limited
control of select networking components (e.g., host firewalls)


Cloud Deployment Models

• Public Cloud - available to the general public or a large industry
group and owned by an organisation selling cloud services
• Private Cloud - operated for a single organisation. May be
managed by the organisation or a third party and may exist on-
premises or off-premises
• Community Cloud - shared by several organisations and
supports a specific community that has shared concerns (e.g.,
mission, security requirements, policy, or compliance
considerations). May be managed by the organisations or a third
party and may exist on-premises or off-premises
• Hybrid Cloud - composition of two or more clouds (private,
community, or public) that remain unique entities but are bound
together by standardised or proprietary technology that enables
data and application portability (e.g., cloud bursting for load-
balancing between clouds)


Agenda

• Q&A


Not the best approach to cloud


Typical cloud security questions

• Your data is … where?
• Which country?
• Who has access?
• Have staff been vetted?
• How well is it segregated from other users?
• Is it encrypted? Who holds the keys?
• How is it backed up (encrypted? where is it?)
• How is it transmitted (encrypted? authenticated?)
• Have the providers been tested by a reputable third party?


Amrit Williams Blog
Observations of a Digitally Enlightened Mind

• When we allow services to be delivered by a third party,
we lose all control over how they secure and maintain the
health of their environments - and you simply can't
enforce what you can't control.

• The ‘experts’ will tell you otherwise, convince you that
their model is 100 per cent secure and that you have
nothing to fear. Then again, those experts don't lose their
jobs if you fail.

Amrit Williams is CTO at BigFix and was previously a research director in
the Information Security and Risk Research Practice at Gartner, Inc.

http://techbuddha.wordpress.com/


Just a little brainstorm


Agenda

• Q&A


Security Guidance for
Critical Areas of Focus in
Cloud Computing
V2.1 -> V3.0

Cloud Security Alliance

http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page


Risk Assessment

Evaluate your tolerance for moving an asset
to various cloud computing models

• Identify the asset for the cloud deployment
• Evaluate the asset
• Map the asset to potential cloud deployment models
• Evaluate potential cloud service models and providers
• Sketch the potential data flow


Identify the asset

• Determine exactly what data or function is being
considered for the cloud
- This should include potential uses of the asset once it
moves to the cloud to account for scope creep
- Data and transaction volumes are often higher than
expected

• Data and applications don’t need to reside in the same
location; can shift only parts of functions to the cloud
- For example, host application and data in own data
centre, while outsourcing a portion of its functionality
to the cloud through a Platform as a Service


Evaluate the asset

How would we be harmed if:
• the asset became widely public and widely distributed?
• an employee of our cloud provider accessed the asset?
• the process or function were manipulated by an outsider?
• the process or function failed to provide expected results?
• the information/data were unexpectedly changed?
• the asset were unavailable for a period of time?


Map the asset to potential models

• Public
• Private, internal/on-premises
• Private, external (including dedicated or shared
infrastructure)
• Community; taking into account the hosting location,
potential service provider, and identification of other
community members
• Hybrid. To effectively evaluate a potential hybrid
deployment, you must have in mind at least a rough
architecture of where components, functions, and data
will reside


Evaluate models and providers

• In this step focus on the degree of control you’ll have at
each SPI tier to implement any required risk
management
• If you are evaluating a specific offering, at this point
you might switch to a fuller risk assessment
• Your focus will be on the degree of control you have to
implement risk mitigation in the different SPI tiers
• If you already have specific requirements (e.g. for
handling of regulated data) you can include them in the
evaluation


Sketch the potential data flow

• If you are evaluating a specific deployment option, map
out the data flow between your organisation, the cloud
service, and any customers/other nodes
• While most of these steps have been high-level, before
making a final decision it’s absolutely essential to
understand whether, and how, data can move in and out
of the cloud
• If you have yet to decide on a particular offering, you’ll
want to sketch out the rough data flow for any options
on your acceptable list. This is to insure that as you
make final decisions, you’ll be able to identify risk
exposure points.


Conclusions

• Understand the importance of what you are
considering moving to the cloud, your risk
tolerance (at least at a high level), and which
combinations of deployment and service
models are acceptable
• Have a rough idea of potential exposure points
for sensitive information and operations
• These together should give you sufficient
context to evaluate any other security controls
in the Guidance


Agenda

• Q&A


Need more information?

Peter Wood
Chief Executive Officer
First•Base Technologies LLP

peterw@firstbase.co.uk
Twitter: peterwoodx
Blog: fpws.blogspot.com

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

The Cloud Security Landscape

More Related Content

What's hot

Similar to The Cloud Security Landscape

More from Peter Wood

Recently uploaded

The Cloud Security Landscape