1. Cloud Security
Reality or Illusion
By: Srinivas Thimmaiah
Date: 11 Mar 2017
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017 1
2. About me
A seasoned Information Security professional, speaker & blogger having around 13+ years of rich and insightful work experience in the areas of Information Security Assurance, Governance, Risk Management, BCM, Supplier Management, Awareness, IT Security, operational excellence and also in influencing team members and management.
CISM, ISO 27001 certified, Cisco certified Information Security & IT Security experienced professional.
4. Cloud Ecosystem
Cloud computing is the delivery of computing services (servers, storage, databases, networking, software, analytics and more) over the Internet ("the cloud").
Source: Microsoft
Characteristics of Cloud Computing:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
5. Cloud Ecosystem
Cloud Service Models
- Infrastructure as a Service (IaaS, "host"): compute, storage and IT infrastructure as a service, rather than as dedicated capability
- Platform as a Service (PaaS, "build"): application platform or middleware as a service on which developers can build and deploy custom applications
- Software as a Service (SaaS, "consume"): end-user applications delivered as a service rather than as on-premises software
7. Cloud Ecosystem
Cloud Deployment Models: Public (others: Private, Community, Hybrid)
- Provisioned for use by the general public
- Exists on the premises of the cloud provider
- May be owned and managed by a business, a government, or a combination
Diagram: many organizations consuming services from public cloud providers such as Google, Zoho, Salesforce, Microsoft, Amazon, Yahoo and Rackspace.
9. Cloud Ecosystem
Cloud Deployment Models: Community (others: Public, Private, Hybrid)
- Provisioned for exclusive use by a specific community of organizations
- May be managed by one or more of the community organizations
- May be managed by a community organization or outsourced
Diagram: a community of organizations sharing one community cloud.
10. Cloud Ecosystem
Cloud Deployment Models: Hybrid (others: Public, Private, Community)
- Combination of two or more distinct cloud infrastructures
Diagram: an organization using both a public cloud and a private cloud.
11. Cloud adoption trends of 2017
Source: RightScale 2016 State of the Cloud Report
[Chart: percentage of respondents adopting Public Cloud, Private Cloud, Hybrid Cloud and Any Cloud, three survey years per category]
13. Cloud Risks
Policy & Organization risks:
- Lock-in
- Loss of governance
- Compliance challenges
- Loss of business reputation due to co-tenant activities
- Cloud service termination or failure
- Cloud provider acquisition
- Supply chain failure
Source: csaguide
14. Cloud Risks
Technical risks:
- Resource exhaustion (under- or over-provisioning)
- Isolation failure
- Cloud provider malicious insider: abuse of high-privilege roles
- Management interface compromise (manipulation, availability of infrastructure)
- Intercepting data in transit
- Insecure or ineffective deletion of data
- Data leakage on upload/download and intra-cloud
- Distributed denial of service (DDoS)
- Economic denial of service (EDoS)
- Loss of encryption keys
- Undertaking malicious probes or scans
- Compromise of server engine
Source: csaguide
15. Cloud Risks
Legal risks:
- Risk from changes of jurisdiction
- Licensing risks
- Data protection risks
- Subpoena and e-discovery
Source: csaguide
16. Cloud Risks
Generic risks:
- Modifying network traffic
- Privilege escalation
- Loss or compromise of security logs
- Network management (i.e., network congestion, mis-connection, non-optimal use)
- Backup lost or stolen
- Unauthorized access to premises
- Natural disaster
- Theft of computer equipment
- Network breaks
- Social engineering attacks
- Loss or compromise of operational logs
Source: csaguide
17. Conclusion
- Effective onboarding process
- Vendor analysis
- Risk management
- Contract management
- Justification for cloud adoption
- Re-visit the services
- Monitoring the services
Source: From Body to Spirit; From Illusion to Reality