Cloud Computing Security


This is a presentation I recently gave at the VCU Cybersecurity Fair on Cloud Computing Security.


  1. VCU Cybersecurity Fair
      • Security in the Cloud
      • Presented by: Bryan Miller
  2. Agenda (10/4/2011, Security in the Cloud)
      • Speaker Introduction
      • What is the “Cloud”
      • SaaS, PaaS, IaaS
      • Public, Private and Hybrid Clouds
      • Vendor Offerings
      • Security Issues
      • Wrap-Up
  3. Speaker Introduction
      • B.S. Information Systems – VCU
      • M.S. Computer Science – VCU
      • President, Syrinx Technologies, 2007
      • Member of ISSA, HIMSS, InfraGard, ILTA
      • Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
      • CISSP, former Cisco CCIE in R/S
      • Published author
      • Over 25 years in the industry
  4. What is the “Cloud”?
      • Convenient, on-demand network access to a shared pool of configurable resources:
          • Networks
          • Servers
          • Storage
          • Applications
          • Services
      • Rapidly provisioned with minimal management effort or service provider interaction (based on NIST)
  5. The NIST Standard for Cloud Computing
      • NIST SP 800-145 definition:
        “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
  6. First, Some Statistics
      • IDC – 2008
          • Security was the factor most likely to discourage the use of cloud computing:
              • 72% of small (<100 employees) businesses
              • 63% of mid-sized (100-199 employees) businesses
      • IDC – 2011
          • 50% of small businesses
          • 47% of mid-sized businesses
  7. • By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
      • By 2012, approximately 20% of businesses will not own any IT resources.
  10. Software as a Service (SaaS)
      • Applications delivered over the web
      • Vendor handles software updates and patches
      • Application Programming Interfaces (APIs) integration among S/W
      • Examples
          • Office 365
  13. Platform as a Service (PaaS)
      • Architectural tools to build systems
      • Platform managed and monitored
      • Web-based user interface tools
      • Examples
          • Google App Engine
          • Microsoft Azure
  17. Infrastructure as a Service (IaaS)
      • Outsource storage, hardware, servers
      • Typically charged on a per-use basis
      • Hardware can be multi-tenant or dedicated
      • Examples
          • Amazon Web Services (AWS)
          • OpenStack
          • Dell
  21. Public vs. Private vs. Hybrid Cloud Models
      • Public
          • Shared resources, usually multi-tenant
          • Off-premise
      • Private
          • Resources dedicated to client
          • On-premise or off-premise
      • Hybrid
          • Combination of on-premise and cloud-based services
          • Growing in popularity as companies slowly transition applications
  22. Vendor Offerings
      • Amazon Web Services EC2 – IaaS
          • Data centers (Regions)
              • Virginia
              • Northern California
              • Ireland
              • Singapore
              • Tokyo
          • Within each region, services are divided into Availability Zones
          • AWS GovCloud – Accessible by US only, allows government agencies to store data
              • Currently used by NASA
  23. • Microsoft Azure – PaaS
          • Windows Azure – OS providing scalable compute and storage facilities
          • Windows SQL Azure – Cloud-based, scalable version of SQL Server
      • OpenStack – IaaS
          • Open source software
          • Over 100 partner companies
              • Rackspace
              • Dell
              • Citrix
              • Cisco
  24. • Dell – IaaS
          • Built on VMware technology (vCloud family of products)
          • Adding support for Azure and OpenStack
          • 3 models:
              • Pay as you go
              • Reserved
              • Dedicated
      • Apple iCloud – SaaS
          • Stores music, photos, applications, calendars, documents
          • 5 GB of free storage
  25. What about SLAs?
      • Take into account the following:
          • Response times
          • Data corruption
          • Service degradation/outage
          • Data breach
          • Backup/Restore issues
          • What happens if the company closes or is sold
          • Regulatory issues
              • HIPAA – do you have a BA agreement in place?
              • PCI – are you sure your provider is compliant?
  26. Security Issues
      • Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
      • The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
      • Prices for EC2 range from 3 cents to $2.48 an hour for users on the East coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
      • Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.
  27. Cloudpocalypse
      • Definition: The point at which cloud computing causes a catastrophic failure.
      • Intellectual property is the lifeblood of an organization.
      • IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
      • How can things go wrong?
          • A salesperson mails himself a report to Gmail for home access.
          • A customer service team uses Dropbox [1] to transfer client files.
          • A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.
      [1] June 2011: Passwords optional for 4 hours, approximately 100 accounts were affected
  28. When the Cloud Dissipates
      • Amazon EC2 Outages
          • July, 2008
              • Affected multiple Availability Zones
              • Affected US and EU
          • April, 2011
              • Affected Reddit, Foursquare, Quora
              • Elastic Block Store went offline (provides mountable disk volumes to EC2)
              • 3 days of outage for some users
              • Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
          • August, 2011
              • Why? Lightning strike in Dublin, Ireland
              • Knocked European cloud services offline for 2 days
              • Affected Netflix, Quora, Foursquare
  29. • Gmail Outages
          • 2008:
              • July 16 – “long outage”
              • August 6 – up to 15 hours
              • August 11 – 2 hours
              • August 15 – up to 24 hours
              • October 16 – 30 hours
          • 2009:
              • February 24 – 2 hours
              • September 1 – 2 hours
          • 2011:
              • February 27 – several hours
              • August 8 – several hours
  30. Wrap-Up
      • Decide if the cloud is appropriate for the given business model
      • Choose the vendor and precisely define the SLA
      • Test thoroughly before moving into production
      • Migrate slowly and carefully watch the metrics
      • Make sure the users/clients are happy
      • Routinely test the backup and restore process
      • Don’t forget about DR and BCP