Notes: Cloud Computing is not a technology. Its all about “sharing”. For a more elaborative definition, please refer to your white paper. :D
Compare it to an OSI modelOperational efficiency increases as you go down the stack/Decreasing CSP’s responsibility as you go down the stackSecurity concerns increase as you go up the stack/Increasing CSP responsibility as you go down the stack
Remember the email server or payroll system that you virtualized? Someone with administrator access to your virtual environment could easily swipe it and all the data without anybody knowing. Stealing a physical server out of a data center is very difficult and is sure to be noticed, stealing a virtual machine (VM), however, can be done from anywhere on your network, and someone could easily walk out with it on a flash drive in their pocket. Virtualization offers many benefits over physical servers, but there are some pitfalls you should be aware of and protect against to avoid losing sensitive data. Because a virtual machine is encapsulated into a single virtual disk file that resides on a virtual host server it is not all that difficult for someone with the appropriate access to make a copy of that disk file and access any of the data on it.
In cloud computing, there are no more data barriers. Separation of data is all logical. How does the CSO assure the consumer that the security is being taken care of, the way it was promised. What is the consumer responsible for?How do the CSPs report on security? Reporting and Management.
NotesThere is no physical separation between data sets of different customers.Point to multi point data in transit is an issue Data at rest possibly not encrypted Key Management – who handles and manages the key? Where is it stored? Data Lineage – Where does the data come from? How does it traverse? Where is it processed? Data Provenance – To prove that processing was done right. If data lineage is not possible, data remanence would be much more difficult to achieve. Data Remenace – To make sure that the data is gone from the cloud. The challenge is in a enterprise environment where 20% of the hard disks crash. How do make sure this data is wiped? How do you prove it to your auditors (who follow NIST) that you have
Does the Cloud Provider have an analytical tool? (e.g. Amazon Cloudwatch)Major IAM functionsIdentity provisioning/deprovisioningAuthenticationFederation (using IdP)AuthorizationIdentity provisioning – onboarding and offboarding users onto the cloud
Reference: Cloud security guidelines CSA
Cloud Computing - Security (BIG Data)
Cloud ComputingSecurity – The BIG Data Vasanth Ganesan MS Telecommunications & Business University of Maryland, College Park
What is Cloud Computing? Its all about “Sharing”
Like with anything new, theprimary concern is security RISKS are ALWAYS there!
Low Cloud Security Concerns High SaaS PaaS IaaS The Stack Operational Efficiency LowHigh
In Brief – “Data”• Trust Boundary• Data Security• Identity and Access Management (IAM)• Privacy Considerations Information Assurance Concerns CSA Security Guidance v2.1
Trust Boundary • Trust Boundaries have changed with cloud computing • Note: Different cloud providers might have different trust boundaries • Data barriers • Need for transparency Governance Enterprise Risk Management Compliance and AuditSource: Cloud Security and Privacy – Tim Mather
Data Security • Provider’s data collection efforts and monitoring of such • Use of encryption – Data in Transit – Data at Rest – Key management is a significant issue • Data lineage • Data provenance • Data remanence Information Lifecycle Management Encryption and Key Management Compliance and AuditSource: Cloud Security and Privacy – Tim Mather
Identity and Access Management • One of the biggest challenges today • Currently inadequate for Enterprises • Access Control tool Identity and Access Management Traditional security Compliance and AuditSource: Cloud Security and Privacy – Tim Mather
Privacy Considerations • Data is no longer static • Transborder data issues may be exacerbated – Privacy laws (inconsistent among different jurisdictions) • Data governance is weak – Encryption is not pervasive – Cloud Providers absolve themselves – Data remanence still is a “?” Information Lifecycle Management Traditional security Compliance and AuditSource: Cloud Security and Privacy – Tim Mather
Then why the Cloud? Lowers Time to TCO MarketFocus on Core ScalabilityBusiness Flexibility
Potential Questions from the Clients• Does the provider hold certifications such as ISO 27001/2, SAS 70? If yes, what is the scope of the certifications?• Does the provider share with the physical location of the servers?• To what extent are storage, memory and other data traces erased from the machines before being reallocated to a different customer? i.e. Data remanence• Does the provider support the data classification scheme used?• How does the provider guarantee isolation of resources from other customers?• Learn from the Cloud service provider (CSP) about key management. Who handles and manages the key?• How does the CSP report on its security management?• Does the CSP have an analytics tool to monitor your cloud?• What are the CSP’s control monitoring processes?• Is your data bound by local jurisdiction?