Fundamentals of Cloud & Cloud Security
Viresh Suri
GlobalLogic
16th December 2015 | Delhi
Innerve - 2015

Cloud computing and Cloud security fundamentals

Presentation on Cloud Computing and Cloud Security fundamentals

Published in: Technology


  1. Fundamentals of Cloud & Cloud Security. Viresh Suri, GlobalLogic. 16th December 2015 | Delhi. Innerve - 2015
  2. Fundamentals of CLOUD COMPUTING
  3. What is Cloud Computing?
  4. Evolution of IT Computing Models
     http://mydocumentum.wordpress.com/2011/05/14/monday-may-9-2011/
  5. The NIST Definition of Cloud Computing
     Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
     National Institute of Standards and Technology (NIST), www.nist.gov
  6. Cloud Computing Taxonomy - NIST
     http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
  7. Service Models
     • Private (On-Premise)
     • Infrastructure (as a Service)
     • Platform (as a Service)
     • Software (as a Service)
     Layers shown for each model: Storage, Server HW, Networking, Servers, Databases, Virtualization, Runtimes, Applications, Security & Integration
     Legend: Managed by you / Managed by vendor
  8. Virtualization – The Cloud Backbone: Hypervisor
  9. Cloud Architecture
  10. What is driving Cloud adoption?
  11. Enterprise challenges
      • Speed of provisioning constrains business execution
      • Disaster Recovery, Fault Tolerance, High Availability
      • Existing hardware has reached end of serviceable life
      • Datacenter capacity limits are being reached
      • Applications & processes have variable demand
      • High Maintenance Costs
      • Software License Costs
  12. How Cloud helps …
      • Elastic Capacity
      • Infinitely Scalable (Almost)
      • Quick and Easy Deployment
      • Provisioning in Minutes
      • Business Agility
      • No CapEx, only OpEx; fine-grained billing (hourly)
      • Pay as You Go
      • Leverage Global Scalability & DR
      • Be Free from IT Management Hassles
      • Metering, Monitoring, Alerts
  13. Cloud Challenges
      • Legal & Compliance
      • Security
      • Lack of Standards, Compatibility
      • Reliability & Performance
  14. A Snapshot of Cloud Providers
  15. Holistic Migration Process
      Cloud Assessment
      • Cost Analysis
      • Security & Compliance
      • Migration Tools
      • Application Compatibility
      • Defining Success Criteria
      Cloud Platform Validation
      • Understand a particular platform
      • Platform capabilities
      • Services Offered
      • Security considerations
      • Pricing
      • Build POCs
      • Compatibility issues
      • Identify Migration tools
      Data Migration
      • DB Options & Management
      • Storage Options
      • HA & DR support
      • Migration Tools
      • Backup / Restore points
      • Define success criteria
      Application Migration
      • Full Migration
      • Partial Migration
      • Run in parallel
      • Integration with On-Premise systems
      • Integration tools & Management
      • Create / Identify images to be used
      Cloud Deployment
      • Configure Auto-Scaling
      • Monitoring & Notifications
      • Security Configuration
      • Dashboards for resource management
      • Business Continuity Planning
      Cloud Optimization
      • Cost Saving Opportunities
      • Analyze usage patterns
      • Application Performance Tuning
  16. Public v/s Private Cloud Decision
      Key Question: Private Cloud Preferable / Public Cloud Preferable
      • Demand: Constant / Variable
      • Growth: Predictable / Unpredictable
      • Users: Concentrated / Dispersed
      • Customization: High / Minimal to none
      • Data Privacy & Security: Stringent Requirement / Moderate Requirement
      • Performance: Very High / Moderate to High
  17. Fundamentals of CLOUD SECURITY
  18. Important Points to know
      Top cyberattack methods aimed at cloud deployments grew 45 per cent (Application Attacks), 36 per cent (Suspicious Activity) and 27 per cent (Brute Force attacks) respectively over the previous year, while top attacks aimed at on-premises deployments remained relatively flat.
      Read more: http://www.itproportal.com/2015/11/16/interview-charting-the-cloud-security-landscape/#ixzz3uT1S7EQ8
      As per 2014 KPMG Cloud Security Report:
      • When it comes to selecting a cloud solution, Security is the no. 1 concern
      • Compared to 2012 survey, security and data privacy are greater concerns than cost efficiency
      • Security is a lesser challenge now, compared to 2012. Cloud providers better prepared to secure data, and manage security breaches when they occur
  19. CSA’s “Notorious 9” Security Threats
      • Data Breaches
      • Data Loss
      • Account or Service Hijacking
      • Insecure APIs
      • Denial of Service
      • Malicious Insiders
      • Abuse of Cloud Services
      • Insufficient Due Diligence
      • Shared Technology
  20. Key Security Considerations in a Public Cloud
  21. Network Security
      • Built-in firewalls, control of network access to instances and subnets
      • Private / Dedicated Connectivity options from office / on-premises environments
      • Encryption in transit
      • DDoS mitigation
  22. Configuration Management
      • Inventory and Configuration Management tools to identify resources, and to track and manage them
      • Template definition and management tools to create standard / pre-configured VMs
      • Deployment Tools to manage creation and decommissioning of resources as per org. standard
  23. Data Encryption
      • Available for data at rest in Storage services
      • Flexible Key Management options, including Cloud Managed keys / self-managed keys
      • Hardware based cryptographic key storage options
      • APIs for you to integrate encryption and data protection with any service developed / deployed on the cloud
  24. Access Control
      • Capabilities to define, enforce and manage user access policies across services
      • Identity and Access Management
      • Multifactor authentication, including hardware based authentication options
      • Integration and federation with corporate directories
  25. Monitoring and Logging
      • Deep visibility into API calls, including Who? What? When? From Where?
      • Log aggregation, streamlining investigations, compliance reporting
      • Alert notifications
  26. Cloud Security Landscape
      http://www.josephfloyd.com/blog/cloud-security-landscape
  27. Cloud Security Comparison
      http://fortycloud.com/iaas-security-state-of-the-industry/
  28. The Road Ahead
      • Clouds are more prone to security attacks than on-prem deployments
      • Doesn’t mean that those attacks are successful
      • Cloud Providers are better enabled to handle security now
      • 2016 will be the first year when people choose cloud because of security benefits, and not elasticity / cost
      • However, stay cautious! More serious attacks could be expected as well
  29. Security in AWS
  30. Standards Supported: GxP, ISO 13485, AS9100, ISO/TS 16949
  31. Shared Responsibility
      • AWS Foundation Services: Compute, Storage, Database, Networking
      • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
      • Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network, & Firewall Configuration; Customer applications & content
  32. AWS CloudTrail
      CloudTrail records API calls on services, delivers detailed logs
      Use Cases supported:
      • Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
      • Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
      • Troubleshoot Operational Issues: Identify the most recent actions made to resources in your AWS account
      • Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards
  33. AWS Config
      AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
      Use Cases:
      • Am I safe?: Continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses
      • Where is the evidence?: A complete inventory of all resources and their configuration attributes is available for any point in time
      • What will this change affect?: Relationships between resources are understood, so that you can proactively assess change impact
      • What has changed?: You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
  34. AWS Key Management Service
      • A managed service that makes it easy for you to create, control, and use your encryption keys
      • Centralized view of all key usage in the organization
      • Uses HSMs to protect key security
      • Integrated with AWS CloudTrail to provide logs for all key usage for regulatory and compliance requirements
  35. AWS IAM
      • Centrally manage users, security credentials such as passwords, access keys, permissions, policies that control which AWS services and resources users can access
      • Allows creation of multiple AWS users, each with their own user name, password and access keys
  36. AWS CloudHSM
      • Allows protection of encryption keys within HSMs designed and validated to government standards for secure key management
      • Cryptographic keys can be generated, managed and stored such that they are accessible only by you
      • Allows regulatory compliance without compromising on application performance
      • CloudHSM instances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances
  37. AWS VPC
      • Allows provisioning of logically isolated section of AWS cloud, where AWS resources can be launched in a virtual network defined by you
      • You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways
      • You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet
      • Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
  38. AWS WAF
      • AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
      • Gives you control over which traffic to allow or block to your web application by defining customizable web security rules.
      • You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.
      • New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
  39. AWS Inspector (Preview)
      • Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
      • Automatically assesses applications for vulnerabilities or deviations from best practices.
      • After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.
      • Includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g. PCI DSS) and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.
  40. viresh.suri@globallogic.com
      http://www.linkedin.com/in/vireshsuri
      Thank You
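
The "Who? What? When? From Where?" questions on the Monitoring and Logging slide and the "Track Changes to AWS Resources" use case on the CloudTrail slide, as an added example that is not part of the presentation: a Python triage over constructed records in the CloudTrail log-file layout. Field names follow CloudTrail's record format; the sample identities, addresses, group id and the change-prefix list are assumptions.

```python
import json

# Constructed sample in the CloudTrail log-file layout: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-12-16T09:14:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2015-12-16T09:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-12-16T09:31:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.50",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

# Event-name prefixes treated as resource changes (an assumption; tune per service).
CHANGE_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke", "Run", "Terminate")

def opens_to_world(record):
    """True if a security-group ingress rule admits any IPv4 source."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ((record.get("requestParameters") or {}).get("ipPermissions") or {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in (p.get("ipRanges") or {}).get("items", []))

def triage(log_text):
    """Return who/what/when/where for each change event, with review flags."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if not rec.get("eventName", "").startswith(CHANGE_PREFIXES):
            continue  # read-only calls (Describe*, List*, Get*) are skipped
        ident = rec.get("userIdentity") or {}
        findings.append({
            "who": ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown"),
            "what": f'{rec.get("eventSource")}:{rec["eventName"]}',
            "when": rec.get("eventTime"),
            "where": rec.get("sourceIPAddress"),
            "failed": "errorCode" in rec,       # the call was attempted but rejected
            "world_open": opens_to_world(rec),  # ingress allowed from 0.0.0.0/0
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
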
