Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Bhavani Thuraisingham June 2013

Similar presentations

Presentation on theme: "Dr. Bhavani Thuraisingham June 2013"— Presentation transcript:

1 Dr. Bhavani Thuraisingham June 2013
A Comprehensive Overview of Secure Cloud Computing Dr. Bhavani Thuraisingham June 2013

2 Outline What is Cloud Computing
Cloud Computing Infrastructure Security Cloud Storage and Data Security Identity Management in the Cloud Security Management in the Cloud Privacy Audit and Compliance Cloud Service Providers Security as a Service Impact of Cloud Computing Directions Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers

3 What is Cloud Computing?
Definition SPI Framework Traditional Software Model Cloud Services Delivery Model Deployment Model Key Drivers Impact Governance Barriers

4 Definition of Cloud Computing
Multitenancy - shared resources Massive scalability Elasticity Pay as you go Self provisioning of resources

5 SPI Framework Software as a Service (SAAS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) Several Technologies work together Cloud access devices Browsers and thin clients High speed broad band access Data centers and Server farms Storage devices Virtualization technologies APIs

6 Traditional Software Model
Large upfront licensing costs Annual support costs Depends on number of users Not based on usage Organization is responsible for hardware Security is a consideration Customized applications

7 Cloud Services Delivery Model
SaaS Rents software on a subscription basis Service includes software, hardware and support Users access the service through authorized device Suitable for a company to outsource hosting of apps PaaS Vendor offers development environment to application developers Provide develops toolkits, building blocks, payment hooks IaaS Processing power and storage service Hypervisor is at this level

8 Deployment Models Public Clouds
Hosted, operated and managed by third party vendor Security and day to day management by the vendor Private Clouds Networks, infrastructures, data centers owned by the organization Hybrid Clouds Sensitive applications in a private cloud and non sensitive applications in a public cloud

9 Key Drivers Small investment and low ongoing costs Economies of scale
Open standards Sustainability

10 Impact How are the following communities Impacted by the Cloud?
Individual Customers Individual Businesses Start-ups Small and Medium sized businesses Large businesses

11 Governance Five layers of governance for IT are Network, Storage Server, Services and Apps For on premise hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks For SaaS model all layers are controlled by the vendor For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor

12 Barriers Security Privacy Connectivity and Open access Reliability
Interoperability Independence from CSP (cloud service provider) Economic value IR governance Changes in IT organization Political issues

13 Cloud Computing Infrastructure Security
Infrastructure Security at the Network Level Infrastructure Security at the Host Level Infrastructure Security at the Application Level Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels

14 Security at the Network Level
Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud Ensuring availability of the Internet facing resources of the public cloud used by the organization Replacing the established network zones and tiers with domains How can you mitigate the risk factors?

15 Security at the Host Level
Host security at PaaS and SaaS Level Both the PaaS and SaaS hide the host operating system from end users Host security responsibilities in SaaS and PaaS are transferred to CSP Host security at IaaS Level Virtualization software security Hypervisor security Threats: Blue Pill attack on the hypervisor Customer guest OS or virtual server security Attacks to the guest OS: e.g., stealing keys used to access and manage the hosts

16 Security at the Application Level
Usually it’s the responsibility of both the CSP and the customer Application security at the SaaS level SaaS Providers are responsible for providing application security Application security at the PaaS level Security of the PaaS Platform Security of the customer applications deployed on a PaaS platform Application security at the IaaS Level Customer applications treated a black box IaaS is not responsible for application level security

17 Cloud Storage and Data Security
Aspects of Data Security Data Security Mitigation Provider Data and its Security

18 Aspects of Data Security
Security for Data in transit Data at rest Processing of data including multitenancy Data Lineage Data Provenance Data remnance Solutions include encryption, identity management, sanitation

19 Data Security Mitigation
Even through data in transit is encrypted, use of the data in the cloud will require decryption. That is, cloud will have unencrypted data Mitigation Sensitive data cannot be stored in a public cloud Homomorphic encryption may be a solution in the future

20 Provider Data and its Security
What data does the provider collect – e.g., metadata, and how can this data be secured? Data security issues Access control, Key management for encrypting Confidentiality, Integrity and Availability are objectives of data security in the cloud

21 Identity and Access Management (IAM) in the Cloud
Trust boundaries and IAM Why IAM? IAM challenges IAM definitions IAM architecture and practice Getting ready for the cloud Relevant IAM standards and protocols for cloud services IAM practices in the cloud Cloud authorization management Cloud Service provider IAM practice

22 Trust Boundaries and IAM
In a traditional environment, trust boundary is within the control of the organization This includes the governance of the networks, servers, services, and applications In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well ass organizations Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization Core of the architecture is the directory service which is the repository for the identity, credentials and user attributes

23 Why IAM Improves operational efficiency and regulatory compliance management IAM enables organizations to achieve access cont6rol and operational security Cloud use cases that need IAM Organization employees accessing SaaS se4rvidce using identity federation IT admin access CSP management console to provision resources and access foe users using a corporate identity Developers creating accounts for partner users in PaaS End uses access storage service in a cloud Applications residing in a cloud serviced provider access storage from another cloud service

24 IAM Challenges Provisioning resources to users rapidly to accommodate their changing roles Handle turnover in an organization Disparate dictionaries, identities, access rights Need standards and protocols that address the IAM challenges

25 IAM Definitions Authentication
Verifying the identity of a user, system or service Authorization Privileges that a user or system or service has after being authenticated (e.g., access control) Auditing Exam what the user, system or service has carried out Check for compliance

26 IAM Practice IAMN process consists of the following:
User management (for managing identity life cycles), Authentication management, Authorization management, Access management, Data management and provisioning, Monitoring and auditing Provisioning, Credential and attribute management, Entitlement management, Compliance management, Identity federation management, Centralization of authentication and authorization,

27 Getting Ready for the Cloud
Organization using a cloud must plan for user account provisioning How can a user be authenticated in a cloud Organization can use cloud based solutions from a vendor for IAM (e.g., Symplified) Identity Management as a Service Industry standards for federated identity management SAML, WS-Federation, Liberty Alliance

28 Relevant IAM Standards, Protocols for Cloud
IAM Standards and Specifications for Organizations SAML SPML XACML OAuth (Open Authentication) – cloud service X accessing data in cloud service Y without disclosing credentials IAM Standards and Specifications for Consumers OpenID Information Cards Open Authenticate (OATH) Open Authentication API (OpenAuth)

29 IAM Practices in the Cloud
Cloud Identity Administration Life cycle management of user identities in the cloud Federated Identity (SSO) Enterprise an enterprise Identity provider within an Organization perimeter Cloud-based Identity provider

30 Cloud Authorization Management
XACML is the preferred model for authorization RBAC is being explored Dual roles: Administrator and User IAM support for compliance management

31 Cloud Service Provider and IAM Practice
What is the responsibility of the CSP and the responsibility of the organization/enterprise? Enterprise IAM requirements Provisioning of cloud service accounts to users Provisioning of cloud services for service to service integration’ SSO support for users based on federation standards Support for international and regulatory policy requirements User activity monitoring How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS

32 Security Management in the Cloud
Security Management Standards Security Management in the Cloud Availability Management Access Control Security Vulnerability, Patch and Configuration Management

33 Security Management Standards
Security Manage3ment has to be carried out in the cloud Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002 What are the policies, procedures, processes and work instruction for managing security

34 Security Management in the Cloud
Availability Management (ITIL) Access Control (ISIO, ITIL) Vulnerability Management (ISO, IEC) Patch Management (ITIL) Configuration Management (ITIL) Incident Response (ISO/IEC) System use and Access Monitoring

35 Availability Management
SaaS availability Customer responsibility: Customer must understand SLA and communication methods SaaS health monitoring PaaS availability Customer responsibility ‘PaaS health monitoring IaaS availability IaaS health monitoring

36 Access Control Management in the Cloud
Who should have access and why How is a resources accessed How is the access monitored Impact of access control of SaaS, PaaS and IaaS

37 Security Vulnerability, Patch and Configuration (VPC) Management
How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment What is the impact of VPS on SaaS, PaaS and IaaS

38 Privacy Privacy and Data Life Cycle Key Privacy Concerns in the Cloud
Who is Responsible for Privacy Privacy Risk Management and Compliance ion the Cloud Legal and Regulatory Requirements

39 Privacy and Data Life Cycle
Privacy: Accountability of organizations to data subjects as well as the transparency to an organization’s practice around personal information Data Life Cycle Generation, Use, Transfer, Transformation, Storage, Archival, Destruction Need policies

40 Privacy Concerns in the Cloud
Access Compliance Storage Retention Destruction Audit and Monitoring Privacy Breaches

41 Who is Responsible for Privacy
Organization that collected the information in the first place – the owner organization What is the role of the CSP? Organizations can transfer liability but not accountability Risk assessment and mitigation throughout the data lifecycle Knowledge about legal obligations

42 Privacy Risk Management and Compliance
Collection Limitation Principle Use Limitation Principle Security Principle Retention and Destruction Principle Transfer Principle Accountab9lity Principle

43 Legal and Regulatory Requirements
US Regulations Federal Rules of Civil Procedure US Patriot Act Electronic Communications Privacy Act FISMA GLBA HIPAA HITECH Act International regulations EU Directive APEC Privacy Framework

44 Audit and Compliance Internal Policy Compliance
Governance, Risk and Compliance (GRC) Control Objectives Regulatory/External Compliance Cloud Security Alliance Auditing for Compliance

45 Audit and Compliance Defines Strategy
Define Requirements (provide services to clients) Defines Architecture (that is architect and structure services to meet requirements) Define Policies Defines process and procedures Ongoing operations Ongoing monitoring Continuous improvement

46 Governance, Risk and Compliance
Risk assessment Key controls (to address the risks and compliance requirements) Monitoring Reporting Continuous improvement Risk assessment – new IT projects and systems

47 Control Objectives Security Policy
Organization of information security Asset management Human resources security Physical and environmental security Communications and operations management Access control Information systems acquisition, development and maintenance Information Security incident management Compliance Key Management

48 Regulatory/External Compliance
Sarbanes-Oxley Act PCI DSS HIPAA COBIT What is the impact of Cloud computing on the above regulations?

49 Cloud Security Alliance (CSA)
Create and apply best practices to securing the cloud Objectives include Promote common level of understanding between consumers and providers Promote independent research into best practices Launch awareness and educational programs Create consensus White Paper produced by CSA consist of 15 domains Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization,

50 Auditing for Compliance
Internal and External Audits Audit Framework SAS 70 SysTrust WebTrust ISO certification Relevance to Cloud

51 Cloud Service Providers
Amazon Web Services (IaaS) Google (SaaS, PaaS) Microsoft Azure (SaaS, IaaS) Proofpoint (SaaS, IaaS) RightScale (SaaS) (SaaS, PaaS) Sun Open Cloud Platform Workday (SaaS)

52 Security as a Service Email Filtering Web Content Filtering
Vulnerability Management Identity Management

53 Impact of Cloud Computing
Benefits Low cost solution Responsiveness flexibility IT Expense marches Transaction volume Business users are in direct control of technology decisions Line between home computing applications and enterprise applications will blur Threats Vested interest of cloud providers Less control over the use of technologies Perceived risk of using cloud computing Portability and Lock-in to Proprietary systems for CSPs Lack of integration and componentization

54 Directions Analysts predict that cloud computing will be a huge growth area Cloud growth will be much higher than traditional IT growth Will likely revolutionize IT Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc will work for Cloud Technologies will be enhanced (IaaS, PaaS, SaaS) Security will continue o be a major concern

Download ppt "Dr. Bhavani Thuraisingham June 2013"

Similar presentations

Ads by Google