Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Bhavani Thuraisingham June 2013 A Comprehensive Overview of Secure Cloud Computing.

Similar presentations

Presentation on theme: "Dr. Bhavani Thuraisingham June 2013 A Comprehensive Overview of Secure Cloud Computing."— Presentation transcript:

1 Dr. Bhavani Thuraisingham June 2013 A Comprehensive Overview of Secure Cloud Computing

2 Outline l What is Cloud Computing l Cloud Computing Infrastructure Security l Cloud Storage and Data Security l Identity Management in the Cloud l Security Management in the Cloud l Privacy l Audit and Compliance l Cloud Service Providers l Security as a Service l Impact of Cloud Computing l Directions l Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers

3 What is Cloud Computing? l Definition l SPI Framework l Traditional Software Model l Cloud Services Delivery Model l Deployment Model l Key Drivers l Impact l Governance l Barriers

4 Definition of Cloud Computing l Multitenancy - shared resources l Massive scalability l Elasticity l Pay as you go l Self provisioning of resources

5 SPI Framework l Software as a Service (SAAS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) l Several Technologies work together - Cloud access devices - Browsers and thin clients - High speed broad band access - Data centers and Server farms - Storage devices - Virtualization technologies - APIs

6 Traditional Software Model l Large upfront licensing costs l Annual support costs l Depends on number of users l Not based on usage l Organization is responsible for hardware l Security is a consideration l Customized applications

7 Cloud Services Delivery Model l SaaS - Rents software on a subscription basis - Service includes software, hardware and support - Users access the service through authorized device - Suitable for a company to outsource hosting of apps l PaaS - Vendor offers development environment to application developers - Provide develops toolkits, building blocks, payment hooks l IaaS - Processing power and storage service - Hypervisor is at this level

8 Deployment Models l Public Clouds - Hosted, operated and managed by third party vendor - Security and day to day management by the vendor l Private Clouds - Networks, infrastructures, data centers owned by the organization l Hybrid Clouds - Sensitive applications in a private cloud and non sensitive applications in a public cloud

9 Key Drivers l Small investment and low ongoing costs l Economies of scale l Open standards l Sustainability

10 Impact l How are the following communities Impacted by the Cloud? l Individual Customers l Individual Businesses l Start-ups l Small and Medium sized businesses l Large businesses

11 Governance l Five layers of governance for IT are Network, Storage Server, Services and Apps l For on premise hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks l For SaaS model all layers are controlled by the vendor l For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor l For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor

12 Barriers l Security l Privacy l Connectivity and Open access l Reliability l Interoperability l Independence from CSP (cloud service provider) l Economic value l IR governance l Changes in IT organization l Political issues

13 Cloud Computing Infrastructure Security l Infrastructure Security at the Network Level l Infrastructure Security at the Host Level l Infrastructure Security at the Application Level l Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels

14 Security at the Network Level l Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider l Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud l Ensuring availability of the Internet facing resources of the public cloud used by the organization l Replacing the established network zones and tiers with domains l How can you mitigate the risk factors?

15 Security at the Host Level l Host security at PaaS and SaaS Level - Both the PaaS and SaaS hide the host operating system from end users - Host security responsibilities in SaaS and PaaS are transferred to CSP l Host security at IaaS Level - Virtualization software security l Hypervisor security l Threats: Blue Pill attack on the hypervisor - Customer guest OS or virtual server security l Attacks to the guest OS: e.g., stealing keys used to access and manage the hosts

16 Security at the Application Level l Usually it’s the responsibility of both the CSP and the customer l Application security at the SaaS level - SaaS Providers are responsible for providing application security l Application security at the PaaS level - Security of the PaaS Platform - Security of the customer applications deployed on a PaaS platform l Application security at the IaaS Level - Customer applications treated a black box - IaaS is not responsible for application level security

17 Cloud Storage and Data Security l Aspects of Data Security l Data Security Mitigation l Provider Data and its Security

18 Aspects of Data Security l Security for - Data in transit - Data at rest - Processing of data including multitenancy - Data Lineage - Data Provenance - Data remnance l Solutions include encryption, identity management, sanitation

19 Data Security Mitigation l Even through data in transit is encrypted, use of the data in the cloud will require decryption. - That is, cloud will have unencrypted data l Mitigation - Sensitive data cannot be stored in a public cloud - Homomorphic encryption may be a solution in the future

20 Provider Data and its Security l What data does the provider collect – e.g., metadata, and how can this data be secured? l Data security issues - Access control, Key management for encrypting l Confidentiality, Integrity and Availability are objectives of data security in the cloud

21 Identity and Access Management (IAM) in the Cloud l Trust boundaries and IAM l Why IAM? l IAM challenges l IAM definitions l IAM architecture and practice l Getting ready for the cloud l Relevant IAM standards and protocols for cloud services l IAM practices in the cloud l Cloud authorization management l Cloud Service provider IAM practice

22 Trust Boundaries and IAM l In a traditional environment, trust boundary is within the control of the organization l This includes the governance of the networks, servers, services, and applications l In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well ass organizations l Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization l Core of the architecture is the directory service which is the repository for the identity, credentials and user attributes

23 Why IAM l Improves operational efficiency and regulatory compliance management l IAM enables organizations to achieve access cont6rol and operational security l Cloud use cases that need IAM - Organization employees accessing SaaS se4rvidce using identity federation - IT admin access CSP management console to provision resources and access foe users using a corporate identity - Developers creating accounts for partner users in PaaS - End uses access storage service in a cloud - Applications residing in a cloud serviced provider access storage from another cloud service

24 IAM Challenges l Provisioning resources to users rapidly to accommodate their changing roles l Handle turnover in an organization l Disparate dictionaries, identities, access rights l Need standards and protocols that address the IAM challenges

25 IAM Definitions l Authentication - Verifying the identity of a user, system or service l Authorization - Privileges that a user or system or service has after being authenticated (e.g., access control) l Auditing - Exam what the user, system or service has carried out - Check for compliance

26 IAM Practice l IAMN process consists of the following: - User management (for managing identity life cycles), - Authentication management, - Authorization management, - Access management, - Data management and provisioning, - Monitoring and auditing - Provisioning, - Credential and attribute management, - Entitlement management, - Compliance management, - Identity federation management, - Centralization of authentication and authorization,

27 Getting Ready for the Cloud l Organization using a cloud must plan for user account provisioning - How can a user be authenticated in a cloud l Organization can use cloud based solutions from a vendor for IAM (e.g., Symplified) - Identity Management as a Service l Industry standards for federated identity management - SAML, WS-Federation, Liberty Alliance

28 Relevant IAM Standards, Protocols for Cloud l IAM Standards and Specifications for Organizations - SAML - SPML - XACML - OAuth (Open Authentication) – cloud service X accessing data in cloud service Y without disclosing credentials l IAM Standards and Specifications for Consumers - OpenID - Information Cards - Open Authenticate (OATH) - Open Authentication API (OpenAuth)

29 IAM Practices in the Cloud l Cloud Identity Administration - Life cycle management of user identities in the cloud l Federated Identity (SSO) - Enterprise an enterprise Identity provider within an Organization perimeter - Cloud-based Identity provider

30 Cloud Authorization Management l XACML is the preferred model for authorization l RBAC is being explored l Dual roles: Administrator and User l IAM support for compliance management

31 Cloud Service Provider and IAM Practice l What is the responsibility of the CSP and the responsibility of the organization/enterprise? l Enterprise IAM requirements - Provisioning of cloud service accounts to users - Provisioning of cloud services for service to service integration’ - SSO support for users based on federation standards - Support for international and regulatory policy requirements - User activity monitoring l How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS

32 Security Management in the Cloud l Security Management Standards l Security Management in the Cloud l Availability Management l Access Control l Security Vulnerability, Patch and Configuration Management

33 Security Management Standards l Security Manage3ment has to be carried out in the cloud l Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002 l What are the policies, procedures, processes and work instruction for managing security

34 Security Management in the Cloud l Availability Management (ITIL) l Access Control (ISIO, ITIL) l Vulnerability Management (ISO, IEC) l Patch Management (ITIL) l Configuration Management (ITIL) l Incident Response (ISO/IEC) l System use and Access Monitoring

35 Availability Management l SaaS availability - Customer responsibility: Customer must understand SLA and communication methods - SaaS health monitoring l PaaS availability - Customer responsibility - ‘PaaS health monitoring l IaaS availability - Customer responsibility - IaaS health monitoring

36 Access Control Management in the Cloud l Who should have access and why l How is a resources accessed l How is the access monitored l Impact of access control of SaaS, PaaS and IaaS

37 Security Vulnerability, Patch and Configuration (VPC) Management l How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment l What is the impact of VPS on SaaS, PaaS and IaaS

38 Privacy l Privacy and Data Life Cycle l Key Privacy Concerns in the Cloud l Who is Responsible for Privacy l Privacy Risk Management and Compliance ion the Cloud l Legal and Regulatory Requirements

39 Privacy and Data Life Cycle l Privacy: Accountability of organizations to data subjects as well as the transparency to an organization’s practice around personal information l Data Life Cycle - Generation, Use, Transfer, Transformation, Storage, Archival, Destruction - Need policies

40 Privacy Concerns in the Cloud l Access l Compliance l Storage l Retention l Destruction l Audit and Monitoring l Privacy Breaches

41 Who is Responsible for Privacy l Organization that collected the information in the first place – the owner organization l What is the role of the CSP? l Organizations can transfer liability but not accountability l Risk assessment and mitigation throughout the data lifecycle l Knowledge about legal obligations

42 Privacy Risk Management and Compliance l Collection Limitation Principle l Use Limitation Principle l Security Principle l Retention and Destruction Principle l Transfer Principle l Accountab9lity Principle

43 Legal and Regulatory Requirements l US Regulations - Federal Rules of Civil Procedure - US Patriot Act - Electronic Communications Privacy Act - FISMA - GLBA - HIPAA - HITECH Act l International regulations - EU Directive - APEC Privacy Framework

44 Audit and Compliance l Internal Policy Compliance l Governance, Risk and Compliance (GRC) l Control Objectives l Regulatory/External Compliance l Cloud Security Alliance l Auditing for Compliance

45 Audit and Compliance l Defines Strategy l Define Requirements (provide services to clients) l Defines Architecture (that is architect and structure services to meet requirements) l Define Policies l Defines process and procedures l Ongoing operations l Ongoing monitoring l Continuous improvement

46 Governance, Risk and Compliance l Risk assessment l Key controls (to address the risks and compliance requirements) l Monitoring l Reporting l Continuous improvement l Risk assessment – new IT projects and systems

47 Control Objectives l Security Policy l Organization of information security l Asset management l Human resources security l Physical and environmental security l Communications and operations management l Access control l Information systems acquisition, development and maintenance l Information Security incident management l Compliance l Key Management

48 Regulatory/External Compliance l Sarbanes-Oxley Act l PCI DSS l HIPAA l COBIT l What is the impact of Cloud computing on the above regulations?

49 Cloud Security Alliance (CSA) l Create and apply best practices to securing the cloud l Objectives include - Promote common level of understanding between consumers and providers - Promote independent research into best practices - Launch awareness and educational programs - Create consensus l White Paper produced by CSA consist of 15 domains - Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization, - - - -

50 Auditing for Compliance l Internal and External Audits l Audit Framework - SAS 70 - SysTrust - WebTrust - ISO 27001 certification l Relevance to Cloud

51 Cloud Service Providers l Amazon Web Services (IaaS) l Google (SaaS, PaaS) l Microsoft Azure (SaaS, IaaS) l Proofpoint (SaaS, IaaS) l RightScale (SaaS) l (SaaS, PaaS) l Sun Open Cloud Platform l Workday (SaaS)

52 Security as a Service l Email Filtering l Web Content Filtering l Vulnerability Management l Identity Management

53 Impact of Cloud Computing l Benefits - Low cost solution - Responsiveness flexibility - IT Expense marches Transaction volume - Business users are in direct control of technology decisions - Line between home computing applications and enterprise applications will blur l Threats - Vested interest of cloud providers - Less control over the use of technologies - Perceived risk of using cloud computing - Portability and Lock-in to Proprietary systems for CSPs - Lack of integration and componentization

54 Directions l Analysts predict that cloud computing will be a huge growth area l Cloud growth will be much higher than traditional IT growth l Will likely revolutionize IT l Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc will work for Cloud l Technologies will be enhanced (IaaS, PaaS, SaaS) l Security will continue o be a major concern

Download ppt "Dr. Bhavani Thuraisingham June 2013 A Comprehensive Overview of Secure Cloud Computing."

Similar presentations

Ads by Google