Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010."— Presentation transcript:

1 virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP Certified ISO 27001:2005 Lead Auditor

2  Cloud Architecture  NIST Working Definition of Cloud Computing  Some Myths  C-RISK (Cloud Based Security RISKs)  Security Issues  Cloud Transparency  Ensuring Security & Privacy  Risk Based Approach  Risk Assessment for Cloud virtual techdays INDIA │ 9-11 February 2011 S E S S I O N A G E N D A

3  The opinion here represented are my personal ones and do not necessary reflect my employers views.  Registered brands belong to their legitimate owners.  The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)  Information and resources from Internet (including publications from Cloud Security Alliance, NIST, etc) were used as references for the creation of this presentation. virtual techdays INDIA │ 9-11 February 2011 DISCLAIMER & REFERENCES

4  cloud is loud  Headline stealer  Everybody is concerned about Cloud Security  Privacy concerns  Why handle cloud differently?  Simple – power of cloud  With any new technology comes new risks  New vectors - that we need to be aware of virtual techdays INDIA │ 9-11 February 2011 WHY THIS TALK?

5  Barack Obama's Technology Innovation and Government Reform Team (TIGR) describe the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."  102 billion objects as of March 2010 in Amazon Cloud  The New York Times stores PDF's of 15M scanned news articles.  NASDAQ uses cloud to deliver historical stock information.  A 64 node server cluster can be online in just five minutes  Forget about those sleepless nights in your data centers virtual techdays INDIA │ 9-11 February 2011 POWER OF CLOUD

6  Providing a collection of  services,  applications,  information, and  infrastructure comprised of pools of  compute,  network,  information, and  storage resources. virtual techdays INDIA │ 9-11 February 2011 CLOUD In Simple Terms

7  From an architectural perspective; there is much confusion  How cloud is both similar to and different from existing models of computing?  Same old, Same old - Marcus Ranum  Same Client / Server paradigm from Mainframe days – Bruce Schneier  If we don’t understand these similarities and differences, it will impact the  organizational,  operational, and  technological approaches to information security practices. virtual techdays INDIA │ 9-11 February 2011 CLOUD CONFUSION In Simple Terms

8  Current Working Draft 15 / Current Working Defenition 15  “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of :  five essential characteristics,  three service models, and  four deployment models.”  Ref: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc virtual techdays INDIA │ 9-11 February 2011 CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

9  Five essential characteristics  On-demand self-service  Broad network access  Resource pooling  Rapid elasticity  Measured service virtual techdays INDIA │ 9-11 February 2011 CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

10  Divided into three archetypal models.  The three fundamental classifications are known as the SPI Model.  Various other derivative combinations are also available.  Three Cloud Service Models  Cloud Software as a Service (SaaS).  Cloud Platform as a Service (PaaS).  Cloud Infrastructure as a Service (IaaS). virtual techdays INDIA │ 9-11 February 2011 CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

11  Regardless of the service model, there are four cloud deployment models:  Public Cloud  Private Cloud  Community Cloud  Hybrid Cloud  Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand.  Example - Virtual Private Clouds - Public cloud infrastructure in a private or semi-private manner using VPN. virtual techdays INDIA │ 9-11 February 2011 CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

12  Myth 1 - Virtualization is mandatory  Answer is No  Cloud services are often but not always utilized in conjunction with, and enabled by, virtualization technologies  There is no requirement that ties the abstraction of resources to virtualization technologies  In many offerings virtualization by hypervisor or operating system container is not utilized. virtual techdays INDIA │ 9-11 February 2011 CLOUD - MYTHS Myths about Cloud Computing Essential Characteristics

13  Myth 2 - Multi-tenancy as an essential cloud characteristic  Multi-tenancy is not called out as an essential cloud characteristic by NIST but is often discussed as such. virtual techdays INDIA │ 9-11 February 2011 CLOUD - MYTHS Myths about Cloud Computing Essential Characteristics

14  New twist on an old concept :)  Bursting into the cloud when necessary, or  using the cloud when additional compute resources are required temporarily virtual techdays INDIA │ 9-11 February 2011 CLOUD JARGONS Cloud Bursting

15  How it is different from the traditional bursting?  Traditionally been applied to resource allocation and automated provisioning / de-provisioning of resources, mainly focused on bandwidth.  In the cloud, it is being applied to resources such as:  servers,  application servers, application delivery systems, and  other infrastructure… required to provide on-demand computing environments that expand and contract as necessary, without manual intervention. virtual techdays INDIA │ 9-11 February 2011 CLOUD JARGONS Cloud Bursting

16  Without manual intervention means?  We generally call it - automation  But is automation sufficient for cloud? or  Is it the right thing for cloud? virtual techdays INDIA │ 9-11 February 2011 CLOUD JARGONS Cloud Bursting

17  Orchestration describes the automated  arrangement,  coordination, and  management of complex computer systems, middleware, and services. virtual techdays INDIA │ 9-11 February 2011 CLOUD JARGONS Cloud Orchestration

18  Open and proprietary APIs are evolving which seek to enable things such as  management,  security and  inter-operatibility for cloud. Examples include:  Windows Azure Storage Services REST API  Open Cloud Computing Interface Working Group,  Amazon EC2 API,  VMware’s DMTF-submitted vCloud API,  Sun’s Open Cloud API,  Rackspace API, and GoGrid’s API. virtual techdays INDIA │ 9-11 February 2011 CLOUD API OPEN & PROPRIETARY

19  Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.  IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS  As the capabilities are inherited, so are information security issues and risk. virtual techdays INDIA │ 9-11 February 2011 CLOUD REFERENCE MODEL RELATIONSHIPS & DEPENDENCIES

20 virtual techdays INDIA │ 9-11 February 2011 CLOUD REFERENCE MODEL RELATIONSHIPS & DEPENDENCIES

21  From an attackers point of view:  The boxes,  Storage,  Applications  Cloud based security issues  Also commonly know as Cloud Based Risk or C-RISK virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY WHAT COULD BE TARGETTED?

22  Cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT  Different cloud service providers use different API – not compatible with each other for migrating the data   Lack of:  Tools,  Procedures,  Standard data formats, and  Interfaces, can considerably delay or prevent a successful migration. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY LOCK-IN

23  Any kind of intentional and un-intentional malicious activity carried out or executed on a shared platform  May affect the other tenants and associated stake holders.  Examples - Shared Service Consequences:  Blocking of IP ranges  Confiscation of resources as part of an investigation - the availability is in question.  The diversity of application running on the cloud platform and a sudden increase in the resource usage by one application can drastically affect the performance and availability of other applications shared in the same cloud infrastructure. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Shared Service Consequences

24  Cloud is upcoming and promising domain for organizations to venture and expand.  Sudden take over can result in a deviation from the agreed Terms of Use & SLA which may also lead to a Lock-In situation. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Sudden Acquisitions and Take-overs

25  Similar to the conventional run on the bank concept.  Bankruptcy and catastrophes does not come with an early warning.  What happens if the majority clients withdraw the associated services from a cloud infrastructure?  The cloud service providers may try to prevent that move through direct and indirect methods – which may include a lock-in also. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Run-on-the-cloud

26  Organizations need to ensure that they can maintain the same when moving to cloud.  Generally - ToU prohibits VA/PT  This may introduce security vulnerabilities and gaps  Result – Loose your certification.  Example - Maintaining Certifications:  In general scenario, the PCI DSS compliance cannot be achieved with most of the cloud service.  Major downfall in performance and quality metrics may affect your certifications. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Maintaining Certifications & Compliance

27  Vulnerabilities applicable to the conventional systems & networks are also applicable to cloud infrastructure.  Lack of could based security standards and non-adherence to procedures may affect the CIA of customer data. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Technical and Procedural Vulnerability

28  The information deleted by the customer may be available to the cloud solution provider as part of their regular backups.  Insecure and inefficient deletion of data where true data wiping is not happening, exposing the sensitive information to other cloud users. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Confidentiality is @ Risk

29  The service provider may be following good security procedures, but it is not visible to the customers and end users.  May be due to security reasons.  But end user is finally in the dark.  End user questions remains un-answered:  how the data is backed up,  who back up the data,  whether the cloud service provider does it or has they outsourced to some third party, virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Lack of transparency in cloud

30  how the backup is transferred to a remote site as part of the backup policy,  is it encrypted and send,  is the backup properly destroyed after the specified retention period or  is it lying somewhere in the disk,  what kind of data wiping technologies are used.  The lists of questions are big and the cloud users are in dark virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Lack of transparency in cloud

31  Problems testing the cloud?  Permission  How do you get permission to test your application running on a cloud when the results of your testing probably could show you data from another client completely?  Getting black hole or getting kicked-off  "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY (Security) Testing in Cloud

32  How do you track version?  How do you do regression testing?  How do you know what version of the application is currently running on the cloud?  If you test an application today and find it vulnerable or not vulnerable, how do you know that the app you testing tomorrow is the same one that you tested yesterday? – Chances are very less  virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY (Security) Testing in Cloud

33  Adopt a risk based approach  Evaluate your tolerance for moving an asset to cloud  Have a framework to evaluate cloud risks. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Addressing Security Issues in Cloud

34  Identify the asset for cloud.  Evaluate the asset  Map the asset to cloud deployment models  Evaluate cloud service models & providers  Sketch the potential data flow virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Risk Assessment Framework for Cloud

35  Step 1 - Determine exactly what data or function is being considered for the cloud.  Include potential use of the asset once it moves to the cloud  This will help you account for scope creep  Note: Data and transaction volumes are often higher than expected. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Identify the asset for cloud.

36  Determine how important the data or function is to the organization.  An assessment of the following is recommended:  how sensitive an asset is? and  how important an application / function / process is?  How do we do it? virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Evaluate the asset

37  For each asset, ask the following questions:  How would we be harmed if the asset became widely public and widely distributed?  How would we be harmed if an employee of our cloud provider accessed the asset?  How would we be harmed if the process or function were manipulated by an outsider?  How would we be harmed if the process or function failed to provide expected results?  How would we be harmed if the information/data were unexpectedly changed?  How would we be harmed if the asset were unavailable for a period of time?  By doing the above we are  Assessing confidentiality, integrity, and availability requirements for the asset; and  how those are affected if all or part of the asset is handled in the cloud? virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Evaluate the asset

38  Map the asset to potential cloud deployment models  Determine which deployment model is good for the organizational requirement.  For the asset, determine if you are willing to accept the following options:  Public.  Private, internal/on-premises.  Private, external (including dedicated or shared infrastructure).  Community  Hybrid virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Map the asset to cloud deployment models

39  Focus on the degree of control you’ll have at each SPI tier to implement any required risk management. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Evaluate cloud service models & providers

40  Map out the data flow between:  your organization,  the cloud service, and  any customers/other nodes. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Sketch the potential data flow

41  You should have a clear understanding of the following:  the importance of what you are considering moving to the cloud,  risk tolerance,  which combinations of deployment and service models are acceptable, and  potential exposure points for sensitive information and operations. virtual techdays INDIA │ 9-11 February 2011 CLOUD SECURITY Conclusion

42 virtual techdays THANKS │ 9-11 February 2011 m@hackit.co │ http://manuzacharia.blogspot.com

Download ppt "Virtual techdays INDIA │ 9-11 February 2011 SECURING THE CLOUD Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010."

Similar presentations

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.

Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.
By Adam Balla & Wachiu Siu

By Adam Balla & Wachiu Siu
Clouds C. Vuerli Contributed by Zsolt Nemeth. As it started.

Clouds C. Vuerli Contributed by Zsolt Nemeth. As it started.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
Cloud SUT proposal OSGcloud group. Objective To fill in the Research the group about the thinking within the OSG working group To solicit new ideas/proposals.

Cloud SUT proposal OSGcloud group. Objective To fill in the Research the group about the thinking within the OSG working group To solicit new ideas/proposals.
Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,

Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
Cloud Usability Framework

Cloud Usability Framework
Wally Kowal, President and Founder Canadian Cloud Computing Inc.

Wally Kowal, President and Founder Canadian Cloud Computing Inc.
SaaS, PaaS & TaaS By: Raza Usmani

SaaS, PaaS & TaaS By: Raza Usmani
Be Smart, Use PwrSmart What Is The Cloud?. Where Did The Cloud Come From? We get the term “Cloud” from the early days of the internet where we drew a.

Be Smart, Use PwrSmart What Is The Cloud?. Where Did The Cloud Come From? We get the term “Cloud” from the early days of the internet where we drew a.
M.A.Doman 2011. Model for enabling the delivery of computing as a SERVICE.

M.A.Doman Model for enabling the delivery of computing as a SERVICE.
Cloud Computing Guide & Handbook SAI USA Madhav Panwar.

Cloud Computing Guide & Handbook SAI USA Madhav Panwar.
Design of New or Changed Services in the Cloud: An ISO/IEC 20000 Perspective Ronald Dattero Missouri State University, CIS Dept. Stuart D. Galup Florida.

Design of New or Changed Services in the Cloud: An ISO/IEC Perspective Ronald Dattero Missouri State University, CIS Dept. Stuart D. Galup Florida.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Cloud computing Tahani aljehani.

Cloud computing Tahani aljehani.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Discussion on LI for Mobile Clouds

Discussion on LI for Mobile Clouds

Similar presentations

Ads by Google