WHAT IS CLOUD COMPUTING REALLY?


Scott Clark, Chicago Chapter President, Cloud Security Alliance

The Blind Men and the Cloud

It was six men of Info Tech
To learning much inclined,
Who went to see the Cloud
(Though all of them were blind),
That each by observation
Might satisfy his mind.

The First approached the Cloud,
So sure that he was boasting,
“I know exactly what this is…
This Cloud is simply Hosting.”

The Second grasped within the Cloud,
Saying, “No, it’s obvious to me,
This Cloud is grid computing…
Servers working together in harmony!”

The Third, in need of an answer,
Cried, “Ho! I know its source of power:
It’s a utility computing solution
Which charges by the hour.”

The Fourth reached out to touch it,
It was there, but it was not.
“Virtualization,” said he,
“That’s precisely what we’ve got!”

The Fifth, so sure the rest were wrong,
Declared, “It’s SaaS, you fools,
Applications with no installation,
It’s breaking all the rules!”

The Sixth (whose name was Benioff),
Felt the future he did know,
He made haste in boldly stating,
“This *IS* Web 3.0.”

And so these men of Info Tech
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were partly wrong!

Sam Charrington & Noreen Barczweski © 2009, Appistry, Inc.

Agenda
Introduction to Cloud Computing
What is Different in the Cloud?
CSA Guidance
Additional Resources

“This Cloud is simply Hosting”

Evolution of “Hosting”
From custom “co-location” to commodity “cloud service providers”

Evolution of Data Centers
Built closest to power plants. Example: Google data center, State of Oregon, on the Columbia River: a 103 megawatt data center on 30 acres, near a 1.8 GW hydropower station.

Data Center is the new “Server”

POD Computing

Google’s low-cost commodity server

Is This New? Berkeley is credited with the cluster-of-servers model, started in 1994.

Broadband Network Access

Rapid Elasticity

Measured Service: the risk of over-provisioning is underutilization
[Figure: resources vs. time for a static data center; the gap between fixed capacity and the demand curve is unused resources.]

Measured Service: heavy penalty for under-provisioning
[Figure: three plots of resources vs. time over days 1 to 3. Demand rises above fixed capacity; the demand that cannot be served is lost revenue; over the following days demand itself falls as turned-away users do not return: lost users.]

Measured Service: data center in the cloud, pay by use instead of provisioning for peak
[Figure: a static data center, with fixed capacity above demand and unused resources, beside a data center in the cloud, whose capacity tracks demand over time.]
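The provisioning trade-off in the three slides above, as an added example that is not part of Scott Clark's deck: a small Go model that runs a constructed hourly demand curve (a flat baseline with a one-day spike) through a static data center sized to the peak, one sized to the mean, and an elastic cloud that re-sizes every hour in five-server steps, and reports capacity paid for, idle capacity (over-provisioning) and unmet demand (under-provisioning). The demand numbers, the five-server granule and the use of unmet server-hours as the measure of lost revenue are this example's assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Hourly demand in server units, constructed for this example: a flat
// baseline with a short spike, the shape of the demand curve on the slides.
var sampleDemand = []float64{20, 22, 25, 30, 60, 95, 120, 80, 40, 25, 22, 20}

// Provisioning records what a capacity plan pays for and what it loses.
type Provisioning struct {
	ServerHours float64 // capacity paid for, summed over the period
	UnusedHours float64 // paid-for capacity that sat idle (over-provisioning)
	UnmetHours  float64 // demand that found no capacity (under-provisioning)
}

// Utilization is served demand as a fraction of capacity paid for.
func (p Provisioning) Utilization() float64 {
	return (p.ServerHours - p.UnusedHours) / p.ServerHours
}

// StaticDataCenter holds a fixed capacity in every hour, so it either idles
// (capacity above demand) or turns users away (demand above capacity).
func StaticDataCenter(demand []float64, capacity float64) Provisioning {
	var p Provisioning
	for _, d := range demand {
		p.ServerHours += capacity
		if d > capacity {
			p.UnmetHours += d - capacity
		} else {
			p.UnusedHours += capacity - d
		}
	}
	return p
}

// ElasticCloud adds or releases capacity each hour in steps of granule
// servers, so the only idle capacity is the rounding slack and no demand
// goes unmet: the pay-by-use model of the slides.
func ElasticCloud(demand []float64, granule float64) Provisioning {
	var p Provisioning
	for _, d := range demand {
		capacity := math.Ceil(d/granule) * granule
		p.ServerHours += capacity
		p.UnusedHours += capacity - d
	}
	return p
}

func main() {
	report := func(name string, p Provisioning) {
		fmt.Printf("%-24s paid %5.0f server-hours, idle %4.0f, unmet %4.0f, utilization %3.0f%%\n",
			name, p.ServerHours, p.UnusedHours, p.UnmetHours, 100*p.Utilization())
	}
	report("static, sized to peak", StaticDataCenter(sampleDemand, 120))
	report("static, sized to mean", StaticDataCenter(sampleDemand, 45))
	report("elastic, 5-server steps", ElasticCloud(sampleDemand, 5))
}
```

On the constructed curve the peak-sized static plan pays for 1,440 server-hours to serve 559 and idles 881 of them; the mean-sized plan pays for 540 but turns away 175 server-hours of demand; the elastic plan pays for 565 and idles 6. The elastic bill tracks demand whether the spike is legitimate or not, so pay-by-use needs a spending ceiling alongside the capacity one.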

Resource Pooling = Virtualization
Traditional stack: Hardware, Operating System, App
Virtualized stack: Hardware, Hypervisor, OS, App

Server Virtualization

Storage Virtualization

Network Virtualization
Traditional: application VMs behind top-of-rack (ToR) switches: high CapEx, low utilization, high complexity, change-resistant
Virtualized network platform: platform-independent, razor-thin CapEx, deploy anywhere, elastic scalability, interfaces with provisioning and orchestration systems, evolves with rapidly changing network architectures, utility licensing model

Case Study
Genentech needed a supercomputer to examine how proteins bind together; using Genentech’s own resources would have taken weeks or months to gain access and run the program. A 10,000-core cluster was created on Amazon’s EC2.

Completed in 8 hours! Genentech’s cost = $8,480!
Infrastructure: 1,250 instances, each 8 cores / 7 GB RAM
Cluster size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total
Scale: comparable to #114 on the Top 500 supercomputer list
Security: engineered with HTTPS and 128/256-bit AES encryption
User effort: single click to start the cluster
Start-up time: thousands of cores in minutes, full cluster in 45 minutes
Up-front capital investment / licensing fees: $0
Total CycleCloud and infrastructure cost: $1,060/hour

Delivery Models: “Why do it yourself if you can pay someone to do it for you?”
Utility computing (IaaS): why buy machines when you can rent cycles? Examples: Amazon’s EC2, GoGrid, AppNexus
Platform as a Service (PaaS): give me a nice API and take care of the implementation. Examples: Google App Engine, Force.com
Software as a Service (SaaS): just run it for me! Examples: Gmail, Salesforce.com and NetSuite

Forrester: Cloud Market To Reach $241 Billion By 2020

Case Study – Hybrid Cloud
June 25, 2009: 1 million visits in 24 hours. Twitter stood still; Ticketmaster crawled; Yahoo! saw 16.4 million site visitors in 24 hours, more than the 15.1 million on Election Day; Sony.com couldn’t sell music; 200 sites down.

Private to Public Burst

What About Service Oriented Architecture???

BREAK

What is Different in the Cloud?
Many concepts “in the cloud” are similar to concepts in standard outsourcing. There are at least four themes which require a different mindset when working on security for cloud services:
Role clarity for security controls
Legal / jurisdictional / cross-border data movement
Virtualization concentration risk
Virtualization network security control parity

What is Different in the Cloud? Role Clarity
[Figure: a sliding split between security controls owned by the provider (“THEM”) and those owned by you across IaaS, PaaS and SaaS: the customer owns most of the stack in IaaS, the provider owns most of it in SaaS.]

What is Different in the Cloud? Legal / Jurisdictional Issues Amplified
[Figure: your corporate data, surrounded by “cloud” provider datacenters in London, U.K.; São Paulo, Brazil; Geneva, Switzerland; Tokyo, Japan; and San Francisco, USA. It may end up in any of them, each under its own law.]

What is Different in the Cloud? Virtualization Concentration Risks
Old way: hack a system. New way: hack a datacenter, because one compromised hypervisor exposes every tenant it hosts.

What is Different in the Cloud? Virtualized N-Tier Control Equivalence
Current way: users on the Internet reach the presentation layer through FW, WAF and NIDS/IPS, and the presentation layer reaches the data layer through a second FW, WAF and NIDS/IPS.
New way: the same tiers run as VMs on one hypervisor. How do we ensure control parity?
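One way to make the control-parity question on the slide above answerable, as an added example that is not part of the original deck: a Go check that takes the physical N-tier path as the reference, a virtualized path as the candidate, and lists, per tier boundary, the inspection points the virtual build lacks. The two topologies are constructed for the example; the tier names and the FW / WAF / NIDS/IPS labels are the slide's, and the assumption that VM-to-VM traffic on one hypervisor stays on the virtual switch and never reaches the physical WAF and sensor is the classic gap the check is meant to catch.

```go
package main

import (
	"fmt"
	"sort"
)

// Boundary is one hop between two tiers; Controls is the set of inspection
// points traffic crosses on that hop (FW, WAF, NIDS/IPS).
type Boundary struct {
	From, To string
	Controls []string
}

// Path is an ordered list of boundaries from the Internet to the data tier.
type Path []Boundary

func (b Boundary) key() string { return b.From + " -> " + b.To }

// ParityGaps lists, per boundary, the controls present on the reference
// (physical) path that are missing on the candidate (virtualized) path. A
// boundary present on the reference but absent from the candidate is
// reported with every reference control missing.
func ParityGaps(reference, candidate Path) map[string][]string {
	have := map[string]map[string]bool{}
	for _, b := range candidate {
		set := map[string]bool{}
		for _, c := range b.Controls {
			set[c] = true
		}
		have[b.key()] = set
	}
	gaps := map[string][]string{}
	for _, b := range reference {
		var missing []string
		for _, c := range b.Controls {
			if !have[b.key()][c] { // reading a nil inner map yields false
				missing = append(missing, c)
			}
		}
		if len(missing) > 0 {
			sort.Strings(missing)
			gaps[b.key()] = missing
		}
	}
	return gaps
}

// Constructed topologies. In the physical build every tier boundary crosses
// a firewall, a WAF and an IDS/IPS. In the virtualized build the presentation
// and data tiers are VMs on the same hypervisor, so their traffic stays on
// the virtual switch: only the hypervisor-level filter sees it, and the WAF
// and NIDS/IPS that sat on the physical wire are never reached.
var physicalPath = Path{
	{"Internet", "Presentation", []string{"FW", "WAF", "NIDS/IPS"}},
	{"Presentation", "Data", []string{"FW", "WAF", "NIDS/IPS"}},
}

var virtualPath = Path{
	{"Internet", "Presentation", []string{"FW", "WAF", "NIDS/IPS"}},
	{"Presentation", "Data", []string{"FW"}},
}

func main() {
	gaps := ParityGaps(physicalPath, virtualPath)
	if len(gaps) == 0 {
		fmt.Println("control parity holds")
		return
	}
	for hop, missing := range gaps {
		fmt.Printf("%s: missing %v\n", hop, missing)
	}
}
```

Against the constructed topologies the check reports `Presentation -> Data: missing [NIDS/IPS WAF]`: the hypervisor's own filter still provides the firewall function, but the web application firewall and the sensor that inspected the physical wire between the tiers see nothing. Restoring parity means inserting a virtual appliance in the path, mirroring traffic off the virtual switch, or moving inspection onto the hosts, and re-running a check like this one after every topology change.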

Key Cloud Security Problems
From CSA Top Threats research:
Trust: lack of provider transparency; impacts governance, risk management and compliance
Data: leakage, loss, or storage in unfriendly geography
Insecure cloud software
Malicious use of cloud services
Account/service hijacking
Malicious insiders
Cloud-specific attacks

Cloud Security Alliance Guidance

Cloud Security Alliance Guidance
Cloud Architecture
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification and Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
Available at http://www.cloudsecurityalliance.org/Research.html

Defining Cloud
On-demand provisioning
Elasticity
Multi-tenancy
Key types:
Infrastructure as a Service (IaaS): basic O/S and storage
Platform as a Service (PaaS): IaaS + rapid development
Software as a Service (SaaS): complete application
Public, Private, Community and Hybrid cloud deployments

Governance and Enterprise Risk Management
Due diligence of the provider’s governance structure and process, in addition to its security controls
SLAs
Risk assessment approaches of provider and user should be consistent: consistency in impact analysis and in the definition of likelihood

Legal and Electronic Discovery
Mutual understanding of roles related to litigation, discovery searches and expert testimony
Data in the custody of the provider must receive guardianship equivalent to that of the original owner
Unified process for responding to subpoenas, service of process, etc.

Compliance and Audit
Right-to-audit clause
Analyze the impact of regulations on data security
Prepare evidence of how each requirement is being met
Auditor qualification and selection

Information Lifecycle Management
How is integrity maintained? If compromised, how is it detected and reported?
Identify all controls used during the data lifecycle
Know where your data is!
Understand the provider’s data search capabilities and limitations

Portability and Interoperability
IaaS: understand VM capture and porting to a new provider, especially if different technologies are used
PaaS: understand how logging, monitoring and audit transfer to another provider
SaaS: perform regular backups into a form that is usable without the SaaS

Security, Business Continuity and Disaster Recovery
Conduct an onsite inspection whenever possible
Inspect the cloud provider’s disaster recovery and business continuity plans
Ask for documentation of external and internal security controls: adherence to industry standards?

Data Center Operations
Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
Understanding of the provider’s patch management policies and procedures, which should be reflected in the contract!

Incident Response, Notification and Remediation
You may have limited involvement in incident response; understand the prearranged communication path to the provider’s incident response team
What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?

Application Security
S-P-I (SaaS, PaaS, IaaS) creates different trust boundaries in the SDLC; account for them in development, test and production
Obtain contractual permission before performing remote vulnerability and application assessments: the provider cannot distinguish your testing from an actual attack

Encryption and Key Management
Separate key management from the provider hosting the data, creating a chain of separation
Understand the provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
Ensure encryption adheres to industry and government standards when stipulated in the contract
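The chain of separation in the first bullet above, as an added Go example that is not part of the original deck: envelope encryption in which each object gets its own data key (DEK), the data is sealed under the DEK with AES-256-GCM, and the DEK is sealed under a key-encryption key (KEK) that only the customer holds, so what the provider stores (`StoredObject`) cannot be decrypted with anything the provider has. It also shows the rotation step from the lifecycle bullet: a new KEK re-wraps the DEK without re-encrypting the data, after which the old KEK can be deleted. The `Customer` and `StoredObject` types, the KEK-ID naming and the use of the KEK ID as associated data are this example's choices, not anything the deck or the CSA guidance prescribes; in production the KEKs would live in an HSM or a key-management service under the customer's control rather than in a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM; returns nonce||ciphertext||tag. aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to ciphertext, tag or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredObject is all the provider holds: ciphertext plus the per-object data
// key (DEK) wrapped under a customer key-encryption key (KEK). The KEK ID is
// bound as AAD so a wrapped DEK cannot be relabelled to a different KEK.
type StoredObject struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Customer is the KEK store on the customer's side of the chain of separation,
// keyed by ID so that old and new generations coexist during a rotation.
type Customer map[string][]byte

// Encrypt: fresh 256-bit DEK per object, data under the DEK, DEK under the KEK.
func (c Customer) Encrypt(kekID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(c[kekID], dek, []byte(kekID)) // unknown kekID: nil key, error
	return StoredObject{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

func (c Customer) unwrap(obj StoredObject) ([]byte, error) {
	kek, ok := c[obj.KEKID]
	if !ok {
		return nil, errors.New("KEK " + obj.KEKID + " is not held here")
	}
	return open(kek, obj.WrappedDEK, []byte(obj.KEKID))
}

func (c Customer) Decrypt(obj StoredObject) ([]byte, error) {
	dek, err := c.unwrap(obj)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, nil)
}

// Rotate re-wraps the DEK under KEK newID and leaves the ciphertext untouched,
// so cost is independent of data size; deleting the old KEK then retires it.
func (c Customer) Rotate(obj StoredObject, newID string) (StoredObject, error) {
	dek, err := c.unwrap(obj)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(c[newID], dek, []byte(newID))
	return StoredObject{KEKID: newID, WrappedDEK: wrapped, Ciphertext: obj.Ciphertext}, err
}
```

Two properties worth checking when a provider describes its own key lifecycle in these terms: rotation touches only the wrapped DEK, so it limits the damage of a future KEK compromise but does nothing for ciphertext already taken while the old KEK was valid; and deleting a KEK makes every object still wrapped under it unreadable, so the re-wrap of all objects has to complete before the delete, and the delete has to be verifiable.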

Identity and Access Management
IAM is a big challenge today in secure cloud computing
Identity: avoid proprietary solutions unique to the cloud provider
Any local authentication service offered by the provider should be OATH compliant

Virtualization
Understand the security controls inside the VM beyond the hypervisor’s built-in isolation: IDS, AV, vulnerability scanning, etc.
Understand the external security controls protecting exposed administrative interfaces (web-based, APIs)
Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs

Additional Cloud Security Alliance Resources

Cloud Security Alliance Initiatives
GRC Stack
Security Guidance for Critical Areas of Focus in Cloud Computing
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative
Cloud Metrics
Trusted Cloud Initiative
Top Threats to Cloud Computing
CloudAudit
Common Assurance Maturity Model
CloudSIRT
Security as a Service

Cloud Controls Matrix Tool
Controls derived from the guidance
Rated as applicable to S-P-I (SaaS, PaaS, IaaS) and to the customer vs. provider role
Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS
Helps bridge the gap for IT and IT auditors
www.cloudsecurityalliance.org/cm.html

Help us secure cloud computing
www.cloudsecurityalliance.org
Contact: Cloud Security Alliance, Chicago Chapter, scott.clark@vyatta.com
LinkedIn: http://www.linkedin.com/groups?gid=3755674
Do visit the website. Do join the LinkedIn groups; you will receive regular email updates.

Questions?