Cloud Security: Critical Threats and Global Initiatives

1 Cloud Security: Critical Threats and Global Initiatives
Jim Reavis, Executive Director
July, 2010

2 What is Cloud Computing?
Compute as a utility: third major era of computing
  Mainframe
  PC Client/Server
  Cloud computing: On demand model for allocation and consumption of computing
Cloud enabled by
  Moore’s Law: Costs of compute & storage approaching zero
  Hyperconnectivity: Robust bandwidth from dotcom investments
  Service Oriented Architecture (SOA)
  Scale: Major providers create massive IT capabilities

3 Top Threats to Cloud Computing
Cloud Security Risks / Threats
  Shared Technology Vulnerabilities
  Data Loss/Data Leakage
  Malicious Insiders
  Account Service or Hijacking of Traffic
  Insecure APIs
  Nefarious Use of Service
  Unknown Risk Profile

4 Shared Technology Vulnerabilities
Description: Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities.
Impact: Successful exploitation could impact multiple customers.
Example: Cloudburst - Kostya Kortchinsky (Blackhat 2009). Arbitrary code execution vulnerability identified in VMware SVGA II device, a virtualized PCI Display Adapter. Vulnerable component present on VMware Workstation, VMware Player, VMware Server and VMware ESX.

5 Data Loss / Data Leakage
Description: Data compromise due to improper access controls or weak encryption. Poorly secured data is at greater risk due to the multi-tenant architecture.
Impact: Data integrity and confidentiality.
Example: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT). Research detailing techniques to ensure that images are deployed on the same physical hardware as a victim and then leveraging cross-VM attacks to identify data leakage.

6 Malicious Insiders
Description: Employees of the cloud vendor may abuse privileges to access customer data/functionality. Reduced visibility into internal processes may inhibit detection of the breach.
Impact: Data confidentiality and integrity; reputational damage; legal repercussions.
Example: Google Investigates Insider Threat After China Hack (eWeek). “Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists”

7 Interception or Hijacking of Traffic
Description: Intercept and/or redirect traffic destined for the clients or cloud. Steal credentials to eavesdrop or manipulate account information / services.
Impact: Confidentiality and integrity of data; damage to reputation; consequences (legal) from malicious use of resources.
Example: Twitter DNS account compromise; Zeus botnet C&Cs on compromised Amazon EC2 accounts.

8 Insecure APIs
Description: APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack.
Impact: Data confidentiality and integrity; denial of service.
Example: P0wning the Programmable Web (Websense – AusCERT 2009). 80% of tested applications not using available security in APIs (e.g. unencrypted traffic and basic authentication). Demonstrated CSRF, MITM and data leakage attacks.

9 Nefarious Use of Service
Description: Attackers are drawn to the cloud for the same reasons as legitimate consumers – access to massive processing power at a low cost.
Impact: Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc.
Example: Current search of MalwareDomainList.com for ‘amazonaws.com’ returns 21 results. “In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws” – ScanSafe blog. Amazon's EC2 Having Problems With Spam and Malware - Slashdot.

10 Unknown Risk Profile
Description: A lack of visibility into security controls could leave cloud consumers exposed to unnecessary risk.
Impact: Significant data breaches could occur, possibly without the knowledge of the cloud consumer.
Example: Heartland Payment Systems was “willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen.”

11 How will Cloud Computing play out?
Much investment in private clouds for 3-5 years
Rise of mobile clouds
Eventual 80/20 rule favoring public clouds
Cloud assurance ecosystem being built
Virtual private clouds compromise between public and private
Long legacy of hybrid clouds
Disruption to markets, IT, security best practices
Challenges public policy and critical infrastructure

12 About the Cloud Security Alliance
Global, not-for-profit organization
10,000+ individual members
Fast growing – chapters, translations, alliances
Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
We believe Cloud Computing has a robust future, we want to make it better
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

13 CSA Research Projects
Go to www.cloudsecurityalliance.org/Research for Research dashboard and Working Group signup

14 Released Research
CSA Guidance for Critical Areas of Focus: Popular best practices V2.1
CSA Cloud Controls Matrix: Security controls framework mapped to existing regulations and standards
Top Threats: Released 2x annually
Identity & Access Management “Dom12” paper: Supporting Trusted Cloud Initiative

15 Research & Initiatives in Progress
Certificate of Cloud Security Knowledge (CCSK): Individual competency testing and certificate
Trusted Cloud Initiative: Interoperable IAM, reference models, cert criteria
CSA Cloud Controls Matrix V2: Controls refinement, automation, increased mappings
Consensus Assessments Initiative: Common question sets to measure providers’ security capabilities

16 Research Initiatives being Scoped
CloudCERT: Best practices research for emergency response in Cloud; Standardized processes; Hosted Community
Cloud Security Metrics: Library of recommended measurements & surveys
Cloud Security Use Cases: Document real world lessons learned

17 Third Party Initiative Participation
CloudAudit
Common Assurance Maturity Model (CAMM)
ENISA eGovernment
Cloud-Standards.org
NIST

18 Schedule
CSA Summit at BlackHat, July 28-29, Las Vegas
CSA Congress, Nov 16-17, Orlando
CSA Summit at RSA 2011 (tentative), SF
Participating in most major events
Several chapter launch events
Other Summits as research requires

19 Thank you!

