Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Computing Issues. Why Is "Security" Everywhere on That Slide? Security is generally perceived as a huge issue for the cloud: During a keynote.

Similar presentations


Presentation on theme: "Cloud Computing Issues. Why Is "Security" Everywhere on That Slide? Security is generally perceived as a huge issue for the cloud: During a keynote."— Presentation transcript:

1 Cloud Computing Issues

2

3 Why Is "Security" Everywhere on That Slide? Security is generally perceived as a huge issue for the cloud: During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population. The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security, access and privacy of their own data in the cloud. http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx

4

5

6

7 Security Concerns of Cloud Computing 1.Where’s the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.

8 Security Concerns of Cloud Computing 2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential hacker is someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fanny Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.

9 Security Concerns of Cloud Computing 3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.

10 Security Concerns of Cloud Computing 4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.

11 Security Concerns of Cloud Computing 5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.

12 Security Concerns of Cloud Computing 6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.

13 Security Concerns of Cloud Computing 7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed ervice between the cloud provider and the customer that specifies what level of services will be provided.

14 Security Concerns of Cloud Computing 8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record. If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.

15 Security Concerns of Cloud Computing 9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloudbased services are an attractive target to hackers.

16 Security Concerns of Cloud Computing 10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, it is physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia’s Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23 rd and February 9th was lost completely.

17 Cloud Computing Attacks Denial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.

18 Cloud Computing Attacks Side Channel attacks – An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.

19 Cloud Computing Attacks Authentication attacks – Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.

20 Cloud Computing Attacks Man-in-the-middle cryptographic attacks – This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.

21 Streamlined Security Analysis Process Identify Assets Which assets are we trying to protect? What properties of these assets must be maintained? Identify Threats What attacks can be mounted? What other threats are there (natural disasters, etc.)? Identify Countermeasures How can we counter those attacks? Appropriate for Organization-Independent Analysis We have no organizational context or policies

22 Identify Assets Customer Data Customer Applications Client Computing Devices

23 Information Security Principles (Triad) C I A Confidentiality Prevent unauthorized disclosure Integrity Preserve information integrity Availability Ensure information is available when needed

24 Identify Assets & Principles Customer Data Confidentiality, integrity, and availability Customer Applications Confidentiality, integrity, and availability Client Computing Devices Confidentiality, integrity, and availability

25 Cloud Computing Model

26 Identify Threats Failures in Provider Security Attacks by Other Customers Availability and Reliability Issues Legal and Regulatory Issues Perimeter Security Model Broken Integrating Provider and Customer Security Systems

27 Failures in Provider Security Explanation Provider controls servers, network, etc. Customer must trust provider’s security Failures may violate CIA principles Countermeasures Verify and monitor provider’s security Notes Outside verification may suffice For SMB, provider

28 Attacks by Other Customers Threats Provider resources shared with untrusted parties CPU, storage, network Customer data and applications must be separated Failures will violate CIA principles Countermeasures Hypervisors for compute separation MPLS, VPNs, VLANs, firewalls for network separation Cryptography (strong) Application-layer separation (less strong)

29 Availability and Reliability Issues Threats Clouds may be less available than in-house IT Complexity increases chance of failure Clouds are prominent attack targets Internet reliability is spotty Shared resources may provide attack vectors BUT cloud providers focus on availability Countermeasures Evaluate provider measures to ensure availability Monitor availability carefully Plan for downtime Use public clouds for less essential applications

30 Legal and Regulatory Issues Threats Laws and regulations may prevent cloud computing Requirements to retain control Certification requirements not met by provider Geographical limitations – EU Data Privacy New locations may trigger new laws and regulations Countermeasures Evaluate legal issues Require provider compliance with laws and regulations Restrict geography as needed

31 Perimeter Security with Cloud Computing?

32 Perimeter Security Model Broken Threats Including the cloud in your perimeter Lets attackers inside the perimeter Prevents mobile users from accessing the cloud directly Not including the cloud in your perimeter Essential services aren’t trusted No access controls on cloud Countermeasures Drop the perimeter model!

33 Integrating Provider and Customer Security Threat Disconnected provider and customer security systems Fired employee retains access to cloud Misbehavior in cloud not reported to customer Countermeasures At least, integrate identity management Consistent access controls Better, integrate monitoring and notifications

34 Bottom Line on Cloud Computing Security Engage in full risk management process for each case For small and medium organizations Cloud security may be a big improvement! Cost savings may be large (economies of scale) For large organizations Already have large, secure data centers Main sweet spots: Elastic services Internet-facing services Employ countermeasures listed above

35 Security Analysis Skills Reviewed Today  Information Security Risk Management Process Variations used throughout IT industry ISO 27005, NIST SP 800-30, etc. Requires thorough knowledge of threats and controls Bread and butter of InfoSec – Learn it! Time-consuming but not difficult Streamlined Security Analysis Process Many variations RFC 3552, etc. Requires thorough knowledge of threats and controls Useful for organization-independent analysis Practice this on any RFC or other standard Become able to do it in 10 minutes

36 Q&A


Download ppt "Cloud Computing Issues. Why Is "Security" Everywhere on That Slide? Security is generally perceived as a huge issue for the cloud: During a keynote."

Similar presentations


Ads by Google