PowerPoint Presentation - SPU by yurtgc548


									Cloud Computing Issues
Why Is "Security" Everywhere on That Slide?
• Security is generally perceived as a huge issue
  for the cloud:
       During a keynote speech to the Brookings Institution
policy forum, “Cloud Computing for Business and Society,”
[Microsoft General Counsel Brad] Smith also highlighted data
from a survey commissioned by Microsoft measuring attitudes
on cloud computing among business leaders and the general
       The survey found that while 58 percent of the general
population and 86 percent of senior business leaders are excited
about the potential of cloud computing, more than 90 percent of
these same people are concerned about the security, access and
privacy of their own data in the cloud.

Security Concerns of Cloud Computing
1. Where’s the data?
Different countries have different requirements
and controls placed on access. Because your
data is in the cloud, you may not realize that the
data must reside in a physical location. Your
cloud provider should agree in writing to
provide the level of security required for your
       Security Concerns of Cloud
2. Who has access?
Access control is a key concern, because insider
attacks are a huge risk. A potential hacker is
someone who has been entrusted with approved
access to the cloud. If anyone doubts this, consider
that in early 2009 an insider was accused of
planting a logic bomb on Fanny Mae servers that, if
launched, would have caused massive damage.
Anyone considering using the cloud needs to look
at who is managing their data and what types of
controls are applied to these individuals.
Security Concerns of Cloud Computing

3. What are your regulatory requirements?
Organizations operating in the US, Canada, or
the European Union have many regulatory
requirements that they must abide by (e.g., ISO
27002, Safe Harbor, ITIL, and COBIT). You must
ensure that your cloud provider is able to meet
these requirements and is willing to undergo
certification, accreditation, and review.
       Security Concerns of Cloud
4. Do you have the right to audit?
This particular item is no small matter; the cloud
provider should agree in writing to the terms of
       Security Concerns of Cloud
5. What type of training does the provider offer
their employees?
This is actually a rather important item, because
people will always be the weakest link in
security. Knowing how your provider trains their
employees is an important item to review.
       Security Concerns of Cloud
6. What type of data classification system does the
provider use?
Questions you should be concerned with here
include: Is the data classified? How is your data
separated from other users? Encryption should also
be discussed. Is it being used while the data is at
rest and in transit? You will also want to know what
type of encryption is being used. As an example,
there is a big difference between WEP and WPA2.
       Security Concerns of Cloud
7. What are the service level agreement (SLA)
The SLA serves as a contracted level of
guaranteed ervice between the cloud provider
and the customer that specifies what level of
services will be provided.
       Security Concerns of Cloud
8. What is the long-term viability of the provider?
How long has the cloud provider been in business
and what is their track record. If they go out of
business, what happens to your data? Will your
data be returned, and if so, in what format? As an
example, in 2007, online storage service MediaMax
went out of business following a system
administration error that deleted active customer
data. The failed company left behind unhappy users
and focused concerns on the reliability of cloud
       Security Concerns of Cloud
9. What happens if there is a security breach?
If a security incident occurs, what support will
you receive from the cloud provider? While
many providers promote their services as being
unhackable, cloudbased services are an
attractive target to hackers.
        Security Concerns of Cloud
10. What is the disaster recovery/business continuity
plan (DR/BCP)?
While you may not know the physical location of your
services, it is physically located somewhere. All physical
locations face threats such as fire, storms, natural
disasters, and loss of power. In case of any of these
events, how will the cloud provider respond, and what
guarantee of continued services are they promising? As
an example, in February 2009, Nokia’s Contacts On Ovi
servers crashed. The last reliable backup that Nokia could
recover was dated January 23rd, meaning anything
synced and stored by users between January 23rd and
February 9th was lost completely.
      Cloud Computing Attacks
• Denial of Service (DoS) attacks - Some
  security professionals have argued that the
  cloud is more vulnerable to DoS attacks,
  because it is shared by many users, which
  makes DoS attacks much more damaging.
  Twitter suffered a devastating DoS attack
  during 2009.
      Cloud Computing Attacks
• Side Channel attacks – An attacker could
  attempt to compromise the cloud by placing a
  malicious virtual machine in close proximity to
  a target cloud server and then launching a
  side channel attack.
      Cloud Computing Attacks
• Authentication attacks – Authentication is a
  weak point in hosted and virtual services and
  is frequently targeted. There are many
  different ways to authenticate users; for
  example, based on what a person knows, has,
  or is. The mechanisms used to secure the
  authentication process and the methods used
  are a frequent target of attackers.
      Cloud Computing Attacks
• Man-in-the-middle cryptographic attacks –
  This attack is carried out when an attacker
  places himself between two users. Anytime
  attackers can place themselves in the
  communication’s path, there is the possibility
  that they can intercept and modify
Streamlined Security Analysis Process
• Identify Assets
  • Which assets are we trying to protect?
  • What properties of these assets must be maintained?
• Identify Threats
  • What attacks can be mounted?
  • What other threats are there (natural disasters, etc.)?
• Identify Countermeasures
  • How can we counter those attacks?
• Appropriate for Organization-Independent Analysis
  • We have no organizational context or policies
             Identify Assets
• Customer Data
• Customer Applications
• Client Computing Devices
Information Security Principles (Triad)

 • Confidentiality
      • Prevent unauthorized disclosure
 • Integrity
      • Preserve information integrity
 • Availability
      • Ensure information is available when needed
    Identify Assets & Principles
• Customer Data
    • Confidentiality, integrity, and availability
• Customer Applications
    • Confidentiality, integrity, and availability
• Client Computing Devices
    • Confidentiality, integrity, and availability
Cloud Computing Model
              Identify Threats
•   Failures in Provider Security
•   Attacks by Other Customers
•   Availability and Reliability Issues
•   Legal and Regulatory Issues
•   Perimeter Security Model Broken
•   Integrating Provider and Customer Security
    Failures in Provider Security
• Explanation
    • Provider controls servers, network, etc.
    • Customer must trust provider’s security
    • Failures may violate CIA principles
• Countermeasures
    • Verify and monitor provider’s security
• Notes
    • Outside verification may suffice
    • For SMB, provider
    Attacks by Other Customers
• Threats
    • Provider resources shared with untrusted parties
    • CPU, storage, network
    • Customer data and applications must be separated
    • Failures will violate CIA principles
• Countermeasures
    • Hypervisors for compute separation
    • MPLS, VPNs, VLANs, firewalls for network separation
    • Cryptography (strong)
    • Application-layer separation (less strong)
 Availability and Reliability Issues
• Threats
    • Clouds may be less available than in-house IT
    • Complexity increases chance of failure
    • Clouds are prominent attack targets
    • Internet reliability is spotty
    • Shared resources may provide attack vectors
    • BUT cloud providers focus on availability
• Countermeasures
    • Evaluate provider measures to ensure availability
    • Monitor availability carefully
    • Plan for downtime
    • Use public clouds for less essential applications
    Legal and Regulatory Issues
• Threats
    • Laws and regulations may prevent cloud computing
    • Requirements to retain control
    • Certification requirements not met by provider
    • Geographical limitations – EU Data Privacy
    • New locations may trigger new laws and regulations
• Countermeasures
    • Evaluate legal issues
    • Require provider compliance with laws and regulations
    • Restrict geography as needed
Perimeter Security with Cloud
Perimeter Security Model Broken
• Threats
    • Including the cloud in your perimeter
    • Lets attackers inside the perimeter
    • Prevents mobile users from accessing the cloud directly
    • Not including the cloud in your perimeter
    • Essential services aren’t trusted
    • No access controls on cloud
• Countermeasures
    • Drop the perimeter model!
 Integrating Provider and Customer
• Threat
    • Disconnected provider and customer security systems
    • Fired employee retains access to cloud
    • Misbehavior in cloud not reported to customer
• Countermeasures
    • At least, integrate identity management
    • Consistent access controls
    • Better, integrate monitoring and notifications
     Bottom Line on Cloud Computing
• Engage in full risk management process for each case
• For small and medium organizations
     • Cloud security may be a big improvement!
     • Cost savings may be large (economies of scale)
• For large organizations
     • Already have large, secure data centers
     • Main sweet spots:
     • Elastic services
     • Internet-facing services
• Employ countermeasures listed above
     Security Analysis Skills Reviewed
•    Information Security Risk Management Process
    • Variations used throughout IT industry
       • ISO 27005, NIST SP 800-30, etc.
    • Requires thorough knowledge of threats and controls
    • Bread and butter of InfoSec – Learn it!
    • Time-consuming but not difficult
• Streamlined Security Analysis Process
    • Many variations
       • RFC 3552, etc.
    • Requires thorough knowledge of threats and controls
    • Useful for organization-independent analysis
    • Practice this on any RFC or other standard
    • Become able to do it in 10 minutes

To top