1 / 36

Cloud Computing Issues

Cloud Computing Issues. Why Is "Security" Everywhere on That Slide?. Security is generally perceived as a huge issue for the cloud:.

lunea-mayo
Download Presentation

Cloud Computing Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cloud Computing Issues

  2. Why Is "Security" Everywhere on That Slide? • Security is generally perceived as a huge issue for the cloud: During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population. The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security, access and privacy of their own data in the cloud. http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx

  3. Security Concerns of Cloud Computing • Where’s the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.

  4. Security Concerns of Cloud Computing 2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential hacker is someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fanny Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.

  5. Security Concerns of Cloud Computing 3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.

  6. Security Concerns of Cloud Computing 4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.

  7. Security Concerns of Cloud Computing 5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.

  8. Security Concerns of Cloud Computing 6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.

  9. Security Concerns of Cloud Computing 7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed ervice between the cloud provider and the customer that specifies what level of services will be provided.

  10. Security Concerns of Cloud Computing 8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record. If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.

  11. Security Concerns of Cloud Computing 9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloudbased services are an attractive target to hackers.

  12. Security Concerns of Cloud Computing 10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, it is physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia’s Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely.

  13. Cloud Computing Attacks • Denial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.

  14. Cloud Computing Attacks • Side Channel attacks – An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.

  15. Cloud Computing Attacks • Authentication attacks – Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.

  16. Cloud Computing Attacks • Man-in-the-middle cryptographic attacks – This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.

  17. Streamlined Security Analysis Process • Identify Assets • Which assets are we trying to protect? • What properties of these assets must be maintained? • Identify Threats • What attacks can be mounted? • What other threats are there (natural disasters, etc.)? • Identify Countermeasures • How can we counter those attacks? • Appropriate for Organization-Independent Analysis • We have no organizational context or policies

  18. Identify Assets • Customer Data • Customer Applications • Client Computing Devices

  19. Information Security Principles (Triad) C I A • Confidentiality • Prevent unauthorized disclosure • Integrity • Preserve information integrity • Availability • Ensure information is available when needed

  20. Identify Assets & Principles • Customer Data • Confidentiality, integrity, and availability • Customer Applications • Confidentiality, integrity, and availability • Client Computing Devices • Confidentiality, integrity, and availability

  21. Cloud Computing Model

  22. Identify Threats • Failures in Provider Security • Attacks by Other Customers • Availability and Reliability Issues • Legal and Regulatory Issues • Perimeter Security Model Broken • Integrating Provider and Customer Security Systems

  23. Failures in Provider Security • Explanation • Provider controls servers, network, etc. • Customer must trust provider’s security • Failures may violate CIA principles • Countermeasures • Verify and monitor provider’s security • Notes • Outside verification may suffice • For SMB, provider

  24. Attacks by Other Customers • Threats • Provider resources shared with untrusted parties • CPU, storage, network • Customer data and applications must be separated • Failures will violate CIA principles • Countermeasures • Hypervisors for compute separation • MPLS, VPNs, VLANs, firewalls for network separation • Cryptography (strong) • Application-layer separation (less strong)

  25. Availability and Reliability Issues • Threats • Clouds may be less available than in-house IT • Complexity increases chance of failure • Clouds are prominent attack targets • Internet reliability is spotty • Shared resources may provide attack vectors • BUT cloud providers focus on availability • Countermeasures • Evaluate provider measures to ensure availability • Monitor availability carefully • Plan for downtime • Use public clouds for less essential applications

  26. Legal and Regulatory Issues • Threats • Laws and regulations may prevent cloud computing • Requirements to retain control • Certification requirements not met by provider • Geographical limitations – EU Data Privacy • New locations may trigger new laws and regulations • Countermeasures • Evaluate legal issues • Require provider compliance with laws and regulations • Restrict geography as needed

  27. Perimeter Security with Cloud Computing?

  28. Perimeter Security Model Broken • Threats • Including the cloud in your perimeter • Lets attackers inside the perimeter • Prevents mobile users from accessing the cloud directly • Not including the cloud in your perimeter • Essential services aren’t trusted • No access controls on cloud • Countermeasures • Drop the perimeter model!

  29. Integrating Provider and Customer Security • Threat • Disconnected provider and customer security systems • Fired employee retains access to cloud • Misbehavior in cloud not reported to customer • Countermeasures • At least, integrate identity management • Consistent access controls • Better, integrate monitoring and notifications

  30. Bottom Line on Cloud Computing Security • Engage in full risk management process for each case • For small and medium organizations • Cloud security may be a big improvement! • Cost savings may be large (economies of scale) • For large organizations • Already have large, secure data centers • Main sweet spots: • Elastic services • Internet-facing services • Employ countermeasures listed above

  31. Security Analysis Skills Reviewed Today •  Information Security Risk Management Process • Variations used throughout IT industry • ISO 27005, NIST SP 800-30, etc. • Requires thorough knowledge of threats and controls • Bread and butter of InfoSec – Learn it! • Time-consuming but not difficult • Streamlined Security Analysis Process • Many variations • RFC 3552, etc. • Requires thorough knowledge of threats and controls • Useful for organization-independent analysis • Practice this on any RFC or other standard • Become able to do it in 10 minutes

  32. Q&A

More Related