
Cyber Security and Cloud Computing

Cyber Security and Cloud Computing. Dr Daniel Prince Course Director MSc in Cyber Security d.prince@lancaster.ac.uk. Scope of Today. SME Attractors for Cloud Switching to the Cloud Public Private Hybrid Big issues to consider Summary. SME Space.


Presentation Transcript


  1. Cyber Security and Cloud Computing Dr Daniel Prince Course Director MSc in Cyber Security d.prince@lancaster.ac.uk

  2. Scope of Today • SME Attractors for Cloud • Switching to the Cloud • Public • Private • Hybrid • Big issues to consider • Summary

  3. SME Space • 2.1m companies registered for VAT and/or PAYE in March 2010 • 98% of these businesses have fewer than 50 employees • Only 0.4% have more than 250 employees • (Source: Office for National Statistics) • Drivers • Reduce expenditure on IT systems • Maintain capabilities • Flexibility to expand or reduce requirements • Data sharing

  4. SME Security View • Lack in-house IT and infosec expertise • Already used to outsourced IT service model • Traditionally neglected by security vendors • Few SMEs have any formal security policy • Fewer have implemented ISMS or certification • Mostly dependent on IT contractor advice • 66% of all security breaches occur within organisations with fewer than 100 employees

  5. Switch to Cloud Computing • Considerations • Security and Privacy Issues • Public data • Personal data (citizens sensitivities) • Compliance • Government security policies • Legal requirements • Need to protect assets to succeed • Confidentiality, Integrity, Availability, Reputation • Financial loss, loss of output, damage to reputation

  6. Switch to Cloud Computing… • Compromise of personal data • Damage to customers • Damage to organisational reputation • Information Security Management System (ISMS) • ISO/IEC 27001:2005 • ITIL • Policies and procedures • Legal and regulatory systems

  7. Legislation affecting the Cloud Letting Data Out Keeping Data In Freedom of Information Act 2000 Official Secrets Act 1989 Data Protection Act 1998 Data Protection Act 1998 European Directive 95/46/EC European Convention on Human Rights Human Rights Act 1998 (www.arborcentre.co.uk)

  8. Legislation affecting the Cloud • Conflicting demands of privacy and freedom • Use of meta data – what to keep? • Requires comprehensive procedures • Storage • Cataloguing • Auditing • Retrieval (www.staynalive.com)

  9. Public Cloud Challenges • Maintaining security and sovereignty • Where are servers located? • Data sovereignty – which country is data in • What security is in place? • Data segregation in virtual environment • Compliance with legal and government policies • Audit and compliance • Visibility of audit results and security logs • Disaster recovery plans • What business continuity is in place

  10. Public Cloud Challenges… • Deletion of data • Can all copies be removed? • Standards for purging data/memory • Risks from other customers business • Attack against another customer could impact • Highest customer security controls for all • Maintaining compliance • Span several jurisdictions • Different legal requirements

  11. Private Cloud Challenges • Does not have security by default • Policies and standards have to be applied • Off Premise (3rd Party provider) • Service Level Agreements (SLAs) required • Vetting of staff • Bearer bandwidth and availability • On Premise • Control of security management • Maintaining compliance simpler

  12. Hybrid Cloud Challenges • All advantages/disadvantages of Public/Private Clouds • Separate public/personal data • Public non-sensitive data in Public Cloud • Personal and sensitive data in Private Cloud • Help to gain trust of citizens • Maintaining compliance • Need to maintain compliance of both • Extra workload

  13. Loss of Physical Control • ENISA (2009) - non-cloud attack vectors translate with the same or a lower probability of occurrence in their cloud counterparts. • HOWEVER, malicious insiders... • Counter arguments cite information security standards (e.g., ISO27001); however, there remains a lack of clarity as to who will be managing data.

  14. Exposing Sensitive Data • First, legal liability under current Data Protection Laws within the European Union? • ENISA has advised public bodies in member states against using the cloud for anything other than non-sensitive and non-mission critical data. • Second, what types of data can legally be stored in the cloud? • Compliance requires proof of certain activities. • PCI DSS requirement 10.2 for "tracking and monitoring all access to network resources"

  15. Exposing Sensitive Data • Third, the transfer and storage of data in non-domestic and potentially unknown jurisdictions. • EU Data Protection Directive - Data must be stored within the 27 member states or 3 of the EEA member countries, unless "sufficient" levels of protection can be proved. • Review of 31 T&Cs found 15 to make no mention of data location or transit protection. • Data Protection Laws between member states - the Directive may sometimes provide inadequate protection (e.g., Germany)!

  16. Exposing Sensitive Data • Cross-border movement of data and the impact of changing jurisdictions, associated legal obligations, and law enforcement practices (e.g., the USA's PATRIOT Act). • Some T&Cs state the willingness to disclose data without court orders upon request from law-enforcement agencies, or if it's in the immediate "public interest".

  17. Other Implications • What are the implications of CSP acquisition or failure? • Acquisition and the possibility of sudden changes in CSP policies and non-binding agreements? • Review of 27 T&Cs found: • 8 to mention no process for varying terms. • 13 to state amendments could be posted on their website, and continued use is acceptance. • Only 3 to state changes must be in writing with the agreement of both parties. • Cloud-based IAM solutions are inadequate compared with their non-cloud alternatives. • Lack of widespread CSP support for open APIs and federation standards, e.g., SAML, XACML, and SPML.

  18. Multi-tenancy • First, negative consequences from co-tenant activities. • Second, isolation failure through compromising the underlying privileged architecture. • Third, there's a correlation between the increasing complexity of cloud offerings (especially inter-cloud), and the ambiguity over the division of security responsibilities between CSPs and their customers.

  19. Take Away • Start by thinking about your information • What legal requirements cover you? • Think about Threat and Risk • Think about how you can get out of the Cloud cleanly • Scour the Terms and Conditions

  20. Summary • It's not just a new technology, but a new business model. • Does the cloud provide a false sense of security? • Why holding back: • Risks not fully understood • Lack of trust in security • Lack of confidence in technology • Risks to data security and privacy need to mature

  21. CSC 2011
