Hot Topics: Mobility in the Cloud
Adam Goldstein, IT Security Engineer, Dartmouth College
EduCause Security Professionals Conference, April 13, 2010
Data on the Move…
• Institutional data is increasingly leaving the institution
• Mobile devices mean mobile data
• Drivers:
  • Productivity
  • Telecommuting
  • Users like them!

Services in the Cloud
• Drivers:
  • Cost
  • Ease of use
  • Allows institutions to focus on their core business
  • Users like them!
Data Protection
• Protecting data is as important as ever. Why?
  • Cybercrime and fraud are a growing trend and a significant problem
  • Data protection laws
  • Compliance trends
  • Significant cost of breaches
The dilemma…
• How do we protect data when the data is on the move?
Cloud Computing: Definitions
• Software as a Service (SaaS): Google Apps, Salesforce.com, MS BPOS
• Platform as a Service (PaaS): Google App Engine, MS Azure, Force.com
• Infrastructure as a Service (IaaS): Amazon EC2, Rackspace Cloud, GoGrid
The Appeal of the Cloud
• Low cost
• Ease of use
• Scalability
• Minimizes infrastructure requirements
• Allows schools to focus on being a school
Concerns with the Cloud
• Some of the commonly cited concerns include:
  • Bandwidth limitations
  • Service availability
  • Security!!!
  • Legal issues!!!
Cloud Security Concerns
• Technical concern examples:
  • Authentication issues (both users and admins)
  • Consolidating targets for the bad guys
• Procedural concern examples:
  • Auditing?
  • Are vendors implementing appropriate controls?
Cloud Security Concerns: Authentication Example
• Most vendors use a web-based admin console to control server instances
• Console accounts use username/password
• It doesn't matter how secure the service is if an attacker can get console credentials:
  • Phishing/spear phishing
  • Sharing credentials
  • Guessing
  • Sniffing
Cloud Security Concerns: Target Example
• As more institutions move to popular Cloud services, will attacks change?
• CSRF (cross-site request forgery) example
• Can bad guys exploit the fact that many users will be logged in to the same application?
  • Facebook CSRF
  • Or more relevant: Banner CSRF (http://www.browndailyherald.com/campus-news/hickey-08-squashes-banner-bug-1.1673319)
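The CSRF point above is that a shared application authorizes state changes on the strength of a session cookie the browser attaches automatically, so a page on another site can submit a request that rides on the victim's login. The following is an added example, not code from the talk or from any of the products it names: a framework-agnostic sketch of the vulnerable handler beside a hardened one that requires a session-bound anti-CSRF token (an HMAC over the session id under a server secret, compared in constant time) and rejects a browser-supplied Origin header that does not name the site. The request objects, the `SERVER_SECRET`, the origin `https://app.example.edu` and the profile store are all constructed for the demo.

```python
"""CSRF: cookie-only authorization (vulnerable) versus a session-bound
anti-CSRF token plus Origin check (hardened). Added example; the request
is a plain dict standing in for an HTTP request so it runs offline."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for the demo; in production load it from a secret store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
SITE_ORIGIN = "https://app.example.edu"  # assumed origin of our own application


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in the forms it renders for this session.
    HMAC over the session id: valid only for that session, and not
    computable by a page on another site that never sees the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so a forged token cannot be matched byte by byte."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_change_email_unprotected(request: dict, profiles: dict):
    """Vulnerable pattern: the cookie alone authorizes the change. A form
    auto-submitted from a third-party page succeeds because the browser
    sends the victim's session cookie with the cross-site POST."""
    session_id = request["cookies"].get("session")
    if session_id not in profiles:
        return 401, "not logged in"
    profiles[session_id]["email"] = request["form"]["email"]
    return 200, "email updated"


def handle_change_email_protected(request: dict, profiles: dict):
    """Hardened pattern: same authentication, plus two CSRF defences."""
    session_id = request["cookies"].get("session")
    if session_id not in profiles:
        return 401, "not logged in"
    # Defence 1: the request must carry the token issued to this session.
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # Defence 2: when the browser supplies Origin, it must be our own site.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    profiles[session_id]["email"] = request["form"]["email"]
    return 200, "email updated"


def demo() -> dict:
    """Run a legitimate and a forged request through both handlers."""
    sid = secrets.token_hex(16)
    original = "student@example.edu"

    # Legitimate: our own form, so it carries the token and our Origin.
    legit = {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "new@example.edu", "csrf_token": issue_csrf_token(sid)},
    }
    # Forged: submitted from another site; the browser still adds the cookie,
    # but the page cannot supply the token and Origin names the other site.
    forged = {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://third-party.example"},
        "form": {"email": "changed@third-party.example"},
    }

    results = {}
    store = {sid: {"email": original}}
    results["unprotected_forged_status"] = handle_change_email_unprotected(forged, store)[0]
    results["unprotected_forged_email"] = store[sid]["email"]

    store = {sid: {"email": original}}
    results["protected_forged_status"] = handle_change_email_protected(forged, store)[0]
    results["protected_forged_email"] = store[sid]["email"]
    results["protected_legit_status"] = handle_change_email_protected(legit, store)[0]
    results["protected_legit_email"] = store[sid]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding the token to the session is what makes a single token per shared application useless to a forger; the Origin check is a second, independent control, so a defect in one does not expose the other. Real frameworks ship this machinery built in, and the right fix for a deployed application is to turn that on rather than hand-roll it.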
Cloud Security Concerns: Vendor processes
• Limited auditing: many vendor AUPs prohibit performing security tests against cloud services
• Minimal understanding of back-end security
  • What can cloud companies access?
  • What controls do they have in place? (HR, assessments, physical)
Risks to customers: Data retention/e-discovery
• Few published policies on how Cloud providers handle e-discovery requests
• What about internal investigations?
• What remains when data is deleted?
• Do Cloud providers perform their own backups? What is their retention policy?
• Do providers collect and retain access logs?
Cloud Legal concerns: Privacy
• Hosted e-mail…
• “We will not monitor your use of the online service, …track, view, … your subscriber data that are processed … by the online service except to…improve xxx products or online services” – not from who you think!
Cloud Legal concerns: Compliance and regulation trends
• All trends indicate that institutions will be increasingly responsible for protecting data
• Who will be responsible for protection?
• Breach? Even if it is not the institution's fault, whose name is in the paper?
Cloud Legal concerns: Contracted services
• What happens to your data when contracts end?
• What happens if a vendor goes under?
• Putting data in the cloud is easy; how about getting it back?
Cloud Legal concerns: Contracted services
• We may suspend the online service:
  • if we believe that your use of the online service represents a threat…
• We may cancel the online service:
  • if we believe that your use of the online service violates the scope of use terms;
• “After we suspend or cancel the online service, you may not be able to access your data through the online service.”
Securing data on the move? Addressing the dilemma
• Institutional data security policies
• Required controls for vendors
• Technical solutions
• Understanding the true “cost” of cloud services
• And perhaps most important:
  • What is your institutional stance on balancing security and mobility?
Additional Info: Contract Addendum for Vendors
• Data Protection
• Encryption (in transit and at rest)
• Network Security
• Secure Disposal
• Software Development
• Access Control
• Vulnerability Management
• Incident Response
Thanks!
Adam Goldstein
IT Security Engineer, Peter Kiewit Computing Services
Adam.goldstein@dartmouth.edu