
Global Challenges in Cloud Security Sadie Creese Joint work with Paul Hopkins



Presentation Transcript


  1. Global Challenges in Cloud Security Sadie Creese Joint work with Paul Hopkins International Digital Laboratory

  2. Overview • Why • What • Drivers and Barriers • Sources of Future Risk • Maturity and Vulnerability • Future Threats • Global Security Challenges • Questions for debate

  3. Why
  • How do we protect our digital assets, both data and function, when using the clouds?
  • How might malicious entities use the cloud?
  • How might current security practice not scale up?
  • What will require a collaborative response?
  Market estimates cited on the slide:
  • Services market currently at $56b, $150b in 2013 (Gartner, March 2009)
  • Services market to be worth $160b in 2011 (Merrill Lynch, May 2008)
  • Services market currently worth $16.2b, $42b in 2012 (IDC, December 2008)
  • Hosted apps market currently at $6.4b, $14.8b in 2012 (Gartner, December 2008)

  4. What – the technology model
  • Utility / pay-per-use, on-demand access, shared resources, rapid provisioning, agile, responsive
  Examples shown on the slide: Gmail, Google Docs; Google App Engine; Amazon S3/SimpleDB; VMware/Xen; Amazon EC2

  5. What – system (diagram: User → Broker → pool of VMs)

  6. What – applications
  • Repackaging of products for deployment in clouds
  • Existing data centres expanding market offerings to include utility services
  • MS, Google, salesforce.com offering rich application frameworks, but with little portability
  • Market analysts predict enterprise apps for niche/common use
  • Archiving & eDiscovery, collaboration (secure), ERP, online backup, supply chain management, web content management & conferencing…
  • Lock-in and lack of interoperability are key issues
  • Web mash-ups composing 3rd-party apps

  7. What – application ecosystem (diagram). Extract from slides: “Prophet: a Path out of the Cloud”, Best Practical, presented at O’Reilly Open Source Conference, 2008

  8. Cloud Drivers
  • Enterprise drivers
    • Compression of deployment cycles
    • Instant upgrade and try-it-out
    • Elasticity
    • Cost alignment
    • Reduction of IT team costs
    • Accessibility and sharing
    • Dependability
    • Waste reduction and carbon footprint
  • Consumer drivers
    • Up to speed with latest apps
    • Pay-as-you-use
    • Accessibility and sharing
    • Dependability

  9. Enterprise Cloud Drivers Stats

  10. Cloud Barriers
  • Data security concerns
  • Privacy compromise / practice
  • Service dependability and QoS
  • Loss of control over IT and data
  • Management difficulties around performance, support and maintenance
  • Service integration
  • Lock-in
  • Usability
  • Lack of market maturity

  11. Cloud Barriers Stats

  12. Future Risk – maturity and vulnerability
  • Initially, aligning enterprise processes with cloud-focused processes will be beyond current best practice
  • Dynamic SLAs could become a focus for automated DoS: an attacker who can drive demand also drives the provisioning (and the bill) that the SLA triggers
  • Vulnerable external-facing applications could cause cascade failures across integrated processes
  • Meta-data offers potential for aggregation and enhanced intelligence gathering

  13. Future Risk – scenarios (cost to the attacker vs. payback)
  • High cost / high payback for an attacker: the most successful threat agent is likely to be an insider managing resource distribution, or a malicious service provider.
  • High cost / low payback for an attacker: the most successful threat agents are likely to be insiders within the silo.
  • Low cost / low payback for an attacker: threat agents will include external attackers using a mixture of technology and social engineering.
  • Low cost / high payback for an attacker: external attackers using the distributed scale to attack multiple systems and users simultaneously, e.g. bot- and application-framework-based attacks.

  14. Future Risk – think like an attacker?
  • Denial of service
    • Resource consumption, traffic redirection, inter-cloud and user-to-cloud communications vulnerabilities
  • Trojan clouds
    • Imitate providers, infiltrate supply chains, sympathetic cloud
  • Inference attacks due to privileged access
  • Application framework attacks
    • Repeatable, pervasive
  • Sticky clouds
    • Lack of responsiveness, complex portability
  • Onion storage
    • Moving global location, fragmenting, encrypting
  • Covert channels within the cloud network across services
    • Can’t be monitored externally
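The “automated DoS against dynamic SLAs” risk on slide 12 and the resource-consumption denial of service on slide 14 are the same economic problem: pay-per-use elasticity lets an attacker turn a request flood into the victim’s bill. The simulation below is an added example and is not part of the original slides; it models a simple autoscaler on constructed load figures (the per-instance capacity, prices, scaling rule and attack profile are all made-up assumptions) and compares a policy with no instance ceiling against one that enforces a cap, reporting spend, dropped requests and the tick at which the scaler’s own decision would have flagged a burst.

```python
"""Toy model of an elastic service under attacker-driven load.

Added example, not from the slides. Every number here is a constructed
assumption chosen to make the cost/availability trade-off visible.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ScalingPolicy:
    capacity_per_instance: int = 1000      # requests one instance serves per tick (assumed)
    target_utilisation: float = 0.8        # scale so demand/capacity stays under this (assumed)
    min_instances: int = 2
    max_instances: Optional[int] = None    # None = no ceiling: the dangerous default
    cost_cents_per_instance_tick: int = 10 # assumed price; integer cents avoid float drift
    burst_factor: float = 3.0              # desired/current above this is flagged as suspicious


@dataclass
class Outcome:
    cost_cents: int = 0
    peak_instances: int = 0
    served: int = 0
    dropped: int = 0
    first_burst_tick: Optional[int] = None  # tick index where the scaler first saw a burst
    instance_trace: List[int] = field(default_factory=list)


def simulate(load: List[int], policy: ScalingPolicy) -> Outcome:
    """Serve each tick with the current fleet, bill for it, then rescale.

    Requests beyond capacity in a tick are dropped (availability loss);
    every running instance is billed every tick (spend). The scaler reacts
    one tick late, as real autoscalers do.
    """
    out = Outcome()
    instances = policy.min_instances
    for tick, demand in enumerate(load):
        capacity = instances * policy.capacity_per_instance
        served = min(demand, capacity)
        out.served += served
        out.dropped += demand - served
        out.cost_cents += instances * policy.cost_cents_per_instance_tick
        out.peak_instances = max(out.peak_instances, instances)
        out.instance_trace.append(instances)

        # Fleet size that would hold utilisation at target for this demand.
        desired = math.ceil(demand / (policy.capacity_per_instance * policy.target_utilisation))
        # The scaling decision itself is a cheap detection signal: a sudden
        # multi-x jump in desired capacity is rarely organic growth.
        if out.first_burst_tick is None and desired > policy.burst_factor * instances:
            out.first_burst_tick = tick
        desired = max(policy.min_instances, desired)
        if policy.max_instances is not None:
            desired = min(policy.max_instances, desired)
        instances = desired
    return out


# Constructed load profile: five ticks of baseline traffic, a five-tick
# ramp-and-hold flood from the attacker, then five ticks of baseline again.
ATTACK_LOAD = [1500] * 5 + [10_000, 50_000, 200_000, 200_000, 200_000] + [1500] * 5


def compare(load: List[int], cap: int) -> dict:
    """Run the same load through an uncapped and a capped policy."""
    return {
        "uncapped": simulate(load, ScalingPolicy()),
        "capped": simulate(load, ScalingPolicy(max_instances=cap)),
    }


if __name__ == "__main__":
    for name, result in compare(ATTACK_LOAD, cap=20).items():
        print(f"{name:9s} spend=${result.cost_cents / 100:.2f} "
              f"peak={result.peak_instances} dropped={result.dropped} "
              f"burst_flagged_at_tick={result.first_burst_tick}")
```

With these assumed figures the uncapped fleet climbs to 250 instances and the bill is roughly seven times that of the capped run, while the cap drops about three times as many requests for the duration of the flood: the ceiling converts an economic DoS back into a classic availability DoS rather than eliminating it. Both runs flag the burst on the same tick, so the scaler’s decision log is a usable early-warning feed regardless of which policy is chosen; in practice a spend ceiling is paired with billing alerts and upstream request filtering rather than used alone.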

  15. Global Security Challenges
  • Risk management practice
    • Interoperable tools, controls and language; dependence on service providers; standardisation for mobility in the market; temporal relationships
  • Attack surface reduction
    • Dynamic service composition could propagate vulnerabilities; systemic application-based failures
  • Attack detection
    • Distributed and collaborative for large-scale events, inter- and intra-cloud; dynamism resulting in fluctuating traffic
  • Response and recovery
  • Legal, regulatory, compliance and audit
  • Portable identity – federated / user-centric / interoperability
  • Privacy controls

  16. Global Security Challenges - 2 • Pace, agile response, interoperability across clouds, mobility, secure portability, cross jurisdiction collaboration

  17. Questions for debate
  • Should we be taking an intrusion-tolerance approach?
  • Should we be considering self-healing, bio-inspired cloud ecosystems?
  • How could we construct collaborative defence mechanisms that integrate at both the technology and the process level, and that span multiple organisations and jurisdictions?
  • What would happen if we did not construct a global response to cloud security challenges?
  • Can it all be done by industry alone? What role should government and regulation have?
  • Cloud is global, so standards must be global: should / can regulation be global? If not, can it work?
