Global Challenges in Cloud Security
Sadie Creese, joint work with Paul Hopkins, International Digital Laboratory

Overview
• Why
• What
• Drivers and Barriers
• Sources of Future Risk
• Maturity and Vulnerability
• Future Threats
• Global Security Challenges
• Questions for debate
Why
• How do we protect our digital assets, both data and function, when using the clouds?
• How might malicious entities use the cloud?
• How might current security practice not scale up?
• What will require a collaborative response?
Market estimates:
• Services market currently at $56b, $150b in 2013 (Gartner, March 09)
• Services market to be worth $160b in 2011 (Merrill Lynch, May 08)
• Services market currently worth $16.2b, $42b in 2012 (IDC, Dec 08)
• Hosted apps market currently at $6.4b, $14.8b in 2012 (Gartner, Dec 08)
What – the technology model
• Utility / Pay-Per-Use, on-demand access, shared resources, rapid provisioning, agile, responsive
• Examples: Gmail, Google Docs; Google App Engine; Amazon S3/SimpleDB; VMWare/XEN; Amazon EC2

What – system
(diagram: User, Broker, and a pool of VMs)
What – applications
• Repackaging of products for deployment in clouds
• Existing data centres expanding market offerings to include utility services
• MS, Google, salesforce.com offering rich application frameworks but with little portability
• Market analysts predict enterprise apps for niche/common.
• Archiving & eDiscovery, Collaboration (Secure), ERP, Online backup, Supply chain mgt, Web content mgt & conferencing…
• Lock-in and lack of interoperability key issue
• Web mash-ups composing 3rd party apps

What – application ecosystem
(figure) Extract from slides: “Prophet a Path out of the cloud”, Best Practical, presented at O’Reilly Open Source Conf, 2008
Cloud Drivers
• Enterprise drivers
  • Compression of deployment cycles
  • Instant upgrade and try-it-out
  • Elasticity
  • Cost alignment
  • Reduction of IT team costs
  • Accessibility and sharing
  • Dependability
  • Waste reduction and carbon footprint
• Consumer drivers
  • Up to speed with latest apps
  • Pay-as-you-use
  • Accessibility and sharing
  • Dependability

Cloud Barriers
• Data security concerns
• Privacy compromise / practice
• Service dependability and QoS
• Loss of control over IT and data
• Management difficulties around performance, support and maintenance
• Service integration
• Lock-in
• Usability
• Lack of market maturity
Future Risk – maturity and vulnerability
• Initially, aligning enterprise processes with cloud-focused processes will be beyond current best practice
• Dynamic SLAs could become a focus for automated DoS
• Vulnerable external-facing applications could cause cascade failures across integrated processes
• Meta-data offers potential for aggregation and enhanced intelligence gathering

Future Risk – Scenarios
• High cost / high payback for an attacker: the most successful threat agent is likely to be an insider managing resource distribution, or a malicious service provider.
• High cost / low payback for an attacker: the most successful threat agents are likely to be insiders within the silo.
• Low cost / low payback for an attacker: threat agents will include external attackers using a mixture of technology and social engineering.
• Low cost / high payback for an attacker: external attackers using the distributed scale to attack multiple systems and users simultaneously, e.g. bot- and application-framework-based attacks.
Future Risk – think like an attacker?
• Denial of service
  • Resource consumption, traffic redirection, inter-cloud and user-to-cloud communications vulnerabilities
• Trojan clouds
  • Imitate providers, infiltrate supply chains, sympathetic cloud
• Inference attacks due to privileged access
• Application framework attacks
  • Repeatable, pervasive
• Sticky clouds
  • Lack of responsiveness, complex portability
• Onion storage
  • Moving global location, fragmenting, encrypting
• Covert channels within the cloud network across services
  • Can’t be monitored externally
Global Security Challenges
• Risk management practice
  • Interoperable tools, controls, language; dependence on service providers; standardisation for mobility in the market; temporal relationships
• Attack surface reduction
  • Dynamic service composition could propagate vulnerabilities; systemic application-based failures
• Attack detection
  • Distributed, collaborative for large-scale events, inter- and intra-cloud; dynamism resulting in fluctuating traffic
• Response and recovery
• Legal, regulatory, compliance and audit
• Portable identity – federated / user-centric / interoperability
• Privacy controls

Global Security Challenges – 2
• Pace, agile response, interoperability across clouds, mobility, secure portability, cross-jurisdiction collaboration

Questions for debate
• Should we be taking an intrusion tolerance approach?
• Should we be considering self-healing, bio-inspired cloud ecosystems?
• How could we construct collaborative defence mechanisms which integrate at a technology and process level, and which span multiple organisations and jurisdictions?
• What would happen if we did not construct a global response to cloud security challenges?
• Can it all be done by industry alone? What role should government and regulation have?
• Cloud is global, so standards must be global; should / can regulation be global? If not, can it work?