CLOUD SECURITY: Concerns, Complications and Considerations Dr. Susan Cole, CISSP, CCSK scole@faculty.ctuonline.edu
Agenda • What is it? • Definition • Deployment Models • Service Models • Benefits • Concerns • Complications • Risks • Improvements • Considerations December 10, 2013
What is it? - Definition Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. What goes “into” the Cloud? • Data/information • Applications/functions/processes (Grance and Mell, 2011)
What is it? - Definition Essential Characteristics: • On-demand self-service. • Broad network access. • Resource pooling. • Rapid elasticity. • Measured Service. (NIST and CSA, 2009)
What is it? – Deployment Models • Private - operated solely for an organization. • Community - shared by several organizations and supports a specific community that has shared concerns. • Public - made available to the general public or a large industry group and is owned by an organization selling cloud services. • Hybrid - a composition of two or more clouds. (NIST and CSA, 2009)
What is it? – Service Models • Software as a Service (SaaS) • Delivers applications hosted on the cloud as internet-based services • Does not require installing apps on customers’ computers • Example: Salesforce • Platform as a Service (PaaS) • Delivers platforms, tools, services • Without installing any of these platforms or support tools on local machines • Example: Google App Engine (Google Apps itself is a SaaS offering) • Infrastructure as a Service (IaaS) • Delivers “computation resources,” network and storage as an internet-based service • Example: Amazon EC2
What is it? – Service Models (figure: service-model stack; CSA, 2009)
Benefits • Availability! • Economic benefits! • Cost Reduction • Scalable • Easier to collaborate (long-distance) • Small and mid-size business access to tech at lower prices • There’s a chance security will be as good or better if cloud provider is a quality service provider.
Benefits Ways to Use the Cloud • Social Media • Business Applications • Productivity Applications • Email as a service • Infrastructure • Website hosting • Storage • Empower Mobile Devices (BYOD)
Benefits http://info.apps.gov/content/state-and-local-cloud-computing-case-studies
Benefits http://cloud.cio.gov/step-step/cloud-computing-success-stories
Concerns • Migration Costs • Additional training for staff • New monitoring systems (Ashford, 2012)
Concerns Security is “arguably the most significant barrier to faster and more widespread adoption of cloud computing.” (Chen, et al, 2010)
Concerns Shared Risks • Outsourcing security to a 3rd party = loss of control • Coexistence of different tenants using same instance of service but unaware of strength of the other’s security controls • Lack of security guarantees in SLAs • Hosting on publicly available infrastructure increases probability of attacks
Concerns Shared Risks • “Cloud providers’ priorities do not always align with the customer’s objectives.” • Self-preservation • Reporting to the customer or externally… • Is your cloud provider using services from yet another cloud provider? • Need to protect not only data… but activity patterns • Possible reverse engineering by others in the cloud to find out customer base, revenue, etc.
Concerns Shared Risks • Auditability in the cloud… • Already required for banking and health sectors • Should be “mutual” for provider and customer • “Sharing of resources violates the confidentiality of tenants’ IT assets which leads to the need for secure multi-tenancy.” (Al Morsey et al., 2010)
Complications BYOD • Can’t avoid! • Saves $ if employees provide devices • Single-device solution • No need to carry multiple devices • Improves morale • Increases productivity • Employees willing to work after-hours; always connected • Federal agencies have pilot BYOD programs • NSA (mobile for classified, but not BYOD yet) • NIST SP 800-124
Complications (figure: Penetration of Mobile Devices by Ownership; Osterman, 2012)
Complications • Beyond the device… • What does access with a device like this mean? • Next generation has to have technology tools! • Recruitment
Risks • Application control • Data loss • Labor laws • Privacy issues • Regulatory requirements • Lost and stolen devices • Data recovery • Expectation that cloud providers will manage security
Risks (figure: CSA, 2009)
Improvements • Cloud is becoming more secure • FedRAMP • Cloud Security Alliance • STAR • Cloud Service Providers • Built in versus added on
Improvements • Standards and Regulations • http://cloud.cio.gov/action/manage-your-cloud • 25 Point Implementation Plan to Reform Information Technology Management • Download: http://cloud.cio.gov/document/25-point-implementaton-plan-reform-information-technology-management • Federal Cloud Computing Strategy • Download: http://cloud.cio.gov/document/federal-cloud-computing-strategy • Federal IT Shared Services Strategy • Download: http://cloud.cio.gov/document/federal-it-shared-services-strategy
Improvements • Federal Data Center Consolidation Initiative (FDCCI) • https://cio.gov/deliver/data-center-consolidation/ • Other developments that could affect cloud security: • Legislation • TPM chips • Self-Encrypting Drives (SEDs)
Considerations • Identity Management • Remote Management • Virtualization • Data-at-Rest • Portability
Considerations How to Apply Security • Determine what needs to go (data and/or functions) • Evaluate importance to organization • Evaluate deployment models • Evaluate service models • Evaluate cloud provider (CSA, 2009)
Considerations Three Options • Accept whatever assurances the service provider offers • Evaluate the service provider yourself • Use a neutral 3rd party to conduct a security assessment The cloud provider should perform regular security assessment and provide reports to their clients.
Considerations Security Assessments • “Traditional service providers submit to external audits and security certifications, providing their customers with information on the specific controls that were evaluated. • A cloud-computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.” (Heiser and Nicolett, 2008)
Considerations How to Take Control • Decide what (data and/or functions) should be migrated to the cloud… • Cost/benefit analysis: not all are good choices • Risk assessment • Investigate physical security of where data will be housed… • Encrypt
Considerations How to take control • Schedule monthly meeting with security personnel of the cloud provider. • Employ legal experts (experienced with “cloud”) early to formulate contract. • Much easier than bringing in lawyers after the fact to fight • Get definitions and procedures outlined in advance… (incidents, disasters, etc)
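The “Encrypt” step above, together with the Data-at-Rest consideration and the earlier “outsourcing security to a 3rd party = loss of control” concern, comes down to one practical rule: encrypt the data yourself before it leaves your boundary and keep the key, so the provider (and its subcontracted providers) only ever holds opaque blobs. The following Go program is an added example written for this page, not code from the presentation or from any cloud provider SDK; the object names, the sample record and the storage-blob layout (nonce || ciphertext || tag) are assumptions chosen for illustration. It uses AES-256-GCM from the Go standard library and binds the object name as associated data, so a blob cannot be silently swapped under a different name by whoever controls the storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewCustomerKey generates a 256-bit data key. In a real deployment this key
// lives in the customer's own key store; it is never uploaded to the provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForCloud seals plaintext with AES-256-GCM. The returned blob is what
// gets stored at the provider: a fresh random nonce followed by ciphertext+tag.
// objectName is authenticated (not encrypted) as associated data, so the blob
// only opens under the name it was written for.
func EncryptForCloud(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromCloud opens a blob fetched from the provider. Any tampering with
// the blob, a different object name, or a different key yields an error rather
// than silently returning garbage.
func DecryptFromCloud(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a valid envelope")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong object name, or tampered blob")
	}
	return pt, nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the object name is an assumed storage path.
	record := []byte(`{"patient":42,"diagnosis":"constructed sample data"}`)
	blob, err := EncryptForCloud(key, "records/42.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes, no plaintext visible\n", len(blob))

	// The same blob under the wrong name is rejected.
	if _, err := DecryptFromCloud(key, "records/43.json", blob); err != nil {
		fmt.Println("wrong object name:", err)
	}
	// Flip one byte of ciphertext: tag check fails.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptFromCloud(key, "records/42.json", tampered); err != nil {
		fmt.Println("tampered blob:", err)
	}
	pt, err := DecryptFromCloud(key, "records/42.json", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

What this does not solve is worth stating alongside the provider-assessment points: the provider still sees object names, sizes and access timing (the “activity patterns” concern), and key management, rotation and backup now become the customer’s problem. Losing the key is the data-loss risk from the Risks slide with no provider to fall back on, so the key store needs the same recovery planning as the data.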
References • Almond, C. (2009). “A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security.” Avanade Inc. • Al Morsey, M., Grundy, J., and I. Muller. (2010). “An Analysis of The Cloud Computing Security Problem.” APSEC 2010 Cloud Workshop, Sydney, Australia. • Ashford, W. (2012). “Cloud Computing: Could it Cost More?” TechTarget. http://www.computerweekly.com/news/2240163197/Cloud-computing-Could-it-cost-more • Ashford, W. (2011). “Self-encrypting drives: SED the best-kept secret in hard drive encryption security.” TechTarget. http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security • Avanade (2012). “Global Survey: Dispelling Six Myths of Consumerization of IT.” http://www.avanade.com/Documents/Resources/consumerization-of-it-executive-summary.pdf • Chen, Y., Paxson, V., and R. Katz. (2010). “What’s New About Cloud Computing Security?” Electrical Engineering and Computer Sciences, University of California at Berkeley. • Cloud Security Alliance (CSA) (2009). “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1.” • Cox, P. (2010). “Remote management threatens Infrastructure as a Service security.” TechTarget. http://searchcloudcomputing.techtarget.com/tip/How-to-use-Infrastructure-as-a-Service-securely-part-2 • Grance, T. and P. Mell (2011). “The NIST Definition of Cloud Computing (Draft).” NIST Special Publication 800-145 (Draft).
References • Heiser, J. and M. Nicolett. (2008). “Assessing the Security Risks of Cloud Computing.” Gartner. • Hess, K. (2012). “BYOD busted? It's OK we know you're doing it.” ZDNet. http://www.zdnet.com/blog/consumerization/byod-busted-its-ok-we-know-youre-doing-it/169 • Holland, K. (2011). “Pros and Cons of Cloud Computing.” Beckon. http://www.thebeckon.com/pros-and-cons-of-cloud-computing/ • Iyengar, G. (2011). “Cloud Computing – Maze in the Haze.” SANS: GIAC (GSEC) Gold Certification Paper. • Jacobs, D. (2013). “The TPM chip: An unexploited resource for network security.” TechTarget. http://searchnetworking.techtarget.com/tip/The-TPM-chip-An-unexploited-resource-for-network-security • Mimoso, M. (2012). “TPM Chip in Windows 8 Lays Foundation for Widespread Enhancements to Hardware-Based Security.” Threatpost. http://threatpost.com/en_us/blogs/tpm-chip-windows-8-lays-foundation-widespread-enhancements-hardware-based-security-102612 • Osterman (2012), sponsored by Accellion. “Putting IT Back in Control of BYOD: An Osterman Research White Paper.”
References • Reed, J. (2010). “Following Incident into the Cloud.” SANS: GIAC (GCIH) Gold Certification Paper. • Rouse, M. (2012). “Identity as a Service.” TechTarget. http://searchconsumerization.techtarget.com/definition/identity-as-a-Service-IDaaS • Sinclair, J. (2010). “Auditing in Cloud Computing.” SAP Research. http://www.slideshare.net/jonathansinclair86/cloud-auditing • Tutti, C. (2011). “NIST Cloud Roadmap: Too much too fast?” Federal Computer Week. • Vizard, M. (2012). “The Keys to the Cloud Security Kingdom.” IT Business Edge. http://www.itbusinessedge.com/cm/blogs/vizard/the-keys-to-the-cloud-security-kingdom/ • Winkler, V. (2011). “Cloud Computing: Virtual Cloud Security Concerns.” TechNet. http://technet.microsoft.com/en-us/magazine/hh641415.aspx