
Cloud Computing Issues


Why Is "Security" Everywhere on That Slide?

• Security is generally perceived as a huge issue for the cloud:

During a keynote speech to the Brookings Institution policy forum, “Cloud Computing for Business and Society,” [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population.

The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security, access and privacy of their own data in the cloud.

http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx

Security Concerns of Cloud Computing

1. Where’s the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.

2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential attacker may be someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fannie Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.


3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.


4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.

5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.

6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.

7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed service between the cloud provider and the customer that specifies what level of services will be provided.

8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record? If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.

9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloud-based services are an attractive target to hackers.

10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, they are physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokia’s Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely.

Cloud Computing Attacks

• Denial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.

• Side Channel attacks – An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.

• Authentication attacks – Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.

• Man-in-the-middle cryptographic attacks – This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication path, there is the possibility that they can intercept and modify communications.

Streamlined Security Analysis Process

• Identify Assets
    • Which assets are we trying to protect?
    • What properties of these assets must be maintained?
• Identify Threats
    • What attacks can be mounted?
    • What other threats are there (natural disasters, etc.)?
• Identify Countermeasures
    • How can we counter those attacks?
• Appropriate for Organization-Independent Analysis
    • We have no organizational context or policies

Identify Assets

• Customer Data
• Customer Applications
• Client Computing Devices

Information Security Principles (Triad)

C I A

• Confidentiality
    • Prevent unauthorized disclosure
• Integrity
    • Preserve information integrity
• Availability
    • Ensure information is available when needed

Identify Assets & Principles

• Customer Data
    • Confidentiality, integrity, and availability
• Customer Applications
    • Confidentiality, integrity, and availability
• Client Computing Devices
    • Confidentiality, integrity, and availability

[Figure: Cloud Computing Model]

Identify Threats

• Failures in Provider Security
• Attacks by Other Customers
• Availability and Reliability Issues
• Legal and Regulatory Issues
• Perimeter Security Model Broken
• Integrating Provider and Customer Security Systems

Failures in Provider Security

• Explanation
    • Provider controls servers, network, etc.
    • Customer must trust provider’s security
    • Failures may violate CIA principles
• Countermeasures
    • Verify and monitor provider’s security
• Notes
    • Outside verification may suffice
    • For SMB, provider

Attacks by Other Customers

• Threats
    • Provider resources shared with untrusted parties
        • CPU, storage, network
    • Customer data and applications must be separated
    • Failures will violate CIA principles
• Countermeasures
    • Hypervisors for compute separation
    • MPLS, VPNs, VLANs, firewalls for network separation
    • Cryptography (strong)
    • Application-layer separation (less strong)

Availability and Reliability Issues

• Threats
    • Clouds may be less available than in-house IT
        • Complexity increases chance of failure
        • Clouds are prominent attack targets
        • Internet reliability is spotty
        • Shared resources may provide attack vectors
        • BUT cloud providers focus on availability
• Countermeasures
    • Evaluate provider measures to ensure availability
    • Monitor availability carefully
    • Plan for downtime
    • Use public clouds for less essential applications

Legal and Regulatory Issues

• Threats
    • Laws and regulations may prevent cloud computing
        • Requirements to retain control
        • Certification requirements not met by provider
        • Geographical limitations – EU Data Privacy
    • New locations may trigger new laws and regulations
• Countermeasures
    • Evaluate legal issues
    • Require provider compliance with laws and regulations
    • Restrict geography as needed

[Figure: Perimeter Security with Cloud Computing?]

Perimeter Security Model Broken

• Threats
    • Including the cloud in your perimeter
        • Lets attackers inside the perimeter
        • Prevents mobile users from accessing the cloud directly
    • Not including the cloud in your perimeter
        • Essential services aren’t trusted
        • No access controls on cloud
• Countermeasures
    • Drop the perimeter model!

Integrating Provider and Customer Security

• Threat
    • Disconnected provider and customer security systems
        • Fired employee retains access to cloud
        • Misbehavior in cloud not reported to customer
• Countermeasures
    • At least, integrate identity management
        • Consistent access controls
    • Better, integrate monitoring and notifications
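
The "fired employee retains access to cloud" gap can be checked by reconciling the customer's identity roster against the provider's account list. The following is an added example, not part of the original slides; the roster and account export formats, field names, and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample: the customer's HR / identity-management roster.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "terminated_on": None},
    "bob@example.com": {"status": "terminated", "terminated_on": date(2024, 3, 1)},
    "erin@example.com": {"status": "terminated", "terminated_on": date(2024, 3, 1)},
}

# Constructed sample: account export from a hypothetical cloud provider console.
CLOUD_ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "last_login": date(2024, 3, 10)},
    {"user": "Bob@example.com", "enabled": True, "last_login": date(2024, 3, 5)},
    {"user": "carol@example.com", "enabled": True, "last_login": date(2024, 2, 1)},
    {"user": "dave@example.com", "enabled": False, "last_login": date(2023, 12, 1)},
    {"user": "erin@example.com", "enabled": True, "last_login": date(2024, 2, 20)},
]


def find_access_gaps(roster, accounts):
    """Return (user, severity, reason) for enabled cloud accounts the roster does not justify."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled at the provider, nothing to revoke
        user = acct["user"].lower()  # providers and HR systems often differ in case
        person = roster.get(user)
        if person is None:
            # Account exists in the cloud but no identity owns it.
            findings.append((user, "review", "no matching identity in roster"))
        elif person["status"] == "terminated":
            left = person["terminated_on"]
            if left and acct["last_login"] and acct["last_login"] > left:
                # Access was actually used after the person left.
                findings.append((user, "incident", f"login after termination on {left}"))
            else:
                findings.append((user, "revoke", "terminated but still enabled"))
    return findings


if __name__ == "__main__":
    for user, severity, reason in find_access_gaps(HR_ROSTER, CLOUD_ACCOUNTS):
        print(f"{severity.upper():8} {user}: {reason}")
```

Running the reconciliation on a schedule, and alerting on any "incident" row, covers both countermeasures on this slide: consistent access controls and monitoring with notification.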

Bottom Line on Cloud Computing Security

• Engage in full risk management process for each case
• For small and medium organizations
    • Cloud security may be a big improvement!
    • Cost savings may be large (economies of scale)
• For large organizations
    • Already have large, secure data centers
    • Main sweet spots:
        • Elastic services
        • Internet-facing services
• Employ countermeasures listed above

Security Analysis Skills Reviewed Today

• Information Security Risk Management Process
    • Variations used throughout IT industry
        • ISO 27005, NIST SP 800-30, etc.
    • Requires thorough knowledge of threats and controls
    • Bread and butter of InfoSec – Learn it!
    • Time-consuming but not difficult
• Streamlined Security Analysis Process
    • Many variations
        • RFC 3552, etc.
    • Requires thorough knowledge of threats and controls
    • Useful for organization-independent analysis
    • Practice this on any RFC or other standard
    • Become able to do it in 10 minutes

Q&A