Cloud Computing Issues

Why Is "Security" Everywhere on That Slide?Security is generally perceived as a huge issue for the cloud:During a keynote speech to the Brookings Institution policy forum, Cloud Computing for Business and Society, [Microsoft General Counsel Brad] Smith also highlighted data from a survey commissioned by Microsoft measuring attitudes on cloud computing among business leaders and the general population.The survey found that while 58 percent of the general population and 86 percent of senior business leaders are excited about the potential of cloud computing, more than 90 percent of these same people are concerned about the security, access and privacy of their own data in the cloud.http://www.microsoft.com/presspass/press/2010/jan10/1-20BrookingsPR.mspx

Security Concerns of Cloud ComputingWheres the data? Different countries have different requirements and controls placed on access. Because your data is in the cloud, you may not realize that the data must reside in a physical location. Your cloud provider should agree in writing to provide the level of security required for your customers.

Security Concerns of Cloud Computing2. Who has access? Access control is a key concern, because insider attacks are a huge risk. A potential hacker is someone who has been entrusted with approved access to the cloud. If anyone doubts this, consider that in early 2009 an insider was accused of planting a logic bomb on Fanny Mae servers that, if launched, would have caused massive damage. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to these individuals.

Security Concerns of Cloud Computing3. What are your regulatory requirements? Organizations operating in the US, Canada, or the European Union have many regulatory requirements that they must abide by (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT). You must ensure that your cloud provider is able to meet these requirements and is willing to undergo certification, accreditation, and review.

Security Concerns of Cloud Computing4. Do you have the right to audit? This particular item is no small matter; the cloud provider should agree in writing to the terms of audit.

Security Concerns of Cloud Computing5. What type of training does the provider offer their employees? This is actually a rather important item, because people will always be the weakest link in security. Knowing how your provider trains their employees is an important item to review.

Security Concerns of Cloud Computing6. What type of data classification system does the provider use? Questions you should be concerned with here include: Is the data classified? How is your data separated from other users? Encryption should also be discussed. Is it being used while the data is at rest and in transit? You will also want to know what type of encryption is being used. As an example, there is a big difference between WEP and WPA2.

Security Concerns of Cloud Computing7. What are the service level agreement (SLA) terms? The SLA serves as a contracted level of guaranteed ervice between the cloud provider and the customer that specifies what level of services will be provided.

Security Concerns of Cloud Computing8. What is the long-term viability of the provider? How long has the cloud provider been in business and what is their track record. If they go out of business, what happens to your data? Will your data be returned, and if so, in what format? As an example, in 2007, online storage service MediaMax went out of business following a system administration error that deleted active customer data. The failed company left behind unhappy users and focused concerns on the reliability of cloud computing.

Security Concerns of Cloud Computing9. What happens if there is a security breach? If a security incident occurs, what support will you receive from the cloud provider? While many providers promote their services as being unhackable, cloudbased services are an attractive target to hackers.

Security Concerns of Cloud Computing10. What is the disaster recovery/business continuity plan (DR/BCP)? While you may not know the physical location of your services, it is physically located somewhere. All physical locations face threats such as fire, storms, natural disasters, and loss of power. In case of any of these events, how will the cloud provider respond, and what guarantee of continued services are they promising? As an example, in February 2009, Nokias Contacts On Ovi servers crashed. The last reliable backup that Nokia could recover was dated January 23rd, meaning anything synced and stored by users between January 23rd and February 9th was lost completely.

Cloud Computing AttacksDenial of Service (DoS) attacks - Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.

Cloud Computing AttacksSide Channel attacks An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.

Cloud Computing AttacksAuthentication attacks Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.

Cloud Computing AttacksMan-in-the-middle cryptographic attacks This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communications path, there is the possibility that they can intercept and modify communications.

Streamlined Security Analysis Process

Identify Assets Which assets are we trying to protect? What properties of these assets must be maintained?Identify Threats What attacks can be mounted? What other threats are there (natural disasters, etc.)?Identify Countermeasures How can we counter those attacks?Appropriate for Organization-Independent Analysis We have no organizational context or policies

Identify AssetsCustomer DataCustomer ApplicationsClient Computing Devices

Information Security Principles (Triad)C I A Confidentiality Prevent unauthorized disclosure Integrity Preserve information integrity Availability Ensure information is available when needed

Identify Assets & PrinciplesCustomer Data Confidentiality, integrity, and availabilityCustomer Applications Confidentiality, integrity, and availabilityClient Computing Devices Confidentiality, integrity, and availability

Cloud Computing Model

Identify ThreatsFailures in Provider SecurityAttacks by Other CustomersAvailability and Reliability IssuesLegal and Regulatory IssuesPerimeter Security Model BrokenIntegrating Provider and Customer Security Systems

Failures in Provider SecurityExplanation Provider controls servers, network, etc. Customer must trust providers security Failures may violate CIA principlesCountermeasures Verify and monitor providers securityNotes Outside verification may suffice For SMB, provider

Attacks by Other CustomersThreats Provider resources shared with untrusted parties CPU, storage, network Customer data and applications must be separated Failures will violate CIA principlesCountermeasures Hypervisors for compute separation MPLS, VPNs, VLANs, firewalls for network separation Cryptography (strong) Application-layer separation (less strong)

Availability and Reliability IssuesThreats Clouds may be less available than in-house IT Complexity increases chance of failure Clouds are prominent attack targets Internet reliability is spotty Shared resources may provide attack vectors BUT cloud providers focus on availabilityCountermeasures Evaluate provider measures to ensure availability Monitor availability carefully Plan for downtime Use public clouds for less essential applications

Legal and Regulatory IssuesThreats Laws and regulations may prevent cloud computing Requirements to retain control Certification requirements not met by provider Geographical limitations EU Data Privacy New locations may trigger new laws and regulationsCountermeasures Evaluate legal issues Require provider compliance with laws and regulations Restrict geography as needed

Perimeter Security with Cloud Computing?

Perimeter Security Model BrokenThreats Including the cloud in your perimeter Lets attackers inside the perimeter Prevents mobile users from accessing the cloud directly Not including the cloud in your perimeter Essential services arent trusted No access controls on cloudCountermeasures Drop the perimeter model!

Integrating Provider and Customer SecurityThreat Disconnected provider and customer security systems Fired employee retains access to cloud Misbehavior in cloud not reported to customerCountermeasures At least, integrate identity management Consistent access controls Better, integrate monitoring and notifications

Bottom Line on Cloud Computing SecurityEngage in full risk management process for each caseFor small and medium organizations Cloud security may be a big improvement! Cost savings may be large (economies of scale)For large organizations Already have large, secure data centers Main sweet spots: Elastic services Internet-facing servicesEmploy countermeasures listed above

Security Analysis Skills Reviewed Today Information Security Risk Management Process Variations used throughout IT industry ISO 27005, NIST SP 800-30, etc. Requires thorough knowledge of threats and controls Bread and butter of InfoSec Learn it! Time-consuming but not difficultStreamlined Security Analysis Process Many variations RFC 3552, etc. Requires thorough knowledge of threats and controls Useful for organization-independent analysis Practice this on any RFC or other standard Become able to do it in 10 minutes

Q&A