Security in the Cloud Presented By: Bryan Miller VCU Cybersecurity Fair

Cloud Computing Security


DESCRIPTION

This is a presentation I recently gave at the VCU Cybersecurity Fair on Cloud Computing Security.


Page 1: Cloud Computing Security

Security in the Cloud
Presented By:

Bryan Miller

VCU Cybersecurity Fair

Page 2: Agenda

- Speaker Introduction
- What is the “Cloud”
- SaaS, PaaS, IaaS
- Public, Private and Hybrid Clouds
- Vendor Offerings
- Security Issues
- Wrap-Up

10/4/2011 1

Page 3: Speaker Introduction

- B.S. Information Systems – VCU
- M.S. Computer Science – VCU
- President, Syrinx Technologies, 2007
- Member of ISSA, HIMSS, InfraGard, ILTA
- Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
- CISSP, former Cisco CCIE in R/S
- Published author
- Over 25 years in the industry

Page 4: What is the “Cloud”?

- Convenient, on-demand network access to a shared pool of configurable resources:
  - Networks
  - Servers
  - Storage
  - Applications
  - Services
- Rapidly provisioned and released with minimal management effort or service provider interaction (based on NIST)

Page 5: The NIST Standard for Cloud Computing

NIST SP 800-145 definition:

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Page 6: First, Some Statistics

- IDC – 2008: Security was the factor most likely to discourage the use of cloud computing
  - 72% of small (<100 employees) businesses
  - 63% of mid-sized (100-199 employees) businesses
- IDC – 2011:
  - 50% of small businesses
  - 47% of mid-sized businesses

Page 7: First, Some Statistics (continued)

- By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
- By 2012, approximately 20% of businesses will not own any IT resources.


Page 10: Software as a Service (SaaS)

- Examples: Salesforce.com, Office 365
- Applications delivered over the web
- Vendor handles software updates and patches
- Application Programming Interfaces (APIs) for integration among software

Page 11: Platform as a Service (PaaS)

- Examples: Google App Engine, Microsoft Azure, Force.com
- Architectural tools to build systems
- Platform managed and monitored
- Web-based user interface tools

Page 12: Infrastructure as a Service (IaaS)

- Examples: Amazon Web Services (AWS), OpenStack, Dell
- Outsource storage, hardware, servers
- Typically charged on a per-use basis
- Hardware can be multi-tenant or dedicated

Page 13: Public vs. Private vs. Hybrid Cloud Models

- Public
  - Shared resources, usually multi-tenant
  - Off-premise
- Private
  - Resources dedicated to client
  - On-premise or off-premise
- Hybrid
  - Combination of on-premise and cloud-based services
  - Growing in popularity as companies slowly transition applications

Page 14: Vendor Offerings

- Amazon Web Services EC2 – IaaS
  - Data centers (Regions): Virginia, Northern California, Ireland, Singapore, Tokyo
  - Within each region, services are divided into Availability Zones
  - AWS GovCloud – Accessible by US only, allows government agencies to store data; currently used by NASA

Page 15: Vendor Offerings (continued)

- Microsoft Azure – PaaS
  - Windows Azure – OS providing scalable compute and storage facilities
  - Windows SQL Azure – Cloud-based, scalable version of SQL Server
- OpenStack – IaaS
  - Open source software
  - Over 100 partner companies: Rackspace, Dell, Citrix, Cisco

Page 16: Vendor Offerings (continued)

- Dell – IaaS
  - Built on VMware technology (vCloud family of products)
  - Adding support for Azure and OpenStack
  - 3 models: Pay as you go, Reserved, Dedicated
- Apple iCloud – SaaS
  - Stores music, photos, applications, calendars, documents
  - 5 GB of free storage

Page 17: What about SLAs?

Take into account the following:

- Response times
- Data corruption
- Service degradation/outage
- Data breach
- Backup/Restore issues
- What happens if the company closes or is sold
- Regulatory issues
  - HIPAA – do you have a BA agreement in place?
  - PCI – are you sure your provider is compliant?

Page 18: Security Issues

- Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
- The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
- Prices for EC2 range from 3 cents to $2.48 an hour for users on the East coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
- Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.

Page 19: Cloudpocalypse

- Definition: The point at which cloud computing causes a catastrophic failure.
- Intellectual property is the lifeblood of an organization. IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
- How can things go wrong?
  - A salesperson mails himself a report to Gmail for home access.
  - A customer service team uses Dropbox [1] to transfer client files.
  - A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.

[1] June 2011: Passwords optional for 4 hours, approximately 100 accounts were affected

Page 20: When the Cloud Dissipates

Amazon EC2 Outages

- July, 2008
  - Affected multiple Availability Zones
  - Affected US and EU
- April, 2011
  - Affected Reddit, Foursquare, Quora
  - Elastic Block Store went offline (provides mountable disk volumes to EC2)
  - 3 days of outage for some users
  - Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
- August, 2011
  - Why: Lightning strike in Dublin, Ireland
  - Knocked European cloud services offline for 2 days
  - Affected Netflix, Quora, Foursquare

Page 21: Gmail Outages

- 2008:
  - July 16 – “long outage”
  - August 6 – up to 15 hours
  - August 11 – 2 hours
  - August 15 – up to 24 hours
  - October 16 – 30 hours
- 2009:
  - February 24 – 2 hours
  - September 1 – 2 hours
- 2011:
  - February 27 – several hours
  - August 8 – several hours

Page 22: Wrap-Up

- Decide if the cloud is appropriate for the given business model
- Choose the vendor and precisely define the SLA
- Test thoroughly before moving into production
- Migrate slowly and carefully watch the metrics
- Make sure the users/clients are happy
- Routinely test the backup and restore process
- Don’t forget about DR and BCP