10/25/2012
By Vorapoj Lookmaipun, CISSP, CISA, CISM, CRISC, CEH
Agenda
• Security Cases
• What is Cloud?
• Road Map
• Security Concerns
Security Cases on Cloud
• Data Protection
– Two arrested in iPad security breach (Jan 2011): two hackers gathered the email addresses and personal information of 120,000 Apple iPad users.
– Epsilon breach (April 2011): Epsilon, an email marketing company (serving Best Buy, Ethan Allen, Walgreens and Target), was compromised; the attackers obtained the customer email addresses of some 50 clients and sent out phishing emails masquerading as those clients to their customers.
• Data Availability
– Hotmail (Jan 2011): 17,355 customers temporarily lost their mail contents during mailbox load balancing between servers.
– Amazon EC2 (web hosting) offline (April 2011): Foursquare, Reddit and Quora were among the sites that went offline.
Security Cases on Cloud
• Denial of Service
– Bot herders hid a master control channel in Google's cloud (October 2009): Google App Engine was tapped to act as a botnet's master control channel, pushing a malicious program down to infected PCs to make them part of the botnet.
• Data breach
– Gawker news sites compromised (Dec 2010): 1.3 million passwords from Gawker's sites (Gizmodo, Lifehacker, Kotaku, io9, Jezebel) were stolen and uploaded as a torrent file.
– Microsoft BPOS hacked (Dec 2010): Microsoft Business Productivity Online Suite was accessed and company data was downloaded. BPOS includes Exchange Online, SharePoint Online, Office Communications Online and Office Live Meeting. Data belonging to BPOS Standard customers could be downloaded by other customers of the service.
Survey – Cloud computing
• Data breaches are the main concern for businesses moving to the cloud
• More than 40% of respondents report that their organization uses cloud computing
– 69% SaaS
– 47% IaaS
– 55% PaaS
Source: The 2012 Global State of Information Security Survey by PwC
Survey – Cloud computing
• Has the cloud improved security?
– 54% Yes
– 23% Believe security has "weakened"
– 18% No change
– 5% Don't know
Source: The 2012 Global State of Information Security Survey by PwC
Survey – Cloud computing
• What are the greatest risks to cloud computing strategies?
– 32% Uncertain ability to enforce provider site security policies
– 19% Inadequate training and IT auditing
– 15% Questionable privileged access control at provider site
– 11% Proximity of data to someone else's
– 9% Uncertain ability to recover data
Source: The 2012 Global State of Information Security Survey by PwC
WHAT IS CLOUD?
Cloud Computing Economies of Scale
What is Cloud?
• NIST SP 800-145 – The NIST Definition of Cloud Computing (2011)
"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
What is Cloud Computing?
Composed of
– 5 Essential characteristics
– 3 Service models
– 4 Deployment models
Essential Characteristics
• 5 Essential Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
Essential Characteristics
1. On-demand self-service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Rented by the time period (minutes)
Essential Characteristics
2. Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops, and workstations).
From any device, from anywhere
Essential Characteristics
3. Resource pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Reduces cost
Note the multi-tenant model: the same physical hardware serves other customers, which is the basis of the "shared technology" threat in the CSA list later in this deck.
Essential Characteristics
4. Rapid elasticity
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Highly flexible and fast
Essential Characteristics
5. Measured service
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Service Models
• 3 Service Models
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
Service Models
1. Infrastructure as a Service (IaaS)
The provider supplies hardware and network connectivity. The tenant is responsible for the virtual machine and everything that runs within it.
Service Models
2. Platform as a Service (PaaS)
The tenant supplies the application they wish to deploy, and the provider supplies all the components required to run the application.
Service Models
3. Software as a Service (SaaS)
The provider supplies the application and all the components required to run it. SaaS is designed to be a turnkey solution for the tenant. Even so, the tenant still owns its data, its user identities and its access configuration; only the stack beneath the application moves to the provider.
Cloud Service Models (figure: layered stack showing which layers the tenant and which the provider is responsible for under SaaS, PaaS, IaaS and Private Cloud)
Layers, top to bottom: API/GUI, Application, Solution Stack, Network, Hypervisor, Virtual Machine, Compute & Storage, Facility
Legend: Tenant, Provider
Structure of Service Model (figure)
• SaaS: Google Docs, Salesforce CRM, DeskAway, Gmail
• PaaS: Force.com, App Engine, MS Azure
• IaaS: Rackspace.com, GoGrid, EC2
Deployment Models
• 4 Deployment Models
1. Private cloud
2. Community cloud
3. Public cloud
4. Hybrid cloud
Deployment Models
1. Private cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Deployment Models
2. Community cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Deployment Models
3. Public cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Deployment Models
4. Hybrid cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
Deployment Models (figure: table with columns Model, Provider Data Center and Consumer Data Center, and rows Private, Community, Public and Hybrid)
ROAD MAP ON CLOUD
Road Map on Cloud Computing (figure: The Virtualization Tipping Point in 2012)
Road Map on Cloud - 2010 (figure)
Road Map on Cloud - 2011 (figure)
Hype Cycle for Cloud Computing (figure)
Hype Cycle for Security Tools (figure)
SECURITY CONCERNS ON CLOUD
Top 7 Threats to Cloud Computing (CSA)
1. Abuse and Nefarious Use of Cloud Computing (IaaS, PaaS)
2. Insecure Interfaces and APIs (IaaS, PaaS, SaaS)
3. Malicious Insiders (IaaS, PaaS, SaaS)
4. Shared Technology Issues (IaaS)
5. Data Loss or Leakage (IaaS, PaaS, SaaS)
6. Account or Service Hijacking (IaaS, PaaS, SaaS)
7. Unknown Risk Profile (IaaS, PaaS, SaaS)
Security Concerns on Cloud
• Firewall
– You can no longer rely on the on-premises firewall.
• Antimalware
– Deploy antimalware at the hypervisor layer instead of inside each VM's guest OS.
• IPS/IDS
– Implement IPS/IDS as an added security layer within the infrastructure to detect potential intrusion, misuse, or insider threat, especially at the hypervisor layer.
Security Concerns on Cloud
• Identity Management
– Ensure all IDs meet the password management and complexity policy
– Passwords are stored in protected form (salted hashes rather than reversible encryption) and are only ever transmitted over encrypted channels between systems and applications
– Management has a key role in meeting compliance and regulatory requirements
Security Concerns on Cloud
• Access Management
– Require at least two-factor authentication for all applications and systems
– Use VPN-based connections
– If VPN access is unavailable, use a secure network protocol such as IPsec, SSH or TLS/SSL
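The second factor the slide asks for is most often a time-based one-time password. The following is an added example, not code from the original deck: a minimal RFC 6238 TOTP generator and verifier in Go using only the standard library. The secret is the constructed RFC 4226/6238 test vector secret ("12345678901234567890"), not a real credential; the one-step skew window, the six-digit length and the constant-time comparison are design choices of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// demoSecret is the constructed test secret from RFC 4226/6238 (ASCII "12345678901234567890").
// A real deployment generates a random per-user secret and protects it like any other credential.
var demoSecret = []byte("12345678901234567890")

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
)

// hotp computes the HOTP value (RFC 4226) for an 8-byte big-endian counter.
func hotp(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// totpAt returns the TOTP value for a Unix time (RFC 6238: counter = floor(T / step)).
func totpAt(secret []byte, unix int64) int {
	return hotp(secret, uint64(unix/totpStep), totpDigits)
}

// verifyTOTP accepts the submitted code if it matches the current step or the step on
// either side, tolerating about 30 s of clock skew. Every window is always checked and the
// comparison is constant time, so timing does not reveal which step (if any) matched.
func verifyTOTP(secret []byte, submitted string, unix int64) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		expected := fmt.Sprintf("%0*d", totpDigits, totpAt(secret, unix+skew*totpStep))
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			ok = true
		}
	}
	return ok
}

func main() {
	now := time.Now().Unix()
	code := fmt.Sprintf("%0*d", totpDigits, totpAt(demoSecret, now))
	fmt.Println("current code:", code, "verifies:", verifyTOTP(demoSecret, code, now))
	// RFC 6238 vector: T=59 gives 94287082, so the six-digit code is 287082.
	fmt.Printf("T=59 -> %0*d\n", totpDigits, totpAt(demoSecret, 59))
}
```

A production verifier also has to remember the last accepted step per user so that a captured code cannot be replayed inside the skew window, and should rate-limit attempts; both are left out here to keep the algorithm itself visible.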
Security Concerns on Cloud
• Logging, including
– System logs
– Network IPS logs
– Identity and access logs
Security Concerns on Cloud
• Your logging solution captures
– Failed login attempts
– Privileged access attempts
– Privileged activities
– Access attempts to sensitive data
– Access attempts to audit trail data
– Start and stop of services or applications
– System shutdown or start-up
Security Concerns on Cloud
• Logging
– Each event should contain at minimum
• User ID
• Date and timestamp
• Event description
• Event source
• Event success or failure
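The two logging slides above together define a checkable contract: every record carries five minimum fields, and certain event types must be captured. As an added example (not from the original deck, and not the output of any real product), the Go program below runs that contract over constructed JSON-lines records: it rejects records missing a field, maps each record onto the watch list, and counts failed logins per user. The JSON key names (user_id, ts, event, source, outcome), the privileged-user set and the sensitive-path patterns are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one log record; the five keys are the slide's minimum fields (key names assumed here).
type Event map[string]string

// Finding is one record a reviewer should look at: a watch-list event, a malformed record, or both.
type Finding struct {
	Line     int
	Category string // watch-list category that matched, "" if none
	Problem  string // what is wrong with the record, "" if well-formed
}

var privilegedUsers = map[string]bool{"root": true, "admin": true} // stand-in for a real admin list

// sampleLog is constructed JSON-lines input; it is not output from any real product.
const sampleLog = `{"user_id":"alice","ts":"2012-10-25T08:01:02Z","event":"login","source":"vpn-gw1","outcome":"failure"}
{"user_id":"alice","ts":"2012-10-25T08:01:09Z","event":"login","source":"vpn-gw1","outcome":"failure"}
{"user_id":"root","ts":"2012-10-25T08:01:30Z","event":"login","source":"db-01","outcome":"success"}
{"user_id":"bob","ts":"2012-10-25T08:02:00Z","event":"sudo /bin/sh","source":"web-03","outcome":"success"}
{"user_id":"svc-backup","ts":"2012-10-25T08:03:00Z","event":"read /var/log/audit/audit.log","source":"db-01","outcome":"success"}
{"user_id":"dave","ts":"2012-10-25T08:03:30Z","event":"read /srv/data/customer_pii.csv","source":"db-01","outcome":"success"}
{"user_id":"","ts":"2012-10-25T08:04:00Z","event":"service stop httpd","source":"web-03","outcome":"success"}
{"user_id":"carol","ts":"not-a-time","event":"system shutdown","source":"db-01","outcome":"success"}
not json at all`

// classify maps a record onto the slide's watch list of events a logging solution must capture.
func classify(e Event) string {
	d := strings.ToLower(e["event"])
	isLogin := strings.HasPrefix(d, "login")
	switch {
	case isLogin && e["outcome"] == "failure":
		return "failed login"
	case isLogin && privilegedUsers[e["user_id"]]:
		return "privileged access attempt"
	case strings.HasPrefix(d, "sudo ") || strings.HasPrefix(d, "su "):
		return "privileged activity"
	case strings.Contains(d, "audit"):
		return "audit trail access"
	case strings.Contains(d, "customer_pii") || strings.Contains(d, "/etc/shadow"): // assumed sensitive paths
		return "sensitive data access"
	case strings.HasPrefix(d, "service start") || strings.HasPrefix(d, "service stop"):
		return "service start/stop"
	case strings.Contains(d, "shutdown") || strings.Contains(d, "startup"):
		return "system shutdown/startup"
	}
	return ""
}

// validate returns the minimum fields that are missing or unusable.
func validate(e Event) []string {
	var bad []string
	for _, k := range []string{"user_id", "event", "source"} {
		if e[k] == "" {
			bad = append(bad, k)
		}
	}
	if _, err := time.Parse(time.RFC3339, e["ts"]); err != nil {
		bad = append(bad, "ts")
	}
	if o := e["outcome"]; o != "success" && o != "failure" {
		bad = append(bad, "outcome")
	}
	return bad
}

// Triage parses JSON-lines log text; it returns findings in line order and failed-login counts per user.
func Triage(logText string) ([]Finding, map[string]int) {
	var findings []Finding
	failed := map[string]int{}
	for i, line := range strings.Split(logText, "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			findings = append(findings, Finding{Line: i + 1, Problem: "unparseable record: " + err.Error()})
			continue
		}
		f := Finding{Line: i + 1, Category: classify(e)}
		if bad := validate(e); len(bad) > 0 {
			f.Problem = "missing or invalid fields: " + strings.Join(bad, ", ")
		}
		if f.Category == "failed login" {
			failed[e["user_id"]]++
		}
		if f.Category != "" || f.Problem != "" {
			findings = append(findings, f)
		}
	}
	return findings, failed
}

func main() {
	findings, failed := Triage(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d: category=%q problem=%q\n", f.Line, f.Category, f.Problem)
	}
	fmt.Println("failed logins per user:", failed)
}
```

Malformed records are reported rather than silently dropped because a logging pipeline that loses the user ID or the timestamp defeats the audit purpose the slide describes; the same check belongs at ingestion time, before records reach the SIEM.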
Security Concerns on Cloud
• Data Security
– Data loss is a primary concern of IT managers across the globe.
– Your data protection solution should address both internal and external threats.
– Most standards require organizations to protect their data at rest through data encryption.
• Data at rest includes files stored on servers and on removable media
• Data in process includes real-time transactional data such as data processed in a database
• Data in transit covers network protocols and data passing over wired and Wi-Fi networks
• If possible, store keys outside of your cloud environment: a key that sits next to the ciphertext at the same provider gives the provider, or anyone who compromises it, both pieces at once
• Application Security
– Create a website risk management plan that heightens awareness and protects valuable corporate and customer data from attackers
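What "store keys outside of your cloud environment" looks like in code is envelope encryption. The following is an added example, not code from the original deck: Go, using only the standard library's AES-256-GCM. Each object is encrypted under its own data encryption key (DEK); the DEK is wrapped by a key-encryption key (KEK) that a KeyHolder keeps outside the cloud store, so what the cloud holds is ciphertext plus a wrapped DEK and never a usable key. KeyHolder is a hypothetical stand-in for an on-premises HSM or key management service, and the object ID and sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is what lands in the cloud store: ciphertext plus the DEK wrapped under the KEK.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte // data encrypted under a fresh per-object DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), bound to the object ID via AAD
}

// KeyHolder models the key-management component that stays outside the cloud environment.
// It is a hypothetical stand-in for an on-premises HSM or KMS, constructed for this example.
type KeyHolder struct{ kek []byte }

func NewKeyHolder() (*KeyHolder, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key; never leaves the holder
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyHolder{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad) // fails on any change to ct, nonce or aad
}

// Wrap and Unwrap are the only operations that touch the KEK; they run inside the key holder.
func (k *KeyHolder) Wrap(dek, aad []byte) ([]byte, error) {
	nonce, ct, err := seal(k.kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

func (k *KeyHolder) Unwrap(wrapped, aad []byte) ([]byte, error) {
	const nonceLen = 12 // standard GCM nonce size
	if len(wrapped) <= nonceLen {
		return nil, errors.New("wrapped DEK too short")
	}
	return open(k.kek, wrapped[:nonceLen], wrapped[nonceLen:], aad)
}

// Encrypt runs on the tenant side: new DEK per object, data sealed with it, DEK wrapped by the holder.
func Encrypt(kh *KeyHolder, objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	aad := []byte(objectID)
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := kh.Wrap(dek, aad)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the holder to unwrap the DEK first; without the KEK the stored object is useless.
func Decrypt(kh *KeyHolder, objectID string, obj StoredObject) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := kh.Unwrap(obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("key holder refused to unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, aad)
}
```

Binding the object ID into both GCM operations as associated data means a wrapped DEK copied from one object cannot be replayed against another, and a snapshot of the bucket taken without the key holder's cooperation yields nothing; rotating the KEK then only requires re-wrapping the small DEKs, not re-encrypting the data.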
Standards and Policies
• Access Controls
• Incident Response and Management
• System and Network Configuration Backups
• Security Testing
• Data and Communications Encryption
• Password Standards
• Continuous Monitoring
Recommendations
• Get security right in the private cloud first, then extend to hybrid and public cloud
• Map workloads to the right "style" of cloud security
• Begin planning to augment existing security delivery mechanisms with Security as a Service options
• Separation and auditability are key issues in maintaining security
• Don't trust the infrastructure to secure the infrastructure
Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (CSA)
1. Cloud Computing Architectural Framework
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
7. Traditional Security, Business Continuity, and Disaster Recovery
8. Data Center Operations
9. Incident Response
10. Application Security
11. Encryption and Key Management
12. Identity, Entitlement, and Access Management
13. Virtualization
14. Security as a Service
Security as a Service (SecaaS) categories of interest
• Identity Services and Access Management Services
• Data Loss Prevention (DLP)
• Web Security
• Email Security
• Security Assessments
• Intrusion Management, Detection, and Prevention (IDS/IPS)
• Security Information and Event Management (SIEM)
• Encryption
• Business Continuity and Disaster Recovery
• Network Security
Additional Information
• Proactively Hardening Your Cloud
– NIST
• http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
• http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/
– Cloud Security Alliance
• https://cloudsecurityalliance.org/
• http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf