Handout of a presentation given at the InfoSec 2010 Conference in Manila, Philippines, on 25 August 2010.
Possibilities and Security Challenges of Cloud Computing
InfoSec Conference 2010
Hotel Intercontinental
Makati City, Philippines
25 August 2010
Pierre U. Tagle, Ph.D.
Outline
1. Introduction
2. What is Cloud Computing?
3. Possibilities and Security Challenges
4. Critical Areas for Cloud Implementations
Introduction
We offer services to:
• EVALUATE and understand your business needs;
• Recommend ways to ENHANCE how technology, people and processes fit into your business;
• INTEGRATE new and existing technology to better suit your business;
• MAINTAIN your technology investments; and
• Help you PRESERVE your investment to carry your business into the future.
Mobiliance Incorporated is an INDEPENDENT technology consulting and software services firm which partners with commercial and government establishments/organisations to solve their toughest Information Technology problems and issues.
Our Services
• Security Assessment and Design
– Security Architecture Assessment / Design
– Vulnerability Assessment
• Network Assessment and Design
– Alignment with business requirements
– Performance, reliability and availability analysis
• Technology Assessment and Design
• IT Governance / Risk Management
– Disaster Recovery / Business Continuity
– IT Governance
– IT Risk Assessments
• Technology Management Advice (Virtual CIO/CTO)
• Software Development
– From complete SDLC or to assist in specific phases
What is Cloud Computing?
• Virtually every vendor or provider has jumped on the cloud
computing bandwagon and has slapped the “cloud” label on it,
e.g. hosting, outsourcing, ASP, on-demand computing, grid
computing, utility computing, etc.
– Some reports indicate that there were at least 22 different
definitions of the cloud in use.
• Cloud computing is NOT a technology revolution, but
rather a process and business evolution – on how many
technologies and services are used in enabling what is referred
to as Cloud Computing.
• A simplified definition can be that cloud computing allows
businesses to increase IT capacity on the fly without investing
in new infrastructure, training new personnel and/or licensing
new software, and are able to use it as a pay-per-use service.
NIST Cloud Definition Framework
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
The NIST cloud model promotes availability and is composed of 5 essential characteristics, 3 service models and 4 deployment models.
5 Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
– Location independence
• Rapid elasticity
• Measured service
Source: Techmixer.com
3 Cloud Service / Delivery Models
• Cloud Software as a Service (SaaS)
– Use provider’s apps over a network
• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, etc.
Note: To be considered “cloud” these must be deployed on top of a cloud infrastructure with the key characteristics.
Source: NIST Presentations
Cloud Services Examples
• SaaS
– Salesforce.com
– Google Apps
• PaaS
– Google App Engine, Force.com, IBM IT Factory
• IaaS
– Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid
– Amazon Simple Storage Service (Amazon S3)
Cloud Deployment Models
• Private cloud
– Enterprise owned or leased
• Community cloud
– Shared infrastructure for specific community
• Public cloud
– Available to the public, typically mega-scale infrastructure
• Hybrid cloud
– Composition of 2 or more clouds
Possibilities and Benefits
Adoption Areas
Cloud Computing Challenges & Risks
• Data Protection
– Where is my data?
– How does my data securely enter/exit the cloud? (and how is it protected during transit?)
– Who has access to my data?
• Risk / Incident Management
– Who is accountable if something goes wrong?
– What’s the disaster recovery plan?
– What happens if my cloud provider disappears?
– How is the environment monitored? How are we notified in the event of failures/outages?
• Integration and Cost
– How easy is it to integrate with in-house IT?
– Are there customization options to suit my needs?
– Will on-demand cost more?
– How difficult to migrate back to an in-house system? (if possible)
• Compliance
– Are there any regulatory requirements?
Challenges and Risks
Security remains the top concern and was raised by 87.5% of
respondents in IDC 2009 survey (up from 74.6% in 2008)
Service Provider Requirements
• Pricing is key area BUT…
• … security and related concerns can be “seen” in user wish-list of the service features
SLAs, option to move back on-premise, allow managing on-premise…, offer both on-premise and public cloud services, have local presence…
Security in the Cloud
• Security controls in cloud computing are no different than security controls in an IT environment BUT...
– the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the organisation.
• Understanding the differences between service models and their implementation is critical to the management of risk to the organisation.
“Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.”
– Cloud Security Alliance
Source: Cloud Security Alliance
Security Advantages
• Reduction of exposure of internal sensitive data with move to external cloud
– Data fragmentation and dispersal are managed by unbiased party (cloud vendor assertion)
– Various studies show that a large amount of abuse is done by internal IT professionals
• Cloud homogeneity makes security auditing / testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Indirect administrator accountability
• Obtaining support for investigations
• Proprietary implementations cannot be examined
• Loss of physical control
• Data dispersal and international privacy laws
• Logging challenges
• Quality of service guarantees
Ensuring Compliance in the Cloud
• The use of cloud computing by itself does not provide for or prevent achieving compliance.
• Cloud services must be mapped against compensating controls to determine which exist and which do not – either by the end user, service provider or a third party.
• Gap analysis results are fed into the risk assessment framework – accept, transfer or mitigate.
Source: Cloud Security Alliance
Cloud Implementation Use Case Taxonomy
• Service Consumer
– SaaS is consumed by end users, e.g. employees, clients, partners
– PaaS is consumed by software developers
– IaaS is consumed by IT managers
• The various components must be managed by the company or a third party solution provider.
Source: Cloud Computing Use Case Discussion Group
Determining Candidates for the Cloud
• Review applications and IT resources / systems
• Categorise into:
– Mission-critical, i.e. business will not survive without it
– Non-mission critical
• Sub-categorise into:
– Core business practices, i.e. provides service differentiation
– Non-core, i.e. internal activities
• Typical Rules of Thumb:
– If mission-critical and non-core then possibly good candidate for the cloud
– If mission-critical and core, possibly keep internal or in private cloud
– If non-mission critical and non-core then okay for public clouds
– If non-mission critical and core, possibly keep internal or in private cloud
Candidates for the Public Cloud
GOOD
• Applications used by mobile workers, particularly those used to manage time, activities, etc.
• Software development environments
• Applications that require hardware/software not normally available within the company
• Applications that run infrequently but require considerable resources, e.g. test and pre-production systems
• Backup for critical applications
• Distributed server and data centre locations
BAD
• Applications with very sensitive data (with possible regulatory or legal risk)
• Applications that require very intensive data workloads or very performance sensitive applications
– Possible cost issue
• Applications that require extensive or high customization
Cloud Adoption Model Example
• Prepare IT portfolio
– Virtualization not necessary but can simplify migration, updates, etc.
• Cloud experimentation
– Usage, experimentation and laying of groundwork
• Cloud foundations
– Finalize application architecture and platform
• Cloud exploitation
– Deployment (either private or public) in the cloud
– Get apps into production, along with processes, policies and procedures
• Cloud actualization / HyperCloud
– Fully dynamic and autonomic compute environment
Source: eWeek.com
Cloud Usage Examples
• Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infra
• Animoto – start-up used Amazon’s cloud services and was able to keep up with soaring demand, scaling up from 50 to 3,500 instances over a three-day period
• Times – wanted to place a 60-year period’s worth of images (i.e. 15 million news stories); moved 4 TB into Amazon S3, ran the software on EC2, then launched the product
• Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops.
Recommended Areas of Critical Focus
GOVERNANCE DOMAINS
• Governance & Enterprise Risk Management
• Legal
• Compliance and Audit
• Information Life Cycle Management
• Portability and Interoperability
OPERATIONAL DOMAINS
• Security, Business Continuity & Disaster Recovery
• Data Centre Operations
• Incident Management
• Application Security
• Encryption & Key Management
• Identity & Access Management
• Virtualisation
Governance Domains
Governance & Enterprise Risk Management
• Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing
– Legal precedence for agreements
– Assess risk of a cloud provider
– Responsibility to protect data
– How international boundaries affect issues
• Risk management approaches
– Include provider’s security governance, risk management and compliance structures and processes
– Consistency between provider and end user risk assessment approaches
• provider’s design of the cloud service vs. user’s assessment of the cloud service risk.
– Adjust DRP/BCP to include new scenarios, e.g. loss of provider services
RECOMMENDATIONS
Legal Aspects
Potential legal issues with the use of Cloud Computing
– Protection requirements for information & computer systems
– Security disclosure laws
– Regulatory requirements
– Privacy requirements
– International laws
RECOMMENDATIONS
Compliance and Audit
• Ensuring and proving compliance when using Cloud Computing
– Company security policies
– Industry standards and/or certifications
– Regulatory, legislative and other compliance requirements
• The end user must understand:
– Regulatory application for the use of a cloud service
– Division of compliance responsibilities (vs. provider)
– Provider’s ability to produce evidence needed for compliance
– End user’s role in bridging the gap between provider and audit requirements
RECOMMENDATIONS
Information Lifecycle Management
• Management of data that is placed within the Cloud.
– Identification and control of data
– Compensating controls to deal with loss of physical control
– Data confidentiality, integrity and availability
• The Data Security Lifecycle
• Maps to the more general Information Lifecycle Management (ILM)
Source: Cloud Security Alliance
RECOMMENDATIONS
Portability and Interoperability
• Ability to move data and/or services from one cloud provider to another, or move it back in-house
– Portability
– Interoperability
• Companies may need to switch providers due to:
– Unacceptable increase in cost
– Provider ceases operation
– Provider ceases one or more services
– Unacceptable decrease in service quality
– Business disputes
RECOMMENDATIONS
Operational Domains
Security, Business Continuity and Disaster Recovery
• How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery?
• How does cloud computing assist in diminishing risks in certain areas? While possibly increasing in others?
RECOMMENDATIONS
Data Centre Operations
• Identifying common data centre characteristics that
are:
– Disadvantageous to on-going services and/or
– Fundamental to long-term stability.
• Technology architectures will differ across providers
but they all must support compartmentalization with
controls segregating each layer of the infrastructure
– Note that some cloud providers may be users
of other cloud services, e.g. a SaaS vendor
uses PaaS or IaaS vendor(s).
RECOMMENDATIONS
Incident Management
• Proper and adequate incident detection, response, notification and remediation.
– Includes processes and procedures at both provider and end user levels
• Does the cloud bring about complexities to current incident management procedures?
RECOMMENDATIONS
Application Security
• What type of cloud platform to use? SaaS, PaaS, or IaaS?
• Cloud applications will both impact and be impacted by various factors
• Migrate existing app or design a new app for cloud deployment?
[Diagram labels: Cloud Apps; SDLC; Application Security Architecture; Compliance; Tools & Services; Vulnerabilities]
RECOMMENDATIONS
Encryption and Key Management
• Cloud environments are shared, and providers generally have privileged access
• Encryption offers benefits of less reliance on provider
• Identifying proper encryption usage and key management
[Diagram: Encryption for Confidentiality and Integrity]
• Encrypt data in transit
• Encrypt data at rest
• Encrypt data on backup media
Diagram notes:
• Differences in implementation from IaaS to PaaS to SaaS
• Protect against misuse of lost/stolen media.
• Secure sensitive information even within provider’s environment.
RECOMMENDATIONS
Identity and Access Management
• Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation.
• Management of identities to provide access control when extending the organisation into the cloud.
Identity Provisioning
• Secure and timely management of provisioning and deprovisioning of users in the cloud.
• Extension of current user management processes to the cloud.
Authentication
• Address authentication related challenges, e.g. strong authentication (multi-factor), delegated authentication, and trust management across cloud services.
Federation
• Authenticate users of cloud services using the organisation’s chosen identity provider.
Authorization and User Profile Management
• Establishment of trusted user profile and policy information, using it to control access within the cloud, and using this in an auditable way.
RECOMMENDATIONS
IDaaS
• Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations
• For internal users:
– Review provider’s options to provide secure access to the cloud
– Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS.
• For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments
• PaaS users should review use of industry standards by IDaaS vendors
• Proprietary solutions represent a significant risk; the use of open standards is recommended.
Virtualisation
• Use of virtualisation technology in cloud computing, particularly the security issues related to the system/hardware virtualisation.
RECOMMENDATIONS
Conclusion
• In any move towards an emerging technology and business
model, you need in-depth understanding of:
– Your IT team (whether in-house or 3rd party including
consultants / partners) and capabilities
– The Solutions, and
– The Service Providers and/or Vendors
• No difference with cloud computing… any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and if needed, outsourcing partners.
• Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and are continuously being improved / fine-tuned to meet the perceived challenges and user requirements.