Page 1

WHAT IS CLOUD COMPUTING REALLY?

Scott Clark
Chicago Chapter President
Cloud Security Alliance

Page 2

The Blind Men and the Cloud

It was six men of Info Tech

To learning much inclined,

Who went to see the Cloud

(Though all of them were blind),

That each by observation

Might satisfy his mind

Page 3

The Blind Men and the Cloud

The First approached the Cloud,

So sure that he was boasting

“I know exactly what this is…

This Cloud is simply Hosting.”

Page 4

The Blind Men and the Cloud

The Second grasped within the Cloud,

Saying, “No it’s obvious to me,

This Cloud is grid computing…

Servers working together in harmony!”

Page 5

The Blind Men and the Cloud

The Third, in need of an answer,

Cried, "Ho! I know its source of power

It’s a utility computing solution

Which charges by the hour.”

Page 6

The Blind Men and the Cloud

The Fourth reached out to touch it,

It was there, but it was not   

“Virtualization,” said he.

“That’s precisely what we’ve got!”

Page 7

The Blind Men and the Cloud

The Fifth, so sure the rest were wrong

Declared “It’s SaaS you fools,

Applications with no installation

It’s breaking all the rules!"

Page 8

The Blind Men and the Cloud

The Sixth (whose name was Benioff),

Felt the future he did know,

He made haste in boldly stating,           

“This *IS* Web 3.0.”

Page 9

The Blind Men and the Cloud

And so these men of Info Tech

Disputed loud and long,

Each in his own opinion

Exceeding stiff and strong,

Though each was partly in the right,

And all were partly wrong!

Sam Charrington & Noreen Barczweski

© 2009, Appistry, Inc

Page 10

Agenda

Introduction to Cloud Computing

What is Different in the Cloud?

CSA Guidance

Additional Resources

Page 11

“This Cloud is simply Hosting”

Page 12

Page 13

Evolution of “Hosting”

CUSTOM: “Co-Location”  →  COMMODITY: “Cloud Service Providers”

Page 14

Evolution of Data Centers

Google Data Center: closest to power plants

• State of Oregon

• Columbia River

• 103 megawatt data center on 30 acres

• Near 1.8 GW hydropower station

Page 15

Data Center is the new “Server”

Page 16

POD Computing

Page 17

Page 18

Google’s low cost commodity server

Page 19

Is This New??

• Berkeley credited

• Cluster of Servers

• Started in 1994

Page 20

Page 21

Page 22

Page 23

Page 24

Broadband Network Access

Page 25

Page 26

Rapid Elasticity

Page 27

Page 28

Measured Service

• Risk of over-provisioning: underutilization

[Chart: static data center; capacity held flat above demand over time, the gap labelled “unused resources”]

Page 29

Measured Service

• Heavy penalty for under-provisioning: lost revenue, lost users

[Chart: three panels of demand vs. capacity over time (days 1–3), with lost revenue and lost users marked where demand outruns fixed capacity]

Page 30

Measured Service

• Pay by use instead of provisioning for peak

[Chart: static data center vs. data center in the cloud; demand and capacity over time, with unused resources marked on the static side]

Source: “Above The Clouds”

Page 31

Page 32

Resource Pooling = Virtualization

Traditional Stack:
  App | App | App
  Operating System
  Hardware

Virtualized Stack:
  App | App | App
  OS | OS | OS
  Hypervisor
  Hardware

Page 33

Server Virtualization

Page 34

Storage Virtualization

Page 35

Network Virtualization

[Diagram: Application VMs behind two ToR switches; physical network appliances on one side, virtual appliances on the other]

Physical appliances:
☒ High CapEx
☒ Low Utilization
☒ High Complexity
☒ Change-Resistant

Virtual appliances:
• Platform-Independent
• Razor-Thin CapEx
• Superior …
• Deploy anywhere
• Elastic scalability
• Interfaces with provisioning & orchestration systems
• Evolves with rapidly changing network architectures
• Utility licensing model

Page 36

Page 37

Case Study

• Created 10,000 Core-Cluster

• Leveraged Amazon’s EC2

• Genentech needed a super computer to examine how proteins bind together

• Using Genentech’s resources would have taken weeks or months to gain access & run program

Page 38

Completed in 8 Hours! Genentech’s Cost = $8,480!

• Infrastructure: 1250 instances with 8-core / 7-GB RAM

• Cluster Size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total

• Scale: Comparable to #114 of Top 500 Supercomputer list

• Security: Engineered with HTTPS & 128/256-bit AES encryption

• User Effort: Single click to start the cluster

• Start-up Time: Thousands of cores in minutes, full cluster in 45 minutes

• Up-front Capital Investment/Licensing Fees: $0

• Total CycleCloud and Infrastructure Cost: $1,060/hour

Page 39

Page 40

Delivery Models

• Utility computing (IaaS)
  – Why buy machines when you can rent cycles?
  – Examples: Amazon’s EC2, GoGrid, AppNexus

• Platform as a Service (PaaS)
  – Give me a nice API and take care of the implementation
  – Examples: Google App Engine, Force.com

• Software as a Service (SaaS)
  – Just run it for me!
  – Examples: Gmail, Salesforce.com and NetSuite

“Why do it yourself if you can pay someone to do it for you?”

Page 41

Page 42

Forrester: Cloud Market To Reach $241 Billion By 2020

Page 43

Case Study – Hybrid Cloud

• June 25, 2009

• 1 million visits in 24 hrs

• Twitter stood still

• Ticketmaster crawled

• Yahoo!: 16.4 million site visitors in 24 hours, more than Election Day’s 15.1 million

• Sony.com couldn’t sell music – 200 sites down

Page 44

Private to Public Burst

Page 45

Page 46

What About Service Oriented Architecture???

Page 47

BREAK

Page 48

Page 49

What is Different in the Cloud?

• Many concepts “in the cloud” are similar to concepts in standard outsourcing

• There are at least four themes which require a different mindset when working on security for cloud services:
  – Role clarity for security controls
  – Legal / jurisdictional / cross-border data movement
  – Virtualization concentration risk
  – Virtualization network security control parity

Page 50

What is Different in the Cloud?

Role Clarity

[Diagram: responsibility for security controls shifts from the customer at IaaS toward the provider at SaaS]

IaaS: Infrastructure as a Service    (Security ~ YOU)
PaaS: Platform as a Service
SaaS: Software as a Service          (Security ~ THEM)

Page 51

What is Different in the Cloud?

Legal / Jurisdictional Issues Amplified

Your Corporate Data?

• “Cloud” Provider Datacenter in San Francisco, USA
• “Cloud” Provider Datacenter in Tokyo, Japan
• “Cloud” Provider Datacenter in Geneva, Switzerland
• “Cloud” Provider Datacenter in Sao Paolo, Brazil
• “Cloud” Provider Datacenter in London, U.K.

Page 52

What is Different in the Cloud?

Virtualization Concentration Risks

“Old Way – Hack a System” vs. “New Way – Hack a Datacenter”

[Diagram: many guest systems sharing a single Hypervisor]

Page 53

What is Different in the Cloud?

Virtualized N-Tier Control Equivalence

[Diagram]
“Current Way”: Internet → Users → (FW, WAF, NIDS / IPS) → Presentation Layer → (FW, WAF, NIDS / IPS) → Data Layer
“New Way”: Internet → Users → Hypervisor hosting the Presentation Layer and the Data Layer

How do we ensure control parity?

Page 54

Key Cloud Security Problems

From CSA Top Threats Research:
– Trust: lack of provider transparency, impacts Governance, Risk Management, Compliance
– Data: leakage, loss or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks

Page 55

Cloud Security Alliance Guidance

Page 56

Cloud Security Alliance Guidance

Available at http://www.cloudsecurityalliance.org/Research.html

Cloud Architecture

Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Page 57

Defining Cloud

• On demand provisioning

• Elasticity

• Multi-tenancy

• Key types

– Infrastructure as a Service (IaaS): basic O/S & storage

– Platform as a Service (PaaS): IaaS + rapid dev

– Software as a Service (SaaS): complete application

– Public, Private, Community & Hybrid Cloud deployments

Page 58

Governance and Enterprise Risk Management

• Due diligence of providers’ governance structure and process in addition to security controls. SLAs

• Risk assessment approaches between provider and user should be consistent. Consistency in impact analysis and definition of likelihood

Page 59

Legal and Electronic Discovery

• Mutual understanding of roles related to litigation, discovery searches and expert testimony

• Data in custody of provider must receive equivalent guardianship as original owner

• Unified process for responding to subpoenas and service of process, etc.

Page 60

Compliance and Audit

• Right to Audit clause

• Analyze impact of regulations on data security

• Prepare evidence of how each requirement is being met

• Auditor qualification and selection

Page 61

Information Lifecycle Management

• How is integrity maintained?

• If compromised, how is it detected and reported?

• Identify all controls used during the data lifecycle

• Know where your data is!

• Understand provider’s data search capabilities and limitations

Page 62

Portability and Interoperability

• IaaS – Understand VM capture and porting to a new provider, especially if different technologies are used.

• PaaS – Understand how logging, monitoring and audit transfer to another provider

• SaaS – Perform regular backups into a usable form without SaaS.

Page 63

Security, Business Continuity and Disaster Recovery

• Conduct an onsite inspection whenever possible

• Inspect cloud provider’s disaster recovery and business continuity plans

• Ask for documentation of external and internal security controls – adherence to industry standards?

Page 64

Data Center Operations

• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel

• Understanding of provider’s patch management policies and procedures – should be reflected in the contract!

Page 65

Incident Response, Notification and Remediation

• May have limited involvement in incident response; understand the prearranged, communicated path to the provider’s incident response team

• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?

Page 66

Application Security

• S-P-I creates different trust boundaries in the SDLC – account for them in dev, test and production

• Obtain contractual permission before performing remote vulnerability and application assessments – provider inability to distinguish testing from an actual attack

Page 67

Encryption and Key Management

• Separate key management from the provider hosting the data, creating a chain of separation

• Understand provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted

• Ensure encryption adheres to industry and government standards when stipulated in the contract
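The first bullet, the chain of separation, is easiest to see in code. The following is an added example written for this page, not code from the CSA guidance or the presentation: a customer-held key-encryption key (KEK) wraps a per-object data key (DEK), and the storage provider receives only ciphertext plus the wrapped DEK. The `KeyCustodian` and `StorageProvider` classes are hypothetical stand-ins for a customer-controlled KMS/HSM and a cloud object store, and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a standard-library stand-in for AES-GCM (the custody model, not the cipher, is the point). The sample record is constructed.

```python
"""Envelope encryption with key custody separated from the storage provider."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC(enc_key, nonce || counter), truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Authenticated encryption (stand-in for AES-GCM): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key or any altered byte raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered data")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyCustodian:
    """Hypothetical customer-controlled key service (KMS/HSM): holds the KEK,
    only wraps and unwraps data keys, and never receives customer data."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek):
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek):
        return unseal(self._kek, wrapped_dek)


class StorageProvider:
    """Hypothetical cloud object store: keeps ciphertext plus the wrapped DEK,
    which together are not enough to recover plaintext."""

    def __init__(self):
        self._objects = {}

    def put(self, name, ciphertext, wrapped_dek):
        self._objects[name] = (ciphertext, wrapped_dek)

    def get(self, name):
        return self._objects[name]


def store_object(custodian, provider, name, plaintext):
    """Envelope encryption: fresh DEK per object, DEK wrapped under the custodian's KEK."""
    dek = secrets.token_bytes(32)
    provider.put(name, seal(dek, plaintext), custodian.wrap(dek))


def retrieve_object(custodian, provider, name):
    ciphertext, wrapped_dek = provider.get(name)
    return unseal(custodian.unwrap(wrapped_dek), ciphertext)


def _rejected(action):
    try:
        action()
        return False
    except ValueError:
        return True


def demo():
    """Round trip, then show what the hosting party alone can and cannot do."""
    custodian, provider = KeyCustodian(), StorageProvider()
    record = b"patient-id=12345;diagnosis=constructed sample"  # constructed input
    store_object(custodian, provider, "records/1", record)
    ciphertext, wrapped_dek = provider.get("records/1")
    # Without the KEK the provider cannot unwrap the DEK, and an object altered
    # on the provider side is rejected at retrieval rather than silently decrypted.
    tampered = bytearray(ciphertext)
    tampered[NONCE_LEN] ^= 0x01
    provider.put("records/1", bytes(tampered), wrapped_dek)
    tamper_detected = _rejected(lambda: retrieve_object(custodian, provider, "records/1"))
    provider.put("records/1", ciphertext, wrapped_dek)  # restore the good copy
    return {
        "round_trip_ok": retrieve_object(custodian, provider, "records/1") == record,
        "plaintext_visible_to_provider": record in ciphertext,
        "dek_unwrapped_without_kek": not _rejected(lambda: unseal(secrets.token_bytes(32), wrapped_dek)),
        "tamper_detected": tamper_detected,
    }
```

Calling `demo()` returns a dict showing that the round trip succeeds, that neither the plaintext nor the DEK is recoverable from what the provider stores, and that a modified object fails authentication. The property to check against a real provider is the same one the deck asks for: the party that unwraps DEKs must be operated under the customer's control, and the provider's audit trail should show wrap/unwrap calls it cannot make on its own.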


Page 68

Identity and Access Management

• IAM is a big challenge today in secure cloud computing

• Identity: avoid proprietary solutions unique to one cloud provider

• Any local authentication service offered by the provider should be OATH (Initiative for Open Authentication) compliant


Page 69

Virtualization

• Understand the security controls inside the VM beyond built-in hypervisor isolation: IDS, AV, vulnerability scanning, etc.

• Understand the external security controls protecting the exposed administrative interfaces (web-based consoles, APIs)

• Require reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs


Page 70

Additional Cloud Security Alliance Resources


Page 71

Cloud Security Alliance Initiatives

1. GRC Stack

2. Security Guidance for Critical Areas of Focus in Cloud Computing

3. Cloud Controls Matrix (CCM)

4. Consensus Assessments Initiative

5. Cloud Metrics

6. Trusted Cloud Initiative

7. Top Threats to Cloud Computing

8. CloudAudit

9. Common Assurance Maturity Model

10. CloudSIRT

11. Security as a Service


Page 72

Cloud Controls Matrix Tool

• Controls derived from the CSA security guidance

• Each control rated as applicable to SaaS, PaaS and/or IaaS (S-P-I)

• Identifies whether the customer or the provider owns each control

• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS

• Helps bridge the gap between IT and IT auditors

www.cloudsecurityalliance.org/cm.html

Page 73

Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

• Cloud Security Alliance, Chicago Chapter

[email protected]

• LinkedIn: http://www.linkedin.com/groups?gid=3755674

Page 74

Questions?
