Security & Privacy in Cloud Computing


Dr. John D. Johnson presents on security and privacy surrounding cloud computing at the 2009 InfraGard conference in Springfield, IL.


  • 1. Security & Privacy Issues in Cloud Computing
  • 2. The Hype: "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I can't think of anything that isn't cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?" Larry Ellison, CEO, Oracle (WSJ 9/25/08)
  • 3. Video
  • 4. Closer to Earth: Let's presume that Cloud Computing is real. What is it? Let's try to cut through the hyperbole and define Cloud Computing, and see what it has to offer consumers and organizations.
  • 5. Example: Microsoft
  • 6. Sorting things out: Utility or Infrastructure; Platform; Software
  • 7. Infrastructure as a Service: Amazon sells computing power in a way similar to how we get electricity from the power company. It uses a pay-as-you-go model for offering VM instances, computing power and storage on demand.
  • 8. Platform as a Service: One step above the utility, you find the PaaS providers, like Google App Engine, Salesforce, and the recently announced Microsoft Azure platform. Here you develop apps and leverage a common development framework and platform for delivery.
  • 9. Software as a Service: Software as a Service (SaaS) is what most people are familiar with. This is where many of the common Web 2.0 applications are, like Flickr, Gmail, Google Apps, Facebook, Twitter... There are also enterprise applications, with SAP, Oracle, Microsoft and others attempting to gain market share here.
  • 10. Terminology: Let's face it, the use of all these acronyms can get confusing! SOA and SaaS often get confused. The utility and platform services are often called nothing more than the evolution of the third-party hosting services that companies have used for years. There are good reasons these assumptions are incorrect.
  • 11. SOA is dead? "SOA met its demise on January 1, 2009, when it was wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on services." Manes' real point, to quote her, is that "we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business." Anne Thomas Manes, Burton Group
  • 12. Consumers: Cloud Computing is a new name for things consumers are already doing. Consumers are tired of being IT techs. Consumers want to DO things online, and have the Internet cloud be as simple as Cable TV. "I don't care what's up there, as long as it WORKS!"
  • 13. The Business Case: Cost savings from economies of scale; Scalability; Elasticity; Reliability (and in some cases, they enjoy a transfer of liability by outsourcing services)
  • 14. (figure, 2007) Source: 109706
  • 15. (figure; source link not preserved)
  • 16. Where does it make sense? Start-ups; Apps that are not processing key data; Apps that benefit greatly from economies of scale, and that require high availability and DRP; Apps that need periodic, huge capacity or CPU processing
  • 17. Where does it not make sense? Key apps that are earning your bread and butter; Apps that touch personal data or process high-value/consumer transactions should be considered carefully; Most cloud computing works well for highly parallel, but not serial, apps
  • 18. On-site vs. Off-site: PaaS can be hosted at your data center, outsourced, or hosted in a hybrid environment like this example. (figure; source link not preserved)
  • 19. Concerns in the Cloud: Security; Control; Performance; Support; Vendor Lock-In; Speed of Scaling; Configurability
  • 20. Security Concerns: CIA + Privacy; Can you extend your policies to the cloud?; Regulatory compliance; Managing data on shared systems; Forensics; Auditing; Segregation of data; Portability & Interoperability; Reliability & Manageability
  • 21. In The News: "Breach May Preface Targeted Attacks"; "Admits Data Loss"; "Millions of Gmail Users Left in the Lurch"; "Gmail is down, down, down"
  • 22. More: United Airlines Flight Operations Computer System Failure; San Francisco Power Grid Failure; PayPal Subscription Processing Fails; Skype Down for Days; LAX TSA Screening System Failure. What if Google were to disappear for a few days? Or Facebook? Yahoo?
  • 23. Compliance in the Cloud: Let me just list some common U.S. regulations and speak to them: PCI; SOX; HIPAA; GLB; California Breach Law (SB1386)
  • 24. Future Trends: The Web as a Participatory Worldwide Communications Medium (Wikipedia, Facebook, YouTube); The Need to Use Less Energy; Innovation Imperative; Quest for Simplicity; Structure Out of Chaos. Source: Cloud_Computing_Hype_Versus_Reality
  • 25. Grinch in the Cloud. The Grinch: "It came without segregation. It came without recovery goals. It came without adequate physical, logical, or personnel access controls. It could have been high, it could have been low, I just have no clue where the data may flow!" Narrator: Then the Grinch thought of something he hadn't before. The Grinch: "Maybe the perfect solution doesn't come from a store. Maybe solving business problems securely..." Narrator: He thought. The Grinch: "...means a little bit more."
  • 26. Useful Resources: World Privacy Forum; Security Monks Blog, http:// recent-cloud-postings/ ; Rational Survivability Blog, http://rati