Threats and Risks to Cloud Computing April, 2011


Threats and Risk #1 Malicious Insiders

Abusive and nefarious users may be next to you

For Cloud Customer (CC):

- Many other users in the same cloud
  - Spammer
  - Cracker
  - Botnet Commander
  - Normal users with low security literacy
- Being affected by malicious users
  - Confiscation of resources due to neighbors' activities
    - Hardware resources
    - Network resources (a range of IP addresses, traffic)
  - Damage to business reputation
- Direct attacks by a malicious cloud customer
  - Theft of secret data within shared storage
  - Malware spreading
  - Virus chain infection

For Cloud Provider (CP):

- More difficult to identify the CC
  - Increase in personal users
  - Automated application on the web
  - With no credit, no validation process
- Separating each CC's resources in a virtual environment
  - How are CC resources separated?
  - How does each CC keep its independence?
  - How is it proven?
- Need to prepare for incidents
  - How are malicious users kept out?
  - How does the CP detect an incident?
  - How does the CP respond to an incident?


Threats and Risk #2 Resource Shortage

"Prediction of demand" and "planning Cloud Service expansion"

For Cloud Customer:

- Controlling resources is up to the CP
  - How does the CC verify the stock of cloud resources?
    - That's impossible
    - Cloud is invisible
- Have you ever thought about it?
  - The CP may say "No" when you order new resources
  - The CP may say "Too much traffic"

For Cloud Provider:

- How do you predict demand?
  - When do you decide to expand cloud resources?
  - Surplus stock is a nightmare
  - Market demand is changing very rapidly
  - Unpredictable demand
- Does the CP's infrastructure expand permanently?
  - How about the design of the infrastructure?
  - How about the capacity for traffic?


Threats and Risk #3 Loss of direct control over systems

System design is restricted by the cloud's specification

For Cloud Customer:

- Need to know what is restricted by the CP
  - Network design
  - Hardware spec
  - Capacity of storage (NAS, DAS, SAN, etc.)
  - Connectivity between office and cloud
- The CC cannot adjust corporate governance to the cloud
  - SLA, SLO
  - MTBF, MTTR

For Cloud Provider:

- How does the CP respond to CC requests?
  - Requirements for the SLA
  - Guarantees on MTBF, MTTR
- One cloud, one regulation
  - Difficult to commit to a special agreement with a CC
- Does the CP's infrastructure expand permanently?
  - How about the design of the infrastructure?
  - How about the capacity for traffic?


Threats and Risk #4 Data Loss or Leakage

Your important data may be traveling around the world

For Cloud Customer:

- Secure connection with the cloud
  - Encrypt and protect data
  - Strong API access control
- Back up and replicate data
  - No tape drives in the cloud, of course!
  - Disk-to-disk backup is the main method
  - Is the backup data in the same cloud space?
  - Cloud-to-cloud backup
- Recent clouds have a location-free architecture
  - Can't specify the physical location of data
  - In the US, Europe, Asia or ...?
  - In China? It's not impossible
  - Secret data may travel around the world

For Cloud Provider:

- CC data depends on the CP
  - In the case of termination or failure
  - The CP has to know how to protect CC data
  - The CP has to know how to restore CC data
- What does the CP do when CC data is leaked or lost?
  - Responsibility for data protection
  - Contract wording about data
  - The CP should not know what the data is
- Is placing the data worldwide legal?
  - Patent information
  - Personal information
  - Government information
  - Can the CP place data without consent?


Threats and Risk #5 Unknowable Risks

You don't know what you don't know

For Cloud Customer:

- Which cloud best fits your requirements?
  - No efficient guideline for selecting a CP
    - Service continuity
    - Administration stability
    - Cost-performance effectiveness
  - No methods to compare clouds
    - Virtual resource performance
    - Seamless connectivity
    - Sufficient scalability
- To begin with, do you really need the cloud?
  - Using the cloud is not the only way but one of many
  - Judge calmly, without being swayed by trends

For Cloud Provider:

- Technical risks
  - Various third-party products in the cloud
  - Insufficient validation
  - Complex architecture
- Business risks
  - New laws that affect CPs
    - USA PATRIOT Act, etc.
  - Price competition
  - Cloud scale competition


"If you do not know where you are going, every road will get you nowhere"

Henry Alfred Kissinger