Cloud computing and Cloud security fundamentals

  • Published on
    11-Feb-2017



Transcript


Fundamentals of Cloud & Cloud Security

Viresh Suri, GlobalLogic

16th December 2015 | Delhi, Innerve - 2015

Next generation 1

Fundamentals of Cloud Computing

What is Cloud Computing?


Evolution of IT Computing Models

http://mydocumentum.wordpress.com/2011/05/14/monday-may-9-2011/


The NIST Definition of Cloud Computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

National Institute of Standards and Technology (NIST) www.nist.gov

Cloud Computing Taxonomy - NIST

http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html

Service Models: Private (On-Premise), Infrastructure (as a Service), Platform (as a Service), Software (as a Service)

Each service model stacks the same layers: Storage, Server HW, Networking, Servers, Databases, Virtualization, Runtimes, Applications, Security & Integration

Each layer is either managed by you or managed by the vendor; moving from on-premise through IaaS and PaaS to SaaS shifts more of the layers to the vendor


Virtualization: The Cloud Backbone

Hypervisor

Cloud Architecture

What is driving Cloud adoption ?

Enterprise challenges

Speed of provisioning constrains business execution

Disaster Recovery, Fault Tolerance, High Availability

Existing hardware has reached end of serviceable life

Datacenter capacity limits are being reached

Applications & processes have variable demand

High Maintenance Costs

Software License Costs

How Cloud helps

Elastic Capacity

Infinitely Scalable (Almost)

Quick and Easy Deployment

Provisioning in Minutes

Business Agility

No CapEx, only OpEx; fine-grained billing (hourly)

Pay as You Go

Leverage Global Scalability & DR

Be Free from IT Management Hassles

Metering, Monitoring, Alerts

Cloud Challenges

Legal & Compliance

Security

Lack of Standards, Compatibility

Reliability & Performance

A Snapshot of Cloud Providers

Azure + System Center + Windows Server gives a hybrid solution

Openshift: PaaS from RedHat

Office 365 integration with existing on-prem directory services, Lync, Exchange Server, Sharepoint Server

Holistic Migration Process

Public v/s Private Cloud Decision

Key Question              Private Cloud Preferable   Public Cloud Preferable
Demand                    Constant                   Variable
Growth                    Predictable                Unpredictable
Users                     Concentrated               Dispersed
Customization             High                       Minimal to none
Data Privacy & Security   Stringent Requirement      Moderate Requirement
Performance               Very High                  Moderate to High

Fundamentals of Cloud Security

Important Points to know

Top cyberattack methods aimed at cloud deployments grew 45 per cent (Application Attacks), 36 per cent (Suspicious Activity) and 27 per cent (Brute Force attacks) respectively over the previous year, while top attacks aimed at on-premises deployments remained relatively flat.

Read more: http://www.itproportal.com/2015/11/16/interview-charting-the-cloud-security-landscape/#ixzz3uT1S7EQ8

As per 2014 KPMG Cloud Security Report

When it comes to selecting a cloud solution, Security is the no. 1 concern

Compared to 2012 survey, security and data privacy are greater concerns than cost efficiency

Security is a lesser challenge now, compared to 2012. Cloud providers better prepared to secure data, and manage security breaches when they occur

Cyber attacks, Regulatory norms

CSA's Notorious Nine Security Threats

Data Breaches

Data Loss

Account or Service Hijacking

Insecure APIs

Denial of Service

Malicious Insiders

Abuse of Cloud Services

Insufficient Due Diligence

Shared Technology


Key Security Considerations in a Public Cloud

Network Security

Built-in firewalls, control of network access to instances and subnets

Private / Dedicated Connectivity options from office / on-premises environments

Encryption in transit

DDoS mitigation

Configuration Management

Inventory and Configuration Management tools to identify resources, track to manage them

Template definition and management tools to create standard / pre-configured VMs

Deployment Tools to manage creation and decommissioning of resources as per org. standard

Data Encryption

Available for data at rest in Storage services

Flexible Key Management options, including Cloud Managed keys / self-managed keys

Hardware based cryptographic key storage options

APIs for you to integrate encryption and data protection with any service developed / deployed on the cloud

Access Control

Capabilities to define, enforce and manage user access policies across services

Identity and Access Management

Multifactor authentication, including hardware based authentication options

Integration and federation with corporate directories

Monitoring and Logging

Deep visibility into API calls, including Who? What? When? From Where?

Log aggregation, streamlining investigations, compliance reporting

Alert notifications

Cloud Security Landscape

http://www.josephfloyd.com/blog/cloud-security-landscape

Cloud Security Comparison

http://fortycloud.com/iaas-security-state-of-the-industry/

The state-of-the-industry public IaaS security research examines the following features:

Shared Cloud Network: a public IaaS environment where different cloud customers share the same cloud service subnet. In this model, each cloud server (VM) usually has a public IP address (permanent or temporary) as well as a service IP address for the internal cloud service network.

Virtual Private Cloud (VPC) Network: the IaaS provider supports isolation of customers' cloud deployments, such that a customer can have a private subnet that is not reachable from other customers' cloud servers or from the public Internet.

Firewall: a collection of policies and rules to control the traffic allowed to and from a group of cloud servers or static IP addresses.

Identity-based access management: firewall rules based on user identity, allowing specific users access to a specific set of compute resources.

Secure extension: the ability to securely connect enterprise sites to the cloud deployment (usually a virtual private network) via static IPsec connections.

Secure remote access to individual server: the ability to access an individual machine (VM) using a secure protocol (such as SSH or RDP); this type of remote access is usually based on credentials that are specific to a single user and a single server.

Remote VPN access: the ability of the organization's employees to securely connect on demand to the cloud deployment remotely using VPN clients; this includes central authentication of the employee's identity prior to gaining access to the cloud deployment (part or all of the cloud servers).


The Road Ahead

Clouds are more prone to security attacks than on-prem deployments

Doesn't mean that those attacks are successful

Cloud Providers are better enabled to handle security now

2016 will be the first year when people choose cloud because of security benefits, and not elasticity / cost

However, stay cautious! More serious attacks could be expected as well

Security in AWS

Standards Supported

GxP, ISO 13485, AS9100, ISO/TS 16949

Shared Responsibility

AWS:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network, & Firewall Configuration

Customer applications & content

AWS CloudTrail

CloudTrail records API calls on services, delivers detailed logs

Use Cases supported:

Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns

Track Changes to AWS Resources : Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes

Troubleshoot Operational Issues : Identify the most recent actions made to resources in your AWS account

Compliance Aid : Easier to demonstrate compliance with internal policies and regulatory standards
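The Who / What / When / From Where view and the security-analysis use case above, as an added example that is not part of the deck or of any AWS tooling: three constructed CloudTrail records are run through small detection rules (console sign-in without MFA, security-group changes, calls from outside an assumed corporate network range). The user names, IPs, group id and trusted network are placeholders.

```python
import ipaddress

# Constructed CloudTrail records (placeholder users and IPs, not real account data).
# Field names follow the CloudTrail event schema: eventTime, eventName, userIdentity,
# sourceIPAddress, and additionalEventData.MFAUsed for console sign-ins.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2015-12-16T09:12:01Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.25", "userIdentity": {"userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-12-16T09:15:44Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.25", "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0123example"}},
    {"eventTime": "2015-12-16T10:02:10Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]}

# Assumed corporate egress range (a placeholder, not from the page).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# EC2 API calls that change security-group rules (the "track changes" use case).
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                    "CreateSecurityGroup", "DeleteSecurityGroup"}

def summarize(record):
    """Who / What / When / From Where for one CloudTrail record."""
    return {"who": record.get("userIdentity", {}).get("userName", "unknown"),
            "what": record["eventName"], "when": record["eventTime"],
            "where": record["sourceIPAddress"]}

def findings(record):
    """Names of the detection rules this record triggers (empty list if none)."""
    alerts = []
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if record["eventName"] == "ConsoleLogin" and mfa != "Yes":
        alerts.append("console-login-without-mfa")
    if record["eventName"] in SG_CHANGE_EVENTS:
        alerts.append("security-group-change")
    try:  # sourceIPAddress may be a service name such as "ec2.amazonaws.com"
        ip = ipaddress.ip_address(record["sourceIPAddress"])
    except ValueError:
        return alerts
    if not any(ip in net for net in TRUSTED_NETWORKS):
        alerts.append("call-from-untrusted-network")
    return alerts

def analyze(trail):
    """Run every record through the rules; keep only those that raised an alert."""
    hits = [(summarize(r), findings(r)) for r in trail["Records"]]
    return [(who_what, alerts) for who_what, alerts in hits if alerts]
```

Against real trails, the same functions would be fed the Records array from each delivered CloudTrail log file rather than the constructed sample.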

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

Use Cases:

Am I safe?: Continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses

Where is the evidence?: A complete inventory of all resources and their configuration attributes is available for any point in time

What will this change affect?: Relationships between resources are understood, so that you can proactively assess change impact

What has changed?: You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
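The "Am I safe?" and "What has changed?" use cases, as an added example that is neither the deck's nor an AWS Config rule: a small evaluator over two constructed security-group snapshots shaped like EC2 DescribeSecurityGroups output, flagging ingress open to the whole Internet on admin ports and diffing the two snapshots. The group id, ports and CIDRs are placeholders.

```python
# Constructed security-group snapshots in the shape of EC2 DescribeSecurityGroups
# output; the group id and CIDRs are placeholders, not from the page.
SG_BEFORE = {"GroupId": "sg-0123example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]}

SG_AFTER = {"GroupId": "sg-0123example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

ADMIN_PORTS = {22, 3389}          # remote-administration ports that should never be world-reachable
ANYWHERE = {"0.0.0.0/0", "::/0"}  # "from anywhere" source ranges, IPv4 and IPv6

def _flatten(perm):
    """Expand one IpPermissions entry into (protocol, from_port, to_port, cidr) tuples."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return {(perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), c) for c in cidrs}

def rules(sg):
    """All ingress rules of a group as a set, so snapshots can be compared."""
    return set().union(*(_flatten(p) for p in sg["IpPermissions"]))

def evaluate(sg):
    """'Am I safe?': reasons the group is non-compliant (empty list means compliant)."""
    reasons = []
    for proto, lo, hi, cidr in sorted(rules(sg), key=str):
        if cidr not in ANYWHERE:
            continue
        if proto == "-1":                       # "-1" means all protocols and all ports
            reasons.append(f"{cidr} allowed on all ports")
        elif any(lo <= p <= hi for p in ADMIN_PORTS):
            reasons.append(f"{cidr} allowed on {proto} {lo}-{hi}")
    return reasons

def what_changed(before, after):
    """'What has changed?': ingress rules added and removed between two snapshots."""
    old, new = rules(before), rules(after)
    return {"added": sorted(new - old, key=str), "removed": sorted(old - new, key=str)}
```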

AWS Key Management Service

A managed service that makes it easy for you to create, control, and use your encryption keys

Centralized view of all key usage in the organization

Uses HSMs to protect Key Security

Integrated with AWS CloudTrail to provide logs of all key usage for regulatory and compliance requirements

AWS IAM

Centrally manage users, security credentials such as passwords, access keys, permissions, and policies that control which AWS services and resources users can access

Allows creation of multiple AWS users, give them their own user name, password, access keys

AWS CloudHSM

Allows protection of encryption keys within HSMs designed and validated to government standards for secure key management

Cryptographic keys can be generated, managed and stored such that they are accessible only by you

Allows regulatory compliance without compromising on application performance

CloudHSM instances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances

AWS VPC

Allows provisioning of a logically isolated section of the AWS cloud, where AWS resources can be launched in a virtual network defined by you

You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways

You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

AWS WAF

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Gives you control over which traffic to allow or block to your web application by defining customizable web security rules.

You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

AWS Inspector (Preview)

Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Automatically assesses applications for vulnerabilities or deviations from best practices.

After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.

Includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g. PCI DSS) and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

viresh.suri@globallogic.com

http://www.linkedin.com/in/vireshsuri

Thank You

