antonio-sanz-alcober
DESCRIPTION
A talk about Cloud computing and the risks and benefits that such a scheme presents to our IT operations
Cloud Computing & Security: Are there clouds in our sky?
> Antonio Sanz
> I3A - IT Manager
> Security Expert
> http://i3a.unizar.es
> @antoniosanzalc
Cloud Computing
Topic 1: Secure software design
4
Cloud Computing Security
Index
> Cloud Computing
> Opportunities
> Cloud Computing risks
> Migrating to a Cloud Infraestructure
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction”
[*First & last boring slide. Promise]
Cloud Computing: Main points
> On demand
> Ubiquitous
> Resource pool
> Elastic
> Measurable
Service Types
IaaS – Infrastructure as a Service
> Raw infrastructure
> Storage, network & servers
> We do the rest
> Flexible but costly
> e.g. Amazon AWS
PaaS – Platform as a Service
> You’ve got the OS but no apps
> IaaS + OS + Base services
> App deployment is fine (e.g. a .jar)
> Less control but less cost
> e.g. Google App Engine
SaaS – Software as a Service
> You’ve got everything
> IaaS + PaaS + Apps
> Ready to go
> Minimal control / Minimal effort
> e.g. Salesforce.com (CRM)
Public, Private Clouds
> Public: Public access, shared resources (-security, -cost)
e.g. Amazon AWS
> Private: Private access, dedicated resources (+security, +cost)
e.g. NASA Nebula → OpenStack
Community , Hybrid
> Community: A group that shares a private cloud
e.g. Business holding
> Hybrid: A mix of the others
Technology
Technologies
> Virtualization
> Shared storage
> High speed networks
> Multidevice access
> Advanced Middleware (access, monitoring, provisioning)
Advantages
Cloud Computing Pros
> Elasticity / Scalability
> Availability
> Performance
> Ubiquitous access
> Very low CAPEX
> OPEX savings
Success Case
Amazon AWS - http://aws.amazon.com/
> Amazon Web Services
> EC2 (Elastic Compute Cloud)
> S3 (Simple Storage Service)
> You can do … almost everything
> Others: Rackspace, vCloud, Azure, IBM (great, too)
NetFlix - http://www.netflix.com/
> Video streaming (Films, serials, shows)
> Almost 20% of US bandwidth
> Uses Amazon AWS
> Benefits: Scalability + Availability
> Video transcoding “on the fly” with EC2
> Video storage with S3
> Usage data analysis with EC2
Dropbox - http://www.dropbox.com/
> Backup in the cloud
> Around 12 PB (12,000 TB)
> Uses Amazon S3
> Benefit: Scalability
> Business model (VIP): http://www.w2lessons.com/2011/04/economics-of-dropbox.html
Technology
Cloud Is Good!
Cloud Computing Risks
Business Risks
Vendor Lock-In
Vendor Lock-In = To have you by the balls
Vendor lock-in
> It’s hard to say goodbye
> SaaS : No “export” option
> PaaS : API interoperability
> IaaS : Different technologies
> Defense: Right CP (Cloud Provider) choice
Lack of IT Governance
Lack of IT Governance
> IT Governance != Cloud Computing Governance
> Limited functionalities / High costs
> Loss of Control of our IT
> Defense: Clear objectives & design, Right CP choice
Compliance & Laws
Compliance & Laws
> We need to comply with all the regulations (PCI DSS, LOPD)
> Imposes transitive compliance on the CP
> Legal gaps
> Defense: Good analysis, right CP choice
SLAs
SLA (Service Level Agreements)
> Contract signed with CP
> Services offered
> Warranties offered
> Service metrics & compensations/penalties
> Defense: SLA study & tuning
Provider Failures
Provider failures
> “Errare machina est”
> Starting security standards
> CP Business Continuity plan
> OUR Business Continuity plan
> Defense: Business continuity definition, right CP choice
Third party failures
Third party failures
> CP = Service & Technologies Integrator
> But … what about electricity, connectivity, HVAC ?
> We have to take care of our facilities too
> Defense: Right CP choice, third party evaluation (CP and proper)
Technical risks
Resource Starvation
Resource starvation
> Resources are assigned on demand
> CP scales up … but how ?
> Situation: No more resources available when they were most needed!!
> Defense: Resource reservation, right CP choice
Isolation Faults
Isolation Faults
> Cloud = Shared Resources = Shared flat
> How secure is your neighbour ?
> Third party security failure → Everybody is compromised
> Defense: Private Clouds, right CP choice
Data leaks
Data leaks
> Lots of sensitive info in our CP
> Disgruntled employees
> Wrong service configuration
> Defense: Right CP choice, cipher use, log reviews
Data Transit
Data Transit
> Network → Information flows
> Local interception
> In-transit interception
> In-Cloud interception
> Defense: SSL, cipher use
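“SSL” as a defense only works when the client actually verifies who it is talking to. As an added example (not code from the talk), the Python below puts the weak client setting next to the corrected one using the standard `ssl` module: the first context skips certificate and hostname checks, so any interceptor on the path can present its own certificate; the second uses the system CA store, checks the hostname and refuses anything below TLS 1.2. The hostname in the helper is a placeholder.

```python
import socket
import ssl


def insecure_context():
    # The weak setting: no certificate or hostname verification, which makes
    # in-transit interception trivial. Shown only to contrast with the fix.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    # The corrected setting: system CA store, hostname check, TLS 1.2 minimum.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx):
    """Policy check a deployment script can run before using a context."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_tls_connection(host, port=443):
    # Usage helper (not exercised offline): the server_hostname argument is
    # what makes the hostname check meaningful.
    ctx = hardened_context()
    if not context_is_acceptable(ctx):
        raise RuntimeError("refusing to connect with a weak TLS context")
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("insecure acceptable:", context_is_acceptable(insecure_context()))
    print("hardened acceptable:", context_is_acceptable(hardened_context()))
```

The same three properties (trusted CA store, hostname verification, a modern minimum protocol version) are what to look for in any SDK or agent your provider ships, whatever language it is written in.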
Cloud Provider Compromise
CP Compromise
> Cloud = Technology mesh = Lots of possible security flaws
> Cloud interface management attacks
> Cloud user management attacks
> Infrastructure attacks
> Defense: Right CP choice, SLAs, incident response planning
DDOS
DDOS / EDOS
> DDOS (Distributed Denial Of Service)
> Intended to take down an infrastructure → Attack on availability
> Cloud → Neighbours are collateral damage
> EDOS (Economic Denial of Service)
> Intended to cause economic damage
> Defense: SLAs, charge limits, incident response
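Elastic scaling is exactly what an EDoS exploits: the infrastructure stays up and the bill explodes. The “charge limits” defense can be expressed as a small spend watchdog. The Python below is an added example (not from the talk): it walks constructed hourly usage rows through a made-up price list, raises a warning at 80% of a monthly charge limit and marks the hour at which the hard limit is reached, which is where automated scaling should stop and the incident response plan should start. Prices, usage figures and the limit are all illustrative.

```python
from datetime import datetime, timedelta

# Constructed price list in euro per unit (illustrative, not a real tariff).
PRICES = {"instance_hours": 0.10, "egress_gb": 0.09}


def constructed_usage():
    """48 hourly usage rows: 30 quiet hours, then an EDoS-style traffic flood
    that makes autoscaling add instances and pushes egress up (constructed)."""
    start = datetime(2024, 1, 1)
    rows = []
    for h in range(48):
        flood = h >= 30
        rows.append({
            "hour": (start + timedelta(hours=h)).isoformat(),
            "instance_hours": 40 if flood else 4,
            "egress_gb": 900 if flood else 20,
        })
    return rows


def hour_cost(row):
    # Cost of one hourly row under PRICES.
    return sum(row[key] * price for key, price in PRICES.items())


def evaluate_spend(rows, charge_limit, warn_ratio=0.8):
    """Accumulate spend hour by hour; report the first hour the warning
    threshold is crossed and the hour the hard charge limit is hit."""
    spent = 0.0
    warned_at = limited_at = None
    for row in rows:
        spent += hour_cost(row)
        if warned_at is None and spent >= warn_ratio * charge_limit:
            warned_at = row["hour"]
        if spent >= charge_limit:
            limited_at = row["hour"]
            break  # hard limit: stop billable scaling, escalate to incident response
    return {"spent": round(spent, 2), "warned_at": warned_at, "limited_at": limited_at}


if __name__ == "__main__":
    print(evaluate_spend(constructed_usage(), charge_limit=400))
```

In a real deployment the rows come from the provider's billing or metering export and the two thresholds map to an alert and to a scaling cap; the point of the warning level is to give people time to look at the traffic before the cap turns an EDoS into a self-inflicted DoS.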
Cipher & Backup
Encryption
> Sensitive info → Encrypt it
> Secure information deletion (wipe)
> Defenses: Strong ciphers, keep the keys safe, SLA
Backups
> Info is EVERYTHING → Backups
> Don’t forget your backups (even if the CP does them… you do them too)
> Automated procedure
> Defense: Procedure design, right CP choice
Logs Access
> Logs = Activity of our IT
> Needed to do debugging
> Critical if a security incident arises
> How can I access my logs?
> Defense: SLA, right CP choice
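Once the SLA gives you access to the provider's logs, the next question is what to look for in them. As an added example (not code from the talk), the Python below runs a small review over constructed, simplified access-log lines modelled loosely on the fields of storage access logs (time, bucket, remote IP, requester, operation, key, HTTP status; not real provider output). It flags anonymous requests against keys under a prefix we declare sensitive: a served read is a data leak, a denied one is still a signal that something is probing. The bucket, IPs, principals and prefix are all invented.

```python
import re

# Constructed, simplified access-log lines (not real log output). Fields:
# time bucket remote_ip requester operation key http_status
# A requester of "-" means the request was unauthenticated (anonymous).
SAMPLE_LOG = """\
2024-01-05T10:00:01Z payroll-bucket 10.0.0.5 arn:aws:iam::111122223333:user/alice REST.GET.OBJECT hr/2023/salaries.csv 200
2024-01-05T10:00:07Z payroll-bucket 203.0.113.9 - REST.GET.OBJECT hr/2023/salaries.csv 200
2024-01-05T10:00:09Z payroll-bucket 203.0.113.9 - REST.GET.OBJECT hr/2023/bonus.csv 403
2024-01-05T10:01:00Z payroll-bucket 10.0.0.8 arn:aws:iam::111122223333:user/bob REST.GET.OBJECT public/logo.png 200
2024-01-05T10:01:30Z payroll-bucket 198.51.100.4 - REST.GET.OBJECT public/logo.png 200
2024-01-05T10:02:30Z payroll-bucket 10.0.0.5 arn:aws:iam::111122223333:user/alice REST.PUT.OBJECT hr/2023/salaries.csv 200
"""

# Key prefixes treated as sensitive (an assumption made for this example).
SENSITIVE_PREFIXES = ("hr/",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than abort the review
    time, bucket, ip, requester, op, key, status = m.groups()
    return {"time": time, "bucket": bucket, "ip": ip, "requester": requester,
            "op": op, "key": key, "status": int(status)}


def review(log_text):
    """Return (kind, time, ip, key) findings for anonymous requests against
    sensitive keys; served reads are leaks, denied ones are probing signals."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        anonymous = rec["requester"] == "-"
        sensitive = rec["key"].startswith(SENSITIVE_PREFIXES)
        if not (anonymous and sensitive):
            continue
        kind = "ANON_SENSITIVE_READ" if rec["status"] == 200 else "ANON_SENSITIVE_DENIED"
        findings.append((kind, rec["time"], rec["ip"], rec["key"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The anonymous read of `public/logo.png` is deliberately not reported: the value of a log review lies in the sensitivity classification you feed it, which is why the earlier slides insist on identifying sensitive information before choosing controls.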
Disaster Recovery
Disaster Recovery
> Shit happens (Murphy’s Law)
> Earthquakes, fires, floods, alien invasions…
> Our CP must have a Business Continuity plan
> We must have ours !!
> Defense: Business Continuity plan
Legal Risks
Compliance & Laws
> Lots of laws & regulations
> Is our CP compliant ?
> National & International laws
> Defense: Preliminary analysis, right CP choice
Data protection
> LOPD (Ley Orgánica de Protección de Datos)
> Cloud sometimes implies international data transfers → Complicated issues
> Safe Harbour → Amazon, Google
> Defense: Preliminary analysis, right CP choice
Computer Forensics
> Security incident in our CP → Someone has set up a child pornography site
> It may be anyone in our cloud!!
> Possible result = Server seizure
> Defense: Right CP choice, SLA, Business Continuity plan
Using Cloud Computing
Analyze
Identify Services
> Services that can benefit most from Cloud Computing
> Main benefits: Scalability, Availability & Elasticity
> Services with intermittent but heavy resource use (e.g. Sports newspapers on Mondays)
Evaluate CC models
> IaaS, PaaS, SaaS ?
> Public, Private, Hybrid, Community?
> See what others like us are doing
> Decide which model fits our needs best
Know
Defining security needs
> Know our service thoroughly
> Define the information flows
> Identify sensitive info
> Measure how critical the service is
> Assign a value to the service
Risk Analysis
> Know the existing risks when using cloud computing
> Apply them to our service
> Define a maximum risk level
> Important!: Be utterly objective
Plan
Evaluate cloud providers
> Read the SLA (Service Level Agreement) carefully
> Read it again
> Evaluate security compliance
> Added value services
> Price !
Security controls
> Define security controls
> Controls in the cloud & our IT
> Technical & procedural control
> Target: Lower our real risk
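The Risk Analysis slide (define a maximum risk level, be objective) and this Security controls slide (lower our real risk) together describe a risk register. As an added example that is not part of the talk, the Python below carries that procedure through: each risk from the deck gets an inherent score (likelihood × impact on 1 to 5 scales), the chosen controls reduce likelihood and/or impact, and the residual score is compared against the maximum we are willing to accept. The scores, the controls and their effect are invented for illustration; the risk names come from the talk.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    # Each control: (name, likelihood reduction, impact reduction).
    controls: list = field(default_factory=list)

    def inherent(self):
        # Risk before any control is applied.
        return self.likelihood * self.impact

    def residual(self):
        # Apply controls in order; neither factor drops below 1.
        l, i = self.likelihood, self.impact
        for _, dl, di in self.controls:
            l = max(1, l - dl)
            i = max(1, i - di)
        return l * i


def constructed_register():
    """Risk register with illustrative scores (constructed, not from the talk)."""
    return [
        Risk("Data leak (misconfiguration)", 4, 5,
             [("Client-side encryption", 0, 3), ("Log review", 1, 0)]),
        Risk("Data in transit interception", 3, 4, [("TLS everywhere", 2, 2)]),
        Risk("Resource starvation", 2, 4, [("Reserved capacity", 1, 1)]),
        Risk("Vendor lock-in", 3, 3, []),
        Risk("EDoS", 2, 3, [("Charge limits", 0, 2)]),
    ]


def over_limit(register, max_risk):
    """Names of risks whose residual score still exceeds the accepted maximum."""
    return [r.name for r in register if r.residual() > max_risk]


def plan_summary(register, max_risk):
    """name -> (inherent, residual, accepted?) for the decision slide."""
    return {r.name: (r.inherent(), r.residual(), r.residual() <= max_risk)
            for r in register}


if __name__ == "__main__":
    register = constructed_register()
    for name, row in plan_summary(register, max_risk=6).items():
        print(f"{name:32s} inherent={row[0]:2d} residual={row[1]:2d} ok={row[2]}")
    print("Still over limit:", over_limit(register, max_risk=6))
```

With these numbers “Vendor lock-in” is the only risk left above the limit, which is the deck's own conclusion: the control for it is not technical but the choice of provider and the plan B of the Make a decision slide.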
Decide
Bean counting …
> Migration costs
> Cloud operation costs
> Current operation costs
> Troubleshooting costs (both cloud & current)
> Make money talk …
Make a decision
> Evaluate pros & cons of our current IT model & cloud computing
> It’s not all about money …
> Informed decision making
> You always should have a plan B
CC offers great opportunities
CC has risks
There has to be a plan
Conclusions
> Cloud computing is here
> Lots of business models & opportunities
> Must know all the risks
> Must have a sensible business plan
Conclusions
I love it when a cloud plan comes together
Don’t be under a cloud!
More info? Press here!
Cloud Security Alliance
https://cloudsecurityalliance.org/
Cloud Computing Security Guide - CSA
http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
ENISA – Cloud Computing Security Risks
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Australia Gov. - Cloud Computing Risk Analysis Report
http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf
Antonio Sanz / [email protected] / @antoniosanzalc
Have a plan and jump into the sky !
$slides = http://www.slideshare.net/ansanz