29
Cloud Security Issues and Cloud Security Issues and Cloud Security Issues and Cloud Security Issues and Adoption Guideline for Thai Adoption Guideline for Thai Adoption Guideline for Thai Adoption Guideline for Thai Government Agencies Government Agencies Government Agencies Government Agencies July 26, 2016 Dr. Sudsanguan Ngamsuriyaroj Faculty of ICT, Mahidol University

Cloud security and adoption

Embed Size (px)

Citation preview

Page 1: Cloud security and adoption

Cloud Security Issues and Cloud Security Issues and Cloud Security Issues and Cloud Security Issues and Adoption Guideline for Thai Adoption Guideline for Thai Adoption Guideline for Thai Adoption Guideline for Thai Government AgenciesGovernment AgenciesGovernment AgenciesGovernment Agencies

July 26, 2016

Dr. Sudsanguan Ngamsuriyaroj

Faculty of ICT, Mahidol University

Page 2: Cloud security and adoption

About Me� Assistant Professor

Faculty of ICT, Mahidol University

� Teaching

Parallel computing, Cloud computing

Security

Computer Ethics

� Research

Security (network, cloud, database)

Parallel computing

Healthcare applications

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY 2

[email protected]

Page 3: Cloud security and adoption

AgendaCloud Adoption

General Security Concepts

Cloud Security Model

Cloud Security Issues

3SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 4: Cloud security and adoption

Cloud Adoptionfrom Data Center to Cloud

4

http://www.stratoscale.com/blog/cloud/the-journey-from-virtualization-to-cloud-computing/

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 5: Cloud security and adoption

Cloud Adoption – Why?

5SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 6: Cloud security and adoption

Cloud Adoption – Why?Cost Reduction

6

http://www.opengroup.org/cloud/whitepapers/ccroi/roi.htm

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 7: Cloud security and adoption

Are you ready for Cloud?Which applications will be moved to cloud

Readiness of existing infrastructure

Development of IT personnel (infrastructure and developers)

How to migrate to cloud◦ Which cloud model/platform (public, private, hybrid) to use

Budget / ROI

Application users

Schedule to deliver products/services

7SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 8: Cloud security and adoption

Categories of Applications

1. Public applications: for everyone: web sites

2. External based applications: for customers/ partners

3. Internal based applications: for staff only - emails

4. Private applications: for administration: ERP, HR

8

Which applications will be moved to Cloud

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 9: Cloud security and adoption

�Network infrastructure

�System infrastructure

�Application platforms

�BCP – Business Continuity Plan

�Infrastructure Maintenance

�Audit process

9

Readiness of Existing Infrastructure

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 10: Cloud security and adoption

� Physical / Logical network diagram (latest update?)

� All existing equipment and their capacity

� Report of network usage◦ Bandwidth enough?

◦ Any usage abuse?

� What links needed to be updated

10

Readiness of Existing Infrastructure:Network Ready?

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 11: Cloud security and adoption

�List of all servers and the applications running

�List of all servers no longer used

�How long a server will be used

�Is there any maintenance?

�What workload running and how much the utilization is?

�If there is a new server, a plan to use VM ?

11

Readiness of Existing Infrastructure:System Ready?

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 12: Cloud security and adoption

Workload Forecasted

12

http://www.americanis.net/2013/shift-your-risk-in-the-cloud/

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 13: Cloud security and adoption

Workload Analysis

13SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 14: Cloud security and adoption

What would be Barriers?

�Data security and privacy

�People with effective skills

�Different cloud service providers and platforms

�Vendor lock-in

�Cloud providers’ reliability and availability

�Risks

14

http://www.slideshare.net/ISS-NUS/security-in-smart-city-implementation-infrastructure-and-people

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 15: Cloud security and adoption

General Security Concept

15

http://www.slideshare.net/dr_edw777/chapter-1-overview-11741038

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 16: Cloud security and adoption

NIST Reference Architecture

16

Source: NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 17: Cloud security and adoption

Cloud Security Model

17

http://www.softwaretestpro.com/ItemAssets/5590/Fig4.jpg

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 18: Cloud security and adoption

1. Data breaches/ leaks

2. Data loss

3. Account or service traffic hijacking

4. Insecure interfaces and APIs

5. Denial of services

6. Malicious Insiders

7. Cloud abuse

8. Insufficient due diligence

9. Shared technology vulnerabilities

CSA Notorious 9 CSA Notorious 9 CSA Notorious 9 CSA Notorious 9 Cloud Top Threats in 2013

18

https://downloads.cloudsecurityalliance.org/initiatives/top_

threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 19: Cloud security and adoption

CSA Treacherous CSA Treacherous CSA Treacherous CSA Treacherous 12 12 12 12 Cloud Top Threats in 2016

1. Data Breaches

2. Weak Identity, Credential and Access Management

3. Insecure APIs

4. System and Application Vulnerabilities

5. Account Hijacking

6. Malicious Insiders

19

7. Advanced Persistent Threats (APTs)

8. Data Loss

9. Insufficient Due Diligence

10.Abuse and Nefarious Use of Cloud Services

11.Denial of Service

12.Shared Technology Issues

https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 20: Cloud security and adoption

Data BreachesWorld's Biggest Data BreachesSelected losses greater than 30,000 records (updated 11th July 2016)

20

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 21: Cloud security and adoption

Data Loss

21

http://www.theregister.co.uk

/2016/05/13/salesforcecom_crash_caused_data_loss/

http://www.computerworld.com/a

rticle/2973600/cloud-

computing/google-cloud-loses-data-belgium-itbwcw.html

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 22: Cloud security and adoption

Data Security on Cloud

How to protect your data from being observed?

�Data Encryption

what about KEY? and Key Management?

encryption algorithm?

How about “homomorphic encryption”?

�Data Masking for Sensitive data like bank accounts

maintain a mapping between real and masked data

22SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 23: Cloud security and adoption

Data Life Cycle

23

https://securosis.com/tag/data+security+lifecycle

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 24: Cloud security and adoption

Cloud Threats and Vulnerabilities

24

Adopted from “Realizing the Benefits of Vulnerability Management in the Cloud” by Gordon MacKay, CTO, Digital Defense, Inc.

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 25: Cloud security and adoption

Cloud Security Issues

25

https://www.eitdigital.eu/fileadmin/files/docs/documents_helsinki/TheoDimitrakos-EIT_ICT_Labs_Symposium_on_Trusted_Cloud_and_Future_Enterprises-email-no-demo.pdf

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 26: Cloud security and adoption

Cloud Security Issues

26

https://www.eitdigital.eu/fileadmin/files/docs/documents_helsinki/TheoDimitrakos-EIT_ICT_Labs_Symposium_on_Trusted_Cloud_and_Future_Enterprises-email-no-demo.pdf

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 27: Cloud security and adoption

Cloud Security Issues

27

https://www.eitdigital.eu/fileadmin/files/docs/documents_helsinki/TheoDimitrakos-EIT_ICT_Labs_Symposium_on_Trusted_Cloud_and_Future_Enterprises-email-no-demo.pdf

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 28: Cloud security and adoption

Cloud Security Issues

28

https://www.eitdigital.eu/fileadmin/files/docs/documents_helsinki/TheoDimitrakos-EIT_ICT_Labs_Symposium_on_Trusted_Cloud_and_Future_Enterprises-email-no-demo.pdf

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY

Page 29: Cloud security and adoption

Q&AThank you

SIPA TECHNOLOGY MEETUP 2016 - HIGH PERFORMANCE COMPUTING TRENDS AND TECHNOLOGY 29