Gartner's audience survey at the Gartner US Data Center Conference in December 2013 found that the No. 1 issue slowing adoption of public cloud computing was security. According to a Ponemon Institute study, 82% of organizations will store sensitive data in the cloud within the next two years, yet the same study concluded that cloud security is an oxymoron for many companies: 62% of respondents do not agree, or are unsure, that cloud services are thoroughly vetted before deployment; 69% believe there is a failure to be proactive in assessing which information is too sensitive to be stored in the cloud; and 46% of IT professionals say their organizations have stopped or slowed the adoption of cloud services because of security concerns, indicating there is still work to be done to continue advancing cloud adoption.

The Cloud Security Alliance (CSA) reported that cloud outages due to "Insecure Interfaces & APIs" accounted for 29% of all reported threats, and "Data Loss & Leakage" for 25%; for a further 25% of reported outages the cause was not disclosed. The aim of the CSA report is to encourage transparency and accountability from cloud service providers.

Consumers have no control over security once data is inside the public cloud; they are completely reliant on the provider for application and storage security. A private cloud gives a single consumer organization exclusive access to and use of the infrastructure and computational resources, but even there the consumer has limited capability to manage security within an outsourced IaaS private cloud.

Depending on the cloud deployment model, additional threat vectors that would not have come into the equation for a non-cloud deployment can be introduced. An example in a SaaS deployment is the threat introduced by multi-tenancy, when the same application runtime serves multiple tenants and their segregated data.
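The multi-tenancy point above is the one concrete mechanism this description names: one runtime, one database, many tenants, so every data access has to carry the caller's tenant. The following Python is an added illustration, not code from the slide deck or from Protegrity. It assumes a hypothetical `documents` table with a `tenant_id` column in an in-memory SQLite database seeded with constructed rows, and shows the unscoped lookup that lets one tenant read another's record beside the tenant-scoped version.

```python
"""Tenant isolation in a shared SaaS runtime (added example, constructed data).
The same code path serves every tenant, so the tenant predicate must be part
of every query rather than something each caller remembers to add."""
import sqlite3

# Constructed sample data: two tenants ("acme", "globex") sharing one application database.
SEED_ROWS = [
    (1, "acme", "payroll-2013.xlsx"),
    (2, "acme", "customers.csv"),
    (3, "globex", "merger-plan.docx"),
]


def build_db():
    """Create the hypothetical shared documents table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def get_document_unscoped(conn, doc_id):
    """Vulnerable pattern: looks a document up by id alone, so any tenant that
    guesses or enumerates an id reads another tenant's row through the shared runtime."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_scoped(conn, tenant_id, doc_id):
    """Hardened pattern: tenant_id comes from the authenticated session, never from
    the request body, and is enforced inside the query itself."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()


class TenantScopedRepo:
    """Binds a connection to one tenant so callers cannot omit the tenant predicate."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def get_document(self, doc_id):
        return get_document_scoped(self._conn, self._tenant_id, doc_id)

    def list_documents(self):
        rows = self._conn.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        )
        return [r[0] for r in rows]


def demo():
    """Tenant "acme" requests document 3, which belongs to "globex"."""
    conn = build_db()
    leaked = get_document_unscoped(conn, 3)                  # globex's row is returned
    blocked = TenantScopedRepo(conn, "acme").get_document(3)  # None: not acme's document
    return leaked, blocked
```

The repository wrapper is the design choice worth copying: once the tenant is fixed at construction time from the session, a later feature cannot accidentally ship a query that forgets the predicate, which is how most cross-tenant reads in shared runtimes actually happen.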
Cloud computing may present different risks to an organization than traditional IT solutions. The following examples from the Cloud Security Alliance highlight concerns introduced by virtualization, which is one of the key elements of Infrastructure as a Service (IaaS) offerings and private clouds, and is increasingly used in portions of the back end of Platform as a Service (PaaS) and Software as a Service (SaaS) providers as well. A few examples of hypervisor architecture concerns: VM encryption. Virtual machine images are vulnerable to theft or modification whether they are dormant or running. The solution is to encrypt virtual machine images at all times, but at present there are performance concerns; for high-security or regulated environments, the performance cost is worth it. Encryption must be combined with administrative controls, DLP, and audit trails to prevent a snapshot of a running VM from "escaping into the wild," which
Concerns with Cloud Computing
Ulf Mattsson
CTO, Protegrity
What Is Your No. 1 Issue Slowing Adoption of Public Cloud Computing?
Sensitive Data in the Cloud
82% of organizations currently transfer, or plan to transfer, sensitive/confidential data to the cloud in the next 24 months (Ponemon Institute).
Lack of Cloud Confidence
62% of survey respondents either agree or are unsure that the cloud services used by their organization are NOT thoroughly vetted for security.
Stopped or Slowed Adoption
46% of IT professionals say their organizations have stopped or slowed the adoption of cloud services because of security concerns.
Source: The State of Cloud Security
Data Loss & Insecure Interfaces
Number of Cloud Vulnerability Incidents by Threat Category (Cloud Security Alliance): Insecure Interfaces & APIs 29%, Data Loss & Leakage 25%, cause not disclosed 25%.
What is Cloud Computing?
Computing as a Service:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Delivered Internally or Externally to the Enterprise:
• Public
• Private
• Community
• Hybrid
Software as a Service (SaaS)
Typically web-accessed, internet-based applications ("on-demand software")
Platform as a Service (PaaS)
An internet-based computing platform and solution stack; facilitates deployment of applications at much lower cost and complexity
Infrastructure as a Service (IaaS)
Delivers computer infrastructure (typically a virtualized environment) along with raw storage and networking built in
Public Cloud – No Control
Consumers have no control over security once data is inside the public cloud. Completely reliant on provider for application and storage security.
Private Cloud
• On-site Private Cloud
• Outsourced Private Cloud
Private Cloud – Limited Control
A private cloud gives a single consumer organization exclusive access to and use of the infrastructure and computational resources, but the consumer has limited capability to manage security within an outsourced IaaS private cloud.
Threat Vector Inheritance
Depending on the cloud deployment model, additional threat vectors that would not have come into the equation for a non-cloud deployment can be introduced; in a SaaS deployment, for example, multi-tenancy means the same application runtime serves multiple tenants and their segregated data.
Virtualization Concerns in Cloud
• Virtual machine guest hardening
• Hypervisor security
• Inter-VM attacks and blind spots
• Performance concerns
• Operational complexity from VM sprawl
• Instant-on gaps
• Virtual machine encryption
• Data commingling
• Virtual machine data destruction
• Virtual machine image tampering
• In-motion virtual machines
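Two of the concerns above, image tampering and the audit trail that the description says must accompany VM encryption, can be shown concretely. The following Python is an added example, not code from the slide deck or from Protegrity: it verifies a dormant image against an HMAC-signed manifest before the image is allowed to boot and writes every allow/reject decision to an audit list. The manifest layout, the key handling (the signing key is held by the image owner, not the hypervisor host) and the stand-in image bytes are assumptions for illustration; this covers the integrity half of the problem, not the confidentiality that encryption provides.

```python
"""Tamper detection for a dormant VM image (added example, constructed data).
A signed manifest binds the image name to its digest; the check runs before
power-on and records its decision as an audit-trail entry."""
import hashlib
import hmac
import json
import secrets

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image never has to fit in memory


def sha256_of(data: bytes) -> str:
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image_name: str, image: bytes, key: bytes) -> dict:
    """Record digest and size and bind them to the image name with an HMAC, so an
    attacker who edits the image cannot simply rewrite the digest to match."""
    body = {"image": image_name, "sha256": sha256_of(image), "size": len(image)}
    return {**body, "hmac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, image: bytes, key: bytes, audit: list) -> bool:
    """Return True only if the manifest is authentic and the image matches it.
    Each decision is appended to `audit` (the audit trail the slides call for)."""
    body = {k: manifest[k] for k in ("image", "sha256", "size")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison: checked first, so an unsigned manifest never gets trusted.
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        audit.append({"image": body["image"], "result": "reject", "reason": "manifest-hmac"})
        return False
    if len(image) != body["size"] or sha256_of(image) != body["sha256"]:
        audit.append({"image": body["image"], "result": "reject", "reason": "image-digest"})
        return False
    audit.append({"image": body["image"], "result": "allow", "reason": "ok"})
    return True


def demo():
    """Three boots: the pristine image, a patched image, and a patched image with a forged manifest."""
    key = secrets.token_bytes(32)  # assumption: owner-held signing key, provisioned out of band
    image = bytes(4096) + b"GRUB" + bytes(4096)  # constructed stand-in for a disk image
    manifest = sign_manifest("web-frontend.qcow2", image, key)
    audit = []
    ok_original = verify_manifest(manifest, image, key, audit)
    # Boot sector patched while the image sat dormant on shared storage; size unchanged.
    tampered = image[:4096] + b"EVIL" + image[4100:]
    ok_tampered = verify_manifest(manifest, tampered, key, audit)
    # Attacker also rewrites the digest, but cannot produce a valid HMAC without the key.
    forged = dict(manifest, sha256=sha256_of(tampered))
    ok_forged = verify_manifest(forged, tampered, key, audit)
    return ok_original, ok_tampered, ok_forged, audit
```

The order of checks matters: the HMAC is verified before the digest is trusted, so a manifest the attacker has rewritten is rejected for the right reason and the audit entry tells the responder whether the image or the manifest was the thing that changed.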