Post on 20-Aug-2015
www.securityforum.org ISF 20th Annual World Congress 2009 Copyright © 2009 Information Security Forum Limited 1 Cloud Security and privacy – Subra Kumaraswamy
“Head in the clouds, feet on the ground - the business side of security in the cloud”
Subra Kumaraswamy
subra.k@gmail.com
Twitter - @Subrak
Dec 07, 2009
Cloud Computing: Evolution
5 Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling - Location independence
• Rapid elasticity
• Measured service
3 Cloud Service Models
• Cloud Software as a Service (SaaS) - Use provider’s applications over a network
• Cloud Platform as a Service (PaaS) - Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS) - Rent processing, storage, network capacity, and other fundamental computing resources
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
Cloud Pyramid of Flexibility
4 Cloud Deployment Models
• Private cloud - enterprise owned or leased
• Community cloud - shared infrastructure for specific community
• Public cloud - Sold to the public, mega-scale infrastructure
• Hybrid cloud - composition of two or more clouds
The Cloud: How are people using it?
Changing IT Relationships
What's Not a Cloud?
Focusing the Security Discussion
[Figure: three axes. XaaS Layers: Software as a Service, Platform as a Service, Infrastructure as a Service. Deployment: Public, Private, Hybrid. Application Domains. Example combinations: IaaS, Hybrid, HPC/Analytics; SaaS, Public, CRM; IaaS, Public, Transcoding]
Components of Information Security
Network-level
Host-level
Application-level
Encryption, Data masking, Content protection
Analyzing Cloud Security
• Some key issues:
- Trust, multi-tenancy, encryption, key management, compliance
• Clouds are massively complex systems that can be reduced to simple primitives that are replicated thousands of times and common functional units
• Cloud security is a tractable problem
- There are both advantages and challenges
Balancing Threat Exposure and Cost Effectiveness
• Private clouds may have less threat exposure than community or hosted clouds which have less threat exposure than public clouds.
• Massive public clouds may be more cost effective than large community clouds which may be more cost effective than small private clouds.
General Security Advantages
• Democratization of security capabilities
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Forcing functions to add security controls
• Clouds enable automated security management
• Redundancy / Disaster Recovery
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
Infrastructure Security
Trust boundaries have moved
• Specifically, customers are unsure where those trust boundaries have moved to
• Established model of network tiers or zones no longer exists
- Domain model does not fully replicate previous model
• No viable (scalable) model for host-to-host trust
• Data labeling/tagging required at application-level
- Data separation is logical, not physical
Data Security
• Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA)
• Use of encryption
- Point-to-multipoint data-in-transit an issue
- Data-at-rest possibly not encrypted
- Data being processed definitely not encrypted
- Key management is a significant issue
- Advocated alternative methods (e.g., obfuscation, redaction, truncation) are not adequate
• Data lineage, provenance
• Data remanence
Identity and Access Management (IAM)
Generally speaking, poor situation today:
• Provisioning of user access is proprietary to provider
• Strong authentication available only through delegation
• Federated identity not widely available
• User profiles are limited to “administrator” and “user”
• Privilege management is coarse, not granular
Privacy Considerations
Transborder data issues may be exacerbated
• Specifically, where are cloud computing activities occurring?
Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• CSPs absolve themselves of privacy concerns: “We don’t look at your data”
Audit & Compliance Considerations
• Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)
• CSP users need to:
- define their control requirements
- understand their CSP’s internal control monitoring processes
- analyze relevant external audit reports
• Issue is assurance of compliance
Impact on Role of Corporate IT
• Governance issue as internal IT becomes “consultants” and business analysts to business units
• Delineation of responsibilities between providers and customers much more nebulous than between customers and outsourcers, collocation facilities, or ASPs
• Cloud computing likely to involve much more direct business unit interaction with CSPs than with other providers previously
Getting Ready – IT Security
• Governance framework that can be aligned with partners
• Federation of Identity, strong authentication, privileged access and key management
• Classification of data and privacy policy for data in cloud
• Security Automation – Image standardization, user/network policy template
• Understand the cloud service provider's security architecture, SLA, policies, security features and interfaces
• Understand the ephemeral nature of compute and storage cloud and plan for archival of security logs
Conclusions
• Part of customers’ infrastructure security moves beyond their control
• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
• Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)
Conclusions (continued)
• IAM is less than adequate for enterprises – weak management of weak credentials unless (authentication) delegated back to customers
• Because of above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
- No established standards for obfuscation, redaction, or truncation
Conclusions (continued)
• Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT
• Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions
What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
• Cost
• Flexibility
• Scalability
• Speed
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by Sun Microsystems. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Thank you
subra.k@gmail.com
Twitter - @subrak