Post on 21-Oct-2014
description
Tomi Järvinen
Aalto-university IT
Twitter/tomppaj
How to be safe in the cloud
“AaltoCloud” • Cloud as a concept
Workshop
• Good to know before using cloud
• Selecting the best suitable cloud
• Using cloud safely
• What Aalto can offer for cloud users
What is ”Cloud”?
•nothing new, really… –news groups, IRC, forums, web hosting...
–marketing term, services are now in a fancy, easy to use package
–IBM new product ”Blue Cloud” came 2007 *
•there is no universally accepted definition –concept or metaphor, which refers to the services available through network
–"only" a concept that combines old and new services
–Cloud conputing Guru Simon Wardley found 67 marketing definitions for Cloud **
4/26
* IBM, 2007 http://www-03.ibm.com/press/us/en/pressrelease/22613.wss
** http://www.slideshare.net/CloudCampFRA/simon-wardley-cloud-computing-why-it-matters
Simon Wardley, Cloud Guru, technology thinker, researcher at CSC Leading Edge Forum
elastic , dynamic
resources
accessible
from
everywhere
typically via
browser
scalable “pay only for
what you use”
• IaaS (Infrastructure as a Service) “IT” is outsourced, customer
pays only for the use.
• PaaS (Platform as a Service) typically software development
using tools and/or libraries from the provider.
• SaaS (Software as a service ) application can be used with
the browser.
– For corporates, e.g. Office 365
– For consumers, e.g. Facebook, Gmail, Twitter
• Today ‘anything as a service' (NaaS, SaaS...)
Definitions depend on the provider (remember, just marketing term...)
4/26
”Cloud” - corporate vs. individual users
4
http://blog.gardeviance.org/2012/07/adoption-cycles.html
Why people like to use Cloud
services?
Magnificent
new
”DropBox”
service
share.aalto.fi/
5
Plenty to choose from
6
Pros and cons - “consumer tools”
• where is the data?
• who gets it?
• provider employees?
• network traffic?
• bottlenecks?
• privacy policy?
• Data collection and
destruction?
• terms of service?
• investigation?
(illegal content
,copyright etc.)
• lock-in? *
• ready to use/clientless
• scalable
• no IT help needed
• all possible bells and whistles
• low cost ,
free of charge
(not really free, privacy,
addvertisement..)
No Google Maps for Windows Phone 8? http://www.t3.com/news/no-google-maps-for-windows-phone-8
(at the moment 7.1.2013) seems that Maps WILL be available on Windows phone.
7
Discussion
• What kind of cloud services are you using?
• Which are the best ones and why?
• Do you have any concerns about cloud services?
15 min
Part 2
• Good to know before using cloud,
risks, material, providers, other issues
• Selecting the best suitable cloud service
• Using cloud safely
• What Aalto can offer for cloud users
Risk is not a question, it is a fact
9
2006 Major USA credit card processor leaked millions of credit card numbers
http://www.ftc.gov/opa/2006/02/cardsystems_r.shtm
2011 The Register UK Magazine :“Amazon cloud fell from sky”
http://www.theregister.co.uk/2011/04/29/amazon_ec2_outage_post_mortem/
personal details of 77 million PlayStation users leaked
http://www.guardian.co.uk/technology/2011/apr/27/playstation-users-identity-
theft-data-leak
LinkedIn passwords leaked by hackers
http://www.bbc.co.uk/news/technology-18338956
Microsoft Windows Live Hotmail (Four days outage for 17 000)
http://blogs.windows.com/windows_live/b/windowslive/archive/2011/01/03/hotma
il-email-access-issue-now-resolved.aspx
http://datalossdb.org/index/largest
Privacy costs
10
Some services are collecting huge amount of data about user. However, the
user does not know what provider is collecting:
• what data is being collected
• for how long the data is stored,
• for what purpose the data is being collected etc.
– and the service provider usually is claiming right to use the data for future
purposes. Sell data to other company in case of acquisition
hardware model, operating system version, unique device identifiers, mobile
network information, details of how you use the service, search queries, phone
number, calling-party number, forwarding numbers, time and date of calls,
duration of calls, SMS routing information and types of calls, system activity,
hardware settings, browser type, browser language, the date and time of your
request and referral URL, migth collect and store information (including personal
information) from your device using mechanisms such as browser and
application data caches…(these are from one service)
11
”Patriot act”, do I have to care?
USA PATRIOT Act (commonly known as the Patriot Act) Law for
fighting against terrorism. Government can ask data from any
USA based company, including data located outside of USA.
(Microsoft, Gmail, Facebook, Dropbox...)
• 1,271 government organizations and 1,931 private companies
• 854,000 people have security clearances
• Data “for government use” might end to a third party
Take into consideration if you are working with the goverment,
with something very innovative or when co-operating with external
partners.
http://projects.washingtonpost.com/top-secret-america
http://www.webanalyticsworld.net/2012/03/eu-data-protection-law-and-the-patriot-act-in-the-cloud.html
Wikimedia commons
Material not suitable for cloud (1/3)
12
Think about your work and information you are processing!
All the material is not suitable for a public service.
University data,
• study attainments, student evaluations
• research plans, development work
• or, e.g., information which the university is obligated to retain long
term in its records should not be processed using external services
Published intellectual property
• copyright (e.g., digital-rights management, media)
• patent (e.g., designs, processes)•
• trademark (e.g., graphics, URLs, even Logos might need approval)
Material not suitable for cloud (2/3)
13
Regulated information
• HR and employment
• medical
• financial
• technology and telecommunications data (usage)
• other regulated information
IT information
• activity and access logs (dynamic monitoring, audits)
• policy, rules, and authorizations (some of those)
• identity and authentication
Material not suitable for cloud (3/3)
14
Confidential business information • trade secrets
• financial, tax, and insurance records
• operations data (e.g., enterprise resource planning, supply-chain
management
• other commercial information (e.g., marketing plans, customer lists,
contracts, IT architecture)
• three basic models: Free – Advertisement – Freemium (business)
• free service (often end up to advertisement or freemium model)
• advertisement:, what is the motivation of the service provider?
– money, money, money (Facebook)
• Freemium, light free version, full with paying something (Yammer)
• And, stay focused, service for one purpose usually fits the user needs
better and lasts longer
– users learn how to use
– service does what it is supposed to do
– probably easier to find alternative solution when needed
First: choose the right service (1/3)
15
pay attention!
• Documentation, widely used API:s
• standard and multiple formats
• anonymity (option to study without giving personal details to external
marketing company)
• EULA, terms of service, privacy policy (Good or Bad?)
• integration to other same provider services (lock in vs. easy exit)
More information about EULAs:
open community http://tos-dr.info/ ”Terms of service - didn’t read”
First: choose the right service (2/3)
16
Security is not provider top priority
(3/3)
17
Context Information Security, 3- 2011; Assessing Cloud Node Security, White paper
http://www.contextis.com/research/white-papers/assessing-cloud-node-security/
Cloud provider security audit 2011
audit test result
18
Second: use service wisely (1/2)
• you cannot get anything “back”
• services may claim ownership of the information
• “free” services often collect and disclose information to
third parties such as advertisers or collaboration
partners. So, think what you share
• malicious links, think before clicking
• think where you buy from
• "fakeware / scareware“, think before buying
• be accurate, how and what you write
• please do not comment on behalf of
the University, unless it belongs to the job
description :)
• be careful, and specially with Android - > http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/android-
malware/android-risk-mitigation.aspx
Trend micro
19
Second: use service wisely (2/2)
• keep your password / username combination safe, if the worst happens
(serious illness, even death, or matters related to legislation)
• material may be financially or for some other reason valuable
(university or relatives, e.g. script, photos, new 7 brothers:)
• use different password and user id, mnemonic?, software like "KeePass“
http://keepass.info/ for password management
• use "alias", Teemu courseX2012, etc... check if this is not against TOS.
• keep copies of everything on your own computer
• do not accept all friend requests!
• if necessary, clear the browser cache
• only "Sure" way to store files securely is an encryption
http://www.makeuseof.com/tag/5-ways-to-securely-encrypt-your-files-in-the-
cloud/
Special cloud case, email in the cloud
• actually the biggest real life risk, most incidents are related to email.
• phishing emails/malware on a daily basis
• identity thefts happen (monday mornings, stress, hurry)
• proposals to make money
• With ”SingleSignOn” Aalto-password , access to ALL you data
• Aalto IT will NEVER close your account because of full disk space or
malware, so don’t click those emails.
• Aalto IT will NEVER ask your password, neither by phone nor by email
• You will NEVER get any sanctions about accidental mistakes
If you suspect something, contact immediately Aalto service
desk or security team. Don’t panic! Don’t be afraid to contact
Special case, email
• Actually biggest real life risk
• On daily basis phishing emails
• Identity theft
• Proposals to make money
• SingleSignOn Aalto-password provide access to ALL you data
• IT will NEWER close you account becaouse of full disk space or
malware, so don’t be scared and click those emails.
• IT will NEWER ask your password, not by phone, not by email
• You will NEWER get any sanctions about accidents
If you suspect something contact immediately Servicedesk or Security@aalto.fi
22
Aalto Cloud portal http://Pilvi.aalto.fi
Why we made it:
• Aalto users were asking a lot about various kind of applications and
providers
• Users had concerns
• Questions, which systems could be used for certain needs, policy?
• recommend good/ secure/ reliable/ tested services to Aalto users
Who made it:
• Aalto VIPU team* , Information security team, Aalto Web-team
23
Need is something for light use or for
small group, just choose the
appropriate service and start using!
Grouped by Categories:
•”Web presence”
•collaboration
•file synchronising
•blogging
•media share...
You can also find:
•feedback page
•request form, for a new services
•list about recommended and
approved services
•instructions
http://Pilvi.aalto.fi –
”just use” cloud services for light use
24
the service use involves:
• processing of personal data
• processing of secret material
• processing of bank details
• administration requirements
• requirements for high 24/7 usability
• licences
• large costs
• a large number of users or several units involved
Please, contact the account managers
http://www.aalto.fi/fi/about/contact/services/it/ - “asiakkuuspäälliköt”
Instructions about heavier use (1/2)
IF
THEN
25
Instructions about heavier use (2/2)
Accessibility
Accessibility, big yes!
(from everywhere, with all the platforms, all needs)
So USE cloud services.
But, think first
27
Questions?
Thank you!
security(at)aalto.fi, tomi.jarvinen(at)aalto.fi