Cloud Security
Uploaded by: mitesh-soni
Transcript of Cloud Security
http://clean-clouds.com
Objectives
- Security Objectives
- Cloud Characteristics & Security Implications
- Cloud Security Challenges
- Control & Cloud Service Model
- Roles & Responsibilities
- Security Guidelines
- Documents & Checklists
Security Objectives
Cloud security is about three objectives:
◦ Confidentiality (C): keeping data private
◦ Integrity (I): data in the cloud is what it is supposed to be
◦ Availability (A): availability of information
Cloud Computing ~ Economy of Scale & Security
- All kinds of security measures are cheaper when implemented on a larger scale.
◦ e.g. filtering, backup, patch management, hardening of virtual machine instances and hypervisors, etc.
- The same amount of investment in security buys better protection.
Cloud Security - Overview
Cloud computing presents an added level of risk:
◦ Services are outsourced to a third party.
◦ Off-premise
◦ Multi-tenant architecture
◦ Loss of governance: less control over data and operations
◦ Legal and contractual risks
Cloud Characteristics -> Outsourced
Cloud Characteristics -> Off-Premise
Multi-Tenant Architecture ~ Shared Resources
Loss of Governance
The client cedes control to the provider on a number of issues affecting security:
◦ External pen testing not permitted.
◦ Very limited logs available.
◦ Usually no forensics service offered.
◦ Not possible to inspect hardware.
◦ No information on location/jurisdiction of data.
◦ Outsourcing or sub-contracting of services to third parties (fourth parties?).
Legal and Contractual Risks
- Data in multiple jurisdictions, some of which may be risky.
◦ Multiple transfers of data exacerbate the problem.
- Subpoena and e-discovery
- Intellectual property
- Risk allocation and limitation of liability
- Compliance challenges: how to provide evidence of compliance.
Cloud Security Challenges - Part 1
- Data dispersal and international privacy laws
◦ Exposure of data to foreign governments and data subpoenas
◦ Data retention issues
- Need for isolation management
- Multi-tenancy
- Logging challenges
- Data ownership issues
- Quality of service guarantees
Cloud Security Challenges - Part 2
- Dependence on secure hypervisors
- Attraction to hackers (high-value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
◦ Encrypting administrative access to OS instances
◦ Encrypting application data at rest
◦ Encrypting application data in transit
- Public cloud vs. internal cloud security
Additional Issues
- Issues with moving PII and sensitive data to the cloud
◦ Privacy impact assessments
- Using SLAs to obtain cloud security
◦ Suggested requirements for cloud SLAs
◦ Issues with cloud forensics
- Contingency planning and disaster recovery for cloud implementations
- Handling compliance
◦ FISMA
◦ HIPAA
◦ FDA
◦ PCI
◦ SAS 70 audits
Control & Cloud Service Model
Responsibilities
CIA & Cloud Service Model
Why Security is the "X" Factor for a Cloud Service Provider
Skin in the Game & Cloud Service Provider
"Skin in the game" is a term popularized by the investor Warren Buffett, referring to a situation in which high-ranking insiders use their own money to buy stock in the company they are running.
Security Guidelines for Application Migration on Cloud
How Security Guidelines Can Help
Cloud Security Areas
Identity & Access Management
- Authentication
◦ Existing authentication or the cloud provider's authentication service?
- SSO
◦ Single sign-on for applications on cloud and on premise?
- Authorization
◦ User provisioning and de-provisioning service
- User directory & federation services
◦ How is trust maintained across cloud and on-premise domains?
Directory Services
Federation services such as ADFS 2.0 implement standards like WS-Trust and WS-Federation, which is useful here.
Using the WS-Federation standard, Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server.
IBM Tivoli Federated Identity Manager is used for federation services.
Data Security
Hardware, database, memory, etc. are shared resources, like buying a hotel room or booking an aircraft.
Information Security Life-Cycle
- Data confidentiality
- Data integrity
- Availability
- Backup & archive
- Key management
Is encryption sufficient?
- Encryption technique, e.g. 128/256-bit AES symmetric or asymmetric encryption
- File system or disk encryption techniques
- Does the encryption meet FIPS 140-2?
- Practical processing operations on encrypted data are not possible.
Network Security
Concerns
◦ Security for data in transit
◦ Perimeter security
◦ Network security threats (DoS, man-in-the-middle, packet sniffing)
Solutions
◦ Virtual private cloud
◦ IPsec networks
◦ Stateful firewall
Virtualization Security
- Virtualization / hypervisor threats: how are your data and application isolated from other customers?
- Host operating system: how is the host operating system protected?
- OS hardening: how is OS-level security such as OS hardening maintained?
- Anti-virus: how is protection from malware and spyware ensured?
Physical Security
- Environmental safeguards: SAS 70 Type II audit procedures
◦ Redundancy
◦ Climate and temperature
◦ Fire detection and suppression
- Physical security: SAS 70 Type II audit procedures
◦ Professional security staff utilizing video surveillance
◦ Authorized staff must pass two-factor authentication
◦ Access to datacenters by employees must be logged and audited routinely
Incident Response in the Cloud
- What constitutes a cloud-based incident?
◦ Customer vs. provider definitions
- What technologies play a key role in incident detection and response?
◦ Network security, host controls, monitoring/alerting
- What do cloud customers need to ask/know about provider incident response?
◦ Will consumer organizations be provided an audit trail? Maybe.
Thank You