Cloud Security - non vendor perspectives
Copyright © 2010, Oracle and/or its affiliates. All rights reserved. 1
Cloud Security
Patrick McLaughlin, CISSP
Oracle Fellow
Content from late 2010
This document is for informational purposes. It is not a commitment to
deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. The development, release, and timing of any
features or functionality described in this document remains at the sole
discretion of Oracle. This document in any form, software or printed matter,
contains proprietary information that is the exclusive property of
Oracle. This document and information contained herein may not be
disclosed, copied, reproduced or distributed to anyone outside Oracle
without prior written consent of Oracle. This document is not part of your
license agreement nor can it be incorporated into any contractual
agreement with Oracle or its subsidiaries or affiliates.
Agenda
• Cloud Standardisation efforts (incl security)
• NIST – National Institute of Standards and Technology
• DMTF – Distributed Management Task Force
• cloudusecases.org
• CSA – Cloud Security Alliance
• ENISA – European Network and Information Security Agency
NIST Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of:
3 Service Models
• SaaS
• PaaS
• IaaS
4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
Source: NIST Definition of Cloud Computing v15
NIST Presentation on Effective and Secure Use of Cloud Computing
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Analyzing Cloud Security
• Some key issues:
• trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems that can be reduced to simple
primitives, replicated thousands of times, and common functional units
• Cloud security is a tractable problem
• There are both advantages and challenges
Former Intel CEO, Andy Grove: “only the paranoid survive”
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
General Security Advantages
• Shifting public data to an external cloud reduces the
exposure of the internal sensitive data
• Cloud homogeneity makes security auditing/testing
simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Security Relevant Cloud Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual
Networks
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Cloud Security Advantages
Part 1
• Data Fragmentation and Dispersal
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Cloud Security Advantages
Part 2
• Simplification of Compliance Analysis
• Data Held by Unbiased Party (cloud vendor assertion)
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
• Advanced Honeynet Capabilities
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Cloud Security Challenges
Part 1
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
• Exposure of data to foreign government and data subpoenas
• Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Cloud Security Challenges
Part 2
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
  • Encrypting access to the cloud resource control interface
  • Encrypting administrative access to OS instances
  • Encrypting access to applications
  • Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Putting it Together
• Most clouds will require very strong security controls
• All models of cloud may be used for differing tradeoffs
between threat exposure and efficiency
• There is no one “cloud”. There are many models and
architectures.
• How does one choose?
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
Migration Paths for Cloud Adoption
• Use public clouds
• Develop private clouds
  • Build a private cloud
  • Procure an outsourced private cloud
  • Migrate data centers to be private clouds (fully virtualized)
• Build or procure community clouds
  • Organization wide SaaS
  • PaaS and IaaS
  • Disaster recovery for private clouds
• Use hybrid-cloud technology
  • Workload portability between clouds
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-computing-v26.ppt
DMTF and Cloud Computing
http://dmtf.org/sites/default/files/standards/documents/DSP-IS0102_1.0.0.pdf
DMTF IaaS Management Centricity
DMTF Interaction Patterns
• Identity: A person or entity that interacts with the cloud service provider establishes their identity
and receives appropriate credentials, such as a session token. An identity token may also be
obtained through an external identity provider that has a trust relationship with the cloud service
provider. Operations and data are made accessible to the connection authenticated by the
credentials or identity token.
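The identity pattern above (authenticate, receive a session token or present a token from a trusted external identity provider, then expose operations only to the authenticated connection) can be modelled end to end. The following is an added example and is not code from the DMTF document or from the slide deck; the HMAC-signed token format, the issuer names (`provider`, `idp.example`), the user names, the keys and the authorization policy are all constructed for illustration, and the shared key standing in for the provider/IdP trust relationship is a placeholder for what would in practice be an IdP certificate or public key.

```python
"""Added example: the DMTF 'Identity' interaction pattern in miniature.
Everything here (keys, users, issuer names, policy) is constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets. PROVIDER_KEY signs the provider's own session tokens;
# TRUSTED_IDPS represents the trust relationship with external identity
# providers (a shared key here; a certificate/public key in real deployments).
PROVIDER_KEY = b"constructed-provider-session-signing-key"
TRUSTED_IDPS = {"idp.example": b"constructed-key-shared-with-idp.example"}

# Constructed local credential store (user -> salted password hash).
_SALT = b"constructed-static-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Constructed authorization policy: which identity may invoke which operation.
# External identities are namespaced by their issuer so they cannot collide
# with local accounts.
POLICY = {
    "alice": {"list_instances", "start_instance"},
    "bob@idp.example": {"list_instances"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Serialise claims and append an HMAC-SHA256 tag under `key`."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, key: bytes, now: float):
    """Return the claims if the tag verifies under `key` and the token is
    unexpired; otherwise None. Constant-time comparison avoids leaking the tag."""
    try:
        body, tag = token.split(".")
        payload, tag_bytes = _unb64(body), _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag_bytes):
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None


def _session_for(subject: str, now: float, ttl: float) -> str:
    return mint_token(
        {"sub": subject, "iss": "provider", "exp": now + ttl,
         "jti": secrets.token_hex(8)},
        PROVIDER_KEY,
    )


def login_with_password(user: str, password: str, now=None, ttl=900):
    """Establish identity with local credentials; issue a session token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        return None
    return _session_for(user, now, ttl)


def login_with_idp_token(idp_token: str, now=None, ttl=900):
    """Establish identity with a token from an external identity provider.
    The issuer is read first only to select the key; nothing is trusted
    until the tag verifies under that trusted issuer's key."""
    now = time.time() if now is None else now
    try:
        issuer = json.loads(_unb64(idp_token.split(".")[0])).get("iss")
    except (ValueError, binascii.Error, AttributeError):
        return None
    key = TRUSTED_IDPS.get(issuer)
    if key is None:
        return None  # unknown or untrusted identity provider
    claims = verify_token(idp_token, key, now)
    if claims is None or "sub" not in claims:
        return None
    return _session_for(f"{claims['sub']}@{issuer}", now, ttl)


def authorize(session_token: str, operation: str, now=None) -> bool:
    """Operations are exposed only to the identity bound to the session.
    An IdP token presented directly is rejected: it is not signed by the
    provider and does not carry the provider issuer."""
    now = time.time() if now is None else now
    claims = verify_token(session_token, PROVIDER_KEY, now)
    if claims is None or claims.get("iss") != "provider":
        return False
    return operation in POLICY.get(claims["sub"], set())
```

The two login paths converge on the same provider-issued session token, so the authorization check has one code path and one key; expiry, an unknown issuer, a bad tag, and an external token presented in place of a session token all fail closed.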
DMTF Security Architecture
DMTF: Policy Examples
http://cloudusecases.org (version 4 July 2010)
Governance Domains
Operational Domains
ENISA
The real world