Deadly Sins of Cloud Computing (and how to avoid them)

Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole

Transcript of Deadly Sins of Cloud Computing (and how to avoid them)

Page 1: Deadly Sins of Cloud Computing (and how to avoid them)

Deadly Sins of Cloud Computing

(and how to avoid them)

Mike Small CEng, FBCS, CITP

Senior Analyst

KuppingerCole

Page 2: Agenda

• The Seven Deadly Sins
• Ten Key Questions for Cloud Computing
• Summary

Page 3: Seven Cardinal Vices

The seven cardinal vices used by the Christian church to teach the origins of sin: Wrath, Greed, Pride, Lust, Envy, Gluttony and Sloth.

Page 4: Cloud Computing Deadly Sins

• Sloth
  – Not knowing you are using the Cloud
  – Not assuring legal and regulatory compliance
  – Not knowing what data is in the Cloud
  – Not managing identity and access to the Cloud
  – Not managing business continuity and the Cloud
  – Becoming locked in to one provider
  – Not managing your Cloud provider

Page 5: Ten Key Questions for Cloud Computing

Page 6: #1 Do you know that you are using the Cloud?

Page 7: Loss of Governance

• Is your organization already using the Cloud? You only need a credit card.
  – Is there a process for getting the Cloud?

Probability: Very High. Impact: High.

Page 8: #2 How can you ensure governance of the Cloud?

Page 9: Governance Frameworks Used

[Bar chart: "Governance Frameworks and Security Standards Used", axis 0 to 80. Categories: ISO 2700x, COBIT, ITIL, TOGAF, Other, Custom Frameworks, None. Bar heights are not recoverable from this transcript.]

Source: ENISA Survey of SLAs across EU Public Sector, Dec 2011

Page 10: Provider Standards

Are your IT service providers obliged to adhere to these standards too?
• Yes: 22%
• Yes, some: 46%
• No: 19%
• Don't know: 13%

Source: ENISA Survey of SLAs across EU Public Sector, Dec 2011

Page 11: Cloud Governance

[Diagram: governance cycle]
1. Identify business requirements
2. Specify service to meet business needs
3. Assess risk probability and impact, and risk response
4. Clarify who is responsible for what
5. Assure and monitor delivery of the Cloud service

Page 12: #3 Which is the right Cloud for my business needs?

Page 13: Choose the Right Cloud

• Service Model: IaaS, PaaS, SaaS
• Deployment Model: Private, Community, Public, Hybrid
• Management Considerations: Governance, Security, Integration, Orchestration

Page 14: Cloud Service Models

[Diagram: a spectrum from In House (left) to Cloud (right), one row per delivery layer]

• Platform: In House IT Platform → Commercial Platform → Platform as a Service
• Infrastructure Delivery: In House IT Deployment → Managed IT Service → Infrastructure as a Service
• Application Delivery: In House Developed Applications → Commercial Applications → Software as a Service

Service characteristics: the In House end offers functional flexibility and bespoke systems at the highest cost; the Cloud end offers speed of deployment and elasticity of supply as a commodity at the lowest cost.

Page 15: Service Models - Strengths and Weaknesses

General
  Strengths: No capital investment; Fast deployment; Fast response to increasing demand
  Weaknesses: Compliance issues such as geographic location; Confidentiality, Integrity and Availability; Price may not go down when demand falls; You may pay more over time

IaaS
  Strength: Runs existing workload and applications
  Weaknesses: Your application must conform; You have to manage your own environment

PaaS
  Strength: Once developed, the application is immediately ready for Cloud deployment
  Weakness: Locked into PaaS APIs and environment

SaaS
  Strength: Application ready to use
  Weaknesses: Functionality may not meet your precise needs; Ownership and return of data

Page 16: Cloud Delivery Model

• Public Cloud: you are sharing with everyone and anyone
• Community Cloud: you are sharing with selected others
• Hybrid Cloud: you may be sharing sometimes
• Private Cloud: you are not sharing

Page 17: Community/Private Cloud

Example: NHSmail
http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail

• Secure: approved for the transmission of patient data; Government accredited to 'RESTRICTED' status.
• Resilient: based in two data centres; the disaster recovery design has been fully tested and proved.
• Available: via secured encrypted devices; available over the NHS N3 network and the internet.

Page 18: Delivery Models - Strengths and Weaknesses

Public
  Strengths: Availability and reliability; Tolerance and elasticity; Physical security; Patch and vulnerability management; Intrusion prevention and detection
  Weaknesses: Legal and regulatory compliance; Control over the supply chain; Logging capabilities; Auditing; Accessing forensic data; Data location

Private
  Strengths: Control over policies, logging, auditing, etc.; Granular access control; Control over legal compliance
  Weaknesses: Less economy of scale, less tolerance to attack, less flexibility to meet peak demand, and less resilience

Community
  Strengths: Similar benefits of scale to the public cloud while retaining greater control over compliance and data privacy
  Weaknesses: Similar to private Cloud

Page 19: #4 How can I assure compliance?

Page 20: Compliance Example

EU Data Protection Laws to include large fines
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws. The European Commission has put forward the suggestion as part of a new directive and regulation. These include:
• A right to be forgotten
• Explicit consent
• Right of data portability
• Breach notification within 24 hours
• Single set of rules across the EU
• Companies governed by a single DPA
• EU rules apply to non-EU organizations
• Unnecessary administrative burdens removed
• National Data Protection Authorities strengthened

(The proposal described here became the GDPR, adopted in 2016 and applying from 25 May 2018; the final text raised the maximum fine to 4% of global annual turnover or EUR 20 million and set breach notification to the supervisory authority at 72 hours.)

Probability: High. Impact: High.

Page 21: Compliance Responsibilities – Data Privacy Example

ISO 27001 Control 15.1.4: Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

(Control numbers throughout this deck follow ISO/IEC 27001:2005 Annex A; the controls were renumbered in the 2013 revision.)

Customer responsibility: Identify legal and regulatory requirements and ensure these are in the contract/SLAs.
Provider responsibility: Hold and process data in accordance with legal and regulatory requirements.

Page 22: Compliance Checklist – Data Privacy Example

ISO 27001 Control 15.1.4:

• Metrics/SLA Checklist
  – CO-01 to CO-03: Cloud provider provides evidence of meeting compliance requirements.
  – Geographic location of data and Cloud provider infrastructure: EU, US Safe Harbor.
  – Cloud provider does not use other companies whose infrastructure is located outside that of the Cloud provider.
  – Cloud provider's services are not subcontracted or outsourced.

CO-xx are Cloud Security Alliance Cloud Controls Matrix (CCM) control references. (The US Safe Harbor framework named above was invalidated by the Court of Justice of the EU in October 2015, so a location assurance that relies on it needs to be re-based on a current transfer mechanism.)

Page 23: #5 How can I assure information security?

Page 24: Industrialized Cyber Threats

RSA Offers to Replace SecurID Tokens
http://www.bbc.co.uk/news/technology-13681566
June 7th, 2011

Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks. It follows a hack against the company in March where information related to the tokens was stolen. RSA has now revealed that some of that information was used during the hack attack on defence firm Lockheed Martin. It is estimated that there are around 40 million SecurID tokens in circulation around the world. In an open letter to customers, RSA executive chairman Art Coviello confirmed that "information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin".

Probability: Medium. Impact: High.

Page 25: Data Classification – The Essential Foundation

ISO 27001 Control 7.2: Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

Customer responsibility: Classify data being moved to the Cloud in terms of its value to the business and the impact of loss.
Provider responsibility: Ensure the confidentiality, integrity and availability of customer data.

Page 26: Internet Security Responsibilities

ISO 27001 Control 10.6: Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network.

Customer responsibility: Protect own systems and infrastructure; configure and patch the guest (IaaS) systems.
Provider responsibility: Protect the provider services and infrastructure against internet threats.

Page 27: Internet Security Checklist

ISO 27001 Control 10.6

• Metrics
  – SA-08 Network security architecture
  – SA-14 Intrusion detection controls
  – Controls to mitigate DDoS attacks
  – Defences against internal as well as external threats
  – Network architecture supports continuous operation
  – Network infrastructure secured to best practice
• SLA Checklist
  – Metrics and reporting on vulnerability detection and management
  – Metrics and reporting on isolation (e.g. penetration testing)

SA-xx are CCM control references.

Page 28: #6 Who is responsible for Identity and Access?

Page 29: Impersonating the User

Carbon Thieves Force European Union to Improve Security, Close Spot Market
www.bloomberg.com
January 21st, 2011

The European Union, whose decision to suspend registries halted the region's spot carbon-emissions market following the theft of permits, said it won't lift restrictions until member states step up identification checks. It suspended most operations at Europe's 30 registries for greenhouse-gas emissions on Jan. 19 after a Czech trader reviewing his $9 million account found "nothing was there." The EU estimates permits worth as many as 29 million Euros may be missing.

"At minimum they need to have second authorization in place, such as electronic certificates or ID cards," said Simone Ruiz, European policy director of the Geneva-based IETA.

Probability: Medium. Impact: High.

Page 30: Impersonating the Service

Google users targeted by forged security certificate
http://www.telegraph.co.uk/technology/google/8730785/Google-users-targeted-by-forged-security-certificate.html
August 30th, 2011

Security researchers have discovered a forged internet security certificate designed to allow hackers to spy on Google users' private emails and other communications. The forgery was first reported by an Iranian web user, which has raised fears it may be part of efforts by the government in Tehran to monitor dissidents....

The forgery was issued to the unknown attackers on 10 July by DigiNotar, a Dutch SSL certificate authority. For more than two months it would have allowed them to set up fake versions of Google websites that appeared genuine to users and their web browsers. This would in turn have allowed the hackers to collect usernames and passwords for their targets' genuine Google accounts. The forged certificate was valid for google.com and all its sub-domains, including mail.google.com.

Probability: Medium. Impact: High.

Page 31: Identity Management Responsibilities

ISO 27001 Control 11.2: To ensure authorized user access and to prevent unauthorized access to information systems.

Customer responsibility: Vet, manage and control identity and access of users to their guest services and systems.
Provider responsibility: Vet, manage and control the systems administrators who manage the service, host systems and infrastructure.

Page 32: #7 How can I avoid breaches of privilege?

Page 33: Insider Abuse of Privilege

Houston Computer Administrator Sentenced to 12 Months in Prison
http://www.justice.gov/opa/pr/2010/July/10-crm-775.html
July 6, 2010

WASHINGTON – A former senior database administrator for GEXA Energy in Houston was sentenced today to 12 months in prison for hacking into his former employer's computer network, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and U.S. Attorney Jose Angel Moreno for the Southern District of Texas….

According to court documents… In pleading guilty, Kim admitted that in the early hours of April 30, 2008, he used his home computer to connect to the GEXA Energy computer network and a database that contained information on approximately 150,000 GEXA Energy customers. While connected to the computer network, Kim recklessly caused damage to the computer network and the customer database by inputting various Oracle database commands. Kim also copied and saved to his home computer a database file containing personal information on the GEXA Energy customers, including names, billing addresses, social security numbers, dates of birth and drivers license numbers.

According to court documents, Kim's actions caused a $100,000 loss to GEXA Energy.

Probability: Medium. Impact: Very High.

Page 34: Privileged User Management – Privilege Management Checklist

ISO 27001 Control 11.2.2:

• Metrics/SLA Checklist
  – HR-01 Background checks on infrastructure administrators.
  – IS-08 Privileges are allocated to users only when required.
  – IS-07 Authorization process for privileges, and a record kept of privileges allocated.
  – IS-34 Steps taken to minimize the need for privileged access.
  – Tamper-proof log of privileged activities.

HR-xx and IS-xx are CCM control references.
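The last checklist item, a tamper-proof log of privileged activities, is the one a practitioner most often has to build or evaluate, and the GEXA case on the previous page is exactly the scenario it must survive: a database administrator who can reach the log store. The following is an added example, not code from the presentation or from KuppingerCole. It shows a hash-chained log sealed with an HMAC whose key is held by the audit function rather than by the administrators being logged, and then checks that editing, deleting, truncating and rebuilding the log are all detected. The entries, host names and key are constructed for the demonstration.

```python
"""Tamper-evident log of privileged activity: a SHA-256 hash chain sealed with an HMAC.

Every record stores the hash of the record before it, so editing, deleting or
reordering an entry breaks every later link. The head of the chain is sealed
with an HMAC key held by the audit function, not by the administrators being
logged, so an admin who rewrites or truncates the file cannot produce a valid
seal for the result.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # hash value the first record chains to


def _record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(log: list, entry: dict) -> dict:
    """Append one privileged-activity entry, chaining it to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"entry": entry, "prev": prev, "hash": _record_hash(prev, entry)}
    log.append(rec)
    return rec


def seal(log: list, key: bytes) -> str:
    """Seal the current chain head; the key must live outside admin reach."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(log: list, key: bytes, seal_value: str):
    """Return (True, None) if the chain is intact and the seal matches.

    Otherwise return (False, i) where i is the index of the first broken
    record, or (False, -1) when every link checks out but the seal does not
    (the chain was truncated or rebuilt by someone without the seal key).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if not hmac.compare_digest(seal(log, key), seal_value):
        return False, -1
    return True, None


def demo() -> dict:
    """Build a constructed log, seal it, then try four tampering scenarios."""
    key = b"audit-team-seal-key"  # constructed; in practice held by the auditors
    log: list = []
    for entry in [  # constructed sample entries
        {"ts": "2012-03-01T09:00:00Z", "admin": "dba1", "host": "db01", "action": "sudo su -"},
        {"ts": "2012-03-01T09:02:10Z", "admin": "dba1", "host": "db01", "action": "SELECT * FROM customers"},
        {"ts": "2012-03-01T09:05:44Z", "admin": "dba1", "host": "db01", "action": "DROP TABLE audit_tmp"},
    ]:
        append(log, entry)
    sealed = seal(log, key)
    results = {"intact": verify(log, key, sealed)}

    # 1. Edit one entry in place: its stored hash no longer matches.
    edited = json.loads(json.dumps(log))
    edited[1]["entry"]["action"] = "SELECT 1"
    results["edited"] = verify(edited, key, sealed)

    # 2. Delete a middle record: the next record's prev pointer is wrong.
    results["deleted"] = verify(log[:1] + log[2:], key, sealed)

    # 3. Truncate the tail: every link is fine, only the seal disagrees.
    results["truncated"] = verify(log[:2], key, sealed)

    # 4. Rebuild the chain with the last entry swapped and all hashes recomputed:
    #    links are consistent, but the admin cannot forge the HMAC seal.
    rebuilt: list = []
    for rec in log[:2]:
        append(rebuilt, rec["entry"])
    append(rebuilt, {"ts": "2012-03-01T09:05:44Z", "admin": "dba1", "host": "db01", "action": "noop"})
    results["rebuilt"] = verify(rebuilt, key, sealed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The chain alone only proves internal consistency; an administrator who can rewrite the whole file can recompute every hash. The seal is what binds the chain to a party the administrator is not, which is why the key must be held by the audit function and the seal published or escrowed outside the logged system at a fixed cadence. For a Cloud provider, the SLA question is who holds that key and how often the seal is taken.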

Page 35: #8 How can I ensure Business Continuity?

Page 36: Business Continuity

Lightning Strike in Dublin Downs Amazon, Microsoft Clouds
http://www.pcworld.com/businesscenter/article/237476/lightning_strike_in_dublin_downs_amazon_microsoft_clouds.html/
August 8th, 2011

A lightning strike in Dublin on August 8th caused a power failure in data centers belonging to Amazon and Microsoft, causing the companies' cloud services to go offline. Lightning struck a transformer, sparking an explosion and fire which caused the power outage at 10:41 AM PDT, according to preliminary information, Amazon wrote on its Service Health Dashboard. Under normal circumstances, backup generators would seamlessly kick in, but the explosion also managed to knock out some of those generators. By 1:56 PM PDT, power to the majority of network devices had been restored, allowing Amazon to focus on bringing EC2 (Elastic Compute Cloud) instances and EBS (Elastic Block Storage) volumes back online. But progress was slower than expected, Amazon said a couple of hours later.

Probability: Low. Impact: High.

Page 37: Business Continuity Responsibilities

ISO 27001 Control 14: A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets to an acceptable level.

Customer responsibility: Prepare and test a business continuity plan based on business need.
Provider responsibility: Prepare and test service continuity plans for hosted services.

Page 38: #9 How can I avoid becoming "Locked-in" to one provider?

Page 39: Lock in

• "…to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily. It must be as fast and easy as changing one's internet or mobile phone provider has become in many places…"
  – Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, on the European Cloud Computing Strategy

Probability: High. Impact: Medium.

Page 40: Lock in Example – Data Return

ISO 27001 Control 8.3.2: All employees, contractors and third party users should return all of the organization's assets in their possession upon termination of their employment, contract or agreement.

Customer responsibility: Ensure that the service contract specifies data ownership and return.
Provider responsibility: Provide mechanisms for the customer to upload and download data to and from hosted systems.

Page 41: #10 How can I manage the Cloud Service Provider?

Page 42: Many Assurance Frameworks

• Which assurance framework is right for you?
  – COBIT
  – ISO/IEC 27001-27005
  – AICPA Service Organization Control Reports
  – AICPA/CICA Trust Services (SysTrust and WebTrust)
  – Cloud Security Alliance Controls Matrix
  – BITS Shared Assessment Program
  – Jericho Forum® Self-Assessment Scheme (SAS)
  – CSA Shared Assessments
  – ENISA Procuresecure
  – German BSI Security Recommendations for Cloud Computing Providers
  – NIST Cloud Computing Synopsis and Recommendations

Page 43: SSAE 16 Service Organization Control Reports

Statement on Standards for Attestation Engagements No. 16
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx

SOC Type 1 Report, auditor opinion:
  – Description is fairly presented (i.e. describes what exists)
  – Whether controls are suitably designed (i.e. controls are able to achieve the described objectives)

SOC Type 2 Report, auditor opinion:
  – As Type 1, plus:
  – Whether controls were operating effectively over the review period (i.e. do achieve the control objectives)
  – Describes the auditor's tests and their results

(SSAE 16 has since been superseded by SSAE 18; the Type 1 / Type 2 distinction is unchanged.)

Page 44: IaaS Example - Amazon Web Services
http://aws.amazon.com/security/

• SOC 1 Attestation, control objectives attested:
  – Security Organization
  – Amazon Employee Lifecycle
  – Logical Security
  – Secure Data Handling
  – Physical Security
  – Environmental Safeguards
  – Change Management
  – Data Integrity, Availability and Redundancy
  – Incident Handling

Page 45: AICPA Trust Services (SysTrust/WebTrust)
http://www.webtrust.org/principles-and-criteria/item27818.pdf

• Criteria established by AICPA for use when providing attestation services on the following areas of systems:
  – Security Principle and Criteria
  – Availability Principle and Criteria
  – Processing Integrity Principle and Criteria
  – Confidentiality Principle and Criteria
  – Privacy Principles and Criteria

Page 46: SaaS Example - SalesForce.com
https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf

• Example based on AICPA Trust Services principles and criteria for:
  – Confidentiality,
  – Availability, and
  – Security.

Page 47: ISO/IEC 27002
http://www.iso.ch

• Code of practice for information security management
• 134 controls covering (2005 edition; the Security Policy and Compliance clauses are not shown on the slide):
  – Organization of Information Security
  – Asset Management
  – Human Resources Security
  – Physical and Environmental Security
  – Communications and Operations Management
  – Access Control
  – Information Systems Acquisition, Development and Maintenance
  – Information Security Incident Management
  – Business Continuity Management

[Diagram: Information at the centre of the Confidentiality, Integrity and Availability triangle]

Page 48: PaaS Example - Microsoft Azure
http://www.globalfoundationservices.com/security/

• Confidentiality assured by:
  – Identity and access management
  – Isolation: logical and physical containers
  – Encryption of internal channels
  – User must encrypt own data (a customer responsibility, not a platform control)
  – Destruction of storage media
• Integrity
  – Fabric protected from unauthorized change
  – Secure Development Lifecycle
• Availability
  – Worldwide data centres
  – Data triplication
• Compliance
  – ISO 27001 certification of parts of the infrastructure
  – Safe Harbor signatory
  – Choice of data being located within the EU
  – New contracts for Office 365 customers in Germany to end uncertainty about the Patriot Act

Page 49: Summary

Page 50: Summary

• To avoid the Seven Deadly Sins of Cloud Computing, follow the ten commandments:
  1. Know that you are using the Cloud
  2. Use good governance for the Cloud and other IT services
  3. Choose the right Cloud for your needs
  4. Assure compliance
  5. Assure information security
  6. Manage identity and access
  7. Assure privilege management
  8. Include the Cloud in your business continuity plan
  9. Avoid lock-in
  10. Manage the Cloud service provider

Page 51: Questions?

Page 52:

Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole
www.kuppingercole.com
Email: [email protected]
Mobile: +44 7777 697 300