Feeling safe in the cloud

CANHEIT 2012

Feeling safe in the cloudPete HickeyUniversit dOttawaEverybody talks about clouds

Not all are happy

History of confusion1967 The Saskatoon Connection

Joni Mitchel, 1967Ive looked at clouds from both sides nowFrom up and downAnd still somehowIts cloud illusions I recallI really dont know clouds at all

CloudsSome people think the moving student e-mail to Google/Microsoft is moving to the cloud.Much more than that.

Jean-Philippes mountain cloud



Jean-Philippes mountain cloudNot everyone has the same ideaCant see what is there.

What goes around comes aroundEarly days, mainframes.Move to PCs and distributed processingAt one time we had 37 Novell servers on campusMove to centralizeEconomics : economy of scaleManageabilityMove to the cloud is the same thing on a larger scale.

It will comeJust because something is not a good fit does not stop us.Look at the InternetNot designed for how we use itWe change in spite of the issues.

Clouds are attractive!Somebody Elses Problem(SEP) is a condition where individuals/populations of individuals choose to decentralize themselves from an issue that may be in critical need of recognition Everyone offering cloud servicesWhatever you want, you can get it.You can even get things you dont want.

Clouds are attractive!Can provide something you dont have the resources forBroad network accessAvailable from anywhereAccessible from any platformCan be provided FAST!Rapid elasticity.

Clouds are attractive!Reduce or eliminate need for YOUR tech support. Get rid of your skilled geeks

Trust the company to provide the service.

Trust me!!!!!

New skillsets required!Contract negotiation more important!You must have a thorough understanding of your process/systemYou must have a thorough understanding of their systemYou must ensure everything is clear in the contract.

Replace your geeks with lawyers!

Planning is essentialWhen providing something in-house, you can react to changes, unrealized needs.In theory, an project is well planned in advance.In reality, not always true.

Lets get it going, then fix it after.

The UnknownAs we know,There are known knowns.There are things we know we know.We also knowThere are known unknowns.That is to sayWe know there are some thingsWe do not know.But there are also unknown unknowns,The ones we don't knowWe don't know.Feb. 12, 2002, US Department of Defense news briefing

Trust the companyEveryone is getting into the cloud.Do you have confidence in the companys ability to deliver the product?Or are they just getting the product out the doorAreas of trust to considerThe ability of the company to provide what you wantThe integrity of the employees of that company.Trust PeopleIn general, people are trustworthy.Trust should make you think of this:

Trust

TrustStatistics tell us that, the larger the population, the greater the number at the end of the bell curve.As we increase the size of the population we trust, the probability of an untrustworthy individual increases.

TrustDataloss.org states that data loss is from22% inside accidental10% inside malicious.Malicious insider is HIGH RISKDue to their access to sensitive data.You have more insiders

TrustIn the past, we would trust our staff because we knew them.The cloud brings a new style of trust.

Trust by Contract!

TrustYou cant trust a population you dont know.Get it in the contract!Job for the future Cloud Contracting Engineer.

Kinds of cloudsIAAS Infrastructure as a Service. EG Amazons E2CHardware provided for youQuick to create new machinesAttractive for seasonal growth and un-growth.Attractive if space is expensiveOS and hardware maintained for you.

Kinds of cloudsPAAS Platform as a service. The OS and middleware there for youDevelop custom applications without worrying about the rest.

Kinds of cloudsSAAS Software as a service EG GoogleDocs, emailVery rapid deployment.No maintenance/upgrades/patching.Just about everything imaginable is out there

Kinds of cloudsSAASPAASIAASThe lower Security responsibility : youThe higher Security responsibility : them.

Things to think aboutYour neighborsBreachesYour data/processesAuthenticationAuthorisationMonitoringAuditingE-discovery

Things to think aboutimagePhysical SecurityDNS issuesLaws regulationsRisk evaluationBusiness continuity

Welcome to my Neighborhood!

Your Neighbors

Your NeighborsIn house, would you run your business systems on the same VMWare cluster which has open student shell access?Why? why not?Defense in depth?

Your NeighborsDo you know your neighborsDo you care?Do you know how you are kept separate from them?First recognizable group to use IAAS were the spammers. Your neighbors may not be your friends

Breaches and attacksAll the OWASP things still holdOther concerns as well

Breaches and attacks

Breaches and attacksWhat if your neighbor is breached?Will you be notified?What if the cloud infrastructure is breached?Will you be notified.What about an attack from a neighbor?What does a vulnerability in VMWare mean?

Collateral DamageWhat if your neighbor is DoS attractive?

What if your neighbor is hacking attractive?

Collateral damage?

Know your data well!

Know your data?Understand what it is, and any regulations/lawsKnow how it may changeRelatively easy with a databaseMore difficult with something like GoogleDocs.Similar for processesPeople have a way of using things in a way which was never intended.

New exposure risksTo the worldCloud employeesOther cloud customers. Data or process changedLack of access for a period of time

Where is your data?US? France? Japan? North Korea?Many only worry about data in US.Will it always stay where it is now?Do you have any way to verify?

Termination of contract.Intentional/unintentionalData retrieved?Data will be destroyed?

Destruction of data !Do you have a legal obligation to destroy data after X years?After being required to keep data for Y years do you want to destroy it.What is in the cloud providers backups?Destruction of data should be a cloud suppliers responsibility.

Backups/archives!Will you maintain your own as well?What is the effect of total loss of data? Careful about that locallyAll backups usually handled similarlyConcerns about multiple cloud providers.

It has happenedSEP example

Who owns the data

E-discoveryYou?Them?What tools do you have?You and the provider SHOULD be aligned here.

Can the cloud use your data?For advertising?In advertising?Facebook using users pictures in ads.

Facebook picture

PCI-DSSGives some areas to think about

Build a secure networkExistence of firewalls?Their networks security is probably classified.

Do not use vendor supplied passwordsServers hardened?Not much to say hereYou HOPE!


EncryptionSecure channels to data even more important.Can you store your data in the cloud with your own encryption?Could solve a lot of problemsCan you encrypt it on your own?Can the provider provide the infrastructure to let you encrypt with your keys?


Vulnerability managementEnsure cloud provider does itHow soon are patches applied?


Regularly monitor and testLogs? What can you see?What tools do you haveRaw data or canned reports?Can you increase details if necessaryAudit logs?

Monitor traffic

Monitor trafficTraffic blocked by firewall or unseen by the app may give an idea of threats.Do you have any idea of what is there that you dont see?

Test and MonitorPen testing and vulnerability scanning may be disallowed by contract.Other neighbors may view it as an attackCloud provider may view it as an attack.Be PCI compliant by buying a PCI compliant service.


PolicyCheck their security policiesDo you need cloud security policies?With SaaS (or any other) you may have users going out to the cloud without central approvalUniversities tend to be bad for this (eg DropBox)

AuthenticationWho are you?

AuthenticationAre accounts local or at cloud providers?Tends to vary with size of system.Are you giving your cloud provider access to your credentials.Users tend to have similar passwords for multiple sites.Hint. Think ShibbolethIf accounts are in the cloud how are former employees accounts deleted?

AuthenticationWhat if laws/regulations require 2-factor authentication in the future?

AuthenticationStolen credentials may be more of a riskLack of defense in depthCompensate somehow

Administrative accessHow are admin accounts handled?Defense in depth: In house, VPN first.In the cloud everyone can poke.Essential to protect admin access!Can you see failed logon attempts?

Can you go back?If things go wrong?Move to another provider if theirs is better?

Business continuityDont forget it.May be more difficult if not planned.

DNS issuesPhishing may be more of a threat.Yourname.cloud.com?How would outsiders see that?Reverse lookup?

How do you measure their security?Certifications, 3rd party auditsGlobal Payments was PCI compliant March 29.

What about your image?What if the Armed Forces use cloud services?What if Canada Revenue Agency did?

If you would not feel good about them in the cloud, ask yourself why?

Previous examples of things gone wrongThey can happen in-house as wellJust be aware that they can also happen out there.Its not a SEP its YOUR problm.

Bottom lineIts all in the contract.You need a very good understanding of the data, processes and the systems.Advance planning is even more important.You probably still need your geek as an architect for your cloud contracting team.

Cloud contracting team!

The flight here was specular. Like hovering all the way inside a jewel. We are the first generation to see the clouds from both sides. Sal Bellow, Henderson the rain kingTrust me!!!!!

Feeling safe in the cloudPete HickeyUniversit dOttawa

Feeling safe in the cloud

Documents

Transcript of Feeling safe in the cloud