1 / 42

virtual techdays

INDIA │ 9-11 February 2011. virtual techdays. SECURING THE CLOUD. Manu Zacharia │ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP Certified ISO 27001:2005 Lead Auditor. INDIA │ 9-11 February 2011. virtual techdays.

apu
Download Presentation

virtual techdays

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INDIA │ 9-11 February 2011 virtual techdays SECURING THE CLOUD Manu Zacharia│ Information Security Evangelist MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP Certified ISO 27001:2005 Lead Auditor

  2. INDIA │ 9-11 February 2011 virtual techdays • Cloud Architecture • NIST Working Definition of Cloud Computing • Some Myths • C-RISK (Cloud Based Security RISKs) • Security Issues • Cloud Transparency • Ensuring Security & Privacy • Risk Based Approach • Risk Assessment for Cloud S E S S I O N A G E N D A

  3. INDIA │ 9-11 February 2011 virtual techdays • The opinion here represented are my personal ones and do not necessary reflect my employers views. • Registered brands belong to their legitimate owners. • The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :) • Information and resources from Internet (including publications from Cloud Security Alliance, NIST, etc) were used as references for the creation of this presentation. DISCLAIMER & REFERENCES

  4. INDIA │ 9-11 February 2011 virtual techdays • cloud is loud • Headline stealer • Everybody is concerned about Cloud Security • Privacy concerns • Why handle cloud differently? • Simple – power of cloud • With any new technology comes new risks • New vectors - that we need to be aware of WHY THIS TALK?

  5. INDIA │ 9-11 February 2011 virtual techdays • Barack Obama's Technology Innovation and Government Reform Team (TIGR) describe the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade." • 102 billion objects as of March 2010 in Amazon Cloud • The New York Times stores PDF's of 15M scanned news articles. • NASDAQ uses cloud to deliver historical stock information. • A 64 node server cluster can be online in just five minutes • Forget about those sleepless nights in your data centers POWER OF CLOUD

  6. INDIA │ 9-11 February 2011 virtual techdays • Providing a collection of • services, • applications, • information, and • infrastructure comprised of pools of • compute, • network, • information, and • storage resources. CLOUD In Simple Terms

  7. INDIA │ 9-11 February 2011 virtual techdays • From an architectural perspective; there is much confusion • How cloud is both similar to and different from existing models of computing? • Same old, Same old - Marcus Ranum • Same Client / Server paradigm from Mainframe days – Bruce Schneier • If we don’t understand these similarities and differences, it will impact the • organizational, • operational, and • technological approaches to information security practices. CLOUD CONFUSION In Simple Terms

  8. INDIA │ 9-11 February 2011 virtual techdays • Current Working Draft 15 / Current Working Defenition 15 • “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of : • five essential characteristics, • three service models, and • four deployment models.” • Ref: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

  9. INDIA │ 9-11 February 2011 virtual techdays • Five essential characteristics • On-demand self-service • Broad network access • Resource pooling • Rapid elasticity • Measured service CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

  10. INDIA │ 9-11 February 2011 virtual techdays • Divided into three archetypal models. • The three fundamental classifications are known as the SPI Model. • Various other derivative combinations are also available. • Three Cloud Service Models • Cloud Software as a Service (SaaS). • Cloud Platform as a Service (PaaS). • Cloud Infrastructure as a Service (IaaS). CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

  11. INDIA │ 9-11 February 2011 virtual techdays • Regardless of the service model, there are four cloud deployment models: • Public Cloud • Private Cloud • Community Cloud • Hybrid Cloud • Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand. • Example - Virtual Private Clouds - Public cloud infrastructure in a private or semi-private manner using VPN. CLOUD ARCHITECTURE NIST Working Definition of Cloud Computing

  12. INDIA │ 9-11 February 2011 virtual techdays • Myth 1 - Virtualization is mandatory • Answer is No • Cloud services are often but not always utilized in conjunction with, and enabled by, virtualization technologies • There is no requirement that ties the abstraction of resources to virtualization technologies • In many offerings virtualization by hypervisor or operating system container is not utilized. CLOUD - MYTHS Myths about Cloud Computing Essential Characteristics

  13. INDIA │ 9-11 February 2011 virtual techdays • Myth 2 - Multi-tenancy as an essential cloud characteristic • Multi-tenancy is not called out as an essential cloud characteristic by NIST but is often discussed as such. CLOUD - MYTHS Myths about Cloud Computing Essential Characteristics

  14. INDIA │ 9-11 February 2011 virtual techdays • New twist on an old concept :) • Bursting into the cloud when necessary, or • using the cloud when additional compute resources are required temporarily CLOUD JARGONS Cloud Bursting

  15. INDIA │ 9-11 February 2011 virtual techdays • How it is different from the traditional bursting? • Traditionally been applied to resource allocation and automated provisioning / de-provisioning of resources, mainly focused on bandwidth. • In the cloud, it is being applied to resources such as: • servers, • application servers, application delivery systems, and • other infrastructure… required to provide on-demand computing environments that expand and contract as necessary, without manual intervention. CLOUD JARGONS Cloud Bursting

  16. INDIA │ 9-11 February 2011 virtual techdays • Without manual intervention means? • We generally call it - automation • But is automation sufficient for cloud? or • Is it the right thing for cloud? CLOUD JARGONS Cloud Bursting

  17. INDIA │ 9-11 February 2011 virtual techdays • Orchestration describes the automated • arrangement, • coordination, and • management of complex computer systems, middleware, and services. CLOUD JARGONS Cloud Orchestration

  18. INDIA │ 9-11 February 2011 virtual techdays • Open and proprietary APIs are evolving which seek to enable things such as • management, • security and • inter-operatibility for cloud. Examples include: • Windows Azure Storage Services REST API • Open Cloud Computing Interface Working Group, • Amazon EC2 API, • VMware’s DMTF-submitted vCloud API, • Sun’s Open Cloud API, • Rackspace API, and GoGrid’s API. CLOUD API OPEN & PROPRIETARY

  19. INDIA │ 9-11 February 2011 virtual techdays • Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks. • IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS • As the capabilities are inherited, so are information security issues and risk. CLOUD REFERENCE MODEL RELATIONSHIPS & DEPENDENCIES

  20. INDIA │ 9-11 February 2011 virtual techdays CLOUD REFERENCE MODEL RELATIONSHIPS & DEPENDENCIES

  21. INDIA │ 9-11 February 2011 virtual techdays • From an attackers point of view: • The boxes, • Storage, • Applications • Cloud based security issues • Also commonly know as Cloud Based Risk or C-RISK CLOUD SECURITY WHAT COULD BE TARGETTED?

  22. INDIA │ 9-11 February 2011 virtual techdays • Cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT • Different cloud service providers use different API – not compatible with each other for migrating the data  • Lack of: • Tools, • Procedures, • Standard data formats, and • Interfaces, can considerably delay or prevent a successful migration. CLOUD SECURITY LOCK-IN

  23. INDIA │ 9-11 February 2011 virtual techdays • Any kind of intentional and un-intentional malicious activity carried out or executed on a shared platform • May affect the other tenants and associated stake holders. • Examples - Shared Service Consequences: • Blocking of IP ranges • Confiscation of resources as part of an investigation - the availability is in question. • The diversity of application running on the cloud platform and a sudden increase in the resource usage by one application can drastically affect the performance and availability of other applications shared in the same cloud infrastructure. CLOUD SECURITY Shared Service Consequences

  24. INDIA │ 9-11 February 2011 virtual techdays • Cloud is upcoming and promising domain for organizations to venture and expand. • Sudden take over can result in a deviation from the agreed Terms of Use & SLA which may also lead to a Lock-In situation. CLOUD SECURITY Sudden Acquisitions and Take-overs

  25. INDIA │ 9-11 February 2011 virtual techdays • Similar to the conventional run on the bank concept. • Bankruptcy and catastrophes does not come with an early warning. • What happens if the majority clients withdraw the associated services from a cloud infrastructure? • The cloud service providers may try to prevent that move through direct and indirect methods – which may include a lock-in also. CLOUD SECURITY Run-on-the-cloud

  26. INDIA │ 9-11 February 2011 virtual techdays • Organizations need to ensure that they can maintain the same when moving to cloud. • Generally - ToU prohibits VA/PT • This may introduce security vulnerabilities and gaps • Result – Loose your certification. • Example - Maintaining Certifications: • In general scenario, the PCI DSS compliance cannot be achieved with most of the cloud service. • Major downfall in performance and quality metrics may affect your certifications. CLOUD SECURITY Maintaining Certifications & Compliance

  27. INDIA │ 9-11 February 2011 virtual techdays • Vulnerabilities applicable to the conventional systems & networks are also applicable to cloud infrastructure. • Lack of could based security standards and non-adherence to procedures may affect the CIA of customer data. CLOUD SECURITY Technical and Procedural Vulnerability

  28. INDIA │ 9-11 February 2011 virtual techdays • The information deleted by the customer may be available to the cloud solution provider as part of their regular backups. • Insecure and inefficient deletion of data where true data wiping is not happening, exposing the sensitive information to other cloud users. CLOUD SECURITY Confidentiality is @ Risk

  29. INDIA │ 9-11 February 2011 virtual techdays • The service provider may be following good security procedures, but it is not visible to the customers and end users. • May be due to security reasons. • But end user is finally in the dark. • End user questions remains un-answered: • how the data is backed up, • who back up the data, • whether the cloud service provider does it or has they outsourced to some third party, CLOUD SECURITY Lack of transparency in cloud

  30. INDIA │ 9-11 February 2011 virtual techdays • how the backup is transferred to a remote site as part of the backup policy, • is it encrypted and send, • is the backup properly destroyed after the specified retention period or • is it lying somewhere in the disk, • what kind of data wiping technologies are used. • The lists of questions are big and the cloud users are in dark CLOUD SECURITY Lack of transparency in cloud

  31. INDIA │ 9-11 February 2011 virtual techdays • Problems testing the cloud? • Permission • How do you get permission to test your application running on a cloud when the results of your testing probably could show you data from another client completely? • Getting black hole or getting kicked-off • "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia CLOUD SECURITY (Security) Testing in Cloud

  32. INDIA │ 9-11 February 2011 virtual techdays • How do you track version? • How do you do regression testing? • How do you know what version of the application is currently running on the cloud? • If you test an application today and find it vulnerable or not vulnerable, how do you know that the app you testing tomorrow is the same one that you tested yesterday? – Chances are very less  CLOUD SECURITY (Security) Testing in Cloud

  33. INDIA │ 9-11 February 2011 virtual techdays • Adopt a risk based approach • Evaluate your tolerance for moving an asset to cloud • Have a framework to evaluate cloud risks. CLOUD SECURITY Addressing Security Issues in Cloud

  34. INDIA │ 9-11 February 2011 virtual techdays • Identify the asset for cloud. • Evaluate the asset • Map the asset to cloud deployment models • Evaluate cloud service models & providers • Sketch the potential data flow CLOUD SECURITY Risk Assessment Framework for Cloud

  35. INDIA │ 9-11 February 2011 virtual techdays • Step 1 - Determine exactly what data or function is being considered for the cloud. • Include potential use of the asset once it moves to the cloud • This will help you account for scope creep • Note: Data and transaction volumes are often higher than expected. CLOUD SECURITY Identify the asset for cloud.

  36. INDIA │ 9-11 February 2011 virtual techdays • Determine how important the data or function is to the organization. • An assessment of the following is recommended: • how sensitive an asset is? and • how important an application / function / process is? • How do we do it? CLOUD SECURITY Evaluate the asset

  37. INDIA │ 9-11 February 2011 virtual techdays • For each asset, ask the following questions: • How would we be harmed if the asset became widely public and widely distributed? • How would we be harmed if an employee of our cloud provider accessed the asset? • How would we be harmed if the process or function were manipulated by an outsider? • How would we be harmed if the process or function failed to provide expected results? • How would we be harmed if the information/data were unexpectedly changed? • How would we be harmed if the asset were unavailable for a period of time? • By doing the above we are • Assessing confidentiality, integrity, and availability requirements for the asset; and • how those are affected if all or part of the asset is handled in the cloud? CLOUD SECURITY Evaluate the asset

  38. INDIA │ 9-11 February 2011 virtual techdays • Map the asset to potential cloud deployment models • Determine which deployment model is good for the organizational requirement. • For the asset, determine if you are willing to accept the following options: • Public. • Private, internal/on-premises. • Private, external (including dedicated or shared infrastructure). • Community • Hybrid CLOUD SECURITY Map the asset to cloud deployment models

  39. INDIA │ 9-11 February 2011 virtual techdays • Focus on the degree of control you’ll have at each SPI tier to implement any required risk management. CLOUD SECURITY Evaluate cloud service models & providers

  40. INDIA │ 9-11 February 2011 virtual techdays • Map out the data flow between: • your organization, • the cloud service, and • any customers/other nodes. CLOUD SECURITY Sketch the potential data flow

  41. INDIA │ 9-11 February 2011 virtual techdays • You should have a clear understanding of the following: • the importance of what you are considering moving to the cloud, • risk tolerance, • which combinations of deployment and service models are acceptable, and • potential exposure points for sensitive information and operations. CLOUD SECURITY Conclusion

  42. THANKS│9-11 February 2011 virtual techdays m@hackit.co │ http://manuzacharia.blogspot.com

More Related