slide1

Global Challenges in Cloud Security

Sadie Creese

Joint work with Paul Hopkins

International Digital Laboratory

slide2

Overview

  • Why
  • What
  • Drivers and Barriers
  • Sources of Future Risk
    • Maturity and Vulnerability
    • Future Threats
  • Global Security Challenges
  • Questions for debate
slide3

Why

  • How do we protect our digital assets, both data and function, when using the clouds?
  • How might malicious entities use the cloud?
  • How might current security practice not scale up?
  • What will require a collaborative response?

Services market currently at $56b, $150b in 2013 (Gartner March 09)

Services market to be worth $160b in 2011 (Merrill Lynch May 08)

Services market currently worth $16.2b, $42b in 2012 (IDC Dec 08)

Hosted apps market currently at $6.4b, $14.8b in 2012 (Gartner Dec 08)

slide4

What – the technology model

  • Utility / Pay-Per-Use, on-demand access, shared resources, rapid provisioning, agile, responsive

Gmail, Google Docs

Google App Engine

Amazon S3/SimpleDB

VMWare/XEN

Amazon EC2


slide5

What - system

[Diagram labels: User, Broker, VM (×9)]

slide6

What - applications

  • Repackaging of products for deployment in clouds
  • Existing data centres expanding market offerings to include utility services
  • MS, Google, salesforce.com offering rich application frameworks but with little portability
  • Market analysts predict enterprise apps for niche/common.
    • Archiving & eDiscovery, Collaboration (Secure), ERP, Online backup, Supply chain mgt, Web content mgt & conferencing….
  • Lock-in and lack of interoperability key issue
  • Web mash-ups composing 3rd party apps
slide7

What – application ecosystem

Extract from slides: “Prophet a Path out of the cloud”, Best Practical, Presented at O’Reilly Open Source Conf, 2008


slide8

Cloud Drivers

  • Enterprise Drivers
    • Compression of deployment cycles
    • Instant upgrade and try-it-out
    • Elasticity
    • Cost alignment
    • Reduction of IT team costs
    • Accessibility and sharing
    • Dependability
    • Waste reduction and carbon footprint
  • Consumer drivers
    • Up to speed with latest apps
    • Pay-as-you-use
    • Accessibility and sharing
    • Dependability
slide10

Cloud Barriers

  • Data security concerns
  • Privacy compromise / practice
  • Service dependability and QoS
  • Loss of control over IT and data
  • Management difficulties around performance, support and maintenance
  • Service integration
  • Lock-in
  • Usability
  • Lack of market maturity
slide12

Future Risk - maturity and vulnerability

Initially, aligning enterprise processes with cloud-focused processes will be beyond best practice

Dynamic SLAs could become a focus for automated DoS

Vulnerable external facing applications potentially cause cascade failures across integrated processes

Meta-data offers potential for aggregation and enhanced intelligence gathering

slide13

Future Risk – Scenarios

High Cost/High Payback for an attacker.

Most successful threat agent likely to be an insider managing resource distribution or a malicious service provider.

High Cost/Low Payback for an attacker.

Most successful threat agents likely to be insiders within the silo.

Low Cost/Low Payback for an attacker.

Threat agents will include external attackers utilising a mixture of technology and social engineering.

Low Cost/High Payback for an attacker.

External attackers using the distributed scale to attack multiple systems and users simultaneously, e.g. bot and application-framework-based attacks.

slide14

Future Risk - think like an attacker?

  • Denial of service
    • resource consumption, traffic redirection, inter-cloud and user to cloud communications vulnerabilities
  • Trojan Clouds
    • Imitate providers, infiltrate supply chains, sympathetic cloud
    • Inference attacks due to privileged access
  • Application Framework attacks
    • Repeatable, pervasive
  • Sticky Clouds
    • Lack of responsiveness, complex portability
  • Onion storage
    • Moving global location, fragmenting, encrypting
  • Covert channels within the cloud network across services
    • Can’t be monitored externally
slide15

Global Security Challenges

  • Risk Management Practice
    • Interoperable tools, controls, language, dependence on service providers, standardisation for mobility in market, temporal relationships
  • Attack Surface Reduction
      • Dynamic service composition could propagate vulns, systemic application based failures
  • Attack Detection
      • Distributed, collaborative for large scale events, inter and intra cloud, dynamism resulting in fluctuating traffic
  • Response and Recovery
  • Legal, Regulatory, Compliance and Audit
  • Portable identity – federated / user centric / interoperability
  • Privacy Controls
slide16

Global Security Challenges - 2

  • Pace, agile response, interoperability across clouds, mobility, secure portability, cross jurisdiction collaboration
slide17

Questions for debate

  • Should we be taking an intrusion tolerance approach?
  • Should we be considering self-healing bio-inspired cloud ecosystems?
  • How could we construct collaborative defence mechanisms which integrate at a technology and process level? Which span multiple organisations and jurisdictions?
  • What would happen if we did not construct a global response to cloud security challenges?
  • Can it all be done by industry alone? What role should government and regulation have?
  • Cloud is global – standards must be global – should / can regulation be global? If not can it work?