Uploaded by: syrinxtech
This is a presentation I recently gave at the VCU Cybersecurity Fair on Cloud Computing Security.
Security in the Cloud
Presented by: Bryan Miller
VCU Cybersecurity Fair
Agenda
10/4/2011
- Speaker Introduction
- What is the “Cloud”?
- SaaS, PaaS, IaaS
- Public, Private and Hybrid Clouds
- Vendor Offerings
- Security Issues
- Wrap-Up
Speaker Introduction
- B.S. Information Systems – VCU
- M.S. Computer Science – VCU
- President, Syrinx Technologies, 2007
- Member of ISSA, HIMSS, InfraGard, ILTA
- Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer
- CISSP, former Cisco CCIE in R/S
- Published author
- Over 25 years in the industry
What is the “Cloud”?
- Convenient, on-demand network access to a shared pool of configurable resources:
  - Networks
  - Servers
  - Storage
  - Applications
  - Services
- Rapidly provisioned and released, with minimal management effort or service provider interaction (based on NIST)
The NIST Standard for Cloud Computing
NIST SP 800-145 definition:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
First, Some Statistics
- IDC, 2008: Security was the factor most likely to discourage the use of cloud computing
  - 72% of small (<100 employees) businesses
  - 63% of mid-sized (100-199 employees) businesses
- IDC, 2011:
  - 50% of small businesses
  - 47% of mid-sized businesses
- By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion.
- By 2012, approximately 20% of businesses will not own any IT resources.
Software as a Service (SaaS)
- Examples: Salesforce.com, Office 365
- Applications delivered over the web
- Vendor handles software updates and patches
- Application Programming Interfaces (APIs) for integration among software
Platform as a Service (PaaS)
- Examples: Google App Engine, Microsoft Azure, Force.com
- Architectural tools to build systems
- Platform managed and monitored
- Web-based user interface tools
Infrastructure as a Service (IaaS)
- Examples: Amazon Web Services (AWS), OpenStack, Dell
- Outsource storage, hardware, servers
- Typically charged on a per-use basis
- Hardware can be multi-tenant or dedicated
Public vs. Private vs. Hybrid Cloud Models
- Public
  - Shared resources, usually multi-tenant
  - Off-premise
- Private
  - Resources dedicated to client
  - On-premise or off-premise
- Hybrid
  - Combination of on-premise and cloud-based services
  - Growing in popularity as companies slowly transition applications
Vendor Offerings
- Amazon Web Services EC2 (IaaS)
  - Data centers (Regions): Virginia, Northern California, Ireland, Singapore, Tokyo
  - Within each region, services are divided into Availability Zones
  - AWS GovCloud: accessible by US only, allows government agencies to store data; currently used by NASA
- Microsoft Azure (PaaS)
  - Windows Azure: OS providing scalable compute and storage facilities
  - Windows SQL Azure: cloud-based, scalable version of SQL Server
- OpenStack (IaaS)
  - Open source software
  - Over 100 partner companies, including Rackspace, Dell, Citrix, Cisco
- Dell (IaaS)
  - Built on VMware technology (vCloud family of products)
  - Adding support for Azure and OpenStack
  - 3 models: pay as you go, reserved, dedicated
- Apple iCloud (SaaS)
  - Stores music, photos, applications, calendars, documents
  - 5 GB of free storage
What about SLAs?
Take into account the following:
- Response times
- Data corruption
- Service degradation/outage
- Data breach
- Backup/Restore issues
- What happens if the company closes or is sold
- Regulatory issues
  - HIPAA: do you have a BA agreement in place?
  - PCI: are you sure your provider is compliant?
Security Issues
- Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network.
- The attack reportedly compromised the personal accounts of more than 100 million Sony customers.
- Prices for EC2 range from 3 cents to $2.48 an hour for users on the East coast of the U.S. Dual GPU setups are currently priced at $2.10/hr.
- Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business.
Cloudpocalypse
- Definition: the point at which cloud computing causes a catastrophic failure.
- Intellectual property is the lifeblood of an organization. IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed.
- How can things go wrong?
  - A salesperson mails himself a report to Gmail for home access.
  - A customer service team uses Dropbox [1] to transfer client files.
  - A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud.
[1] June 2011: passwords optional for 4 hours; approximately 100 accounts were affected.
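The first of the sprawl cases above, a report mailed to personal webmail, leaves a trace in the outbound mail-gateway log, which is where a defender would start looking. The script below is an added example and not part of the presentation: it scans constructed log lines in a hypothetical "from=/to=/attachment=/size=" format, flags attachments sent from the corporate domain to consumer webmail providers, and separately marks the "mailed it to myself" pattern. The log format, the corporate domain, the webmail list and every address are assumptions made for the example.

```python
"""Flag data-sprawl indicators in outbound mail-gateway log lines.

Added example, not from the presentation. The log format is a constructed,
hypothetical one: "<timestamp> from=<addr> to=<addr> attachment=<name> size=<bytes>".
"""
import re
from dataclasses import dataclass

# Constructed sample log lines standing in for a day of gateway traffic (not real data).
SAMPLE_LOG = """\
2011-10-03T09:12:01 from=jsmith@example.com to=jsmith.home@gmail.com attachment=q3_pipeline_report.xlsx size=482331
2011-10-03T09:14:22 from=jsmith@example.com to=cfo@example.com attachment=q3_pipeline_report.xlsx size=482331
2011-10-03T10:02:45 from=support@example.com to=client@customer.example.org attachment=invoice.pdf size=20411
2011-10-03T11:40:09 from=pm@example.com to=bjones@yahoo.com attachment=none size=0
2011-10-03T12:15:30 from=pm@example.com to=bjones@yahoo.com attachment=vm_export_credentials.txt size=1204
"""

# Assumptions for the example: the organisation's own mail domain and the
# consumer webmail domains considered "personal".
CORPORATE_DOMAIN = "example.com"
CONSUMER_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attachment=(?P<att>\S+) size=(?P<size>\d+)$"
)


@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    attachment: str
    reason: str


def _local_and_domain(addr):
    """Split 'user@host' into lower-cased (user, host)."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def find_sprawl(log_text):
    """Return a Finding for each attachment that left the corporate domain for consumer webmail."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here; a production job would count and report these
        sender_local, sender_dom = _local_and_domain(m["from"])
        rcpt_local, rcpt_dom = _local_and_domain(m["to"])
        if sender_dom != CORPORATE_DOMAIN or rcpt_dom not in CONSUMER_WEBMAIL:
            continue  # internal mail, or mail to a business partner, is out of scope
        if m["att"] == "none":
            continue  # plain correspondence with webmail is not the data-sprawl concern
        reason = "attachment to consumer webmail"
        # A shared local-part prefix on both sides (jsmith -> jsmith.home) is the
        # "mail it to myself for home access" pattern from the slide.
        if rcpt_local.startswith(sender_local) or sender_local.startswith(rcpt_local):
            reason = "attachment self-forwarded to personal webmail"
        findings.append(Finding(m["ts"], m["from"], m["to"], m["att"], reason))
    return findings


if __name__ == "__main__":
    for f in find_sprawl(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.recipient} [{f.attachment}]: {f.reason}")
```

Run against the embedded sample, two of the five lines are flagged: the self-forwarded pipeline report and the credentials file sent to a third party's webmail account. The internal copy to the CFO and the invoice to a customer domain are left alone, which is the point of matching on destination domain rather than on attachment name.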
When the Cloud Dissipates
Amazon EC2 Outages
- July, 2008
  - Affected multiple Availability Zones
  - Affected US and EU
- April, 2011
  - Affected Reddit, Foursquare, Quora
  - Elastic Block Store went offline (provides mountable disk volumes to EC2)
  - 3 days of outage for some users
  - Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks
- August, 2011
  - Why? Lightning strike in Dublin, Ireland
  - Knocked European cloud services offline for 2 days
  - Affected Netflix, Quora, Foursquare
Gmail Outages
- 2008
  - July 16: “long outage”
  - August 6: up to 15 hours
  - August 11: 2 hours
  - August 15: up to 24 hours
  - October 16: 30 hours
- 2009
  - February 24: 2 hours
  - September 1: 2 hours
- 2011
  - February 27: several hours
  - August 8: several hours
Wrap-Up
- Decide if the cloud is appropriate for the given business model
- Choose the vendor and precisely define the SLA
- Test thoroughly before moving into production
- Migrate slowly and carefully watch the metrics
- Make sure the users/clients are happy
- Routinely test the backup and restore process
- Don’t forget about DR and BCP
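“Routinely test the backup and restore process” is the wrap-up item most often skipped, because a backup job that runs without errors is easily mistaken for one that works. The script below is an added example, not the presenter's material: it performs the full round trip (digest the source tree, archive it, restore into an empty directory, digest again, compare) and includes a constructed faulty restore that silently drops a file, to show that the check reports the loss. The tar+gzip container, the sample files and the faulty-restore function are all assumptions made for the example.

```python
"""Round-trip test of a backup: archive, restore to a clean location, compare digests.

Added example, not from the presentation. Sample files are constructed in a
temporary directory; tar+gzip is assumed as the backup container.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file under root (as a '/'-separated relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def tar_backup(src, archive_path):
    """Archive every entry directly under src into a gzip-compressed tar."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(Path(src).iterdir()):
            tar.add(child, arcname=child.name)


def tar_restore(archive_path, dest):
    """Extract the archive into dest, rejecting members that would escape it where supported."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+ and the security backports
        except TypeError:
            tar.extractall(dest)  # older interpreters: no filter keyword available


def lossy_restore(archive_path, dest):
    """Hypothetical faulty restore that silently drops one file (constructed failure mode)."""
    tar_restore(archive_path, dest)
    (Path(dest) / "reports" / "q3.csv").unlink()


def verify_backup(src, restore_fn=tar_restore):
    """Back up src, restore it into an empty directory and return (ok, problems)."""
    expected = sha256_tree(src)
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "backup.tar.gz")
        dest = os.path.join(work, "restore")
        os.mkdir(dest)
        tar_backup(src, archive)
        restore_fn(archive, dest)
        actual = sha256_tree(dest)
    problems = []
    for path in sorted(set(expected) | set(actual)):
        if path not in actual:
            problems.append(f"missing after restore: {path}")
        elif path not in expected:
            problems.append(f"unexpected after restore: {path}")
        elif expected[path] != actual[path]:
            problems.append(f"content differs: {path}")
    return (not problems, problems)


def make_sample_data(root):
    """Write a few constructed files standing in for the data to be protected."""
    root = Path(root)
    (root / "reports").mkdir(parents=True, exist_ok=True)
    (root / "reports" / "q3.csv").write_text("region,revenue\nEast,1200\nWest,980\n")
    (root / "notes.txt").write_text("Migration checklist: test backup and restore routinely.\n")
    (root / "config.ini").write_bytes(b"[db]\nhost=db.internal.example\n")


def run_demo():
    """Exercise a correct restore and the lossy one; return both verdicts keyed by name."""
    with tempfile.TemporaryDirectory() as data:
        make_sample_data(data)
        return {"clean": verify_backup(data), "lossy": verify_backup(data, lossy_restore)}


if __name__ == "__main__":
    for name, (ok, problems) in run_demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}", *problems, sep="\n  ")
```

Comparing digests rather than file counts or sizes is what turns “the restore finished” into “the restored data is the data we backed up”; the same routine, pointed at a provider's restore rather than a local tar, is the periodic test the slide calls for.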