45
Cloud Assurance Information Assurance in the Cloud by William McBorrough MSIA, CISSP, CISA, CEH Security Principal, Secure Intervention

Cloud Computing - Security Benefits and Risks

Embed Size (px)

DESCRIPTION

Presentation exploring security benefits and risks of Cloud Computing.

Citation preview

Page 1: Cloud Computing - Security Benefits and Risks

Cloud Assurance

Information Assurance in the Cloudby William McBorrough MSIA, CISSP, CISA, CEH

Security Principal, Secure Intervention

Page 2: Cloud Computing - Security Benefits and Risks

Agenda

Understand Cloud Computing– Characteristics– Service Models– Deployment Models

Benefits of Cloud Computing Risks of Cloud Computing Security Benefits of Cloud Computing

Page 3: Cloud Computing - Security Benefits and Risks

What is Cloud Computing?

“Your applications and data are always there, consumed according to business and pricing models that are based upon what you use while the magic serving it up remains transparent. This is Cloud in a nutshell; the computing equivalent to classical Greek theater’s Deus Ex Machina.” --Christopher Hoff

Page 4: Cloud Computing - Security Benefits and Risks

So….what is the ‘cloud”

It is a “new” way of delivering computing resources that is highly available, commitment-free and on-demand.

There is no one cloud. There are many models and architectures depending on the particular services provided.

Page 5: Cloud Computing - Security Benefits and Risks

Technology Still Evolving

Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.

Page 6: Cloud Computing - Security Benefits and Risks

NIST’s Working Definition

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model is composed of • 5 essential characteristics• 3 service models• 4 deployment models.

Page 7: Cloud Computing - Security Benefits and Risks

Characteristics

On-demand self-service. Broad network access. Resource pooling. Rapid elasticity. Measured Service.

Page 8: Cloud Computing - Security Benefits and Risks

On Demand Self Service

A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

Page 9: Cloud Computing - Security Benefits and Risks

Broad network access

Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Page 10: Cloud Computing - Security Benefits and Risks

Resource pooling

The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Page 11: Cloud Computing - Security Benefits and Risks

Rapid elasticity

Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Page 12: Cloud Computing - Security Benefits and Risks

Measured Service

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service

Page 13: Cloud Computing - Security Benefits and Risks

Delivery Models

Levels of abstraction– Software as a Service (SaaS)– Platform as a Service (PaaS)– Infrastructure as a Service (IaaS)

Page 14: Cloud Computing - Security Benefits and Risks

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Page 15: Cloud Computing - Security Benefits and Risks

In other words…

SaaS is software offered by a third party provider, available on demand, usually via the Internet and configurable remotely.

Examples include online word processing and spreadsheet tools, CRM services, and web content delivery services.

Eg. Google Docs, Salesforce CRM, etc

Page 16: Cloud Computing - Security Benefits and Risks

SaaS Responsibilities

CustomerCompliance with customer privacy and data protection lawsMaintenance and management of identity management systemsManagement of authentication platform ( including enforcing password policy)

ProviderPhysical support of infrastructurePhysical infrastructure security and availabilityOS patch management and hardening proceduresSecurity platform configuration, maintenance and monitoring

Page 17: Cloud Computing - Security Benefits and Risks

Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Page 18: Cloud Computing - Security Benefits and Risks

In other words…

PaaS allows customers to develop new applications use APIs deployed and configured remotely. The platforms offered include development tools, configuration management, and deployment platforms.

Examples include Microsoft Azure, Force and Google App Engine

Page 19: Cloud Computing - Security Benefits and Risks

PaaS Responsibilities

CustomerCompliance with customer privacy and data protection lawsMaintenance and management of identity management systemsManagement of authentication platform ( including enforcing password policy)

ProviderPhysical support of infrastructurePhysical infrastructure security and availabilityOS patch management and hardening proceduresSecurity platform configuration, maintenance and monitoring

Page 20: Cloud Computing - Security Benefits and Risks

Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Page 21: Cloud Computing - Security Benefits and Risks

In other words…

IaaS provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service.

Examples include Amazon EC2 and S3, Terremark Enterprise Cloud and Rackspace Cloud.

Page 22: Cloud Computing - Security Benefits and Risks

IaaS Responsibilities

CustomerCompliance with customer privacy and data protection lawsMaintenance and management of identity management systemsManagement of authentication platform ( including enforcing password policy)

ProviderPhysical support of infrastructurePhysical infrastructure security and availabilityHost systems (eg. hypervisor)

Page 23: Cloud Computing - Security Benefits and Risks

IaaS Responsibilities – cont’d

CustomerOS patch management and hardening proceduresSecurity platform configuration, maintenance and monitoring Guest systems monitoring

Page 24: Cloud Computing - Security Benefits and Risks

Deployment Models

Public Private Hybrid Community

Page 25: Cloud Computing - Security Benefits and Risks

Public

The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Page 26: Cloud Computing - Security Benefits and Risks

Private

The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Page 27: Cloud Computing - Security Benefits and Risks

Community

The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Page 28: Cloud Computing - Security Benefits and Risks

Hybrid

The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Page 29: Cloud Computing - Security Benefits and Risks

That’s great…

… so what does it do for me?

Page 30: Cloud Computing - Security Benefits and Risks

Advantages

Reduced Cost Highly Automated Flexibility More Mobility Availability Data Storage Services DDoS Protection Allows IT to Shift Focus Lower computer costs Improved performance Reduced software costs

Instant software updates Improved document

format compatibility Unlimited storage capacity Increased data reliability Universal document

access Latest version availability Easier group collaboration Device independence

Page 31: Cloud Computing - Security Benefits and Risks

So what’s the downside?

Security– Always the stick in the mud

Page 32: Cloud Computing - Security Benefits and Risks

Just to be clear….

“If your security sucks [before the cloud], you will be pleasantly surprised by the lack of change when you move to cloud.”

--Christopher Hoff

Page 33: Cloud Computing - Security Benefits and Risks

Understanding Risk

Risk should always be understood in relation to overall business opportunity and appetite for risk—sometimes risk is compensated by opportunity

Therefore, the risk of using cloud computing should be compared with staying with traditional solutions

Page 34: Cloud Computing - Security Benefits and Risks

ENISA’s Top Cloud Risk

Loss of Governance Vendor Lock-in Isolation Failure Compliance Risks Management Interface Compromise Data Protection Insecure or Incomplete Data Deletion Malicious Insider

Page 35: Cloud Computing - Security Benefits and Risks

Risk Categories

Policy and Organizational Risks Technical Risks Legal Risks General Risks (not specific to cloud)

Page 36: Cloud Computing - Security Benefits and Risks

Vendor lock-in Loss of governance Compliance challenges Loss of business reputation due to co-tenant

activities Cloud services termination or failure Cloud provider acquisition Supply chain failure

Policy and Organizational Risks

Page 37: Cloud Computing - Security Benefits and Risks

Resource exhaustion(under or over provisioning) Isolation failure Cloud provider malicious insider (abuse of high

privilege roles) Management interface compromise

(manipulation, availability of infrastructure) Intercepting data in transit Data leakage on up/download, Intracloud

Technical Risks

Page 38: Cloud Computing - Security Benefits and Risks

Insecure or ineffective deletion of data Distributed denial of service (DDOS) Economic denial of service (EDOS) Loss of encryption keys Malicious probes and scans Compromise service engines Conflict between customer hardening

procedures and cloud environment

Technical Risks – cont’d

Page 39: Cloud Computing - Security Benefits and Risks

Subpoena and e-discovery Risk of challenges of jurisdiction Data protection risks Licensing risks

Legal Risks

Page 40: Cloud Computing - Security Benefits and Risks

Network outage Network management (congestion, non-optimal

use, etc) Modifying network traffic Privilege escalation Social engineering Loss or compromise of operational logs Loss or compromise of security logs

General Risks ( not cloud specific)

Page 41: Cloud Computing - Security Benefits and Risks

Backups lost or stolen Unauthorized access to premise (including

physical access to machines or other facilities)

Theft of computer equipment Natural disasters

General Risks – cont’d

Page 42: Cloud Computing - Security Benefits and Risks

Fair and Balanced?

Any examination of the security risks of cloud computing must be balanced with a review of its specific security benefits

Cloud computing has significant potential to improve security and resilience

Page 43: Cloud Computing - Security Benefits and Risks

Security Benefits of Cloud

Security measures are cheaper when implemented on a large scale

Better security provides a competitive advantage to providers

Increased standardization and collaboration Improved evidence gathering and forensic

investigations Improved resource scaling

Page 44: Cloud Computing - Security Benefits and Risks

References

National Institute of Standards and Technology (NIST)

European Network and Information Security Agency (EINSA)

Cloud Security Alliance (CSA)

Page 45: Cloud Computing - Security Benefits and Risks

Questions?