Cloud Security - Made simple


Page 1: Cloud Security - Made simple

Cloud Security

Sameer Paradia

Page 2: Cloud Security - Made simple

Goals

1. Brief on Cloud Computing
2. Security Threats
3. Framework
4. Controls

http://www.flickr.com/photos/tomhaymes/321292834/

Page 3: Cloud Security - Made simple

Understand Cloud

Page 4: Cloud Security - Made simple

Essential Characteristics

• On‐Demand – Lowered requirement to forecast; demand trends are predicted by the provider

• Usage‐metered – Pay by the real‐time use

• Self‐service from pool of resources – Resources managed by the consumer with a GUI or API

• Elastic Scalability – Grow or shrink resources as required

• Ubiquitous Network – The network is essential to use the service

Page 5: Cloud Security - Made simple

Beyond basic..

Service Types

• IaaS – Compute, Network, Storage, Datacentre

• PaaS – Web 2.0 Application Runtime, Development tools, Business Middleware, Database, Java Runtime

• SaaS – Collaboration, ERP / CRM, Business Processes, Enterprise Applications

Modes of Deployment (Deployment models)

• Public cloud
• Private cloud
• Hybrid cloud
• Community cloud

Page 6: Cloud Security - Made simple

Security Threat

Page 7: Cloud Security - Made simple

Lots of noise on.... Cloud Security?

How do we simplify it...

http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/

Page 8: Cloud Security - Made simple

It is the same as current InfoSec practice.

You have to take the same approach as the current ISMS.

http://www.flickr.com/photos/pheckaboolala/3410638119

Page 9: Cloud Security - Made simple

Cloud Security

• What is it?
– Protection of your information in the cloud

• Why is it critical?
– Your information is at a central, unknown place in the cloud
– No visibility of security measures in a Public cloud

• Impact of a breach on the business?
– Lack of Compliance
– Legal issues
– Breach of privacy

http://www.flickr.com/photos/nigeljohnson73/6788941421

Page 10: Cloud Security - Made simple

Threats in XaaS Models

• SaaS
– Built‐in security functionality
– Least consumer extensibility
– Relatively high level of integrated security

• PaaS
– Enables developers to build their own applications on top of the platform
– More extensible than SaaS, at the expense of customer‐ready features
– Built‐in capabilities are less complete, but there is more flexibility to layer on additional security

• IaaS
– Few application‐like features
– Enormous extensibility
– Less integrated security capabilities and functionality beyond protecting the infrastructure itself
– Assets to be managed and secured by the cloud consumer

Page 11: Cloud Security - Made simple

Security Framework

Page 12: Cloud Security - Made simple

Security Framework

1. Identify the asset to cloudify
   a) Data
   b) Applications

2. Assess the impact on the business of transferring the assets to the cloud, in case of a breach

3. Map the asset to potential cloud deployment models

4. Evaluate the controls in each of the IaaS / PaaS / SaaS layers, depending upon the asset

5. Evaluate the dataflow, to understand the flow

Page 13: Cloud Security - Made simple

Cloud Controls

Page 14: Cloud Security - Made simple

3 Dimensions of cloud security

• IT Assets in cloud
• Risk Assessment
• Business Criticality

For achieving robust and practical security, consider all 3 perspectives.

Page 15: Cloud Security - Made simple

Types of Controls

Governance (Strategic)
• Risk Management
• Legal & Electronic Discovery
• Compliance / Audit
• Information Lifecycle Management
• Portability and Interoperability

Operational (Tactical)
• BCP / DR
• Data centre Operations
• Incident Management
• Application security
• Encryption
• Identity & Access Management
• Virtualization

Page 16: Cloud Security - Made simple

Implement Controls

• Possible controls – Layered security
– facilities (physical security)
– network infrastructure (network security)
– IT systems (system security)
– information and applications (application security)

• IaaS Cloud provider:
– addresses security controls such as physical security, environmental security, and virtualization security

• SaaS
– Addresses up to the Application layer

http://www.flickr.com/photos/telstar/2816038167
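The five-step framework (Page 12) and the layered, service-model-dependent split of controls (Pages 10 and 16) can be run as a small inventory check. The block below is an added example written for this page, not material from the deck or its author: the layer names, the provider/consumer split per service model, the 1..3 impact scale and the thresholds that map an impact score to deployment models are all assumptions chosen to illustrate the steps, and the two assets in the inventory are constructed. It scores breach impact (step 2), proposes deployment models (step 3), lists the layers the consumer must control and flags those with no control recorded (step 4), and flags dataflows that carry data from a higher-impact asset into a lower-impact one (step 5).

```python
"""Worked example of the deck's five-step cloud security framework.

Added example, not the author's own material. Layer names, the
provider/consumer split per service model and the impact thresholds are
assumptions chosen to illustrate the steps; adjust them to your own ISMS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Step 4 / "Implement Controls": the layered security stack, bottom-up.
LAYERS = ["facilities", "network", "systems", "application", "data"]

# Layers the provider secures in each service model (assumption, following
# the slides: an IaaS provider covers physical, environmental and
# virtualization security; a SaaS provider covers everything up to the
# application layer). Remaining layers are the consumer's to control.
PROVIDER_LAYERS: Dict[str, set] = {
    "IaaS": {"facilities", "network"},
    "PaaS": {"facilities", "network", "systems"},
    "SaaS": {"facilities", "network", "systems", "application"},
}


@dataclass
class Asset:
    name: str
    kind: str                      # step 1: "data" or "application"
    breach_impact: Dict[str, int]  # step 2: compliance/legal/privacy, each 1..3
    service_model: str             # "IaaS", "PaaS" or "SaaS"
    controls: Dict[str, List[str]] = field(default_factory=dict)  # layer -> controls
    flows_to: List[str] = field(default_factory=list)             # step 5: flows


def impact_score(asset: Asset) -> int:
    """Step 2: crude breach-impact score, summing the three business impacts."""
    return sum(asset.breach_impact.values())


def candidate_deployment_models(asset: Asset) -> List[str]:
    """Step 3: deployment models the asset can tolerate (thresholds assumed)."""
    score = impact_score(asset)
    if score >= 8:
        return ["Private cloud"]
    if score >= 5:
        return ["Private cloud", "Community cloud", "Hybrid cloud"]
    return ["Public cloud", "Hybrid cloud", "Community cloud", "Private cloud"]


def consumer_layers(asset: Asset) -> List[str]:
    """Layers the consumer must secure under the asset's service model."""
    return [l for l in LAYERS if l not in PROVIDER_LAYERS[asset.service_model]]


def control_gaps(asset: Asset) -> List[str]:
    """Step 4: consumer-owned layers with no control recorded against them."""
    return [l for l in consumer_layers(asset) if not asset.controls.get(l)]


def dataflow_findings(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Step 5: flag flows from an asset into one assessed at lower breach
    impact; the receiving asset inherits the sensitivity of what it handles."""
    by_name = {a.name: a for a in assets}
    findings = []
    for src in assets:
        for dest_name in src.flows_to:
            if impact_score(by_name[dest_name]) < impact_score(src):
                findings.append((src.name, dest_name))
    return findings


def assess(assets: List[Asset]) -> Dict[str, dict]:
    """Run steps 2-5 over an inventory and return a per-asset report."""
    flows = dataflow_findings(assets)
    return {
        a.name: {
            "impact": impact_score(a),
            "deployment_models": candidate_deployment_models(a),
            "consumer_layers": consumer_layers(a),
            "control_gaps": control_gaps(a),
            "risky_flows": [d for s, d in flows if s == a.name],
        }
        for a in assets
    }


def sample_inventory() -> List[Asset]:
    """Constructed sample inventory for the example (not real systems)."""
    return [
        Asset("customer-db", "data",
              {"compliance": 3, "legal": 3, "privacy": 3}, "IaaS",
              controls={"systems": ["OS hardening"], "data": ["encryption at rest"]},
              flows_to=["marketing-crm"]),
        Asset("marketing-crm", "application",
              {"compliance": 1, "legal": 1, "privacy": 2}, "SaaS",
              controls={"data": ["identity & access management"]}),
    ]


if __name__ == "__main__":
    for name, report in assess(sample_inventory()).items():
        print(name, report)
```

On the constructed inventory the IaaS-hosted customer database is left with three consumer-owned layers (systems, application, data), of which the application layer has no control recorded, while the SaaS CRM only leaves the data layer to the consumer; the flow from the database into the lower-impact CRM is reported so that the CRM's impact assessment and controls can be revisited.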

Page 17: Cloud Security - Made simple

Summary

• Consider three perspectives: Assets, Risk management and Business criticality

• Cloud as an operational model neither provides for nor prevents achieving compliance

• Selection of controls depends on the service and deployment model

• Controls vary depending on the design, deployment, and management of the resources

• Most security controls in the cloud are the same as in a normal IT environment

http://www.flickr.com/photos/isadocafe/2095153000/

Page 18: Cloud Security - Made simple

Sameer Paradia – CGEIT, CISM, CISSP ([email protected])

Practicing IT Security for 12+ years out of 20+ years of IT Services / Outsourcing work experience.

http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/