Cloud Computing - Security Issues

Published May 2016

Cloud Computing
Security Issues

5 Cloud Essentials
On-demand self-service – Users are able to provision, monitor and manage computing resources without an administrator's help
Broad network access – Computing services are delivered over standard networks to heterogeneous devices
Rapid elasticity – IT resources are able to scale out and in quickly, on an as-needed basis
Resource pooling – IT resources are shared across multiple applications and tenants in a non-dedicated manner
Measured service – IT resource utilization is tracked for each application and tenant

3 Service Models
Software as a Service (SaaS) – Applications delivered as a service to end-users, typically through a Web
Platform as a Service (PaaS) – An application development and deployment platform delivered as a service to developers, who use the platform to build, deploy and manage SaaS applications
Infrastructure as a Service (IaaS) – Compute servers, storage and networking hardware delivered as a service

4 Deployment Models
Private Clouds – Exclusively used by a single organization and typically controlled, managed and hosted in a private DC
Public Clouds – Used by multiple organizations (tenants) on a shared basis; hosted and managed by a 3rd-party service provider
Community Clouds – Used by a group of related organizations who wish to make use of a common cloud
Hybrid Clouds – A single organization adopts both private and public clouds for an application to maximize advantage

Public / Private Benefit
High efficiency – Based on grid computing and virtualization; offers high efficiency and high utilization through the sharing of pooled resources, enabling better workload balancing across multiple applications
High availability – Architecture that minimizes or eliminates planned and unplanned downtime, improving user service levels and BCP
Elastic scalability – Add or remove computing capacity on demand (a significant advantage for apps with highly variable workloads or unpredictable growth, or for temporary apps)
Fast deployment – Self-service access to a shared pool of computing resources; software and hardware components are standard, re-usable and shared, so application deployment is greatly accelerated

Public Benefit
Low upfront costs – Faster and cheaper to get started; low barrier to entry; no need to procure, install and configure hardware
Economies of scale – No equipment purchase; maintenance-free; management efficiencies
Simpler to manage – Does not require IT to manage, administer, update, patch, etc.
Operating expense – No operating expense budget needed from IT; often paid by the users' line of business, not the IT department. Capital expense can be avoided

Private Benefit
Greater control of security, compliance and quality of service – Enables IT to maintain control of security (data loss, privacy), compliance (data handling policies, data retention, audit, regulations governing data location) and QoS (optimize networks in ways that public clouds do not allow)
Easier integration – Apps in private clouds are easier to integrate with other in-house applications, such as identity management systems
Lower total costs – May be cheaper over the long term (owning vs renting). According to several analyses, the breakeven period is 2-3 yrs
Capital expense and operating expense – Private clouds are funded by a combination of capital (with depreciation) and operating expense

Optimizing Benefit
Unlimited infrastructure and capacity
Minimized CAPEX and OPEX
Location and device independence
Utilization and efficiency improvement
Very high scalability, high computing power
On demand, pay per usage

Overall Benefit
Faster, simpler, cheaper to use cloud apps
No upfront capital required for servers and storage
No ongoing operational expenses for running a DC

Applications can be accessed anywhere, anytime
BUT, is it secure?

Pro’s and Con’s
PRO’S
Reduced overall cost, no ownership
Resource sharing is more efficient
Management moves to the cloud provider
Faster time to roll out new services
Dynamic resource availability

CON’S
Compliance/regulatory, low mandate on site, data ownership issues, cross-jurisdiction law
Security and privacy
Latency and bandwidth guarantees, availability and reliability
Absence of robust SLAs (depending on many uncertain factors / controlled by other 3rd-party providers)
Uncertainty around interoperability, portability and lock-in
Can’t switch from existing legacy apps; no equivalent cloud apps exist

Major Concern
Both data and source code are on the provider's premises
Security concerns of an open system architecture
Dangers: disruption, data/privacy theft, data damage
Vulnerabilities: malware, hostile users, bad guys
Confidentiality, Integrity, Availability, Non-repudiation
Level of access: Physical, Server, Net, Data, Program
Disaster Recovery Management, Law & Jurisdiction

Streamline Analysis
Identify Assets
Which assets are we trying to protect? What properties of these assets must be maintained?

Identify Threats
What attacks can be mounted? What other threats are there (natural disasters, etc.)?

Identify Countermeasures
How can we counter those attacks?

Appropriate for Organization-Independent Analysis
We have no organizational context or policies

Auth and Encrypt
User credential security and access authentication
Data in transit/storage encryption and secure VPN

Virtualization Security
Instance isolation within the VMM and a secured root
VMM vulnerability and risk prevention / inspection
Ensure security standard compliance and audit
Avoid single points of failure; protection
Incident mitigation management and investigation
Forensics and system/data recovery technology

Other Legal Issues
Due diligence, auditability, contractual obligations
No security procedure standards yet (i.e. ISO 27005), including data/storage disposal procedures to prevent leakage or trash collection by an attacker
Cloud espionage, data lock-in, transitive nature: the cloud provider might have another subcontractor that provides other technology and services not 100% controllable by the users

Bottom Line
Engage in a full risk management process for each case

For small and medium organizations
Cloud security may be a big improvement! Cost savings may be large (economies of scale)

For large organizations
Already have large, secure data centers. Main sweet spots: elastic services, Internet-facing services

Employ countermeasures

Security Skills and Standard (still) Needed
Information Security Risk Management Process
IT industry: ISO 27005, NIST SP 800-30, etc.
Requires thorough knowledge of threats and controls
Bread and butter of InfoSec – Learn it! Time-consuming but not difficult

Streamlined Security Analysis Process
Many variations (RFC 3552, etc.)
Requires thorough knowledge of threats and controls
Useful for organization-independent analysis
Practice this on any RFC or other standard; become able to do it in 10 minutes

Thank You
Ravindo Tower 17th Floor
Kebon Sirih Raya, Kav. 75 Central Jakarta, 10340

Phone +62 21 3192 5551 ; Fax +62 21 3193 5556
[email protected] ; www.idsirtii.or.id
