Cloud Computing
Security Issues
5 Cloud Essentials
On-demand self service – Users are able to provision, monitor and manage computing resources without an administrator's help
Broad network access – Computing services are delivered over standard networks and heterogeneous devices
Rapid elasticity – IT resources are able to scale out and in quickly and on an as-needed basis
Resource pooling – IT resources are shared across multiple applications and tenants in a non-dedicated manner
Measured service – IT resource utilization is tracked for each application and tenant
3 Service Models
Software as a Service (SaaS) – Applications delivered as a service to end-users typically through a Web
Platform as a Service (PaaS) – An application development and deployment platform delivered as a service to developers who use the platform to build, deploy and manage SaaS applications
Infrastructure as a Service (IaaS) – Compute servers, storage, networking hardware delivered as a service
4 Deployment Process
Private Clouds – Used exclusively by a single organization and typically controlled, managed and hosted in a private DC
Public Clouds – Used by multiple organizations (tenants) on a shared basis, hosted and managed by a 3rd-party service provider
Community Clouds – Used by a group of related organizations who wish to make use of common cloud
Hybrid Clouds – A single organization adopts both private and public clouds for an application to maximize advantage
Public / Private Benefit
High efficiency – Based on grid computing and virtualization, offers high efficiency and high utilization due to the sharing of pooled resources, enabling better workload balancing across multiple applications
High availability – Architecture that minimizes or eliminates planned and unplanned downtime, improving user service levels and BCP
Elastic scalability – Provides elastic scalability, adding/removing computing capacity on demand (a significant advantage for apps with highly variable workload or unpredictable growth, or for temporary apps)
Fast deployment – Provides self-service access to a shared pool of computing resources; software and hardware components are standard, re-usable and shared, so application deployment is greatly accelerated
Public Benefit
Low upfront costs – Faster and cheaper to get started, provides a low barrier to entry, no need to procure, install and configure hardware
Economies of scale – No equipment purchase, maintenance free/management efficiencies
Simpler to manage – Does not require IT to manage, administer, update, patch, etc.
Operating expense – No operating expense budget, often times by the users’ line of business, not the IT department. Capital expense can be avoided
Private Benefit
Greater control of security, compliance and quality of service – Enables IT to maintain control of security (data loss, privacy), compliance (data handling policies, data retention, audit, regulations governing data location) and QoS (optimize networks in ways that public clouds do not allow)
Easier integration – Apps in private clouds are easier to integrate with other in-house applications, such as identity management systems
Lower total costs – May be cheaper over the long term (owning vs renting). According to several analyses, the breakeven period is 2-3 yrs
Capital expense and operating expense – Private clouds are funded by a combination of capital (with depreciation) and operating expense
Optimizing Benefit
Unlimited infrastructure and capacity
Minimized CAPEX and OPEX
Location and Device independence
Utilization and efficiency improvement
Very high Scalability, High Computing power
On Demand Pay per Usage
Overall Benefit
Faster, simpler, cheaper to use cloud apps
No upfront capital required for servers and storage
No ongoing operational expenses for running DC
Applications can be accessed anywhere, anytime
BUT, is it secure?
Pro’s and Con’s
PRO’S
Reduced overall cost, no ownership
Resource sharing is more efficient
Management move to cloud provider
Faster time to roll out new services
Dynamic resources availability
CON’S
Compliance/regulatory, low mandate on site, data ownership issues, cross law jurisdiction
Security and privacy
Latency and bandwidth guarantees, availability and reliability
Absence of robust SLA’s (depending on many uncertain factors/controlled by another 3rd party providers)
Uncertainty around interoperability, portability and lock in
Can’t switch from existing legacy apps, no equivalent cloud apps exist
Major Concern
Both data and source code are in provider premises
Security concern on Open System Architecture
Dangers: disruption, data/privacy theft, data damage
Vulnerabilities: malware, hostile user, bad guys
Confidentiality, Integrity, Availability, Non-Repudiation
Level of Access: Physical, Server, Net, Data, Program
Disaster Recovery Management, Law & Jurisdiction
Streamline Analysis
Identify Assets
Which assets are we trying to protect?
What properties of these assets must be maintained?
Identify Threats
What attacks can be mounted?
What other threats are there (natural disasters, etc.)?
Identify Countermeasures
How can we counter those attacks?
Appropriate for Organization-Independent Analysis
We have no organizational context or policies
Auth and Encrypt
User credential security and access authentication
Data in transit/storage encryption and secure VPN
Virtualization Security
Instance isolation within VMM and root secure
VMM Vulnerability and Risk Prevention / Inspection
Ensure security standard compliance and audit
Avoid single point of failure and protection
Incident Mitigation Management and Investigation
Forensic and system/data recovery technology
Others Legal Issues
Due diligence, auditability, contractual obligation
No security procedure standards yet (i.e. ISO 27005), including for data/storage disposal procedures to prevent leakage or trash collection by an attacker
Cloud espionage, data lock-in, and transitive nature: the cloud provider might have another subcontractor that provides other technology and services not 100% controllable by the users
Bottom Line
Engage in full risk management process for each case
For small and medium organizations
Cloud security may be a big improvement!
Cost savings may be large (economies of scale)
For large organizations
Already have large, secure data centers
Main sweet spots: Elastic services, Internet-facing services
Employ countermeasures
Security Skills and Standard (still) Needed
Information Security Risk Management Process
IT industry: ISO 27005, NIST SP 800-30, etc.
Requires thorough knowledge of threats and controls
Bread and butter of InfoSec – Learn it!
Time-consuming but not difficult
Streamlined Security Analysis Process
Many variations (RFC 3552, etc.)
Requires thorough knowledge of threats and controls
Useful for organization-independent analysis
Practice this on any RFC or other standard
Become able to do it in 10 minutes
Thank You
Ravindo Tower 17th Floor
Kebon Sirih Raya, Kav. 75 Central Jakarta, 10340
Phone +62 21 3192 5551 ; Fax +62 21 3193 5556
www.idsirtii.or.id