Vic Winkler's 2011 FOSE presentation in Washington DC. The talk was based on the book: "Securing the Cloud" (Elsevier 2011).
Highlights:
--Top 10 Cloud Security Concerns;
--Is organizational control good for cloud security?;
--Architectural examples for cloud security
Transcript:
Cloud Security ("securing the cloud")
1. NGI-4: Cloud
The Technical Foundations of Security and Interoperability
Overview
Vic Winkler
July 2011
Washington, DC
Booz | Allen | Hamilton
2. The Technical Foundations of Security and Interoperability
This presentation is based on my book:
“Securing the Cloud: Cloud Computer Security Techniques and Tactics”
Vic Winkler (Elsevier/Syngress May 2011)
Graphics are copyrighted by Elsevier/Syngress 2011
My experiences in designing, implementing and operating the security for:
“SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+)
…And research into best practices in cloud security (2008-2011)
Previously, I:
Was a pioneer in network and systems based intrusion detection
Designed a B1 trusted Unix system
3. A Brief, Distorted View of History
Overview
Continuing Technology Evolution
4. More “Evolution” than “Revolution”
So, what is “cloud”?
5. A Minor Problem With Words…
Most common question: Is “cloud” secure?
6. Booz Allen: Cloud Computing “Quick Look” Assessment
The QLA approach analyzes the organization and its potential cloud candidate functions and applications across eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each.
• Business/Mission
• Technology
• Economics
• Security
• Governance & Policy
• IT Management
• Organization
• Change Management
7. Cloud: A Model for Computing, A Model for Service Delivery
• “Cloud Services” – IT model for service delivery: Expressed, delivered and consumed over the Internet or private network
– Infrastructure-as-a-Service (IaaS)
– Platform-as-a-Service (PaaS)
– Software-as-a-Service (SaaS)
• “Cloud Computing” – IT model for computing
– Environment composed of IT components necessary to develop & deliver “cloud services”
8. The Services Stack
Two Perspectives
What about security?
…“Confidentiality”, “Integrity” and “Availability”?
9. The NIST Cloud Model
10. Security Concerns?
• 10. Unknown Risks: Concern that cloud computing brings new classes of risks and vulnerabilities
• 9. Control over Data: User data may be comingled with data belonging to others.
• 8. Legal and Regulatory Compliance: It may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance
• 7. Disaster Recovery and Business Continuity: Cloud tenants and users require confidence that their operations and services will continue despite a disaster
• 6. Security Incidents: Tenants and users need to be informed and supported by a provider
• 5. Transparency: Trust in a cloud provider’s security claims entails provider transparency
• 4. Cloud Provider Viability: Since cloud providers are relatively new to the business, there are questions about provider viability and commitment
• 3. Privacy and Data concerns with public or community clouds: Data may not remain in the same system, raising multiple legal concerns
• 2. User Error: A user may inadvertently leak highly sensitive or classified information into a public cloud
• 1. Network Availability: The cloud must be available whenever you need it
37. What are the BIG Lessons?
• Provider
– Model T approach: Any color the customer wants …as long as it’s “black”
• Special requests undercut profits
– Plan ahead: Focus on eventual operations costs and on the certainty of change to the infrastructure
– Seek to automate almost everything:
• Identify procedures/processes to drive down costs
• Identify and refine patterns
– Segregate information
• Don’t mix infrastructure management information
• …with security information
• …with customer data …etc.
– Architect for completely separate paths:
• (Public) (Infrastructure control) (Network device control) (Security management)
• Entails a differentiated set of networks
• Isolate, Isolate, Isolate
• Encrypt, Encrypt, Encrypt
• Consumer
– Who is the provider?
– What are you really buying? Transparency, independent verification, indemnification?
38. Thank You
Business: Winkler_Joachim@BAH.Com
Personal: Vic@VicWinkler.Com
Phone: 703.622.7111
“Securing the Cloud: Cloud Computer Security Techniques and Tactics”
Vic Winkler (Elsevier/Syngress 2011)