Cloud computing - Risks and Mitigation - GTS

Cloud Computing
Enterprise Risks and Mitigation

Anchises M. G. de Paula
iDefense Intelligence Analyst
Nov. 2009
GTS - 14

Agenda

source: sxc.hu
Overview of cloud computing

Cloud computing risks and
generic mitigation strategies

Cloud Computing for Malicious
Intent

Questions and answers

GTS - 14 2

22
Copyright iDefense 2009

Overview of cloud
computing

3
GTS - 14 3


Overview

The term “cloud computing” is poorly defined

GTS - 14 4

44

Overview


“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal
management effort or service provider interaction.”
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

GTS - 14 5

55

Overview


“Essential Cloud Characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Location independence
• Rapid elasticity
• Measured service”

GTS - 14 6

66

Overview


GTS - 14 7

77

Overview


Multiple vendors, multiple definitions

Utility pricing model

Cloud-based Service Provider (CSP) handle burden of resources

GTS - 14 8

88

Overview

Three basic categories for cloud computing technologies:
– Infrastructure as a Service (IaaS)

Resource Abstraction
– Platform as a Service (PaaS)

– Software as a Service (SaaS)

GTS - 14 9

99

Variations on a Theme

Public Cloud

10
GTS - 14 10

10


Public Cloud
Private Cloud

11
GTS - 14 11

11


Public Cloud
Private Cloud
Hybrid Cloud

12
GTS - 14 12

12

Cloud computing risks and
generic mitigation
strategies

13
GTS - 14 13


Areas of Risk

▪ Privileged User Access
▪ Data Segregation
▪ Regulatory Compliance
▪ Physical Location of Data
▪ Availability
▪ Recovery
▪ Investigative Support
▪ Viability and Longevity

14
GTS - 14 14

14

Mitigation Strategies

Understand the risks

Evaluate any potential
cloud-based solution and CSP

Unique solution, generic risks

source: sxc.hu

15
GTS - 14 15

15

Risks

Privileged User Access:
• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party

16
GTS - 14 16

16

Mitigation

Privileged User Access:
• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party

Privilege Access Control Mitigation:
– Support to HR and data policies
– Outsourcing involved?
– Evaluate the access controls

17
GTS - 14 17

17

Risks

Data Segregation:
• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption

18
GTS - 14 18

18

Risks

Data Segregation:
or corruption

19
GTS - 14 19

19

Risks

Data Segregation:
or corruption

20
GTS - 14 20

20

Mitigation

Data Segregation:
or corruption

Data Segregation Mitigation:
– What’s the risk of data segregation failure?
– Encryption of data: shifting of risks
– Understand the “how, where, when”
of consumer data storage

21
GTS - 14 21

21

Risks

Regulatory Compliance:
– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks

22
GTS - 14 22

22

Mitigation

Regulatory Compliance:
– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks

Regulatory Control Mitigation: FISMA
– Know your regulatory obligation HIPAA
– Know your CSP’s regulatory obligations SOX
PCI
– Understand your liabilities
SAS 70
– Location may change regulatory obligations Audits

23
GTS - 14 23

23

Risks

Physical Location of Data:
– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher
degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure

24
GTS - 14 24

24

Risks

degree of risk

10/9/09
SA pigeon 'faster than
broadband'
BBC News
Cyber A Durban IT company pitted an 11-month-
old bird armed with a 4GB memory stick against
the ADSL service from the country's biggest web
firm, Telkom.
Winston the pigeon took two hours to carry the
data 60 miles - in the same time the ADSL had
sent 4% of the data. computers.

25
GTS - 14 25

25

Mitigation

degree of risk

Physical Location of Data Mitigation:
– Identify your data’s location
– Avoid CSPs that cannot guarantee the location
– Avoid CSPs that use data centers in hostile countries
– Use CSPs that reside in consumer’s country

26
GTS - 14 26

26

Risks

Availability:
– Constant connectivity required
– Any failure terminating connectivity
is a risk
– Data loss and downtime risks

27
GTS - 14 27

27

Risks

Availability:
– Constant connectivity required
– Any failure terminating connectivity
is a risk
– Data loss and downtime risks

28
GTS - 14 28

28

Mitigation

Service Availability Mitigation:
– Availability is the greatest risk !
– Understand the CSP’s infrastructure:
avoid single points of failure
– Private clouds may reduce the
availability risk, but introduce additional
cost and overhead
– Establish service-level agreements
(SLAs) with their CSPs
– Balance the risk introduced by using
multiple data centers with the risk of a
single site failure
– Assume at least one outage, what’s the
impact to you?

29
GTS - 14 29

29

Risks

Recovery:
– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime

30
GTS - 14 30

30

Mitigation

Recovery:
– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime

Recovery Mitigation:
– Understand backed up systems
(Encrypted? Multiple sites?)
– Identify the time required to completely
recover data
– Practice a full recovery to test the
CSP’s response time

31
GTS - 14 31

31

Risks

Investigative Support:
– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances

32
GTS - 14 32

32

Mitigation

Investigative Support:
– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances

Investigative Support Mitigation:
– Establish policies and procedures with the CSP
– Avoid CSPs unwilling to participate in incident

33
GTS - 14 33

33

Risks

Viability and Longevity:
– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk

34
GTS - 14 34

34

Mitigation

Viability and Longevity:
– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk

Viability and Longevity Mitigation:
– Understand the way a CSP can “going dark”
– Have a secondary CSP in mind
– Review the history and financial stability of
any CSP prior to engaging

35
GTS - 14 35

35

Cloud Computing for
Malicious Intent

36
GTS - 14 36


Malicious use

source: sxc.hu
Bad guys are already using such technology ;)
– Botnets
– Hacking as a Service, SPAM

37
GTS - 14 37

37

Malicious use

source: sxc.hu
Bad guys are already using such technology
– Botnets
– Hacking as a Service, SPAM 11/9/09
Bot herders hide master
control channel in Google
cloud
by Dan Goodin, The Register
Cyber criminals' love affair with cloud computing
Malicious use of Cloud Services just got steamier with the discovery that Google's
AppEngine was tapped to act as the master
control channel that feeds commands to large
– C&C Server on the cloud networks of infected computers.

– Storage of malicious data
– Cracking passwords

38
GTS - 14 38

38

Conclusion

39
GTS - 14 39


Conclusions

Understanding the risk of cloud-based solutions
Understand the level of sensitivity of your data
Perform due diligence when evaluating a CSP
Identify the location of your data
Get assurance that your data will remain where
it is placed.

Cloud computing is a new technology still experiencing growing pains.
Enterprises must be aware of this and anticipate the risks the
technology introduces.

40
GTS - 14 40

40

Additional Reading

Cloud Security Alliance (CSA): “Security Guidance for
Critical Areas of Focus in Cloud Computing”
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf

NIST Cloud Computing Project
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

ENISA report on “Cloud Computing: Benefits, risks
and recommendations for information security”
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-
assessment

iDefense Topical Research Paper: “Cloud Computing”

41
GTS - 14 41

41

Q&A

GTS - 14 42


Thank You

Anchises M. G. de Paula
iDefense Intelligence Analyst

43

Cloud computing - Risks and Mitigation - GTS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Cloud computing - Risks and Mitigation - GTS

Similar to Cloud computing - Risks and Mitigation - GTS (20)

More from Anchises Moraes

More from Anchises Moraes (20)

Recently uploaded

Recently uploaded (20)

Cloud computing - Risks and Mitigation - GTS