1. 5/22/2011
Session: Cloud Security Overview!
Speaker: Mohamed El‐Refaey
Mohamed@egyptcloudforum.com
http://twitter.com/#!/melrefaey
http://twitter.com/#!/egyptcloudforum
http://www.facebook.com/?ref=home#!/pages/Egypt‐Cloud‐Forum/111055065588154
http://eg.linkedin.com/in/mohamedelrefaey
Agenda
• Cloud Security Overview
• Operating in the cloud & Security.
• Standards, Initiatives and Certifications
• Take Aways
Cloud Security
Open Security Architecture
Actor-centric view of cloud architecture
CSA Areas of Focus
Operating in the Cloud
• Security, Business Continuity, DR
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption & Key Management
• Identity & Access Management
• Virtualization
CSA Areas of Focus
Cloud Architecture
Governance the Cloud
• Governance & Enterprise Risk Management
• Legal & Electronic Discovery
• Compliance & Audit
• Information Lifecycle Management
• Portability & Interoperability
Top Threats (As defined by CSA)
• Abuse and Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss/Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile
Cloud Threat Model Threats
• Risk 1: Resource Exhaustion
• Risk 2: Customer Isolation Failure
• Risk 3: Management Interface Compromise
• Risk 4: Interception of Data in Transmission
• Risk 5: Data leakage on Upload/Download, Intra‐cloud
• Risk 6: Insecure or Ineffective Deletion of Data
• Risk 7: Distributed Denial of Service (DDoS)
• Risk 8: Economic Denial of Service
• Risk 9: Loss or Compromise of Encryption Keys
• Risk 10: Malicious Probes or Scans
…
• Risk 25 … Check ENISA document for the rest …
Is my data safe in the cloud?
Some Take Aways
• Beware the trap of trusting the cloud vendors too much
• Centralized cloud model puts huge power and control
in the hands of cloud players.
• Wikileaks and Amazon!
• Cloud computing harks back to centralizing everything
(unlike the distributed model the Internet was engineered around)
• Cloud Computing is not a problem‐free panacea for
businesses
Thank you
Now, it is time for Q&A