“Head in the clouds, feet on the ground - the business side of security in the cloud”

Subra Kumaraswamy
subra.k@gmail.com
Twitter - @Subrak

Dec 07, 2009

www.securityforum.org   Cloud Security and privacy   ISF 20th Annual World Congress 2009   Subra Kumaraswamy
Copyright © 2009 Information Security Forum Limited

Cloud Computing: Evolution

5 Essential Cloud Characteristics
•  On-demand self-service
•  Broad network access
•  Resource pooling
  -  Location independence
•  Rapid elasticity
•  Measured service

3 Cloud Service Models
•  Cloud Software as a Service (SaaS)
  -  Use provider’s applications over a network
•  Cloud Platform as a Service (PaaS)
  -  Deploy customer-created applications to a cloud
•  Cloud Infrastructure as a Service (IaaS)
  -  Rent processing, storage, network capacity, and other
     fundamental computing resources
•  To be considered “cloud” they must be deployed on top
  of cloud infrastructure that has the key characteristics

Cloud Pyramid of Flexibility

4 Cloud Deployment Models
•  Private cloud
  -  enterprise owned or leased
•  Community cloud
  -  shared infrastructure for specific community
•  Public cloud
  -  Sold to the public, mega-scale infrastructure
•  Hybrid cloud
  -  composition of two or more clouds

The Cloud: How are people using it?

Changing IT Relationships

What's Not a Cloud?

Focusing the Security Discussion
(Figure: XaaS Layers (Software as a Service, Platform as a Service, Infrastructure as a Service) plotted against Application Domains (Private, Hybrid, Public), with example workloads placed on the grid: SaaS, Public, CRM; IaaS, Hybrid, HPC/Analytics; IaaS, Public, Transcoding)

Components of Information Security
(Figure: layered components of information security: Encryption, Data masking, Content protection; Application-level; Host-level; Network-level)

Analyzing Cloud Security
•  Some key issues:
  -  Trust, multi-tenancy, encryption, key management,
     compliance
•  Clouds are massively complex systems that can be
   reduced to simple primitives, replicated thousands
   of times, and common functional units
•  Cloud security is a tractable problem
  -  There are both advantages and challenges

Balancing Threat Exposure and Cost Effectiveness
•  Private clouds may have less threat exposure than
  community or hosted clouds which have less threat
  exposure than public clouds.
•  Massive public clouds may be more cost effective
  than large community clouds which may be more cost
  effective than small private clouds.

General Security Advantages
•  Democratization of security capabilities
•  Shifting public data to an external cloud reduces
   the exposure of the internal sensitive data
•  Forcing functions to add security controls
•  Clouds enable automated security management
•  Redundancy / Disaster Recovery

General Security Challenges
•  Trusting vendor’s security model
•  Customer inability to respond to audit findings
•  Obtaining support for investigations
•  Indirect administrator accountability
•  Proprietary implementations can’t be examined
•  Loss of physical control

Infrastructure Security
Trust boundaries have moved
  •  Specifically, customers are unsure where those trust
     boundaries have moved to
  •  Established model of network tiers or zones no
     longer exists
     -  Domain model does not fully replicate previous
        model
  •  No viable (scalable) model for host-to-host trust
  •  Data labeling/tagging required at application-level
     -  Data separation is logical, not physical
Data Security
•  Provider’s data collection efforts and monitoring
   of such (e.g., IPS, NBA)
•  Use of encryption
  -  Point-to-multipoint data-in-transit an issue
  -  Data-at-rest possibly not encrypted
  -  Data being processed definitely not encrypted
  -  Key management is a significant issue
  -  Advocated alternative methods (e.g., obfuscation,
     redaction, truncation) are not adequate
•  Data lineage, provenance
•  Data remanence
Identity and Access Management (IAM)
Generally speaking, poor situation today:
  •  Provisioning of user access is proprietary to
    provider
  •  Strong authentication available only through
     delegation
  •  Federated identity not widely available
  •  User profiles are limited to “administrator” and
     “user”
  •  Privilege management is coarse, not granular
Privacy Considerations
Transborder data issues may be exacerbated
  •  Specifically, where are cloud computing activities
    occurring?


Data governance is weak
  •  Encryption is not pervasive
  •  Data remanence receives inadequate attention
  •  CSPs absolve themselves of privacy concerns:
    “We don’t look at your data”

Audit & Compliance Considerations
•  Effectiveness of current audit frameworks
   questionable (e.g., SAS 70 Type II)

•  CSP users need to:
  -  define their control requirements
  -  understand their CSP’s internal control
     monitoring processes
  -  analyze relevant external audit reports

•  Issue is assurance of compliance
Impact on Role of Corporate IT
•  Governance issue as internal IT becomes
   “consultants” and business analysts to business
   units
•  Delineation of responsibilities between
   providers and customers much more nebulous
   than between customers and outsourcers,
   collocation facilities, or ASPs
•  Cloud computing likely to involve much more
   direct business unit interaction with CSPs than
   with other providers previously
Getting Ready – IT Security
•  Governance framework that can be aligned with partners
•  Federation of Identity, strong authentication, privileged
  access and key management
•  Classification of data and privacy policy for data in cloud
•  Security Automation – Image standardization, user/
  network policy template
•  Understand the cloud service provider security
  architecture, SLA, policies, security feature and interfaces
•  Understand the ephemeral nature of compute and storage
  cloud and plan for archival of security logs
Conclusions
•  Part of customers’ infrastructure security
   moves beyond their control
•  Provider’s infrastructure security may
   (enterprise) or may not (SMB) be less robust
   than customers’ expectations
•  Data security becomes significantly more
   important – yet provider capabilities are
   inadequate (except for simple storage, which can
   be encrypted, and processing of non-sensitive
   (unregulated and unclassified) data)
Conclusions (continued)
•  IAM is less than adequate for enterprises – weak
  management of weak credentials unless
  (authentication) delegated back to customers

•  Because of above, expect significant business unit
  pressure to desensitize or anonymize data;
  expect this to become a chokepoint
   -  No established standards for obfuscation,
      redaction, or truncation


Conclusions (continued)
•  Relationship between business units and
 corporate IT departments vis-à-vis CSPs will shift
 greater power to business units from IT

•  Number of functions performed today by
 corporate IT departments will shift to CSPs,
 along with corresponding job positions

What’s Good about the Cloud?
•  A lot! Both for enterprises and SMBs – for
  handling of non-sensitive (unregulated and
  unclassified) data

•  Cost

•  Flexibility
•  Scalability

•  Speed
Thank you

subra.k@gmail.com
Twitter - @subrak

Disclaimer

The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by Sun Microsystems. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.

Dec 7th, 2009

Security Building Blocks of the IBM Cloud Computing Reference Architecture
 
Appistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedExAppistry Cloud Computing for Government Featuring FedEx
Appistry Cloud Computing for Government Featuring FedEx
 
Csa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibmCsa about-threats-june-2010-ibm
Csa about-threats-june-2010-ibm
 
Cloud Security: What you need to know about IBM SmartCloud Security
Cloud Security: What you need to know about IBM SmartCloud SecurityCloud Security: What you need to know about IBM SmartCloud Security
Cloud Security: What you need to know about IBM SmartCloud Security
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
 
Security Concerns in Cloud Computing
Security Concerns in Cloud ComputingSecurity Concerns in Cloud Computing
Security Concerns in Cloud Computing
 
Slides 530 a2
Slides 530 a2Slides 530 a2
Slides 530 a2
 
The Practitioner's Guide to Cloud Security
The Practitioner's Guide to Cloud SecurityThe Practitioner's Guide to Cloud Security
The Practitioner's Guide to Cloud Security
 
Public Cloud vs Private Cloud vs Hybrid Cloud - What's The Difference.pdf
Public Cloud vs Private Cloud vs Hybrid Cloud - What's The Difference.pdfPublic Cloud vs Private Cloud vs Hybrid Cloud - What's The Difference.pdf
Public Cloud vs Private Cloud vs Hybrid Cloud - What's The Difference.pdf
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...
IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...
IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
 

Kürzlich hochgeladen

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Kürzlich hochgeladen (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Cloud security and privacy

  • 1. “Head in the clouds, feet on the ground - the business side of security in the cloud”
    Subra Kumaraswamy
    subra.k@gmail.com
    Twitter - @Subrak
    Dec 07, 2009
    www.securityforum.org Cloud ISF 20th Annual World Subra Kumaraswamy Security and privacy – Congress 2009
    Copyright © 2009 Information Security Forum Limited
  • 2. Cloud Computing: Evolution (figure only)
  • 3. 5 Essential Cloud Characteristics
    •  On-demand self-service
    •  Broad network access
    •  Resource pooling
      -  Location independence
    •  Rapid elasticity
    •  Measured service
  • 4. 3 Cloud Service Models
    •  Cloud Software as a Service (SaaS)
      -  Use provider’s applications over a network
    •  Cloud Platform as a Service (PaaS)
      -  Deploy customer-created applications to a cloud
    •  Cloud Infrastructure as a Service (IaaS)
      -  Rent processing, storage, network capacity, and other fundamental computing resources
    •  To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
  • 5. Cloud Pyramid of Flexibility (figure only)
  • 6. 4 Cloud Deployment Models
    •  Private cloud
      -  Enterprise owned or leased
    •  Community cloud
      -  Shared infrastructure for a specific community
    •  Public cloud
      -  Sold to the public, mega-scale infrastructure
    •  Hybrid cloud
      -  Composition of two or more clouds
  • 7. The Cloud: How are people using it? (figure only)
  • 8. Changing IT Relationships (figure only)
  • 9. What’s Not a Cloud? (figure only)
  • 10. Focusing the Security Discussion
    [Figure: XaaS layers (Software as a Service, Platform as a Service, Infrastructure as a Service) mapped against deployment models (Public, Private, Hybrid) and application domains (HPC/Analytics, CRM, Transcoding)]
  • 11. Components of Information Security
    [Figure: layered view of application-level, host-level and network-level security, with data protection through encryption, data masking and content protection]
  • 12. Analyzing Cloud Security
    •  Some key issues:
      -  Trust, multi-tenancy, encryption, key management, compliance
    •  Clouds are massively complex systems, but they can be reduced to simple primitives that are replicated thousands of times, plus common functional units
    •  Cloud security is a tractable problem
      -  There are both advantages and challenges
  • 13. Balancing Threat Exposure and Cost Effectiveness
    •  Private clouds may have less threat exposure than community or hosted clouds, which have less threat exposure than public clouds.
    •  Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
  • 14. General Security Advantages
    •  Democratization of security capabilities
    •  Shifting public data to an external cloud reduces the exposure of the internal sensitive data
    •  Forcing functions to add security controls
    •  Clouds enable automated security management
    •  Redundancy / Disaster Recovery
  • 15. General Security Challenges
    •  Trusting the vendor’s security model
    •  Customer inability to respond to audit findings
    •  Obtaining support for investigations
    •  Indirect administrator accountability
    •  Proprietary implementations can’t be examined
    •  Loss of physical control
  • 16. Infrastructure Security
    Trust boundaries have moved
    •  Specifically, customers are unsure where those trust boundaries have moved to
    •  Established model of network tiers or zones no longer exists
      -  Domain model does not fully replicate the previous model
    •  No viable (scalable) model for host-to-host trust
    •  Data labeling/tagging required at application level
      -  Data separation is logical, not physical
  • 17. Data Security
    •  Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA)
    •  Use of encryption
      -  Point-to-multipoint data-in-transit is an issue
      -  Data-at-rest possibly not encrypted
      -  Data being processed definitely not encrypted
      -  Key management is a significant issue
      -  Advocated alternative methods (e.g., obfuscation, redaction, truncation) are not adequate
    •  Data lineage, provenance
    •  Data remanence
  • 18. Identity and Access Management (IAM)
    Generally speaking, a poor situation today:
    •  Provisioning of user access is proprietary to the provider
    •  Strong authentication available only through delegation
    •  Federated identity widely not available
    •  User profiles are limited to “administrator” and “user”
    •  Privilege management is coarse, not granular
  • 19. Privacy Considerations
    Transborder data issues may be exacerbated
    •  Specifically, where are cloud computing activities occurring?
    Data governance is weak
    •  Encryption is not pervasive
    •  Data remanence receives inadequate attention
    •  CSPs absolve themselves of privacy concerns: “We don’t look at your data”
  • 20. Audit & Compliance Considerations
    •  Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)
    •  CSP users need to:
      -  define their control requirements
      -  understand their CSP’s internal control monitoring processes
      -  analyze relevant external audit reports
    •  The issue is assurance of compliance
  • 21. Impact on Role of Corporate IT
    •  Governance issue as internal IT becomes “consultants” and business analysts to business units
    •  Delineation of responsibilities between providers and customers is much more nebulous than between customers and outsourcers, collocation facilities, or ASPs
    •  Cloud computing is likely to involve much more direct business unit interaction with CSPs than with other providers previously
  • 22. Getting Ready – IT Security
    •  Governance framework that can be aligned with partners
    •  Federation of identity, strong authentication, privileged access and key management
    •  Classification of data and privacy policy for data in the cloud
    •  Security automation – image standardization, user/network policy templates
    •  Understand the cloud service provider’s security architecture, SLA, policies, security features and interfaces
    •  Understand the ephemeral nature of compute and storage clouds and plan for archival of security logs
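Slides 15 and 22 raise the same operational problem from two sides: investigations need an instance's security logs, but the compute that produced them is ephemeral and may be gone before anyone asks. As an added example that is not part of Subra Kumaraswamy's deck, the following Python shows one way to archive those logs before an instance terminates so that a later auditor can tell whether the archive is complete and unmodified: each record carries the SHA-256 of the record before it, and the final hash is kept by the customer outside the provider's storage. The log lines and the instance id i-EXAMPLE are constructed placeholders.

```python
"""Tamper-evident archival of security logs from an ephemeral cloud instance.

Added example (not from the slide deck). Each log line becomes an archive
record that carries the SHA-256 of the previous record, so a later edit,
reordering, insertion or removal of any line is detectable when the archive
is read back for an audit or investigation. The sample lines and the
instance id are constructed placeholders.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample lines, in the shape an instance's auth/audit log might emit.
SAMPLE_LOG_LINES = [
    "2009-12-07T09:00:01Z sshd[1102]: Accepted publickey for deploy from 10.0.2.15",
    "2009-12-07T09:00:07Z sudo: deploy : COMMAND=/usr/sbin/iptables -L",
    "2009-12-07T09:01:40Z cloud-init: instance i-EXAMPLE scheduled for termination",
]

GENESIS = "0" * 64  # anchors the chain: the "previous hash" of the first record


def _record_hash(prev_hash: str, seq: int, line: str) -> str:
    """Digest that binds a line to its position and to the record before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(seq.to_bytes(8, "big"))
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def build_archive(lines: List[str], instance_id: str) -> List[Dict]:
    """Produce hash-chained archive records ready to ship to durable storage."""
    records: List[Dict] = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        digest = _record_hash(prev, seq, line)
        records.append({"instance": instance_id, "seq": seq, "prev": prev,
                        "line": line, "hash": digest})
        prev = digest
    return records


def archive_tail(records: List[Dict]) -> str:
    """The last hash: record this out-of-band (customer side) when shipping."""
    return records[-1]["hash"] if records else GENESIS


def verify_archive(records: List[Dict], expected_tail: str) -> bool:
    """Recompute the chain; True only if every link and the final hash match.

    Checking the recomputed tail against the out-of-band value is what catches
    silent truncation, which a per-record check alone would miss.
    """
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or rec["prev"] != prev:
            return False  # reordered, inserted or removed record
        if _record_hash(prev, seq, rec["line"]) != rec["hash"]:
            return False  # line edited after archival
        prev = rec["hash"]
    return prev == expected_tail


if __name__ == "__main__":
    archive = build_archive(SAMPLE_LOG_LINES, "i-EXAMPLE")
    tail = archive_tail(archive)
    print(json.dumps(archive, indent=1))
    print("intact:", verify_archive(archive, tail))
    edited = [dict(r) for r in archive]
    edited[1]["line"] = edited[1]["line"].replace("iptables -L", "iptables -F")
    print("after edit:", verify_archive(edited, tail))
    print("after truncation:", verify_archive(archive[:-1], tail))
```

The design choice worth noting is that the provider-side archive proves nothing on its own: whoever can rewrite the storage can rewrite every hash. The assurance comes from the customer keeping the tail hash (and ideally the per-instance record count) in its own governance record at the moment the archive is shipped, which is the kind of control the deck's "plan for archival of security logs" point implies.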
  • 23. Conclusions
    •  Part of customers’ infrastructure security moves beyond their control
    •  Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
    •  Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage, which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)
  • 24. Conclusions (continued)
    •  IAM is less than adequate for enterprises – weak management of weak credentials unless (authentication) delegated back to customers
    •  Because of the above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
      -  No established standards for obfuscation, redaction, or truncation
  • 25. Conclusions (continued)
    •  Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT
    •  A number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions
  • 26. What’s Good about the Cloud?
    •  A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
    •  Cost
    •  Flexibility
    •  Scalability
    •  Speed
  • 27. Thank you
    subra.k@gmail.com
    Twitter - @subrak

    Disclaimer
    The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by Sun Microsystems. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
    Dec 7th, 2009