Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)
Possibilities and Security Challenges of Cloud Computing
InfoSec Conference 2010
Hotel Intercontinental
Makati City, Philippines
25 August 2010
Pierre U. Tagle, Ph.D., CISA
pierre.tagle@mobiliance.com
Outline
1 Introduction
2 What is Cloud Computing?
3 Possibilities and Security Challenges
4 Critical Areas for Cloud Implementations
Introduction
Mobiliance Incorporated is an INDEPENDENT technology consulting and software services firm which partners with commercial and government establishments/organisations to solve their toughest Information Technology problems and issues.
We offer services to:
• EVALUATE and understand your business needs;
• Recommend ways to ENHANCE how technology, people and processes fit into your business;
• INTEGRATE new and existing technology to better suit your business;
• MAINTAIN your technology investments; and
• Help you PRESERVE your investment to carry your business into the future.
Our Services
• Security Assessment and Design
– Security Architecture Assessment / Design
– Vulnerability Assessment
• Network Assessment and Design
– Alignment with business requirements
– Performance, reliability and availability analysis
• Technology Assessment and Design
• IT Governance / Risk Management
– Disaster Recovery / Business Continuity
– IT Governance
– IT Risk Assessments
• Technology Management Advice (Virtual CIO/CTO)
• Software Development
– From complete SDLC or to assist in specific phases
What is Cloud Computing?
• Virtually every vendor or provider has jumped on the cloud
computing bandwagon and has slapped the “cloud” label on it,
e.g. hosting, outsourcing, ASP, on-demand computing, grid
computing, utility computing, etc.
– Some reports indicate that there were at least 22 different
definitions of the cloud in use.
• Cloud computing is NOT a technology revolution, but
rather a process and business evolution – on how many
technologies and services are used in enabling what is referred
to as Cloud Computing.
• A simplified definition can be that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and to use it as a pay-per-use service.
NIST Cloud Definition Framework
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
The NIST cloud model promotes availability and is composed of 5 essential characteristics, 3 service models and 4 deployment models.
5 Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
– Location independence
• Rapid elasticity
• Measured service
Source: Techmixer.com
3 Cloud Service / Delivery Models
• Cloud Software as a Service (SaaS)
– Use provider’s apps over a network
• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, etc.
Note: To be considered “cloud” these must be deployed on top of a cloud infrastructure with the key characteristics.
Source: NIST Presentations
Cloud Services Examples
• SaaS
– Salesforce.com
– Google Apps
• PaaS
– Google App Engine, Force.com, IBM IT Factory
• IaaS
– Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid
– Amazon Simple Storage Service (Amazon S3)
Cloud Deployment Models
• Private cloud
– Enterprise owned or leased
• Community cloud
– Shared infrastructure for specific community
• Public cloud
– Available to the public, typically mega-scale infrastructure
• Hybrid cloud
– Composition of 2 or more clouds
Cloud Computing Challenges & Risks
• Data Protection
– Where is my data?
– How does my data securely enter/exit the cloud? (and how is it protected during transit?)
– Who has access to my data?
• Risk / Incident Management
– Who is accountable if something goes wrong?
– What’s the disaster recovery plan?
– What happens if my cloud provider disappears?
– How is the environment monitored? How are we notified in the event of failures/outages?
• Integration and Cost
– How easy is it to integrate with in-house IT?
– Are there customization options to suit my needs?
– Will on-demand cost more?
– How difficult to migrate back to an in-house system? (if possible)
• Compliance
– Are there any regulatory requirements?
Challenges and Risks
Security remains the top concern and was raised by 87.5% of respondents in the IDC 2009 survey (up from 74.6% in 2008)
Service Provider Requirements
• Pricing is a key area BUT
• security and related concerns can be “seen” in the user wish-list of service features
SLAs, option to move back on-premise, allow managing on-premise, offer both on-premise and public cloud services, have local presence
Security in the Cloud
• Security controls in cloud computing are no different than security controls in an IT environment BUT...
– the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the organisation.
• Understanding the differences between service models and their implementation is critical to the management of risk to the organisation.
“Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.” – Cloud Security Alliance
Source: Cloud Security Alliance
Security Advantages
• Reduction of exposure of internal sensitive data with move to external cloud
– Data fragmentation and dispersal are managed by unbiased party (cloud vendor assertion)
– Various studies show that a large amount of abuse is done by internal IT professionals
• Cloud homogeneity makes security auditing / testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery
Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Indirect administrator accountability
• Obtaining support for investigations
• Proprietary implementations cannot be examined
• Loss of physical control
• Data dispersal and international privacy laws
• Logging challenges
• Quality of service guarantees
Ensuring Compliance in the Cloud
• The use of cloud computing by itself does not provide for or prevent achieving compliance.
• Cloud services must be mapped against compensating controls to determine which exist and which do not – either by the end user, service provider or a third party.
• Gap analysis results are fed into the risk assessment framework – accept, transfer or mitigate.
Source: Cloud Security Alliance
Cloud Implementation Use Case Taxonomy
• Service Consumer
– SaaS is consumed by end users, e.g. employees, clients, partners
– PaaS is consumed by software developers
– IaaS is consumed by IT managers
• The various components must be managed by the company or a third party solution provider.
Source: Cloud Computing Use Case Discussion Group
Determining Candidates for the Cloud
• Review applications and IT resources / systems
• Categorise into:
– Mission-critical, i.e. business will not survive without it
– Non-mission critical
• Sub-categorise into:
– Core business practices, i.e. provides service differentiation
– Non-core, i.e. internal activities
• Typical Rules of Thumb:
– If mission-critical and non-core then possibly good candidate for the cloud
– If mission-critical and core, possibly keep internal or in private cloud
– If non-mission critical and non-core then okay for public clouds
– If non-mission critical and core, possibly keep internal or in private cloud
Candidates for the Public Cloud
GOOD
• Applications used by mobile workers, particularly those used to manage time, activities, etc.
• Software development environments
• Applications that require hardware/software not normally available within the company
• Applications that run infrequently but require considerable resources, e.g. test and pre-production systems
• Backup for critical applications
• Distributed server and data centre locations
BAD
• Applications with very sensitive data (with possible regulatory or legal risk)
• Applications that require very intensive data workloads or very performance sensitive applications
– Possible cost issue
• Applications that require extensive or high customization
Cloud Adoption Model Example
• Prepare IT portfolio
– Virtualization not necessary but can simplify migration, updates, etc.
• Cloud experimentation
– Usage, experimentation and laying of groundwork
• Cloud foundations
– Finalize application architecture and platform
• Cloud exploitation
– Deployment (either private or public) in the cloud
– Get apps into production, along with processes, policies and procedures
• Cloud actualization / HyperCloud
– Fully dynamic and autonomic compute environment
Source: eWeek.com
Cloud Usage Examples
• Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infrastructure
• Animoto – start-up that used Amazon’s cloud services and was able to keep up with soaring demand and scale up from 50 to 3,500 instances over a three-day period
• Times – wanted to place a 60-year period's worth of images (i.e. 15 million news stories); moved 4 TB into Amazon S3, ran the software on EC2, then launched the product
• Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops.
Recommended Areas of Critical Focus
GOVERNANCE DOMAINS
• Governance & Enterprise Risk Management
• Legal
• Compliance and Audit
• Information Life Cycle Management
• Portability and Interoperability
OPERATIONAL DOMAINS
• Security, Business Continuity & Disaster Recovery
• Data Centre Operations
• Incident Management
• Application Security
• Encryption & Key Management
• Identity & Access Management
• Virtualisation
Governance Domains
Governance & Enterprise Risk Management
• Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing
– Legal precedence for agreements
– Assess risk of a cloud provider
– Responsibility to protect data
– How international boundaries affect issues
• Risk management approaches
– Include provider’s security governance, risk management and compliance structures and processes
– Consistency between provider and end user risk assessment approaches
• provider’s design of the cloud service vs. user’s assessment of the cloud service risk.
– Adjust DRP/BCP to include new scenarios, e.g. loss of provider services
RECOMMENDATIONS
Legal Aspects
Potential legal issues with the use of Cloud
Computing
– Protection requirements for information &
computer systems
– Security disclosure laws
– Regulatory requirements
– Privacy requirements
– International laws
Compliance and Audit
• Ensuring and proving compliance when using Cloud
Computing
– Company security policies
– Industry standards and/or certifications
– Regulatory, legislative and other compliance
requirements
• The end user must understand:
– Regulatory application for
the use of a cloud service
– Division of compliance
responsibilities (vs. provider)
– Provider’s ability to produce
evidence needed for compliance
– End user’s role in bridging the
gap between provider and audit
requirements
Information Lifecycle Management
• Management of data that is placed within the Cloud.
– Identification and control of data
– Compensating controls to deal with loss of physical control
– Data confidentiality, integrity and availability
• The Data Security Lifecycle
• Maps to the more general Information Lifecycle Management (ILM)
Source: Cloud Security Alliance
Portability and Interoperability
• Ability to move data and/or services from one cloud provider to another, or move it back in-house
– Portability
– Interoperability
• Companies may need to switch providers due to:
– Unacceptable increase in cost
– Provider ceases operation
– Provider ceases one or more services
– Unacceptable decrease in service quality
– Business disputes
Operational Domains
Security, Business Continuity and Disaster Recovery
• How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery?
• How does cloud computing assist in diminishing risks in certain areas, while possibly increasing them in others?
Data Centre Operations
• Identifying common data centre characteristics that
are:
– Disadvantageous to on-going services and/or
– Fundamental to long-term stability.
• Technology architectures will differ across providers
but they all must support compartmentalization with
controls segregating each layer of the infrastructure
– Note that some cloud providers may be users
of other cloud services, e.g. a SaaS vendor
uses PaaS or IaaS vendor(s).
Incident Management
• Proper and adequate incident
detection, response, notification and
remediation.
– Includes processes and
procedures at both provider and
end user levels
• Does the cloud bring about
complexities to current incident
management procedures?
Application Security
• What type of cloud platform to use? SaaS, PaaS, or IaaS?
• Cloud applications will both impact and be impacted by various factors
• Migrate existing app or design a new app for cloud deployment?
[Diagram labels: Cloud Apps; Application Security Architecture; Compliance; Tools & Services; SDLC; Vulnerabilities]
Encryption and Key Management
• Cloud environments are shared, and providers generally have privileged access
• Encryption offers benefits of less reliance on provider
• Identifying proper encryption usage and key management
Encryption for Confidentiality and Integrity
– Encrypt data in transit: Secure sensitive information even within provider’s environment.
– Encrypt data at rest: Differences in implementation from IaaS to PaaS to SaaS
– Encrypt data on backup media: Protect against misuse of lost/stolen media.
Identity and Access Management
• Even without the cloud, the management of identities and access control
remains one of the key challenges facing IT in any organisation.
• Management of identities to provide access control when extending the
organisation into the cloud.
Identity Provisioning
• Secure and timely management of provisioning and deprovisioning of users in the cloud.
• Extension of current user management processes to the cloud.
Authentication
• Address authentication related challenges, e.g. strong authentication (multi-factor), delegated authentication, and trust management across cloud services.
Federation
• Authenticate users of cloud services using the organisation’s chosen identity provider.
Authorization and User Profile Management
• Establishment of trusted user profile and policy information, using it to control access within the cloud, and using this in an auditable way.
IDaaS
• Identity as a Service (IDaaS) should follow the same best
practices used for internal IAM implementations
• For internal users:
– Review provider’s options to provide secure access to
the cloud
– Review cost reduction vs. risk mitigation measures to
address risks of having employee information with
IDaaS.
• For external users (e.g. partners) the information owners need
to incorporate interactions with IAM providers into the SDLC
and in threat assessments
• PaaS users should review use of industry standards by IDaaS
vendors
• Proprietary solutions represent a significant risk; the use of open standards is recommended.
Virtualisation
• Use of virtualisation technology in cloud
computing, particularly the security issues
related to the system/hardware
virtualisation.
Conclusion
• In any move towards an emerging technology and business model, you need in-depth understanding of:
– Your IT team (whether in-house or 3rd party including consultants / partners) and capabilities
– The Solutions, and
– The Service Providers and/or Vendors
• It is no different with cloud computing: any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and, if needed, outsourcing partners.
• Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and are continuously being improved / fine-tuned to meet the perceived challenges and user requirements.