Security of Cloud Computing

Topic Overview
 Introduction
 Cloud Basics
 Securing the Cloud
 Leveraging the Cloud
Introduction
 Cloud Computing Industry is growing
 According to Gartner, worldwide cloud services revenue is
leading
 Businesses are increasing Cloud adoption
 "We expect a great deal of migration towards cloud computing
worldwide

 How can IT leaders ensure security in the cloud?

Cloud Basics
 Cloud Characteristics
 Service Models
 SaaS
 IaaS
 PaaS
 Deployment Models
 Public
 Private
 Community
 Hybrid
Cloud Characteristics
Cloud Service Models

 Software as a Service
(SaaS)

 Platform as a Service
(PaaS)

 Infrastructure as a Service
(IaaS)
 Natural Evolution of the Web

Source: Lew Tucker, Introduction to Cloud Computing for Enterprise Users

Four Deployment Models
Four Deployment Models
Four Deployment Models
Four Deployment Models
Securing the Cloud

 Security Interaction Model

 Top Security Threats

 Cloud Provider Security Practices –

Security Interaction Model
Top Security Threats
 Abuse and nefarious use of cloud computing
 Insecure interfaces & API’s
 Unknown risk profile
 Malicious insiders
 Shared technology issues
 Data loss or leakage
 Account or service hijacking
 Threat Mitigation
Abuse and nefarious  Stricter initial registration and validation processes.
 Enhanced credit card fraud monitoring and
use of cloud coordination.
computing  Comprehensive introspection of customer network
traffic.
 Monitoring public blacklists for one’s own network
blocks.
Insecure interfaces &  Analyze the security model of cloud provider
interfaces.
API’s  Ensure strong authentication and access controls
are
implemented in concert with encrypted transmission.
 Understand the dependency chain associated with
the API.
Unknown risk profile  Disclosure of applicable logs and data.
Partial/full disclosure of infrastructure details
 Monitoring and alerting on necessary information.
 Threat Mitigation
Malicious insiders  Enforce strict supply chain management and conduct
a comprehensive supplier assessment.
 Specify human resource requirements as part of
legal contracts.
 Require transparency into overall information security
and management practices, as well as compliance
reporting.
 Determine security breach notification processes.
Shared technology  Implement security best practices for installation and
configuration.
issues  Monitor environment for unauthorized
changes/activity.
 Promote strong authentication and access control for
administrative access and operations.
 Enforce service level agreements for patching and
vulnerability remediation.
 Conduct vulnerability scanning and configuration
audits.
 Threat Mitigation
Data loss or  Implement strong API access control.
 Encrypt and protect integrity of data in transit.
leakage  Analyze data protection at both design and run time.
 Implement strong key generation, storage and
management, and destruction practices.
 Contractually demand providers wipe persistent
media before it is released into the pool.
 Contractually specify provider backup and retention
strategies.
Account or  Prohibit the sharing of account credentials between
users and services.
service  Leverage strong two-factor authentication
hijacking techniques where possible.
 Employ proactive monitoring to detect unauthorized
activity.
 Understand cloud provider security policies and
SLAs.
Security Practices

 Organizational and Operational Security

 Data Security
 Threat Evasion
 Safe Access
 Privacy
Organizational and Operational
Security

 Holistic approach to security

 Security team
 Develop with security in mind
 Regularly performs security audits and threat assessments
 Employees screened, trained
 Works with security community and advisors
Data Security

 Google Code of Conduct – “Don’t be evil.”

 Physical security
 Logical Security
 Accessibility
 Redundancy
Threat Evasion

 Spam and virus protection built into products

 Protects against application & network attacks
Safe Access

 Avoids local storage

 Access controls
 Encrypted connections
 Integrated security
Privacy

 Privacy policy
 Does not access confidential user data
 Does not alter data
 Maintain own IP rights
 Indemnification, liability
 End of use
Leveraging the Cloud

 Decision Making Process

 Clan Wars Case Study

Decision Making Process
 Identify the asset for cloud deployment
 Evaluate the asset requirements for confidentiality, integrity,
and availability
 Map the asset to potential cloud deployment models
 Evaluate potential cloud service models and providers
 Sketch the potential data flow
 Draw conclusions
Rackspace Security Practices
 Physical Security
 System Security
 Operational Infrastructure Security
 Client Application Security
Cloud Consumer Best Practices
Governance Domains Operational Domains
• Governance & Enterprise • Traditional Security,
Risk Mgmt Business Continuity, and
• Legal and Electronic Disaster Recovery
Discovery • Data Center operations
• Compliance and Audit • Incident Management
• Information Life Cycle • Application security
Management • Encryption & Key Mgmt
• Portability and • Identity & access Mgmt
Interoperability • Virtualization