WHAT IS CLOUD COMPUTING REALLY?

Scott Clark, Chicago Chapter President, Cloud Security Alliance

The Blind Men and the Cloud

It was six men of Info Tech
To learning much inclined,
Who went to see the Cloud
(Though all of them were blind),
That each by observation
Might satisfy his mind

The First approached the Cloud,
So sure that he was boasting
“I know exactly what this is…
This Cloud is simply Hosting.”

The Second grasped within the Cloud,
Saying, “No it’s obvious to me,
This Cloud is grid computing…
Servers working together in harmony!”

The Third, in need of an answer,
Cried, “Ho! I know its source of power
It’s a utility computing solution
Which charges by the hour.”

The Fourth reached out to touch it,
It was there, but it was not
“Virtualization,” said he.
“That’s precisely what we’ve got!”

The Fifth, so sure the rest were wrong
Declared “It’s SaaS you fools,
Applications with no installation
It’s breaking all the rules!”

The Sixth (whose name was Benioff),
Felt the future he did know,
He made haste in boldly stating,
“This *IS* Web 3.0.”

And so these men of Info Tech
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were partly wrong!

Sam Charrington & Noreen Barczweski
© 2009, Appistry, Inc

Agenda

• Introduction to Cloud Computing

• What is Different in the Cloud?

• CSA Guidance

• Additional Resources

“This Cloud is simply Hosting”

Evolution of “Hosting”

From CUSTOM (“Co-Location”) to COMMODITY (“Cloud Service Providers”)

Evolution of Data Centers

Closest to power plants: Google Data Center

• State of Oregon

• Columbia River

• 103 megawatt data center on 30 acres

• Near a 1.8 GW hydropower station

Data Center is the new “Server”

POD Computing

Google’s low cost commodity server

Is This New??

• Berkeley credited

• Cluster of Servers

• Started in 1994

Broadband Network Access

Rapid Elasticity

Measured Service

• Risk of over-provisioning: underutilization

[Figure: static data center; demand vs. capacity over time, the gap between the two labelled “unused resources”]

• Heavy penalty for under-provisioning: lost revenue, lost users

[Figure: three panels of demand vs. capacity over time (days 1–3); where demand exceeds fixed capacity the excess is labelled “lost revenue” and “lost users”]

• Pay by use instead of provisioning for peak

[Figure: static data center vs. data center in the cloud; demand vs. capacity over time, with “unused resources” shown only for the static case]

Source: “Above The Clouds”
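As an added illustration of the three Measured Service slides above (this script is not from the presentation or from the “Above the Clouds” paper), the same demand-versus-capacity picture is put into numbers: a fixed data center sized for peak pays for idle capacity, one sized below peak turns users away, and a measured service pays only for what it provisions, with a lag to show that elasticity is not instant. The demand curve, unit size, headroom and price are constructed.

```python
"""Over-provisioning, under-provisioning and pay-by-use on one constructed demand curve.

Added example, not from the slides: hourly demand for three days with a daytime
bump and a one-off spike on day 2; every number here is invented to illustrate.
"""
import math
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Outcome:
    capacity_hours: float  # server-hours provisioned (what is paid for)
    unused_hours: float    # server-hours idle: over-provisioning waste
    lost_hours: float      # demand-hours turned away: under-provisioning penalty
    cost: float            # capacity_hours * price per server-hour


def constructed_demand(days: int = 3, spike_day: int = 1) -> List[int]:
    """Servers needed per hour: 20 at night, 50 in business hours, 150 during a spike."""
    demand = []
    for hour in range(days * 24):
        day, h = divmod(hour, 24)
        level = 50 if 9 <= h < 18 else 20
        if day == spike_day and 12 <= h < 16:  # e.g. a viral news event
            level = 150
        demand.append(level)
    return demand


def static_capacity(demand: Sequence[float], capacity: float, price: float) -> Outcome:
    """A fixed data center: the same capacity is paid for every hour regardless of load."""
    unused = sum(max(0, capacity - d) for d in demand)
    lost = sum(max(0, d - capacity) for d in demand)
    hours = capacity * len(demand)
    return Outcome(hours, unused, lost, hours * price)


def elastic_capacity(demand: Sequence[float], unit: int, headroom_pct: int,
                     price: float, lag_hours: int = 0) -> Outcome:
    """Measured service: each hour provision the smallest multiple of `unit` servers that
    covers demand plus a headroom percentage. `lag_hours` models the delay between seeing
    demand and having instances running, which is where a sudden spike still loses users."""
    caps = []
    for t in range(len(demand)):
        observed = demand[max(0, t - lag_hours)]
        target = observed * (100 + headroom_pct) / 100
        caps.append(math.ceil(target / unit) * unit)
    unused = sum(max(0, c - d) for c, d in zip(caps, demand))
    lost = sum(max(0, d - c) for c, d in zip(caps, demand))
    hours = sum(caps)
    return Outcome(hours, unused, lost, hours * price)


def compare(demand: Sequence[float], price: float = 0.10) -> dict:
    """The three slide scenarios side by side for a given price per server-hour."""
    return {
        "static_at_peak": static_capacity(demand, max(demand), price),
        "static_under": static_capacity(demand, 50, price),
        "elastic": elastic_capacity(demand, unit=10, headroom_pct=20,
                                    price=price, lag_hours=1),
    }


if __name__ == "__main__":
    for name, o in compare(constructed_demand()).items():
        print(f"{name:15s} paid={o.capacity_hours:7.0f}h idle={o.unused_hours:7.0f}h "
              f"lost={o.lost_hours:5.0f}h cost=${o.cost:,.2f}")
```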

Resource Pooling = Virtualization

Server Virtualization

[Figure: traditional stack (Hardware → Operating System → App, App, App) beside the virtualized stack (Hardware → Hypervisor → OS, OS, … → App, App, App)]

Storage Virtualization

Network Virtualization

[Figure: application VMs behind two ToR switches; the physical network is marked ☒ High CapEx, ☒ Low Utilization, ☒ High Complexity, ☒ Change-Resistant]

Benefits claimed for network virtualization:

• Platform-independent

• Razor-thin CapEx

• Deploy anywhere

• Elastic scalability

• Interfaces with provisioning & orchestration systems

• Evolves with rapidly changing network architectures

• Utility licensing model

Case Study

• Created a 10,000-core cluster

• Leveraged Amazon’s EC2

• Genentech needed a supercomputer to examine how proteins bind together

• Using Genentech’s own resources would have taken weeks or months to gain access and run the program

Completed in 8 Hours! Genentech’s Cost = $8,480!

• Infrastructure: 1,250 instances with 8 cores / 7 GB RAM each

• Cluster Size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total

• Scale: Comparable to #114 of the Top 500 Supercomputer list

• Security: Engineered with HTTPS & 128/256-bit AES encryption

• User Effort: Single click to start the cluster

• Start-up Time: Thousands of cores in minutes, full cluster in 45 minutes

• Up-front Capital Investment/Licensing Fees: $0

• Total CycleCloud and Infrastructure Cost: $1,060/hour

Delivery Models

• Utility computing (IaaS)

– Why buy machines when you can rent cycles?

– Examples: Amazon’s EC2, GoGrid, AppNexus

• Platform as a Service (PaaS)

– Give me a nice API and take care of the implementation

– Examples: Google App Engine, Force.com

• Software as a Service (SaaS)

– Just run it for me!

– Examples: Gmail, Salesforce.com and NetSuite

“Why do it yourself if you can pay someone to do it for you?”

Forrester: Cloud Market To Reach $241 Billion By 2020

Case Study – Hybrid Cloud

• June 25, 2009

• 1 million visits in 24 hrs

• Twitter stood still

• Ticketmaster crawled

• Yahoo!: 16.4 million site visitors in 24 hours, more than the 15.1 million on Election Day

• Sony.com couldn’t sell music – 200 sites down

Private to Public Burst

What About Service Oriented Architecture???

BREAK

What is Different in the Cloud?

• Many concepts “in the cloud” are similar to concepts in standard outsourcing

• There are at least four themes which require a different mindset when working on security for cloud services:

– Role clarity for security controls

– Legal / jurisdictional / cross-border data movement

– Virtualization concentration risk

– Virtualization network security control parity

Role Clarity

[Figure: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) on a spectrum from “Security ~ YOU” at the IaaS end to “Security ~ THEM” at the SaaS end]

Legal / Jurisdictional Issues Amplified

[Figure: “Your Corporate Data?” spread across “Cloud” provider datacenters in San Francisco, USA; Tokyo, Japan; Geneva, Switzerland; São Paulo, Brazil; and London, U.K.]

Virtualization Concentration Risks

[Figure: “Old Way – Hack a System” versus “New Way – Hack a Datacenter”, with the hypervisor underneath]

Virtualized N-Tier Control Equivalence

[Figure: “Current Way” – Internet → Users → Presentation Layer → Data Layer, with FW, WAF and NIDS/IPS between the tiers; “New Way” – the same tiers as VMs on one hypervisor, with the same FW, WAF and NIDS/IPS controls expected. How do we ensure control parity?]

Key Cloud Security Problems

From CSA Top Threats Research:

– Trust: lack of provider transparency impacts governance, risk management, compliance

– Data: leakage, loss or storage in unfriendly geography

– Insecure cloud software

– Malicious use of cloud services

– Account/service hijacking

– Malicious insiders

– Cloud-specific attacks

Cloud Security Alliance Guidance

Available at http://www.cloudsecurityalliance.org/Research.html

[Sidebar shown on each of the following guidance slides: the domains]

Cloud Architecture

Governing the Cloud:

– Governance and Enterprise Risk Management

– Legal and Electronic Discovery

– Compliance and Audit

– Information Lifecycle Management

– Portability and Interoperability

Operating in the Cloud:

– Security, Business Continuity, and Disaster Recovery

– Data Center Operations

– Incident Response, Notification, Remediation

– Application Security

– Encryption and Key Management

– Identity and Access Management

– Virtualization


Defining Cloud

• On demand provisioning

• Elasticity

• Multi-tenancy

• Key types

– Infrastructure as a Service (IaaS): basic O/S & storage

– Platform as a Service (PaaS): IaaS + rapid dev

– Software as a Service (SaaS): complete application

– Public, Private, Community & Hybrid Cloud deployments

Governance and Enterprise Risk Management

• Due diligence of providers’ governance structure and process, in addition to security controls and SLAs

• Risk assessment approaches between provider and user should be consistent: consistency in impact analysis and in the definition of likelihood


Legal and Electronic Discovery

• Mutual understanding of roles related to litigation, discovery searches and expert testimony

• Data in the custody of the provider must receive guardianship equivalent to the original owner’s

• Unified process for responding to subpoenas, service of process, etc.


Compliance and Audit

• Right to Audit clause

• Analyze the impact of regulations on data security

• Prepare evidence of how each requirement is being met

• Auditor qualification and selection


Information Lifecycle Management

• How is integrity maintained?

• If compromised, how is it detected and reported?

• Identify all controls used during the data lifecycle

• Know where your data is!

• Understand provider’s data search capabilities and limitations
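The two integrity questions above have a concrete answer when the customer keeps a key the provider never sees, which is the same separation the Encryption and Key Management domain later asks for. Added example, not CSA material: an HMAC manifest is built when objects are uploaded and re-checked against what the provider serves back, reporting modified, missing and unexpected objects; the key, object names and contents are constructed.

```python
"""Integrity manifest for data held by a cloud provider, checked with a customer-held key.

Added example, not from the CSA guidance; the key and objects below are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Kept by the customer (HSM, vault, on-premises); the provider only ever sees ciphertext
# or plaintext objects, never this key, so it cannot forge a tag after tampering.
CUSTOMER_MAC_KEY = b"constructed-key-never-shared-with-provider"


def object_tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over the object name and content; binding the name stops swaps."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8") + b"\x00" + data)
    return mac.hexdigest()


def build_manifest(key: bytes, store: Dict[str, bytes]) -> str:
    """Tag every object at upload time; the manifest stays with the customer."""
    tags = {name: object_tag(key, name, data) for name, data in sorted(store.items())}
    return json.dumps(tags)


def verify_store(key: bytes, manifest: str, store: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Recompute tags over what the provider currently serves and classify each object."""
    expected = json.loads(manifest)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, tag in expected.items():
        if name not in store:
            report["missing"].append(name)              # lost, deleted or withheld
        elif hmac.compare_digest(tag, object_tag(key, name, store[name])):
            report["ok"].append(name)
        else:
            report["modified"].append(name)             # content or name no longer matches
    report["unexpected"] = sorted(set(store) - set(expected))  # objects we never uploaded
    return report


if __name__ == "__main__":
    uploaded = {"ledger.csv": b"acct,amount\n1,100\n", "policy.pdf": b"%PDF-1.4 ..."}
    manifest = build_manifest(CUSTOMER_MAC_KEY, uploaded)
    # Later: what the provider serves back (constructed tampering and loss).
    served = {"ledger.csv": b"acct,amount\n1,900\n", "extra.bin": b"\x00"}
    print(json.dumps(verify_store(CUSTOMER_MAC_KEY, manifest, served), indent=1))
```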


Portability and Interoperability

• IaaS – Understand VM capture and porting to a new provider, especially if different technologies are used

• PaaS – Understand how logging, monitoring and audit transfer to another provider

• SaaS – Perform regular backups into a form usable without the SaaS


Security, Business Continuity and Disaster Recovery

• Conduct an onsite inspection whenever possible

• Inspect the cloud provider’s disaster recovery and business continuity plans

• Ask for documentation of external and internal security controls – adherence to industry standards?


Data Center Operations

• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel

• Understanding of the provider’s patch management policies and procedures – should be reflected in the contract!


Incident Response, Notification and Remediation

• You may have limited involvement in incident response; understand the prearranged, communicated path to the provider’s incident response team

• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?


Application Security

• S-P-I creates different trust boundaries in the SDLC – account for them in dev, test and production

• Obtain contractual permission before performing remote vulnerability and application assessments – the provider cannot distinguish testing from an actual attack


Encryption and Key Management

• Separate key management from the provider hosting the data, creating a chain of separation

• Understand the provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted

• Ensure encryption adheres to industry and government standards when stipulated in the contract


Identity and Access Management

• IAM is a big challenge today in secure cloud computing

• Identity – avoid proprietary solutions unique to the cloud provider

• Local authentication service offered by the provider should be OATH compliant


Virtualization

• Understand internal security controls for VMs beyond built-in hypervisor isolation – IDS, AV, vulnerability scanning, etc.

• Understand external security controls protecting exposed administrative interfaces (Web-based, APIs)

• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs


Additional Cloud Security Alliance Resources

Cloud Security Alliance Initiatives

1. GRC Stack

2. Security Guidance for Critical Areas of Focus in Cloud Computing

3. Cloud Controls Matrix (CCM)

4. Consensus Assessments Initiative

5. Cloud Metrics

6. Trusted Cloud Initiative

7. Top Threats to Cloud Computing

8. CloudAudit

9. Common Assurance Maturity Model

10. CloudSIRT

11. Security as a Service


Cloud Controls Matrix Tool

• Controls derived from guidance

• Rated as applicable to S-P-I

• Customer vs Provider role

• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS

• Help bridge the gap for IT & IT auditors

www.cloudsecurityalliance.org/cm.html


Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

• Cloud Security Alliance, Chicago Chapter

• scott.clark@vyatta.com

• LinkedIn: http://www.linkedin.com/groups?gid=3755674

Questions?
