Description: The cloud is a service model that entails great benefits for its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways that executives can protect themselves in it.
Cloud Security: Risks and Recommendations for New Entrants
A Report by Irvin Choo, ACC 626

What is the Cloud?

Type  Description                                                            Examples
SaaS  Software coded by the cloud service provider (CSP); accessed through   Salesforce CRM, Gmail
      "thin clients" (e.g. web browsers)
PaaS  Development platform supplied by the CSP                               Google App Engine, Microsoft Azure
IaaS  Raw processing power provided by the CSP                               Amazon EC2

What is the Cloud? Cloud Characteristics
- Elasticity: automatic provisioning/de-provisioning
- Accessibility: anywhere and everywhere
- Multi-tenancy: know your neighbour
- Pay-as-you-go

Cloud Security Risks
- Old risks vs. new risks
- Cloud dependency stack
- Expanding attack surfaces
- Cloud cartography and side channels

Cloud Security Risks: Old Risks vs. New Risks
- Some risks often attributed to the cloud (e.g. phishing) are not cloud-specific
- New risks should stem from the inherent properties of cloud computing models
- Hybrids of both exist: Distributed Denial of Service vs. Economic Denial of Service
  - EDoS: using the elasticity aspect to provision resources beyond sustainable capacities

Cloud Security Risks: Expanding Attack Surfaces
- Hypervisors (IaaS): allocate resources to virtual environments within the physical server
- Application programming interfaces (PaaS): proprietary; communicate between the developer's program and the underlying platform

Cloud Security Risks: The Cloud Dependency Stack
- Compatibility concerns
- Misconfiguration of software
- High integration, high risk
- Compromise at any level can undermine the entire infrastructure

The stack, top to bottom:
  SaaS
  PaaS
  IaaS
  Cloud physical infrastructure

Cloud Security Risks: Cloud Cartography
- Multi-tenancy issue: locating VMs in the cloud. Random distribution?
- "Hey, You, Get Off of My Cloud" (Amazon EC2 study): 50% success rate
- Even brute-force methods were fairly successful, and inexpensive

Cloud Security Risks: Side Channel Attacks
- Primary risk from a multi-tenant environment
- Indirect form of spying: listening through the cache
- Can infer information rather than directly intercepting it
- Researchers were able to guess passwords by monitoring spikes in cache activity
- Can change the face of corporate espionage

Controls and Recommendations
- First steps
- Responsibilities and the SLA
- Security frameworks

Controls and Recommendations: First Steps

Why is encryption important?
- Ensures authorized access
- Provides base-level protection over information
Basic encryption policies
- Authentication data
- Data for archiving/storage
Limitations
- Not suited for data in transit or rapid processing (e.g. SaaS)
- Gmail struggled with encryption until 2010

Controls and Recommendations: Responsibilities and the SLA
- Ponemon: 69% of cloud service providers believe security to be the responsibility of the users
- Continuous monitoring: the CSP may be hesitant to give access to data/logs; security policies are generally secretive
- Securing ownership of data in case of security breaches

Controls and Recommendations: Recommended Security Frameworks
- Strong response to the lack of a cloud-based security risk framework
- ISACA: COBIT Framework for IT Governance and Control
- International Organization for Standardization: ISO 27001
- ENISA: Cloud Computing Assurance Framework
- Cloud Security Alliance: Cloud Controls Matrix

Controls and Recommendations: Recommended Security Frameworks

Organization; title; URL
- ISACA; COBIT; www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
- International Organization for Standardization; ISO 27001/27002; http://www.27000.org/
- Cloud Security Alliance (CSA); Cloud Controls Matrix; https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
- U.S. Department of Commerce, National Institute of Standards and Technology (NIST); http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Implications for CAs
- Assurance opportunities
- Certificate of Cloud Security Knowledge

Implications for CAs: Cloud Computing is an Opportunity for CAs
- Executives require a stronger cloud-based assurance model
- Section 5970/CSAE 3416 is inadequate: cloud risks extend far beyond financial reporting considerations
- Distinguishing between cloud service providers

Implications for CAs: CSA Certificate of Cloud Security Knowledge

"The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate."
~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp.

Conclusions
- The cloud entails new risks: expansion of attack surfaces, evolution of old threats
- Risks can be mitigated by implementing client-side controls, a strong service level agreement, and a unified risk assessment process

Thank you!!

Works Cited
Al Morsy, M., Grundy, J., & Müller, I. (2010, November 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdf
Brenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.
Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28(18), pp. 1-2.
CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up.
Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdf
Cloud Computing Information Assurance Framework. (2009, November). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
Cloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Cloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5
Cloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
Farrell, R. (2010). Securing the Cloud. Information Security Journal, 6(19), pp. 310-319.
Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdf
Greengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1(106), pp. 20-24.
Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1(1247), pp. 4-5.
Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspx
Hoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/
Jarabek, C. (2010). A Review of Cloud Computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdf
Lempereur, C., & Cimpean, D. (2011, May 12). An Assurance Framework for Cloud Computing. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011
Loveland, G. (2010). Security Among the Clouds. Compliance Week, 8(83).
Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.
McMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.ppt
Mullins, R. J. (2010). New Cloud Security Certification Launched. Information Week, 1(1277), p. 16.
Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.asp
Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdf
Shipley, G. (2010). Cloud Computing: Risks. Information Week, 1(1262), pp. 20-23.
The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25(1), pp. 7-9.
Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
Top Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats
Transitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtml
Urquhart, J. (2010, November 22). Cloud security is dependent on the law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofClouds
Zetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/