Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

dare to dream; care to win

Venkateswar Reddy Melachervu 2013. All rights reserved.

Venkateswar Reddy MelachervuAssociate Vice President IT

www.linkedin.com/in/vmelachervu

vmelachervu@gmail.com

Cloud Computing and SafetyLets Secure Cloud!

20th July 2013

In God we trust; All others, we virus scan

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards

- Unknown

Only the Paranoid Survive- Andy Grove, Former Chairman, Intel Inc.

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources

Disclaimer

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Agenda

Global Cyber Attacks Stats

What is Computing Security?

Cloud Computing, Models and Security Demystified

New Security Challenges of Cloud Computing

Security Dimensions The CIA Triad

Scope of Cloud Computing Security

Security Challenge Eco-system

Vulnerabilities, Threats and Exposure Points

Attacks Modes and Types

The Notorious Nine Cloud Security Threats

Methods of Defence

Tenets of Security Control

Security Life Cycle

Cloud Security Components and Governance

Tiered Cloud Security Handling Framework

Bottom-line

Take-aways

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

In 1988 a "worm program Morris Worm -written by a college student - Robert T. Morris, Jr. of Cornell University - shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks

First National Bank of Chicago is the victim of $70-million computer theft

Cyber Crime The Beginning

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Heartland Payment Systems

Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.

March 2008

Incident Few Years Back

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

2012 Global Cyber Attacks Stats

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Revenue loss

Customer data loss and liabilities

Embarrassment to yourself and/or the University

Having to recreate lost data

Identity theft

Data corruption or destruction

Loss of patient, employee, and public trust

Costly reporting requirements and penalties

Disciplinary action (up to expulsion or termination)

Unavailability of vital data

Security Violation Consequences

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Whats Computing Security?

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Protection of computing systems and the data that they store or access

To prevent theft of or damage to the hardware, Software etc. - Confidentiality

To prevent theft of or damage to the information and to protect privacy Privacy and Integrity

To prevent disruption of service -Availability/Denial of Service

What Is Computing/IT Security?

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Isnt this just an IT Problem?

Why Do I Need to Learn About Computer Security?

Everyone who uses a computer needs to understand how to keep his or her computer and data secure

IT Security is a not a product, but a process

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

No major operating system has ever worked perfectly

No OS vendor has dared offer a warranty against malfunctions

It is far easier to build a secure system than to build a correct system

You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out

Securing a system has traditionally been a battle of wits

The problem is people/exploitation - not computers

Why Computers Are Not Secure?

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud Computing NIST Definition

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

13

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud Computing - Business Definition

A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

On demand computational services over web

Spiky compute needs of the scientists

Horizontal and dynamic scaling with no additional cost

Increased throughput

Multi-tenant

Accessed over a network

Only pay for what you use

Shared internally or with other customers

Resources - storage, computing, services, etc.

Internal network or Internet

Similar to Timesharing

Rent IT resources vs. buy

Cloud Computing Demystified

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Multi-Tenancy

16

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud Service Layers and Models

17

IaaS

PaaS

SaaSModelsLayers

AutonomousMore Control/ Flexibility

IaaS PaaS

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Conventional Data Centre

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud Modelled Data Centre

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Public, Private, Hybrid Clouds

20

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Cloud ComputingEnablers and Inhibitors

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Why Cloud Computing Brings New Security Challenges?

Data, applications, resources are located with provider

User identity management is handled by the cloud provider

User access control rules, security policies and enforcement are managed by the cloud provider

Multi-tenancy

Consumer relies on provider to ensure Data security and privacy

Resource availability

Monitoring and repairing of services/resources

Self-managed or Private Clouds overcome most of the above new threats

22

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Security Dimensions The CIA Triad

Secured

Hardware

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Confidentiality

The need for keeping information secret Protecting proprietary designs from

competitors

Protecting a companys personnel records

Protecting personal financial/ID info against ID theft

Applies to resource hiding System configuration data

Resources - Systems, Equipment, Services etc.

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Integrity

Preventing improper or unauthorized change or access

Data integrity and system integrity

Non-repudiation Example : Digital Cert of the Origin Source

2010. All rights reserved.

Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

Availability Reliability and system design

To prevent Denial of Service Attacks - The attempts to block the availability of systems or services

System designs usually assume a statistical model to analyze expected patterns of use

2010. All right