Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

DESCRIPTION

Global Cyber Attacks Stats; What is Computing Security?; Cloud Computing, Models and Security Demystified; New Security Challenges of Cloud Computing; Security Dimensions – The CIA Triad; Scope of Cloud Computing Security; Security Challenge Eco-system; Vulnerabilities, Threats and Exposure Points; Attacks – Modes and Types; The Notorious Nine – Cloud Security Threats; Methods of Defence; Tenets of Security Control; Security Life Cycle; Cloud Security Components and Governance; Tiered Cloud Security Handling Framework; Bottom-line; Take-aways

Text of Cloud Computing and Security - ISACA Hyderabad Chapter Presentation

  • dare to dream; care to win

    Venkateswar Reddy Melachervu 2013. All rights reserved.

    Venkateswar Reddy Melachervu, Associate Vice President IT

    www.linkedin.com/in/vmelachervu

    vmelachervu@gmail.com

    Cloud Computing and Safety

    Let's Secure Cloud!

    20th July 2013

    In God we trust; All others, we virus scan

  • 2010. All rights reserved.

    Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.

    The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards

    - Unknown

    Only the Paranoid Survive - Andy Grove, Former Chairman, Intel Inc.

  • Disclaimer

    Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for a few topics - for fear of reinventing the wheel. I hereby thankfully acknowledge those sources.

  • Agenda

    Global Cyber Attacks Stats

    What is Computing Security?

    Cloud Computing, Models and Security Demystified

    New Security Challenges of Cloud Computing

    Security Dimensions – The CIA Triad

    Scope of Cloud Computing Security

    Security Challenge Eco-system

    Vulnerabilities, Threats and Exposure Points

    Attacks – Modes and Types

    The Notorious Nine – Cloud Security Threats

    Methods of Defence

    Tenets of Security Control

    Security Life Cycle

    Cloud Security Components and Governance

    Tiered Cloud Security Handling Framework

    Bottom-line

    Take-aways

  • Cyber Crime – The Beginning

    In 1988 a "worm" program, the Morris Worm, written by a college student, Robert T. Morris, Jr. of Cornell University, shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/cloud attacks.

    First National Bank of Chicago is the victim of a $70-million computer theft.

  • Incident – Few Years Back

    Heartland Payment Systems

    Impact: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.

    March 2008

  • 2012 Global Cyber Attacks Stats

  • Security Violation Consequences

    Revenue loss

    Customer data loss and liabilities

    Embarrassment to yourself and/or the University

    Having to recreate lost data

    Identity theft

    Data corruption or destruction

    Loss of patient, employee, and public trust

    Costly reporting requirements and penalties

    Disciplinary action (up to expulsion or termination)

    Unavailability of vital data

  • What's Computing Security?

  • What Is Computing/IT Security?

    Protection of computing systems and the data that they store or access

    To prevent theft of or damage to the hardware, software etc. - Confidentiality

    To prevent theft of or damage to the information and to protect privacy - Privacy and Integrity

    To prevent disruption of service - Availability/Denial of Service

  • Isn't this just an IT Problem?

    Why Do I Need to Learn About Computer Security?

    Everyone who uses a computer needs to understand how to keep his or her computer and data secure

    IT Security is not a product, but a process

  • Why Computers Are Not Secure?

    No major operating system has ever worked perfectly

    No OS vendor has dared offer a warranty against malfunctions

    It is far easier to build a secure system than to build a correct system

    You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out

    Securing a system has traditionally been a battle of wits

    The problem is people/exploitation - not computers

  • Cloud Computing – NIST Definition

    Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  • Cloud Computing - Business Definition

    A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet

  • Cloud Computing Demystified

    On-demand computational services over the web

    Spiky compute needs of the scientists

    Horizontal and dynamic scaling with no additional cost

    Increased throughput

    Multi-tenant

    Accessed over a network

    Only pay for what you use

    Shared internally or with other customers

    Resources - storage, computing, services, etc.

    Internal network or Internet

    Similar to timesharing

    Rent IT resources vs. buy

  • Multi-Tenancy

  • Cloud Service Layers and Models

    [Figure: cloud service models and layers (IaaS, PaaS, SaaS); axis labels: Autonomous, More Control/Flexibility]

  • Conventional Data Centre

  • Cloud Modelled Data Centre

  • Public, Private, Hybrid Clouds

  • Cloud Computing – Enablers and Inhibitors

  • Why Cloud Computing Brings New Security Challenges?

    Data, applications, resources are located with provider

    User identity management is handled by the cloud provider

    User access control rules, security policies and enforcement are managed by the cloud provider

    Multi-tenancy

    Consumer relies on provider to ensure:

    Data security and privacy

    Resource availability

    Monitoring and repairing of services/resources

    Self-managed or Private Clouds overcome most of the above new threats


  • Security Dimensions – The CIA Triad

    [Figure: the CIA triad; surviving labels: Secured, Hardware]

  • Confidentiality

    The need for keeping information secret

    Protecting proprietary designs from competitors

    Protecting a company's personnel records

    Protecting personal financial/ID info against ID theft

    Applies to resource hiding

    System configuration data

    Resources - Systems, Equipment, Services etc.

  • Integrity

    Preventing improper or unauthorized change or access

    Data integrity and system integrity

    Non-repudiation - Example: Digital Cert of the Origin Source

  • Availability

    Reliability and system design

    To prevent Denial of Service Attacks - the attempts to block the availability of systems or services

    System designs usually assume a statistical model to analyze expected patterns of use
