DESCRIPTION
Global Cyber Attacks Stats What is Computing Security? Cloud Computing, Models and Security Demystified New Security Challenges of Cloud Computing Security Dimensions – The CIA Triad Scope of Cloud Computing Security Security Challenge Eco-system Vulnerabilities, Threats and Exposure Points Attacks – Modes and Types The Notorious Nine – Cloud Security Threats Methods of Defence Tenets of Security Control Security Life Cycle Cloud Security Components and Governance Tiered Cloud Security Handling Framework Bottom-line Take-aways
dare to dream; care to win
Venkateswar Reddy Melachervu 2013. All rights reserved.
Venkateswar Reddy Melachervu, Associate Vice President IT
www.linkedin.com/in/vmelachervu
vmelachervu@gmail.com
Cloud Computing and Safety
Let's Secure Cloud!
20th July 2013
In God we trust; All others, we virus scan
2010. All rights reserved.
Cloud Computing and Security Venkateswar Reddy Melachervu 2013. All rights reserved.
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards
- Unknown
Only the Paranoid Survive
- Andy Grove, Former Chairman, Intel Inc.
Some of the generally available information in the cloud on computing and cloud security is the inspiration and source for a few topics - for the fear of re-inventing the wheel. I hereby thankfully acknowledge those sources.
Disclaimer
Agenda
Global Cyber Attacks Stats
What is Computing Security?
Cloud Computing, Models and Security Demystified
New Security Challenges of Cloud Computing
Security Dimensions – The CIA Triad
Scope of Cloud Computing Security
Security Challenge Eco-system
Vulnerabilities, Threats and Exposure Points
Attacks – Modes and Types
The Notorious Nine – Cloud Security Threats
Methods of Defence
Tenets of Security Control
Security Life Cycle
Cloud Security Components and Governance
Tiered Cloud Security Handling Framework
Bottom-line
Take-aways
In 1988, a "worm" program, the Morris Worm, written by a college student, Robert T. Morris, Jr. of Cornell University, shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber/Cloud attacks.
First National Bank of Chicago is the victim of $70-million computer theft
Cyber Crime - The Beginning
Heartland Payment Systems
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.
March 2008
Incident Few Years Back
2012 Global Cyber Attacks Stats
Revenue loss
Customer data loss and liabilities
Embarrassment to yourself and/or the University
Having to recreate lost data
Identity theft
Data corruption or destruction
Loss of patient, employee, and public trust
Costly reporting requirements and penalties
Disciplinary action (up to expulsion or termination)
Unavailability of vital data
Security Violation Consequences
What's Computing Security?
Protection of computing systems and the data that they store or access
To prevent theft of or damage to the hardware, software, etc. - Confidentiality
To prevent theft of or damage to the information and to protect privacy - Privacy and Integrity
To prevent disruption of service - Availability/Denial of Service
What Is Computing/IT Security?
Isn't this just an IT Problem?
Why Do I Need to Learn About Computer Security?
Everyone who uses a computer needs to understand how to keep his or her computer and data secure
IT Security is not a product, but a process
No major operating system has ever worked perfectly
No OS vendor has dared offer a warranty against malfunctions
It is far easier to build a secure system than to build a correct system
You might be able to live in a house with a few holes in the walls, but you will not be able to keep burglars out
Securing a system has traditionally been a battle of wits
The problem is people/exploitation - not computers
Why Computers Are Not Secure?
Cloud Computing - NIST Definition
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
Cloud Computing - Business Definition
A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet
On demand computational services over web
Spiky compute needs of the scientists
Horizontal and dynamic scaling with no additional cost
Increased throughput
Multi-tenant
Accessed over a network
Only pay for what you use
Shared internally or with other customers
Resources - storage, computing, services, etc.
Internal network or Internet
Similar to Timesharing
Rent IT resources vs. buy
Cloud Computing Demystified
Multi-Tenancy
Cloud Service Layers and Models
[Figure: Models/Layers: IaaS, PaaS, SaaS; labels: Autonomous, More Control/Flexibility]
Conventional Data Centre
Cloud Modelled Data Centre
Public, Private, Hybrid Clouds
Cloud Computing Enablers and Inhibitors
Why Cloud Computing Brings New Security Challenges?
Data, applications, resources are located with provider
User identity management is handled by the cloud provider
User access control rules, security policies and enforcement are managed by the cloud provider
Multi-tenancy
Consumer relies on provider to ensure data security and privacy, resource availability, and monitoring and repairing of services/resources
Self-managed or Private Clouds overcome most of the above new threats
Security Dimensions – The CIA Triad
[Figure labels: Secured, Hardware]
Confidentiality
The need for keeping information secret
Protecting proprietary designs from competitors
Protecting a company's personnel records
Protecting personal financial/ID info against ID theft
Applies to resource hiding
System configuration data
Resources - Systems, Equipment, Services etc.
Integrity
Preventing improper or unauthorized change or access
Data integrity and system integrity
Non-repudiation - Example: Digital Cert of the Origin Source
Availability
Reliability and system design
To prevent Denial of Service Attacks - The attempts to block the availability of systems or services
System designs usually assume a statistical model to analyze expected patterns of use