Upload
vnu-exhibitions-europe
View
441
Download
0
Tags:
Embed Size (px)
Citation preview
Atos, Atos and fish symbol, Atos Origin and fish symbol, Atos Consulting, and the fish itself are registered trademarks of Atos Origin SA. August 2006
© 2006 Atos Origin. Confidential information owned by Atos Origin, to be used by the recipient only. This document or any part of it, may not be reproduced, copied,
circulated and/or distributed nor quoted without prior written approval from Atos Origin.
Cloud Computing and Security
Frans van Leuven
Storage Expo: 03-10-2010
Not a trivial aspect
Cloud Computing and Security Risks
Intro
What is cloud computing?» Working Cloud Definitions
» What’s new
Risk Assessments
» Change or roles
Cloud Computing and Security Risks – Slide 2
» Change or roles» Methods
Cloud related Security Issues & Risks
» Cloud Security Risk Assessment, and Risk Management Methodologies
» Threat Vector » Identity Management (IAAA)
» Federated Identity Management
» The need for Data Classification
Short Intro
Atos Origin
Systems
Integration
Consulting
8%
Utilities &Public Sector
27%
Retail
10%
Telecoms Managed
France
31%
AP 3%Americas 4%
Italy 5%
Spain 6%
Atos Origin in a nutshellCompany Profile
Cloud Computing and Security Risks – Slide 4
Integration
42%
(*)
Others (incl. Transport) 6%
27%
Financial
Services
21%Manufacturing
19%
Telecoms
& Media
21%
(*) of which 16% recurringactivities in Application Management
ManagedOperations
50%11%
UK
19%
31%
Benelux
21%
Germany& CE
What is cloud computing?
Working Definitions
Cloud Is not a new technology but rather a new delivery model
Definition 1: NIST
“Cloud describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down; providing for an on-demand utility-like model of allocation and consumption
Cloud Computing and Security Risks – Slide 6
allocation and consumption
Definition 2: Gartner
The set of disciplines, technologies, and business models used to deliver IT capabilities (software, platforms, hardware) as an on-demand, scalable, elastic service
Definition 3: Atos Origin
» Cloud as a general concept, sometimes described as Cloud Culture, encompasses all sorts
of recent business and social phenomena, many of which are triggered and enabled by the
advent of the internet, the World Wide Web and pervasive computing
NIST Visual Model of Cloud Computing Definition
Cloud Computing and Security Risks – Slide 7
Source: NIST
Cloud Deployment Models
Various deployment models exist
– Public • Available to the general public or a large industry group and is owned by an
organization selling cloud services
– Private • Operated solely for a single organization. It may be managed by the organization or
a third party, and may exist on-premises or off premises
Cloud Computing and Security Risks – Slide 8
a third party, and may exist on-premises or off premises
– Community (Partner) • Cloud infrastructure is shared by several organizations and supports a specific
community that has shared concerns (e.g., mission, security requirements, policy, or
compliance considerations) for example Health care Industry
– Hybrid • Any combination of the above with a components or functionality closing the model
boundaries (private cloud (order processing) with public cloud ( product catalogue
presentation)
Cloud Essential and common Characteristics
» Five essential Characteristics:
» On-demand self-service. - Consumer can self provision computing automatically
» Broad network access.- Available over the network accessed by any client
» Resource pooling
Cloud Computing and Security Risks – Slide 9
» Resource pooling - Resources are pooled to serve multiple consumers
» Rapid elasticity.- Resources and their capabilities can be rapidly made available and decommissioned
after usage
» Measured service.- Cloud systems automatically control and optimize resource usage by measuring use
– monitor, control and report in a transparent manner
» Not essential NIST characteristic but an important one from a supplier perspective- Virtualization- Multi-tenancy
What is needed to run an application today!How is this model affected by cloud?
WAN
and
Internet
IPSFW L3-R
L2-SLB / ADCR
Single Data Center
Cloud Computing and Security Risks – Slide 10
Internet
SAN-SSAN-D
All other NL DC’sTo other Data Center(s)
� Traditional Services
� Technology Silos inclusive Tooling
� Optimized / Standardized per Silo
� Cloud Services
� Optimized per application type
� Dedicated chains are not uncommon
Cloud Security Issues
&
Risk Assessments
Risk Assessment Definition of terms
» Risk - a risk is a possible event which could cause a loss » Risk is a function of the likelihood of a given threat-source’s exercising a particular
potential vulnerability, and the resulting impact of that adverse event on the organization
(NIST)
» “The potential that a given threat will exploit vulnerabilities of an asset or group of assets
and thereby cause harm to the organization” (ISO 27005)
» Threat - a threat is a method of triggering a risk event that is dangerous
Cloud Computing and Security Risks – Slide 12
» Threat - a threat is a method of triggering a risk event that is dangerous
» Vulnerability - a weakness in a target that can potentially be exploited by a threat
» Exploit - a vulnerability that has been triggered by a threat
» Countermeasure - a countermeasure is a way to stop a threat from triggering a risk event
» Assurance - assurance is the level of guarantee that a security system will behave as expected
Cloud Services Risk Assessments
» The boundary of responsibility shift with the stack» SaaS
- Provider is responsible for the whole cloud service stack
- Customer is both liable and accountable for the changes in the software interfaces and
functionality
» PaaS
- Provider is responsible for the underlying infrastructure and the platform API’s for the
PaaS offering
- Customer assumes the risk for all the software developments that occur
Cloud Computing and Security Risks – Slide 13
- Customer assumes the risk for all the software developments that occur
- Customer retains accountability and is liable for the output of developments
» IaaS
- Provider is responsible for the underlying infrastructure
- Customer is liable and accountable for the platform and software infrastructure
- Customer assumes most of the cloud risks , management of operating systems
applications and content
» Essential characteristics of cloud computing require a replacement , redesign or reorientation of perimeter security
Cloud Risks Assessment and Management
» Next we will see that moving in to cloud services entails:- Reorienting our security postures
- Assessing cloud security risks and threats
- Mitigating them by:
- Transferring Risk to the provider but retaining accountability
- Implement or put in place mitigating controls by applying countermeasures
yourself
» Businesses may not adopt cloud services despite the benefits that they can realize
Cloud Computing and Security Risks – Slide 14
» Businesses may not adopt cloud services despite the benefits that they can realize due to:
- Lack of trust that cloud providers will meet their security needs
- Lack of trust that cloud service providers are ready to assume the risks that
enterprises would encounter in the cloud
- Provider lock-in through proprietary standards
- Standards not mature enough to mitigate issues of data portability
- Lack of uniform cloud standards in respective regulatory domains
Risk AssessmentsA far from trivial job when deploying cloud
» Threat Assessment - Identify the threats
- Analyze and evaluate these threats
- Determine the vulnerabilities related to each threat
- The likelihood of happening
- Understand and measure the impact of the risk involved
- Decide on the appropriate measures and controls to manage them.
» Determine the probability of a future adverse event occurrence (likelihood)
Cloud Computing and Security Risks – Slide 15
» Determine the probability of a future adverse event occurrence (likelihood)
» Determine the impact/magnitude to the business and the commensurate
response- Analyze threats and scrutinize potential vulnerabilities
- The controls in place to reduce or mitigate the impact
- Impact here refers to the magnitude of harm that could be caused by a threats
source exploiting the vulnerability
- Impact in turn is directly proportional to the business impact
Risk Assessment Methodologies
» Several industry IT risk management standards and methodologies with varying
efficacy» Some have tools to automate the risk scoring methods
» Can be quantitative (subjective) relying on the collective knowledge within the
organization; output indicates degrees. High Medium Low
» Can be qualitative relying on a large data set that is then taken through an algorithm
that provides a criticality score (numerical minimum - maximum ranges)
Cloud Computing and Security Risks – Slide 16
» Some well-known examples» NIST 800-30 (superseded by 800-53a)
» ISO 27005
» Information Risk Analysis Methodology (IRAM)
» ISACA - RISK IT
Cloud Security Issues
and
What is New and what to Do
Specific Risks Related to the Cloud
» Examine the risk factors changed by using cloud infrastructure replacing the
traditional infrastructure» Customer perspective – All current risks remain, new ones are added
- Breach of confidence, reputation, Competitive advantage, Legal/ Regulatory
- Loss of control - governance
» Cloud Service Provider perspective – Will try to limit liability as much as possible
- Exploits with Cloud service have a considerably larger impact as they affect all
Cloud Computing and Security Risks – Slide 18
- Exploits with Cloud service have a considerably larger impact as they affect all
customers concurrently
» SLA’s and Contracts only cover some type of Cloud related risks» They typically cover Risks with High Likelihood and Low impact
» Often liability is limited to the contract value or even the duration of the outage
» Match enterprise risk analysis findings with the vendor offering – discuss your
risk concerns within the contract – evaluate cloud services offering against
established controls/mitigation
Specific New Risks Related to the Cloud
Essential characteristics and cloud impeding conditions.» Internet Centric communication for most or all communication instances
- Some dependencies may be well hidden
- Major outages on the Internet will have a disastrous impact (DDOS etc)
- Insufficient network controls –ubiquitous (omnipresent) network availability
- Network quality is much harder to monitor and predict
» Virtualization and Multi-tenancy have new weaknesses resulting in potential exploits
- Require new countermeasures just being developed
Cloud Computing and Security Risks – Slide 19
- Require new countermeasures just being developed
- ILM – data deletion – remanance, degaussing (electronic file shredding)
» Cloud Services are often Global Resource based
- Off-shoring support and remote help desk –natural or technical issues
- Multi-level sub contracting invisible to the Service Involved
» Shadow IT may result in undermining Governance
- Units contracting their own ICT facilities
» Countermeasures may be outdated (for profit or other reasons)
- Session Riding & Session Hijacking –Stateless HTTP
- Insecure / Obsolete Cryptography & Weak Authentication mechanisms
» Complexity of Identity Provisioning and de-provisioning increases
- Who controls resources as required by AAA processes?
Cloud Governance Issues
» Cloud Provider problems» Going out of business
» Provider not achieving SLA’s or Contracts
» Provider having poor business continuity planning/Disaster Recovery
» Data Centers in countries with unfriendly laws or undesired political/economical conditions» Cheap countries are cost wise attractive but typically have higher risks of multiple natures
»
Cloud Computing and Security Risks – Slide 20
» Cheap countries are cost wise attractive but typically have higher risks of multiple natures
» Conditions may literally change overnight
» Doing Risk assessments and impact analysis is a far from trivial job » Increasingly complex to cope with Disasters
- More types, more places, increased likelihood etc
» The number of parties involved increases, many will have no relation/compassion with the
organization impacted by mayhem
» Many eggs go into one basket. Domino effects not to be excluded
Identification, Authentication, Authorizationand Accounting (IAAA)
» Identification, Authentication, Authorization and Accounting (Access Control)- A particular challenge in cloud service offerings
- IAAA infrastructure in most enterprises is evolving and will not fulfill the demands of
cloud services
» Asks for some type of Federated Identity (single source for Identity)
Cloud Computing and Security Risks – Slide 21
» Asks for some type of Federated Identity (single source for Identity)» Governments are reluctant to play this role
» Increasingly becomes yet another Cloud Services
» Data Classification is almost becoming a mandatory strategy!» Which type of Cloud Service meets regulations and contractual obligations?
» Which application may be run under various degrees of sharing?
» Which data may be stored over the border?
» The one security approach fits all services may soon become very expensive (as it must
meet the hardest conditions)
Digital Rights Management
» Controlling DRM aspects never have been easy» A whole new dimension is being added making it more complex
- Varies with SAAS, PAAS, IAAS» How do audits work with these models?
» Where is your data stored and how is it protected?
Cloud Computing and Security Risks – Slide 22
» Where is your data stored and how is it protected?
» In-transit and stationary conditions» What is the decision process to change these conditions?
» Who has access to your data» This includes access at the database as a whole
» Where are these people located
» What is reported to you?
Current Enterprise IAAA Infrastructure
Cloud Computing and Security Risks – Slide 23
Federated Identity management within clouds
Cloud Computing and Security Risks – Slide 24
Cloud Services Data Classification and Security
» Organizations will need to classify data based on:
» Importance of data to the organization - Business Impact–
- High - Authenticate and Encrypt (at rest, in motion and during compute)
- Medium – Watermark and Proxy Ids
- Low – In-house, Internal, local use (Leverage enterprise directory services)» Accessibility by whom and why – Authentication, Authorization Access Control
- Secret ? , Confidential?, Public?
Cloud Computing and Security Risks – Slide 25
- Secret ? , Confidential?, Public?
» Network Zoning – Virtual instances with IP range IDs and VLANS containers authentication Proxies deployed at the perimeter
» Organization control- Identity creation and validation
- Identity provisioning and de-provisioning
- Identity validation and traceability –Organization HR
- Identity proxy validation – Partner HR
- Identity self creation -internet customers
Identity and Access Management (IAM)
» Identity provisioning/de-provisioning » Secure and timely management of provisioning & de-provisioning of users in the cloud
Identity profiles » Guaranteed – HR (enterprise directory services)
» Trusted Validity can be assured (partners, suppliers etc)
» Untrusted Self created online customers (lowest trust)
Cloud Computing and Security Risks – Slide 26
» Authentication» Enterprise Authenticate with local AD and establish trust with IdP through federation –
secure exchange of user attributes
» Users authenticating themselves – un-trusted – but can consider yahoo, hotmail or gmail
ID’s (initiate a discussion on this with the attendants)
» Authorization & user profile management
» Federation
Data Classification essential in the Cloud
» Data Classification impacts the total ICT-Chain» How Data is stored
» How Data is transported
» How Data is marked according its class
» Conditions of applications accessing the data
» Conditions of applications used for transfer
» Rights of the owner
» Authorizations of Users
Cloud Computing and Security Risks – Slide 27
» Authorizations of Users
» The potential impact of compromised Data must be mitigated by matching
Countermeasures» As complexity grows this becomes a big cost item
» The volume of Data almost doubles yearly
» Network Zoning often helps to simplify countermeasures
Sources & References
» Live Link» MOD-GPM-1822 - Security Classification and Network Zoning v0.1.pdf
» NIST CLOUD RISK Assessment sp800-30.pdf» http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf» http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
» ENISA_RM-Deliverable1-Final-version-v1.0-2006-03-30.pdf
Cloud Computing and Security Risks – Slide 28
» ENISA_RM-Deliverable1-Final-version-v1.0-2006-03-30.pdf
» http://www.enisa.europa.eu/act/rm/files/deliverables/inventory-of-risk-assessment-and-risk-management-methods
» Security Guidance for Critical Areas of Focus in Cloud Computing
» http://www.cloudsecurityalliance.org/csaguide.pdf
» http://srmsblog.burtongroup.com/2009/06/cloud-computing-who-is-in-control.html
» http://www.27000.org/iso-27005.htm
» http://srmsblog.burtongroup.com/cloud-security/
Atos, Atos and fish symbol, Atos Origin and fish symbol, Atos Consulting, and the fish itself are registered trademarks of Atos Origin SA. August 2006
© 2006 Atos Origin. Confidential information owned by Atos Origin, to be used by the recipient only. This document or any part of it, may not be reproduced, copied,
circulated and/or distributed nor quoted without prior written approval from Atos Origin.
For more information please [email protected]
+31 (0) 630439248
+31 (0) 882656477
Atos Origin Netherlands BVHTC 51
5656 AB Eindhovenwww.atosorigin.com