Upload
anchises-moraes
View
3.991
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Cloud Computing Risks and Mitigation presentation at GTS 14, São Paulo, Brazil, November 2009
Citation preview
Cloud Computing Enterprise Risks and Mitigation
Anchises M. G. de PaulaiDefense Intelligence AnalystNov. 2009 GTS GTS GTS GTS ---- 14141414
2
2GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20092
Agenda
� Overview of cloud computing
� Cloud computing risks and generic mitigation strategies
� Cloud Computing for Malicious Intent
�Questions and answers
sour
ce: s
xc.h
u
3GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20093
Overview of cloud computing
4
4GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20094
Overview
� The term “cloud computing” is poorly defined
5
5GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20095
Overview
� The term “cloud computing” is poorly defined
“ Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimalmanagement effort or service provider interaction.”Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
6
6GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20096
Overview
� The term “cloud computing” is poorly defined
“ Essential Cloud Characteristics:• On-demand self-service • Broad network access• Resource pooling• Location independence• Rapid elasticity• Measured service”
7
7GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20097
Overview
� The term “cloud computing” is poorly defined
8
8GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20098
Overview
� The term “cloud computing” is poorly defined
� Multiple vendors, multiple definitions
� Utility pricing model
� Cloud-based Service Provider (CSP) handle burden of resources
9
9GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Overview
� Three basic categories for cloud computing technologies:– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
9
Resource A
bstraction
10
10GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
10
11
11GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
� Private Cloud
11
12
12GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
� Private Cloud
� Hybrid Cloud
12
13GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200913
Cloud computing risks and generic mitigation strategies
14
14GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200914
Areas of Risk
▪ Privileged User Access
▪ Data Segregation
▪ Regulatory Compliance
▪ Physical Location of Data
▪ Availability
▪ Recovery
▪ Investigative Support
▪ Viability and Longevity
15
15GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation Strategies
� Understand the risks
� Evaluate any potential cloud-based solution and CSP
� Unique solution, generic risks
15
source: sxc.hu
16
16GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Privileged User Access:• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
16
17
17GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Privileged User Access:• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
� Privilege Access Control Mitigation:– Support to HR and data policies
– Outsourcing involved?
– Evaluate the access controls
17
18
18GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
18
19
19GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
19
20
20GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
20
21
21GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
� Data Segregation Mitigation:– What’s the risk of data segregation failure?
– Encryption of data: shifting of risks
– Understand the “how, where, when”of consumer data storage
21
22
22GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Regulatory Compliance:– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
22
23
23GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Regulatory Compliance:– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
� Regulatory Control Mitigation:– Know your regulatory obligation
– Know your CSP’s regulatory obligations
– Understand your liabilities
– Location may change regulatory obligations
23
FISMA HIPAA SOXPCI SAS 70 Audits
24
24GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
24
25
25GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
25
10/9/09SA pigeon 'faster than broadband'BBC NewsCyber A Durban IT company pitted an 11-month-old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers.
26
26GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
� Physical Location of Data Mitigation:– Identify your data’s location
– Avoid CSPs that cannot guarantee the location
– Avoid CSPs that use data centers in hostile countries
– Use CSPs that reside in consumer’s country
26
27
27GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Availability:– Constant connectivity required
– Any failure terminating connectivity is a risk
– Data loss and downtime risks
27
28
28GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Availability:– Constant connectivity required
– Any failure terminating connectivity is a risk
– Data loss and downtime risks
28
29
29GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Service Availability Mitigation:– Availability is the greatest risk !
– Understand the CSP’s infrastructure: avoid single points of failure
– Private clouds may reduce the availability risk, but introduce additional cost and overhead
– Establish service-level agreements (SLAs) with their CSPs
– Balance the risk introduced by using multiple data centers with the risk of a single site failure
– Assume at least one outage, what’s the impact to you?
29
30
30GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Recovery:– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
30
31
31GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Recovery:– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
� Recovery Mitigation:– Understand backed up systems
(Encrypted? Multiple sites?)
– Identify the time required to completely recover data
– Practice a full recovery to test the CSP’s response time
31
32
32GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Investigative Support:– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
32
33
33GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Investigative Support:– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
� Investigative Support Mitigation:– Establish policies and procedures with the CSP
– Avoid CSPs unwilling to participate in incident
33
34
34GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Viability and Longevity:– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
34
35
35GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Viability and Longevity:– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
� Viability and Longevity Mitigation:– Understand the way a CSP can “going dark”
– Have a secondary CSP in mind
– Review the history and financial stability of any CSP prior to engaging
35
36GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200936
Cloud Computing for Malicious Intent
37
37GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Malicious use
� Bad guys are already using such technology ;)– Botnets
– Hacking as a Service, SPAM
37
sour
ce: s
xc.h
u
38
38GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Malicious use
� Bad guys are already using such technology– Botnets
– Hacking as a Service, SPAM
� Malicious use of Cloud Services– C&C Server on the cloud
– Storage of malicious data
– Cracking passwords
38
11/9/09Bot herders hide master control channel in Google cloudby Dan Goodin, The RegisterCyber criminals' love affair with cloud computing just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers.
sour
ce: s
xc.h
u
39GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200939
Conclusion
40
40GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Conclusions
� Understanding the risk of cloud-based solutions
� Understand the level of sensitivity of your data
� Perform due diligence when evaluating a CSP
� Identify the location of your data
� Get assurance that your data will remain where it is placed.
40
Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces.
41
41GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Additional Reading
� Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing”
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
� NIST Cloud Computing Project
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
� ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security”
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
� iDefense Topical Research Paper: “Cloud Computing”
41
42
Q&A
GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
43
Thank You
Anchises M. G. de PaulaiDefense Intelligence Analyst