Cloud computing security

Cloud Computing & Security: Are there clouds in our sky ?

> Antonio Sanz

> I3A - IT Manager

> Security Expert

> http://i3a.unizar.es

> [email protected]

> @antoniosanzalc

Cloud Computing

Tema 1: Diseño de software seguro

4

Cloud Computing Security

Index

> Cloud Computing

> Opportunities

> Cloud Computing risks

> Migrating to a Cloud Infraestructure

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a

shared pool of configurable computing resources (e.g., networks, servers, storage,

applications, and services) that can be rapidly provisioned and

released with minimal management effort or service provider

interaction”

[*First & last boring slide. Promise]


6


Cloud Computing: Main point

>On demand

>Ubiquous

>Resource pool

>Elastic

>Measureable

Service Types


8


IaaS – Infrastructure as a Service

> Raw infrastructure

> Storage, network & servers

> We do the rest

> Flexible but costly

> Ej: Amazon AWS


9


PaaS – Platform as a Service

> You’ve got the OS but no apps

> IaaS + OS + Base services

> App deploying ok (.jar)

> Less control but less cost

> Ej: Google App Engine


10


SaaS – Software as a Service

> You’ve got everything

> Iaas + Paas + Apps

> Ready to go

> Minimal control / Minimaleffort

> Ej: Salesforce.com (CRM)


11


Public, Private Clouds

>Públic: Public access, sharedresources, (-security, -cost)

Ej: Amazon AWS

>Private: Private access, dedicated resources (+security, +cost)

Ej: NASA Nebula � OpenStack


12


Community , Hybrid

>Community: Group that shares a private cloud

Ej: Business holding

>Hybrid: Mix some of the others

Technology


14


Technologies

> Virtualization

> Shared storage

> High speed networks

> Multidevice access

> Advanced Middleware (access, monitoring, provisioning)

Advantages


16


Cloud Computing Pros

> Elasticity / Scalability

> Availability

> Performance

> Ubiquous access

> Very low CAPEX

> OPEX savings

Success Case


18


Amazon AWS - http://aws.amazon.com/

> Amazon Web Services

> EC2 (Elastic Cloud Computing)

> S3 (Simple Storage Service)

> You can do … almost everything

> Others: Rackspace, vCloud, Azure, IBM (great, too)


19


NetFlix - http://www.netflix.com/

> Video streaming (Films, serials, shows)

> Almost 20% of EEUU bandwidth

> Uses Amazon AWS

> Benefits: Escalability + Availability

> Video transcoding “on the fly” with EC2

> Video storage in EC3 with S3

> Usage data analysis with EC2


20


Dropbox - http://www.dropbox.com/

> Backup in the cloud

> Around 12Pb (12.000 Tb)

> Uses Amazon S3

> Benefit: Escalability

> Business model (VIP): http://www.w2lessons.com/2011/04/economics-of-dropbox.html

Technology

Cloud Is

Good!

Cloud Computing Risks

Business Risks

Vendor Lock-In

Vendor Lock-In

= To have you

by the balls

Vendor Lock-In


27


Vendor lock-in

> It’s hard to say goodbye

> SaaS : No “export” option

> PaaS : API interoperability

> IaaS : Different technologies

> Defsense: Right CP (Cloud Provider) choice

Lack of IT Governance


29


Lack of IT Governance

> IT Governance != Cloud ComputingGovernance

> Limited funcionalities / High costs

> Loss of Control of our IT

> Defense: Clear objectives & design, Right CP choice

Compliance & Laws


31


Compliance & Laws

> We need to comply with all theregulations (PCI DSS, LOPD)

> Imposes transitive compliance onthe CP

> Legal lapses

> Defense: Good analysis, right CP choice

SLAs


33


SLA (Service Level Agreements)

> Contract signed with CP

> Services offered

> Warranties offered

> Service metrics & compensations/penalties

> Defense: SLA study & tuning

Provider Failures


35


Provider failures

> “Errare machina est”

> Starting security standards

> CP Business Continuity plan

> OUR Business Continuity plan

> Defense: Business continuitydefinition, right CP choice

Third party failures


37


Third party failures

> CP = Service & Technologies Integrator

> But … what about electricity, connectivity, HVAC ?

> We have to take care of ourfacilities too

> Defense: Right CP choice, third party evaluation (CP and proper)

Technical risks

Resource Starvation


40


Resource starvation

> Resources are assigned on demand

> CP scales up … but how ?

> Situation: No more resourcesavailable when they were mostneeded !!

> Defense: Resource reservation, rightCP choice

Isolation Faults


42


Isolation Faults

> Cloud = Shared Resources = Shared flat

> How secure is your neighbour ?

> Third party security failure � Everybodyis compromised

> Defense: Private Clouds, right CP choice

Data leaks


44


Data leaks

> Lots of sensitive info in our CP

> Disgruntled employees

> Wrong service configuration

> Defense: Right CP choice, cipher use, log reviews

Data Transit


46


Data Transit

> Network � Information flows

> Local interception

> On transit interception

> In-Cloud Intercepcion

> Defense: SSL, cipher use

Cloud Provider Compromise


48


CP Compromise

> Cloud = Technology mesh = Lots ofpossible security flaws

> Cloud interface management attacks

> Cloud user management attacks

> Infrastructure attacks

> Defense: Right CP choice, SLAs, incidentresponse planning

DDOS


50


DDOS / EDOS

> DDOS (Distributed Denial Of Service)

> Intended to take down an infrastructure �

Attack to availability

> Cloud � Neighbour are collateral damage

> EDOS (Economic Denial of Service)

> Intended to cause economic damage

> Defense: SLAs, charge limits, incidentresponse

Cipher & Backup


52


Cipher

> Sensible info � Cipher

> Secure information deletion (wipe)

> Defensas: Strong ciphers, guardar claves, SLA


53


Backups

> Info is EVERYTHING � Backups

> Don’t forget your backups (even ifthe CP does … you too)

> Automated procedure

> Defensa: Procedure design, right CP choice


54


Logs Access

> Logs = Activity of our IT

> Needed to do debugging

> Critic if a security incident arises

> How can access my logs ?

> Defense: SLA, right CP choice

Disaster Recovery


56


Disaster Recovery

> Shit happens (Murphy’s Law)

> Earthquakes, fires, floods, alien invasions…

> Our CP must have a Business Continuityplan

> We must have ours !!

> Defense: Business Continuity plan


57


Legal Risks


58


Compliance & Laws

> Lots of laws & regulations

> Is our CP compliant ?

> National & International laws

> Defense: Preliminary analysis, right CP choice


59


Data protection

> LOPD (Ley Orgánica de Protecciónde Datos)

> Cloud implies sometimes international data transfers �Complicated issues

> Safe Harbour � Amazon, Google

> Defense: Preliminary analysis, right CP choice


60


Computer Forensic

> Security incident in our CP �Someone has set up a child pornography site

> Maybe anyone in our cloud !!

> Possible result = Server seizure

> Defense: Right CP choice, SLA, Business Continuity plan

Using Cloud Computing

Analyze


63


Identify Services

> Services that can benefit most fromCloud Computing

> Main benefits: Scalability, Availability & Elasticity

> Intermitent but heavy resource use services (Ej: Sports newspapers onmondays)


64


Evaluate CC models

> IaaS, PaaS, SaaS ?

> ¿Public, Private, Hybrid, Community?

> See what others like us are doing

> Decide which model fits our needsbest

Know


66


Defining security needs

> Know our service throughly

> Define the information flows

> Identify sensitive info

> Measure how critical the service is

> Assign a value to the srevice


67


Risk Analysis

> Know the existing risks when usingcloud computing

> Apply them to our service

> Define a maximum risk level

> Important!: Be utterly objective

Plan


69


Evaluate cloud providers

> Read carefully the SLA (ServiceLevel Agreements)

> Read it again

> Evaluate security compliance

> Added value services

> Price !


70


Security controls

> Define security controls

> Controls in the cloud & our IT

> Technical & procedural control

> Target: Lower our real risk

Decide


72


Bean counting …

> Migration costs

> Cloud operation costs

> Current operation costs

> Troubleshooting costs (both cloud& current)

> Make money talk …


73


Make a decision

> Evaluate pros & cons of our currentIT model & cloud computing

> It’s not all about money …

> Informed decision taking

> You always should have a plan B

CC offers great

opportunities

CC has risks

There has to

be a planplanplanplan


75


Conclusiones

>Cloud computing is here

>Lots of business models & opportunities

>Must know all the risks

>Must have a sensible business plan

Conclusiones

I love itwhen a

cloudplan

comes together

Don’t be under a cloud !


78


More info?. Press here !

Cloud Security Alliance

https://cloudsecurityalliance.org/

Cloud Computing Security Guide - CSA

http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

ENISA – Cloud Computing Security Risks

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

Australia Gov. - Cloud Computing Risk Analysis Report

http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf

Antonio Sanz / [email protected] / @antoniosanzalc

Have a plan and jump into the sky !

$slides = http://www.slideshare.net/ansanz