Cloud Security
Sameer Paradia
Goals
1. Brief on Cloud Computing
2. Security Threats
3. Framework
4. Controls
http://www.flickr.com/photos/tomhaymes/321292834/
Understand Cloud

Essential Characteristics
• On-Demand: lowered requirement to forecast; demand trends are predicted by the provider
• Usage-metered: pay by the real-time use
• Self-service from a pool of resources: resources managed by the consumer with a GUI or API
• Elastic Scalability: grow or shrink resources as required
• Ubiquitous Network: the network is essential to use the service
Beyond basic..

Service Types and Modes of Deployment
• IaaS: Compute, Network, Datacentre, Storage
• PaaS: Web 2.0 Applications Runtime, Development tools, Middleware, Database, Java Runtime
• SaaS: Collaboration, ERP / CRM, Business Processes, Enterprise Applications
• Deployment models: Public cloud, Private cloud, Hybrid cloud, Community cloud
Security Threat

Lots of noise on.... Cloud Security? How do we simplify it...
http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/
It is the same as current InfoSec practice. You have to take the same approach as the current ISMS.
http://www.flickr.com/photos/pheckaboolala/3410638119
Cloud Security
• What is it?
– Protection of your information in cloud
• Why is it critical?
– Your information is at a central unknown place in cloud
– No visibility of security measures in Public cloud
• Impact of breach on business?
– Lack of Compliance
– Legal issue
– Breach of privacy
http://www.flickr.com/photos/nigeljohnson73/6788941421
Threats in XaaS Models
• SaaS:
– Built-in security functionality
– Least consumer extensibility
– Relatively high level of integrated security
• PaaS:
– Enables developers to build their own applications on top of the platform
– More extensible than SaaS, at the expense of customer-ready features
– Built-in capabilities are less complete, but there is more flexibility to layer on additional security
• IaaS:
– Few application-like features
– Enormous extensibility
– Less integrated security capabilities and functionality beyond protecting the infrastructure itself
– Assets to be managed and secured by the cloud consumer
Security Framework
1. Identify asset to cloudify
 a) Data
 b) Applications
2. Assess the impact on business of transferring assets to cloud in case of breach
3. Map the asset to potential cloud deployment models
Security Framework
4. Evaluate controls in each of the IaaS/ PaaS/ SaaS layers depending upon the asset
5. Evaluate the dataflow, to understand the flow
Cloud Controls

3 Dimensions of cloud security
• IT Assets in cloud
• Risk Assessment
• Business Criticality
For achieving robust and practical security consider all 3 perspectives
Types of Controls
Governance (Strategic):
• Risk Management
• Legal & Electronic Discovery
• Compliance/ Audit
• Information Lifecycle Management
• Portability and Interoperability
Operational (Tactical):
• BCP/ DR
• Data centre Operations
• Incident Management
• Application security
• Encryption
• Identity & Access Management
• Virtualization
Implement Controls
• Possible controls – Layered security:
– facilities (physical security)
– network infrastructure (network security)
– IT systems (system security)
– information and applications (application security)
• IaaS Cloud provider:
– addresses security controls such as physical security, environmental security, and virtualization security
• SaaS:
– addresses up to the Application layer
http://www.flickr.com/photos/telstar/2816038167
Summary
• Consider three perspectives: Assets, Risk management and Business criticality
• Cloud as an operational model neither provides for nor prevents achieving compliance
• Selection of controls depends on the service and deployment model
• Controls vary depending on the design, deployment, and management of the resources
• Most security controls in cloud are the same as in a normal IT environment
http://www.flickr.com/photos/isadocafe/2095153000/
Sameer Paradia – CGEIT, CISM, CISSP ([email protected])
Practicing IT Security for 12+ years out of 20+ years of IT Services/ Outsourcing work experience.
http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/