Cloud computing security

Cloud Computing & Security: Are
there clouds in our sky ?

> Antonio Sanz
> I3A - IT Manager
> Security Expert
> http://i3a.unizar.es
> ansanz@unizar.es
> @antoniosanzalc

Index 4

> Cloud Computing

> Opportunities

> Cloud Computing risks

> Migrating to a Cloud Infraestructure

Tema 1: Diseño de software seguro
Cloud Computing Security

“Cloud computing is a model for
enabling ubiquitous, convenient,
on-demand network access to a
shared pool of configurable
computing resources (e.g.,
networks, servers, storage,
applications, and services) that can
be rapidly provisioned and
released with minimal management
effort or service provider
interaction”

[*First & last boring slide. Promise]

Cloud Computing: Main point 6

>On demand
>Ubiquous
>Resource pool
>Elastic
>Measureable

IaaS – Infrastructure as a Service 8

> Raw infrastructure

> Storage, network & servers

> We do the rest

> Flexible but costly

> Ej: Amazon AWS


PaaS – Platform as a Service 9

> You’ve got the OS but no
apps

> IaaS + OS + Base services

> App deploying ok (.jar)

> Less control but less cost

> Ej: Google App Engine


SaaS – Software as a Service 10

> You’ve got everything

> Iaas + Paas + Apps

> Ready to go

> Minimal control / Minimal
effort

> Ej: Salesforce.com (CRM)


Public, Private Clouds 11

> Públic: Public access, shared
resources, (-security, -cost)
Ej: Amazon AWS

> Private: Private access,
dedicated resources (+security,
+cost)
Ej: NASA Nebula OpenStack


Community , Hybrid 12

> Community: Group that shares
a private cloud
Ej: Business holding

> Hybrid: Mix some of the others


Technologies 14

> Virtualization

> Shared storage

> High speed networks

> Multidevice access

> Advanced Middleware (access,
monitoring, provisioning)


Cloud Computing Pros 16

> Elasticity / Scalability

> Availability

> Performance

> Ubiquous access

> Very low CAPEX

> OPEX savings


Amazon AWS - http://aws.amazon.com/ 18

> Amazon Web Services

> EC2 (Elastic Cloud Computing)

> S3 (Simple Storage Service)

> You can do … almost everything

> Others: Rackspace, vCloud, Azure,
IBM (great, too)


NetFlix - http://www.netflix.com/ 19

> Video streaming (Films, serials, shows)

> Almost 20% of EEUU bandwidth

> Uses Amazon AWS

> Benefits: Escalability + Availability

> Video transcoding “on the fly” with EC2

> Video storage in EC3 with S3

> Usage data analysis with EC2


Dropbox - http://www.dropbox.com/ 20

> Backup in the cloud

> Around 12Pb (12.000 Tb)

> Uses Amazon S3

> Benefit: Escalability

> Business model (VIP):
http://www.w2lessons.com/2011/04/econo
mics-of-dropbox.html


Technology

Cloud
Is
Good!

= To have you
by the balls

Vendor Lock-In

Vendor lock-in 27

> It’s hard to say goodbye

> SaaS : No “export” option

> PaaS : API interoperability

> IaaS : Different technologies

> Defsense: Right CP (Cloud Provider) choice


Lack of IT Governance 29

> IT Governance != Cloud Computing
Governance

> Limited funcionalities / High costs

> Loss of Control of our IT

> Defense: Clear objectives & design,
Right CP choice


Compliance & Laws 31

> We need to comply with all the
regulations (PCI DSS, LOPD)

> Imposes transitive compliance on
the CP

> Legal lapses

> Defense: Good analysis, right CP
choice


SLA (Service Level Agreements) 33

> Contract signed with CP

> Services offered

> Warranties offered

> Service metrics &
compensations/penalties

> Defense: SLA study & tuning


Provider failures 35

> “Errare machina est”

> Starting security standards

> CP Business Continuity plan

> OUR Business Continuity plan

> Defense: Business continuity
definition, right CP choice


Third party failures 37

> CP = Service & Technologies
Integrator

> But … what about electricity,
connectivity, HVAC ?

> We have to take care of our
facilities too

> Defense: Right CP choice, third party
evaluation (CP and proper)


Resource starvation 40

> Resources are assigned on demand

> CP scales up … but how ?

> Situation: No more resources
available when they were most
needed !!

> Defense: Resource reservation, right
CP choice


Isolation Faults 42

> Cloud = Shared Resources = Shared flat

> How secure is your neighbour ?

> Third party security failure Everybody
is compromised

> Defense: Private Clouds, right CP choice


Data leaks 44

> Lots of sensitive info in our CP

> Disgruntled employees

> Wrong service configuration

> Defense: Right CP choice, cipher use,
log reviews


Data Transit 46

> Network Information flows

> Local interception

> On transit interception

> In-Cloud Intercepcion

> Defense: SSL, cipher use


CP Compromise 48

> Cloud = Technology mesh = Lots of
possible security flaws

> Cloud interface management attacks

> Cloud user management attacks

> Infrastructure attacks

> Defense: Right CP choice, SLAs, incident
response planning


DDOS / EDOS 50

> DDOS (Distributed Denial Of Service)

> Intended to take down an infrastructure
Attack to availability

> Cloud Neighbour are collateral damage

> EDOS (Economic Denial of Service)

> Intended to cause economic damage

> Defense: SLAs, charge limits, incident
response


Cipher 52

> Sensible info Cipher

> Secure information deletion (wipe)

> Defensas: Strong ciphers, guardar
claves, SLA


Backups 53

> Info is EVERYTHING Backups

> Don’t forget your backups (even if
the CP does … you too)

> Automated procedure

> Defensa: Procedure design, right CP
choice


Logs Access 54

> Logs = Activity of our IT

> Needed to do debugging

> Critic if a security incident arises

> How can access my logs ?

> Defense: SLA, right CP choice


Disaster Recovery 56

> Shit happens (Murphy’s Law)

> Earthquakes, fires, floods, alien invasions…

> Our CP must have a Business Continuity
plan

> We must have ours !!

> Defense: Business Continuity plan


57
Legal Risks


Compliance & Laws 58

> Lots of laws & regulations

> Is our CP compliant ?

> National & International laws

> Defense: Preliminary analysis, right
CP choice


Data protection 59

> LOPD (Ley Orgánica de Protección
de Datos)

> Cloud implies sometimes
international data transfers
Complicated issues

> Safe Harbour Amazon, Google

> Defense: Preliminary analysis, right
CP choice


Computer Forensic 60

> Security incident in our CP
Someone has set up a child
pornography site

> Maybe anyone in our cloud !!

> Possible result = Server seizure

> Defense: Right CP choice, SLA,
Business Continuity plan


Identify Services 63

> Services that can benefit most from
Cloud Computing

> Main benefits: Scalability,
Availability & Elasticity

> Intermitent but heavy resource use
services (Ej: Sports newspapers on
mondays)


Evaluate CC models 64

> IaaS, PaaS, SaaS ?

> ¿Public, Private, Hybrid,
Community?

> See what others like us are doing

> Decide which model fits our needs
best


Defining security needs 66

> Know our service throughly

> Define the information flows

> Identify sensitive info

> Measure how critical the service is

> Assign a value to the srevice


Risk Analysis 67

> Know the existing risks when using
cloud computing

> Apply them to our service

> Define a maximum risk level

> Important!: Be utterly objective


Evaluate cloud providers 69

> Read carefully the SLA (Service
Level Agreements)

> Read it again

> Evaluate security compliance

> Added value services

> Price !


Security controls 70

> Define security controls

> Controls in the cloud & our IT

> Technical & procedural control

> Target: Lower our real risk


Bean counting … 72

> Migration costs

> Cloud operation costs

> Current operation costs

> Troubleshooting costs (both cloud
& current)

> Make money talk …


Make a decision 73

> Evaluate pros & cons of our current
IT model & cloud computing

> It’s not all about money …

> Informed decision taking

> You always should have a plan B


CC offers great
opportunities
CC has risks
There has to
be a plan

Conclusiones 75

>Cloud computing is here

>Lots of business models &
opportunities

>Must know all the risks

>Must have a sensible business plan


Conclusiones

I love it
when a
cloud
plan
comes
together

More info?. Press here ! 78

Cloud Security Alliance
https://cloudsecurityalliance.org/

Cloud Computing Security Guide - CSA
http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

ENISA – Cloud Computing Security Risks
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-
risk-assessment

Australia Gov. - Cloud Computing Risk Analysis Report
http://www.dsd.gov.au/publications/Cloud_Computing_Security_Consid
erations.pdf


Have a plan and jump into the sky !

Antonio Sanz / ansanz@unizar.es / @antoniosanzalc
$slides = http://www.slideshare.net/ansanz

Cloud computing security

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Cloud computing security (20)

More from Antonio Sanz Alcober (20)

Recently uploaded (20)

Cloud computing security