Security & Privacy in Cloud Computing
1 like1,286 views
The document discusses the complexities and misconceptions surrounding cloud computing, including its various models like IaaS, PaaS, and SaaS. It highlights consumer expectations and concerns, particularly regarding security, compliance, and vendor lock-in. Additionally, it emphasizes the importance of understanding concrete services rather than abstract architectural concepts in the context of cloud technology.
Security & Privacy in Cloud Computing
- 1. Security & Privacy Issues in
- 2. The Hype “The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion- driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?” Larry Ellison, CEO, Oracle (WSJ 9/25/08)
- 3. Video
- 4. Closer to Earth • Let’s presume that Cloud Compu>ng is real. • What is it? • Let’s try to cut through the hyperbole and define Cloud Compu>ng and see what it has to offer consumers and organiza>ons.
- 7. Sor>ng things out… U>lity or Infrastructure PlaMorm SoKware
- 8. Infrastructure as a Service • Amazon sells compu>ng power in a way similar to how we get electricity from the power company. • Uses a pay-‐as-‐you-‐go model for offering VM instances, compu>ng power and storage on demand.
- 9. PlaMorm as a Service • One step above the u>lity, you find the PaaS providers, like Google App Engine, Salesforce’ force.com, and the recently announced MicrosoK Azure plaMorm. • Here you develop apps and leverage a common development framework and plaMorm for delivery.
- 10. SoKware as a Service • SoKware as a Service (SaaS) is what most people are familiar with. This is where many of the common Web 2.0 applica>ons are, like: Flickr, Gmail, Google Apps, Facebook, TwiZer.... • There are also enterprise applica>ons, such as SAP, Oracle, MicrosoK and others aZemp>ng to gain market share here.
- 11. Terminology • Let’s face it, the use of all these acronyms can get confusing! • SOA and SaaS oKen get confused. • The u>lity and plaMorm services are oKen called nothing more than the evolu>on of third-‐party hos>ng services that companies have used for years. • There are good reasons these assump>ons are incorrect.
- 12. SOA is dead…? “SOA met its demise on January 1, 2009, when it was wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on “services.” Manes’ real point, to quote her is that “we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business.” Anne Thomas Manes, Burton Group
- 13. Consumers • Cloud Compu>ng is a new name for things consumers are already doing. • Consumers are >red of being IT techs. • Consumers want to DO things online, and have the Internet cloud I don’t care be as what’s up there, as long simple as as it WORKS! Cable TV.
- 14. The Business Case • Cost Savings from economies of scale • Scalability • Elas>city • Reliability • (and in some cases, they enjoy a transfer of liability by outsourcing services)
- 15. 2007 Source: www.cio.com/article/print/ 109706
- 17. Where does it make sense? • Start-‐ups • Apps that are not processing key data • Apps that benefit greatly from economies of scale, and that require high availability and DRP • Apps that need periodic, huge capacity or CPU processing
- 19. Where does it not make sense? • Key apps that are earning your bread and buZer • Apps that touch personal data or process high-‐value/consumer transac>ons should be considered carefully • Most cloud compu>ng works well for highly paralell, but not serial apps
- 20. On-‐site vs. Off-‐site • PaaS can be hosted at your data center, outsourced, or hosted in a hybrid environment like this example. Source: cohesiveft.com/vpncubed
- 21. Concern in the Cloud • Security • Control • Performance • Support • Vendor Lock-‐In • Speed of Scaling • Configurability
- 22. Security Concerns • CIA + Privacy • Can you extend your policies to the cloud? • Regulatory compliance • Managing data on shared systems • Forensics • Audi>ng • Segrega>on of data • Portability & Interoperability • Reliability & Manageability
- 23. In The News • Monster.com Breach May Preface Targeted Attacks • Salesforce.com Admits Data Loss • Millions of Gmail Users Left in the Lurch • Gmail is down, down, down
- 24. More… • United Airlines Flight Opera>ons Computer System Failure • San Francisco Power Grid Failure • PayPal Subscrip>on Processing Fails • Skype Down for Days • LAX TSA Screening System Failure • What if Google were to disappear for a few days? Or, Facebook? Yahoo?
- 25. Compliance in the Cloud • Let me just list some common U.S. regula>ons and speak to them: • PCI • SOX • HIPAA • GLB • California Breach Law (SB1386)
- 26. Future Trends • The Web as a Par>cipatory Worldwide Communica>ons Media (Wikipedia, Facebook, YouTube…) • The Need to Use Less Energy • Innova>on Impera>ve • Quest for Simplicity • Structure Out of Chaos Source: www.cio.com/article/438371/ Cloud_Computing_Hype_Versus_Reality
- 27. Grinch in the Cloud • The Grinch: It came without segrega>on. It came without recovery goals. It came without adequate physical, logical, or personnel access controls. It could have been high, it could have been low, I just have no clue where the data may flow! • Narrator: Then the Grinch thought of something he hadn't before. • The Grinch: Maybe the perfect solu>on doesn't come from a store. Maybe solving business problems securely... • Narrator: He thought • The Grinch: ...means a liZle bit more.
- 28. Useful Resources • World Privacy Forum, www.worldprivacyforum.org • Security Monks Blog, hZp://blog.securitymonks.com/2009/01/25/ recent-‐cloud-‐pos>ngs/ • Ra>onal Survivability Blog, hZp://ra>onalsecurity.typepad.com/