4. Overview
The term “cloud computing” is poorly defined
GTS - 14 4
44
Copyright iDefense 2009
5. Overview
The term “cloud computing” is poorly defined
“Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal
management effort or service provider interaction.”
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
GTS - 14 5
55
Copyright iDefense 2009
6. Overview
The term “cloud computing” is poorly defined
“Essential Cloud Characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Location independence
• Rapid elasticity
• Measured service”
GTS - 14 6
66
Copyright iDefense 2009
7. Overview
The term “cloud computing” is poorly defined
GTS - 14 7
77
Copyright iDefense 2009
8. Overview
The term “cloud computing” is poorly defined
Multiple vendors, multiple definitions
Utility pricing model
Cloud-based Service Provider (CSP) handle burden of resources
GTS - 14 8
88
Copyright iDefense 2009
9. Overview
Three basic categories for cloud computing technologies:
– Infrastructure as a Service (IaaS)
Resource Abstraction
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
GTS - 14 9
99
Copyright iDefense 2009
10. Variations on a Theme
Public Cloud
10
GTS - 14 10
10
Copyright iDefense 2009
11. Variations on a Theme
Public Cloud
Private Cloud
11
GTS - 14 11
11
Copyright iDefense 2009
12. Variations on a Theme
Public Cloud
Private Cloud
Hybrid Cloud
12
GTS - 14 12
12
Copyright iDefense 2009
14. Areas of Risk
▪ Privileged User Access
▪ Data Segregation
▪ Regulatory Compliance
▪ Physical Location of Data
▪ Availability
▪ Recovery
▪ Investigative Support
▪ Viability and Longevity
14
GTS - 14 14
14
Copyright iDefense 2009
15. Mitigation Strategies
Understand the risks
Evaluate any potential
cloud-based solution and CSP
Unique solution, generic risks
source: sxc.hu
15
GTS - 14 15
15
Copyright iDefense 2009
16. Risks
Privileged User Access:
• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
16
GTS - 14 16
16
Copyright iDefense 2009
17. Mitigation
Privileged User Access:
• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
Privilege Access Control Mitigation:
– Support to HR and data policies
– Outsourcing involved?
– Evaluate the access controls
17
GTS - 14 17
17
Copyright iDefense 2009
18. Risks
Data Segregation:
• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
18
GTS - 14 18
18
Copyright iDefense 2009
19. Risks
Data Segregation:
• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
19
GTS - 14 19
19
Copyright iDefense 2009
20. Risks
Data Segregation:
• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
20
GTS - 14 20
20
Copyright iDefense 2009
21. Mitigation
Data Segregation:
• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
Data Segregation Mitigation:
– What’s the risk of data segregation failure?
– Encryption of data: shifting of risks
– Understand the “how, where, when”
of consumer data storage
21
GTS - 14 21
21
Copyright iDefense 2009
22. Risks
Regulatory Compliance:
– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
22
GTS - 14 22
22
Copyright iDefense 2009
23. Mitigation
Regulatory Compliance:
– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
Regulatory Control Mitigation: FISMA
– Know your regulatory obligation HIPAA
– Know your CSP’s regulatory obligations SOX
PCI
– Understand your liabilities
SAS 70
– Location may change regulatory obligations Audits
23
GTS - 14 23
23
Copyright iDefense 2009
24. Risks
Physical Location of Data:
– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher
degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
24
GTS - 14 24
24
Copyright iDefense 2009
25. Risks
Physical Location of Data:
– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher
degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
10/9/09
SA pigeon 'faster than
broadband'
BBC News
Cyber A Durban IT company pitted an 11-month-
old bird armed with a 4GB memory stick against
the ADSL service from the country's biggest web
firm, Telkom.
Winston the pigeon took two hours to carry the
data 60 miles - in the same time the ADSL had
sent 4% of the data. computers.
25
GTS - 14 25
25
Copyright iDefense 2009
26. Mitigation
Physical Location of Data:
– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher
degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
Physical Location of Data Mitigation:
– Identify your data’s location
– Avoid CSPs that cannot guarantee the location
– Avoid CSPs that use data centers in hostile countries
– Use CSPs that reside in consumer’s country
26
GTS - 14 26
26
Copyright iDefense 2009
27. Risks
Availability:
– Constant connectivity required
– Any failure terminating connectivity
is a risk
– Data loss and downtime risks
27
GTS - 14 27
27
Copyright iDefense 2009
28. Risks
Availability:
– Constant connectivity required
– Any failure terminating connectivity
is a risk
– Data loss and downtime risks
28
GTS - 14 28
28
Copyright iDefense 2009
29. Mitigation
Service Availability Mitigation:
– Availability is the greatest risk !
– Understand the CSP’s infrastructure:
avoid single points of failure
– Private clouds may reduce the
availability risk, but introduce additional
cost and overhead
– Establish service-level agreements
(SLAs) with their CSPs
– Balance the risk introduced by using
multiple data centers with the risk of a
single site failure
– Assume at least one outage, what’s the
impact to you?
29
GTS - 14 29
29
Copyright iDefense 2009
30. Risks
Recovery:
– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
30
GTS - 14 30
30
Copyright iDefense 2009
31. Mitigation
Recovery:
– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
Recovery Mitigation:
– Understand backed up systems
(Encrypted? Multiple sites?)
– Identify the time required to completely
recover data
– Practice a full recovery to test the
CSP’s response time
31
GTS - 14 31
31
Copyright iDefense 2009
32. Risks
Investigative Support:
– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
32
GTS - 14 32
32
Copyright iDefense 2009
33. Mitigation
Investigative Support:
– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
Investigative Support Mitigation:
– Establish policies and procedures with the CSP
– Avoid CSPs unwilling to participate in incident
33
GTS - 14 33
33
Copyright iDefense 2009
34. Risks
Viability and Longevity:
– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
34
GTS - 14 34
34
Copyright iDefense 2009
35. Mitigation
Viability and Longevity:
– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
Viability and Longevity Mitigation:
– Understand the way a CSP can “going dark”
– Have a secondary CSP in mind
– Review the history and financial stability of
any CSP prior to engaging
35
GTS - 14 35
35
Copyright iDefense 2009
37. Malicious use
source: sxc.hu
Bad guys are already using such technology ;)
– Botnets
– Hacking as a Service, SPAM
37
GTS - 14 37
37
Copyright iDefense 2009
38. Malicious use
source: sxc.hu
Bad guys are already using such technology
– Botnets
– Hacking as a Service, SPAM 11/9/09
Bot herders hide master
control channel in Google
cloud
by Dan Goodin, The Register
Cyber criminals' love affair with cloud computing
Malicious use of Cloud Services just got steamier with the discovery that Google's
AppEngine was tapped to act as the master
control channel that feeds commands to large
– C&C Server on the cloud networks of infected computers.
– Storage of malicious data
– Cracking passwords
38
GTS - 14 38
38
Copyright iDefense 2009
40. Conclusions
Understanding the risk of cloud-based solutions
Understand the level of sensitivity of your data
Perform due diligence when evaluating a CSP
Identify the location of your data
Get assurance that your data will remain where
it is placed.
Cloud computing is a new technology still experiencing growing pains.
Enterprises must be aware of this and anticipate the risks the
technology introduces.
40
GTS - 14 40
40
Copyright iDefense 2009
41. Additional Reading
Cloud Security Alliance (CSA): “Security Guidance for
Critical Areas of Focus in Cloud Computing”
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
NIST Cloud Computing Project
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
ENISA report on “Cloud Computing: Benefits, risks
and recommendations for information security”
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-
assessment
iDefense Topical Research Paper: “Cloud Computing”
41
GTS - 14 41
41
Copyright iDefense 2009