1 ENISA Cloud Computing Security Strategy Dr Giles Hogben European Network and Information Security Agency (ENISA)
2 What is Cloud Computing? Isn t it just old hat?
3 What is cloud computing ENISA s understanding Cloud computing is not a new technology. Cloud computing is a new business model It is a way of delivering computing resources
4 50,000 Machines for 1 Minute cost ~ the same as 1 machine for 1 year 4
9 What is cloud computing ENISA s understanding Near instant scalability and flexibility Near instantaneous provisioning Service On demand, usually with a pay as you go billing system Programmatic management (e.g. through Web Services API) Highly abstracted hardware and software resources Shared resources (hardware, database, memory, etc...)
10 LOTS AND LOTS of old hat, put together with some very clever resource distribution algorithms To make NEW Hat
11 Which you can rent by the hour
12 Which can resize (up and down) to your requirements
13 Types of cloud
14 What is cloud computing ENISA s understanding Cloud computing is a new business model o It is a way of delivering computing resources Cloud computing is not a new technology.
15 ENISA Cloud Computing Objectives Help business and governments to gain the cost benefits of cloud computing. While avoiding exposure to excessive NIS risks. 15
16 Reaching the objectives ENISA Deliverables and Ongoing Activities Cloud Computing: Benefits, Risks and Recommendations for Information security Assurance framework 2009 Research Recommendations 2009 Common Assurance Maturity Model (CAMM) consortium 2010 Gov-cloud security and resilience analysis (2010) 2011 (proposed) procurement and monitoring guidance for government cloud contracts. 16
17 Cloud Computing: Benefits, Risks and Recommendations for Information security 17
18 Security Benefits 18
19 Economy of Scale
20 Economies of scale and Security o All kinds of security measures are cheaper when implemented on a larger scale. o (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc) o The same amount of investment in security buys better protection.
21 Other benefits of scale o Multiple locations by default -> redundancy and failure independence. o Edge networks: content delivered or processed closer to its destination. o Staff specialization & experience Cloud providers big enough to hire specialists in dealing with specific security threats.
22 Improved management of updates and defaults o Updates can be rolled out much more rapidly across a homogenous platform o Default VM images and software modules can be updated with the latest patches and security settings. o Snapshots of virtual infrastructure (in IaaS) to be taken regularly and compared with a security baseline.
23 The Risks
24 Very high value assets Most risks are not new, but they are amplified by resource concentration o Trustworthiness of insiders. o Hypervisors - hypervisor layer attacks on virtual machines are very attractive. o More Data in transit (Without encryption?) o Management interfaces big juicy targets
25 Isolation failure o Storage (e.g. Side channel attacks see o Memory o Virtual machines o Entropy pools (http://bit.ly/41siin) o Resource use (e.g. Bandwidth)
26 RESOURCE EXHAUSTION o Overbooking Underbooking Caused by: Resource allocation algos Denial of Service Freak events
27 Key management o Key management is (currently) the responsibility of the cloud customer. o Key provisioning and storage is usually off-cloud o One key-pair per machine doesn t scale to multiple account holders/rbac. o Credential recovery sometimes available through management interface (protected by UN/PWD by) o Copies of VM images may contain keys if not wellmanaged.
28 Key management 1 o Key storage and provisioning almost impossible to do on-cloud with current technologies o HSM s don t scale to the cloud o PKCS#10,11 don t talk cloud o Revocation is even more complicated.
29 Encryption: Data must be processed in cleartext (most operations). o Alternative 1. HARD TO IMPLEMENT! Customer Cloud => If you want to do anything useful with cloud computing, you have to trust the provider.
30 Data storage and processing without security guarantees? o Alternative 2. Customer In the cloud provider (and their SLA) we trust... Trust the cloud provider
31 Lock in o Few tools, procedures or standard formats for data and service portability. o Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. o Potential dependency of service provision on a particular CP.
32 Loss of Governance o The client cedes control to the Provider e.g.: o External pen testing not permitted. o Very limited logs available. o Usually no forensics service offered o No information on location/jurisdiction of data. o Outsource or sub-contract services to third-parties (fourth parties?)
33 Legal and contractual risks o Lack of compliance with EU Data Protection Directive o Potentially difficult for the customer (data controller) to check the data handling practices of the provider o Multiple transfers of data exacerbated the problem o Data in multiple jurisdictions, some of which may be risky.. o Subpoena and e-discovery o Risk Allocation and limitation of liability o Confidentiality and Non-disclosure o Intellectual Property
34 Somebody else s problem (SEP) syndrome Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon s services (Thanks to Craig Balding, cloudsecurity.org for spotting this)
35 Amazon AWS ToS o YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA. o You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.
36 Compliance Challenges Cloud Provider cannot provide evidence of their own compliance to the relevant requirements. Cloud Provider does not permit audit by the Cloud Customer. In certain cases, using a cloud implies certain kind of compliance cannot be achieved
37 Assurance Overload
38 Common Assurance Maturity Model (CAMM) A minimum baseline for: o Comparing cloud (and 3 rd party) offers o Assessing the risk to go Cloud o Reducing audit burden and security risks
39 Common Assurance Maturity Model (CAMM) An example o o o o Network architecture controls Well-defined controls are in place to mitigate DDoS (distributed denial of-service) attacks e.g. o o Defence in depth (traffic throttling, packet black-holing, etc..) Defences are in place against internal (originating from the cloud providers networks) attacks as well as external (originating from the Internet or customer networks) attacks. Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc. The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).
40 2010 CAM framework aims at provider benchmarking on security
41 Governments and the Cloud DK UK... USA Gov Agencies and Public Organizations around the globe are moving non critical applications towards a "cloud approach". Some governments (e.g. Korea) are even offering public cloud infrastructure as an innovation platform. In Europe we have some fast adopters, i.e. Denmark and UK, announcing/planning to move into the cloud. Australia Japan Singapore 41
43 Supporting EU Governments in Cloud Migration Government towards the Cloud: impact on service security & resilience ENISA aims to: analyze and evaluate the impact of cloud computing on the resilience and security of GOV services. provide recommendations and good practices for European Members State planning to migrate to cloud computing. 43
44 2011 procurement and monitoring guidelines Procurement Criteria CERT, ISAC Monitoring and Supervision
45 Conclusions Cloud computing can represent an improvement in security for non-critical applications and data. But transparency is crucial: customers must be given a means to assess and compare provider security practices Much more effort is required to achieve security levels required for higher assurance applications in the cloud For once we can build security in by design, let s not miss the chance
46 Contact Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency
November 09 Benefits, risks and recommendations for information security ABOUT ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
Special Publication 800-125 Guide to Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul Hoffman NIST
Top Threats to Cloud Computing V1.0 Prepared by the Cloud Security Alliance March 2010 Top Threats to Cloud Computing V1.0 Introduction The permanent and official location for the Cloud Security Alliance
Risk perception and risk management in cloud computing: Results from a case study of Swiss companies Nathalie Brender Haute Ecole de Gestion de Genève Campus de Battelle, Bâtiment F 7 route de Drize, 1227
WHITEPAPER CLOUD Possible Use of Cloud Technologies in Public Administration Version 1.0.0 2012 Euritas THE BEST WAY TO PREDICT THE FUTURE IS TO CREATE IT. [Willy Brandt] 2 PUBLISHER'S IMPRINT Publisher:
Institute of Architecture of Application Systems University of Stuttgart Universittsstrae 38 D 70569 Stuttgart Diplomarbeit Nr. 3538 Risk assessment-based decision support for the migration of applications
1 October 2013 Cloud Security Whitepaper A Briefing on Cloud Security Challenges and Opportunities SINTEF ICT Software Engineering, Safety and Security Martin Gilje Jaatun, Per Håkon Meland, Karin Bernsmed
A new Breed of Managed Hosting for the Cloud Computing Age A Neovise Vendor White Paper, Prepared for SoftLayer Executive Summary Traditional managed hosting providers often suffer from issues that cause
RSA Security Brief March 2010 Infrastructure Security: Getting to the Bottom of Compliance in the Cloud Authors Sam Curry CTO, Marketing RSA, the Security Division of EMC Jon Darbyshire President & CEO,
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Best Practices for Cloud-Based Information Governance Autonomy White Paper Index Introduction 1 Evaluating Cloud Deployment 1 Public versus Private Clouds 2 Better Management of Resources 2 Overall Cloud
Institute of Parallel and Distributed Systems University of Stuttgart Universitätsstraße 38 D 70569 Stuttgart Diplomarbeit Nr. 3242 Data security in multi-tenant environments in the cloud Tim Waizenegger
Thought Leadership Paper Cloud Computing in the Hedge Fund Industry About Eze Castle Integration Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 600
Security Threats in Cloud Computing Environments 1 Kangchan Lee Electronics and Telecommunications Research Institute firstname.lastname@example.org Abstract Cloud computing is a model for enabling service user s ubiquitous,
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
Firewall Strategies June 2003 (Updated May 2009) 1 Table of Content Executive Summary...4 Brief survey of firewall concepts...4 What is the problem?...4 What is a firewall?...4 What skills are necessary
Special Publication 800-146 DRAFT Cloud Computing Synopsis and Recommendations Recommendations of the National Institute of Standards and Technology Lee Badger Tim Grance Robert Patt-Corner Jeff Voas NIST
CHECKLIST FOR THE CLOUD ADOPTION IN THE HEALTHCARE PROVISIONING INDUSTRY CHECKLIST FOR THE CLOUD ADOPTION IN THE HEALTHCARE PROVISIONING INDUSTRY SHOULD MY HOSPITAL MOVE TO THE CLOUD? A synopsis of questions
WHITE PAPER Securing Your Cloud-Based Data Integration A Best Practices Checklist A Report on Secure Integration Techniques Targeted at the Information Technology Executive Prepared by Mercury Consulting,
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill Toby Merrill, Thomas Kang April 2014 Cloud computing
Consumerization of IT: Risk Mitigation Strategies [Deliverable 2012-12-19] Consumerization of IT: Risk Mitigation Strategies I Acknowledgements This report has been produced by ENISA using input and comments
Putting the cloud to work for your organization. A buyers guide to cloud solutions. What s in this guide for you? If you re thinking about bringing the cloud into your business but aren t sure where to