How To Secure Cloud Computing

Transcription

1 A hole in the cloud: Is cloud secure? N. Vijaykumar Infosys Technologies Limited, Bangalore presented at

2 Security in cloud is a key challenge! 70% 60% 50% 40% 30% 20% 10% 0% Data integrity tampering Hacker / Data breach Interruption of availability Loss of data due to system failure Business Continuity / DR Source: CSO Forum, 2010 Some highlights include SMBs' concerns regarding security and privacy with cloud environments, topping the list, at 51%, as a reason for not being interested in pay-per-use hosting of virtual servers, also known as cloud computing Source: Forrester Research, The State Of Emerging SMB Hardware: 2009 To 2010 Business Data Services North America And Europe All these only goes to suggest that Cloud security is being viewed as a critical parameter for cloud adoption! 2

3 Security is a common thread, whatever flavor of cloud be For accessing SaaS enabled applications over public internet Public Cloud (SaaS model) Private Cloud IaaS PaaS For private cloud access For supporting capacity burst from Private to public clouds Public Cloud (for usage burst) 3

4 How different is security in cloud, from an on-premise datacenter? 1 3 rd party service provider 2 Multi-tenancy 3 Geographical Distribution 4 Compliance & Standards 4

5 Breaking down security concerns in cloud Manageability Provisioning of users Identity & access management Policy based management Data Security Data privacy Data protection & leakage prevention Data availability Compliance Compliance to standards (HIPPA, GLBA ) Monitor & enforce compliance GRC requirements Contractual SLA management Business services management Audit & reporting Above all, TRUST 5

6 In cloud, these become very critical Host Security Network Security Data Security & Protection Compliance & Audits 6

7 Host Security: server hardware is still at risk Virtualization is the key building block of any cloud environment Virtual instances are vulnerable There have been such instances in most of the Hypervisors Underlying hardware is susceptible to attacks using Hypervisor Virtualization software is not a kind of security layer, hence secure it.. Check how cloud service provider has implemented host security before signing up (IaaS) 7

8 Network Security: The attack area gets only bigger in cloud Cloud being implemented and accessed over internet, provides a much bigger network security risk as compared to on-premise Enterprise and cloud are disconnected A conventional perimeter security model would not suffice for cloud Identity and access management is a concern area in cloud. Enterprises might not have control of end users logging on to cloud 8

9 Concern-in-chief: Data security How secure is the data? How secure is the application? Data life cycle management: in rest, transition etc. Data (of multiple customers ) are co-located!!! How does a public cloud provider, provides segmentation and ensure data security, integrity? Levels of encryption and data protection offered by public clouds Assumes criticality in a Paas and Iaas models 9

10 Compliance and audits: Only Trust can help Adherence to security standards (SAS, HIPPA) by the provider Where is my data? requirement for data to be within the country s geographical boundaries Is the cloud auditable? Ensure that contract includes everything qualitative Trust, but verify!!! 10

11 Cloud Information Assurance Framework by ENISA Aims at increasing transparency by defining a a minimum baseline for: Comparing cloud offers Assessing the risk to go Cloud Legal and compliance requirements Asset Management Personnel security Score Provider 1 Score Provider 2 Supply chain security Operational Security Reducing audit burden and security risks Physical and Environmental Controls Business Continuity Management Data and Service Portability Identity and Access Management Applicable to both public and private clouds Example Provider Comparison Chart Source: 11

12 Key questions that you should ask your cloud provider Do I have a control over where my information will be stored? Where is my data stored? Is your cloud operations open for physical and 3 rd party inspections Will you share the audit results of the ISMS audits in your infrastructure? What are your policies concerning my sensitive information? What are the anti-theft and anti-hacking mechanisms that you have implemented? And the list goes long 12

13 The last word Cloud means different things to different people "Cloud Computing Security is no different than "Regular Security, in some ways Security is perhaps one of the weakest link in the cloud lifecycle. Identify the weakest security mechanism and increase the lines of defenses Such issues can be tackled with a combination of technology and management So the only weapon we have is mutual TRUST, backed by complex set of contractual & legal documentation 13

14 THANK YOU