Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Size: px

Start display at page:

Download "Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University"

Miles Bryan
8 years ago
Views:

1 Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

2 What is cloud computing? What are some of the keywords? How many of you cannot think of anything? 10/28/2015 2

3 Essential Characteristics Rapid provisioning Minimal o Management effort o Service provider interaction Scalability but o Multi-tenancy 10/28/2015 jryoo@psu.edu 3

4 Essential Characteristics II On-demand self-service Rapid elasticity Broad network access Measured service o Metering Resource pooling 10/28/2015 jryoo@psu.edu 4

5 What is cloud computing? A Model for enabling o Ubiquitous o Convenient o On-demand network access to A shared pool of configurable computing resources Source: SP by National Institute of Standards and Technology (NIST), /28/2015 jryoo@psu.edu 5

6 Types of Clouds According to Uses Software as a Service o SaaS Platform as a Service o PaaS Infrastructure as a Service o IaaS 10/28/2015 jryoo@psu.edu 6

7 Types of Clouds Public cloud Private cloud Community cloud 10/28/2015 7

8 The Bad News Many of the characteristics that make cloud computing great also o Make it less secure o Present extra security challenges 10/28/2015 jryoo@psu.edu 8

9 The Bad News II Problems o Countermeasures Traditional security controls are ineffective o Evaluation of the security of cloud services Conventional security auditing approaches are insufficient 10/28/2015 jryoo@psu.edu 9

security of cloud services Conventional security

10 Goals Security challenges specific to cloud computing What is available for cloud security o Standards o Technologies Guidance for Cloud Service Users (CSUs) o What to look out for 10/28/2015 jryoo@psu.edu 10

Standards o Technologies Guidance for Cloud Service

11 Cloud Security Challenges 10/28/

12 Root Causes Scale o The sheer number of VMs Scope o New types of technologies Security of hypervisors o Intangible and logical Virtual switches Virtual routers 10/28/2015 jryoo@psu.edu 12

13 Root Causes Complexity more time and resources to properly manage security o Scale + scope o Third-party involvement o Colocation via multi-tenancy o Cross-border concerns the importance of physical location of data Compliance requirements for varying laws and regulations 10/28/2015 jryoo@psu.edu 13

Cross-border concerns the importance of physical location of data

14 Financial Industry-Specific Causes More end user traffic o Online banking Diversity of devices o PC, mobile, tablet, etc. Various network types o Public Wi-Fi, 4G, etc. 10/28/2015 jryoo@psu.edu 14

15 More Stringent Requirements Availability o 24/7 Accessibility o End user-driven access control Confidentiality o Encryption 10/28/2015 jryoo@psu.edu 15

16 Bottom Line Knowing what to look for is critical! o In addition to the traditional IT security checklist 10/28/2015 jryoo@psu.edu 16

17 Transparency Quality of Service (QoS) information o Availability? Incidents Certifications Policies Controls 10/28/2015 jryoo@psu.edu 17

18 Transparency II Subcontractors Location of data Privacy o Government surveillance Legal and liability issues o For example, service outages 10/28/2015 jryoo@psu.edu 18

19 Transparency III Does the contract or Service-Level Agreement (SLA) include a transparency clause? Proper propagation of risk knowledge is the key! 10/28/2015 jryoo@psu.edu 19

20 Encryption Who encrypts the data? o CSU o CSP By default (e.g., Amazon S3) o Third party encryption service Who keeps the key? How much to encrypt? 10/28/2015 jryoo@psu.edu 20

21 Encryption II Tradeoffs o Security vs. cost Fully homomorphic encryption o Security vs. usability o Security vs. performance o Security vs. complications associated with external auditing efforts 10/28/2015 jryoo@psu.edu 21

22 Colocation Sharing cost savings but Sharing more security vulnerabilities o Access to the physical hardware Especially, in the context of IaaS o Hypervisor vulnerabilities Xen, VMWare, virtual server, Kernel-based Virtual Machines (KVM), PowerVM, etc. 10/28/2015 jryoo@psu.edu 22

23 Colocation II Countermeasures o Proper cloud segmentation environments Separate physical servers Dedicated virtual servers Logical partitions and separate database servers on the same VM without sharing a disk storage 10/28/2015 jryoo@psu.edu 23

24 Cloud Security Solutions 10/28/

25 The Good News Newly emerging standards and guidelines to evaluate CSPs o How well they are dealing with Cloud-specific security challenges 10/28/2015 jryoo@psu.edu 25

26 Cloud Security Standards Standards Type Strength Sponsoring Organization SOC Audit for outsourced services Technology-neutral ISO/IEC Cloud-specific Technologyneutral Cloud Security Alliance PCI-DSS Cloud-specific PCI-qualified security assessor cloud supplement Dedicated to cloud security auditing NIST Cloud-specific Technologyneutral Technologyneutral but still providing guidance AICPA ISO NIST CSA PCI-DSS 10/28/

27 Additional Reading J. Ryoo, Rizvi, S., Aiken, W., and Kissell, J., Cloud Security Auditing: Challenges and Emerging Approaches, IEEE Security and Privacy, vol. 12, no. 6, pp , /28/

28 Any Questions? Contact information o jryoo@psu.edu 10/28/2015 jryoo@psu.edu 28

Cloud computing, as defi ned by the National Institute

Cloud computing, as defi ned by the National Institute Cloud Security Auditing: Challenges and Emerging Approaches Jungwoo Ryoo, Syed Rizvi, William Aiken, and John Kissell Pennsylvania State University IT security audits determine whether an information system