Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Transcription

1 Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab 1

2 Disclaimers This presentation provides education on Cloud Computing and its security risks. Any mention of a vendor or product is NOT an endorsement or recommendation 2

3 Agenda What is Cloud Computing? Vulnerabilities, security risks and risk controls 3

4 Cloud Computing - Module 1 What Is Cloud Computing? 5

5 Business Drivers 6

6 End User Drivers 7

7 Defining Cloud Computing Cloud Computing is a new consumption and delivery model inspired by consumer Internet services. It enables convenient, on-demand network access to a shared pool of configurable computing resources with minimal management effort or service provider interaction. 8

8 Benefit of Cloud Helps to address rising IT costs Focuses enterprises on core business processes and expertise Focuses more on business value, less on technology costs Leverages external services and infrastructure capabilities Helps solve legacy investment issues Provides for scalability, and flexibility Pay for what you use, not pay for equipment, skills and other resources you may not want or need 9

9 Cons of Cloud Asset becomes widely public and widely distributed. An employee of cloud provider can access the asset. The process or function can be manipulated by an outsider. The process or function can fail to provide expected results. The information / data can unexpectedly changed. Asset can be unavailable for a period of time. 10

10 5 Essential Cloud Characteristics On-demand self-services Ubiquitous network access Location independent resource pooling Rapid elasticity Measured service as pay per use 11

11 3 Cloud Service Models Cloud Software as a Service (SaaS) - Use provider s applications over a network Cloud Platform as a Service (PaaS) Deploy customer-created applications to a cloud Cloud Infrastructure as a Service(IaaS) Rent processing, storage, network capacity, and other fundamental computing resources 12

12 4 Cloud Deployment Models Private cloud enterprise owned or leased Community cloud shared infrastructure for specific community Public cloud Sold to the public, mega-scale infrastructure Hybrid cloud composition of two or more clouds 13

13 Feature Indication 14

14 Cloud Computing Example AMAZON Elastic Compute Cloud (EC2) 15

15 16

16 Standards and Test Bed Groups Cloud Security Alliance (CSA) Distributed Management Task Force (DMTF) Storage Networking Industry Association (SNIA) Open Grid Forum (OGF) Open Cloud Consortium (OCC) Organization for the Advancement of Structured Information Standards (OASIS) TM Forum Internet Engineering Task Force (IETF) International Telecommunications Union (ITU) European Telecommunications Standards Institute (ETSI) Object Management Group (OMG) 17

17 CSA Research Initiatives Security Guidance for Critical Areas of Focus in Cloud Computing v 2.1 (12/17/2009) Controls Matrix 1.01 ( 10/20/2010) Consensus Assessments Initiative ( 10/12/2010) Top Threats to Cloud Computing ( twice yearly) Trusted Cloud Initiative CloudAudit ( 10/20/2010) Common Assurance maturity Model ( partner project) 18

18 Security for Cloud Computing Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one ore more third parties. Security controls in cloud computing are no different than security controls in any IT environment. However the operational models and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solution. 19

19 What We Know So Far 20

20 Module 2 Cloud Computing Risks, Vulnerabilities and Risk Remediation 21

21 Regulatory Issue Can a financial institution properly carry out due diligence, ascertain what risk management and security practices exist, and be able to rely on specific security measures to ensure the safety and soundness of their systems, data and customer records in the cloud? 22

22 Top Six High Risks 1. Loss of Governance 2. Compliance Challenge 3. Lock-in 4. Cloud Provider Malicious Insider 5. Subpoena and E-discovery 6. Data Protection Risks 23

23 1. Loss of Governance Probability Impact Vulnerabilities Affected assets VERY HIGH VERY HIGH ( IaaS VERY HIGH, SaaS Low) Unclear asset ownership Unclear roles and responsibilities SLA clauses with conflicting promises to different stakeholders Cross-cloud applications creating hidden dependency Lack of standard technologies and solutions Certification schemes not adapted to cloud infrastructures Company reputation Personal sensitive data Service delivery Risk HIGH 24

24 RACKSPACE SEC 10-Q Filing (May 2010) We are the world s leader in the hosting and cloud computing industry. The majority of our customers do not elect to pay the additional fees required to have disaster recovery services store their backup data offsite in a separate facility.. We have experienced interruptions in the past due to such things as power outages, power equipment failures, cooling equipment failures, routing problems, hard drive failures, database corruption, systems failures, software failures and other computer failures. The services we offer involve the transmission of large amounts of sensitive and proprietary information over public communication networks, as well as the processing and storage of confidential customer information. Unauthorized access, computer viruses and other disruptions can occur that could comprise the security of our infrastructure 25

25 Risk control 1- Division of Liabilities Cloud Provider Cloud Customer Law Status Data Processor Data Controller Data Content Intermediary liability Full Liability Security Incidents ( including data leakage, user account compromise, etc) Responsible for due diligence for what is under its control Responsible for due diligence for what is under its control 26

26 Division of Responsibilities 27

27 Division of Responsibilities 28

28 2. Compliance Challenges Probability Impact Vulnerabilities VERY HIGH HIGH Lack of completeness and transparency in terms of use Lack of standard technologies and solutions, Audit or certification not available to customers Certification schemes not adapted to cloud infrastructures Affected assets Certification Risk HIGH 29

29 Risk control 2 Security Analysis Process 1. Classify a cloud service against the cloud architecture model 2. Map business, regulatory and other compliance requirements to security controls 3. Gap analysis of security controls to cloud services 4. Determine the general security posture of a service and relate to an asset s assurance and protection requirements. 30

30 Model Mapping in Gap Analysis APIs Applications Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) 31

31 3. Lock-in Probability Impact Vulnerabilities Affected assets HIGH MEDIUM Lack of standard technologies and solutions Poor provider selection Lack of supplier redundancy Lack of completeness and transparency in terms of use Company reputation Personal sensitive data Service delivery Risk HIGH 32

32 Risk control 3-1. Assess the risk of adopting cloud services 2. Compare different provider offers 3. Obtain assurance from the selected cloud providers 4. Exit strategy Migration Path Requirements 33

33 4. Cloud Provider Malicious Insider Probability Impact Vulnerabilities Affected assets Risk MEDIUM ( Lower than traditional) VERY HIGH (Higher than traditional) Unclear roles and responsibilities Poor enforcement of role definitions Need-to-know principle not applied AAA vulnerabilities System or OS vulnerabilities Inadequate physical security procedures Impossibility of processing data in encrypted form Application vulnerabilities or poor patch management Company reputation Customer trust Employee loyalty and experience Intellectual property Personal sensitive data / HR data Service delivery HIGH 34

34 Risk Control 4 - Information Assurance Requirements - Personnel security - Supply-chain assurance - Operational security Software assurance Patch management Network architecture controls Host architecture Application security Resource provision 35

35 Information Assurance Requirements - Identity and access management - Authorization - Identity provisioning - Management of personal data - Key management - Encryption - Authentication - Asset management - Physical security - Environmental controls 36

36 5. Subpoena and E-discovery Probability Impact Vulnerabilities HIGH MEDIUM Lack of resource isolation Storage of data in multiple jurisdictions and lack of transparency Affected assets Company reputation Customer trust Personal sensitive data Service delivery Risk HIGH 37

37 6. Data Protection Risks Probability Impact Vulnerabilities HIGH HIGH Failed to comply with data protection law Failed to notify the data controller about the data leakage Affected assets Company reputation Customer trust Personal sensitive data Service delivery Risk HIGH 38

38 Risk control 5 & 6 Legal Requirements 1. Data protection 2. Data security 3. Data transfer 4. Law enforcement access 5. Confidentiality and Non-disclosure 6. Intellectual property 7. Risk allocation and limitation of liability 8. Change of control 39

39 Conclusion Cloud Computing is an emerging business model with a lot of promises Waiting for more development on Cloud standardization, security control framework, interoperability, cloud audit and common assurance Premature solution for core banking functions 40

40 Q & A 41

41 Reference 1. Cloud Security Alliance 2. NIST cloud computing 3. Amazon EC2 and S Cloud Standards Organization wiki/index.php?title=main_page 42

42 43