Cyber Security and Cloud Computing. Dr Daniel Prince Course Director MSc in Cyber Security d.prince@lancaster.ac.uk




Scope of Today
- SME
- Attractors for Cloud
- Switching to the Cloud: Public, Private, Hybrid
- Big issues to consider
- Summary

SME Space
- 2.1m companies registered for VAT and/or PAYE in March 2010
- 98% of these businesses have fewer than 50 employees
- Only 0.4% have more than 250 employees (Source: Office for National Statistics)
Drivers
- Reduce expenditure on IT systems
- Maintain capabilities
- Flexibility to expand or reduce requirements
- Data sharing

SME Security View
- Lack in-house IT and infosec expertise
- Already used to the outsourced IT service model
- Traditionally neglected by security vendors
- Few SMEs have any formal security policy; fewer have implemented an ISMS or certification
- Mostly dependent on IT contractor advice
- 66% of all security breaches occur within organisations with fewer than 100 employees

Switch to Cloud Computing: Considerations
- Security and Privacy Issues
  - Public data
  - Personal data (citizens' sensitivities)
- Compliance
  - Government security policies
  - Legal requirements
- Need to protect assets to succeed
  - Confidentiality, Integrity, Availability, Reputation
  - Financial loss, loss of output, damage to reputation

Switch to Cloud Computing
- Compromise of personal data
  - Damage to customers
  - Damage to organisational reputation
- Information Security Management System (ISMS)
  - ISO/IEC 27001:2005
  - ITIL
  - Policies and procedures
  - Legal and regulatory systems

Legislation affecting the Cloud
- Official Secrets Act 1989
- Freedom of Information Act 2000
- Data Protection Act 1998
- European Directive 95/46/EC
- European Convention on Human Rights
- Human Rights Act 1998
(www.arborcentre.co.uk)

Legislation affecting the Cloud
- Conflicting demands of privacy and freedom
- Use of metadata: what to keep?
- Requires comprehensive procedures
  - Storage
  - Cataloguing
  - Auditing
  - Retrieval
(www.staynalive.com)

Public Cloud Challenges
- Maintaining security and sovereignty
  - Where are the servers located? Data sovereignty: which country is the data in?
  - What security is in place? Data segregation in a virtual environment
  - Compliance with legal and government policies
- Audit and compliance
  - Visibility of audit results and security logs
- Disaster recovery plans
  - What business continuity is in place?

Public Cloud Challenges
- Deletion of data
  - Can all copies be removed?
  - Standards for purging data/memory
- Risks from other customers' business
  - An attack against another customer could have an impact
  - Highest customer security controls for all
- Maintaining compliance
  - Span several jurisdictions
  - Different legal requirements

Private Cloud Challenges
- Does not have security by default: policies and standards have to be applied
- Off Premise (3rd Party provider)
  - Service Level Agreements (SLAs) required
  - Vetting of staff
  - Bearer bandwidth and availability
- On Premise
  - Control of security management
  - Maintaining compliance is simpler

Hybrid Cloud Challenges
- All advantages/disadvantages of Public/Private Clouds
- Separate public/personal data
  - Public non-sensitive data in the Public Cloud
  - Personal and sensitive data in the Private Cloud
  - Helps to gain the trust of citizens
- Maintaining compliance
  - Need to maintain compliance of both
  - Extra workload

Loss of Physical Control
- ENISA (2009): non-cloud attack vectors translate with the same or a lower probability of occurrence in their cloud counterparts. HOWEVER, malicious insiders...
- Counter arguments cite information security standards (e.g., ISO 27001); however, there remains a lack of clarity as to who will be managing the data.

Exposing Sensitive Data
- First, legal liability under current Data Protection Laws within the European Union? ENISA has advised public bodies in member states against using the cloud for anything other than non-sensitive and non-mission-critical data.
- Second, what types of data can legally be stored in the cloud? Compliance requires proof of certain activities, e.g. PCI DSS requirement 10.2 for "tracking and monitoring all access to network resources".

Exposing Sensitive Data
- Third, the transfer and storage of data in non-domestic and potentially unknown jurisdictions.
  - EU Data Protection Directive: data must be stored within the 27 member states or 3 of the EEA member countries, unless "sufficient" levels of protection can be proved.
  - A review of 31 T&Cs found 15 to make no mention of data location or transit protection.
  - Data Protection Laws between member states: the Directive may sometimes provide inadequate protection (e.g., Germany)!

Exposing Sensitive Data
- Cross-border movement of data and the impact of changing jurisdictions, associated legal obligations, and law enforcement practices (e.g., the USA's PATRIOT Act).
- Some T&Cs state the willingness to disclose data without court orders upon request from law-enforcement agencies, or if it's in the immediate "public interest".

Other Implications
- What are the implications of CSP acquisition or failure? Acquisition and the possibility of sudden changes in CSP policies and non-binding agreements?
- A review of 27 T&Cs found:
  - 8 to mention no process for varying terms.
  - 13 to state amendments could be posted on their website, and continued use is acceptance.
  - Only 3 to state changes must be in writing with the agreement of both parties.
- Cloud-based IAM solutions are comparatively inadequate to their non-cloud alternatives.
  - Lack of widespread CSP support for open APIs and federation standards, e.g., SAML, XACML, and SPML.

Multi-tenancy
- First, negative consequences from co-tenant activities.
- Second, isolation failure through compromise of the underlying privileged architecture.
- Third, there is a correlation between the increasing complexity of cloud offerings (especially inter-cloud) and the ambiguity over the division of security responsibilities between CSPs and their customers.

Take Away
1. Start by thinking about your information
2. What legal requirements cover you?
3. Think about Threat and Risk
4. Think about how you can get out of the Cloud cleanly
5. Scour the Terms and Conditions

Summary
- It's not just a new technology, but a new business model.
- Does the cloud provide a false sense of security?
- Why are organisations holding back?
  - Risks not fully understood
  - Lack of trust in security
  - Lack of confidence in technology
- Risks to data security and privacy need to mature

CSC 2011