East African Information Conference 13-14 th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Similar documents
Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes


See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

IS PRIVATE CLOUD A UNICORN?

Managing Cloud Computing Risk

Cloud Security Introduction and Overview

Capability Paper. Today, aerospace and defense (A&D) companies find

What is Cloud Computing? First, a little history. Demystifying Cloud Computing. Mainframe Era ( ) Workstation Era ( ) Xerox Star 1981!

Cloud Computing; What is it, How long has it been here, and Where is it going?

The NIST Definition of Cloud Computing (Draft)

Security & Trust in the Cloud

The NIST Definition of Cloud Computing

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

The Cloud vs. the Back-Office. Which is right for you?

Cloud Computing Submitted By : Fahim Ilyas ( ) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

Kent State University s Cloud Strategy

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Cloud Computing Guide & Handbook. SAI USA Madhav Panwar

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Cloud & Security. Dr Debabrata Nayak Debu.nayak@huawei.com

The HIPAA Security Rule: Cloudy Skies Ahead?

OVERVIEW Cloud Deployment Services

CLOUD COMPUTING GUIDELINES FOR LAWYERS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Business Cloud Systems Challenges and Uncertainty

Lecture 10 Cloud Security. modified from slides of Lawrie Brown, Ragib Hasan, YounSun Cho, Anya Kim

Cloud Computing: The Next Computing Paradigm

Enhancing Operational Capacities and Capabilities through Cloud Technologies

White Paper on CLOUD COMPUTING

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

CHAPTER 8 CLOUD COMPUTING

PRIVATE CLOUD PLATFORM OPTIONS. Stephen Lee CEO, ArkiTechs Inc.

Goals. What is Cloud Computing? 11/11/2010. Understand what cloud computing is and how. Understand the challenges and advantages of cloud computing

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Data Security In The Cloud

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

Technology & Business Overview of Cloud Computing

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

Security and Privacy in Cloud Computing

Cloud Computing for SCADA

Architecting the Cloud

Cloud Computing. What is Cloud Computing?

Security Issues in Cloud Computing

Tamanna Roy Rayat & Bahra Institute of Engineering & Technology, Punjab, India talk2tamanna@gmail.com

SURVEY OF ADAPTING CLOUD COMPUTING IN HEALTHCARE

CLOUD SECURITY SECURITY ASPECTS IN GEOSPATIAL CLOUD. Guided by Prof. S. K. Ghosh Presented by - Soumadip Biswas

How To Protect Your Cloud Computing Resources From Attack

AskAvanade: Answering the Burning Questions around Cloud Computing

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

Clinical Trials in the Cloud: A New Paradigm?

Why Private Cloud? Nenad BUNCIC VPSI 29-JUNE-2015 EPFL, SI-EXHEB

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Information Technology: This Year s Hot Issue - Cloud Computing

CLOUD COMPUTING PHYSIOGNOMIES A 1.1 CLOUD COMPUTING BENEFITS

Student's Awareness of Cloud Computing: Case Study Faculty of Engineering at Aden University, Yemen

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

ICSA Labs Risk and Privacy Cloud Computing Series Part I : Balancing Risks and Benefits of Public Cloud Services for SMBs

Cloud Computing. Karan Saxena * & Kritika Agarwal**

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

THE CLOUD- CHANGING THE INDIAN HEALTHCARE SYSTEM

Standardizing Cloud Services for Financial Institutions through the provisioning of Service Level Agreements (SLAs)

CLOUD COMPUTING. A Primer

6 Cloud computing overview

CLOUD COMPUTING AND ITS SECURITY ASPECTS

Soft Computing Models for Cloud Service Optimization

A Cloud Computing Handbook for Business

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

Cloud computing is a marketing term for technologies that provide servers, outside of the firewall, for:

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Cloud Models and Platforms

Cloud Computing Thunder and Lightning on Your Horizon?

Verifying Correctness of Trusted data in Clouds

Cloud Courses Description

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

Cloud Computing Overview

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.:

CS573 Data privacy and security in the cloud. Slide credits: Ragib Hasan, Johns Hopkins University

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

1. From the CIO Strategic Direction for Cloud Computing at Kent State Cloud Computing at Kent State University 5

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Healthcare: La sicurezza nel Cloud October 18, IBM Corporation

International Research Journal of Engineering and Technology (IRJET) e-issn: Volume: 02 Issue: 05 Aug p-issn:

journey to a hybrid cloud

Plant Software in the Cloud Fact vs. Myth

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Cloud Computing Governance & Security. Security Risks in the Cloud

Transcription:

East African Information Conference 13-14 th August, 2013, Kampala, Uganda Security and Privacy: Can we trust the cloud? By Dr. David Turahi Director, Information Technology and Information Management Services Ministry of Information and Communications Technology (ICT)

What is a Cloud Computing? NIST defines cloud computing by: 5 essential characteristics 3 cloud service models 4 cloud deployment models Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 2

Essential Characteristics On-demand service Consumer can unilaterally provision computing capabilities (e.g. server time &network storage) as needed automatically without human interaction with each service provider Broad Network Access Services available over the net and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. workstations, tablets, laptop, mobile phones) 3

Essential Characteristics Resource pooling Provider s computing resources pooled to serve multiple clients using a multi-tenant model Different physical and virtual resources dynamically assigned and reassigned according to client demand Rapid Elasticity Unlimited capabilities (from a clients view) can be elastically provisioned and released to scale rapidly outward and inward according to demand, in any quantity and at any time Measured service Automatic control and optimization of resource use by leveraging a metering capability (e.g. storage, bandwidth 4 and active user accounts

Cloud Service Models Software as a Service (SaaS) We use the provider apps User doesn t manage or control the network, servers, OS, storage or applications Platform as a Service (PaaS) User deploys their apps on the cloud Controls their apps User doesn t manage servers, IS, storage 5

Cloud Service Models Infrastructure as a Service (IaaS) Consumers gets access to the infrastructure to deploy their stuff Doesn t manage or control the infrastructure Does manage or control the OS, storage, apps, selected network components 6

Deployment Models Public Cloud infrastructure is available to the general public, owned by org selling cloud services Private Cloud infrastructure for single org only, may be managed by the org or a 3 rd party, on or off premise 7

Deployment Models Community Cloud infrastructure shared by several orgs that have shared concerns, managed by org or 3 rd party Hybrid Combination of 2 or more clouds bound by standard or proprietary technology 8

The US National Institute of Standards and Technology (NIST) Cloud Definition Framework Hybrid Clouds Deployment Models Private Cloud Community Cloud Public Cloud Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Essential Characteristics On Demand Self-Service Broad Network Access Rapid Elasticity Resource Pooling Measured Service Massive Scale Resilient Computing Common Characteristics Homogeneity Virtualization Geographic Distribution Service Orientation Low Cost Software Advanced Security Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com 9

Cloud Computing Security 10

Cloud Computing: A Massive Concentration of Resources Also a massive concentration of risk expected loss from a single breach can be significantly larger concentration of users represents a concentration of threats Ultimately, you can outsource responsibility but you can t outsource accountability. From John McDermott, ACSAC 09

Cloud Computing: who should use it? Cloud computing definitely makes sense if your own security is weak, missing features, or below average. Ultimately, if the cloud provider s security people are better than yours (and leveraged at least as efficiently), the web-services interfaces don t introduce too many new vulnerabilities, and the cloud provider aims at least as high as you do, at security goals, then cloud computing has better security. From John McDermott, ACSAC 09

Security Services Confidentiality Availability Integrity 13

Cloud Security!! A major Concern Security concerns arising because both customer data and program are residing at Provider Premises. Security is always a major concern in Open System Architectures Customer Data Customer Customer Code Provider Premises 14

Security is the Major Issue 15

General Security Advantages Shifting public data to an external cloud reduces the exposure of the internal sensitive data Cloud homogeneity makes security auditing/testing simpler Clouds enable automated security management Redundancy / Disaster Recovery 16

General Security Challenges Trusting vendor s security model Customer inability to respond to audit findings Obtaining support for investigations Indirect administrator accountability Proprietary implementations can t be examined Loss of physical control 17

A framework for understanding security and privacy issues facing the cloud 18 Source: Addressing security challenges on a global scale, ITU

Why Cloud Computing brings new threats? Traditional system security mostly means keeping bad guys out The attacker needs to either compromise the authentication/access control system, or impersonate existing users 19

Why Cloud Computing brings new threats? Cloud Security problems are coming from : Loss of control Lack of trust (mechanisms) Multi-tenancy These problems exist mainly in 3rd party management models Self-managed clouds still have security issues, but not related to above 20

Why Cloud Computing brings new threats? Consumer s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement are managed by the cloud provider Consumer relies on provider to ensure Data security and privacy Resource availability Monitoring and repairing of services/resources 21

Multi-tenancy Issues in the Cloud Conflict between tenants opposing goals Tenants share a pool of resources and have opposing goals How does multi-tenancy deal with conflict of interest? Can tenants get along together and play nicely? If they can t, can we isolate them? How to provide separation between tenants? Cloud Computing brings new threats Multiple independent users share the same physical infrastructure Thus an attacker can legitimately be in the same physical machine as the target

What are the concerns? Confidentiality Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data Will the cloud provider itself be honest and won t peek into the data? Integrity How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it? 23 www.cs.jhu.edu/~ragib/sp10/cs412

What are the concerns? Availability 24 Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? What happens if cloud provider goes out of business? Would cloud scale well-enough? Often-voiced concern Although cloud providers argue their downtime compares well with cloud user s own data centers www.cs.jhu.edu/~ragib/sp10/cs412

What are the concerns? Privacy issues raised via massive data mining Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients Increased attack surface 25 Entity outside the organization now stores and computes data, and so Attackers can now target the communication link between cloud provider and client Cloud provider employees can be phished From [5] www.cs.jhu.edu/~ragib/sp10/cs412

What are the concerns? Auditability and forensics (out of control of data) Difficult to audit data held outside organization in a cloud Forensics also made difficult since now clients don t maintain data locally Legal quagmire and transitive trust issues 26 Who is responsible for complying with regulations? If cloud provider subcontracts to third party clouds, will the data still be secure? www.cs.jhu.edu/~ragib/sp10/cs412

Conclusion Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model However, resources are ubiquitous, scalable, highly virtualized Contains all the traditional threats, as well as new ones The cloud acts as a big black box, nothing inside the cloud is visible to the clients; Clients have no idea or control over what happens inside a cloud In developing solutions to cloud computing security issues it may be helpful to identify the problems and approaches in terms of Loss of control Lack of trust Multi-tenancy problems

Thank You 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information