Cloud computing: benefits, risks and recommendations for information security
Dr Giles Hogben, Secure Services Programme Manager, European Network and Information Security Agency (ENISA)
Goals of my presentation
o Introduction to cloud computing and how it differs from other technologies.
o Explain the security benefits and risks of cloud computing.
o Help you make an informed risk decision on whether to use cloud computing.
o Explain an efficient way of selecting secure cloud services.
o Propose criteria to help you select the most secure services.
Non-goals of my presentation
o Persuade you to use cloud computing
o Sell you a cloud computing service
o Explain technicalities of migrating to cloud computing
o Tell you that IT departments are not needed any more
What is cloud computing
Cloud computing is an on-demand service model for IT provision, usually based on virtualization and distributed computing technologies. Computational resources are provided on demand as a service, much like a public utility.
50,000 machines for 1 minute: same investment and level of commitment as 1 machine for 1 year
What is cloud computing: ENISA's understanding
o Service on demand, usually with a pay-as-you-go billing system
o Near instant scalability and flexibility
o Near instantaneous provisioning and deprovisioning
[Figure: Example traditional IT investment. Resources used/purchased, 2010 to 2019: investment in infrastructure against demand for infrastructure, with wasted investment.]
[Figure: Resources used/purchased, 2010 to 2019: investment in infrastructure against demand for infrastructure.]
What is cloud computing: ENISA's understanding
o Shared resources (hardware, database, memory, etc.), like buying a hotel room
Efficiency: non-cloud utilisation
Cloud utilisation
What is cloud computing: ENISA's understanding
o Highly abstracted hardware and software resources
o No need to understand what's going on behind the scenes
What is cloud computing: ENISA's understanding
o Programmatic management (e.g. through Web Services API)
Summary
o Near instant scalability and flexibility
o Near instantaneous provisioning
o Service on demand, usually with a pay-as-you-go billing system
o Highly abstracted hardware and software resources
o Shared resources (hardware, database, memory, etc.)
o Programmatic management (through an API)
Types of cloud
o SaaS: Software as a service (e.g. Google Apps)
o PaaS: Platform as a service (e.g. Salesforce: build your own CRM)
o IaaS: Infrastructure as a service (e.g. Amazon) (also storage, database)
Types of Cloud
[Figure: Types of cloud. Public, partner, private and non-cloud rated on a 0 to 4 scale for commodity, cost, assurance and liability.]
Typical Small Government Agency/SME Use-cases
SaaS
o Web content delivery (portals etc.)
o Docs/office in a browser
o Email
o Stakeholder management
o Etc.
PaaS
o Stakeholder relations (e.g. Salesforce)
o Web-based APIs, e.g. build your own survey tool
IaaS
o Application hosting
o Desktops via remote desktop
o Storage
o Backup
o Web hosting
o Research and development
o Media hosting
o On-demand work force
ENISA Cloud Computing Objectives
Help business and governments to gain the cost benefits of cloud computing, while maintaining service availability, data confidentiality and integrity, privacy, transparency, accountability and responsibility.
Reaching the objectives: ENISA Deliverables and Ongoing Activities
o Cloud Computing: Benefits, Risks and Recommendations for Information security (2009) http://is.gd/cem9h
o Assurance framework (2009)
o Research Recommendations (2009)
o Gov-Cloud security and resilience analysis (2010)
o Common Assurance Maturity Model (CAMM) consortium (2010)
o 2011 (proposed): procurement and monitoring guidance for government cloud contracts.
Benefits and Risks
SMEs Main Concerns
Cloud Computing: Benefits, Risks and Recommendations for Information security
Security Benefits of Cloud Computing
Economies of Scale
Economies of scale and Security
o All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc.).
o The same amount of investment in security buys better protection.
Other benefits of scale
o Cloud providers big enough to do background checks on their IT staff.
o Staff specialization & experience: cloud providers big enough to hire specialists in dealing with specific security threats.
o Multiple locations by default -> redundancy and failure independence.
o Edge networks: content delivered or processed closer to its destination.
Improved management of updates and defaults
o Updates can be rolled out much more rapidly across a homogeneous platform.
o Default VM images and software modules can be updated with latest patches and security settings.
o Snapshots of virtual infrastructure (in IaaS) to be taken regularly and compared with a security baseline.
Is your current setup really better from a security standpoint?
The Risks
Very high value assets
Most risks are not new, but they are amplified by resource concentration: the asset values are high.
o Trustworthiness of insiders.
o Hypervisors: hypervisor layer attacks on virtual machines are very attractive.
o More data in transit (without encryption?)
o Management interfaces: big juicy targets
Lock in
o Few tools, procedures or standard formats for data and service portability.
o Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment.
o Potential dependency of service provision on a particular CP.
Loss of Governance
o The client cedes control to the Provider on a number of issues affecting security:
o External pen testing not permitted.
o Very limited logs available.
o Usually no forensics service offered.
o Not possible to inspect hardware.
o No information on location/jurisdiction of data.
o Outsource or sub-contract services to third parties (fourth parties?)
Somebody else's problem (SEP) syndrome
"Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon's services"
Amazon AWS ToS
o YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA.
o You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.
Legal and contractual risks
o Data in multiple jurisdictions, some of which may be risky.
o Lack of compliance with EU Data Protection Directive
  o Potentially difficult for the customer (data controller) to check the data handling practices of the provider
  o Multiple transfers of data exacerbate the problem
o Risk allocation and limitation of liability
o Compliance challenges: how to provide evidence of compliance.
Co-tenancy and Isolation failure
o Like a Hotel (California?): you may be able to hear your neighbours if the walls are not well insulated
  o Storage (e.g. side channel attacks), see http://bit.ly/12h5yh
  o Virtual machines
  o Entropy pools (http://bit.ly/41siin)
  o Resource use (e.g. bandwidth)
RESOURCE EXHAUSTION
o Overbooking
o Underbooking
Caused by:
o Resource allocation algorithms
o Denial of Service
o Freak events
Credential management
o Key management is (currently) the responsibility of the cloud customer.
o Key provisioning and storage is usually off-cloud.
o One key-pair per machine doesn't scale to multiple account holders/RBAC.
o Credential recovery is sometimes available through the management interface (protected by UN/PWD by default).
Just encrypt your data in the cloud and you don't have to worry about a thing?
[Diagram: data processing on cloud, between customer and cloud provider]
Unfortunately not... Practical processing operations on encrypted data are not possible.
Example incident
o First 3 days of having account, management interface down for 2 whole days with no reporting (resource exhaustion, isolation failure? High value assets)
o Account compromised because forced to share credentials between multiple parties (key/credential management)
o Account cancelled without notice (loss of governance)
o Could not get data out, including backups (lock-in)
o Customers lose data (legal risks)
So how do I figure out which provider to trust?
Cloud Information Assurance Framework
Increasing transparency through a minimum baseline for:
o Comparing cloud offers
o Assessing the risk to go Cloud
o Reducing audit burden and security risks
From Cloud Information Assurance Framework Comparing Offerings To CAMM: Common Assurance Maturity Model
ENISA Assurance Framework / Common Assurance Maturity Model
MISSION: An objective framework to rate the capability of a solution to deliver information security across the supply chain
Common Assurance Maturity Model
A minimum baseline for:
o Comparing cloud offers
o Assessing the risk to go Cloud
o Reducing audit/procurement burden and security risks
Example controls
6.1 Network architecture controls
6.1.1 Well-defined controls are in place to mitigate DDoS (distributed denial-of-service) attacks, e.g.
  o Defence in depth (traffic throttling, packet black-holing, etc.)
  o Defences are in place against internal (originating from the cloud provider's networks) attacks as well as external (originating from the Internet or customer networks) attacks.
6.1.2 Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.
  o The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).
In practice
o Our framework is being used for applying common procurement guidelines among European Agencies.
o See next presentation for other government use cases.
o Next year we will expand it to other use cases.
ENISA materials: ENISA Deliverables and Ongoing Activities
o Cloud Computing: Benefits, Risks and Recommendations for Information security (2009) http://is.gd/cem9h
o Assurance framework (2009)
o Research Recommendations (2009)
o Common Assurance Maturity Model (CAMM) consortium (2010)
o Gov-cloud security and resilience analysis (2010)
o 2011 (proposed): procurement and monitoring guidance for government cloud contracts.
Contact and Questions Email: Giles.hogben[?]enisa.europa.eu?