Cloud Computing Business, Technology & Security. Subra Kumaraswamy Director, Security Architecture, ebay




Cloud Computing: Business, Technology & Security. Subra Kumaraswamy, Director, Security Architecture, ebay. COT2010, 29 June 2010

Cloud Computing: Evolution, not a Revolution

What's Driving Interest in Clouds?
- Lower costs
- Business agility

Cloud Virtues
- Economics, developer centric, flexibility
- Pay-as-you-go, op-ex vs. cap-ex, SLA
- Virtualization, rapid self-provisioning, faster deployment
- API-driven, standard services
- Elastic, on-demand, multi-tenant

What is Cloud Computing?
- Compute as a utility: the third major era of computing
- Cloud enabled by: Moore's Law, hyperconnectivity, SOA, provider scale
- Key characteristics: elastic & on-demand, multi-tenancy, metered service
- Disrupts everything!

Cloud computing goals at ebay
1. Increase business agility and innovation and reduce time to market by providing a deployment environment in minutes.
2. Reduce infrastructure cost by improving efficiency through resource sharing and automation.
3. Provide a scalable e-commerce platform to the ebay developer community to deploy applications leveraging ebay commerce services.

The Private/Public Cloud Dilemma
- Enterprises under pressure to act now, in a pre-standards era
- Risk of lost investment; inability to securely manage multiple clouds
- Need for standards and guidance: orchestration of VMs, federation between hybrid clouds, comprehensive hardening

Cloud Adoption Trend (chart). Source: Sand Hill Group "Leaders in the Cloud" research study

Cloud Pyramid of Flexibility
- Security controls move up the stack and are embedded!
- Less control = less responsibility; more control = more responsibility

Cloud Security Remains a Significant Concern
- Rogue cloud administrator
- Drive-by malware
- Melted perimeter
- Controls not portable
- Data leakage & IP theft
- DDoS attacks
- Multi-tenancy & data mingling
- No transparency
- Compliance, governance
- Man-in-the-browser
- OWASP Top 10
Sources: VeriSign, Computerworld

Business Wants To Be Agile! Faster pace of innovation: agile and secure!
- Consolidate services
- Customer self-service
- Rapidly meet evolving business requirements; iterate in hours
- Deliver more robust customer service within budget constraints
- Empowered: DevOps

Potent Combination: Mobile + Cloud (chart of cloud services accessed)
- Authorized public cloud services: 21%
- Private cloud service: 22%
- Unauthorized public cloud services: 28%
- Private cloud services: 29%
Risk areas: corporate-owned devices, personally-owned devices.
* Cloud services = information stored in SaaS, PaaS, IaaS

Key Cloud Security Problems (from CSA Top Threats research)
- Trust: lack of provider transparency impacts governance, risk management and compliance
- Data: leakage, loss, or storage in an unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks

What do you mean by Cloud Security? Infrastructure security? Virtualization security? Application security? Threats? Compliance? Risks? It's all about the confidentiality, integrity and availability of data assets and intellectual property in the cloud.

Components of Information Security
- Security management services (our responsibility):
  - Identity services: AAA, federation, delegation, provisioning
  - Management: patching, hygiene, controls, governance, policy
- Information security (data): encryption (in transit, at rest, in processing), lineage, provenance, remanence
- Infrastructure: application-level (PaaS, IaaS), OS-level, host-level, network-level

Rights for Cloud Computing Services (Gartner)
1. The right to retain ownership, use and control of one's own data
2. The right to service-level agreements that address liabilities, remediation and business outcomes
3. The right to notification and choice about changes that affect the service consumers' business processes
4. The right to know what security processes the provider follows
5. The right to understand the technical limitations or requirements of the service up front
6. The right to understand the legal requirements of jurisdictions in which the provider operates

Security-as-a-Service: Why?
- Allows the organization to focus on its core business
- Subscription model (pay as you go, per user, per time)
- Lower rollout cost; no additional IT overhead
- Rapid deployment and implementation
- Compliance requirements (audit trails, archiving, logging)
- Manage risk with audit, SLAs, standards

Security-as-a-Service offerings
- Threat Management-as-a-Service: antivirus, malware, spam, vulnerability management, web content filtering in the cloud
- Intelligence-as-a-Service
- Identity-as-a-Service (IdaaS)
- In progress:
  - Key Management as a Service
  - Attribute as a Service (attribute provider)
  - Data Masking/Encryption as a Service
  - Business Continuity as a Service
  - Data Leak Prevention as a Service

Security Considerations
- Data storage model and architecture (encryption)
- User account management (provisioning, roles, permissions)
- Identity management (single sign-on)
- Security process and certifications (SAS 70, SSAE 16, ISO)
- Backup, recovery & business continuity
- Security controls: authentication, access control, encryption, data leakage prevention, data masking, integrity checking and secure deletion

Cloud Security Reference Architecture (table of security layers; each item is marked on the slide as either Cloud Provider or You Control, with columns Definitions and Operational Effectiveness)
- Network security: DoS protection, transport security, load balancer
- Host: hypervisor security, host isolation, IDS, configuration management
- Application: IDM, monitoring and incident response, web application firewall, encryption/tokenization to protect regulatory data, user management, application patching
- Policies: information security management system, risk management, application patch management, audit, certification

Move Away from a One-Size-Fits-All Risk Model (Agility vs. Risk)
Risk strategy items on the slide, from the high-risk/low-agility end to the high-agility/low-risk end: govern, monitor, pen testing, compliance, security consulting, controls reviewed and certified, ticket based, bolt-on security, pre-approved patterns and libraries, automate security controls, data driven, self certified, periodic audit, coarse policy.
Items in the ellipse on the slide are actions that mitigate risk while maintaining agility.

Security Life Cycle in the Cloud SDLC (common model: Design, Deploy, Manage)
- Roles: white box tester, infrastructure/platform security architect, ops security access control engineer, pen test engineer, forensics engineer, cloud identity & access architect, cloud governance manager, threat modeler, security operations
- Self-service security automation defined by Architecture
- Security controls (preventive, detective) verified based on data sensitivity
- Reduce human errors by enabling automation
- Access controls assigned to apps and users in an automatic fashion
- Whitebox and pen testing of applications during development
- Security operations: SIEM, investigation support via self-service tools

Next Steps?
1. Evaluate the feasibility of a cloud-based approach for your applications based on security, privacy, compliance and availability requirements
2. Understand the cloud provider's protection methods used to secure data in transit and at rest
3. Define security boundaries and responsibilities; identify the risks and success factors of cloud-based service delivery to your organization
4.

Goal: Enable Trust. Security, privacy, policy, reputation, auditability, reliability, compliance, assurance. Sources: VeriSign, Computerworld

Q&A. Subra Kumaraswamy, ebay. Twitter: @subrak

Keeping It Real: What are the realistic threats to cloud services?
- Operational security breakdown
  - Scaling security processes to various deployment models
  - Need to plan your security process from the start:
    - Hardening
    - Identity and access management
    - Policy based on data sensitivity and other compliance requirements
    - Logging
    - Rate limiting
    - Application identification
    - Distribution of secure files
    - Forensics and IR

Keeping It Real: Cloud computing collapses technology and functional layers
- Automation and shared responsibility can cause anxiety for governance, residency and compliance
- Lack of transparency from the provider:
  - Where is your data?
  - Who has access?
  - Who controls and manages keys?
  - How is sensitive data accessed (User->App, App->App)?
- Human errors and misuse of new cloud technologies
  - Security models of new technologies aren't well understood, e.g.:
    - Access control in Hadoop
    - Security zones in AWS
    - vShield zones in a VMware-based cloud
  - Downgrading security via change, intentional or unintentional

Keeping It Real: What are the realistic threats to cloud services?
- Loss of credentials via attacks against individuals and services
  - Spear-phishing
  - Insider victimized: malware, rubber hose
- Gaining access to cloud resources:
  - Unprotected VM
  - Weak access control of persistent storage (EBS, SDB and S3)
  - Cloud management consoles: the keys to the kingdom
  - Bad guys get access to cloud resources to launch attacks
  - Less granular access privileges
- Attackers don't automatically get access to:
  - Running machine state/memory
  - Non-persistent storage
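As an added illustration of the "weak access control of persistent storage" item above (this code is not from the presentation), the following Python script reviews a constructed S3 bucket policy and flags every Allow statement that an anonymous principal can use; the bucket name, account id and VPC endpoint id are placeholders.

```python
# Added example (not from the slides): flag S3 bucket-policy statements that an
# anonymous ("*") principal can use, i.e. the "weak access control of persistent
# storage" risk the slide names. Standard library only; the policy is constructed.
import json

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} grants access to anyone on the internet.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def find_public_grants(policy_json):
    """Return (Sid, sorted actions, severity) for each Allow statement an anonymous
    principal can match; a Condition may narrow it, so those are rated "review"."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            severity = "review"
        elif actions & WRITE_ACTIONS:
            severity = "critical"   # anyone can write or delete objects
        elif actions & READ_ACTIONS:
            severity = "high"       # anyone can read or list objects
        else:
            severity = "low"
        findings.append((stmt.get("Sid", f"stmt-{idx}"), sorted(actions), severity))
    return findings

# Constructed sample policy (account id and VPC endpoint id are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
]})

if __name__ == "__main__":
    for sid, actions, severity in find_public_grants(SAMPLE_POLICY):
        print(f"{severity:8} {sid}: {', '.join(actions)}")
```

The same check applies to the policy document returned by the provider's API for a real bucket; statements rated "review" still need a human to confirm the Condition actually limits the grant.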

4 Cloud Deployment Models
1. Private cloud (e.g. Azure Private Cloud): enterprise owned or leased
2. Community cloud (e.g. Google Govt. Cloud): shared infrastructure for a specific community
3. Public cloud (e.g. Azure Public Cloud, Amazon, Salesforce, Google): sold to the public, mega-scale infrastructure
4. Hybrid cloud (e.g. Azure Private + Public Clouds): composition of two or more clouds

3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider's applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
To be considered cloud, they must be deployed on top of cloud infrastructure that has the key characteristics.

Barriers to Cloud?

Cloud Deployment Technical Considerations
- Service provider architecture
- SLA: latency
  - Protocols supported, communication overhead
  - Bandwidth availability
- Data security, privacy, compliance
  - Encryption of data in transit
  - Encryption and masking of data at rest
  - Can the service provider meet the compliance requirements?
- Availability and business continuity
  - Redundancy

The Capability Delivery Road Map (capability over time: Today, 1 year, 2 years, 3 years)
- Today: tools & process gap analysis; Security in Cloud portal
- Strategize & Architect: deliver a security automation strategy; security architecture for standalone public, private & hybrid cloud use cases; developer awareness
- Enable & Automate: security automation for cloud use cases; deliver security standards and procedures for private, hybrid and public cloud use cases; pilot security tools in self-service models; core security services defined; integration with 3rd-party services for SSO
- Repeatability and Scalability (Security-as-a-Service): all operational and governance processes well defined for cloud operations in public and private models; self-service portals for vulnerability management and app risk assessment; API for security services; security testing integrated into the SDLC in the cloud