Privacy, Security and Identity in the Cloud. Giles Hogben ENISA

Similar documents
ENISA Cloud Computing Security Strategy

Cloud computing: benefits, risks and recommendations for information security

How to procure a secure cloud service

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud Computing An Elephant In The Dark

EXIN Cloud Computing Foundation

Security and Privacy in Cloud Computing

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Cloud Computing for SCADA

Cloud Computing Governance & Security. Security Risks in the Cloud

How cloud computing can transform your business landscape

Cloud Courses Description

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

How To Protect Your Cloud Computing Resources From Attack

Cloud Computing. Benefits and Risks. Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT

Information Security Basic Concepts

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Computing Security ENISA. Daniele Catteddu, CISM, CISA. DigitPA egovernment e Cloud computing.

Cloud Courses Description

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Electronic Records Storage Options and Overview

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II

Security and Data Protection for Online Document Management Software

Data In The Cloud: Who Owns It, and How Do You Get it Back?

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald

Proactively Secure Your Cloud Computing Platform

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

A Survey on Cloud Security Issues and Techniques

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

THE POWER OF THE CLOUD IS CLOSER THAN YOU THINK. Michael Lee Aaron Saposnik SWC Technology Partners

white paper Using WAN Optimization to support strategic cloud initiatives

How cloud computing can transform your business landscape.

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

What Is It? Business Architecture Research Challenges Bibliography. Cloud Computing. Research Challenges Overview. Carlos Eduardo Moreira dos Santos

How to ensure control and security when moving to SaaS/cloud applications

Security Issues In Cloud Computing And Their Solutions

Seminar: Security Metrics in Cloud Computing ( se)

The Elephant in the Room: What s the Buzz Around Cloud Computing?

NCTA Cloud Architecture

CS573 Data privacy and security in the cloud. Slide credits: Ragib Hasan, Johns Hopkins University

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

SHARPCLOUD SECURITY STATEMENT

What Cloud computing means in real life

Cloud Computing. What is Cloud Computing?

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Building Blocks of the Private Cloud

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

THE BLUENOSE SECURITY FRAMEWORK

Evaluating IaaS security risks

10 Hidden IT Risks That Threaten Your Practice

How To Understand Cloud Computing

Sky high translation technology Balázs Kis Kilgray Translation Technologies

Cloud Security Who do you trust?

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Cloud Computing An Auditor s Perspective

AskAvanade: Answering the Burning Questions around Cloud Computing

Secure Identity in Cloud Computing

CLOUD COMPUTING. DAV University, Jalandhar, Punjab, India. DAV University, Jalandhar, Punjab, India

Fujitsu Managed Hosting Delivers your Cloud Infrastructure as a Service environment with confidence

FEDERATED CLOUD: A DEVELOPMENT IN CLOUD COMPUTING AND A SOLUTION TO EDUCATIONAL NEEDS

IBM EXAM QUESTIONS & ANSWERS

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Top 10 Cloud Risks That Will Keep You Awake at Night

About me & Submission details

Managing Cloud Computing Risk

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Enterprise level security, the Huddle way.

WhitePaper. Private Cloud Computing Essentials

Secure Cloud Computing through IT Auditing

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Cloud computing. Examples

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Computer Forensics and Incident Response in the Cloud. Stephen Coty AlertLogic, AlertLogic_ACID

Demystifying Cloud Computing Graham McLean

Credit Unions and The Cloud. By: Chris Sachse

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

Transcription:

Privacy, Security and Identity in the Cloud Giles Hogben ENISA

What s new about Cloud Computing? Isn t it just old hat?

Larry Ellison, CEO, Oracle The interesting thing about cloud computing is that we ve redefined cloud computing to include everything that we already do... The computer industry is the only industry that is more fashion-driven than women s fashion. I don t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. Maybe I m an idiot, but I have no idea what anyone is talking about. What is it? It s complete gibberish. It s insane. When is this idiocy going to stop?

Of course it s OLD HAT!

LOTS AND LOTS of old hat, put together with some very clever resource distribution algorithms To make NEW Hat

What is Cloud Computing? A service model for IT provision based on virtualization and distributed computing technologies: Highly abstracted resources Scalability and Flexibility Shared resources (hardware, database,memory, etc...) Service On demand with a pay as you go billing system Key points - on-demand, pay-as-you-go resources + *aas

Overview What is it? What is ENISA doing with it? SME migration egovernment/ehealth Resilience What are the implications for eidentity? Where can I go for dinner?

Is it all hype?

ENISA Study Risk Assessment of Cloud Computing Technologies Aimed At: European Policymakers: research policy. European Policymakers: economic incentives, legislation, awareness-raising. Business leaders to evaluate the risks and mitigation strategies. Individuals/citizens to evaluate the cost/benefit of using consumer cloud apps.

Process Scenario description - selected scenarios: SME Migration Resilience Government ehealth Analysis of risks (Assets, Vulnerabilities, Threats) Recommendations Using ENISA Emerging and Future Risk Framework

Our Expert Group Amazon Avenade BT Bologna University Cisco Systems Cloudsecurity.org (Craig Balding) Fujitsu Labs Europe Spire Security Google HP IBM Microsoft Reservoir Project Symantec Cloudsecurity.org (Craig Balding) The Israeli Association of GRID Technologies (IGT) UCL Virtualisation.info + Liason with CSA (Cloud Security Alliance)

SME Scenario Security risks for an SME migrating to the cloud. Important concern for many SME s. Scenario based on a rough survey of the concerns and cloud usage pattern of SME s.

SME s - Reasons for adoption

SME s - Business Processes Considered

SME s: Main Concerns

Clean Future: Company Profile Name: Clean Future Business Sector: photovoltaic business. The company produces and supplies complete solar and photovoltaic systems and key components for solar systems and heating Base in Germany with 3 branch offices in Europe Clean Future employs 93 people and a variable number (between 10 and 30) of contractors (interim agents, sales representatives, consultants, trainees, etc.).

IT and Security requirements More flexibility and scalability: Variable needs for IT services, employees, partners/suppliers Sudden changes in the market Possible cooperation with Research Centre, enlargement. Business Continuity and Disaster Recovery A test-bed for assessing new applications Business efficiency and innovation capacity

Federated ID Management Clean Future Cloud Provider 3 IaaS Cloud Provider 2 PaaS Cloud Provider 1 SaaS Customers Contractors Partners Service Request Authentication Authorization Service Delivery Service Request C-C-P Authentication 2 Authorization Service Delivery C-C-P

Progress so far: Resilience Scenario Resilience: The ability of a system to provide & maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused) affecting normal operation.

Resilience Scenario Effects of using a cloud computing infrastructure on resilience of a service where high availability, reliability, integrity and confidentiality are crucial to the business model. Focus on resilience against DDoS Natural Disaster Misuse of platform

XK-Ord Real-time price data and charts for goods in purchasing portals Historical data for use in price-prediction and analysis Order histories and stock control reports for companies. Real-time currency conversion and FX histories Provides up to date SOX & EU anti-monopoly trading reports Financial data for more complex applications.

Requires High reliability of: Latency Request fulfilment Database queries and result presentation Web server fulfilment of http requests. TCP/IP infrastructure. Data integrity Confidentiality

Scenario characteristics 2007 traditional infrastructure Typical data centre managed by XK Multi-homed SAN off-site backup No SLA 2012 cloud infrastructure Shared resources (including network, filtering etc...) with smart management algorithms. Faster and cheaper scaling of resources SLA of XK and cloud provider Cloud disaster recovery

Stratocumulus XK Cumulonimbus Client Financial Data Provider Security Sevices Payment info Authentication request Authorisation Control Message Service request Service provision Service violation reports Data request State Backup Data response Logs Control Messages Tickets

ehealth Scenario In partnership with UK National Health Service (Connecting for Health) Special requirements for egovernment/sensitive data. E.g. Data must not leave the UK. Initial scenario remote monitoring: Home devices are running on the cloud using IaaS. The services running at the monitoring center are running on the cloud using IaaS. Monitored data is also stored in the cloud using Database as a Service (DaaS). The various ehealth service providers are using cloud computing infrastructures.

ehealth Scenario Home Patient with Multiple Chronic Disease b. Personalised ehealth Prevention and Intervention Service Composition ehealth Service Providers a. Monitoring c. Interaction Multimodal and Adaptable user interface Cloud Computing Infrastructure and services Federation Cloud Computing Infrastructure and services

Cloud Identity Food for Thought Who Am I?

Identity provisioning and deprovisioning Multiple cloud providers synching with the enterprise directory is not scalable. Connection to enterprise leaves a single point of failure. De-provisioning of identities is even less scalable since time lags are a window of opportunity for attackers.

A driver for Federated Identity FIM is the only solution which scales to the cloud. FIM providers can also manage key distribution. FIM applications themselves (except key storage) can be run using cloud infrastructure. Cloud-based IdP gives more resilience of overall system.

Key Management (and data security) Key management is (currently) the responsibility of the cloud customer. Key provisioning and storage is usually offcloud Encrypting data on-cloud so that the cloud provider can t read it is (very) hard!

Data storage and processing without security guarantees? Alternative 1. HARD TO IMPLEMENT! Customer Cloud Try to encrypt all operations to hide them from the untrusted hardware

Data storage and processing without security guarantees? Alternative 2. Customer Cloud Secure area guaranteed by cloud provider Use a secure area with security guarantees provided by cloud provider

Data storage and processing without security guarantees? Alternative 3. Customer In the cloud provider we trust... (maybe using 3 rd party certificates) Trust the cloud provider

Key management 2 Key storage and provisioning almost impossible to do on-cloud with current technologies HSM s don t scale to the cloud PKCS#10,11 don t talk cloud Revocation is even more complicated... Need new crypto and key management standards and solutions adapted to cloud paradigm.

Drawbacks of current implementations Amazon One Key per account doesn t scale to multiple accounts/account holders. Data security - no alternative but trusting the brand. External pen testing not permitted. External audit not permitted. Very limited logs available. Usually no forensics offered (ghosting a ghost Craig Balding). No idea of actual location/jurisdiction of data.

The cloud as an anonymous attack platform Poor identity verification makes cloud platforms vulnerable to use as attack platforms. This affects all users. Password cracking DDoS Captcha breaking. IP ranges blocked for other users.

Other Data protection issues Jurisdiction hell (E.g. UK NHS has a requirement that data does not LEAVE the UK) Hunt the Data Controller Vulnerable to hypervisor layer attacks on virtual machines. No known compromise without access to the hypervisor at this time. BUT any attacks on hypervisor (even internally) are extremely high impact. (See http://invisiblethingslab.com/bh08/part3.pdf)

Somebody else s problem (SEP) Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon s services (Thanks to Craig Balding for spotting this)

Amazon AWS ToS YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA. You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.

Key take-aways Watch out for the results of ENISA s cloud security study out in Oct/Nov (http://www.enisa.europa.eu) The cloud cannot work without federated identity providers. Data protection in the cloud be careful and read our recommendations! Key management in the cloud needs a new approach.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information