IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011
Cloud Basics
Cloud Basics The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I don't understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. Larry Ellison CEO Oracle
Cloud Basics Cloud Computing NIST Definition: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction There are Public and Private clouds
Cloud Basics Five Key Cloud Attributes: 1. Shared / pooled resources 2. Broad network access 3. On-demand self-service 4. Scalable and elastic 5. Metered by use
Cloud Basics One of the most distinguishing characteristics of cloud computing architecture is its close dependency on the hardware components. An online application is just a simple application that could be launched in different servers but when the application is considered with cloud computing, it will require massive data centers that will ensure the processes are done as expected and timely. Exforsys Inc. Large Requirements for Dependability, Availability, and Performance Bandwidth Housing Hardware and Software Performance Competency of the Service Provider Certified Security
Cloud Basics Have to have acronyms: SaaS (Software as a Service): Are applications that are used in the cloud by different enterprise. They already have predefined functions and the enterprise would only need to adapt to these functions. PaaS (Platforms as a Service): Provides the basic platform wherein developers and the enterprise have to design from the scratch or the preloaded functions. IaaS (Infrastructure as a Service): Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications
Cloud Basics IBM Cloud Service Reference Architecture [2]
Cloud Risk Components...Providers Many companies are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease. Customers want to outsource IT Security to cloud provider Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important. Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud. IT Security is not brought into the decision of how & when the company uses clouds High availability will be a key concern.
Cloud Risk Components...Users Above everything else, cloud computing must protect its users. There are two ways to ensure cloud computing security: restrictive user access and certifications. Restrictive access Applications in cloud computing should use more than private infrastructure access controls. Like what? Certifications are also important for user certification. Developers have to open their application to security specialists or companies that provide certifications for security to assure users that the application has been fully tested against different types of attacks.
Cloud Risk Components...Developers Vision - Security as a Service Goal - Automate compliance through security services provided by cloud provider Security APIs/tools mapped to specific controls Customers could subscribe to tools/services to meet compliance requirements When setting up new project in cloud Customers assert nature of data they will use Cloud responds with list of APIs/tools for customers to use
Cloud Security Architecture Cloud architecture abstracts resources at several levels Application and operating system level via images and hypervisors Hardware location level via compute manager and compute nodes Network level (via virtual networks, VLANs, VPNs) Each cloud service type needs an architecture that will optimize that type of service delivery
Hybrid Cloud Management, Security and Integration From the Enterprise Client s perspective: Management of workloads running offpremise on clouds Trusted Cloud Security for Hybrids Public Cloud Control security and resilience of services (identity management, compliance, isolation) Integration (Connectivity) of hybrid applications & information On-premise to off-premise business application connectivity & governance Information exchange across the enterprise and clouds Enterprise Resources Enterprise Management, & Governance of Cloud software, applications, workload
Cloud Security Architecture Identity Management and Provisioning Network security services Secure by default User/process rights management Fine-grained application privileges Role-based access control (RBAC) for administration Multi-level security and Mandatory Access Control Cryptographic service (for traffic and data when necessary)
Cloud Security Architecture With cloud, you lose a little bit of physical control but not your ownership Design with Security in mind Create distinct Security Groups for each application layer Use group-based rules for controlling access between layers Restrict external access to specific IP ranges Encrypt data at-rest if needed Encrypt data in-transit (SSL) Consider encrypted file systems for sensitive data Use MultiFactor Authentication
Cloud Foundations - Internet Network technologies are making the cloud concept a viable computing model Comes from the early days of the Internet where we drew the network as a cloud we didn t care where the messages went the cloud hid it from us Kevin Marks, Google It is what we might really want the cloud to be. We don t really want to care what or how it happens as long as we get our services and information.
Cloud Model Best Fit Private cloud - enterprise owned or leased Community cloud - shared infrastructure for specific community Public cloud - Sold to the public, mega-scale infrastructure Hybrid cloud - composition of two or more clouds
Part 2
Cloud Inevitability Dan Farber, Editor in Chief CNET News We are at the beginning of the age of planetary computing. Billions of people will be wirelessly interconnected, and the only way to achieve that kind of massive scale usage is by massive scale, brutally efficient cloud-based infrastructure. Tim O Reilly, CEO O Reilly Media I think it is one of the foundations of the next generation of computing The network of networks is the platform for all computing Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building
Cloud Components Controls and Security OSA IT security architecture patterns
Cloud Outsourcing (www.jerichoforum.org)
Cloud Outsourcing Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks
Cloud Outsourcing Advantages Rapid reconstitution of services Enables availability - Provision in multiple data centers / multiple instances (you might not be able to afford that on your own) Advanced honey net capabilities Challenges Impact of compromising the provisioning service
Cloud Outsourcing If you are not an IT company why spend so much on it? Negotiate your IT Infrastructure services in the cloud And maybe your applications too ( if they are out of the box) Just pay for what you need (can you really afford a firewall guy?) Do only what you have to internally (custom applications or trade secrets) You have to trust someone else for most of your IT Security services (but maybe they can do it better and more efficiently than you?)
Cloud In sourcing High density virtual systems are proving to be more efficient and cost effective than banks of hundreds or thousands of servers Private clouds are proving to be easier to manage (if well understood) and very flexible They are still only as secure as your security skill sets allow
Cloud Risk Expectations Sun Microsystems CTO Greg Papadopoulos Users will trust service providers with their data like they trust banks with their money Hosting providers [will] bring brutal efficiency for utilization, power, security, service levels, and idea- todeploy time CNET article Becoming cost ineffective to build data centers Organizations will rent computing resources Envisions grid of 6 cloud infrastructure providers linked to 100 regional providers (ha ha ha ha ha!!!!!) a little too optimistic for me
Cloud Risk Expectations https://cloudsecurityalliance.org/csaguide.pdf
Cloud Privacy and Compliance Issues with moving PII and sensitive data to the cloud Privacy impact assessments Using SLAs to obtain cloud security Suggested requirements for cloud SLAs Issues with cloud forensics Contingency planning and disaster recovery for cloud implementations Handling compliance FISMA HIPAA SOX PCI SAS 70 Audits
Cloud Privacy and Compliance
Cloud IT Architecture for Security
Cloud IT Architecture for Security
Cloud IT Architecture for Security Some key issues: trust, multi-tenancy, encryption, compliance Clouds are massively complex systems can be reduced to simple primitives that are replicated thousands of times and common functional units Cloud security is a tractable problemthere are both advantages and challenges Former Intel CEO, Andy Grove: only the paranoid survive
Cloud IT Architecture for Security General Security Advantages Shifting public data to a external cloud reduces the exposure of the internal sensitive data Cloud homogeneity makes security auditing/testing simpler Clouds enable automated security management Redundancy / Disaster Recovery
Cloud IT Architecture for Security General Security Challenges Trusting vendor s security model Customer inability to respond to audit findings Obtaining support for investigations Indirect administrator accountability Proprietary implementations can t be examined Loss of physical control