Cloud Computing: Opportunities, Challenges, and Solutions
Jungwoo Ryoo, Ph.D., CISSP, CISA
The Pennsylvania State University
What is cloud computing?
- What are some of the keywords?
- How many of you cannot think of anything?
10/28/2015 jryoo@psu.edu
Essential Characteristics
- Rapid provisioning
- Minimal
  o Management effort
  o Service provider interaction
- Scalability, but
  o Multi-tenancy
Essential Characteristics II
- On-demand self-service
- Rapid elasticity
- Broad network access
- Measured service
  o Metering
- Resource pooling
What is cloud computing?
- A model for enabling
  o Ubiquitous
  o Convenient
  o On-demand
  network access to
- A shared pool of configurable computing resources
Source: SP 800-145 by the National Institute of Standards and Technology (NIST), 2011
Types of Clouds According to Uses
- Software as a Service
  o SaaS
- Platform as a Service
  o PaaS
- Infrastructure as a Service
  o IaaS
Types of Clouds
- Public cloud
- Private cloud
- Community cloud
The Bad News
- Many of the characteristics that make cloud computing great also
  o Make it less secure
  o Present extra security challenges
The Bad News II
- Problems
  o Countermeasures
    - Traditional security controls are ineffective
  o Evaluation of the security of cloud services
    - Conventional security auditing approaches are insufficient
Goals
- Security challenges specific to cloud computing
- What is available for cloud security
  o Standards
  o Technologies
- Guidance for Cloud Service Users (CSUs)
  o What to look out for
Cloud Security Challenges
Root Causes
- Scale
  o The sheer number of VMs
- Scope
  o New types of technologies
    - Security of hypervisors
  o Intangible and logical
    - Virtual switches
    - Virtual routers
Root Causes II
- Complexity: more time and resources to properly manage security
  o Scale + scope
  o Third-party involvement
  o Colocation via multi-tenancy
  o Cross-border concerns: the importance of the physical location of data
    - Compliance requirements for varying laws and regulations
Financial Industry-Specific Causes
- More end user traffic
  o Online banking
- Diversity of devices
  o PC, mobile, tablet, etc.
- Various network types
  o Public Wi-Fi, 4G, etc.
More Stringent Requirements
- Availability
  o 24/7
- Accessibility
  o End user-driven access control
- Confidentiality
  o Encryption
Bottom Line
- Knowing what to look for is critical!
  o In addition to the traditional IT security checklist
Transparency
- Quality of Service (QoS) information
  o Availability?
- Incidents
- Certifications
- Policies
- Controls
Transparency II
- Subcontractors
- Location of data
- Privacy
  o Government surveillance
- Legal and liability issues
  o For example, service outages
Transparency III
- Does the contract or Service-Level Agreement (SLA) include a transparency clause?
- Proper propagation of risk knowledge is the key!
Encryption
- Who encrypts the data?
  o CSU
  o CSP
    - By default (e.g., Amazon S3)
  o Third-party encryption service
- Who keeps the key?
- How much to encrypt?
Encryption II
- Tradeoffs
  o Security vs. cost
    - Fully homomorphic encryption
  o Security vs. usability
  o Security vs. performance
  o Security vs. complications associated with external auditing efforts
Colocation
- Sharing cost savings, but
- Sharing more security vulnerabilities
  o Access to the physical hardware
    - Especially in the context of IaaS
  o Hypervisor vulnerabilities
    - Xen, VMware, Virtual Server, Kernel-based Virtual Machine (KVM), PowerVM, etc.
Colocation II
- Countermeasures
  o Proper cloud segmentation environments
    - Separate physical servers
    - Dedicated virtual servers
    - Logical partitions and separate database servers on the same VM without sharing disk storage
Cloud Security Solutions
The Good News
- Newly emerging standards and guidelines to evaluate CSPs
  o How well they are dealing with cloud-specific security challenges
Cloud Security Standards

Standard                      | Type                                             | Strength                                        | Sponsoring organization
SOC                           | Audit for outsourced services                    | Technology-neutral                              | AICPA
ISO/IEC 27017                 | Cloud-specific                                   | Technology-neutral                              | ISO
Cloud Security Alliance (CSA) | Cloud-specific                                   | Technology-neutral but still providing guidance | CSA
PCI-DSS                       | PCI-qualified security assessor cloud supplement | Dedicated to cloud security auditing            | PCI-DSS
NIST 800-144                  | Cloud-specific                                   | Technology-neutral                              | NIST
Additional Reading
- J. Ryoo, S. Rizvi, W. Aiken, and J. Kissell, "Cloud Security Auditing: Challenges and Emerging Approaches," IEEE Security & Privacy, vol. 12, no. 6, pp. 68-74, 2014.
Any Questions?
- Contact information
  o jryoo@psu.edu