Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration No. 07272922 Registered Office Southgate House 88 Town Square Basildon SS14 1BN.
Cloud Computing 2 Cloud computing is relatively new as a business concept but already organisations are converting to cloud computing architecture. As with any new concept, business or technological risks arise that must be considered. So what is cloud computing? Client-server model using web browser protocols The Cloud provides server-based applications The cloud provides all data services to the user Output is provided to the user client device via web browser. For example: User wants to create a word-processing document User starts a browser session and logs into the cloud service and selects wordprocessing Cloud service application server starts word-processing session Users machine is only used for input and output via the browser All computations, changes and data storage are done in The Cloud Service provider may pool resources of many computers in the cloud to achieve resource intensive tasks
Cloud Computing Layers 3 There are three layers of cloud computing that are commonly referred to which are: Infrastructure as a Service (IaaS) Delivers computer infrastructure Typically a platform virtualisation environment Organisation purchases a fully outsourced service Platform as a Service (Paas) Typically delivers a platform and solution stack Offers deployment of applications without hardware cost & complexity of management May include application design and implementation Software as a Service (SaaS) Provides on-demand software Application & data hosted centrally Accessed by browser (often on thin-client device)
Cloud Computing Models 4 In addition to layers of cloud computing there are different models: Public Cloud Community Cloud Hybrid Cloud Private Cloud Resources dynamically provided, self-service basis over the internet Delivered from an offsite third party provider Billed on a utilitycomputing basis Established when several organisations have similar computing requirements & seek to share infrastructure May offer better levels of security (C & I) than public cloud (e.g. Google s Gov.Cloud) Use part public and part private clouds Often used for archiving and backup solutions Organisation still ahs to build & manage the private cloud A simple extension of existing client-server architecture managed by a single organisation Typically uses a shared services model (see earlier section)
Cloud Computing Definitions 5 "Cloud Computing" - Internet based computing whereby shared infrastructure, resources, software and information are provided to computers on demand [source: Wikipedia] "Provider" - The organisation(s) providing cloud computing services. "Organisation" - The organisation receiving and utilising cloud computing services from a "provider". "Infrastructure as a Service (IaaS)" - Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer organisation the ability to deploy and run arbitrary software including operating systems and applications. IaaS puts these IT operations into the hands of a third party. [source: ISACA Across Cloud Computing Governance & Risks - May 2010] "Platform as a Service (PaaS)" - Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. [source: ISACA Across Cloud Computing Governance & Risks - May 2010] "Software as a Service (SaaS)" - Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser (e.g. web-based e-mail). [source: ISACA Across Cloud Computing Governance & Risks - May 2010]
Cloud Computing Security Issues 6 There are a number of issues relating to cloud computing: Privacy - Infrastructure, platform, applications & data controlled and managed by third party service providers who can monitor (lawfully or unlawfully) the communications and data. Compliance In order to comply with legislation & regulation, community or hybrid models may need to be used that are typically more expensive and may offer restricted benefits. US FISMA, HIPAA, SOX EU DPD UK DPA, OSA Global PCI DSS Legal Increase in trademarking of cloud computing terminology, use of proprietary platforms & restrictive business practices (e.g. Google Vs US Dept Interior relating to public sector procurement). Also issues exist around intellectual property rights (IPR) modelling within the cloud. Security Traditional protection mechanisms need to be reconsidered. Unease around letting go of control of security to a third party. These Concerns are delaying its wider adoption as organisations seek to understand all the implications
Cloud Computing Provider Selection 7 In 2008 Gartner identified the following 7 risks organisations should consider when selecting a cloud computing provider: 1. Privileged user access. Outsourced services bypass the "physical, logical and personnel controls" IT departments exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," 2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," Source: Gartner: Seven cloud-computing security risks (July 2008)
Cloud Computing Provider Selection 8 3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted (even which country) In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers. 4. Data segregation Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. Find out what is done to segregate data at rest. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. Source: Gartner: Seven cloud-computing security risks (July 2008)
Cloud Computing Provider Selection 9 5. Recovery. A cloud provider should tell you what will happen to your data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. Ask your provider if it has "the ability to do a complete restoration, and how long it will take." 6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible Source: Gartner: Seven cloud-computing security risks (July 2008)
Cloud Computing Provider Selection 10 7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company but you must be sure your data will remain available even after such an event. Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application. Gartner Says: Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing Demand transparency avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms and about the level of testing that's been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities. Source: Gartner: Seven cloud-computing security risks (July 2008)
Cloud Computing Risk Comparison 5-11 Many of the risks that exist around a classical organisational IT infrastructure and service provision exist in a cloud computing environment They are just out there instead of in here Confidentiality The same issues around confidentiality exist with the added concern as above that there is some degree of loss of control. Data stored and/or processed in the cloud still needs to be classified, segregated and handled according to it protection requirements. Controlling this relies on the security processes of the cloud provider and access to and audit of these processes is vital in maintaining a degree of control and assurance. Confidentiality issues are generally considered the number one concern for organisations when considering using cloud services. Integrity Integrity within the cloud is generally perceived to be on a par, if not better, than most classical organisational architectures. Cloud providers tend to be large, experienced, IT providers with
Cloud Computing Risk Comparison 12 Integrity Integrity within the cloud is generally perceived to be on a par, if not better, than most classical organisational architectures. Cloud providers tend to be large, experienced, IT providers with experience in resilient IT technologies that protect integrity. However, due to the ubiquitous nature of access to the cloud, there is always the potential for attackers, posing as legitimate service users, to try to affect the integrity of your organisation s data. Availability Availability is at the same time one of the strengths and one of the weaknesses of cloud computing. The size and scalability of cloud computing environments reduces risk of availability issues due to capacity management problems The resilient architectures of cloud providers also help to provide assurance around issues such as DDOS attacks and others. However, cloud computing is entirely dependent on the user connection into the cloud if this is compromised then the organisation may be powerless to effect recovery.
Provider / Customer Risk 13 It is important to differentiating between the commercial risk of the provider and the risk to the customer. Whilst the cloud services supplier will naturally want to provide a quality (and hopefully) secure service to your organisation as a customer there are some important considerations to be made: The provider is a business looking to make money They will perceive the risks differently to your organisation and make decisions based on the risks to their organisation as a priority over yours Depending on the size and nature of your organisation, they may prioritise your concerns and issues higher or lower than other customers Realised risks to the cloud provider may only be low impact to them, but it could shut down your organisation completely. Service providers are not usually held up as the main culprit if an incident becomes news: HMRC data loss suspected that discs were lost in transit by a courier company but the headlines were all around the poor security practices of HMRC not the courier company. Remember under DPA, the data controller is ultimately responsible for the security of data, not the data processor
Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration No. 07272922 Registered Office Southgate House 88 Town Square Basildon SS14 1BN.