Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab Qing.Liu@chi.frb.org


Disclaimers
This presentation provides education on Cloud Computing and its security risks. Any mention of a vendor or product is NOT an endorsement or recommendation.

Agenda
- What is Cloud Computing?
- Vulnerabilities, security risks and risk controls

Cloud Computing - Module 1: What Is Cloud Computing?

Business Drivers

End User Drivers

Defining Cloud Computing
Cloud Computing is a new consumption and delivery model inspired by consumer Internet services. It enables convenient, on-demand network access to a shared pool of configurable computing resources with minimal management effort or service provider interaction.

Benefits of Cloud
- Helps to address rising IT costs
- Focuses enterprises on core business processes and expertise
- Focuses more on business value, less on technology costs
- Leverages external services and infrastructure capabilities
- Helps solve legacy investment issues
- Provides scalability and flexibility
- Pay for what you use, not for equipment, skills and other resources you may not want or need

Cons of Cloud
- The asset becomes widely public and widely distributed.
- An employee of the cloud provider can access the asset.
- The process or function can be manipulated by an outsider.
- The process or function can fail to provide expected results.
- The information / data can be unexpectedly changed.
- The asset can be unavailable for a period of time.

5 Essential Cloud Characteristics
- On-demand self-service
- Ubiquitous network access
- Location-independent resource pooling
- Rapid elasticity
- Measured service (pay per use)

3 Cloud Service Models
- Cloud Software as a Service (SaaS) - Use the provider's applications over a network
- Cloud Platform as a Service (PaaS) - Deploy customer-created applications to a cloud
- Cloud Infrastructure as a Service (IaaS) - Rent processing, storage, network capacity, and other fundamental computing resources

4 Cloud Deployment Models
- Private cloud - enterprise owned or leased
- Community cloud - shared infrastructure for a specific community
- Public cloud - sold to the public, mega-scale infrastructure
- Hybrid cloud - composition of two or more clouds

Feature Indication

Cloud Computing Example: Amazon Elastic Compute Cloud (EC2)


Standards and Test Bed Groups
- Cloud Security Alliance (CSA)
- Distributed Management Task Force (DMTF)
- Storage Networking Industry Association (SNIA)
- Open Grid Forum (OGF)
- Open Cloud Consortium (OCC)
- Organization for the Advancement of Structured Information Standards (OASIS)
- TM Forum
- Internet Engineering Task Force (IETF)
- International Telecommunications Union (ITU)
- European Telecommunications Standards Institute (ETSI)
- Object Management Group (OMG)

CSA Research Initiatives
- Security Guidance for Critical Areas of Focus in Cloud Computing v2.1 (12/17/2009)
- Controls Matrix 1.01 (10/20/2010)
- Consensus Assessments Initiative (10/12/2010)
- Top Threats to Cloud Computing (twice yearly)
- Trusted Cloud Initiative
- CloudAudit (10/20/2010)
- Common Assurance Maturity Model (partner project)

Security for Cloud Computing
Cloud computing is about gracefully losing control while maintaining accountability, even if the operational responsibility falls upon one or more third parties. Security controls in cloud computing are no different from security controls in any IT environment. However, because of the operational models and the technologies used to enable cloud services, cloud computing may present different risks to an organization than a traditional IT solution.

What We Know So Far

Module 2 - Cloud Computing Risks, Vulnerabilities and Risk Remediation

Regulatory Issue
Can a financial institution properly carry out due diligence, ascertain what risk management and security practices exist, and be able to rely on specific security measures to ensure the safety and soundness of its systems, data and customer records in the cloud?

Top Six High Risks
1. Loss of Governance
2. Compliance Challenge
3. Lock-in
4. Cloud Provider Malicious Insider
5. Subpoena and E-discovery
6. Data Protection Risks

1. Loss of Governance
Probability: VERY HIGH
Impact: VERY HIGH (IaaS VERY HIGH, SaaS Low)
Vulnerabilities:
- Unclear asset ownership
- Unclear roles and responsibilities
- SLA clauses with conflicting promises to different stakeholders
- Cross-cloud applications creating hidden dependency
- Lack of standard technologies and solutions
- Certification schemes not adapted to cloud infrastructures
Affected assets:
- Company reputation
- Personal sensitive data
- Service delivery
Risk: HIGH

RACKSPACE SEC 10-Q Filing (May 2010)
"We are the world's leader in the hosting and cloud computing industry. The majority of our customers do not elect to pay the additional fees required to have disaster recovery services store their backup data offsite in a separate facility. We have experienced interruptions in the past due to such things as power outages, power equipment failures, cooling equipment failures, routing problems, hard drive failures, database corruption, systems failures, software failures and other computer failures. The services we offer involve the transmission of large amounts of sensitive and proprietary information over public communication networks, as well as the processing and storage of confidential customer information. Unauthorized access, computer viruses and other disruptions can occur that could compromise the security of our infrastructure."

Risk control 1 - Division of Liabilities
Law status: Cloud Provider = Data Processor; Cloud Customer = Data Controller
Data content: Cloud Provider = Intermediary liability; Cloud Customer = Full liability
Security incidents (including data leakage, user account compromise, etc.): Cloud Provider and Cloud Customer are each responsible for due diligence for what is under its control

Division of Responsibilities

2. Compliance Challenges
Probability: VERY HIGH
Impact: HIGH
Vulnerabilities:
- Lack of completeness and transparency in terms of use
- Lack of standard technologies and solutions
- Audit or certification not available to customers
- Certification schemes not adapted to cloud infrastructures
Affected assets:
- Certification
Risk: HIGH

Risk control 2 - Security Analysis Process
1. Classify a cloud service against the cloud architecture model
2. Map business, regulatory and other compliance requirements to security controls
3. Gap analysis of security controls to cloud services
4. Determine the general security posture of a service and relate it to an asset's assurance and protection requirements

Model Mapping in Gap Analysis (figure: layers labelled APIs, Applications, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
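The four-step security analysis process (classify, map requirements to controls, gap analysis, posture) and the model mapping above are easier to see in working form. The following Python is an added example, not code from the presentation or from any provider or standards body. The layer-ownership table (who operates each layer under SaaS/PaaS/IaaS), the control names, the requirement-to-control mapping and the provider/customer attestations are all constructed assumptions for illustration; the deck's "Division of Responsibilities" slides are images, so nothing here reproduces them.

```python
"""Worked example of a cloud security gap analysis (constructed data).

Step 1 classifies the service against SaaS/PaaS/IaaS, step 2 maps each
compliance requirement to controls and to the party that must implement
them under that model, step 3 lists the controls the responsible party has
not implemented, and step 4 turns the gaps into a posture and compares it
with the asset's required assurance level."""
from dataclasses import dataclass

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")
LEVELS = ("LOW", "MEDIUM", "HIGH")  # assurance levels, lowest to highest

# ASSUMPTION: a typical shared-responsibility split by layer. Only the data
# layer stays with the customer under every model.
LAYER_OWNER = {
    "IaaS": {"facility": "provider", "virtualization": "provider",
             "os": "customer", "application": "customer", "data": "customer"},
    "PaaS": {"facility": "provider", "virtualization": "provider",
             "os": "provider", "application": "customer", "data": "customer"},
    "SaaS": {"facility": "provider", "virtualization": "provider",
             "os": "provider", "application": "provider", "data": "customer"},
}

# ASSUMPTION: constructed control catalogue, each control tagged with the
# layer in which it is implemented.
CONTROL_LAYER = {
    "audited-physical-access": "facility",
    "hypervisor-isolation": "virtualization",
    "os-patch-management": "os",
    "application-encryption-at-rest": "application",
    "breach-notification-process": "application",
    "data-classification": "data",
}

# Step 2 input: constructed mapping of requirements to the controls that
# satisfy them (names echo the deck's compliance themes, not a real regulation).
REQUIREMENTS = {
    "Data protection law": ["application-encryption-at-rest",
                            "breach-notification-process", "data-classification"],
    "Right to examine / audit": ["audited-physical-access", "os-patch-management"],
    "Resource isolation": ["hypervisor-isolation"],
}

# Constructed attestations: what each party claims to have in place.
PROVIDER_ATTESTED = {"audited-physical-access", "hypervisor-isolation",
                     "os-patch-management"}
CUSTOMER_IMPLEMENTED = {"data-classification", "breach-notification-process"}


@dataclass(frozen=True)
class Gap:
    requirement: str
    control: str
    owner: str  # "provider" or "customer": the party that should have closed it


def classify(service_model: str) -> str:
    """Step 1: validate the service against the cloud architecture model."""
    if service_model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model: {service_model}")
    return service_model


def responsible_party(service_model: str, control: str) -> str:
    """Step 2: decide who must implement a control under the given model."""
    return LAYER_OWNER[classify(service_model)][CONTROL_LAYER[control]]


def gap_analysis(service_model: str, provider_attested: set, customer_implemented: set) -> list:
    """Step 3: every required control missing from its responsible party is a gap."""
    gaps = []
    for requirement, controls in REQUIREMENTS.items():
        for control in controls:
            owner = responsible_party(service_model, control)
            have = provider_attested if owner == "provider" else customer_implemented
            if control not in have:
                gaps.append(Gap(requirement, control, owner))
    return gaps


def security_posture(gaps: list) -> str:
    """Step 4a: HIGH with no gaps; MEDIUM if only customer-side gaps remain
    (the customer can close those itself); LOW if the provider leaves gaps,
    which the customer can only address by contract or by changing provider."""
    if not gaps:
        return "HIGH"
    if all(g.owner == "customer" for g in gaps):
        return "MEDIUM"
    return "LOW"


def fit_for_asset(posture: str, required_level: str) -> bool:
    """Step 4b: relate the posture to the asset's protection requirement."""
    return LEVELS.index(posture) >= LEVELS.index(required_level)


if __name__ == "__main__":
    # Same attestations, different service model: the gaps move between parties.
    for model in ("IaaS", "PaaS", "SaaS"):
        gaps = gap_analysis(model, PROVIDER_ATTESTED, CUSTOMER_IMPLEMENTED)
        posture = security_posture(gaps)
        print(model, posture, "fit for HIGH asset:", fit_for_asset(posture, "HIGH"),
              [(g.control, g.owner) for g in gaps])
```

Running it shows the point of step 1: with identical attestations, the encryption control is a customer-side gap under PaaS (posture MEDIUM), while under SaaS both application-layer controls become provider-side gaps (posture LOW), so the customer cannot remediate them and a HIGH-assurance asset should not be placed there.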

3. Lock-in
Probability: HIGH
Impact: MEDIUM
Vulnerabilities:
- Lack of standard technologies and solutions
- Poor provider selection
- Lack of supplier redundancy
- Lack of completeness and transparency in terms of use
Affected assets:
- Company reputation
- Personal sensitive data
- Service delivery
Risk: HIGH

Risk control 3
1. Assess the risk of adopting cloud services
2. Compare different provider offers
3. Obtain assurance from the selected cloud providers
4. Exit strategy - migration path requirements

4. Cloud Provider Malicious Insider
Probability: MEDIUM (lower than traditional)
Impact: VERY HIGH (higher than traditional)
Vulnerabilities:
- Unclear roles and responsibilities
- Poor enforcement of role definitions
- Need-to-know principle not applied
- AAA vulnerabilities
- System or OS vulnerabilities
- Inadequate physical security procedures
- Impossibility of processing data in encrypted form
- Application vulnerabilities or poor patch management
Affected assets:
- Company reputation
- Customer trust
- Employee loyalty and experience
- Intellectual property
- Personal sensitive data / HR data
- Service delivery
Risk: HIGH

Risk Control 4 - Information Assurance Requirements
- Personnel security
- Supply-chain assurance
- Operational security
  - Software assurance
  - Patch management
  - Network architecture controls
  - Host architecture
  - Application security
  - Resource provision

Information Assurance Requirements (continued)
- Identity and access management
- Authorization
- Identity provisioning
- Management of personal data
- Key management
- Encryption
- Authentication
- Asset management
- Physical security
- Environmental controls

5. Subpoena and E-discovery
Probability: HIGH
Impact: MEDIUM
Vulnerabilities:
- Lack of resource isolation
- Storage of data in multiple jurisdictions and lack of transparency
Affected assets:
- Company reputation
- Customer trust
- Personal sensitive data
- Service delivery
Risk: HIGH

6. Data Protection Risks
Probability: HIGH
Impact: HIGH
Vulnerabilities:
- Failure to comply with data protection law
- Failure to notify the data controller about a data leakage
Affected assets:
- Company reputation
- Customer trust
- Personal sensitive data
- Service delivery
Risk: HIGH

Risk control 5 & 6 - Legal Requirements
1. Data protection
2. Data security
3. Data transfer
4. Law enforcement access
5. Confidentiality and non-disclosure
6. Intellectual property
7. Risk allocation and limitation of liability
8. Change of control

Conclusion
- Cloud Computing is an emerging business model with a lot of promise
- Waiting for more development on cloud standardization, security control frameworks, interoperability, cloud audit and common assurance
- Premature solution for core banking functions

Q & A

References
1. Cloud Security Alliance, http://www.cloudsecurityalliance.org/
2. NIST cloud computing, http://csrc.nist.gov/groups/sns/cloud-computing/
3. Amazon EC2 and S3, http://aws.amazon.com/
4. Cloud Standards Organization, http://cloud-standards.org/wiki/index.php?title=main_page
