Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud Security - Security Aspects of Cloud Comp...

Cloud Security - Security Aspects of Cloud Computing

Jim Geovedi

August 05, 2010
Tweet

More Decks by Jim Geovedi

Other Decks in Technology

Transcript

  1. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] JIM GEOVEDI Director, Bellua Asia Pacific [email protected] @geovedi SECURITY ASPECTS OF CLOUD COMPUTING CLOUD SECURITY
  2. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] 2 Essential characteristics • On-demand Service - Get computing capabilities as needed automatically • Broad Network Access - Services available over the net • Resource Pooling - Provider resources pooled to server multiple clients • Rapid Elasticity - Ability to quickly scale in/out service • Measured Service - Control, optimise services based on metering
  3. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Service models 3 Infrastructure as a Service Platform as a Service Software as a Service Presentation Modality Presentation Platform APIs Applications Data Metadata Content Integration and Middleware APIs Core Connectivity and Delivery Abstraction Hardware Facilities
  4. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Deployment models • Public - Cloud infrastructure is available to the general public, owned by org selling cloud services • Private - Cloud infrastructure for single organisation only, may be managed by the organisation or a 3rd party, on or off premise • Community - Cloud infrastructure shared by several organisations that have shared concerns, managed by org or 3rd party • Hybrid - Combinations of more than clouds bound by standard or proprietary technology 4
  5. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Cloud examples 5
  6. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Move to the cloud? • Identify the asset(s) for cloud deployment - Data - Applications/Functions/Process • Evaluate the asset - Determine how important the data or function is to the organisation 6
  7. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Top CIO concerns 7 Security Availability Performance Cost Standards
  8. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Cloud security threats 1. Abuse and nefarious use 2. Insecure interfaces and APIs 3. Malicious insiders 4. Shared technology issues 5. Data loss or leakage 6. Account or service hijacking 7. Unknown risk profile 8 source: http://www.cloudsecurityalliance.org/topthreats
  9. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #1: Abuse and Nefarious Use • Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. • Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. 9
  10. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #2: Insecure Interfaces and APIs • While most providers strive to ensure security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. • Reliance on a weak set of interfaces and APIs exposes organisations to a variety of security issues related to confidentiality, integrity, availability and accountability. 10
  11. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #3: Malicious Insiders • The impact that malicious insiders can have on an organisation is considerable, given their level of access and ability to infiltrate organisations and assets. • Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation. • As organisations adopt cloud services, the human element takes on an even more profound importance. It is critical therefore that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat. 11
  12. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #4: Shared Technology Issues • Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalisation. • As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorised access to data. 12
  13. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #5: Data Loss or Leakage • Data loss or leakage can have a devastating impact on a business. Beyond the damage to one’s brand and reputation, a loss could significantly impact employee, partner, and customer morale and trust. • Loss of core intellectual property could have competitive and financial implications. Worse still, depending upon the data that is lost or leaked, there might be compliance violations and legal ramifications. 13
  14. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #6: Account or Service Hijacking • Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services. • Organisations should be aware of these techniques as well as common defence in depth protection strategies to contain the damage (and possible litigation) resulting from a breach. 14
  15. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Threat #7: Unknown Risk Profile • When adopting a cloud service, the features and functionality may be well advertised, but... - What about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? - How are your data and related logs stored and who has access to them? - What information if any will the vendor disclose in the event of a security incident? • Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats. 15
  16. Bellua Asia Pacific Bellua Asia Pacific — Graha Mandiri 9th

    floor, Jalan Imam Bonjol No. 61, Jakarta 10310. T: +6221-39834116 F: +6221-39834114 E: [email protected] Security guidance Security guidance for critical areas of focus in cloud computing source: http://www.cloudsecurityalliance.org/guidance.html 16 Cloud Architecture Governing in the Cloud Operating in the Cloud Cloud Computing Architectural Framework Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Traditional Security, Business Continuity and Disaster Recovery Data Centre Operations Incident Response, Notification, and Remediation Application Security Encryption and Key Management Identity and Access Management Virtualisation