Cloud Security Alliance: The Cloud Computing Threat Vector


Posted on 20-Aug-2015

  1. Cloud Security Alliance
        • The Cloud Computing Threat Vector
        • Jim Reavis, Executive Director
        • September 2009
  2. About the Cloud Security Alliance
    • Global, not-for-profit organization
    • Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on
    • We believe Cloud Computing has a robust future, we want to make it better
    • To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
  3. Getting Involved
    • Individual Membership (free)
      • Subject matter experts for research
      • Interested in learning about the topic
      • Administrative & organizational help
    • Corporate Members
      • Help fund outreach, events
      • Participate in Solution Provider Advisory Council
    • Affiliated Organizations (free)
      • Joint projects in the community interest
  4. Members
    • Over 4,000 members
    • Broad Geographical Distribution
    • Active Working Groups
      • Editorial
      • Educational Outreach
      • Architecture
      • Governance, Risk Mgt, Compliance, Business Continuity
      • Legal & E-Discovery
      • Portability, Interoperability and Application Security
      • Identity and Access Mgt, Encryption & Key Mgt
      • Data Center Operations and Incident Response
      • Information Lifecycle Management & Storage
      • Virtualization and Technology Compartmentalization
    • New Working Groups
      • Healthcare
      • Cloud Threat Analysis
      • Government
      • Financial Services
  5. Project Roadmap
    • April 2009: Security Guidance for Critical Areas of Focus for Cloud Computing Version 1
    • October 2009: Security Guidance for Critical Areas of Focus for Cloud Computing Version 2
    • October 2009: Top Ten Cloud Threats (monthly)
    • November 2009: Provider & Customer Checklists
    • December 2009: eHealth Guidance
    • December 2009: Cloud Threat Whitepaper
    • Global CSA Executive Summits
      • Q1 2010 Europe
      • Q1 or Q2 2010 - US
  6. What is Cloud Computing?
    • Not One Cloud: Nuanced definition critical to understanding risks & mitigation
    • Working definition:
      • Cloud describes the evolutionary development of many existing technologies and approaches to computing that separates application and information resources from the underlying infrastructure and mechanisms used to deliver them. This separation of resources from infrastructure, combined with a utility-like, elastic allocation model, creates a compelling model for Internet-scale computing.
  7. Defining the Cloud
    • On demand usage of compute and storage
    • 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
    • 3 delivery models
      • Infrastructure as a Service (IaaS)
      • Platform as a Service (PaaS)
      • Software as a Service (SaaS)
    • 4 deployment models: Public, Private, Hybrid, Community
  8. S-P-I Model
    • IaaS: Infrastructure as a Service
    • PaaS: Platform as a Service
    • SaaS: Software as a Service
    • The stack runs from IaaS, where you build security in, to SaaS, where you RFP security in
  9. Key Challenges
    • We aren't moving to the cloud... we are reinventing within the cloud
    • Confluence of technology and economic innovation
      • Disrupting technology and business relationships
      • Pressure on traditional organizational boundaries
    • Gold Rush mentality, backing into a 20-year platform choice
    • Challenges traditional thinking
      • How do we build standards?
      • How do we create architectures?
      • What is the ecosystem required to manage, operate, assess and audit cloud systems?
  10. Lots of Governance Issues
    • Cloud Provider going out of business
    • Provider not achieving SLAs
    • Provider having poor business continuity planning
    • Data Centers in countries with unfriendly laws
    • Proprietary lock-in with technology, data formats
    • Mistakes made by internal IT security several orders of magnitude more serious
  11. Thinking about Threats
    • Technology
      • Unvetted innovations within the S-P-I stack
      • Well known cloud architectures
    • Business
      • How cloud dynamism is leveraged by customers/providers
      • E.g. provisioning, elasticity, load management
    • Old threats reinvented: must defend against the accumulation of all vulnerabilities ever recorded (Dan Geer-ism)
    • Malware in the cloud, for the cloud
    • Lots of blackbox testing
  12. Evolving Threats 1/2
    • Unprotected APIs / Insecure Service Oriented Architecture
    • Hypervisor Attacks
    • L1/L2 Attacks (Cache Scraping)
    • Trojaned AMI Images
    • VMDK / VHD Repurposing
    • Key Scraping
    • Infrastructure DDoS
  13. Evolving Threats 2/2
    • Web application (management interface!)
      • XSRF
      • XSS
      • SQL Injection
    • Data leakage
    • Poor account provisioning
    • Cloud provider insider abuse
    • Financial DDoS
    • Click Fraud
  14. CSA Guidance Domains
    • Governing in the Cloud
      • Governance & Risk Mgt
      • Legal
      • Electronic Discovery
      • Compliance & Audit
      • Information Lifecycle Mgt
      • Portability & Interoperability
    • Operating in the Cloud
      • Traditional, BCM, DR
      • Data Center Operations
      • Incident Response
      • Application Security
      • Encryption & Key Mgt
      • Identity & Access Mgt
      • Storage
      • Virtualisation
    • Understand Cloud Architecture
  15. Governance & ERM
    • A portion of cloud cost savings must be invested into provider scrutiny
    • Third party transparency of cloud provider
    • Financial viability of cloud provider.
    • Alignment of key performance indicators
    • Increased frequency of 3rd-party risk assessments
  16. Legal
    • Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets.
    • Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer
    • Gain a clear expectation of the cloud provider's response to legal requests for information.
    • Secondary uses of data
    • Cross-border data transfers
  17. Electronic Discovery
    • Cloud Computing challenges the presumption that organizations have control over the data they are legally responsible for.
    • Cloud providers must assure that their information security systems are capable of preserving data as authentic and reliable: metadata, log files, etc.
    • Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.
  18. Compliance & Audit
    • Classify data and systems to understand compliance requirements
    • Understand data locations, copies
    • Maintain a right to audit on demand
    • Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X
  19. Information Lifecycle Mgt
    • Understand the logical segregation of information and protective controls implemented
    • Understand the privacy restric