cloud security and privacy

www.securityforum.org ISF 20th Annual World Congress 2009 Copyright © 2009 Information Security Forum Limited 1 Cloud Security and privacy – Subra Kumaraswamy

“Headintheclouds,feetontheground‐thebusinesssideof

securityinthecloud”

[email protected]=er‐@Subrak

Dec07,2009 1

www.securityforum.org ISF 20th Annual World Congress 2009 Copyright © 2009 Information Security Forum Limited 2 Cloud Security and privacy – Subra Kumaraswamy 2

Cloud Computing: Evolution


3

5 Essential Cloud Characteristics

• On-demand self-service

• Broad network access

• Resource pooling - Location independence

• Rapid elasticity

• Measured service


4

3 Cloud Service Models

• Cloud Software as a Service (SaaS) - Use provider’s applications over a network

• Cloud Platform as a Service (PaaS) - Deploy customer-created applications to a cloud

• Cloud Infrastructure as a Service (IaaS) - Rent processing, storage, network capacity, and other

fundamental computing resources

• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics


Cloud Pyramid of Flexibility


6

4 Cloud Deployment Models • Private cloud

- enterprise owned or leased

• Community cloud - shared infrastructure for specific community

• Public cloud - Sold to the public, mega-scale infrastructure

• Hybrid cloud - composition of two or more clouds


The Cloud: How are people using it?


Changing IT Relationships


What Not a Cloud?


Focusing the Security Discussion

Software as a Service

Platform as a Service

Infrastructure as a Service

Pub

lic

Priv

ate

Hyb

rid

Application Domains X

aaS

Lay

ers

IaaS, Hybrid, HPC/

Analytics SaaS, Public, CRM

IaaS, Public, Transcoding


Components of Information Security

Network-level Host-level

Application-level

Encryption, Data masking, Content protection


Analyzing Cloud Security • Some key issues:

- Trust, multi-tenancy, encryption, key management compliance

• Clouds are massively complex systems can be reduced to simple primitives that are replicated thousands of times and common functional units

• Cloud security is a tractable problem - There are both advantages and challenges


Balancing Threat Exposure and Cost Effectiveness • Private clouds may have less threat exposure than

community or hosted clouds which have less threat exposure than public clouds.

• Massive public clouds may be more cost effective than large community clouds which may be more cost effective than small private clouds.


General Security Advantages • Democratization of security capabilities

• Shifting public data to a external cloud reduces the exposure of the internal sensitive data

• Forcing functions to add security controls

• Clouds enable automated security management

• Redundancy / Disaster Recovery


General Security Challenges

• Trusting vendor’s security model

• Customer inability to respond to audit findings

• Obtaining support for investigations

• Indirect administrator accountability

• Proprietary implementations can’t be examined

• Loss of physical control


Infrastructure Security

Trust boundaries have moved • Specifically, customers are unsure where those trust

boundaries have moved to • Established model of network tiers or zones no

longer exists - Domain model does not fully replicate previous model

• No viable (scalable) model for host-to-host trust • Data labeling/tagging required at application-level

- Data separation is logical, not physical


Data Security • Provider’s data collection efforts and monitoring

of such (e.g., IPS, NBA) • Use of encryption

— Point-to-multipoint data-in-transit an issue — Data-at-rest possibly not encrypted — Data being processed definitely not encrypted — Key management is a significant issue — Advocated alternative methods (e.g., obfuscation,

redaction, truncation) are not adequate • Data lineage, provenance • Data remanence


Identity and Access Management (IAM)

Generally speaking, poor situation today: • Provisioning of user access is proprietary to

provider

• Strong authentication available only through

delegation

• Federated identity widely not available

• User profiles are limited to “administrator” and

“user”

• Privilege management is coarse, not granular


Privacy Considerations Transborder data issues may be exacerbated

• Specifically, where are cloud computing activities occurring?

Data governance is weak • Encryption is not pervasive • Data remanence receives inadequate attention • CSPs absolve themselves of privacy concerns:

“We don’t look at your data”


Audit & Compliance Considerations

• Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)

• CSP users need to define: - their control requirements - understand their CSP’s internal control

monitoring processes - analyze relevant external audit reports

• Issue is assurance of compliance


Impact on Role of Corporate IT

• Governance issue as internal IT becomes “consultants” and business analysts to business units

• Delineation of responsibilities between providers and customers much more nebulous than between customers and outsourcers, collocation facilities, or ASPs

• Cloud computing likely to involve much more direct business unit interaction with CSPs than with other providers previously


Getting Ready – IT Security • Governance framework that can be aligned with partners

• Federation of Identity, strong authentication, privileged access and key management

• Classification of data and privacy policy for data in cloud

• Security Automation – Image standardization, user/network policy template

• Understand the cloud service provider security architecture, SLA, policies, security feature and interfaces

• Understand the ephemeral nature of compute and storage cloud and plan for archival of security logs


Conclusions • Part of customers’ infrastructure security

moves beyond their control • Provider’s infrastructure security may

(enterprise) or may not (SMB) be less robust than customers’ expectations

• Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data


Conclusions (continued)

• IAM is less than adequate for enterprises – weak management of weak credentials unless (authentication) delegated back to customers

• Because of above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint - No established standards for obfuscation,

redaction, or truncation


Conclusions (continued)

• Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT

• Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions


What’s Good about the Cloud?

• A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data

• Cost

• Flexibility

• Scalability

• Speed

www.securityforum.org ISF 20th Annual World Congress 2009 Copyright © 2009 Information Security Forum Limited 27 Cloud Security and privacy – Subra Kumaraswamy Dec7th,2009 27

DisclaimerTheviewsandopinionsexpressedduringthisconferencearethoseofthespeakersanddonotnecessarilyreflecttheviewsand

opinionsheldbySunMicrosystems.NothinginthisconferenceshouldbeconstruedasprofessionalorlegaladviceorascreaGngaprofessional‐customerora=orney‐clientrelaGonship.Ifprofessional,legal,orotherexpertassistanceisrequired,theservicesofa

competentprofessionalshouldbesought.

Thankyou

[email protected]

Twi=er‐@subrak

cloud security and privacy

Technology

cloud security

cloud cloud infrastructure

cloud isf

cloud computing

privacy congress

network cloud platform

cloud pyramid of flexibility

security discussion