Cloud Computing = .COM 2.0?

Predrag Mitrovic, CISSP, CISM, Authorpredrag@mynethouse.se

2 minute bio

www.cloudadvisor.se

www.cloudadvisor.se

www.cloudadvisor.se

1990 Botkyrka kommun

www.cloudadvisor.se

www.cloudadvisor.se

1995 IDG Nätverk & Kommunikation

1997 NetHouse Konsult & Media

www.cloudadvisor.se

www.cloudadvisor.se

1999 Novell EMEA

2000 Microsoft

www.cloudadvisor.se

www.cloudadvisor.se

2007 LabCenter

www.cloudadvisor.se

October 1st

MyNethouse

www.cloudadvisor.se

www.cloudadvisor.se

•www.cloudadvisor.se

www.cloudadvisor.se

Secu

rity-a

s-a

-Serv

ice

Storage-as-a-Service

Inte

gra

tion

-as-a

-Serv

ice Database-as-a-Service

Information-as-a-Service

Process-as-a-Service

Application-as-a-Service

Pla

tform

-as-a

-Serv

ice

Management/Governance-as-a-Service

Testing-as-a-Service

Trends behind the hype CPU Speed doubled

every 24 months Memory capacity

doubles every 18 months

Bandwidth explosion OSS The programmable

web Virtualization

Information explosion (+50% growth YoY)

70 % of ICT budgets for maintenance

Up to 85% of capacity idle

Unclear value perception from business side

www.cloudadvisor.se

www.cloudadvisor.se

• Ge

eka

nd

po

ke.c

om

un

de

r e

n c

rea

tive

co

mm

on

s-lic

en

sG

ee

kan

dp

oke

.co

m u

nd

er

en

cre

ativ

e c

om

mo

ns-

lice

ns

Definition

Clouds are hardware-based services offering compute, network and storage capacity where: Hardware management is highly abstracted from

the buyer Buyers incur infrastructure costs as variable OPEX Infrastructure capacity is highly elastic (up or

down)

McKinsey & Company

www.cloudadvisor.se

The idea

Shared infrastructure

Server

OS

Database

App Server

Storage

Network

App 1

Server

OS

Database

App Server

Storage

Network

App 2

Server

OS

Database

App Server

Storage

Network

App 100

www.cloudadvisor.se

CPU, RAM, Networking

Storage

SW Kernel (OS & VM)

Virtualized resources

Cloud applications

Virtuell

Image 1

Virtual

Image.. n

Virtual

Image 1

Security

Risk Governanc

e

Lifecyclemgmt

AAA

Auditing

Security in-

depth

Incident mgmt

Mgmt

Reporting

Use monitor

KapacityplanningNetwork

management

Automati-zation

Billing

www.cloudadvisor.se

•IaaS

CPU, RAM, Networking

Storage

SW Kernel (OS & VM)

Virtualized resources

Cloud applications

Virtuell

Image 1

Virtual

Image.. n

Virtual

Image 1

Security

Risk Governanc

e

Lifecyclemgmt

AAA

Auditing

Security in-

depth

Incident mgmt

Mgmt

Reporting

Use monitor

KapacityplanningNetwork

management

Automati-zation

Billing

www.cloudadvisor.se

•PaaS

CPU, RAM, Networking

Storage

SW Kernel (OS & VM)

Virtualized resources

Cloud applications

Virtuell

Image 1

Virtual

Image.. n

Virtual

Image 1

Security

Risk Governanc

e

Lifecyclemgmt

AAA

Auditing

Security in-

depth

Incident mgmt

Mgmt

Reporting

Use monitor

KapacityplanningNetwork

management

Automati-zation

Billing

www.cloudadvisor.se

•SaaS

IaaS example

www.cloudadvisor.se

PaaS examples

www.cloudadvisor.se

SaaS examples

www.cloudadvisor.se

www.cloudadvisor.se

www.cloudadvisor.se

www.cloudadvisor.se

Security in the clouds

CPU, RAM, Networking

Storage

SW Kernel (OS & VM)

Virtualized resources

Cloud applications

Virtuell

Image 1

Virtual

Image.. n

Virtual

Image 1

Security

Risk Governanc

e

Lifecyclemgmt

AAA

Auditing

Security in-

depth

Incident mgmt

www.cloudadvisor.se

Security in depth - facility Physical perimeter

protected Guards CCTV Fire safety Location against

natural disasters Secure logistics

www.cloudadvisor.se

CPU, RAM, Networking

www.cloudadvisor.se

Environment & climate secured Physical access control Redundancy Automated supervision – CPU, RAM, fans, disc

etc Enterprise FW NIDS/NIPS

Security in depth - hardware

www.cloudadvisor.se

Patch management: Host OS & virtual hosts Hostbased FW HIDS/HIPS Filesystem encryption OS & VM hardening Routines for provisioning/de-provisioning of

VM´s

SW Kernel (OS & VM)

Security in depth – SW Kernel

www.cloudadvisor.se

DLP Integrity auditing Filesystem encryption Personal FW Activity monitor DB Hardening Authorization & Auditing

Storage

Virtualized resourcesVirtual

Image

Security in depth – virtualized resources

Security in depth – applications

www.cloudadvisor.se

Authentication & Authorization Code quality Least privilige SDL

Applications

Soft side of security Security Practice

Statement? Control of compliance? How do I map my

demands? How about ”damage

control”? …

www.cloudadvisor.se

Security

Risk Governance

Lifecyclemgmt

AAA

Auditing

Security in-depth

Incident mgmt

Enter due diligence Insiders? High ”administrator power”? Stress test of plans/abilities business

continuity and disaster recovery My penetration testing?

www.cloudadvisor.se

Risk management

www.cloudadvisor.se

Risk management Vendors KRI/KPI + my KRI/KPI = ? Regular audits on vendors security policy,

processes and procedures. Ownership and partnering?

www.cloudadvisor.se

Governance

www.cloudadvisor.se

Governance Recurring auditing by trusted third party to

validate SPS & SLA Declaration of partnerships with third party Who is financing the vendor?

www.cloudadvisor.se

Legal

www.cloudadvisor.se

Legal Plan for expected/unexpected exit: Assurance

of secure delivery and destruction of data. Clause for information not traversing

geographical boundaries. Rights to reuse my information?

www.cloudadvisor.se

Compliance & Audit

www.cloudadvisor.se

Compliance & audit Classification:

Which systems are handling regulated information?

What data is handled within the systems? SAS 70 type II audits? Demand ISO 27001 certification?

www.cloudadvisor.se

ILM

www.cloudadvisor.se

ILM Logical segregation of information – What

control mechanisms do we implement for parts outside of our control?

Verify backup & restore of segregated information & simulate how the information is assimilated ”in-house” in case of termination.

www.cloudadvisor.se

Portability & Interoperability

www.cloudadvisor.se

P & I SaaS

Process for continuous extraction in open formats IaaS

Develop ”binaries” not tied to Virtual Machine Images specific to the vendor

PaaS Developer platform in the cloud allows portability

with platform in-house

www.cloudadvisor.se

Identity

www.cloudadvisor.se

Identity Federation schema

SAML (version?) WS-Federation Liberty ID-FF

Multiple authentication factors? Authorization and governing of rights on

application/data?

www.cloudadvisor.se

Datacenter operations

www.cloudadvisor.se

Datacenter operations Maintenance schemas Process for misconfigurations (fallbacks) Versioning Helpdesk

www.cloudadvisor.se

Incident handling

www.cloudadvisor.se

Incident handling Common definition of an incident? Roles under an incident? When/how am I notified? Can I use my own CSIRT? Police? Dawn-raid on another tenant – consequence?

www.cloudadvisor.se

Conclusions

www.cloudadvisor.se

Cloud Computing is built on known technology – but the risks are definitively virgin territory!

www.cloudadvisor.se

There are loads of exciting opportunities – open to all!

www.cloudadvisor.se

Business demands results without ”whining and but´s” – handle it or be bypassed and marginalized!

www.cloudadvisor.se

Why not implement the philosophy of the cloud in your IT?

www.cloudadvisor.se

DISCUSSION

www.cloudadvisor.se

Nice links http://cloudforum.org http://cloudsecurityalliance.org http://cloudcamp.org http://opencloudmanifesto.org http://opencrowd.com http://eucalyptus.com http://aws.amazon.com/ec2 http://www.ibm.com/ibm/cloud/labs/ http://www.hpl.hp.com/research/cloud.html

www.cloudadvisor.se

Thank you!

Predrag Mitrovic, predrag@mynethouse.se+46 (0) 709 – 200 350 or on the net: http://mynethouse.se

Blogs (in Swedish only): http://blogg.idg.se/itperspektiv http://cloudadvisor.se

www.cloudadvisor.se