
Page 1: Cyber Security and Cloud Computing

Dr Daniel Prince, Course Director, MSc in Cyber Security

[email protected]

Page 2: Scope of Today

• SME Attractors for Cloud
• Switching to the Cloud
  – Public
  – Private
  – Hybrid
• Big issues to consider
• Summary

Page 3: SME Space

• 2.1m companies registered for VAT and/or PAYE in March 2010
• 98% of these businesses have fewer than 50 employees
• Only 0.4% have more than 250 employees
• (Source: Office for National Statistics)
• Drivers
  – Reduce expenditure on IT systems
  – Maintain capabilities
  – Flexibility to expand or reduce requirements
  – Data sharing

Page 4: SME Security View

• Lack in-house IT and infosec expertise
• Already used to the outsourced IT service model
• Traditionally neglected by security vendors
• Few SMEs have any formal security policy
  – Fewer have implemented an ISMS or certification
• Mostly dependent on IT contractor advice
• 66% of all security breaches occur within organisations with fewer than 100 employees

Page 5: Switch to Cloud Computing

• Considerations
  – Security and Privacy Issues
    • Public data
    • Personal data (citizens' sensitivities)
  – Compliance
    • Government security policies
    • Legal requirements
• Need to protect assets to succeed
  – Confidentiality, Integrity, Availability, Reputation
• Financial loss, loss of output, damage to reputation

Page 6: Switch to Cloud Computing…

• Compromise of personal data
  – Damage to customers
  – Damage to organisational reputation
• Information Security Management System (ISMS)
  – ISO/IEC 27001:2005
  – ITIL
  – Policies and procedures
  – Legal and regulatory systems

Page 7: Legislation affecting the Cloud

(Diagram: legislation arranged under the two headings "Keeping Data In" and "Letting Data Out")

• Official Secrets Act 1989
• Data Protection Act 1998 (listed twice in the diagram)
• European Directive 95/46/EC
• European Convention on Human Rights
• Human Rights Act 1998
• Freedom of Information Act 2000

(www.arborcentre.co.uk)

Page 8: Legislation affecting the Cloud

• Conflicting demands of privacy and freedom
• Use of metadata – what to keep?
• Requires comprehensive procedures
  – Storage
  – Cataloguing
  – Auditing
  – Retrieval

(www.staynalive.com)

Page 9: Public Cloud Challenges

• Maintaining security and sovereignty
  – Where are servers located?
    • Data sovereignty – which country is the data in?
  – What security is in place?
    • Data segregation in a virtual environment
    • Compliance with legal and government policies
  – Audit and compliance
    • Visibility of audit results and security logs
  – Disaster recovery plans
    • What business continuity is in place?

Page 10: Public Cloud Challenges…

• Deletion of data
  – Can all copies be removed?
  – Standards for purging data/memory
• Risks from other customers' business
  – An attack against another customer could impact you
  – Highest customer security controls for all
• Maintaining compliance
  – Span several jurisdictions
  – Different legal requirements

Page 11: Private Cloud Challenges

• Does not have security by default
  – Policies and standards have to be applied
• Off Premise (3rd party provider)
  – Service Level Agreements (SLAs) required
  – Vetting of staff
  – Bearer bandwidth and availability
• On Premise
  – Control of security management
  – Maintaining compliance is simpler

Page 12: Hybrid Cloud Challenges

• All advantages/disadvantages of Public/Private Clouds
• Separate public/personal data
  – Public non-sensitive data in the Public Cloud
  – Personal and sensitive data in the Private Cloud
• Helps to gain the trust of citizens
• Maintaining compliance
  – Need to maintain compliance of both
• Extra workload

Page 13: Loss of Physical Control

• ENISA (2009) – non-cloud attack vectors translate with the same or a lower probability of occurrence in their cloud counterparts.
• HOWEVER, malicious insiders...
  – Counter arguments cite information security standards (e.g., ISO 27001); however, there remains a lack of clarity as to who will be managing the data.

Page 14: Exposing Sensitive Data

• First, legal liability under current Data Protection Laws within the European Union?
  – ENISA has advised public bodies in member states against using the cloud for anything other than non-sensitive and non-mission-critical data.
• Second, what types of data can legally be stored in the cloud?
  – Compliance requires proof of certain activities.
  – PCI DSS requirement 10.2 for "tracking and monitoring all access to network resources"

Page 15: Exposing Sensitive Data

• Third, the transfer and storage of data in non-domestic and potentially unknown jurisdictions.
  – EU Data Protection Directive – data must be stored within the 27 member states or 3 of the EEA member countries, unless "sufficient" levels of protection can be proved.
  – Review of 31 T&Cs found 15 to make no mention of data location or transit protection.
  – Data Protection Laws between member states – the Directive may sometimes provide inadequate protection (e.g., Germany)!

Page 16: Exposing Sensitive Data

• Cross-border movement of data and the impact of changing jurisdictions, associated legal obligations, and law enforcement practices (e.g., the USA's PATRIOT Act).
• Some T&Cs state the willingness to disclose data without court orders upon request from law-enforcement agencies, or if it's in the immediate "public interest".

Page 17: Other Implications

• What are the implications of CSP acquisition or failure?
• Acquisition and the possibility of sudden changes in CSP policies and non-binding agreements?
• Review of 27 T&Cs found:
  – 8 to mention no process for varying terms.
  – 13 to state amendments could be posted on their website, and continued use is acceptance.
  – Only 3 to state changes must be in writing with the agreement of both parties.
• Cloud-based IAM solutions are comparatively inadequate to their non-cloud alternatives.
  – Lack of widespread CSP support for open APIs and federation standards, e.g., SAML, XACML, and SPML.

Page 18: Multi-tenancy

• First, negative consequences from co-tenant activities.
• Second, isolation failure through compromising the underlying privileged architecture.
• Third, there's a correlation between the increasing complexity of cloud offerings (especially inter-cloud) and the ambiguity over the division of security responsibilities between CSPs and their customers.

Page 19: Take Away

1. Start by thinking about your information
2. What legal requirements cover you?
3. Think about Threat and Risk
4. Think about how you can get out of the Cloud cleanly
5. Scour the Terms and Conditions

Page 20: Summary

• It's not just a new technology, but a new business model.
• Does the cloud provide a false sense of security?
• Why hold back?
  – Risks not fully understood
  – Lack of trust in security
  – Lack of confidence in technology
  – Risks to data security and privacy need to mature

Page 21: CSC 2011