security & privacy in cloud computing
DESCRIPTION
Dr. John D. Johnson presents on security and privacy surrounding cloud computing at the 2009 InfraGard conference in Springfield, IL.TRANSCRIPT
Security & Privacy Issues in
The Hype “The interesting thing about cloud
computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?”
Larry Ellison, CEO, Oracle (WSJ 9/25/08)
Video
Closer to Earth
• Let’s presume that Cloud Compu>ng is real.
• What is it? • Let’s try to cut through the hyperbole and define Cloud Compu>ng and see what it has to offer consumers and organiza>ons.
Example: MicrosoK
Sor>ng things out…
PlaMorm
U>lity or Infrastructure
SoKware
Infrastructure as a Service
• Amazon sells compu>ng power in a way similar to how we get electricity from the power company.
• Uses a pay-‐as-‐you-‐go model for offering VM instances, compu>ng power and storage on demand.
PlaMorm as a Service
• One step above the u>lity, you find the PaaS providers, like Google App Engine, Salesforce’ force.com, and the recently announced MicrosoK Azure plaMorm.
• Here you develop apps and leverage a common development framework and plaMorm for delivery.
SoKware as a Service
• SoKware as a Service (SaaS) is what most people are familiar with. This is where many of the common Web 2.0 applica>ons are, like: Flickr, Gmail, Google Apps, Facebook, TwiZer....
• There are also enterprise applica>ons, such as SAP, Oracle, MicrosoK and others aZemp>ng to gain market share here.
Terminology
• Let’s face it, the use of all these acronyms can get confusing!
• SOA and SaaS oKen get confused. • The u>lity and plaMorm services are oKen called nothing more than the evolu>on of third-‐party hos>ng services that companies have used for years.
• There are good reasons these assump>ons are incorrect.
SOA is dead…? “SOA met its demise on January 1, 2009, when it was
wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on “services.” Manes’ real point, to quote her is that “we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business.”
Anne Thomas Manes, Burton Group
Consumers • Cloud Compu>ng is a new name for things consumers are already doing.
• Consumers are >red of being IT techs. • Consumers want to DO things online, and have the Internet cloud be as simple as Cable TV.
I don’t care what’s up
there, as long as it WORKS!
The Business Case
• Cost Savings from economies of scale • Scalability • Elas>city • Reliability • (and in some cases, they enjoy a transfer of liability by outsourcing services)
Source: www.cio.com/article/print/109706
2007
Source: www.cio.com/article/print/109706
Where does it make sense?
• Start-‐ups • Apps that are not processing key data
• Apps that benefit greatly from economies of scale, and that require high availability and DRP
• Apps that need periodic, huge capacity or CPU processing
Where does it not make sense?
• Key apps that are earning your bread and buZer
• Apps that touch personal data or process high-‐value/consumer transac>ons should be considered carefully
• Most cloud compu>ng works well for highly paralell, but not serial apps
On-‐site vs. Off-‐site • PaaS can be hosted at your data center,
outsourced, or hosted in a hybrid environment like this example.
Source: cohesiveft.com/vpncubed
Concern in the Cloud
• Security • Control • Performance • Support • Vendor Lock-‐In • Speed of Scaling • Configurability
Security Concerns • CIA + Privacy • Can you extend your policies to the cloud?
• Regulatory compliance • Managing data on shared systems • Forensics • Audi>ng • Segrega>on of data • Portability & Interoperability • Reliability & Manageability
In The News
• Monster.com Breach May Preface Targeted Attacks
• Salesforce.com AdmitsData Loss
• Millions of GmailUsers Left in theLurch
• Gmail is down,down, down
More…
• United Airlines Flight Opera>ons Computer System Failure
• San Francisco Power Grid Failure • PayPal Subscrip>on Processing Fails • Skype Down for Days • LAX TSA Screening System Failure
• What if Google were to disappear for a few days? Or, Facebook? Yahoo?
Compliance in the Cloud
• Let me just list some common U.S. regula>ons and speak to them:
• PCI • SOX • HIPAA • GLB • California Breach Law (SB1386)
Future Trends
• The Web as a Par>cipatory Worldwide Communica>ons Media (Wikipedia, Facebook, YouTube…)
• The Need to Use Less Energy • Innova>on Impera>ve • Quest for Simplicity • Structure Out of Chaos
Source: www.cio.com/article/438371/Cloud_Computing_Hype_Versus_Reality
• The Grinch: It came without segrega>on. It came without recovery goals. It came without adequate physical, logical, or personnel access controls. It could have been high, it could have been low, I just have no clue where the data may flow!
• Narrator: Then the Grinch thought of something he hadn't before.
• The Grinch: Maybe the perfect solu>on doesn't come from a store. Maybe solving business problems securely...
• Narrator: He thought • The Grinch: ...means a liZle bit more.
Grinch in the Cloud
Useful Resources
• World Privacy Forum, www.worldprivacyforum.org
• Security Monks Blog, hZp://blog.securitymonks.com/2009/01/25/recent-‐cloud-‐pos>ngs/
• Ra>onal Survivability Blog, hZp://ra>onalsecurity.typepad.com/