Security & Privacy Issues in
DESCRIPTION

Dr. John D. Johnson presents on security and privacy surrounding cloud computing at the 2009 InfraGard conference in Springfield, IL.

TRANSCRIPT

Page 1: Security & Privacy in Cloud Computing

Security & Privacy Issues in

Page 2: Security & Privacy in Cloud Computing

The Hype

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?”

Larry Ellison, CEO, Oracle (WSJ 9/25/08)

Page 3: Security & Privacy in Cloud Computing

Video

Page 4: Security & Privacy in Cloud Computing

Closer to Earth

• Let’s presume that Cloud Computing is real.

• What is it?

• Let’s try to cut through the hyperbole and define Cloud Computing and see what it has to offer consumers and organizations.

Page 5: Security & Privacy in Cloud Computing
Page 6: Security & Privacy in Cloud Computing

Example: Microsoft

Page 7: Security & Privacy in Cloud Computing

Sorting things out…

Platform

Utility or Infrastructure

Software

Page 8: Security & Privacy in Cloud Computing

Infrastructure as a Service

• Amazon sells computing power in a way similar to how we get electricity from the power company.

• Uses a pay-as-you-go model for offering VM instances, computing power and storage on demand.

Page 9: Security & Privacy in Cloud Computing

Platform as a Service

• One step above the utility, you find the PaaS providers, like Google App Engine, Salesforce’s force.com, and the recently announced Microsoft Azure platform.

• Here you develop apps and leverage a common development framework and platform for delivery.

Page 10: Security & Privacy in Cloud Computing

Software as a Service

• Software as a Service (SaaS) is what most people are familiar with. This is where many of the common Web 2.0 applications are, like Flickr, Gmail, Google Apps, Facebook, Twitter....

• There are also enterprise application vendors, such as SAP, Oracle, Microsoft and others, attempting to gain market share here.

Page 11: Security & Privacy in Cloud Computing

Terminology

• Let’s face it, the use of all these acronyms can get confusing!

• SOA and SaaS often get confused.

• The utility and platform services are often called nothing more than the evolution of the third-party hosting services that companies have used for years.

• There are good reasons these assumptions are incorrect.

Page 12: Security & Privacy in Cloud Computing

SOA is dead…?

“SOA met its demise on January 1, 2009, when it was wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on ‘services.’”

Manes’ real point, to quote her, is that “we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business.”

Anne Thomas Manes, Burton Group

Page 13: Security & Privacy in Cloud Computing

Consumers

• Cloud Computing is a new name for things consumers are already doing.

• Consumers are tired of being IT techs.

• Consumers want to DO things online, and have the Internet cloud be as simple as Cable TV.

I don’t care what’s up there, as long as it WORKS!

Page 14: Security & Privacy in Cloud Computing

The Business Case

• Cost savings from economies of scale

• Scalability

• Elasticity

• Reliability

• (and in some cases, they enjoy a transfer of liability by outsourcing services)

Page 15: Security & Privacy in Cloud Computing

Source: www.cio.com/article/print/109706

2007

Page 16: Security & Privacy in Cloud Computing

Source: www.cio.com/article/print/109706

Page 17: Security & Privacy in Cloud Computing

Where does it make sense?

• Start-ups

• Apps that are not processing key data

• Apps that benefit greatly from economies of scale, and that require high availability and DRP (disaster recovery planning)

• Apps that need periodic, huge capacity or CPU processing

Page 18: Security & Privacy in Cloud Computing
Page 19: Security & Privacy in Cloud Computing

Where does it not make sense?

• Key apps that are earning your bread and butter

• Apps that touch personal data or process high-value/consumer transactions should be considered carefully

• Most cloud computing works well for highly parallel, but not serial, apps

Page 20: Security & Privacy in Cloud Computing

On-site vs. Off-site

• PaaS can be hosted at your data center, outsourced, or hosted in a hybrid environment like this example.

Source: cohesiveft.com/vpncubed

Page 21: Security & Privacy in Cloud Computing

Concern in the Cloud

• Security

• Control

• Performance

• Support

• Vendor Lock-In

• Speed of Scaling

• Configurability

Page 22: Security & Privacy in Cloud Computing

Security Concerns

• CIA + Privacy

• Can you extend your policies to the cloud?

• Regulatory compliance

• Managing data on shared systems

• Forensics

• Auditing

• Segregation of data

• Portability & Interoperability

• Reliability & Manageability
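One concrete way to answer "can you extend your policies to the cloud?" is to write the policy as code and run it over an inventory of cloud resources. The example below is added here and is not part of the presentation: it turns several of the concerns on this slide (CIA + privacy, auditing, forensics, segregation of data on shared systems) into rules and evaluates them against a resource inventory. The inventory, the 90-day log-retention threshold, the attribute names and the rule wording are all constructed for illustration and do not come from any cloud provider's API.

```python
"""Policy-as-code check for the cloud security concerns listed above.

Added example: the resource inventory, the policy threshold and the rule
wording are constructed for illustration; they are not from the
presentation or from any cloud provider.
"""
from __future__ import annotations

from dataclasses import dataclass

# Concern labels, matching the bullets on the slide.
CIA_PRIVACY = "CIA + Privacy"
AUDITING = "Auditing"
FORENSICS = "Forensics"
SEGREGATION = "Segregation of data"

# Constructed threshold standing in for an organization's written policy:
# access logs must outlive the time it takes to notice and investigate an incident.
MIN_LOG_RETENTION_DAYS = 90


@dataclass
class CloudResource:
    """One storage resource as it might appear in a provider inventory (constructed)."""
    name: str
    classification: str        # "public", "internal" or "personal"
    encrypted_at_rest: bool
    access_logging: bool
    log_retention_days: int
    public_access: bool
    dedicated_tenancy: bool    # False means it shares a host with other tenants


@dataclass
class Finding:
    resource: str
    concern: str               # which slide bullet the rule belongs to
    detail: str


def evaluate(r: CloudResource) -> list[Finding]:
    """Apply the on-premises policy to one cloud resource and return its violations."""
    findings: list[Finding] = []

    # Confidentiality: anything that is not public data must not be reachable anonymously.
    if r.classification != "public" and r.public_access:
        findings.append(Finding(r.name, CIA_PRIVACY,
                                f"{r.classification} data is publicly accessible"))

    # Privacy: personal data must be encrypted at rest.
    if r.classification == "personal" and not r.encrypted_at_rest:
        findings.append(Finding(r.name, CIA_PRIVACY, "personal data not encrypted at rest"))

    # Auditing: every resource needs access logging switched on.
    if not r.access_logging:
        findings.append(Finding(r.name, AUDITING, "access logging disabled"))
    # Forensics: logging is useless if the logs expire before an investigation starts.
    elif r.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(Finding(r.name, FORENSICS,
                                f"logs kept {r.log_retention_days} days, "
                                f"policy needs {MIN_LOG_RETENTION_DAYS}"))

    # Segregation: personal data must not sit on a shared multi-tenant host.
    if r.classification == "personal" and not r.dedicated_tenancy:
        findings.append(Finding(r.name, SEGREGATION, "personal data on shared tenancy"))

    return findings


def report(inventory: list[CloudResource]) -> dict[str, list[str]]:
    """Map each non-compliant resource name to the concerns it violates."""
    out: dict[str, list[str]] = {}
    for r in inventory:
        concerns = [f.concern for f in evaluate(r)]
        if concerns:
            out[r.name] = concerns
    return out


# Constructed inventory: one compliant resource and two that break the policy.
INVENTORY = [
    CloudResource("public-website-assets", "public", False, True, 90, True, False),
    CloudResource("customer-records", "personal", False, True, 30, False, False),
    CloudResource("hr-export", "internal", True, False, 0, True, True),
]

if __name__ == "__main__":
    for r in INVENTORY:
        for f in evaluate(r):
            print(f"{f.resource}: [{f.concern}] {f.detail}")
```

Each rule is tagged with the slide bullet it enforces, so a failed check points straight back to the concern it represents; in practice the inventory would be pulled from the provider's API and the same rules run on a schedule, which is what "extending your policies to the cloud" looks like operationally.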

Page 23: Security & Privacy in Cloud Computing

In The News

• Monster.com Breach May Preface Targeted Attacks

• Salesforce.com Admits Data Loss

• Millions of Gmail Users Left in the Lurch

• Gmail is down, down, down

Page 24: Security & Privacy in Cloud Computing

More…

• United Airlines Flight Operations Computer System Failure

• San Francisco Power Grid Failure

• PayPal Subscription Processing Fails

• Skype Down for Days

• LAX TSA Screening System Failure

• What if Google were to disappear for a few days? Or Facebook? Yahoo?

Page 25: Security & Privacy in Cloud Computing

Compliance in the Cloud

• Let me just list some common U.S. regulations and speak to them:

• PCI

• SOX

• HIPAA

• GLB

• California Breach Law (SB1386)

Page 26: Security & Privacy in Cloud Computing

Future Trends

• The Web as a Participatory Worldwide Communications Media (Wikipedia, Facebook, YouTube…)

• The Need to Use Less Energy

• Innovation Imperative

• Quest for Simplicity

• Structure Out of Chaos

Source: www.cio.com/article/438371/Cloud_Computing_Hype_Versus_Reality

Page 27: Security & Privacy in Cloud Computing

Grinch in the Cloud

• The Grinch: It came without segregation. It came without recovery goals. It came without adequate physical, logical, or personnel access controls. It could have been high, it could have been low, I just have no clue where the data may flow!

• Narrator: Then the Grinch thought of something he hadn't before.

• The Grinch: Maybe the perfect solution doesn't come from a store. Maybe solving business problems securely...

• Narrator: He thought

• The Grinch: ...means a little bit more.

Page 28: Security & Privacy in Cloud Computing

Useful Resources

• World Privacy Forum, www.worldprivacyforum.org

• Security Monks Blog, http://blog.securitymonks.com/2009/01/25/recent-cloud-postings/

• Rational Survivability Blog, http://rationalsecurity.typepad.com/