Dr. Susan Cole, CISSP, CCSK [email protected] CLOUD SECURITY: Concerns, Complications and...
Transcript of Dr. Susan Cole, CISSP, CCSK [email protected] CLOUD SECURITY: Concerns, Complications and...
Agenda
What is it? Definition Deployment Models Service Models
BenefitsConcernsComplicationsRisksImprovementsConsiderations
December 10, 2013
December 10, 2013
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
What goes “into” the Cloud?• Data/information• Applications/functions/processes
(Grance and Mell, 2011)
What is it? - Definition
December 10, 2013
What is it? - Definition
Essential Characteristics:On-demand self-service.
Broad network access.
Resource pooling.
Rapid elasticity.
Measured Service.
(NIST and CSA, 2009)
December 10, 2013
What is it? – Deployment Models
Private - operated solely for an organization.
Community - shared by several organizations and supports a specific community that has shared concerns
Public - made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid - a composition of two or more clouds
(NIST and CSA, 2009)
December 10, 2013
What is it? – Service Models
Software as a Service (SaaS) Delivers applications hosted on cloud as internet-based services Does not require installing apps on customers’ computers Example: Salesforce
Platform as a Service (PaaS) Delivers platforms, tools, services Without installing any of these platforms or support tools on local
machines Example: Google Apps
Infrastructure as a Service (IaaS) Delivers “computation resources,” network and storage as internet-based
service Example: Amazon EC2
December 10, 2013
What is it? – Service Models
x
(CSA, 2009)
December 10, 2013
Benefits
Availability!
Economic benefits! Cost Reduction Scalable Easier to collaborate (long-distance) Small and mid-size business access to tech at lower prices
There’s a chance security will be as good or better if cloud provider is a quality service provider.
December 10, 2013
Benefits
Ways to Use the Cloud
Social MediaBusiness ApplicationsProductivity ApplicationsEmail as a serviceInfrastructureWebsite hostingStorageEmpower Mobile Devices (BYOD)
December 10, 2013
Benefits
Organization Projected Savings Service
City of Orlando $262, 500 per year Email to Google
City of Pittsburgh $100,000 per year Email to Google
City of LA $ 1.1 MILLION per year Email & Office to Google
Army (Army Experience Center)
Cost down to 8M from $83M Recruitment tracking platform (service not identified)
NOAA 50% lower cost to taxpayer Email and calendar (service not identified)
Air Force (Personnel Services Delivery Transformation)
$4 MILLION per year Web self-service, incident management, customer surveys, analytics, knowledge management to RightNow
http://info.apps.gov/content/state-and-local-cloud-computing-case-studies
December 10, 2013
Benefits
Organization Area Savings
DoD US Army Online Experience Center
Business App • Costs down to 8M for full licensing from $83M • 33% productivity gain • 30 times higher response rates
Federal Labor Relation Authority (FLRA) Case Management System
Business App • 88% reduction in total cost of ownership over a five year period
• Eliminated up-front licensing cost of $273,000 Reduced annual maintenance from $77,000 to $16,800
Social Security Administration (SSA) Online Answers Knowledge Base
Business App • Nearly 99% of 25M web self-service sessions handled without agent intervention.
NASA Jet Propulsion Lab (JPL) Cassini
Infrastructure • Processing costs totaled less than $200 compared to the thousands required to maintain in house systems.
http://cloud.cio.gov/step-step/cloud-computing-success-stories
December 10, 2013
Benefits
Organization Area Savings
DoD DISA Gig Content Delivery Service
Infrastructure • A DISA customer avoided installation of 500 servers worldwide by using GCDS.
• Offload up to 90% of the hits from data center infrastructure.
USDA Cloud email Email as a service
• Reduced mail messaging costs to less than $8 a month per user
• Once fully operational, USDA expects to save $6 million per year compared to legacy system costs
NOAA Cloud email Email as a service
• 50% lower cost to taxpayer
DOT Office of Comptroller of the Currency (OCC) Vulnerability Assessment System
Productivity App
• 458% increase in scanning• Reduction in per scan cost from $99.34 to $13.66• 12% increase in detection• Eliminated 3 hardware and software platforms
reducing number of scanners to one
http://cloud.cio.gov/step-step/cloud-computing-success-stories
December 10, 2013
Benefits
Organization Area Savings
Benefits.gov Hybrid Cloud Implementation
Website Hosting • Initially, a 60% reduction in costs due to a discount provided by USDA
Bureau of Engraving and Printing Public-Facing Website
Website Hosting • Reduced infrastructure costs from $800,000 to $1,550
http://cloud.cio.gov/step-step/cloud-computing-success-stories
December 10, 2013
Concerns
Migration Costs Additional training for staff New monitoring systems
(Ashford, 2012)
December 10, 2013
Concerns
Security is “arguably the most significant barrier to faster and more widespread adoption of cloud computing.”
(Chen, et al, 2010)
December 10, 2013
Concerns
Shared Risks
Outsourcing security to a 3rd party = loss of control
Coexistence of different tenants using same instance of service but unaware of strength of the other’s security controls
Lack of security guarantees in SLAs
Hosting on publicly available infrastructure increases probability of attacks
December 10, 2013
Concerns
Shared Risks
“Cloud providers priorities do not always align with the customer’s objectives.”
Self-preservation Reporting to customer or externally…
Is your cloud provider using services from yet another cloud provider?
Need to protect not only data… but activity patterns Possible reverse engineering by others in the cloud to find out customer
base, revenue, etc.
December 10, 2013
Concerns
Shared RisksAuditability in the cloud…
Already required for banking and health sectors Should be “mutual” for provider and customer
“Sharing of resources violates the confidentiality of tenants’ IT assets which leads to the need for secure multi-tenancy.”
(Morsey, et al, 2010)
December 10, 2013
Complications
BYODCan’t avoid!Saves $ if employees provide devicesSingle device solution
No need to carry multiple devices
Improves moraleIncreases productivity
Employees willing to work after-hours; always connected
Federal Agencies have Pilot BYOD Programs NSA (mobile for classified by not BYOD yet) NIST 800-124
December 10, 2013
Complications
Penetration of Mobile Devices by Ownership
(Osterman, 2012)
December 10, 2013
Complications
Beyond the device…What does access with a device like this mean?
Next generation has to have technology tools! Recruitment
December 10, 2013
Complications
(Osterman, 2012)
December 10, 2013
Risks
Application control Data Loss Labor laws Privacy Issues Regulatory requirements Lost and stolen devices Data recovery Expectation of Cloud Providers to manage security
December 10, 2013
Risks
(CSA, 2009)
December 10, 2013
Improvements
Cloud is becoming more secureFedRAMPCloud Security Alliance
STARCloud Service Providers
Built in versus added on
December 10, 2013
Improvements
Standards and Regulations http://cloud.cio.gov/action/manage-your-cloud 25 Point Implementation Plan to Reform Information Technology
Management Download:
http://cloud.cio.gov/document/25-point-implementaton-plan-reform-information-technology-management
Federal Cloud Computing Strategy Download:
http://cloud.cio.gov/document/federal-cloud-computing-strategy
Federal IT Shared Services Strategy Download:
http://cloud.cio.gov/document/federal-it-shared-services-strategy
December 10, 2013
Improvements
Federal Data Center Consolidation Initiative (FDCCI)https://cio.gov/deliver/data-center-consolidation/
That could affect Cloud Security:LegislationTPM chipsSelf-Encrypting Drives (SEDs)
December 10, 2013
Considerations
Identity ManagementRemote ManagementVirtualizationData-at-RestPortability
December 10, 2013
Considerations
How to Apply Security
1.Determine what needs to go (data and/or functions)
2.Evaluate importance to organization
3.Evaluate deployment models
4.Evaluate service models
5.Evaluate cloud provider (CSA, 2009)
December 10, 2013
Considerations
Three Options
1.Accept whatever assurances the service provider offers
2.Evaluate the service provider yourself
3.Use a neutral 3rd party to conduct a security assessment
The cloud provider should perform regular security assessment and provide reports to their clients.
December 10, 2013
Considerations
Security Assessments
“Traditional service providers submit to external audits and security certifications, providing their customers with information on the specific controls that were evaluated.
A cloud-computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.”
(Heiser and Nicolett, 2008)
December 10, 2013
Considerations
How to Take Control
Decide what (data and/or functions) should be migrated to the cloud…
Cost/benefit analysis: not all are good choice Risk Assessment
Investigate physical security of where data will be housed…
Encrypt
December 10, 2013
Considerations
How to take control
Schedule monthly meeting with security personnel of the cloud provider.
Employ legal experts (experienced with “cloud”) early to formulate contract.
Much easier than bringing in lawyers after the fact to fight
Get definitions and procedures outlined in advance… (incidents, disasters, etc)
December 10, 2013
References and Background Info
December 10, 2013
References Almond, Carl. (2009). “A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud
security.” Avanade Inc.
Al Morsey, M., Grundy, J., and I. Muller. (2010). “An Analysis of The Cloud Computing Security Problem.” APSEC 2010 Cloud Workshop, Sydney, Australia.
Ashford, W. (2012). “Cloud Computing: Could it Cost More?” TechTarget. http://www.computerweekly.com/news/2240163197/Cloud-computing-Could-it-cost-more
Ashford, W. (2011). “Self-encrypting drives: SED the best-kept secret in hard drive encryption security” TechTarget. http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security
Avanade (2012). “Global Survey: Dispelling Six Myths of Consumerization of IT.” http://www.avanade.com/Documents/Resources/consumerization-of-it-executive-summary.pdf
Chen, Y., Paxson, V., and R. Katz. (2010). “What’s New About Cloud Computing Security?” Electrical Engineering and Computer Sciences, University of California at Berkeley.
Cloud Security Alliance (CSA) (2009). “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1”
Cox, P. (2010). “Remote management threatens Infrastructure as a Service security” TechTarget. http://searchcloudcomputing.techtarget.com/tip/How-to-use-Infrastructure-as-a-Service-securely-part-2
Grance, T. and P. Mell (2011). “The NIST Definition of Cloud Computing (Draft).” NIST Special Publication 800-145 (Draft).
35
December 10, 2013
References Grance, T. and P. Mell (2011). “The NIST Definition of Cloud Computing (Draft).” NIST Special Publication 800-145 (Draft).
Heiser, J. and M. Nicolett. (2008). “Assessing the Security Risks of Cloud Computing.” Gartner.
Hess, K, (2012). “BYOD busted? It's OK we know you're doing it.” ZDNet. http://www.zdnet.com/blog/consumerization/byod-busted-its-ok-we-know-youre-doing-it/169
Holland, K. (2011). “Pros and Cons of Cloud Computing.” Beckon. http://www.thebeckon.com/pros-and-cons-of-cloud-computing/
Iyengar, G. (2011). “Cloud Computing – Maze in the Haze.” SANS: GIAC (GSEC) Gold Certification Paper.
Jacobs, D. (2013). “The TPM chip: An unexploited resource for network security.” TechTarget. http://searchnetworking.techtarget.com/tip/The-TPM-chip-An-unexploited-resource-for-network-security
Mimosa, M. (2012). “TPM Chip in Windows 8 Lays Foundation for Widespread Enhancements to Hardware-Based Security.” Threatpost. http://threatpost.com/en_us/blogs/tpm-chip-windows-8-lays-foundation-widespread-enhancements-hardware-based-security-102612
Osterman (2012), sponsored by Accellion. “Putting IT Back in Control of BYOD: An Osterman Research White Paper”
36
December 10, 2013
References
Reed, J. (2010). “Following Incident into the Cloud.” SANS: GIAC (GCIH) Gold Certification Paper.
Rouse, M. (2012). “Identity as a Service.” TechTarget. http://searchconsumerization.techtarget.com/definition/identity-as-a-Service-IDaaS
Sinclair, J. (2010). “Auditing in Cloud Computing.” SAP RESEARCH. http://www.slideshare.net/jonathansinclair86/cloud-auditing
Tutti, C. (2011). “NIST Cloud Roadmap: Too much too fast?” Federal Computer Week.
Vizard, M. (2012) “The Keys to the Cloud Security Kingdom.” IT Business Edge. http://www.itbusinessedge.com/cm/blogs/vizard/the-keys-to-the-cloud-security-kingdom/?cs=49788&utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+MikeVizard+%28Mike+Vizard%29
Winkler, V. (2011). “Cloud Computing: Virtual Cloud Security Concerns.” TechNet. http://technet.microsoft.com/en-us/magazine/hh641415.aspx
37