Hamed Pishvayazdi, spring 1394 1. Cloud Definition.
-
Upload
ophelia-boone -
Category
Documents
-
view
219 -
download
3
Transcript of Hamed Pishvayazdi, spring 1394 1. Cloud Definition.
![Page 1: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/1.jpg)
Hamed Pishvayazdi, spring 1394
1
![Page 2: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/2.jpg)
Cloud Definition
![Page 3: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/3.jpg)
Cloud Characteristics
oOn demand
o Pay-per-use : less investmento Pay-as-you-go
oElastic Capacity & Infinite Resources & ScalabilityoSelf-Service Interface & ManageabilityoAbstraction: Resources that are abstract and virtualizedoUtility ComputingoBetter resource utilizationoReduce power (Green IT computing)oUbiquity of access (anywhere, anytime, …)oEase of management & Self-serviceoCustomization: More in IaaS and less in PaaS and SaaS
![Page 4: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/4.jpg)
Cloud Security: Advantages & Disadvantages
![Page 5: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/5.jpg)
General Security Advantages
Cloud homogeneity makes security auditing/testing simpler
Clouds enable automated security management
Redundancy / Disaster Recovery
5
![Page 6: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/6.jpg)
Cloud Security Advantages Dedicated Security Team Greater Investment in Security Infrastructure Fault Tolerance and Reliability Greater Resiliency Hypervisor Protection Against Network Attacks
6
![Page 7: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/7.jpg)
Cloud Security Advantages (Cont.)Simplification of Compliance AnalysisData Held by Unbiased Party (cloud vendor
assertion)Low-Cost Disaster Recovery and Data Storage
SolutionsOn-Demand Security ControlsReal-Time Detection of System TamperingRapid Re-Constitution of ServicesUsing cloud for security:
Defense or attackAdvanced Honeynet CapabilitiesDOSDecryption7
![Page 8: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/8.jpg)
Responsibility & Accountability“Ultimately, you can outsource responsibility but
you can’t outsource accountability.”
8
![Page 9: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/9.jpg)
Companies are still afraid to use clouds
9
![Page 10: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/10.jpg)
10
Specific Customer Concerns Related to Security
Protection of intellectual property and data
Ability to enforce regulatory or contractual obligations
Unauthorized use of data
Confidentiality of data
Availability of data
Integrity of data
Ability to test or audit a provider’s environment
Other
30%21%15%12% 9% 8% 6% 3%
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007
![Page 11: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/11.jpg)
11
Lots of Governance Issues Cloud Provider going out of business
Provider not achieving SLAs
Provider having poor business continuity planning
Data Centers in countries with unfriendly laws
Proprietary lock-in with technology, data formats
Mistakes made by internal IT security – several orders of magnitude more serious
![Page 12: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/12.jpg)
12
![Page 13: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/13.jpg)
13
Problems Associated with Cloud ComputingMost security problems stem from:
Loss of controlLack of trust (mechanisms)Multi-tenancy
These problems exist mainly in 3rd party management modelsSelf-managed clouds still have security issues,
but not related to above
![Page 14: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/14.jpg)
Possible SolutionsMinimize Lack of Trust
Policy LanguageCertification
Minimize Loss of Control MonitoringUtilizing different cloudsAccess control managementIdentity Management (IDM)
Minimize Multi-tenancy
14
![Page 15: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/15.jpg)
15
Cloud Forcing Key Issues
Separation between data owners and data processors
Anonymity of geography Anonymity of providerPhysical vs virtual controlsIdentity management
![Page 16: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/16.jpg)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
… and one other
Public Cloud
Private Cloud
Virtual Private
Cloud
Hybrid Cloud
Community Cloud
Cloud Deployment Model
16
Public Cloud
Cloud infrastructure made available to the general public.
Private Cloud
Cloud infrastructure operated solely for an organization.
Virtual Private
Cloud
Cloud services that simulate the private cloud experience in public
cloud infrastructure
Hybrid Cloud
Cloud infrastructure composed of two or more clouds that interoperate
or federate through technology
Community Cloud
Cloud infrastructure shared by several organizations and supporting
a specific community
NIST Deployment Models
![Page 17: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/17.jpg)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Ownership
Control
Internal Resources
All cloud resources owned by or dedicated to enterprise
External Resources
All cloud resources owned by providers; used by many customers
Private Cloud
Cloud definition/governance controlled by enterprise
Public Cloud
Cloud definition/governance controlled by provider
Hybrid Cloud
Interoperability and portability among Public and/or Private Cloud systems
Enterprise Deployment ModelsDistinguishing between Ownership and Control
17
![Page 18: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/18.jpg)
18
Amazon Virtual Private Cloud VPC (http://aws.amazon.com/vpc/ )
![Page 19: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/19.jpg)
19
We Have ControlIt’s located at X.We have backups.Our admins control access.Our uptime is sufficient.The auditors are happy.Our security team is engaged.
Who Has Control?Where is it located?Who backs it up?Who has access?How resilient is it?How do auditors observe?How does our security team engage?
Of enterprises consider security #1 inhibitor to cloud adoptions
80%
Of enterprises are concerned about the reliability of clouds48%
Of respondents are concerned with cloud interfering with their ability to comply with regulations
33%
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)
![Page 20: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/20.jpg)
Governance structure of IT organizations
20
![Page 21: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/21.jpg)
Assessment responsibility
![Page 22: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/22.jpg)
22
High-level cloud security concerns
ComplianceComplying with SOX, HIPPA
and other regulations may prohibit the use of clouds for some applications.
Comprehensive auditing capabilities are essential.
22
Less ControlMany companies and governments are uncomfortable with the idea of their
information located on systems they do not control. Providers must offer a high degree of
security transparency to help put customers at ease.
ReliabilityHigh availability will be a key concern. IT
departments will worry about a loss of service should outages occur. Mission critical
applications may not run in the cloud without strong availability guarantees.
Security ManagementProviders must supply easy, visual controls
to manage firewall and security settings for applications and runtime
environments in the cloud.
Data SecurityMigrating workloads to a shared network and compute infrastructure increases the
potential for unauthorized exposure. Authentication and access technologies
become increasingly important.
![Page 23: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/23.jpg)
Customer Pain PointsP - Privacy (Confidentiality)A - Authorization (Authentication)
I - IntegrityN - Non-Repudiation
23
The fundamentals of security haven’t changed for a long time.However, in the last few years due to viruses, worms, intrusions & DDoSattacks, another one has been added called “Assured Information Access”.
![Page 24: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/24.jpg)
Threat ModelRisk 1: Resource Exhaustion*Risk 2: Customer Isolation Failure*Risk 3: Management Interface CompromiseRisk 4: Interception of Data in TransmissionRisk 5: Data leakage on Upload/Download,
Intra-cloud
24
![Page 25: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/25.jpg)
Threat ModelRisk 6: Insecure or Ineffective Deletion of
Data*Risk 7: Distributed Denial of Service (DDoS)Risk 8: Economic Denial of Service*Risk 9: Loss or Compromise of Encryption
KeysRisk 10: Malicious Probes or Scans
25
![Page 26: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/26.jpg)
Threat ModelRisk 11: Compromise of Service
Engine/Hypervisor*Risk 12: Conflicts between customer
hardening procedures and cloud environmentRisk 13: Subpoena and E-Discovery*Risk 14: Risk from Changes of Jurisdiction*Risk 15: Licensing Risks*
26
![Page 27: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/27.jpg)
Threat ModelRisk 16: Network FailureRisk 17: Networking ManagementRisk 18: Modification of Network TrafficRisk 19: Privilege Escalation*Risk 20: Social Engineering Attacks
27
![Page 28: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/28.jpg)
Threat ModelRisk 21: Loss or Compromise of Operation
LogsRisk 22: Loss or compromise of Security LogsRisk 23: Backups Lost or StolenRisk 23: Unauthorized Access to Premises,
Including Physical Access to Machines and Other Facilities
Risk 25: Theft of Computer Equipment.*
28
![Page 29: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/29.jpg)
Overview
29
![Page 30: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/30.jpg)
30
![Page 31: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/31.jpg)
Mapping the Model to the Metal
31
Physical Physical Plant Security, CCTV, Guards
Compute & StorageHost-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Network NIDS/NIPS, Firewalls, DPI, Anti-DDoS,QoS, DNSSEC, OAuth
Management
GRC, IAM, VA/VM, Patch Management,Configuration Management, Monitoring
Information DLP, CMF, Database Activity Monitoring, Encryption
ApplicationsSDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Trusted ComputingHardware & Software RoT & API’s
Security Control Model
Cloud Model
Compliance Model
PCI
HIPAA
GLBA
FirewallsCode ReviewWAFEncryptionUnique User IDsAnti-VirusMonitoring/IDS/IPSPatch/Vulnerability ManagementPhysical Access ControlTwo-Factor Authentication...
SOX
Find the Gaps!
![Page 32: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/32.jpg)
CSA Guidance Research
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Bus. Cont,, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud ArchitectureCloud Architecture
Op
erat
ing
in t
he
Clo
ud
Go
vernin
g th
e Clo
ud
![Page 33: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/33.jpg)
33
CSA Guidance Domains
Governing in the Cloud2. Governance & Risk
Mgt
3. Legal
4. Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgt
7. Portability & Interoperability
Operating in the Cloud2. Traditional, BCM, DR
3. Data Center Operations
4. Incident Response
5. Application Security
6. Encryption & Key Mgt
7. Identity & Access Mgt
8. Storage
9. Virtualization
1. Understand Cloud Architecture
![Page 34: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/34.jpg)
Governing Governing the cloudthe cloud
![Page 35: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/35.jpg)
Legalbetween the laws the cloud provider must comply
with and those governing the cloud customerGain a clear expectation of the cloud provider’s
response to legal requests for information.Cross-border data transfers
35
![Page 36: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/36.jpg)
Legal IssuesLiability
Contractual responsibilityFinancial compensationnot meeting SLALegal requests for informationProhibit data use by providerRestrict cross border transfer
Intellectual PropertyAll data including copies owned by clientState data rights in SLA clearly
36
![Page 37: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/37.jpg)
Electronic DiscoveryOrganizations have control over the data they are
legally responsible for.Preserve data as authentic and reliable.
MetadataLogfiles
Mutual understanding of roles and responsibilities
37
![Page 38: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/38.jpg)
Compliance & Audit
Classify data and systems to understand compliance requirements
Understand data locations, copiesMaintain a right to audit on demandNeed uniformity in comprehensive
certification scoping to beef up SAS 70 II, ISO 2700X
38
![Page 39: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/39.jpg)
Information Lifecycle Mgtlogical segregation of information and
protective controls implementedUnderstand the privacy restrictions inherent
in dataData retention assurance easy, data
destruction may be very difficult.
39
![Page 40: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/40.jpg)
Information Lifecycle ManagementFrom creation to destructionData classification Data confidentialityData integrity Provider Access needs be definedData retentionData destruction :harder to proveCross-jurisdictional issuesNegotiate penalties for data breachesAccess control: like RBAC
40
![Page 41: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/41.jpg)
Portability & Interoperability
Understand and implement layers of abstractionFor SaaS:
regular data extractions and backups to a usable formatFor IaaS:
deploy applications abstracted from the machine image.For PaaS:
“loose coupling” using SOA principlesUnderstand who the competitors are to your cloud
providers and what their capabilities are to assist in migration.
Advocate open standards.
41
![Page 42: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/42.jpg)
CSA Guidance Research
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Bus. Cont,, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud ArchitectureCloud Architecture
Op
erat
ing
in t
he
Clo
ud
Go
vernin
g th
e Clo
ud
![Page 43: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/43.jpg)
Operating in Operating in the cloudthe cloud
![Page 44: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/44.jpg)
Traditional, BCM/DRGreatest concern: insider threat
Onsite inspections of cloud provider facilities whenever possible.
BCP/DRP
Identify physical interdependencies in provider infrastructure.
44
![Page 45: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/45.jpg)
Business ContinuityDisaster recovery plan
Is it comparable to client’s data center?
Can we do a BC audit?Location of recovery data centersSLA Guarantee Data Portability
45
![Page 46: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/46.jpg)
Incident ResponseAny data classified private:
should always be encrypted
Application layer logging frameworks to:granular narrowing of incidents to a specific customer.
Cloud providers and customers need defined collaboration for incident response.
46
![Page 47: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/47.jpg)
Application SecuritySecure software Development Lifecycle (SDL)
IaaS, PaaS and SaaS: differing trust boundaries for SDL
For IaaS, need trusted virtual machine images
Apply best practices available to harden DMZ host systems to virtual machines
Securing inter-host communications:no assumption of a secure channel between hosts
Understand malicious actors techniques
47
![Page 48: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/48.jpg)
48
![Page 49: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/49.jpg)
49
Cyber Security (DPI) DPI refers to the ability to inspect all packet contents
Other packet processing models allow partial access (shown below) Full Layer 2-7 Inspection No inherent MAC or IP address: invisible on the network Real-time analysis with full packet & flow manipulation Create/remove packets High speed analysis (10 Gbits/sec)
MAC Header IP Header TCP/UDP Payload
DPI Access to all packet data, including Layer 7 applications such as VoIP, P2P, HTTP, SMTP
Switch
Servers
MAC Header IP Header TCP/UDP Payload
Router MAC Header IP Header TCP/UDP Payload
Firewall MAC Header IP Header TCP/UDP Payload
MAC Header IP Header TCP/UDP Payload
Traditional Network Devices
![Page 50: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/50.jpg)
Encryption & Key MgtNot controlling backend systems:
Assure data is encrypted being stored on the backend
Use encryption : separate data holding from data usage.
Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
50
![Page 51: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/51.jpg)
51
![Page 52: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/52.jpg)
52
![Page 53: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/53.jpg)
Identity & Access MgtRobust federated identity management
Insist upon standards : primarily SAML, WS-Federation and Liberty ID-FF federation
Validate that cloud provider support: strong authentication natively via delegation support robust password policies
Consider implementing Single Sign-on (SSO)
Using cloud-based “Identity as a Service” providers may be a useful tool for
53
![Page 54: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/54.jpg)
54
![Page 55: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/55.jpg)
Data & StorageStorage architecture and abstraction layers:
verify that the storage subsystem does not span domain trust boundaries
knowing storage geographical location is possible
Cloud provider’s data search capabilities
Storage retirement processes.
storage can be seized by a third party or government entity?
How encryption is managed on multi-tenant storage?
Long term archiving, will the data be available several years later?
55
![Page 56: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/56.jpg)
PrivacyPrivate data
What is collected?Where is it stored?How is it stored?How is it used?How long is it stored?
Tagging of PII dataAccess control of PII dataProtection of digital identities & credentialsAccess policy for 3rd parties (e.g. Govt.
agency)How will 3rd parties protect my privacy?
56
![Page 57: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/57.jpg)
Governance & Enterprise Risk ManagementCSPs accept no responsibility for data they store in their
infrastructureBe clear on who owns the data SLAs include
availability service quality resolution times critical success factors, key performance indicators, etc.
Regular 3rd party risk assessments Require listings of all 3rd party relationshipsFor mission critical situations & PII examine creating a
private or hybrid cloudRisk Management
57
![Page 58: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/58.jpg)
VirtualizationVirtualized operating systems should be augmented by
third party security technology
Risk of insecure machine images provisioning.
Virtualization advantages :creating isolated environments better defined memory space, :minimize application instability
and simplify recovery.
Need granular monitoring of traffic crossing VM backplanes
58
![Page 59: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/59.jpg)
Physical/Personnel SecurityProtection against internal attacks
Ensure internal people can’t exploit the information to their gain
Restricted & Monitored access 24x7Background checks for all relevant
personnelAudit privileged users?Coordination of Admins (Hybrid Cloud)
59
![Page 60: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/60.jpg)
The Host Level
SaaS/PaaSBoth the PaaS and SaaS platforms abstract and
hide the host OS from end usersHost security responsibilities are transferred to
the CSP (Cloud Service Provider) You do not have to worry about protecting hosts
However, as a customer, you still own the risk of managing information hosted in the cloud services.
60
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
![Page 61: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/61.jpg)
The Host Level (cont.)
61
![Page 62: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/62.jpg)
Thank you !!!
62
![Page 63: Hamed Pishvayazdi, spring 1394 1. Cloud Definition.](https://reader038.fdocuments.in/reader038/viewer/2022103007/56649de45503460f94ada920/html5/thumbnails/63.jpg)
Question????