Hanna Cloud Computing




Transcript of Hanna Cloud Computing

  • Cloud Computing: Finding the Silver Lining

    Steve Hanna, Juniper Networks

  • Agenda
    What is Cloud Computing?
    Security Analysis of Cloud Computing
    Conclusions


  • Cloud Computing Defined
    Dynamically scalable shared resources accessed over a network
    Only pay for what you use
    Shared internally or with other customers
    Resources = storage, computing, services, etc.
    Internal network or Internet

    Notes
    Similar to timesharing
    Rent IT resources vs. buy
    New term; definition still being developed

  • [Diagram: Conventional Data Center. Office User on the Enterprise LAN and Remote User across the Internet both reach the enterprise Data Center (Data, Applications).]

  • [Diagram: Cloud Computing Model. Office User on the Enterprise 1 LAN and Remote User both reach the Cloud Provider (Applications, Data) across the Internet.]

  • Many Flavors of Cloud Computing
    SaaS: Software as a Service. Network-hosted application

    DaaS: Data as a Service. Customer queries against provider's database

    PaaS: Platform as a Service. Network-hosted software development platform

    IaaS: Infrastructure as a Service. Provider hosts customer VMs or provides network storage

    IPMaaS: Identity and Policy Management as a Service. Provider manages identity and/or access control policy for customer

    NaaS: Network as a Service. Provider offers virtualized networks (e.g. VPNs)

  • Cloud Computing Providers
    [Diagram: provider offerings by layer: NaaS and IaaS (DC/server) as Infrastructure; DaaS, SaaS and PaaS as Software & Data; IPMaaS as IPM.]

  • Cloud Computing Pros and Cons

  • Who's using Clouds today?

  • Example: Mogulus
    Mogulus is a live broadcast platform on the internet. (cloud customer)
    Producers can use the Mogulus browser-based Studio application to create LIVE, scheduled and on-demand internet television to broadcast anywhere on the web through a single player widget.
    Mogulus is entirely hosted on cloud (cloud provider)
    On Election night Mogulus ramped to: 87000 videos @ 500 kbps = 43.5 Gbps
    http://www.mogulus.com

  • Example: Animoto
    Animoto is a video rendering & production house with service available over the Internet (cloud customer)
    With their patent-pending technology and high-end motion design, each video is a fully customized orchestration of user-selected images and music in several formats, including DVD.
    Animoto is entirely hosted on cloud (cloud provider)
    Released Facebook App: users were able to easily render their photos into MTV-like videos
    Ramped from 25,000 users to 250,000 users in three days
    Signing up 20,000 new users per hour at peak
    Went from 50 to 3500 servers in 5 days
    Two weeks later scaled back to 100 servers
    http://www.animoto.com

  • Example: New York Times
    Timesmachine is a news archive of the NY Times available in pdf over the Internet to newspaper subscribers (cloud customer)
    Timesmachine is entirely hosted on cloud (cloud provider)
    Timesmachine needed infrastructure to host several terabits of data
    Internal IT rejected due to cost
    Business owners got the data up on cloud for $50 over one weekend
    http://timesmachine.nytimes.com

  • Example: Eli Lilly
    Eli Lilly is the 10th largest pharmaceutical company in the world (cloud customer)
    Moved entire R&D environment to cloud (cloud provider)
    Results:
    Reduced costs
    Global access to R&D applications
    Rapid transition due to VM hosting

    Time to deliver new services greatly reduced:
    New server: 7.5 weeks down to 3 minutes
    New collaboration: 8 weeks down to 5 minutes
    64-node Linux cluster: 12 weeks down to 5 minutes

  • Who's using Clouds today?
    Startups & Small businesses
    Can use clouds for everything: SaaS, IaaS, collaboration services, online presence
    Mid-Size Enterprises
    Can use clouds for many things: compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools
    Large Enterprises
    More likely to have hybrid models where they keep some things in house
    On-premises data for legal and risk management reasons

  • Agenda
    What is Cloud Computing?
    Security Analysis of Cloud Computing
    Conclusions

  • Information Security Risk Management Process (ISO 27005)
    Establish Context
    Risk Assessment
    Identify Risks: Identify Assets, Identify Threats, Identify Existing Controls, Identify Vulnerabilities, Identify Consequences
    Estimate Risks
    Evaluate Risks
    Develop Risk Treatment Plan: Reduce, Retain, Avoid, or Transfer Risks
    Risk Acceptance
    Implement Risk Treatment Plan
    Monitor and Review Risks

  • Streamlined Security Analysis Process
    Identify Assets
    Which assets are we trying to protect?
    What properties of these assets must be maintained?

    Identify Threats
    What attacks can be mounted?
    What other threats are there (natural disasters, etc.)?

    Identify Countermeasures
    How can we counter those attacks?

    Appropriate for Organization-Independent Analysis
    We have no organizational context or policies

  • Identify Assets

  • [Diagram: Conventional Data Center. Office User on the Enterprise LAN and Remote User across the Internet both reach the enterprise Data Center (Data, Applications).]

  • [Diagram: Cloud Computing Model. Office Users on the Enterprise LANs of Enterprise 1 and Enterprise 2, and Remote User, reach the Cloud Provider (Applications, Data) across the Internet.]

  • Identify Assets
    Customer Data

    Customer Applications

    Client Computing Devices

  • Information Security Principles (Triad): C I A

    Confidentiality: Prevent unauthorized disclosure

    Integrity: Preserve information integrity

    Availability: Ensure information is available when needed

  • Identify Assets & Principles
    Customer Data: Confidentiality, integrity, and availability

    Customer Applications: Confidentiality, integrity, and availability

    Client Computing Devices: Confidentiality, integrity, and availability

  • Identify Threats

  • [Diagram: Cloud Computing Model. Office Users on the Enterprise LANs of Enterprise 1 and Enterprise 2, and Remote User, reach the Cloud Provider (Applications, Data) across the Internet.]

  • Identify Threats
    Failures in Provider Security

    Attacks by Other Customers

    Availability and Reliability Issues

    Legal and Regulatory Issues

    Perimeter Security Model Broken

    Integrating Provider and Customer Security Systems

  • Failures in Provider Security
    Explanation
    Provider controls servers, network, etc.
    Customer must trust provider's security
    Failures may violate CIA principles

    Countermeasures
    Verify and monitor provider's security

    Notes
    Outside verification may suffice
    For SMB, provider security may exceed customer security

  • Attacks by Other Customers
    Threats
    Provider resources shared with untrusted parties: CPU, storage, network
    Customer data and applications must be separated
    Failures will violate CIA principles

    Countermeasures
    Hypervisors for compute separation
    MPLS, VPNs, VLANs, firewalls for network separation
    Cryptography (strong)
    Application-layer separation (less strong)
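    The slide ranks application-layer separation as the weaker countermeasure and cryptography as the stronger one. The following added example (not from the slides, and not Juniper code) shows why they are usually combined: a store that scopes every read and write by the caller's authenticated tenant, and additionally binds each record to its tenant with an HMAC under a per-tenant key, so that a record reached through a lookup that forgot the tenant check still fails verification under any other tenant's key. Tenant names, keys and record contents are constructed for illustration.

```python
"""Tenant separation at the application layer plus a cryptographic tenant
binding.  Added example, not part of the original slides; all tenant ids,
keys and records are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    """Identity established at login.  The tenant id comes from the
    authenticated session, never from the request body or URL."""
    user: str
    tenant_id: str


class TenantScopedStore:
    """Application-layer separation: every access is keyed by the caller's
    tenant, so a record id guessed by another tenant resolves to nothing.
    Cryptography adds a second line of defence: each record carries an HMAC
    under the owning tenant's key, computed over (tenant, id, payload)."""

    def __init__(self, tenant_keys):
        self._tenant_keys = dict(tenant_keys)   # tenant_id -> secret key bytes
        self._rows = {}                         # (tenant_id, record_id) -> (payload, tag)

    def _tag(self, tenant_id, record_id, payload):
        key = self._tenant_keys[tenant_id]
        msg = json.dumps([tenant_id, record_id, payload], sort_keys=True).encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def put(self, ctx, record_id, payload):
        tag = self._tag(ctx.tenant_id, record_id, payload)
        self._rows[(ctx.tenant_id, record_id)] = (payload, tag)

    def get(self, ctx, record_id):
        """Return the payload, or None if the record is not this tenant's
        or its tag no longer verifies under this tenant's key."""
        row = self._rows.get((ctx.tenant_id, record_id))
        if row is None:
            return None
        payload, tag = row
        expected = self._tag(ctx.tenant_id, record_id, payload)
        if not hmac.compare_digest(tag, expected):
            return None
        return payload

    def raw_lookup_without_scoping(self, record_id):
        """Deliberately omits the tenant key: models the application-layer
        check being skipped, as the 'less strong' countermeasure allows."""
        for (tenant_id, rid), (payload, tag) in self._rows.items():
            if rid == record_id:
                return tenant_id, payload, tag
        return None

    def verify_for(self, ctx, record_id):
        """Verify a row found without scoping against the reader's tenant key.
        Only the owning tenant's key reproduces the stored tag."""
        found = self.raw_lookup_without_scoping(record_id)
        if found is None:
            return False
        _owner, payload, tag = found
        expected = self._tag(ctx.tenant_id, record_id, payload)
        return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    store = TenantScopedStore({"acme": b"acme-secret", "globex": b"globex-secret"})
    acme = AuthContext("alice", "acme")
    globex = AuthContext("bob", "globex")
    store.put(acme, "inv-1001", {"amount": 42})
    print(store.get(acme, "inv-1001"))           # {'amount': 42}
    print(store.get(globex, "inv-1001"))         # None: scoped lookup misses
    print(store.verify_for(globex, "inv-1001"))  # False: tag does not verify under globex key
```

    The scoped `get` is the everyday control; `verify_for` exists to show what the cryptographic binding buys when that control is bypassed. In a real system the per-tenant key would be held in a key management service rather than passed into the constructor.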

  • Availability and Reliability Issues
    Threats
    Clouds may be less available than in-house IT
    Complexity increases chance of failure
    Clouds are prominent attack targets
    Internet reliability is spotty
    Shared resources may provide attack vectors
    BUT cloud providers focus on availability

    Countermeasures
    Evaluate provider measures to ensure availability
    Monitor availability carefully
    Plan for downtime
    Use public clouds for less essential applications
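    "Monitor availability carefully" means measuring it yourself rather than relying on the provider's numbers. The following added example (not from the slides, and not Juniper code) computes availability and outage runs from synthetic external probe results; the host name, probe lines and the 2-second "too slow counts as down" threshold are constructed assumptions.

```python
"""Availability monitoring over constructed probe results.  Added example,
not from the slides; host name and probe lines are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed log: one synthetic probe per minute against a cloud-hosted app.
# Fields: timestamp host status latency_ms ('-' when the probe failed).
SAMPLE_LOG = """\
2009-03-01T10:00:00Z app.example.cloud UP 120
2009-03-01T10:01:00Z app.example.cloud UP 135
2009-03-01T10:02:00Z app.example.cloud DOWN -
2009-03-01T10:03:00Z app.example.cloud DOWN -
2009-03-01T10:04:00Z app.example.cloud UP 140
2009-03-01T10:05:00Z app.example.cloud UP 2600
2009-03-01T10:06:00Z app.example.cloud UP 118
2009-03-01T10:07:00Z app.example.cloud DOWN -
2009-03-01T10:08:00Z app.example.cloud UP 122
2009-03-01T10:09:00Z app.example.cloud UP 119
"""


@dataclass
class Probe:
    ts: datetime
    ok: bool
    latency_ms: Optional[int]


def parse_probes(text: str) -> List[Probe]:
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _host, status, latency = line.split()
        probes.append(Probe(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            status == "UP",
            None if latency == "-" else int(latency),
        ))
    return probes


def availability(probes: List[Probe], slow_ms: int = 2000) -> float:
    """Fraction of probes that succeeded within slow_ms.  A response slower
    than the threshold counts as unavailable: to a user, a hung page and a
    refused connection look the same."""
    good = sum(1 for p in probes
               if p.ok and p.latency_ms is not None and p.latency_ms <= slow_ms)
    return good / len(probes)


def outages(probes: List[Probe]) -> List[Tuple[datetime, datetime, int]]:
    """Runs of consecutive failed probes as (first_failure, last_failure, count)."""
    runs, start, last, count = [], None, None, 0
    for p in probes:
        if not p.ok:
            if start is None:
                start = p.ts
            last, count = p.ts, count + 1
        elif start is not None:
            runs.append((start, last, count))
            start, count = None, 0
    if start is not None:
        runs.append((start, last, count))
    return runs


def sla_report(text: str, target: float = 0.999) -> dict:
    """Summarise a probe log against an availability target (assumed 99.9%)."""
    probes = parse_probes(text)
    avail = availability(probes)
    return {"availability": avail,
            "meets_sla": avail >= target,
            "outages": outages(probes)}


if __name__ == "__main__":
    print(sla_report(SAMPLE_LOG))
```

    Ten minutes of synthetic data is of course far too short a window for an SLA judgement; the point is the shape of the check: probe from outside the provider, treat slow as down, record outage runs so that downtime can be attributed and compared with what the provider reports.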

  • Legal and Regulatory Issues
    Threats
    Laws and regulations may prevent cloud computing
    Requirements to retain control
    Certification requirements not met by provider
    Geographical limitations (EU Data Privacy)
    New locations may trigger new laws and regulations

    Countermeasures
    Evaluate legal issues
    Require provider compliance with laws and regulations
    Restrict geography as needed
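    "Restrict geography as needed" is easiest to enforce as a policy check run against the provider's resource inventory. The following added example (not from the slides, and not Juniper code) encodes a residency rule per data classification and reports every resource outside its allowed regions; a classification with no rule is reported too, since a missing rule is itself a gap. The classifications, region names and inventory entries are constructed.

```python
"""Data-residency policy check.  Added example, not from the slides; the
classifications, regions and inventory are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Policy: data classification -> regions it may live in.  None means no
# geographic restriction.  The first entry models the slide's "EU Data
# Privacy" limitation; region names are illustrative.
RESIDENCY_POLICY: Dict[str, Optional[Set[str]]] = {
    "eu-personal-data": {"eu-west", "eu-central"},
    "internal": {"eu-west", "eu-central", "us-east"},
    "public": None,
}

# Constructed inventory as a provider API or CMDB export might report it.
INVENTORY = [
    {"name": "crm-db", "classification": "eu-personal-data", "region": "eu-west"},
    {"name": "crm-backup", "classification": "eu-personal-data", "region": "us-east"},
    {"name": "marketing-site", "classification": "public", "region": "ap-south"},
    {"name": "build-cache", "classification": "internal", "region": "ap-south"},
    {"name": "hr-archive", "classification": "hr-records", "region": "eu-west"},
]


def check_residency(inventory, policy) -> List[Tuple[str, str]]:
    """Return (resource name, reason) for every resource that violates policy.
    Fails closed: a classification the policy does not mention is reported
    rather than silently allowed."""
    violations = []
    for res in inventory:
        cls, region = res["classification"], res["region"]
        if cls not in policy:
            violations.append((res["name"], f"no residency rule for classification '{cls}'"))
            continue
        allowed = policy[cls]
        if allowed is not None and region not in allowed:
            violations.append(
                (res["name"], f"'{cls}' data in {region}; allowed: {sorted(allowed)}"))
    return violations


def regions_in_use(inventory) -> Set[str]:
    """New locations can trigger new laws: list every region currently
    holding any resource, so a new one is noticed when it appears."""
    return {res["region"] for res in inventory}


if __name__ == "__main__":
    for name, reason in check_residency(INVENTORY, RESIDENCY_POLICY):
        print(f"VIOLATION {name}: {reason}")
    print("regions in use:", sorted(regions_in_use(INVENTORY)))
```

    Note that the backup copy is the one that breaks the rule: replicas, backups and log archives are where data quietly crosses a border, so the inventory fed to the check has to include them, not only the primary stores.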

  • Perimeter Security Model Broken

  • [Diagram: Perimeter Security Model. Office User, Enterprise LAN and Data Center (Data, Applications) sit inside the Safe Zone; Remote User reaches it across the Internet.]

  • Perimeter Security with Cloud Computing?
    [Diagram: Office Users on the Enterprise LANs of Enterprise 1 and Enterprise 2, Remote User, Internet, Cloud Provider (Applications, Data).]

  • Perimeter Security Model Broken
    Threats
    Including the cloud in your perimeter:
    Lets attackers inside the perimeter
    Prevents mobile users from accessing the cloud directly
    Not including the cloud in your perimeter:
    Essential services aren't trusted
    No access controls on cloud

    Countermeasures
    Drop the perimeter model!

  • Integrating Provider and Customer Security
    Threat
    Disconnected provider and customer security systems
    Fired employee retains access to cloud
    Misbehavior in cloud not reported to customer

    Countermeasures
    At least, integrate identity management
    Consistent access controls
    Better, integrate monitoring and notifications

    Notes
    Can use SAML, LDAP, RADIUS, XACML, IF-MAP, etc.
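    Until identity management is fully federated (SAML, LDAP and the other protocols the slide lists), the practical stop-gap for the "fired employee retains access" threat is a reconciliation job: pull the provider's account list, compare it with the enterprise directory, and act on the differences. The following added example (not from the slides, and not Juniper code) does that over constructed data; the directory entries, cloud accounts, dates and the 60-day idle threshold are assumptions.

```python
"""Reconcile cloud-provider accounts against the enterprise directory.
Added example, not from the slides; all entries and dates are constructed.
In a deployment the directory side would come from LDAP/SAML and the
account side from the provider's user API."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed enterprise directory (what HR/IT consider current).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "department": "eng"},
    "bob":   {"status": "terminated", "department": "sales"},
    "carol": {"status": "active", "department": "finance"},
}

# Constructed cloud-provider account list (what the provider still honours).
CLOUD_ACCOUNTS = [
    {"user": "alice", "roles": ["developer"], "last_login": "2009-02-28"},
    {"user": "bob",   "roles": ["admin"],     "last_login": "2009-02-01"},
    {"user": "dave",  "roles": ["viewer"],    "last_login": "2008-11-15"},
    {"user": "carol", "roles": ["developer"], "last_login": "2008-12-20"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    action: str      # "disable" or "review"


def reconcile(directory, cloud_accounts, today: date, stale_days: int = 60) -> List[Finding]:
    """Flag cloud accounts the directory no longer vouches for.  Accounts with
    no directory entry or a non-active one are disabled; active accounts idle
    longer than stale_days are queued for review (an unused account is
    standing exposure with no business benefit)."""
    findings = []
    for acct in cloud_accounts:
        user = acct["user"]
        entry = directory.get(user)
        if entry is None:
            findings.append(Finding(user, "no matching directory entry", "disable"))
        elif entry["status"] != "active":
            findings.append(Finding(user, f"directory status is {entry['status']}", "disable"))
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > stale_days:
                findings.append(Finding(user, f"no login for {idle} days", "review"))
    return findings


def to_disable(findings: List[Finding]) -> List[str]:
    """Users whose cloud access should be revoked now."""
    return [f.user for f in findings if f.action == "disable"]


if __name__ == "__main__":
    for f in reconcile(DIRECTORY, CLOUD_ACCOUNTS, date(2009, 3, 1)):
        print(f"{f.action:8} {f.user:6} {f.reason}")
```

    The job is deliberately one-directional: it proposes revocations, never grants, so a corrupted or stale directory export cannot hand out access. Run it on a schedule, and treat a non-empty disable list as an incident indicator, since it means the leaver process has a gap the provider does not know about.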

  • Agenda
    What is Cloud Computing?
    Security Analysis of Cloud Computing
    Conclusions

  • Bottom Line on Cloud Computing Security
    Engage in full risk management process for each case

    For small and medium organizations
    Cloud security may be a big improvement!
    Cost savings may be large (economies of scale)

    For large organizations
    Already have large, secure data centers
    Main sweet spots: elastic services, Internet-facing services

    Employ countermeasures listed above

  • Security Analysis Skills Reviewed Today
    Information Security Risk Management Process
    Variations used throughout IT industry: ISO 27005, NIST SP 800-30, etc.
    Requires thorough knowledge of threats and controls
    Bread and butter of InfoSec. Learn it!
    Time-consuming but not difficult

    Streamlined Security Analysis Process
    Many variations: RFC 3552, etc.
    Requires thorough knowledge of threats and controls
    Useful for organization-independent analysis
    Practice this on any RFC or other standard
    Become able to do it in 10 minutes

  • Discussion

  • This slide speaks to Juniper's unique position and value to the customer: why we do policy and control and, ultimately, can offer an end-to-end experience better than anyone else.

    We have infrastructure smarts in our DNA; we know what it means to build and support carrier-grade networks. We have an intelligent IP-based control plane and standards-based interop with 3rd-party access equipment.

    The Session and Resource Control portfolio leverages the smarts in the network: it uses the network as the database for resource availability and state information, something that OSS vendors with P&C solutions don't do, or don't do well. We mine the network for info in real time, and use that info to ensure that resources exist to support subscriber- and application-driven requests with quality. SRCs can modify network behavior and pre-allocate resources to ensure the highest-quality experience. Also, via the open northbound interfaces, they can ensure that the apps get the network-layer support they need; remember, the apps are network-unaware and assume infinite network resources exist. It's the SRCs that provide the mediation and control on a per-subscriber, per-session basis to make sure the network supports the customer experience.

    Also, we add the security portfolio into the mix: we need to secure the control plane between the network, the policy layer and the service. We can also leverage that integration to take policy-based actions based on real-time security events.