• No results found

Cloud Computing: Finding the Silver Lining

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cloud Computing: Finding the Silver Lining"

Copied!
41
0
0

Loading.... (view fulltext now)

Download now ( 41 Page )

Full text

(1)

Cloud Computing:

Finding the Silver Lining

(2)

Agenda

What is Cloud Computing?

Security Analysis of Cloud Computing

(3)

Agenda

What is Cloud Computing?

Security Analysis of Cloud Computing

(4)

Cloud Computing Defined

Dynamically scalable shared resources

accessed over a network

Only pay for what you use

Shared internally or with other customers

Resources = storage, computing, services, etc.

Internal network or Internet

Notes

Similar to Timesharing

•  Rent IT resources vs. buy

(5)

Office User

Enterprise LAN

Conventional Data Center

Internet Remote User Data Center Data Applications

(6)

Office User

Enterprise LAN

Cloud Computing Model

Internet Cloud Provider Remote User Applications Data Enterprise 1 Enterprise LAN Enterprise 2

(7)

Many Flavors of Cloud Computing

  SaaS – Software as a Service

•  Network-hosted application

  DaaS – Data as a Service

•  Customer queries against provider’s database

  PaaS– Platform as a Service

•  Network-hosted software development platform

  IaaS – Infrastructure as a Service

•  Provider hosts customer VMs or provides network storage

  IPMaaS – Identity and Policy Management as a Service

•  Provider manages identity and/or access control policy for customer

  NaaS – Network as a Service

(8)

Cloud Computing Providers

NaaS

IaaS (DC/server)

DaaS

SaaS

PaaS

IPMaaS

IPM

Software\ & Data

(9)

Security and privacy Compliance/regulatory laws mandate on-site

ownership of data

Availability & reliability

Inhibitors

Uncertainty around interoperability, portability & lock in Latency & bandwidth

guarantees

Absence of robust SLAs

Cloud Computing Pros and Cons

Management moves to cloud provider

Dynamic resource availability for crunch

periods

Consumption based cost Resource sharing is more

efficient

Pros

Faster time to roll out new services

(10)
(11)

Example: Mogulus

Mogulus is a live broadcast platform on the internet.

(cloud customer)

•  Producers can use the Mogulus browser-based Studio application

to create LIVE, scheduled and on-demand internet television to broadcast anywhere on the web through a single player widget.

Mogulus is entirely hosted on cloud

(cloud provider)

On Election night Mogulus ramped to:

•  87000 videos @500kbps = 43.5 Gbps

(12)

Example: Animoto

Animoto is a video rendering & production house with

service available over the Internet

(cloud customer)

•  With their patent-pending technology and high-end motion design,

each video is a fully customized orchestration of user-selected

images and music in several formats, including DVD.

Animoto is entirely hosted on cloud

(cloud provider)

Released Facebook App: users were able to easily render

their photos into MTV like videos

•  Ramped from 25,000 users to 250,000 users in three days

•  Signing up 20,000 new users per hour at peak

•  Went from 50 to 3500 servers in 5 days

•  Two weeks later scaled back to 100 servers

(13)

Example: New York Times

Timesmachine is a news archive of the

NY Times available in pdf over the

Internet to newspaper subscribers

(cloud customer)

Timesmachine is entirely hosted on

cloud

(cloud provider)

Timesmachine needed infrastructure

to host several terabits of data

Internal IT rejected due to cost

Business owners got the data up on

cloud for $50 over one weekend

(14)

Example: Eli Lilly

  Eli Lilly is the 10th largest pharmaceutical

company in the world

(cloud customer)

  Moved entire R&D environment to

cloud (cloud provider)

  Results:

•  Reduced costs

•  Global access to R&D applications

•  Rapid transition due to VM hosting

•  Time to deliver new services greatly reduced:

•  New server: 7.5 weeks down to 3 minutes

•  New collaboration: 8 weeks down to 5

minutes

•  64 node linux cluster: 12 weeks down to 5

(15)

Who’s using Clouds today?

Startups & Small businesses

•  Can use clouds for everything

•  SaaS, IaaS, collaboration services, online presence

Mid-Size Enterprises

•  Can use clouds for many things

•  Compute cycles for R&D projects, online collaboration, partner

integration, social networking, new business tools

Large Enterprises

•  More likely to have hybrid models where they keep some things in

house

(16)

Agenda

What is Cloud Computing?

Security Analysis of Cloud Computing

(17)

Information Security Risk Management

Process (ISO 27005)

Establish Context

Risk Assessment

•  Identify Risks •  Identify Assets •  Identify Threats

•  Identify Existing Controls

•  Identify Vulnerabilities

•  Identify Consequences

•  Estimate Risks

•  Evaluate Risks

Develop Risk Treatment Plan

•  Reduce, Retain, Avoid, or Transfer Risks

Risk Acceptance

Implement Risk Treatment Plan

(18)

Streamlined Security Analysis Process

Identify Assets

•  Which assets are we trying to protect?

•  What properties of these assets must be maintained?

Identify Threats

•  What attacks can be mounted?

•  What other threats are there (natural disasters, etc.)?

Identify Countermeasures

•  How can we counter those attacks?

Appropriate for Organization-Independent Analysis

(19)
(20)

Office User

Enterprise LAN

Conventional Data Center

Internet Remote User Data Center Data Applications

(21)

Office User

Enterprise LAN

Cloud Computing Model

Internet Cloud Provider Remote User Applications Data Enterprise LAN Enterprise 1 Enterprise 2

(22)

Identify Assets

Customer Data

Customer Applications

(23)

Information Security Principles (Triad)

C I A

Confidentiality

•  Prevent unauthorized disclosure

Integrity

•  Preserve information integrity

Availability

(24)

Identify Assets & Principles

Customer Data

Confidentiality, integrity, and availability

Customer Applications

Confidentiality, integrity, and availability

Client Computing Devices

(25)
(26)

Office User

Enterprise LAN

Cloud Computing Model

Internet Cloud Provider Remote User Applications Data Enterprise LAN Enterprise 1 Enterprise 2

(27)

Identify Threats

Failures in Provider Security

Attacks by Other Customers

Availability and Reliability Issues

Legal and Regulatory Issues

Perimeter Security Model Broken

(28)

Failures in Provider Security

Explanation

Provider controls servers, network, etc.

Customer must trust provider’s security

Failures may violate CIA principles

Countermeasures

Verify and monitor provider’s security

Notes

Outside verification may suffice

For SMB, provider security may exceed customer

(29)

Attacks by Other Customers

Threats

Provider resources shared with untrusted parties

•  CPU, storage, network

Customer data and applications must be separated

Failures will violate CIA principles

Countermeasures

Hypervisors for compute separation

MPLS, VPNs, VLANs, firewalls for network separation

Cryptography (strong)

(30)

Availability and Reliability Issues

Threats

Clouds may be less available than in-house IT

•  Complexity increases chance of failure

•  Clouds are prominent attack targets

•  Internet reliability is spotty

•  Shared resources may provide attack vectors

•  BUT cloud providers focus on availability

Countermeasures

Evaluate provider measures to ensure availability

Monitor availability carefully

Plan for downtime

(31)

Legal and Regulatory Issues

Threats

Laws and regulations may prevent cloud computing

•  Requirements to retain control

•  Certification requirements not met by provider

•  Geographical limitations – EU Data Privacy

New locations may trigger new laws and regulations

Countermeasures

Evaluate legal issues

Require provider compliance with laws and regulations

(32)
(33)

Office User

Enterprise LAN

Perimeter Security Model

Internet Remote User Data Center Data Applications Safe Zone

(34)

Office User

Enterprise LAN

Perimeter Security with Cloud Computing?

Internet Cloud Provider Remote User Applications Data Enterprise LAN Enterprise 1 Enterprise 2

(35)

Perimeter Security Model Broken

Threats

Including the cloud in your perimeter

•  Lets attackers inside the perimeter

•  Prevents mobile users from accessing the cloud directly

Not including the cloud in your perimeter

•  Essential services aren’t trusted

•  No access controls on cloud

Countermeasures

(36)

Integrating Provider and Customer Security

Threat

Disconnected provider and customer security systems

•  Fired employee retains access to cloud

•  Misbehavior in cloud not reported to customer

Countermeasures

At least, integrate identity management

•  Consistent access controls

Better, integrate monitoring and notifications

Notes

(37)

Agenda

What is Cloud Computing?

Security Analysis of Cloud Computing

(38)

Bottom Line on Cloud Computing Security

Engage in full risk management process for each case

For small and medium organizations

•  Cloud security may be a big improvement!

•  Cost savings may be large (economies of scale)

For large organizations

•  Already have large, secure data centers

•  Main sweet spots:

•  Elastic services

•  Internet-facing services

(39)

Security Analysis Skills Reviewed Today

Information Security Risk Management Process

•  Variations used throughout IT industry

•  ISO 27005, NIST SP 800-30, etc.

•  Requires thorough knowledge of threats and controls

•  Bread and butter of InfoSec – Learn it!

•  Time-consuming but not difficult

Streamlined Security Analysis Process

•  Many variations

•  RFC 3552, etc.

•  Requires thorough knowledge of threats and controls

•  Useful for organization-independent analysis

•  Practice this on any RFC or other standard

(40)
(41)

References

Download now ( PDF - 41 Page - 1.68 MB )

Related documents

Bill HF 1904: The Interpreting Stakeholder Group (ISG) Report as Required by Minn. Stat , Subd. 2

(8) whether any current practitioners of the occupation in Minnesota lack whatever specialized training, education, or experience might be required to engage in the occupation and,

The Firm as a Community Explaining Asymmetric Behavior and Downward Rigidity of Wages

continuously will shift the locus XX downward continuously, resulting in a continuous decrease in the equilibrium proportion of shirking workers. The result for wage cuts will

175 Years of. Innovation, Service & Expertise. Cooper Industries, Ltd Annual Report

Cooper has a full suite of products that ensure the safety of people at work and in their daily lives, ranging from market- leading Cooper Bussmann fuses and Cooper Crouse-Hinds

Total N-nitrosamine Precursor Adsorption with Carbon Nanotubes: Elucidating Controlling Physiochemical Properties and Developing a Size-Resolved Precursor Surrogate

characteristics identified in Chapter 2 informed the selection of 12 CNT types for screening and ultimately three CNTs for use in batch adsorption studies to assess removal of

Mutual Fund Tax Clienteles

In particular, we find that long-term capital gain distributions are increasing in the proportion of defined contribution assets in the fund and that mutual funds held primarily

Saint Margaret of Antioch Parish, Burlington, MA. Christmas December 25, The Nativity of The Lord

If you know someone who is interested in becoming a Catholic or completing the Sacraments of Initiation in the Church, please have them contact Father Silva or

Children of the Holocaust : a guide to teaching Holocaust curriculum in the elementary classroom : an honors thesis [(HONRS 499)]

There are many picture story books for young children now that are either based on true stories of Holocaust survivors or based on events that happened during the Holocaust..

Local Fictionality within Global Nonfiction: Roz Chast's Why Can't We Talk about Something More Pleasant?

Furthermore, rhetorical theory believes that attending to fictionality adds an important layer to our understanding of the relation between fiction and nonfiction, be- cause