Cyber Security and Cloud Computing. Dr Daniel Prince Course Director MSc in Cyber Security

Academic year: 2021

(1)

Cyber Security and Cloud Computing

Dr Daniel Prince

(2)

Scope of Today

• SME Attractors for Cloud
• Switching to the Cloud
– Public
– Private
– Hybrid

(3)

SME Space

• 2.1m companies registered for VAT and/or PAYE in March 2010
• 98% of these businesses have fewer than 50 employees
• Only 0.4% have more than 250 employees
• (Source: Office for National Statistics)
• Drivers
– Reduce expenditure on IT systems
– Maintain capabilities

(4)

SME Security View

• Lack in-house IT and infosec expertise
• Already used to outsourced IT service model
• Traditionally neglected by security vendors
• Few SMEs have any formal security policy
– Fewer have implemented an ISMS or certification
• Mostly dependent on IT contractor advice.
• 66% of all security breaches occur within

(5)

Switch to Cloud Computing

• Considerations
– Security and Privacy Issues
• Public data
• Personal data (citizens' sensitivities)
– Compliance
• Government security policies
• Legal requirements
• Need to protect assets to succeed
– Confidentiality, Integrity, Availability, Reputation

(6)

Switch to Cloud Computing…

• Compromise of personal data
– Damage to customers
– Damage to organisational reputation
• Information Security Management System (ISMS)
– ISO/IEC 27001:2005
– ITIL
– Policies and procedures

(7)

Legislation affecting the Cloud

Official Secrets Act 1989

Data Protection Act 1998

Freedom of Information Act 2000

European Directive 95/46/EC

European Convention on Human Rights

(8)

Legislation affecting the Cloud

• Conflicting demands of privacy and freedom
• Use of metadata – what to keep?
• Requires comprehensive procedures

(9)

Public Cloud Challenges

• Maintaining security and sovereignty

– Where are servers located?

• Data sovereignty – which country is the data in?

– What security is in place?

• Data segregation in virtual environment

• Compliance with legal and government policies

– Audit and compliance

• Visibility of audit results and security logs

– Disaster recovery plans

(10)

Public Cloud Challenges…

• Deletion of data
– Can all copies be removed?
– Standards for purging data/memory
• Risks from other customers' business
– Attack against another customer could impact
– Highest customer security controls for all
• Maintaining compliance

(11)

Private Cloud Challenges

• Does not have security by default
– Policies and standards have to be applied
• Off Premise (3rd party provider)
– Service Level Agreements (SLAs) required
– Vetting of staff
– Bearer bandwidth and availability
• On Premise

(12)

Hybrid Cloud Challenges

• All advantages/disadvantages of Public/Private Clouds
• Separate public/personal data
– Public non-sensitive data in Public Cloud
– Personal and sensitive data in Private Cloud
• Help to gain trust of citizens
• Maintaining compliance
– Need to maintain compliance of both

(13)

Loss of Physical Control

• ENISA (2009) - non-cloud attack vectors translate with the same or a lower probability of occurrence in their cloud counterparts.
• HOWEVER, malicious insiders...

(14)

Exposing Sensitive Data

• First, legal liability under current Data Protection Laws within the European Union?
– ENISA has advised public bodies in member states against using the cloud for anything other than non-sensitive and non-mission critical data.
• Second, what types of data can legally be stored in the cloud?
– Compliance requires proof of certain activities.
– PCI DSS requirement 10.2 for “tracking and

(15)

Exposing Sensitive Data

• Third, the transfer and storage of data in non-domestic and potentially unknown jurisdictions.
– EU Data Protection Directive - Data must be stored within the 27 member states or 3 of the EEA member countries, unless "sufficient" levels of protection can be proved.
– Review of 31 T&Cs found 15 to make no mention of data location or transit protection.
– Data Protection Laws between member states - the Directive may sometimes provide inadequate

(16)

Exposing Sensitive Data

• Cross-border movement of data and the impact of changing jurisdictions, associated legal obligations, and law enforcement practices (e.g., the USA's PATRIOT Act).
• Some T&Cs state the willingness to disclose data without court orders upon request from law-enforcement agencies, or if it's in the

(17)

Other Implications

• What are the implications of CSP acquisition or failure?
• Acquisition and the possibility of sudden changes in CSP policies and non-binding agreements?
• Review of 27 T&Cs found:
– 8 to mention no process for varying terms.
– 13 to state amendments could be posted on their website, and continued use is acceptance.
– Only 3 to state changes must be in writing with the agreement of both parties.
• Cloud-based IAM solutions are comparatively inadequate to their non-cloud alternatives.

(18)

Multi-tenancy

• First, negative consequences from co-tenant activities.
• Second, isolation failure through compromising the underlying privileged architecture.
• Third, there's a correlation between the increasing complexity of cloud offerings

(19)

Take Away

1. Start by thinking about your information
2. What legal requirements cover you?
3. Think about Threat and Risk
4. Think about how you can get out of the Cloud cleanly

(20)

Summary

• It's not just a new technology, but a new business model.
• Does the cloud provide a false sense of security?
• Why hold back:
– Risks not fully understood
• Lack of trust in security
• Lack of confidence in technology

(21)

References
