Information Security:
Cloud Computing
© Copyright 2011 Taylor Baines Ltd. All Rights Reserved.
Taylor Baines Limited is a Registered Company in England & Wales. Registration No. 07272922 Registered Office Southgate House 88 Town Square Basildon SS14 1BN.
Simon Taylor
MSc CLAS CISSP CISMP PCIRM
Cloud Computing
So what is cloud computing?
• Client-server model using web browser protocols
• The Cloud provides server-based applications
• The cloud provides all data services to the user
• Output is provided to the user client device via web browser. For example:
  • User wants to create a word-processing document
  • User starts a browser session and logs into the cloud service and selects “word-processing”
  • Cloud service application server starts word-processing session
  • User's machine is only used for input and output via the browser
  • All computations, changes and data storage are done “in The Cloud”
• Service provider may pool resources of many computers in the cloud to achieve resource intensive tasks
Cloud computing is relatively new as a business concept but already organisations are converting to cloud computing architecture. As with any new concept, business or technological risks arise that must be considered.
Cloud Computing Layers
There are three layers of cloud computing that are commonly referred to, which are:
Infrastructure as a Service (IaaS)
• Delivers computer infrastructure
• Typically a platform virtualisation environment
• Organisation purchases a “fully outsourced service”
Platform as a Service (PaaS)
• Typically delivers a platform and solution stack
• Offers deployment of applications without hardware cost & complexity of management
• May include application design and implementation
Software as a Service (SaaS)
• Provides on-demand software
• Application & data hosted centrally
• Accessed by browser (often on thin-client device)
Cloud Computing Models
In addition to layers of cloud computing there are different models:
Public Cloud
• Resources dynamically provided, self-service basis over the internet
• Delivered from an off-site third party provider
• Billed on a utility-computing basis
Community Cloud
• Established when several organisations have similar computing requirements & seek to share infrastructure
• May offer better levels of security (C & I) than public cloud
• (e.g. Google’s Gov.Cloud)
Hybrid Cloud
• Use part public and part private clouds
• Often used for archiving and backup solutions
• Organisation still has to build & manage the “private cloud”
Private Cloud
• A simple extension of existing client-server architecture managed by a single organisation
• Typically uses a “shared services” model (see earlier section)
Cloud Computing Definitions
"Cloud Computing" - Internet based computing whereby shared infrastructure, resources, software and information are provided to computers on demand [source: Wikipedia]
"Provider" - The organisation(s) providing cloud computing services.
"Organisation" - The organisation receiving and utilising cloud computing services from a "provider".
"Infrastructure as a Service (IaaS)" - Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer organisation the ability to deploy and run arbitrary software including operating systems and applications. IaaS puts these IT operations into the hands of a third party. [source: ISACA – Across Cloud Computing Governance & Risks - May 2010]
"Platform as a Service (PaaS)" - Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. [source: ISACA – Across Cloud Computing Governance & Risks - May 2010]
"Software as a Service (SaaS)" - Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser (e.g. web-based e-mail). [source: ISACA – Across Cloud Computing Governance & Risks - May 2010]
Cloud Computing Security Issues
There are a number of issues relating to cloud computing:
• Privacy – Infrastructure, platform, applications & data controlled and managed by third party service providers who can monitor (lawfully or unlawfully) the communications and data.
• Compliance – In order to comply with legislation & regulation, “community” or “hybrid” models may need to be used that are typically more expensive and may offer restricted benefits.
  • US – FISMA, HIPAA, SOX
  • EU – DPD
  • UK – DPA, OSA
  • Global – PCI DSS
• Legal – Increase in “trademarking” of cloud computing terminology, use of proprietary platforms & restrictive business practices (e.g. Google Vs US Dept Interior relating to public sector procurement). Also issues exist around intellectual property rights (IPR) modelling within the cloud.
• Security – Traditional protection mechanisms need to be reconsidered. Unease around “letting go of control” of security to a third party.
These concerns are delaying its wider adoption as organisations seek to understand all the implications.
Cloud Computing Provider Selection
In 2008 Gartner identified the following 7 risks organisations should consider when selecting a cloud computing provider:
1. Privileged user access.
• Outsourced services bypass the "physical, logical and personnel controls" IT departments exert over in-house programs.
• Get as much information as you can about the people who manage your data.
• "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,"
2. Regulatory compliance.
• Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.
• Traditional service providers are subjected to external audits and security certifications.
• Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions,"
Source:
Gartner: Seven cloud-computing security risks (July 2008)
3. Data location.
• When you use the cloud, you probably won't know exactly where your data is hosted (even which country).
• In fact, you might not even know what country it will be stored in.
• Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.
4. Data segregation.
• Data in the cloud is typically in a shared environment alongside data from other customers.
• Encryption is effective but isn't a cure-all.
• Find out what is done to segregate data at rest.
• The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.
5. Recovery.
• A cloud provider should tell you what will happen to your data and service in case of a disaster.
• Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure.
• Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
6. Investigative support.
• Investigating inappropriate or illegal activity may be impossible in cloud computing.
• Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres.
• If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.
7. Long-term viability.
• Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company, but you must be sure your data will remain available even after such an event.
• Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application.
Gartner Says:
• “Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor”
• Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing”
• Demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that's been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.
Cloud Computing Risk Comparison
Many of the risks that exist around a classical organisational IT infrastructure and service provision exist in a cloud computing environment – they are just “out there” instead of “in here”.
Confidentiality
• The same issues around confidentiality exist, with the added concern as above that there is some degree of “loss of control”.
• Data stored and/or processed in the cloud still needs to be classified, segregated and handled according to its protection requirements.
• Controlling this relies on the security processes of the cloud provider, and access to and audit of these processes is vital in maintaining a degree of control and assurance.
• Confidentiality issues are generally considered the number one concern for organisations when considering using cloud services.
Integrity
• Integrity within the cloud is generally perceived to be on a par, if not better, than most classical organisational architectures.
• Cloud providers tend to be large, experienced, IT providers with experience in resilient IT technologies that protect integrity.
• However, due to the ubiquitous nature of access to the cloud, there is always the potential for attackers, posing as legitimate service users, to try to affect the integrity of your organisation’s data.
Availability
• Availability is at the same time one of the strengths and one of the weaknesses of cloud computing.
• The size and scalability of cloud computing environments reduces risk of availability issues due to capacity management problems.
• The resilient architectures of cloud providers also help to provide assurance around issues such as DDoS attacks and others.
• However, cloud computing is entirely dependent on the user connection into the cloud – if this is compromised then the organisation may be powerless to effect recovery.
Provider / Customer Risk
Whilst the cloud services supplier will naturally want to provide a quality (and hopefully secure) service to your organisation as a customer, there are some important considerations to be made:
• The provider is a business looking to make money.
• They will perceive the risks differently to your organisation and make decisions based on the risks to their organisation as a priority over yours.
• Depending on the size and nature of your organisation, they may prioritise your concerns and issues higher or lower than other customers.
• Realised risks to the cloud provider may only be “low impact” to them, but it could shut down your organisation completely.
• Service providers are not usually held up as the main culprit if an incident becomes news:
  • HMRC data loss – suspected that discs were lost in transit by a courier company… but the headlines were all around the poor security practices of HMRC, not the courier company.
• Remember under DPA, the data controller is ultimately responsible for the security of data, not the data processor.
It is important to differentiate between the commercial risk of the provider and the risk to the customer.