Cloud Computing
Benefits and Risks
Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT
WHAT IS “CLOUD COMPUTING?”
Legacy Definition
[Diagram: Internet, Hosting]
Today’s Definition
[Diagram: Virtual Servers, App Servers, DB Servers, Web Hosting]
Private Cloud
[Diagram: Virtual Servers, App Servers, DB Servers, Web Hosting, Web Services]
Public Cloud
[Diagram: Virtual Servers, App Servers, DB Servers, Web Hosting, Web Services]
Hybrid Cloud
[Diagram: Virtual Servers, App Servers, DB Servers, Web Hosting, Web Services]
Textbook Definitions
(a la Wikipedia.com)
Public cloud
• Public cloud applications, storage, and other resources are made available to the general public by a service provider. These services are free or offered on a pay-per-use model. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via Internet (direct connectivity is not offered).[28]
Community cloud
• Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized.[4]
Hybrid cloud
• Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.[4]
By utilizing "hybrid cloud" architecture, companies and individuals are able to obtain degrees of fault tolerance combined with locally immediate usability without dependency on internet connectivity. Hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure.
Hybrid clouds lack the flexibility, security and certainty of in-house applications.[51] Hybrid cloud provides the flexibility of in-house applications with the fault tolerance and scalability of cloud-based services.
Private cloud
• Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally.[4] Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and it will require the organization to reevaluate decisions about existing resources. When it is done right, it can have a positive impact on a business, but every one of the steps in the project raises security issues that must be addressed in order to avoid serious vulnerabilities.[52]
They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management,[53] essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".[54][55]
BENEFITS OF CLOUD COMPUTING
Benefits
• Reduced Cost
– Lower Cap-Ex
– Less hardware
– Less headcount
– Less operational overhead
• Scalability
– More computing resources
– Faster implementation cycles
– Pay as you grow
Benefits
• Flexibility
– Ability to use services previously too costly
– Ability to set up and tear down as needed
– Use in-house or external providers
• Greater mobility
– Data and apps available anywhere the users are
– Administrative functions available anywhere the admins are
– Typically higher degree of mobile technology
Benefits
• Skilled Practitioners
– Microsoft
– Google
– Amazon
– IBM
– Yahoo!
• Free up internal resources
– Increased innovation
Benefits
• Quality of service
– 24/7 support
– Rapid response to emergencies
– Skilled IT staff always on-hand
• Resiliency and redundancy
– Backup and recovery services
– Hot-failover
Business Loves the Cloud
What’s not to love?
• Reduced operational costs and lower capital spending
• Capability to repurpose skilled staff from business support to business innovation and growth
• Ability to use a pay-as-you-grow model for IT spend
• Greater agility to rapidly adjust to changing market conditions
• Expanded access to business systems and data for employees and business partners
• Enhanced business resiliency in the face of natural and
RISKS
Risks
• Compliance
• Provider Resiliency
• Vulnerability Management
• Cloud Management
• VM Environment Operations
• Encryption Management
Compliance Risks
• SOX, HIPAA, PCI, Basel Accords, and others require demonstrated compliance
• Do not assume provider is required to comply or will be liable
• Read provider privacy and security policy
• Customer is sole owner of responsibility for compliance
• Encryption not a default for data at rest and data in flight
Provider Resiliency Risks
• Provider’s position in the market
– Major player or small operation?
– Core business or on the menu?
• Subject to acquisition or liquidation
– Financial statements
– Media buzz
• Service level monitoring
– Service level agreement in place?
– How are service levels monitored?
Provider Resiliency Risks
• Backup and recoverability
– Included in contract?
– Tape restore or hot site?
• Maximum allowable downtime
– Recovery Time Objective
– Recovery Point Objective
– BC/DR Plans up to date?
• Logging and monitoring capability in co-located facilities with other providers' customers
Vulnerability Management Risks
• Unauthorized access to management interface
– Shared
– Multiple admins
• Management Access
– Management interface shared
– Typically web-based
– Subject to common web-based attacks
• Internet protocol vulnerabilities
– Well-known ports and protocols
– Well-known technologies (e.g., web-based)
Cloud Management Risks
• Metering and billing evasion
– Manipulation of billing data
– Billing evasion
• Security metrics not adapted to cloud
– Standardized cloud-specific metrics do not exist
VM Environment Operational Risks
• Customer technical staff
– Inadequate skills to manage specifications
– Inadequate skills to assess & identify risks
• Virtualized networks' insufficient controls
– IP-based zoning typically not available
– VMs share hardware
• VMs typically use a template
– Attacker may be able to analyze
VM Environment Operational Risks
• VM replication
– May lead to data leakage via cloning
– Keys may be inadvertently cloned
• Data recovery vulnerability
– Resources are subject to reassignment
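An added example (not part of the original slides): VMs cloned from one template can end up sharing an SSH host key, and grouping hosts by key fingerprint exposes this. The input is assumed to be in `ssh-keyscan` output format; the host names and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def fake_blob(seed: bytes) -> str:
    """Constructed stand-in for a public-key blob (not a real key)."""
    return base64.b64encode(hashlib.sha512(seed).digest()).decode()


# Constructed sample in ssh-keyscan format: "<host> <keytype> <base64 blob>".
SAMPLE_SCAN = "\n".join([
    "# constructed scan of a hypothetical inventory",
    f"app-01.example.internal ssh-ed25519 {fake_blob(b'template-image')}",
    f"app-02.example.internal ssh-ed25519 {fake_blob(b'template-image')}",
    f"app-03.example.internal ssh-ed25519 {fake_blob(b'template-image')}",
    f"db-01.example.internal ssh-ed25519 {fake_blob(b'regenerated-on-first-boot')}",
    "broken-line-without-key",
    "bad-01.example.internal ssh-ed25519 not*base64",
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_cloned_keys(scan_text: str) -> dict:
    """Map (keytype, fingerprint) -> hosts, for keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # comment, blank or malformed line
        host, keytype, blob = parts[:3]
        try:
            hosts_by_key[(keytype, fingerprint(blob))].add(host)
        except ValueError:  # binascii.Error subclasses ValueError
            continue  # blob is not valid base64; skip rather than guess
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for (keytype, fp), hosts in find_cloned_keys(SAMPLE_SCAN).items():
        print(f"{keytype} {fp} shared by: {', '.join(hosts)}")
```

Any host reported here should have its host keys regenerated, and the template should be changed so keys are created at first boot rather than baked into the image.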
Encryption Management Risks
• Cryptographic vulnerability
– Weak random number generation
– Entropy of unique numbers
• Poor key management
– Many keys are typically required
– Lack of fixed hardware infrastructure may limit key management methods, such as hardware security module (HSM)
Identity Management Risks
• Insecure user behavior
– Weak passwords
– Indiscriminate data sharing
• One-factor authentication
– Typical cloud offerings limited to username & password
– Subject to account lockout and DoS against that feature
• Weak credential-reset mechanism
– Method needs to be understood
– Password recovery, reuse and reset
Identity Management Risks
• Insufficient or faulty authorization checks
– HTTP is stateless
– Transaction integrity and security may be weak
– URL obfuscation may not be used
• Coarse authorization control
– Duty separation may not be possible
– May not be able to honor "business need to know"
• Insufficient logging & monitoring
– Shared audit logfiles
– May not be able to filter/prune sufficiently
Assessing the Risks
• Compliance
– Legal, Compliance and Security should jointly review contracts with the business owner
• Provider Resiliency
– BCP/DR Staff should review provider’s ability to recover
• Vulnerability Management
– Network and Applications staff should review vulnerability management processes
• Cloud Management
– IT Cost management and Info Security staff should review for means of understanding value tracking and security
Assessing the Risks
• VM Environment Operations
– Infrastructure architects, engineering and support staff should review architecture and integration design
• Encryption Management
– Information security and security staff should review for appropriateness
• Identity Management
– Identity management, entitlement review, segregation of duties and information security teams should review
WRAP UP & QUESTIONS
Risks
Maybe next time you’ll do the risk assessment BEFORE you start using it