
How To Secure Cloud Computing


Academic year: 2021


(1)

A hole in the cloud: Is cloud secure?

N. Vijaykumar

Infosys Technologies Limited, Bangalore

(2)

Security in cloud is a key challenge!

… Some highlights include SMBs' concerns regarding security and privacy with cloud environments, topping the list, at 51%, as a reason for not being interested in pay-per-use hosting of virtual servers, also known as cloud computing…

Source: Forrester Research, The State Of Emerging SMB Hardware: 2009 To 2010 Business Data Services North America And Europe

[Chart, axis 0% to 70%: Data integrity tampering; Interruption of availability; Hacker / Data breach; Loss of data due to system failure; Business Continuity / DR. Source: CSO Forum, 2010]

All of this suggests that cloud security is viewed as a critical parameter for cloud adoption!

(3)

Security is a common thread, whatever flavor of cloud be…

• Private Cloud: for private cloud access
• Public Cloud (SaaS model): for accessing SaaS-enabled applications over public internet
• Public Cloud (for usage burst): for supporting capacity burst from private to public clouds
• IaaS

(4)

How different is security in “cloud” from an “on-premise” datacenter?

1. 3rd party service provider
2. Multi-tenancy
3. Geographical distribution

(5)

Breaking down security concerns in cloud

Manageability

• Provisioning of users
• Identity & access management
• Policy-based management

Data Security

• Data privacy
• Data protection & leakage prevention
• Data availability

Compliance

• Compliance to standards (HIPAA, GLBA…)
• Monitor & enforce compliance
• GRC requirements

Contractual

• SLA management
• Business services management
• Audit & reporting
• Above all, TRUST

(6)

In cloud, these become very critical

Host Security

Network Security

Data Security & Protection

(7)

Host Security: server hardware is still at risk…

• Virtualization is the key building block of any cloud environment
• Virtual instances are vulnerable… There have been such instances in most of the hypervisors
• The underlying hardware is susceptible to attacks through the hypervisor
• Virtualization software is not in itself a security layer, so it has to be secured
• Check how the cloud service provider has implemented host security before signing up (IaaS)

(8)

Network Security: The attack area only gets bigger in cloud

• Because cloud is implemented and accessed over the internet, it carries a much bigger network security risk than “on-premise”
• Enterprise and cloud are disconnected
• A conventional perimeter security model would not suffice for cloud
• Identity and access management is a concern area in cloud. Enterprises might not have control of end users logging on to the cloud

(9)

Concern-in-chief: Data security

• How secure is the data? How secure is the application?
• Data life cycle management: at rest, in transit, etc.
• Data of multiple customers is co-located!
• How does a public cloud provider provide segmentation and ensure data security and integrity?
• Levels of encryption and data protection offered by public clouds

(10)

Compliance and audits: Only Trust can help

• Adherence to security standards (SAS, HIPAA) by the provider
• Where is my data? Requirement for data to be within the country’s geographical boundaries
• Is the cloud auditable?
• Ensure that the contract includes everything qualitative…

(11)

Cloud Information Assurance Framework by ENISA

Aims at increasing transparency by defining a minimum baseline for:

• Comparing cloud offers
• Assessing the risk to go Cloud
• Reducing audit burden and security risks
• Applicable to both public and private clouds

[Chart: Example Provider Comparison Chart, Score Provider 1 vs. Score Provider 2, scale 0 to 5, across: Personnel security; Supply chain security; Operational Security; Identity and Access Management; Data and Service Portability; Business Continuity Management; Physical and Environmental Controls; Asset Management; Legal and compliance requirements]

(12)

Key questions that you should ask your cloud provider

• Do I have control over where my information will be stored? Where is my data stored?
• Are your cloud operations open to physical and 3rd party inspections?
• Will you share the results of the ISMS audits of your infrastructure?
• What are your policies concerning my sensitive information?
• What are the anti-theft and anti-hacking mechanisms that you have implemented?

(13)

The last word

• Cloud means different things to different people
• “Cloud Computing Security” is no different than “Regular Security”, in some ways
• Security is perhaps one of the weakest links in the cloud lifecycle. Identify the weakest security mechanism and increase the lines of defense
• Such issues can be tackled with a combination of technology and management
• So the only weapon we have is mutual TRUST, backed by a complex set of contractual & legal

(14)

THANK YOU
