04 CloudComputingRisk

Cloud Computing
Enterprise Risks and Mitigation

Anchises M. G. de Paula iDefense Intelligence Analyst adepaula@verisign.com December 4, 2009
GTS - 14
Agenda
Overview of cloud computing
Cloud computing risks and generic mitigation strategies
Cloud Computing for Malicious Intent Questions and answers

GTS - 14
22 2
Copyright iDefense 2009
Overview of cloud computing
GTS - 14
3
Overview
The term cloud computing is poorly defined
GTS - 14
44
Overview
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
GTS - 14
55
Overview
Essential Cloud Characteristics: On-demand self-service Broad network access Resource pooling Location independence Rapid elasticity Measured service
GTS - 14
66
Overview
GTS - 14
77
Overview
Multiple vendors, multiple definitions
GTS - 14
88
Overview
Utility pricing model
GTS - 14
99
Overview
Utility pricing model
Cloud-based Service Provider (CSP) handle burden of resources GTS - 14

10 10
10
Overview
Three basic categories for cloud computing technologies:

Infrastructure as a Service (IaaS)
GTS - 14
11 11
11
Overview

Platform as a Service (PaaS)
GTS - 14
12 12
12
Overview

Software as a Service (SaaS)
GTS - 14
13 13
13
Overview

Resource Abstraction
Software as a Service (SaaS)
GTS - 14
14 14
14
Variations on a Theme
Public Cloud
GTS - 14
15 15
15
Public Cloud Private Cloud
GTS - 14
16 16
16
Public Cloud Private Cloud Hybrid Cloud
GTS - 14
17 17
17
Cloud computing risks and generic mitigation strategies
GTS - 14
18
18
Areas of Risk
Privileged User Access Data Segregation Regulatory Compliance Physical Location of Data Availability Recovery Investigative Support Viability and Longevity
GTS - 14
19 19
19
Mitigation Strategies
Understand the risks
Evaluate any potential cloud-based solution and CSP
Unique solution, generic risks
GTS - 14
20 20
20
Risks
Privileged User Access:
CSP must have access Improper access -> Data Exposure HR policies 3rd party of a 3rd party
GTS - 14
21 21
21
Mitigation
Privileged User Access:
CSP must have access Improper access -> Data Exposure HR policies 3rd party of a 3rd party
Privilege Access Control Mitigation:

Support to HR and data policies Outsourcing involved? Evaluate the access controls
GTS - 14
22 22
22
Risks
Data Segregation:
Shared common resources Multiple consumers, same physical machine Failure to segregate data: data exposure, loss or corruption
GTS - 14
23 23
23
Risks
Data Segregation:
GTS - 14
24 24
24
Risks
Data Segregation:
GTS - 14
25 25
25
Mitigation
Data Segregation:
Data Segregation Mitigation:

Whats the risk of data segregation failure? Encryption of data: shifting of risks Understand the how, where, when of consumer data storage
GTS - 14
26 26
26
Risks
Regulatory Compliance:
Regulations for sensitive information and outsourcing Conflicting regulations and laws Failure to comply: significant legal risks
GTS - 14
27 27
27
Mitigation
Regulatory Compliance:
Regulations for sensitive information and outsourcing Conflicting regulations and laws Failure to comply: significant legal risks
Regulatory Control Mitigation:

Know your regulatory obligation Know your CSPs regulatory obligations Understand your liabilities Location may change regulatory obligations FISMA HIPAA SOX PCI SAS 70 Audits
28
GTS - 14
28 28
Risks
Physical Location of Data:

Location, location, location Location tied to regulatory issues Volatile regions introduce a higher degree of risk Hostile/Unethical governments have unforeseen risk of data exposure
GTS - 14
29 29
29
Risks

10/9/09
SA pigeon 'faster than broadband'

BBC News Cyber A Durban IT company pitted an 11-monthold bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers.
GTS - 14
30 30
30
Mitigation

Physical Location of Data Mitigation:

Identify your datas location Avoid CSPs that cannot guarantee the location Avoid CSPs that use data centers in hostile countries Use CSPs that reside in consumers country
GTS - 14
31 31
31
Risks
Availability:
Constant connectivity required Any failure terminating connectivity is a risk Data loss and downtime risks
GTS - 14
32 32
32
Risks
Availability:
Constant connectivity required Any failure terminating connectivity is a risk Data loss and downtime risks
GTS - 14
33 33
33
Mitigation
Service Availability Mitigation:

Availability is the greatest risk ! Understand the CSPs infrastructure: avoid single points of failure Private clouds may reduce the availability risk, but introduce additional cost and overhead Establish service-level agreements (SLAs) with their CSPs Balance the risk introduced by using multiple data centers with the risk of a single site failure Assume at least one outage, whats the impact to you?
GTS - 14
34 34
34
Risks
Recovery:
Improper backups or system failure The more data, more data loss risk Recovery time is operational downtime
GTS - 14
35 35
35
Mitigation
Recovery:
Improper backups or system failure The more data, more data loss risk Recovery time is operational downtime
Recovery Mitigation:
Understand backed up systems (Encrypted? Multiple sites?) Identify the time required to completely recover data Practice a full recovery to test the CSPs response time
GTS - 14
36 36
36
Risks
Investigative Support:
Multiple consumers, aggregated logs CSPs may hinder incident responses Uncooperative CSPs: lost forensic data and investigation hindrances
GTS - 14
37 37
37
Mitigation
Investigative Support:
Multiple consumers, aggregated logs CSPs may hinder incident responses Uncooperative CSPs: lost forensic data and investigation hindrances
Investigative Support Mitigation:

Establish policies and procedures with the CSP Avoid CSPs unwilling to participate in incident
GTS - 14
38 38
38
Risks
Viability and Longevity:

CSP failure can occur at any time, for any reason Risk of data loss and operational downtime Large companies sometimes terminate services Abrupt shutdowns are a more significant risk
GTS - 14
39 39
39
Mitigation
Viability and Longevity:

CSP failure can occur at any time, for any reason Risk of data loss and operational downtime Large companies sometimes terminate services Abrupt shutdowns are a more significant risk
Viability and Longevity Mitigation:

Understand the way a CSP can going dark Have a secondary CSP in mind Review the history and financial stability of any CSP prior to engaging
GTS - 14
40 40
40
Cloud Computing for Malicious Intent
GTS - 14
41
41
Malicious use
Bad guys are already using such technology ;)

Botnets Hacking as a Service, SPAM
GTS - 14
42 42
42
Malicious use
Bad guys are already using such technology

Botnets Hacking as a Service, SPAM
11/9/09
Bot herders hide master control channel in Google cloud
Malicious use of Cloud Services

C&C Server on the cloud Storage of malicious data Cracking passwords
by Dan Goodin, The Register Cyber criminals' love affair with cloud computing just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers.
GTS - 14
43 43
43
Conclusion
GTS - 14
44
44
Conclusions
Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed.
Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. GTS - 14
45 45
45
Additional Reading
Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on Cloud Computing: Benefits, risks and recommendations for information security http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment iDefense Topical Research Paper: Cloud Computing
GTS - 14
46 46
46
Q&A
GTS - 14
47
Thank You
Anchises M. G. de Paula iDefense Intelligence Analyst adepaula@verisign.com
48

04 CloudComputingRisk

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

04 CloudComputingRisk

Transféré par

Droits d'auteur :

Formats disponibles

Cloud Computing

Enterprise Risks and Mitigation

Overview of cloud computing

Cloud computing risks and generic mitigation strategies

Cloud Computing for Malicious Intent Questions and answers

Copyright iDefense 2009

Overview of cloud computing

Copyright iDefense 2009

The term cloud computing is poorly defined

Copyright iDefense 2009

The term cloud computing is poorly defined

Copyright iDefense 2009

The term cloud computing is poorly defined

Copyright iDefense 2009

The term cloud computing is poorly defined

Copyright iDefense 2009

The term cloud computing is poorly defined

Multiple vendors, multiple definitions

Copyright iDefense 2009

The term cloud computing is poorly defined

Multiple vendors, multiple definitions

Utility pricing model

Copyright iDefense 2009

The term cloud computing is poorly defined

Multiple vendors, multiple definitions

Utility pricing model

Cloud-based Service Provider (CSP) handle burden of resources GTS - 14

Copyright iDefense 2009

Three basic categories for cloud computing technologies:

Copyright iDefense 2009

Three basic categories for cloud computing technologies:

Platform as a Service (PaaS)

Copyright iDefense 2009

Three basic categories for cloud computing technologies:

Platform as a Service (PaaS)

Software as a Service (SaaS)

Copyright iDefense 2009

Three basic categories for cloud computing technologies:

Platform as a Service (PaaS)

Software as a Service (SaaS)

Copyright iDefense 2009

Copyright iDefense 2009

Public Cloud Private Cloud

Copyright iDefense 2009

Public Cloud Private Cloud Hybrid Cloud

Copyright iDefense 2009

Cloud computing risks and generic mitigation strategies

Copyright iDefense 2009

Copyright iDefense 2009

Understand the risks

Evaluate any potential cloud-based solution and CSP

Unique solution, generic risks

Copyright iDefense 2009

Copyright iDefense 2009

Privilege Access Control Mitigation:

Copyright iDefense 2009

Copyright iDefense 2009

Copyright iDefense 2009

Copyright iDefense 2009

Data Segregation Mitigation:

Copyright iDefense 2009

Copyright iDefense 2009