Académique Documents
Professionnel Documents
Culture Documents
GTS - 14
Agenda
GTS - 14
3
Overview
GTS - 14
44
Overview
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
GTS - 14
55
Overview
Essential Cloud Characteristics: On-demand self-service Broad network access Resource pooling Location independence Rapid elasticity Measured service
GTS - 14
66
Overview
GTS - 14
77
Overview
GTS - 14
88
Overview
GTS - 14
99
Overview
Overview
GTS - 14
11 11
11
Overview
GTS - 14
12 12
12
Overview
GTS - 14
13 13
13
Overview
Resource Abstraction
GTS - 14
14 14
14
Variations on a Theme
Public Cloud
GTS - 14
15 15
15
Variations on a Theme
GTS - 14
16 16
16
Variations on a Theme
GTS - 14
17 17
17
GTS - 14
18
18
Areas of Risk
Privileged User Access Data Segregation Regulatory Compliance Physical Location of Data Availability Recovery Investigative Support Viability and Longevity
GTS - 14
19 19
19
Mitigation Strategies
GTS - 14
20 20
20
Risks
Privileged User Access:
CSP must have access Improper access -> Data Exposure HR policies 3rd party of a 3rd party
GTS - 14
21 21
21
Mitigation
Privileged User Access:
CSP must have access Improper access -> Data Exposure HR policies 3rd party of a 3rd party
GTS - 14
22 22
22
Risks
Data Segregation:
Shared common resources Multiple consumers, same physical machine Failure to segregate data: data exposure, loss or corruption
GTS - 14
23 23
23
Risks
Data Segregation:
Shared common resources Multiple consumers, same physical machine Failure to segregate data: data exposure, loss or corruption
GTS - 14
24 24
24
Risks
Data Segregation:
Shared common resources Multiple consumers, same physical machine Failure to segregate data: data exposure, loss or corruption
GTS - 14
25 25
25
Mitigation
Data Segregation:
Shared common resources Multiple consumers, same physical machine Failure to segregate data: data exposure, loss or corruption
GTS - 14
26 26
26
Risks
Regulatory Compliance:
Regulations for sensitive information and outsourcing Conflicting regulations and laws Failure to comply: significant legal risks
GTS - 14
27 27
27
Mitigation
Regulatory Compliance:
Regulations for sensitive information and outsourcing Conflicting regulations and laws Failure to comply: significant legal risks
GTS - 14
28 28
Risks
GTS - 14
29 29
29
Risks
GTS - 14
30 30
30
Mitigation
GTS - 14
31 31
31
Risks
Availability:
Constant connectivity required Any failure terminating connectivity is a risk Data loss and downtime risks
GTS - 14
32 32
32
Risks
Availability:
Constant connectivity required Any failure terminating connectivity is a risk Data loss and downtime risks
GTS - 14
33 33
33
Mitigation
GTS - 14
34 34
34
Risks
Recovery:
Improper backups or system failure The more data, more data loss risk Recovery time is operational downtime
GTS - 14
35 35
35
Mitigation
Recovery:
Improper backups or system failure The more data, more data loss risk Recovery time is operational downtime
Recovery Mitigation:
Understand backed up systems (Encrypted? Multiple sites?) Identify the time required to completely recover data Practice a full recovery to test the CSPs response time
GTS - 14
36 36
36
Risks
Investigative Support:
Multiple consumers, aggregated logs CSPs may hinder incident responses Uncooperative CSPs: lost forensic data and investigation hindrances
GTS - 14
37 37
37
Mitigation
Investigative Support:
Multiple consumers, aggregated logs CSPs may hinder incident responses Uncooperative CSPs: lost forensic data and investigation hindrances
GTS - 14
38 38
38
Risks
GTS - 14
39 39
39
Mitigation
GTS - 14
40 40
40
GTS - 14
41
41
Malicious use
GTS - 14
42 42
42
Malicious use
by Dan Goodin, The Register Cyber criminals' love affair with cloud computing just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers.
GTS - 14
43 43
43
Conclusion
GTS - 14
44
44
Conclusions
Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed.
Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. GTS - 14
45 45
45
Additional Reading
Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on Cloud Computing: Benefits, risks and recommendations for information security http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment iDefense Topical Research Paper: Cloud Computing
GTS - 14
46 46
46
Q&A
GTS - 14
Copyright iDefense 2009
47
Thank You
Anchises M. G. de Paula iDefense Intelligence Analyst adepaula@verisign.com
48