
24. Cloud Security


MitSoni


Presentation Transcript


  1. Cloud Security http://clean-clouds.com

  2. Objectives • Security Objectives • Cloud Characteristics & Security Implications • Cloud Security Challenges • Control & Cloud Service Model • Roles & Responsibilities • Security Guidelines • Documents & Checklists

  3. Security Objectives • Cloud security is about 3 objectives: • Confidentiality (C): keeping data private • Integrity (I): data in the cloud is what it is supposed to be • Availability (A): availability of information

  4. Cloud Computing ~ Economy of Scale & Security • All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, backup, patch management, hardening of virtual machine instances and hypervisors, etc.) • The same amount of investment in security buys better protection.

  5. Cloud Security - Overview • Cloud computing presents an added level of risk • Services are outsourced to a third party • Off-Premise • Multi-tenant architecture • Loss of Governance - less control over data and operations • Legal and Contractual Risks

  6. Cloud Characteristics -> Outsourced

  7. Cloud Characteristics -> Off-Premise

  8. Multi-Tenant Architecture ~ Shared Resources

  9. Loss of Governance • The client cedes control to the Provider on a number of issues affecting security: • External pen testing not permitted • Very limited logs available • Usually no forensics service offered • Not possible to inspect hardware • No information on location/jurisdiction of data • Outsourcing or sub-contracting of services to third parties (fourth parties?)

  10. Legal and Contractual Risks • Data in multiple jurisdictions, some of which may be risky • Multiple transfers of data exacerbate the problem • Subpoena and e-discovery • Intellectual Property • Risk allocation and limitation of liability • Compliance challenges - how to provide evidence of compliance

  11. Cloud Security Challenges - Part 1 • Data dispersal and international privacy laws • Exposure of data to foreign governments and data subpoenas • Data retention issues • Need for isolation management • Multi-tenancy • Logging challenges • Data ownership issues • Quality of service guarantees

  12. Cloud Security Challenges - Part 2 • Dependence on secure hypervisors • Attraction to hackers (high value target) • Security of virtual OSs in the cloud • Possibility of massive outages • Encryption needs for cloud computing • Encrypting administrative access to OS instances • Encrypting application data at rest • Encrypting application data in transit • Public cloud vs internal cloud security

  13. Additional Issues • Issues with moving PII and sensitive data to the cloud • Privacy impact assessments • Using SLAs to obtain cloud security • Suggested requirements for cloud SLAs • Issues with cloud forensics • Contingency planning and disaster recovery for cloud implementations • Handling compliance: FISMA, HIPAA, FDA, PCI, SAS 70 audits

  14. Control & Cloud Service Model

  15. Responsibilities

  16. CIA & Cloud Service Model

  17. Why is Security the “X” factor for a Cloud Service Provider?

  18. Skin in the Game & Cloud Service Provider • “Skin in the Game” is a term used by investor Warren Buffett, referring to a situation in which high-ranking insiders use their own money to buy stock in the company they are running.

  19. Security Guidelines for Application Migration on Cloud

  20. How can Security Guidelines help?

  21. Cloud Security Areas

  22. Identity & Access Management • Authentication • Existing authentication or the Cloud provider’s authentication service? • SSO • Single sign-on for applications on the cloud and on premise? • Authorization • User provisioning and de-provisioning service • User directory & Federation Services • How is trust maintained across the cloud and on-premise domains?

  23. Directory Services • Federation services like ADFS 2.0 implement standards such as WS-Trust and WS-Federation, which is useful. • Using the WS-Federation standard, Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server. • IBM Tivoli Federated Identity Manager is used for federation services.

  24. Data Security • Hardware, database, memory, etc. - like buying a hotel room or booking an aircraft.

  25. Information Security Life-Cycle • Data Confidentiality • Data Integrity • Availability • Backup & Archive • Key Management

  26. Is Encryption sufficient? • Encryption technique, e.g. 128/256-bit AES, symmetric/asymmetric encryption • File system or disk encryption techniques • Does the encryption meet FIPS 140-2? • Practical processing operations on encrypted data are not possible

  27. Network Security • Concerns • Security for data in transit • Perimeter security • Network security threats (DoS, man-in-the-middle, packet sniffing) • Solutions • Virtual Private Cloud • IPsec networks • Stateful firewall

  28. Virtualization Security • Virtualization / Hypervisor Threats - How are your data and applications isolated from other customers? • Host Operating System - How is the host operating system protected? • OS hardening - How are OS-level security measures like OS hardening maintained? • Anti-virus - How is protection from malware & spyware ensured?

  29. Physical Security • Environmental Safeguards - (SAS 70) Type II audit procedures • Redundancy • Climate and temperature • Fire detection and suppression • Physical Security - (SAS 70) Type II audit procedures • Professional security staff utilizing video surveillance • Authorized staff must pass two-factor authentication • Access to datacenters by employees must be logged and audited routinely

  30. Incident Response in the Cloud • What constitutes a cloud-based incident? • Customer vs. Provider definitions • What technologies play a key role in incident detection and response? • Network security, host controls, monitoring/alerting • What do cloud customers need to ask/know about provider incident response? • Will consumer organizations be provided an audit trail? Maybe.

  36. Thank You
