1 / 51

Security and Cloudsourcing

Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Cloud Computing Forum Realm Hotel, Canberra – 24 February 2011 http://www.rogerclarke.com/EC/CCSec {.html,.ppt}. Security and Cloudsourcing.

mcneilj
Télécharger la présentation

Security and Cloudsourcing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Roger ClarkeXamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANUand in Cyberspace Law & Policy, UNSWCloud Computing ForumRealm Hotel, Canberra – 24 February 2011 http://www.rogerclarke.com/EC/CCSec {.html,.ppt} Security and Cloudsourcing

  2. Security and CloudsourcingAGENDA • CloudSourcing • Why Cloudsourcing Challenges Security • Downsides of CloudSourcing(Security in the Broadest) • Operational Disbenefits and Risks • Contingent Risks • Security Risks (Security in the Less Broad) • Commercial Disbenefits and Risks • Compliance Disbenefits and Risks • Risk Management Strategies • Questions To Ask Cloudsourcing Tenderers

  3. Cloudsourcing from the User Perspective A service that satisfies all of the following conditions: 1. It is delivered over a telecommunications network 2. The service depends on virtualised resourcesi.e. the user has no technical need to be aware which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located 3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

  4. Cloudsourcing from the User Perspective A service that satisfies all of the following conditions: 1. It is delivered over a telecommunications network 2. The service depends on virtualised resourcesi.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located 3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used 4. The user organisation places reliance on the servicefor data access and/or data processing 5. The user organisation has legal responsibilities

  5. From Insourcing to Cloudsourcing Off-Site Hosting Outsourced Facility Multiple Outsourced Facilities

  6. From Insourcing to Cloudsourcing Integrated Multi-Site Outsourced Facilities

  7. From Insourcing to Cloudsourcing CloudSourced Facilities

  8. From Insourcing to Cloudsourcing CloudSourced Facilities

  9. Sourcing Phases Insourcing Outsourced Site Outsourced Facility Outsourced Facilitiesin Multiple Locations Integrated Multi-Site Outsourced Facilities Cloudsourced Facilities From Insourcing to CloudsourcingChanges in Risk-Exposure

  10. Sourcing Phases Insourcing Outsourced Site Outsourced Facility Outsourced Facilitiesin Multiple Locations Integrated Multi-Site Outsourced Facilities Cloudsourced Facilities Increasing: Component-Count Location-Count Complexity Dependencies Fragility Decreasing: Internal Expertise Internal Knowability('set and forget') From Insourcing to CloudsourcingChanges in Risk-Exposure

  11. CC Architecture – The User Organisation Perspective

  12. A Comprehensive CC Architecture

  13. Downsides from the User Perspective(Security in the Broadest) 1. Operational Disbenefits and Risks Dependability on a day-to-day basis 2. Contingent Risks Low likelihood, but highly significant 3. Security Risks Security in the less broad 4. Commercial Disbenefits and Risks 5. Compliance Disbenefits and Risks

  14. 1. Operational Disbenefits and Risks • Fit – to users' needs, and customisability • Reliability – continuity of operation • Availabilityhosts/server/db readiness/reachability • Accessibilitynetwork readiness • Usabilityresponse-time, and consistency • Robustnessfrequency of un/planned unavailability (97% uptime = 5 hr per week offline) • Resiliencespeed of resumption after outages • Recoverabilityservice readiness after resumption • Integrity – sustained correctness of the service, and the data • Maintainability – fit, reliability, integrity after bug-fixes & mods

  15. 1. Operational Disbenefits and Risks • Fit – to users' needs, and customisability • Reliability – continuity of operation • Availability hosts/server/db readiness/reachability • Accessibility network readiness • Usability response-time, and consistency • Robustnessfrequency of un/planned unavailability (97% uptime = 5 hr per week offline) • Resiliencespeed of resumption after outages • Recoverabilityservice readiness after resumption • Integrity – sustained correctness of the service, and the data • Maintainability – fit, reliability, integrity after bug-fixes & mods

  16. 1. Operational Disbenefits and Risks • Fit – to users' needs, and customisability • Reliability – continuity of operation • Availabilityhosts/server/db readiness/reachability • Accessibilitynetwork readiness • Usabilityresponse-time, and consistency • Robustness frequency of un/planned unavailability (97% uptime = 5 hr per week offline) • Resiliencespeed of resumption after outages • Recoverabilityservice readiness after resumption • Integrity – sustained correctness of the service, and the data • Maintainability – fit, reliability, integrity after bug-fixes & mods

  17. 2. Contingent Risks • Major Service Interruptions • Service Survival – supplier collapse or withdrawalSafeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers • Data Survival – data backup/mirroring/synch, accessibility • Data Acessibility – blockage by opponents or a foreign power • Compatibility – software, versions, protocols, data formats • FlexibilityCustomisationForward-Compatibility to migrate to new levelsBackward-Compatibility to protect legacy systemsLateral Compatibility to enable dual-sourcing and escape

  18. 2. Contingent Risks • Major Service Interruptions • Service Survival – supplier collapse or withdrawalSafeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers • Data Survival – data backup/mirroring/synch, accessibility • Data Acessibility – blockage by opponents or a foreign power • Compatibility – software, versions, protocols, data formats • FlexibilityCustomisationForward-Compatibility to migrate to new levelsBackward-Compatibility to protect legacy systemsLateral Compatibility to enable dual-sourcing and escape

  19. 3. Security Risks • Service SecurityEnvironmental, second-party and third-party threats to any aspect of reliability or integrity • Data SecurityEnvironmental, second-party and third-party threats to content, both in remote storage and in transit • Authentication and AuthorisationHow to provide clients with convenient access to data and processes in the cloud, while denying access to imposters? • Susceptibility to DDOSMultiple, separate servers; but choke-points will exist

  20. 3. Security Risks • Service SecurityEnvironmental, second-party and third-party threats to any aspect of reliability or integrity • Data SecurityEnvironmental, second-party and third-party threats to content, both in remote storage and in transit • Authentication and AuthorisationHow to provide clients with convenient access to data and processes in the cloud, while denying access to imposters? • Susceptibility to DDOSMultiple, separate servers; but choke-points will exist

  21. 4. Commercial Disbenefits and Risks • Acquisition • Lack of information • Non-Negotiability of Terms and SLA • Ongoing • Loss of Corporate Expertisere apps, IT services, costs to deliver • Inherent Lock-In Effectfrom high switching costs, formats, protocols • High-volume Data Transfersfrom large datasets, replication/synchronisation • Service Levels to the Organisation's Customers

  22. 4. Commercial Disbenefits and Risks • Acquisition • Lack of information • Non-Negotiability of Terms and SLA • Ongoing • Loss of Corporate Expertisere apps, IT services, costs to deliver • Inherent Lock-In Effectfrom high switching costs, formats, protocols • High-volume Data Transfersfrom large datasets, replication/synchronisation • Service Levels to the Organisation's Customers

  23. 5. Compliance Disbenefits and Risks • General Statutory & Common Law Obligations • Evidence Discovery Law • Financial Regulations • Company Directors' obligations re asset protection, due diligence, business continuity, risk management • Security Treaty Obligations • Confidentiality – incl. against foreign governments • Strategic • Commercial • Governmental • Privacy – particularly Unauthorised Use and DisclosureSecond-Party (service-provider abuse), Third-Party ('data breach','unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

  24. 5. Compliance Disbenefits and Risks • General Statutory & Common Law Obligations • Evidence Discovery Law • Financial Regulations • Company Directors' obligations re asset protection, due diligence, business continuity, risk management • Security Treaty Obligations • Confidentiality – incl. against foreign governments • Strategic • Commercial • Governmental • Privacy – particularly Unauthorised Use and DisclosureSecond-Party (service-provider abuse), Third-Party ('data breach','unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

  25. 5. Compliance Disbenefits and Risks • General Statutory & Common Law Obligations • Evidence Discovery Law • Financial Regulations • Company Directors' obligations re asset protection, due diligence, business continuity, risk management • Security Treaty Obligations • Confidentiality – incl. against foreign governments • Strategic • Commercial • Governmental • Privacy – particularly Unauthorised Use and DisclosureSecond-Party (service-provider abuse), Third-Party ('data breach','unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

  26. 5. Compliance Disbenefits and Risks • General Statutory & Common Law Obligations • Evidence Discovery Law • Financial Services Regulations • Company Directors' obligations re asset protection, due diligence, business continuity, risk management • Security Treaty Obligations • Confidentiality – incl. against foreign governments • Strategic • Commercial • Governmental • Privacy – particularly Unauthorised Use and DisclosureSecond-Party (service-provider abuse), Third-Party ('data breach','unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

  27. Processes Risk Assessment => Risk Management Risk Management Strategies

  28. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Risk Management Strategies

  29. 1. Service name 2. Clearance information (with location and date) 1. Service Level Manager 2. Customer 3. Contract duration 1. Start and end dates 2. Rules regarding termination of the agreement 4. Description/ desired customer outcome 1. Business justification 2. Business processes/ activities oncust side supported by the service 3. Desired outcome in terms of utility 4. Desired outcome in terms of warranty 5. Service and asset criticality 1. Identification of business-critical assets connected with the service 1. Vital Business Functions (VBFs) supported by the service 2. Other critical assets used within the service 2. Estimation of the business impact caused by a loss of service or assets 6. Reference to further contracts which also apply (e.g. SLA) 7. Service times 1. Hours when the service is available 2. Exceptions (e.g. weekends, public holidays) 3. Maintenance slots 8. Required types and levels of support 1. On-site support 1. Area/ locations 2. Types of users 3. Types of infrastructure to be supported 4. Reaction and resolution times 2. Remote support 1. Area/ locations 2. Types of users (user groups granted access to the service) 3. Types of infrastructure to be supported 4. Reaction and resolution times 9. Service level requirements/ targets 1. Availability targets and commitments 1. Conditions under which the service is considered to be unavailable 2. Availability targets 3. Reliability targets (usually defined as MTBF or MTBSI ) 4. Maintainability targets (usually defined as MTRS) 5. Downtimes for maintenance 6. Restrictions on maintenance 7. Procedures for announcing interruptions to the service 8. Requirements regarding availability reporting 2. Capacity/ performance targets and commitments 1. Required capacity (lower/upper limit) for the service, e.g. 1. Numbers and types of transactions 2. Numbers and types of users 3. Business cycles (daily, weekly) and seasonal variations 2. Response times from applications 3. Requirements for scalability 4. Requirements regarding capacity and performance reporting 3. Service Continuity commitments 1. Time within which a defined level of service must be re-established 2. Time within which normal service levels must be restored 10. Mandated technical standards and spec of the technical service interface 11. Responsibilities 1. Duties of the service provider 2. Duties of the customer (contract partner for the service) 3. Responsibilities of service users (e.g. with respect to IT security) 4. IT Security aspects to be observed when using the service 12. Costs and pricing 1. Cost for the service provision 2. Rules for penalties/ charge backs 13. Change history 14. List of annexes SLA Checklist (ITILv3 Edited Down) http://wiki.en.it-processmaps.com/index.php/Checklist_SLA_OLA_UC

  30. Processes Risk Assessment => Risk Management LegalAspects Service Level Agreement (SLA) Contract Terms Risk Management Strategies

  31. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Risk Management Strategies

  32. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Multi-Sourcing Several Suppliers Risk Management Strategies

  33. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Multi-Sourcing Several SuppliersOf necessity compatible Risk Management Strategies

  34. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Multi-Sourcing Several SuppliersOf necessity compatible Parallel, In-House Risk Management Strategies

  35. Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Multi-Sourcing Several SuppliersOf necessity compatible Parallel, In-House Redundancy – Multiple and Independent Processing Facilities Hot/Warm-Site Data Storage Risk Management Strategies

  36. A New Digital Security Model • In a highly-interconnected world,Perimeter Security / The Walled Fortressdoesn't work any more • The new Core Principle: When unauthorised access happens, make sure that the data is valueless to anyone other than the user-organisation

  37. A New Digital Security ModelSome Implementation Techniques • Obscure the content and identities(Only the user-organisation has the decryption-key) • Use pseudo-identifiers not identifiers(Only the user-organisation has the cross-index) • Split the content into 'small enough' morsels(Only the user-organisation has the whole picture) • Authenticate attributes rather than identities NITTA (2011) 'New Digital Security Models' National IT and Telecom Agency, Copenhagen, February 2011, http://digitaliser.dk/resource/896495

  38. Categories of Use-Profile • CC is very well-suited for ... Uses of computing that are highly price-sensitiveAdjuncts to analysis and decision-makingTrade off loss of control, uncertain reliability and contingent risks against cost-advantages, convenience, scalability, etc.

  39. Categories of Use-Profile • CC is very well-suited for ... Uses of computing that are highly price-sensitiveAdjuncts to analysis and decision-makingTrade off loss of control, uncertain reliability and contingent risks against cost-advantages, convenience, scalability, etc. • CC is completely inappropriate for ... • 'mission-critical systems' • systems embodying the organisation's 'core competencies' • applications whose failure or extended malperformance would threaten the organisation's health or survival

  40. Categories of Use-Profile • CC is very well-suited for ... Uses of computing that are highly price-sensitiveAdjuncts to analysis and decision-makingTrade off loss of control, uncertain reliability and contingent risks against cost-advantages, convenience, scalability, etc. • CC is completely inappropriate for ... • 'Mission-critical systems' • Systems embodying the organisation's 'core competencies' • Applications whose failure or extended malperformance would threaten the organisation's health or survival • CC may be applicable, it all depends ... • Can the risks be adequately understood and managed? • Trade-offs between potential benefits vs. uncontrollable risks

  41. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services?

  42. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime?

  43. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? Managed Vulnerability Assessment ServiceMVAS PSARN Management & Engineering

  44. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? • How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data? • How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions?

  45. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? • How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data? • How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions? • After 3 hours' delay, what's your Contingency Plan?

  46. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? • How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data? • How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions? • After 3 hours' delay, what's your Contingency Plan? Remember Virgin Blue and Accenture/Navitaire "The Virgin Blue check-in system that crashed and left tens of thousands of passengers stranded was meant to be backed up by a parallel 'disaster recovery system' within 3 hours, but it did not work for 21 hours" http://www.smh.com.au/travel/travel-news/backup-for-airlines-checkin-system-delayed-for-18-hours-20100927-15u5f.html

  47. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? • How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data? • How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions? • After 3 hours' delay, what's your Contingency Plan? • Where are the Backups of my data?

  48. Questions to ask CloudSourcing Tenderers • How do you ensure that natural disasters and DDOS won't interrupt or delay my services? • What's your Vulnerability Testing regime? • How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data? • How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions? • After 3 hours' delay, what's your Contingency Plan? • Where are the Backups of my data? • If I choose someone else, what's involved in Switching Suppliers, to you, at a later date?

  49. Conclusion • "Past efforts at utility computing failed, and we note that in each case one or two ... critical characteristics were missing" (Armbrust et al. 2008, p. 5 – UC Berkeley) • CC may be just another marketing buzz-phrase that leaves corporate wreckage in its wake • CC service-providers need to invest a great deal in many aspects of architecture, infrastructure, applications, and terms of contract and SLA • User organisations need to trial CC with care

  50. Security and CloudsourcingAGENDA • CloudSourcing • Why Cloudsourcing Challenges Security • Downsides of CloudSourcing(Security in the Broadest) • Operational Disbenefits and Risks • Contingent Risks • Security Risks (Security in the Less Broad) • Commercial Disbenefits and Risks • Compliance Disbenefits and Risks • Risk Management Strategies • Questions To Ask Cloudsourcing Tenderers

More Related