Dr. Bhavani Thuraisingham November, 2012

Presentation Transcript

  1. A Comprehensive Overview of Secure Cloud Computing Dr. Bhavani Thuraisingham November, 2012

  2. Outline • What is Cloud Computing • Cloud Computing Infrastructure Security • Cloud Storage and Data Security • Identity Management in the Cloud • Security Management in the Cloud • Privacy • Audit and Compliance • Cloud Service Providers • Security as a Service • Impact of Cloud Computing • Directions • Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers

  3. What is Cloud Computing? • Definition • SPI Framework • Traditional Software Model • Cloud Services Delivery Model • Deployment Model • Key Drivers • Impact • Governance • Barriers

  4. Definition of Cloud Computing • Multitenancy - shared resources • Massive scalability • Elasticity • Pay as you go • Self provisioning of resources

  5. SPI Framework • Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) • Several technologies work together • Cloud access devices • Browsers and thin clients • High-speed broadband access • Data centers and server farms • Storage devices • Virtualization technologies • APIs

  6. Traditional Software Model • Large upfront licensing costs • Annual support costs • Depends on number of users • Not based on usage • Organization is responsible for hardware • Security is a consideration • Customized applications

  7. Cloud Services Delivery Model • SaaS • Rents software on a subscription basis • Service includes software, hardware and support • Users access the service through an authorized device • Suitable for a company to outsource hosting of apps • PaaS • Vendor offers development environment to application developers • Provider develops toolkits, building blocks, payment hooks • IaaS • Processing power and storage service • Hypervisor is at this level

  8. Deployment Models • Public Clouds • Hosted, operated and managed by a third-party vendor • Security and day-to-day management by the vendor • Private Clouds • Networks, infrastructures, data centers owned by the organization • Hybrid Clouds • Sensitive applications in a private cloud and non-sensitive applications in a public cloud

  9. Key Drivers • Small investment and low ongoing costs • Economies of scale • Open standards • Sustainability

  10. Impact • How are the following communities Impacted by the Cloud? • Individual Customers • Individual Businesses • Start-ups • Small and Medium sized businesses • Large businesses

  11. Governance • Five layers of governance for IT are Network, Storage, Server, Services and Apps • For on-premise hosting, the organization has control over Storage, Server, Services and Apps; vendor and organization share control over networks • For the SaaS model, all layers are controlled by the vendor • For the IaaS model, Apps are controlled by the organization, Services are controlled by both, while the network, storage and server are controlled by the vendor • For PaaS, Apps and Services are controlled by both, while servers, storage and network are controlled by the vendor

  12. Barriers • Security • Privacy • Connectivity and Open access • Reliability • Interoperability • Independence from CSP (cloud service provider) • Economic value • IT governance • Changes in IT organization • Political issues

  13. Cloud Computing Infrastructure Security • Infrastructure Security at the Network Level • Infrastructure Security at the Host Level • Infrastructure Security at the Application Level • Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels

  14. Security at the Network Level • Ensuring confidentiality and integrity of the organization's data in transit to and from the public cloud provider • Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud • Ensuring availability of the Internet-facing resources of the public cloud used by the organization • Replacing the established network zones and tiers with domains • How can you mitigate the risk factors?

  15. Security at the Host Level • Host security at PaaS and SaaS Level • Both PaaS and SaaS hide the host operating system from end users • Host security responsibilities in SaaS and PaaS are transferred to the CSP • Host security at IaaS Level • Virtualization software security • Hypervisor security • Threats: Blue Pill attack on the hypervisor • Customer guest OS or virtual server security • Attacks on the guest OS: e.g., stealing keys used to access and manage the hosts

  16. Security at the Application Level • Usually it’s the responsibility of both the CSP and the customer • Application security at the SaaS level • SaaS Providers are responsible for providing application security • Application security at the PaaS level • Security of the PaaS Platform • Security of the customer applications deployed on a PaaS platform • Application security at the IaaS Level • Customer applications treated as a black box • IaaS is not responsible for application level security

  17. Cloud Storage and Data Security • Aspects of Data Security • Data Security Mitigation • Provider Data and its Security

  18. Aspects of Data Security • Security for • Data in transit • Data at rest • Processing of data including multitenancy • Data Lineage • Data Provenance • Data remanence • Solutions include encryption, identity management, sanitization

  19. Data Security Mitigation • Even though data in transit is encrypted, use of the data in the cloud will require decryption. • That is, the cloud will have unencrypted data • Mitigation • Sensitive data cannot be stored in a public cloud • Homomorphic encryption may be a solution in the future

  20. Provider Data and its Security • What data does the provider collect – e.g., metadata, and how can this data be secured? • Data security issues • Access control, Key management for encrypting • Confidentiality, Integrity and Availability are objectives of data security in the cloud

  21. Identity and Access Management (IAM) in the Cloud • Trust boundaries and IAM • Why IAM? • IAM challenges • IAM definitions • IAM architecture and practice • Getting ready for the cloud • Relevant IAM standards and protocols for cloud services • IAM practices in the cloud • Cloud authorization management • Cloud Service provider IAM practice

  22. Trust Boundaries and IAM • In a traditional environment, the trust boundary is within the control of the organization • This includes the governance of the networks, servers, services, and applications • In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well as organizations • Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization • Core of the architecture is the directory service, which is the repository for the identity, credentials and user attributes

  23. Why IAM • Improves operational efficiency and regulatory compliance management • IAM enables organizations to achieve access control and operational security • Cloud use cases that need IAM • Organization employees accessing a SaaS service using identity federation • IT admin accessing the CSP management console to provision resources and access for users using a corporate identity • Developers creating accounts for partner users in PaaS • End users accessing a storage service in a cloud • Applications residing in a cloud service provider accessing storage from another cloud service

  24. IAM Challenges • Provisioning resources to users rapidly to accommodate their changing roles • Handle turnover in an organization • Disparate dictionaries, identities, access rights • Need standards and protocols that address the IAM challenges

  25. IAM Definitions • Authentication • Verifying the identity of a user, system or service • Authorization • Privileges that a user or system or service has after being authenticated (e.g., access control) • Auditing • Examine what the user, system or service has carried out • Check for compliance

  26. IAM Practice • IAM process consists of the following: • User management (for managing identity life cycles) • Authentication management • Authorization management • Access management • Data management and provisioning • Monitoring and auditing • Provisioning • Credential and attribute management • Entitlement management • Compliance management • Identity federation management • Centralization of authentication and authorization

  27. Getting Ready for the Cloud • Organization using a cloud must plan for user account provisioning • How can a user be authenticated in a cloud • Organization can use cloud based solutions from a vendor for IAM (e.g., Symplified) • Identity Management as a Service • Industry standards for federated identity management • SAML, WS-Federation, Liberty Alliance

  28. Relevant IAM Standards, Protocols for Cloud • IAM Standards and Specifications for Organizations • SAML • SPML • XACML • OAuth (Open Authentication) – cloud service X accessing data in cloud service Y without disclosing credentials • IAM Standards and Specifications for Consumers • OpenID • Information Cards • Open Authenticate (OATH) • Open Authentication API (OpenAuth)

  29. IAM Practices in the Cloud • Cloud Identity Administration • Life cycle management of user identities in the cloud • Federated Identity (SSO) • Enterprise identity provider within an organization perimeter • Cloud-based Identity provider

  30. Cloud Authorization Management • XACML is the preferred model for authorization • RBAC is being explored • Dual roles: Administrator and User • IAM support for compliance management

  31. Cloud Service Provider and IAM Practice • What is the responsibility of the CSP and the responsibility of the organization/enterprise? • Enterprise IAM requirements • Provisioning of cloud service accounts to users • Provisioning of cloud services for service-to-service integration • SSO support for users based on federation standards • Support for international and regulatory policy requirements • User activity monitoring • How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS?

  32. Security Management in the Cloud • Security Management Standards • Security Management in the Cloud • Availability Management • Access Control • Security Vulnerability, Patch and Configuration Management

  33. Security Management Standards • Security Management has to be carried out in the cloud • Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002 • What are the policies, procedures, processes and work instructions for managing security?

  34. Security Management in the Cloud • Availability Management (ITIL) • Access Control (ISO, ITIL) • Vulnerability Management (ISO, IEC) • Patch Management (ITIL) • Configuration Management (ITIL) • Incident Response (ISO/IEC) • System use and Access Monitoring

  35. Availability Management • SaaS availability • Customer responsibility: Customer must understand SLA and communication methods • SaaS health monitoring • PaaS availability • Customer responsibility • PaaS health monitoring • IaaS availability • Customer responsibility • IaaS health monitoring

  36. Access Control Management in the Cloud • Who should have access and why • How is a resource accessed • How is the access monitored • Impact of access control on SaaS, PaaS and IaaS

  37. Security Vulnerability, Patch and Configuration (VPC) Management • How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment? • What is the impact of VPC on SaaS, PaaS and IaaS?

  38. Privacy • Privacy and Data Life Cycle • Key Privacy Concerns in the Cloud • Who is Responsible for Privacy • Privacy Risk Management and Compliance in the Cloud • Legal and Regulatory Requirements

  39. Privacy and Data Life Cycle • Privacy: Accountability of organizations to data subjects as well as the transparency to an organization’s practice around personal information • Data Life Cycle • Generation, Use, Transfer, Transformation, Storage, Archival, Destruction • Need policies

  40. Privacy Concerns in the Cloud • Access • Compliance • Storage • Retention • Destruction • Audit and Monitoring • Privacy Breaches

  41. Who is Responsible for Privacy • Organization that collected the information in the first place – the owner organization • What is the role of the CSP? • Organizations can transfer liability but not accountability • Risk assessment and mitigation throughout the data lifecycle • Knowledge about legal obligations

  42. Privacy Risk Management and Compliance • Collection Limitation Principle • Use Limitation Principle • Security Principle • Retention and Destruction Principle • Transfer Principle • Accountability Principle

  43. Legal and Regulatory Requirements • US Regulations • Federal Rules of Civil Procedure • US Patriot Act • Electronic Communications Privacy Act • FISMA • GLBA • HIPAA • HITECH Act • International regulations • EU Directive • APEC Privacy Framework

  44. Audit and Compliance • Internal Policy Compliance • Governance, Risk and Compliance (GRC) • Control Objectives • Regulatory/External Compliance • Cloud Security Alliance • Auditing for Compliance

  45. Audit and Compliance • Defines Strategy • Define Requirements (provide services to clients) • Defines Architecture (that is architect and structure services to meet requirements) • Define Policies • Defines process and procedures • Ongoing operations • Ongoing monitoring • Continuous improvement

  46. Governance, Risk and Compliance • Risk assessment • Key controls (to address the risks and compliance requirements) • Monitoring • Reporting • Continuous improvement • Risk assessment – new IT projects and systems

  47. Control Objectives • Security Policy • Organization of information security • Asset management • Human resources security • Physical and environmental security • Communications and operations management • Access control • Information systems acquisition, development and maintenance • Information Security incident management • Compliance • Key Management

  48. Regulatory/External Compliance • Sarbanes-Oxley Act • PCI DSS • HIPAA • COBIT • What is the impact of Cloud computing on the above regulations?

  49. Cloud Security Alliance (CSA) • Create and apply best practices to securing the cloud • Objectives include • Promote common level of understanding between consumers and providers • Promote independent research into best practices • Launch awareness and educational programs • Create consensus • White Paper produced by CSA consists of 15 domains • Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization, - - - -

  50. Auditing for Compliance • Internal and External Audits • Audit Framework • SAS 70 • SysTrust • WebTrust • ISO 27001 certification • Relevance to Cloud
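
Slide 19 notes that data must be decrypted before the cloud can use it and names homomorphic encryption as a possible future answer. The sketch below is an added example, not part of the original slides: a toy Paillier cryptosystem, which is additively homomorphic only (a restricted form, not fully homomorphic encryption), showing a provider summing values it cannot read. The key size, function names and sample figures are assumptions made for the illustration.

```python
import math
import secrets

# Toy key, constructed for this example from two known Mersenne primes.
# Real deployments use randomly generated primes of 1024 bits or more.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                                          # public key
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # private: LAM^-1 mod N

def encrypt(m):
    """Customer side: encrypt an integer 0 <= m < N under public key N."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1           # fresh randomness per message
        if math.gcd(r, N) == 1:
            break
    # Generator g = N + 1, so g^m mod N^2 simplifies to 1 + m*N.
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    """Customer side: requires the private values LAM and MU."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def cloud_add(c1, c2):
    """Provider side: ciphertext of m1 + m2, computed from ciphertexts and N only."""
    return c1 * c2 % N2

def cloud_scale(c, k):
    """Provider side: ciphertext of k * m for a public constant k."""
    return pow(c, k, N2)

def demo():
    salaries = [52000, 61000, 58500]               # constructed sample data
    stored = [encrypt(s) for s in salaries]        # what the provider holds
    total = stored[0]
    for c in stored[1:]:
        total = cloud_add(total, c)                # no decryption in the cloud
    return decrypt(total), decrypt(cloud_scale(stored[0], 3))

if __name__ == "__main__":
    print(demo())
```

The provider-side functions never touch `LAM` or `MU`, so the plaintext exists only on the customer side; operations beyond addition and multiplication by a constant are outside what this scheme supports.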