SlideShare uma empresa Scribd logo
1 de 20
Baixar para ler offline
Cloud Security:
            Identifying the Risks
            Jim Reavis, Executive Director

May, 2010
About the Cloud Security Alliance
•   Global, not-for-profit organization
•   Inclusive membership, supporting broad spectrum of
    subject matter expertise
•   Building best practices and a trusted cloud ecosystem
    • CSA Guidance V2.1 – Released Dec 2009
    • CSA Top Threats Research – Released March 2010
    • CSA Cloud Controls Matrix – Released April 2010
    • Trusted Cloud Initiative – Release Q4 2010
    • CSA Cloud Metrics Working Group – release TBA
    • Consensus Assessment Initiative
“To promote the use of best practices for providing security assurance
  within Cloud Computing, and provide education on the uses of Cloud
         Computing to help secure all other forms of computing.”
                  Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Is Cloud Computing Working?
• Eli Lilly
  • New drug research project
  • IT promised system in 3 months, > $100,000 USD
  • Scientist completed in one day in cloud, < $500 USD
• Japanese government agencies
  • RFP for custom software development
  • Chose PaaS for 25% of cost and deployment time
    over traditional software house

               Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
What is Cloud Computing?
• Compute as a utility: third major era of computing
  •   Mainframe
  •   PC Client/Server
  •   Cloud computing: On demand model for allocation and consumption
      of computing
• Cloud enabled by
  •   Moore‟s Law: Costs of compute & storage approaching zero
  •   Hyperconnectivity: Robust bandwidth from dotcom investments
  •   Service Oriented Architecture (SOA)
  •   Scale: Major providers create massive IT capabilities
• Disruptive to IT and IT Security
• Challenges many of our IT definitions, e.g. what is data?
                    Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Defining Cloud
•   On demand provisioning
•   Elasticity
•   Multi-tenancy
•   Key types
    •   Infrastructure as a Service
        (IaaS): basic O/S & storage
    •   Platform as a Service (PaaS):
        IaaS + rapid app development
    •   Software as a Service (SaaS):
        complete application
    •   Public, Private, Community &
        Hybrid Cloud deployments

                      Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
S-P-I Framework                                                              You “RFP”
                                                                             security in
                                                                                       SaaS
                                                                                 Software as a Service


   You build
   security in
                                                     PaaS
                                            Platform as a Service
         IaaS
Infrastructure as a Service




                              Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Top Threats to Cloud Computing

Cloud Security Risks / Threats
• Shared Technology Vulnerabilities
• Data Loss/Data Leakage
• Malicious Insiders
• Account Service or Hijacking of Traffic
• Insecure APIs
• Nefarious Use of Service
• Unknown Risk Profile
            Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Shared Technology Vulnerabilities

  Description

  • Exposed hardware, operating systems, middleware, application stacks and
    network components may posses known vulnerabilities


  Impact

  • Successful exploitation could impact multiple customers


  Example

  • Cloudburst - Kostya Kortchinksy (Blackhat 2009)
    • Arbitrary code execution vulnerability identified in VMware SVGA II device, a
      virtualized PCI Display Adapter
    • Vulnerable component present on VMware Workstation, VMware Player,
      VMware Server and VMware ESX


                     Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Data Loss / Data Leakage
 Description

 • Data compromise due to improper access controls or weak encryption
 • Poorly secured data is at greater risk due to the multi-tenant
   architecture

 Impact

 • Data integrity and confidentiality

 Example

 • Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-
   Party Compute Clouds (UCSD/MIT)
   • Research detailing techniques to ensure that images are deployed on
     the same physical hardware as a victim and then leveraging cross-
     VM attacks to identify data leakage

                    Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Malicious Insiders
 Description

 • Employees of the cloud vendor may abuse privileges to access customer
   data/functionality
 • Reduced visibility into internal processes may inhibit detection of the breach

 Impact

 • Data confidentiality and integrity
 • Reputational damage
 • Legal repercussions

 Example

 • Google Investigates Insider Threat After China Hack (eWeek)
   • “Google is investigating whether some of its own staff are behind the
     repeated attempts to hack into the Gmail accounts of Chinese human rights
     activists”


                     Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Interception or Hijacking of Traffic

  Description

  • Intercept and/or redirect traffic destined for the clients or cloud
  • Steal credentials to eavesdrop or manipulate account information /
    services

  Impact

  • Confidentiality and integrity of data
  • Damage to reputation
  • Consequences (legal) from malicious use of resources

  Example

  • Twitter DNS account compromise
  • Zeus botnet C&Cs on compromised Amazon EC2 accounts

                   Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Insecure APIs
 Description

 • APIs designed to permit access to functionality and data may be
   vulnerable or improperly utilized, exposing applications to attack

 Impact

 • Data confidentiality and integrity
 • Denial of service

 Example

 • P0wning the Programmable Web (Websense – AusCERT 2009_
   • 80% of tested applications not using available security in APIs (e.g.
     unencrypted traffic and basic authentication)
   • Demonstrated CSRF, MITM and data leakage attacks

                   Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Nefarious Use of Service
 Description

 • Attackers are drawn to the cloud for the same reasons as legitimate
   consumers – access to massive proceesing power at a low cost

 Impact

 • Password cracking, DDoS, malware hosting, spam, C&C servers,
   CAPTCHA cracking, etc.

 Example

 • Current search of MalwareDomainList.com for „amazonaws.com‟
   returns 21 results
 • “In the past three years, ScanSafe has recorded 80 unique malware
   incidents involving amazonaws” – ScanSafe blog
 • Amazon's EC2 Having Problems With Spam and Malware - Slashdot

                  Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Unknown Risk Profile
 Description
 • A lack of visibility into security controls could leave cloud consumers exposed to
   unnecessary risk.


 Impact
 • Significant data breaches could occur, possibly without the knowledge of the cloud
   consumer.


 Example
 • Heartland Payment Systems was “willing to do only the bare minimum and comply with state
   laws instead of taking the extra effort to notify every single customer, regardless of law, about
   whether their data [had] been stolen.”
   http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html




                        Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Survey Results
Top Ranked Threats

RANK   THREAT                                                  PERCENT


1)     Data Loss/Leakage                                       28.8%
2)     Abuse and Nefarious use of Cloud                        17.8%
       Computing
3)     Insecure API‟s                                          15.1%
4)     Malicious Insiders                                      11.0%
5)     Account/Service and Traffic Hijacking                   9.6%
6)     Unknown Risk Profile                                    9.6%
7)     Shared Technology Vulnerabilities                       8.2%
                Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Status
 Revisions
 • Top threats list will be updated 2x per year

 Process
 • Recommended changes will be solicited from CSA participants
 • Panel of judges will be established with representation from the
   security community, solution providers and cloud consumers
 • Recommendations will be summarized and solicited to judges
   for review
 • Judges will vote on any recommended changes
 • Contact project team to recommend judges



                 Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
CSA Guidance Domains
                                                                                       Cloud Architecture

                                                                          Governance and Enterprise Risk Management




                                                                                                                         Governing the
                                                                                 Legal and Electronic Discovery




                                                                                                                            Cloud
•   Popular best practices
                                                                                     Compliance and Audit

                                                                               Information Lifecycle Management
    for securing cloud                                                           Portability and Interoperability

    computing                                                              Security, Bus. Cont,, and Disaster Recovery




                                                 Operating in the Cloud
                                                                                    Data Center Operations

• 13 Domains of concern –                                                 Incident Response, Notification, Remediation

    governing & operating                                                             Application Security

                                                                                Encryption and Key Management
    groupings                                                                   Identity and Access Management

                                                                                          Virtualization



Guidance > 100k downloads: cloudsecurityalliance.org/guidance

                 Copyright © 2010 Cloud Security Alliance                         www.cloudsecurityalliance.org
Summary
•   Cloud Computing is real and transformational
•   Challenges for People, Process, Technology,
    Organizations and Countries
• Broad governance approach needed
• Tactical fixes needed
• Combination of updating existing best practices and
    creating completely new best practices
•   Common sense not optional

                 Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Contact

• Help us secure cloud computing
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• LinkedIn: www.linkedin.com/groups?gid=1864210
• Twitter: @cloudsa


              Copyright © 2010 Cloud Security Alliance   www.cloudsecurityalliance.org
Thank you!



        www.cloudsecurityalliance.org

Mais conteúdo relacionado

Mais procurados

Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationVenkateswar Reddy Melachervu
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Brian K. Dickard
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersGokul Alex
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing Moshe Ferber
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesNJVC, LLC
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issuesAleem Mohammed
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New PerspectiveWen-Pai Lu
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
Cloud Security And Privacy
Cloud Security And PrivacyCloud Security And Privacy
Cloud Security And Privacytmather
 
Cloud computing understanding security risk and management
Cloud computing   understanding security risk and managementCloud computing   understanding security risk and management
Cloud computing understanding security risk and managementShamsundar Machale (CISSP, CEH)
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- orgDharmalingam S
 

Mais procurados (19)

Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)
 
Cloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and FrontiersCloud Security - Emerging Facets and Frontiers
Cloud Security - Emerging Facets and Frontiers
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing
 
Cloud Security for U.S. Military Agencies
Cloud Security for U.S. Military AgenciesCloud Security for U.S. Military Agencies
Cloud Security for U.S. Military Agencies
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Cloud Security And Privacy
Cloud Security And PrivacyCloud Security And Privacy
Cloud Security And Privacy
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Cloud security
Cloud security Cloud security
Cloud security
 
Cloud computing understanding security risk and management
Cloud computing   understanding security risk and managementCloud computing   understanding security risk and management
Cloud computing understanding security risk and management
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- org
 

Semelhante a Presd1 10

Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14L S Subramanian
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Moshe Ferber
 
Gitex journey to the cloud
Gitex journey to the cloudGitex journey to the cloud
Gitex journey to the cloudJorge Sebastiao
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Vivek Maurya
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloudpatmisasi
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfCiente
 

Semelhante a Presd1 10 (20)

Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14Lss implementing cyber security in the cloud, and from the cloud-feb14
Lss implementing cyber security in the cloud, and from the cloud-feb14
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
 
Cloud Security Alliance - Guidance
Cloud Security Alliance - GuidanceCloud Security Alliance - Guidance
Cloud Security Alliance - Guidance
 
Introduction Of Cloud Computing
Introduction Of Cloud Computing Introduction Of Cloud Computing
Introduction Of Cloud Computing
 
Gitex journey to the cloud
Gitex journey to the cloudGitex journey to the cloud
Gitex journey to the cloud
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 

Mais de Niels Groeneveld (9)

Presd2 06
Presd2 06Presd2 06
Presd2 06
 
Presd2 04
Presd2 04Presd2 04
Presd2 04
 
Presd2 02
Presd2 02Presd2 02
Presd2 02
 
Presd1 17
Presd1 17Presd1 17
Presd1 17
 
Presd1 14
Presd1 14Presd1 14
Presd1 14
 
Presd1 13
Presd1 13Presd1 13
Presd1 13
 
Presd1 11
Presd1 11Presd1 11
Presd1 11
 
Presd1 09
Presd1 09Presd1 09
Presd1 09
 
Presd1 04
Presd1 04Presd1 04
Presd1 04
 

Último

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 

Último (20)

NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 

Presd1 10

  • 1. Cloud Security: Identifying the Risks Jim Reavis, Executive Director May, 2010
  • 2. About the Cloud Security Alliance • Global, not-for-profit organization • Inclusive membership, supporting broad spectrum of subject matter expertise • Building best practices and a trusted cloud ecosystem • CSA Guidance V2.1 – Released Dec 2009 • CSA Top Threats Research – Released March 2010 • CSA Cloud Controls Matrix – Released April 2010 • Trusted Cloud Initiative – Release Q4 2010 • CSA Cloud Metrics Working Group – release TBA • Consensus Assessment Initiative “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.” Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 3. Is Cloud Computing Working? • Eli Lilly • New drug research project • IT promised system in 3 months, > $100,000 USD • Scientist completed in one day in cloud, < $500 USD • Japanese government agencies • RFP for custom software development • Chose PaaS for 25% of cost and deployment time over traditional software house Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 4. What is Cloud Computing? • Compute as a utility: third major era of computing • Mainframe • PC Client/Server • Cloud computing: On demand model for allocation and consumption of computing • Cloud enabled by • Moore‟s Law: Costs of compute & storage approaching zero • Hyperconnectivity: Robust bandwidth from dotcom investments • Service Oriented Architecture (SOA) • Scale: Major providers create massive IT capabilities • Disruptive to IT and IT Security • Challenges many of our IT definitions, e.g. what is data? Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 5. Defining Cloud • On demand provisioning • Elasticity • Multi-tenancy • Key types • Infrastructure as a Service (IaaS): basic O/S & storage • Platform as a Service (PaaS): IaaS + rapid app development • Software as a Service (SaaS): complete application • Public, Private, Community & Hybrid Cloud deployments Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 6. S-P-I Framework You “RFP” security in SaaS Software as a Service You build security in PaaS Platform as a Service IaaS Infrastructure as a Service Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 7. Top Threats to Cloud Computing Cloud Security Risks / Threats • Shared Technology Vulnerabilities • Data Loss/Data Leakage • Malicious Insiders • Account Service or Hijacking of Traffic • Insecure APIs • Nefarious Use of Service • Unknown Risk Profile Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 8. Shared Technology Vulnerabilities Description • Exposed hardware, operating systems, middleware, application stacks and network components may posses known vulnerabilities Impact • Successful exploitation could impact multiple customers Example • Cloudburst - Kostya Kortchinksy (Blackhat 2009) • Arbitrary code execution vulnerability identified in VMware SVGA II device, a virtualized PCI Display Adapter • Vulnerable component present on VMware Workstation, VMware Player, VMware Server and VMware ESX Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 9. Data Loss / Data Leakage Description • Data compromise due to improper access controls or weak encryption • Poorly secured data is at greater risk due to the multi-tenant architecture Impact • Data integrity and confidentiality Example • Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third- Party Compute Clouds (UCSD/MIT) • Research detailing techniques to ensure that images are deployed on the same physical hardware as a victim and then leveraging cross- VM attacks to identify data leakage Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 10. Malicious Insiders Description • Employees of the cloud vendor may abuse privileges to access customer data/functionality • Reduced visibility into internal processes may inhibit detection of the breach Impact • Data confidentiality and integrity • Reputational damage • Legal repercussions Example • Google Investigates Insider Threat After China Hack (eWeek) • “Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists” Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 11. Interception or Hijacking of Traffic Description • Intercept and/or redirect traffic destined for the clients or cloud • Steal credentials to eavesdrop or manipulate account information / services Impact • Confidentiality and integrity of data • Damage to reputation • Consequences (legal) from malicious use of resources Example • Twitter DNS account compromise • Zeus botnet C&Cs on compromised Amazon EC2 accounts Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 12. Insecure APIs Description • APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack Impact • Data confidentiality and integrity • Denial of service Example • P0wning the Programmable Web (Websense – AusCERT 2009_ • 80% of tested applications not using available security in APIs (e.g. unencrypted traffic and basic authentication) • Demonstrated CSRF, MITM and data leakage attacks Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 13. Nefarious Use of Service Description • Attackers are drawn to the cloud for the same reasons as legitimate consumers – access to massive proceesing power at a low cost Impact • Password cracking, DDoS, malware hosting, spam, C&C servers, CAPTCHA cracking, etc. Example • Current search of MalwareDomainList.com for „amazonaws.com‟ returns 21 results • “In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws” – ScanSafe blog • Amazon's EC2 Having Problems With Spam and Malware - Slashdot Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 14. Unknown Risk Profile Description • A lack of visibility into security controls could leave cloud consumers exposed to unnecessary risk. Impact • Significant data breaches could occur, possibly without the knowledge of the cloud consumer. Example • Heartland Payment Systems was “willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data [had] been stolen.” http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 15. Survey Results Top Ranked Threats RANK THREAT PERCENT 1) Data Loss/Leakage 28.8% 2) Abuse and Nefarious use of Cloud 17.8% Computing 3) Insecure API‟s 15.1% 4) Malicious Insiders 11.0% 5) Account/Service and Traffic Hijacking 9.6% 6) Unknown Risk Profile 9.6% 7) Shared Technology Vulnerabilities 8.2% Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 16. Status Revisions • Top threats list will be updated 2x per year Process • Recommended changes will be solicited from CSA participants • Panel of judges will be established with representation from the security community, solution providers and cloud consumers • Recommendations will be summarized and solicited to judges for review • Judges will vote on any recommended changes • Contact project team to recommend judges Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 17. CSA Guidance Domains Cloud Architecture Governance and Enterprise Risk Management Governing the Legal and Electronic Discovery Cloud • Popular best practices Compliance and Audit Information Lifecycle Management for securing cloud Portability and Interoperability computing Security, Bus. Cont,, and Disaster Recovery Operating in the Cloud Data Center Operations • 13 Domains of concern – Incident Response, Notification, Remediation governing & operating Application Security Encryption and Key Management groupings Identity and Access Management Virtualization Guidance > 100k downloads: cloudsecurityalliance.org/guidance Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 18. Summary • Cloud Computing is real and transformational • Challenges for People, Process, Technology, Organizations and Countries • Broad governance approach needed • Tactical fixes needed • Combination of updating existing best practices and creating completely new best practices • Common sense not optional Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 19. Contact • Help us secure cloud computing • www.cloudsecurityalliance.org • info@cloudsecurityalliance.org • LinkedIn: www.linkedin.com/groups?gid=1864210 • Twitter: @cloudsa Copyright © 2010 Cloud Security Alliance www.cloudsecurityalliance.org
  • 20. Thank you! www.cloudsecurityalliance.org