Cloud security is a must for any IaaS, PaaS, SaaS or CaaS initiative. This presentation aims to simplify the concept of cloud security with clear steps to achieve it. It also summarizes the controls required to implement cloud security.
4. Essential Characteristics
On‐Demand
Lowered requirement to forecast; demand trends are predicted by the provider
Usage‐metered
Pay by real‐time use
Self‐service from a pool of resources
Resources managed by the consumer with a GUI or API
Elastic Scalability
Grow or shrink resources as required
Ubiquitous Network
The network is essential to use the service
5. Beyond basic..
Modes of Deployment
Deployment models: Public cloud, Hybrid cloud, Private cloud, Community cloud
Service types:
IaaS: Compute, Storage, Network, Datacentre
PaaS: Runtime, Development tools, Middleware, Database, Java Runtime
SaaS: Web 2.0 Applications, Collaboration, ERP / CRM, Business Processes, Enterprise Applications
7. Lots of noise on.... Cloud Security?
...how do we simplify it?
http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/
8. It is the same as current InfoSec practice
You have to take the same approach as the current ISMS
http://www.flickr.com/photos/pheckaboolala/341063811
9. Cloud Security
• What is it?
– Protection of your information in the cloud
• Why is it critical?
– Your information is at a central, unknown place in the cloud
– No visibility of the security measures in a public cloud
• Impact of a breach on the business?
– Lack of compliance
– Legal issues
– Breach of privacy
http://www.flickr.com/photos/nigeljohnson73/6788941421
10. Threats in XaaS Models
• SaaS
– Built‐in security functionality
– Least consumer extensibility
– Relatively high level of integrated security
• PaaS
– Enables developers to build their own applications on top of the platform
– More extensible than SaaS, at the expense of customer‐ready features
– Built‐in capabilities are less complete, but there is more flexibility to layer on additional security
• IaaS
– Few application‐like features
– Enormous extensibility
– Less integrated security capabilities and functionality beyond protecting the infrastructure itself
– Assets to be managed and secured by the cloud consumer
12. Security Framework
1. Identify the assets to cloudify: a) data assets on the cloud, b) applications on the cloud
2. Assess the impact on the business of transferring the asset to the cloud, in case of a breach
3. Map the asset to potential deployment models
4. Evaluate the controls in each of the IaaS/PaaS/SaaS layers, depending upon the asset
5. Evaluate the dataflow, to understand how the data moves
14. 3 Dimensions of cloud security
Business Criticality
IT Assets in cloud
Risk Assessment
For achieving robust and practical security, consider all 3 perspectives
15. Types of Controls
Governance (Strategic)
• Risk Management
• Legal & Electronic Discovery
• Compliance/ Audit
• Information Lifecycle Management
• Portability and Interoperability
Operational (Tactical)
• BCP/ DR
• Data centre Operations
• Incident Management
• Application security
• Encryption
• Identity & Access Management
• Virtualization
16. Implement Controls
• Possible controls – Layered security
– facilities (physical security)
– network infrastructure (network security)
– IT systems (system security)
– information and applications (application security)
• IaaS Cloud provider:
– addresses security controls such as physical security, environmental security, and virtualization security; everything above the hypervisor is the consumer's to secure
• SaaS
– addresses controls up to the application layer; the consumer still owns data classification, access decisions and compliance
http://www.flickr.com/photos/telstar/2816038167
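The following Python script is an added example, not code from the presentation or its author. It makes the shared‐responsibility split from slides 10 and 16 and the five framework steps from slide 12 concrete: an asset inventory with criticality and target service/deployment model is checked against an assumed responsibility matrix (which layers of the slide‐16 stack the provider covers in IaaS, PaaS and SaaS, with the data layer always left to the consumer), and the script reports the consumer‐owned controls still missing per asset and ranks the assets by breach impact. The matrix, the layer‐to‐control mapping and the sample inventory are assumptions constructed for this example.

```python
"""Shared-responsibility gap check for assets moving to the cloud.

Added example, not from the original deck. It encodes the layered model from
slide 16 (facilities, network, IT systems, information and applications) and
the provider/consumer split from slides 10 and 16 as an ASSUMED responsibility
matrix, then runs the slide-12 steps: identify assets, assess breach impact,
map each asset to a service/deployment model, list the controls the consumer
still has to implement.
"""
from dataclasses import dataclass, field

# Security layers, bottom-up, following slide 16; "data" is split out of
# "information and applications" because it stays with the consumer in every
# model (assumption of this example).
LAYERS = ("facilities", "network", "systems", "applications", "data")

# Assumed matrix: which layers the PROVIDER secures in each service model.
# Slide 16: an IaaS provider covers physical, environmental and virtualization
# security; a SaaS provider covers up to the application layer.
PROVIDER_LAYERS = {
    "IaaS": {"facilities", "network"},
    "PaaS": {"facilities", "network", "systems"},
    "SaaS": {"facilities", "network", "systems", "applications"},
}

# Operational controls (slide 15) the consumer must evidence for each layer it
# owns. The assignment of controls to layers is an assumption of this example.
LAYER_CONTROLS = {
    "facilities": {"physical security", "environmental security"},
    "network": {"network segmentation", "traffic encryption"},
    "systems": {"patch management", "virtualization hardening", "logging"},
    "applications": {"application security testing", "identity & access management"},
    "data": {"data classification", "encryption at rest", "key management", "backup/DR"},
}


@dataclass
class Asset:
    name: str
    kind: str              # "data" or "application" (slide 12, step 1)
    criticality: int       # 1 (low) .. 5 (high): business impact of a breach (step 2)
    service_model: str     # "IaaS" / "PaaS" / "SaaS" (step 3)
    deployment: str        # "public" / "private" / "hybrid" / "community" (step 3)
    implemented: set = field(default_factory=set)  # controls already in place (step 4)


def consumer_layers(service_model):
    """Layers the consumer remains responsible for under the given service model."""
    return [layer for layer in LAYERS if layer not in PROVIDER_LAYERS[service_model]]


def required_controls(service_model):
    """Union of the controls for every consumer-owned layer."""
    required = set()
    for layer in consumer_layers(service_model):
        required |= LAYER_CONTROLS[layer]
    return required


def assess(asset):
    """Return (gaps, risk_score, flags) for one asset.

    risk_score = criticality x number of missing consumer-owned controls, so a
    high-criticality asset with the same gaps ranks above a low-criticality one.
    """
    gaps = sorted(required_controls(asset.service_model) - asset.implemented)
    flags = []
    # Slide 9: no visibility of the provider's measures in a public cloud.
    if asset.deployment == "public" and asset.criticality >= 4:
        flags.append("high-criticality asset in public cloud: no visibility of provider controls")
    # A data asset placed in the cloud without consumer-side encryption.
    if asset.kind == "data" and "encryption at rest" in gaps:
        flags.append("data asset leaves the organisation unencrypted")
    return gaps, asset.criticality * len(gaps), flags


def prioritise(assets):
    """Rank assets by risk score, highest first (steps 2 and 4 combined)."""
    return sorted(assets, key=lambda a: assess(a)[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample inventory (not real data).
    inventory = [
        Asset("customer PII export", "data", 5, "SaaS", "public",
              {"data classification", "backup/DR"}),
        Asset("internal wiki", "application", 2, "IaaS", "private"),
    ]
    for asset in prioritise(inventory):
        gaps, score, flags = assess(asset)
        print(f"{asset.name} [{asset.service_model}/{asset.deployment}] score={score}")
        print("  consumer layers:", ", ".join(consumer_layers(asset.service_model)))
        print("  missing controls:", ", ".join(gaps) or "none")
        for flag in flags:
            print("  !", flag)
```

The point the output makes is the one from slide 10: the higher the service model, the fewer layers the consumer secures, but the data layer never moves to the provider, so a SaaS tenant with unencrypted PII can still out‐rank an IaaS host with many more missing controls once criticality is taken into account. The scoring is deliberately simple; replace it with the organisation's own risk‐assessment scale when using this shape for real.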
17. Summary
• Consider three perspectives: Assets, Risk management and Business criticality
• Cloud as an operational model neither provides for nor prevents achieving compliance
• Selection of controls depends on the service and deployment model
• Controls vary depending on the design, deployment, and management of the resources
• Most security controls in the cloud are the same as in a normal IT environment
http://www.flickr.com/photos/isadocafe/2095153000/
18. Sameer Paradia – CGEIT, CISM, CISSP
(sameer_m_paradia@yahoo.com)
Practicing IT Security for 12+ years out of 20+ years of IT Services/ Outsourcing work experience.
http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/