This document summarizes a presentation on cybersecurity in the cloud. The presentation covered cloud computing definitions and models including SaaS, PaaS, IaaS, and public, private and hybrid clouds. It discussed major cloud vendors like Amazon Web Services, Microsoft Azure, and OpenStack. The presentation addressed security issues in the cloud like outages, data breaches, and regulatory compliance. It emphasized the importance of service level agreements, testing disaster recovery plans, and monitoring metrics when adopting cloud services.

1. VCU Cybersecurity Fair Security in the Cloud Presented By: Bryan Miller

2. Speaker Introduction What is the “Cloud” SaaS, PaaS, IaaS Public, Private and Hybrid Clouds Vendor Offerings Security Issues Wrap-Up 10/4/2011 Security in the Cloud 1 Agenda

3. B.S. Information Systems – VCU M.S. Computer Science – VCU President, Syrinx Technologies, 2007 Member of ISSA, HIMSS, InfraGard, ILTA Adjunct Faculty Member in Information Systems and Computer Science @ VCU, FTEMS lecturer CISSP, former Cisco CCIE in R/S Published author Over 25 years in the industry 10/4/2011 Security in the Cloud 2 Speaker Introduction

4. Convenient, on-demand network access to a shared pool of configurable resources: Networks Servers Storage Applications Services Rapid and minimal management effort or service provider interaction (based on NIST) 10/4/2011 Security in the Cloud 3 What is the “Cloud”?

5. NIST SP 800-145 definition: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” 10/4/2011 Security in the Cloud 4 The NIST Standard for Cloud Computing

6. IDC – 2008 Security was the factor most likely to discourage the use of cloud computing? 72% of small (<100 employees) businesses 63% of mid-sized (100-199 employees) businesses IDC – 2011 50% of small businesses 47% of mid-sized businesses 10/4/2011 Security in the Cloud 5 First, Some Statistics

7. By 2014, the conservative estimate is that the “cloud business” will be approximately $100 billion dollars. By 2012, approximately 20% of businesses will not own any IT resources. 10/4/2011 Security in the Cloud 6

8. 10/4/2011 Security in the Cloud 7

9. 10/4/2011 Security in the Cloud 8

11. Salesforce.com

12. Office 36510/4/2011 Security in the Cloud 9 Software as a Service (SaaS)

14. Google Apps Engine

15. Microsoft Azure

16. Force.com10/4/2011 Security in the Cloud 10 Platform as a Service (PaaS)

18. Amazon Web Services (AWS)

19. OpenStack

20. Dell10/4/2011 Security in the Cloud 11 Infrastructure as a Service (IaaS)

21. Public Shared resources, usually multi-tenant Off-premise Private Resources dedicated to client On-premise or off-premise Hybrid Combination of on-premise and cloud-based services Growing in popularity as companies slowly transition applications 10/4/2011 Security in the Cloud 12 Public vs. Private vs. Hybrid Cloud Models

22. Amazon Web Services EC2 - IaaS Data centers (Regions) Virginia Northern California Ireland Singapore Tokyo Within each region, services are divided into Availability Zones AWS GovCloud – Accessible by US only, allows government agencies to store data Currently used by NASA 10/4/2011 Security in the Cloud 13 Vendor Offerings

23. Microsoft Azure – PaaS Windows Azure – OS providing scalable compute and storage facilities Windows SQL Azure – Cloud-based, scalable version of SQL Server OpenStack - IaaS Open source software Over 100 partner companies Rackspace Dell Citrix Cisco 10/4/2011 Security in the Cloud 14

24. Dell – IaaS Built on VMware technology (vCloud family of products) Adding support for Azure and OpenStack 3 models: Pay as you go Reserved Dedicated Apple iCloud - SaaS Stores music, photos, applications, calendars, documents 5 GB of free storage 10/4/2011 Security in the Cloud 15

25. Take into account the following: Response times Data corruption Service degradation/outage Data breach Backup/Restore issues What happens if the company closes or is sold Regulatory issues HIPAA – do you have a BA agreement in place? PCI – are you sure your provider is compliant? 10/4/2011 Security in the Cloud 16 What about SLAs?

26. Bloomberg News reported that hackers used AWS’s EC2 to launch an attack against Sony’s PlayStation Network. The attack reportedly compromised the personal accounts of more than 100 million Sony customers. Prices for EC2 range from 3 cents to $2.48 an hour for users on the East coast of the U.S. Dual GPU setups are currently priced at $2.10/hr. Network World magazine reported that Exploits as a Service (EaaS) is becoming a profitable business. 10/4/2011 Security in the Cloud 17 Security Issues

27. Definition: The point at which cloud computing causes a catastrophic failure. Intellectual property is the lifeblood of an organization. IP can get lost in the shuffle of VM sprawl, data sprawl, technology sprawl or the speed at which business is performed. How can things go wrong? A salesperson mails himself a report to Gmail for home access. A customer service team uses Dropbox1 to transfer client files. A PM is frustrated by IT policies and stands up a free server in the Amazon EC2 cloud 1 June 2011: Passwords optional for 4 hours, approximately 100 accounts were affected 10/4/2011 Security in the Cloud 18 Cloudpocalypse

28. Amazon EC2 Outages July, 2008 Affected multiple Availability Zones Affected US and EU April, 2011 Affected Reddit, Foursquare, Quora Elastic Book Store went offline (provides mountable disk volumes to EC2) 3 days of outage for some users Why? During maintenance the data traffic was moved to a secondary, low-capacity network instead of the proper backup networks August, 2011 Why: Lightning strike in Dublin, Ireland Knocked European cloud services offline for 2 days Affected Netflix, Quora, Foursquare 10/4/2011 Security in the Cloud 19 When the Cloud Dissipates

29. Gmail Outages 2008: July 16 – “long outage” August 6 – up to 15 hours August 11 – 2 hours August 15 – up to 24 hours October 16 – 30 hours 2009: February 24 – 2 hours September 1 – 2 hours 2011: February 27 – several hours August 8 – several hours 10/4/2011 Security in the Cloud 20

30. Decide if the cloud is appropriate for the given business model Choose the vendor and precisely define the SLA Test thoroughly before moving into production Migrate slowly and carefully watch the metrics Make sure the users/clients are happy Routinely test the backup and restore process Don’t forget about DR and BCP 10/4/2011 Security in the Cloud 21 Wrap-Up