Cloud Computing - understanding security risk and management
The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals: its essential characteristics, service models and deployment options. It also throws light on the Security and Risk Management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.
Author – Shamsundar Machale (CISSP)
Fig.1 NIST Visual Model of Cloud Computing Definition
What is the definition of Cloud Computing?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The above NIST definition defines in what way you can deploy a cloud, what service offerings you can make available and what the essential characteristics of a cloud are. Fig. 1 represents the visual model of the NIST cloud computing definition. Let's take a deeper look into the definition.
Any cloud should demonstrate certain essential characteristics to deliver the full benefit of cloud computing; any missing essential characteristic means you will not get 100% of that benefit.
Whatever is not your core business, outsource it. Maintaining capex-heavy IT infrastructure is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).
Multi-tenancy is the fundamental behind resource pooling, but keep in mind that resource pooling is not limited to your servers and storage; it extends to network connectivity, physical security, administration of the cloud services and, last but not least, the facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This greatly benefits the Cloud Consumer (CC), who avoids direct capital investment and pays per use: only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling becomes a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as guest hopping (compromising a virtual machine and attacking another tenant's VM on the same host) or side-channel attacks that capture cryptographic keys from a co-located tenant. The CC should therefore ask the CSP how tenants are isolated at the hypervisor, network and storage layers, since an isolation failure affects every tenant on the shared hardware.
The second essential characteristic is on-demand self-service. The CC should be able to provision and de-provision computing resources by themselves with minimal administrative involvement from the CSP; the lead time for provisioning and de-provisioning should be reduced significantly.
Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, charged under a pay-per-use policy. There should be no lock-in on the CSP side when the CC reduces the level of resources required.
With the trend of BYOD and consumerization, people want to access applications independent of location and end device (broad network access), which essentially means there should be no restriction on where you work (office, home or cafe) or on how you access it (desktop, laptop, smartphone or tablet).
Lastly, measured service: the CC should be able to measure the services offered by the CSP against the SLA.
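The side-channel risk raised above under resource pooling is easiest to see on the simplest such channel: a verifier whose running time depends on how much of the attacker's guess is correct. The following Python is an added example and is not code from the paper or from any cloud provider. It is a toy: the secret is a constructed 4-byte value (real MAC tags are 16 to 32 bytes), and the victim reports how many bytes it compared, which stands in for the elapsed time an attacker would measure. Cross-VM cache attacks use a different physical channel but the same byte-at-a-time recovery structure, so the example also shows why a constant-time comparison defeats this class of leak.

```python
"""Byte-at-a-time secret recovery through a timing-style side channel.

Toy model (added example, not from the paper): a naive MAC check exits at the
first mismatching byte, so its work (a stand-in for elapsed time) reveals how
many leading bytes of the guess were right. An attacker needs 256 * len(secret)
queries instead of 256 ** len(secret). hmac.compare_digest removes the leak.
"""
import hmac


def naive_verify(secret: bytes, guess: bytes):
    """Early-exit comparison typical of hand-written checks.
    Returns (match, bytes_examined); bytes_examined models elapsed time."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_verify(secret: bytes, guess: bytes):
    """Examines every byte regardless of where the first mismatch is, so the
    observable work no longer depends on the guess."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(oracle, length: int) -> bytes:
    """Recover the secret one byte at a time using only the oracle's output.
    For each position, try all 256 candidates and keep the one that makes the
    oracle work hardest, or that matches outright at the final position."""
    known = b""
    for pos in range(length):
        best = None  # (match, work, candidate_byte)
        for b in range(256):
            # Unknown tail is padded with zero bytes (constructed filler).
            guess = known + bytes([b]) + bytes(length - pos - 1)
            match, work = oracle(guess)
            if best is None or (match, work) > best[:2]:
                best = (match, work, b)
        known += bytes([best[2]])
    return known


def attack(secret: bytes, verify):
    """Run the recovery against a verifier; returns (recovered, query_count)."""
    queries = [0]

    def oracle(guess: bytes):
        queries[0] += 1
        return verify(secret, guess)

    return recover_secret(oracle, len(secret)), queries[0]


if __name__ == "__main__":
    secret = bytes.fromhex("7a3c01e9")  # constructed toy secret
    got, q = attack(secret, naive_verify)
    print(f"naive verifier:         recovered {got.hex()} in {q} queries "
          f"(blind brute force: up to {256 ** len(secret)})")
    got, q = attack(secret, constant_time_verify)
    print(f"constant-time verifier: recovered {got.hex()} (wrong) in {q} queries")
```

Against the naive verifier the 4-byte secret falls in 1024 queries; against the constant-time verifier the same procedure learns nothing and returns an all-zero guess. In a real deployment the "work" signal is noisy timing or cache behaviour and needs many repeated measurements per candidate, which is exactly why the CC should insist on both application-level fixes (constant-time comparisons, key material kept out of shared caches where possible) and CSP-level tenant isolation.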
Let's take a look at the service offering models; there are typically three kinds, as below.
IaaS (Infrastructure as a Service) – Here you get only infrastructure such as compute and storage. This is nothing but a plain virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc. The CC remains responsible for everything from the guest operating system upwards: patching, hardening, identities and data.
PaaS (Platform as a Service) – Here you expect a little more from the CSP to help in developing applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force.com and Google App Engine.
SaaS (Software as a Service) – This is the full application package; the CC just uses it without worrying about how and where it is running or who is managing the show. It is a pure service, such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.
As you move from IaaS to SaaS the CC loses control over the services while the CSP gains it, as depicted in the figure below. Security responsibility shifts the same way: the more the CSP controls, the more the CC must rely on contractual assurance and attestations rather than on controls it operates itself.
Fig.2 Control shifts from CC to CSP as you move from IaaS to SaaS
Now we will look at the third tier of the cloud computing definition, the deployment options. As seen in the visual model above, there are four ways in which cloud services can be deployed.
Public Cloud – Available publicly; multiple customers avail of the same services with different SLA commitments.
Private Cloud – Built specifically for a single customer and available only to that customer.
Community Cloud – Services offered to a set of customers that form a community, such as cloud services for power generation companies or for the manufacturing industry.
Hybrid Cloud – A combination of any of the above.
The table below provides more information about the deployment models.
Fig.3 Deployment models
What is Security for Cloud Computing?
As per CSA, security controls in cloud computing are, for the most part, no different from security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense-in-depth approach to security in cloud computing. The focus of defense in depth is always data at the center, with different types of controls (administrative, technical and physical) wrapped around the data. For example, physical security has the same importance in a cloud-based data center as in a traditional one; the difference is that in the cloud the CC can only verify it through the CSP's attestations.
As mentioned above, security of cloud services is a joint responsibility of the CC and the CSP, and how it is split depends on the service offering.
As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.
Fig.4 CSA Trusted Cloud security reference architecture
This block covers the domains below.
Governance, Risk and Compliance – How are you going to manage governance, risk, audit, vendors, policy and awareness around CSP support staff?
InfoSec Management – Capability management, risk portfolio, risk dashboard and residual risk management.
Privilege Management Infrastructure – This focuses on how effectively you manage identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?
Threat and Vulnerability Management – How do you keep the environment free of known vulnerabilities and up to date with the latest patches, and give the CC assurance through compliance testing?
Infrastructure Protection Services – How do you protect your applications, the operating systems on your servers, databases, network and endpoints, and what technical controls are put around them? Do you have a perimeter firewall at the network level? Are servers locked down as per hardening guidelines? Are anti-virus and HIPS/HIDS installed on the endpoints, logging and monitoring enabled, and application-level firewall and web content filtering in place?
Data Protection – How well are you managing the data lifecycle, what controls are in place to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management (key generation, storage and rotation, and whether the CC or the CSP holds the keys)?
Policies and Standards – Have you defined information security policies and guidelines based on industry standards such as ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset/data classification guidelines defined and practised within the team?
CSA has defined the Cloud Controls Matrix (CCM), which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version at the time of writing is CCM v3.0.1, which has 133 controls divided into 16 domains of CSA cloud security.
Fig.5 CCM v3.0.1 domains
Risk management is one of the important aspects of cloud computing. There is no different strategy for managing risk in the cloud: you follow the conventional approach of performing a risk assessment based on a chosen framework and then treating each risk by mitigating it with controls, transferring it, avoiding it or accepting it. What changes in the cloud is that many of the mitigating controls are operated by the CSP, so a decision to transfer or accept a risk must be backed by contract and evidence rather than assumed. As per ENISA's "Cloud Computing: Benefits, risks and recommendations for information security, Rev. B 2012", cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks" and "Legal Risks".
The figure below represents the top-rated risks identified by ENISA, ranked by probability and impact.
Fig.6 ENISA top security risks to cloud computing
If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find that certain risks/threats are common to both documents, such as Malicious Insiders / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.
Fig.7 – Notorious Nine Threats to Cloud Computing
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Security Certifications and Attestations – A CSP can provide assurance to the CC of its current compliance level with respect to different standards, legal and regulatory requirements through security certifications and attestations.
The figure below lists the security certifications obtained by different CSPs. This is just a reference; the CC is kindly requested to obtain the list of current certifications during evaluation of a CSP, and to check the scope of each one (which services and locations it covers) and the date it was issued.
Fig.8 – Security Certifications and Attestations
Conclusion – Cloud computing is a double-edged sword that provides a good amount of benefit, but only if implemented properly, considering all security, governance, privacy and legal requirements. Risk assessment and due diligence are the key for cloud consumers to turn their case into a success story.
References –
CSA, "Trusted Cloud Reference Architecture version 2.0"
CSA, "Cloud Controls Matrix, CCM v3.0.1"
CSA, "The Notorious Nine – Cloud Computing Top Threats in 2013"
ENISA, "Cloud Computing: Benefits, risks and recommendations for information security, Rev. B 2012"
Forrester, "The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014"
END OF DOCUMENT

Mais conteúdo relacionado

Mais procurados

Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)
Brian K. Dickard
 
8 secure distributed data storage in cloud computing
8 secure distributed data storage in cloud computing8 secure distributed data storage in cloud computing
8 secure distributed data storage in cloud computing
Majid Hajibaba
 
Cloud architecture
Cloud architectureCloud architecture
Cloud architecture
Adeel Javaid
 

Mais procurados (20)

Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)
 
Cloud services
Cloud servicesCloud services
Cloud services
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
8 secure distributed data storage in cloud computing
8 secure distributed data storage in cloud computing8 secure distributed data storage in cloud computing
8 secure distributed data storage in cloud computing
 
Public cloud
Public cloudPublic cloud
Public cloud
 
Unit 2 -Cloud Computing Architecture
Unit 2 -Cloud Computing ArchitectureUnit 2 -Cloud Computing Architecture
Unit 2 -Cloud Computing Architecture
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud architecture
Cloud architectureCloud architecture
Cloud architecture
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud security
Cloud securityCloud security
Cloud security
 
INTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTINGINTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTING
 
Cloud computing and data security
Cloud computing and data securityCloud computing and data security
Cloud computing and data security
 

Destaque

Cloud Computing Powerpoint
Cloud Computing PowerpointCloud Computing Powerpoint
Cloud Computing Powerpoint
thomaslipkin
 
Chapter 05 Digital Safety and Security
Chapter 05 Digital Safety and SecurityChapter 05 Digital Safety and Security
Chapter 05 Digital Safety and Security
xtin101
 
3.2.1 computer security risks
3.2.1 computer security risks3.2.1 computer security risks
3.2.1 computer security risks
hazirma
 
Cloud computing presentation
Cloud computing   presentationCloud computing   presentation
Cloud computing presentation
William Mann
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
Prince Chandu
 

Destaque (12)

Cloud computing Risk management
Cloud computing Risk management  Cloud computing Risk management
Cloud computing Risk management
 
Cloud Computing Powerpoint
Cloud Computing PowerpointCloud Computing Powerpoint
Cloud Computing Powerpoint
 
CIO Cloud Security Checklist
CIO Cloud Security ChecklistCIO Cloud Security Checklist
CIO Cloud Security Checklist
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)
 
Chapter 05 Digital Safety and Security
Chapter 05 Digital Safety and SecurityChapter 05 Digital Safety and Security
Chapter 05 Digital Safety and Security
 
Cloud security
Cloud security Cloud security
Cloud security
 
3.2.1 computer security risks
3.2.1 computer security risks3.2.1 computer security risks
3.2.1 computer security risks
 
Cloud computing presentation
Cloud computing   presentationCloud computing   presentation
Cloud computing presentation
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Semelhante a Cloud computing understanding security risk and management

A Survey on Cloud Computing Security – Challenges and Trust Issues
A Survey on Cloud Computing Security – Challenges and Trust IssuesA Survey on Cloud Computing Security – Challenges and Trust Issues
A Survey on Cloud Computing Security – Challenges and Trust Issues
IJCSIS Research Publications
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” report
Vivek Maurya
 
Security in cloud computing kashyap kunal
Security in cloud computing  kashyap kunalSecurity in cloud computing  kashyap kunal
Security in cloud computing kashyap kunal
Kashyap Kunal
 
A Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and ConsequencesA Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and Consequences
Associate Professor in VSB Coimbatore
 
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEYSECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
Editor Jacotech
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
David Spinks
 

Semelhante a Cloud computing understanding security risk and management (20)

Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Cloud notes 1
Cloud notes 1Cloud notes 1
Cloud notes 1
 
Data Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud EnvironmentData Security Model Enhancement In Cloud Environment
Data Security Model Enhancement In Cloud Environment
 
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Fault Tolerance in AWS Distributed Cloud Computing
Fault Tolerance in AWS Distributed Cloud ComputingFault Tolerance in AWS Distributed Cloud Computing
Fault Tolerance in AWS Distributed Cloud Computing
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
 
A Survey on Cloud Computing Security – Challenges and Trust Issues
A Survey on Cloud Computing Security – Challenges and Trust IssuesA Survey on Cloud Computing Security – Challenges and Trust Issues
A Survey on Cloud Computing Security – Challenges and Trust Issues
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” report
 
Requirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications  and ServicesRequirements and Challenges for Securing Cloud Applications  and Services
Requirements and Challenges for Securing Cloud Applications and Services
 
Cloud_computing Notes.docx
Cloud_computing Notes.docxCloud_computing Notes.docx
Cloud_computing Notes.docx
 
Security in cloud computing kashyap kunal
Security in cloud computing  kashyap kunalSecurity in cloud computing  kashyap kunal
Security in cloud computing kashyap kunal
 
Cc unit 3 updated version
Cc unit 3 updated versionCc unit 3 updated version
Cc unit 3 updated version
 
A Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and ConsequencesA Survey of Cloud Computing Security Issues and Consequences
A Survey of Cloud Computing Security Issues and Consequences
 
1376843836 94879193
1376843836  948791931376843836  94879193
1376843836 94879193
 
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEYSECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
SECURITY CONCERN ON CLOUD BASED ON ATTRIBUTES: AN SURVEY
 
1376843836 94879193
1376843836  948791931376843836  94879193
1376843836 94879193
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Último (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Cloud computing understanding security risk and management

  • 1. Cloud Computing - understanding security risk and management The aim of this paper is to make cloud service consumer aware about cloud computing fundamentals, its essential services, service models and deployment options. This also through light on security and risk management piece of CSA trusted cloud reference architecture, cloud control matrix and notorious nine threats and ENISAs top risks to cloud computing. At the end it talks about certifications and attestation part. Author – Shamsundar Machale (CISSP)
  • 2. Fig.1 NIST Visual Model of Cloud Computing Definition Any cloud should demonstrate the certain essential characteristics to get full benefits of cloud. Any missing essential characteristic would not give you 100% benefit from cloud computing. Whatever is not your core, outsource it. Similarly maintaining capex IT infrastructure, information is not your core so outsource it to some specialized agency i.e. Cloud Service Provider (CSP) Multi-tenancy is the fundamental used in resource pooling but keep in mind that resource pooling is not limited to your server and storage, it is extended to network connectivity, physical security, administration of cloud services and last but not least is your facility space. CSP uses the same infrastructure to provide services to multiple clients from same or different geographies. This provides great benefit to Cloud consumer (CC) by not having direct capital investment and pay per use model of cloud. Only required amount of compute, storage etc. are provisioned and no extra investment is done by CC. At the same time resource pooling might become huge risk if attacker uses shared pooled resource to steal sensitive information processed by CC. this is possible through attacks such as guest hopping attack or side channel attack to capture cryptographic keys. Second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing What is definition of Cloud Computing? Cloud computing is model for enabling continent, on-demand network access to a shared pool of configuration computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management efforts or services provider interaction The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what are the essential characteristics of cloud Fig. 
1 represents the visual model of above NIST cloud computing definition. Let’s take a deeper look into the definition.
  • 3. resources by themselves with minimum administrative involvement from CSP. The lead time required doing the provisioning and de-provisioning should be reduced significantly. Rapid elasticity means CC should be able to do expansion and contraction of services as per their requirements with immediate effect and it will be charged on pay per usages policy. There should not be any locking CSP side while reducing the required level of resources. As there is trend of BYOD and consumerization, people want to access applications locations and end device independent which essentially means there should not be any restriction on your work location, it can be work from office, home or cafe and how do you access it, is it through your desktop, laptop, smartphone or tablet. Lastly CC should be able to measure services offered by CSP through SLA. Let’s take a look at service offering models; there are typically three kind of service offering models as below IaaS (Infrastructure as a Service) – Here you will get only infrastructure like compute and storage. This is nothing but plain vanilla virtual machine with operating system e.g. Amazon EC2 and S3, Rackspace etc. PaaS (Platform as a Service) – Here you expect little bit more from CP which will help in development of applications on provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force and Google App engine. SaaS (Software as a Service) – this is full package of application, CC has to just use it and don’t worry how and where it is running, who is managing the show? It is pure service such as online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc. As you move from IaaS to SaaS CC loses control on the services whereas CSP gains more control which is depicted in below figure. Fig-2
  • 4. Now we will look at third tier of cloud computing definition which is nothing but deployment options. As you seen in the above visual model there are four ways in which cloud services can be deployed. Public Cloud – Available publicly, multiple customers can avail same services with different SLA commitments Private Cloud – Build specifically for single customer and available to only one customer Community Cloud – Services can be offered to same of customers which are forming community such as cloud services for power generation companies, cloud services for manufacturing industry etc. Hybrid Cloud – Combination of any of the above Below table provides more information about the deployment models Fig.3
As mentioned above, security of cloud services is a joint responsibility of the CC and the CSP, and the split purely depends on the service offering. As per CSA’s “Trusted Cloud Reference Architecture version 2.0”, Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.

Fig.4 CSA Trusted cloud security reference architecture

This block basically talks about the domains below.

Governance, Risk and Compliance – How are you going to manage governance, risk, audit, vendors, policy and awareness around CSP support staff?

InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.

Privilege Management Infrastructure – This purely focuses on how effectively you manage identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?

Threat and Vulnerability Management – How do you keep the environment vulnerability free and up to date with the latest patches, and give assurance on compliance testing to the CC?

What is Security for Cloud Computing? As per CSA, security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing.

The focus of the defense in depth approach is always the data at the center, and different types of controls, such as Administrative, Technical and Physical, are wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud based data center.
Infrastructure Protection Services – How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have anti-virus and HIPS / HIDS installed at the end points, is logging and monitoring enabled, and do you have an application level firewall and web content filtering?

Data Protection – How well are you managing the data lifecycle, what controls are placed to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?

Policies and Standards – Have you defined information security policies and guidelines based on different industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?

CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1. As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security.

Fig.5 CCMv3.0.2 Domains

Risk Management is one of the important aspects of cloud computing. There is no different strategy for management of risk in the cloud. You have to follow the conventional approach of performing the risk assessment based on a certain framework and managing these risks either through mitigation by use of certain controls, or by transferring, avoiding or accepting the risk.
As per ENISA’s “Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012” document, cloud risks are classified into three categories: “Policy and Organizational Risks”, “Technical Risks”, and “Legal Risks”.
The figure below represents the top rated risks identified by ENISA based on the probability and impact of the risk.

Fig.6 ENISA top security risks to cloud computing

If you refer to the table below, which lists “The Notorious Nine – Cloud Computing Top Threats in 2013”, you will find that certain risks / threats are common to both documents, such as Malicious Insider / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.

Fig.7 – Notorious Nine Threats to Cloud Computing
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
Security Certification and Attestations – A CSP can provide assurance to the CC on its current compliance level with respect to different standards, legal and regulatory requirements through certain security certifications and attestations. The figure below provides the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of a CSP.

Fig.8 – Security Certifications and Attestations

Conclusion – Cloud computing is a double edged sword which provides a good amount of benefits, but only if implemented properly considering all security, governance, privacy and legal requirements. Risk assessment and due diligence would be the key for cloud consumers to make their case a success story.
References –
“CSA Trusted cloud Reference Architecture version 2.0”
“CSA Cloud Controls Matrix, CCM v3.0.1”
“The Notorious Nine – Cloud Computing Top Threats in 2013”
ENISA’s “Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012”
The Forrester Wave™: Public Cloud Platform Service Providers’ Security, Q4 2014

END OF DOCUMENT