Dr. John D. Johnson presents on security and privacy surrounding cloud computing at the 2009 InfraGard conference in Springfield, IL.

1. Security
&
Privacy
Issues
in

2. The
Hype
“The interesting thing about cloud
computing is that we’ve redefined cloud
computing to include everything that we
already do. I can’t think of anything that
isn’t cloud computing with all of these
announcements. The computer industry
is the only industry that is more fashion-
driven than women’s fashion. Maybe I’m
an idiot, but I have no idea what anyone
is talking about. What is it? It’s complete
gibberish. It’s insane. When is this
idiocy going to stop?”
Larry Ellison, CEO, Oracle (WSJ 9/25/08)

3. Video

4. Closer
to
Earth
• Let’s
presume
that
Cloud
Compu>ng
is
real.
• What
is
it?
• Let’s
try
to
cut
through
the
hyperbole
and
define
Cloud
Compu>ng
and
see
what
it
has
to
offer
consumers
and
organiza>ons.

6. Example:
MicrosoK

7. Sor>ng
things
out…
U>lity
or
Infrastructure
PlaMorm
SoKware

8. Infrastructure
as
a
Service
• Amazon
sells
compu>ng
power
in
a
way
similar
to
how
we
get
electricity
from
the
power
company.
• Uses
a
pay-­‐as-­‐you-­‐go
model
for
offering
VM
instances,
compu>ng
power
and
storage
on
demand.

9. PlaMorm
as
a
Service
• One
step
above
the
u>lity,
you
find
the
PaaS
providers,
like
Google
App
Engine,
Salesforce’
force.com,
and
the
recently
announced
MicrosoK
Azure
plaMorm.
• Here
you
develop
apps
and
leverage
a
common
development
framework
and
plaMorm
for
delivery.

10. SoKware
as
a
Service
• SoKware
as
a
Service
(SaaS)
is
what
most
people
are
familiar
with.
This
is
where
many
of
the
common
Web
2.0
applica>ons
are,
like:
Flickr,
Gmail,
Google
Apps,
Facebook,
TwiZer....
• There
are
also
enterprise
applica>ons,
such
as
SAP,
Oracle,
MicrosoK
and
others
aZemp>ng
to
gain
market
share
here.

11. Terminology
• Let’s
face
it,
the
use
of
all
these
acronyms
can
get
confusing!
• SOA
and
SaaS
oKen
get
confused.
• The
u>lity
and
plaMorm
services
are
oKen
called
nothing
more
than
the
evolu>on
of
third-­‐party
hos>ng
services
that
companies
have
used
for
years.
• There
are
good
reasons
these
assump>ons
are
incorrect.

12. SOA
is
dead…?
“SOA met its demise on January 1, 2009, when it was
wiped out by the catastrophic impact of the economic
recession. SOA is survived by its offspring: mashups,
BPM, SaaS, Cloud Computing, and all other
architectural approaches that depend on “services.”
Manes’ real point, to quote her is that “we should not be
talking about an architectural concept that has no
universally accepted definition and an indefensible
value proposition. Instead we should be talking about
concrete things (like services) and concrete
architectural practices (like application portfolio
management) that deliver real value to the business.”
Anne Thomas Manes, Burton Group

13. Consumers
• Cloud
Compu>ng
is
a
new
name
for
things
consumers
are
already
doing.
• Consumers
are
>red
of
being
IT
techs.
• Consumers
want
to
DO
things
online,
and
have
the
Internet
cloud
I
don’t
care
be
as
what’s
up
there,
as
long
simple
as
as
it
WORKS!
Cable
TV.

14. The
Business
Case
• Cost
Savings
from
economies
of
scale
• Scalability
• Elas>city
• Reliability
• (and
in
some
cases,
they
enjoy
a
transfer
of
liability
by
outsourcing
services)

15. 2007
Source: www.cio.com/article/print/
109706

16. Source: www.cio.com/article/print/
109706

17. Where
does
it
make
sense?
• Start-­‐ups
• Apps
that
are
not
processing
key
data
• Apps
that
benefit
greatly
from
economies
of
scale,
and
that
require
high
availability
and
DRP
• Apps
that
need
periodic,
huge
capacity
or
CPU
processing

19. Where
does
it
not
make
sense?
• Key
apps
that
are
earning
your
bread
and
buZer
• Apps
that
touch
personal
data
or
process
high-­‐value/consumer
transac>ons
should
be
considered
carefully
• Most
cloud
compu>ng
works
well
for
highly
paralell,
but
not
serial
apps

20. On-­‐site
vs.
Off-­‐site
• PaaS
can
be
hosted
at
your
data
center,
outsourced,
or
hosted
in
a
hybrid
environment
like
this
example.
Source: cohesiveft.com/vpncubed

21. Concern
in
the
Cloud
• Security
• Control
• Performance
• Support
• Vendor
Lock-­‐In
• Speed
of
Scaling
• Configurability

22. Security
Concerns
• CIA
+
Privacy
• Can
you
extend
your
policies
to
the
cloud?
• Regulatory
compliance
• Managing
data
on
shared
systems
• Forensics
• Audi>ng
• Segrega>on
of
data
• Portability
&
Interoperability
• Reliability
&
Manageability

23. In
The
News
• Monster.com Breach May Preface
Targeted Attacks
• Salesforce.com Admits
Data Loss
• Millions of Gmail
Users Left in the
Lurch
• Gmail is down,
down, down

24. More…
• United
Airlines
Flight
Opera>ons
Computer
System
Failure
• San
Francisco
Power
Grid
Failure
• PayPal
Subscrip>on
Processing
Fails
• Skype
Down
for
Days
• LAX
TSA
Screening
System
Failure
• What
if
Google
were
to
disappear
for
a
few
days?
Or,
Facebook?
Yahoo?

25. Compliance
in
the
Cloud
• Let
me
just
list
some
common
U.S.
regula>ons
and
speak
to
them:
• PCI
• SOX
• HIPAA
• GLB
• California
Breach
Law
(SB1386)

26. Future
Trends
• The
Web
as
a
Par>cipatory
Worldwide
Communica>ons
Media
(Wikipedia,
Facebook,
YouTube…)
• The
Need
to
Use
Less
Energy
• Innova>on
Impera>ve
• Quest
for
Simplicity
• Structure
Out
of
Chaos
Source: www.cio.com/article/438371/
Cloud_Computing_Hype_Versus_Reality

27. Grinch
in
the
Cloud
• The
Grinch:
It
came
without
segrega>on.
It
came
without
recovery
goals.
It
came
without
adequate
physical,
logical,
or
personnel
access
controls.
It
could
have
been
high,
it
could
have
been
low,
I
just
have
no
clue
where
the
data
may
flow!
• Narrator:
Then
the
Grinch
thought
of
something
he
hadn't
before.
• The
Grinch:
Maybe
the
perfect
solu>on
doesn't
come
from
a
store.
Maybe
solving
business
problems
securely...
• Narrator:
He
thought
• The
Grinch:
...means
a
liZle
bit
more.

28. Useful
Resources
• World
Privacy
Forum,
www.worldprivacyforum.org
• Security
Monks
Blog,
hZp://blog.securitymonks.com/2009/01/25/
recent-­‐cloud-­‐pos>ngs/
• Ra>onal
Survivability
Blog,
hZp://ra>onalsecurity.typepad.com/