Cloud Computing: New Approaches for Security
Slide 1 (24/01/2013, John Rhoton – 2013)
Cloud Computing
New Approaches for Security
John Rhoton
Cloud and Big Data Conference 2013
CnS Events, Vienna, Austria
8 October 2013
rhoton@gmail.com
Slide 3
IT Security is now a Top CEO concern
Major threatening scenarios according to CEOs (share of CEOs naming each scenario; Source: 16th Annual Global CEO Survey, 2013, PwC):
• 75%: Major social unrest impacting business activities
• 67%: Economic recession
• 63%: Cyber attacks
• 53%: Natural disasters impacting a major business hub
• 53%: Collapse of the Euro zone
• 52%: Military or business tensions impacting access to natural resources
63% of CEOs identify cyber attacks as a top-3 threat for their company.
14%: share of spending on IT security in 2010; this ratio was only 8.2% in 2007. (Source: Forrester, The Evolution Of IT Security, 2010 To 2011)
$11.36 billion: investments in 2011 in the US for classified data security. (Source: Report on Cost Estimates for Security Classification Activities for Fiscal Year 2011)
5.5 billion attacks stopped in 2011; the volume of attacks was 3 billion in 2010. (Source: Symantec)
Information security is now considered a high-stake topic by most CEOs. As a result, IT security investments are growing significantly.
Source: Beamap
Slide 4
New Security context for IT infrastructure
Risks to data security continue to intensify and show no signs of abating. Given today's elevated threat environment, companies must prepare to address the new security context and review their mitigation strategies.
• Increasing volume and sources of data to protect: 80% of data did not exist 2 years ago; 1.8 zettabytes of data were created in 2011; 7.9 zettabytes are estimated for 2015
• IT systems more connected, mobile and open: mobile, social media, bring your own device
• Development of cyber-activism practices and cyber-attacks: Anonymous, Wikileaks, Stuxnet*
• IT infrastructure more and more complex and heterogeneous: cloud computing, big data, technology innovation
*Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities.
Source: Beamap
Slide 5
Top 10 Challenges to Enterprise Cloud Adoption
33% Implementation/transition/ integration costs too high
31% Integration with existing architecture
30% Data loss and privacy risks
30% Loss of control
26% Lack of visibility into future demand, associated costs
26% A lack of interoperability between cloud providers
26% General security risks
21% Risk of intellectual property theft
18% Legal and regulatory compliance
18% Transparency of operational controls and data
Source: KPMG International’s Global cloud survey: the implementation challenge
Slide 6
Cloud Security Challenges and Benefits
Key Observations
• Most companies overestimate their internal security and underestimate cloud provider security
• Providers invest heavily in security processes, mechanisms, tools and skills that enterprises cannot easily match
• But not all cloud providers are equal! They have different resources and expertise, so it is important to vet each service individually!
• An initial cloud security analysis may reveal gaps, but these can be addressed with:
  • Best practice architectures
  • Appropriate tools (e.g. API management, identity management)
Would you store your customer data in the cloud?
• Customer data is a key asset for every company
• However, today's #1 solution for CRM is a cloud solution: Salesforce.com
• Salesforce.com has become a de-facto standard CRM solution, selected after due diligence by industry leaders
Would you store key regulatory data in the cloud?
"Nasdaq OMX is offering Wall Street brokers a chance to store key regulatory data on Amazon's "cloud" computers, marking the ecommerce conglomerate's boldest incursion into the financial services sector." (Financial Times)
Example of cloud provider investment in security matters: AWS opened a Security Blog in April 2013.
How to build trust in the cloud?
The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings.
https://cloudsecurityalliance.org/star/
Source: Beamap
Slide 7
Trust Shift
The biggest cultural hurdle to cloud adoption is acceptance of the shift from direct to indirect trust.
• What stays the same?
• Humans (subject to negligence and malice) administer IT systems (subject to infection and failure)
• But explicit service contracts replace implicit employment contracts
• Processes that are audited, certified and exposed to public scrutiny may be much stronger than secret internal equivalents
Direct trust model (employees, contractors, partners, suppliers), based on:
• Personal observation
• Personal experience
• Insight
Indirect trust model (experts, legal counsel, auditors, public scrutiny), based on:
• Public verification
• Contracts
• Compensation
Slide 8
Risk Treatment
Risk treatment matrix (figure): probability (low / high) plotted against impact (low / high), with the treatment options Eliminate, Business Continuity and Resilience assigned to its quadrants.
Slide 9
Barriers
• Compliance
• Data leakage
• Data loss
• Service loss
• Vendor lock-in
Slide 10
Compliance
Enforce Logical Barriers
Global Internet versus National Laws
Slide 11
Governmental Compliance (Hot topics)
Hot Topic #1: Is the Patriot Act an American phenomenon?
• All governments have an equivalent to the Patriot Act
• Western governments collaborate to satisfy requests regardless of the location of the provider and/or the data
• Requests are executed regardless of whether data is hosted in the cloud or on-premise
• Cf. comparison of governmental authorities' access to data in the cloud (next slide)
Slide 12
Comparison of Governmental Access
Six questions asked for each jurisdiction:
1. May government require a cloud provider to disclose customer data?
2. May a cloud provider voluntarily disclose customer data to the government in response to an informal request?
3. If a cloud provider must disclose customer data to the government, must the customer be notified?
4. May government monitor electronic communications sent through the systems of a cloud provider?
5. Are government orders to disclose customer data subject to review by a judge?
6. Can the government require the cloud provider to disclose data in a foreign country?
Answers per jurisdiction (the table's country labels did not survive extraction; rows are given in their original order):
Jurisdiction A: 1. Yes; 2. No – must request data through legal process; 3. Yes, for content data, except with a search warrant; 4. Yes; 5. Yes; 6. Yes
Jurisdiction B: 1. Yes; 2. Yes, except for personal data without a legal purpose; 3. No; 4. Yes; 5. Yes; 6. Yes
Jurisdiction C: 1. Yes; 2. Yes, except for personal data without a legal purpose; 3. No; 4. Yes; 5. Yes; 6. Yes
Jurisdiction D: 1. Yes; 2. Yes, except for personal data without a legal purpose; 3. Yes, except may withhold until disclosure no longer would compromise the investigation; 4. Yes; 5. Yes; 6. No, not without cooperation from the other country's government
US laws are no more threatening than others!
Source: Hogan Lovells White Paper "A Global Reality: Governmental Access to Data in the Cloud" bit.ly/PMDuWL
Slide 13
Governmental Compliance (Hot topics)
Hot Topic #2: Is PRISM a danger for corporate data?
• Sophisticated intelligence agencies (USA, Russia, China, Israel, France...) have the means to obtain any information they require
• Corporate data is not usually an interesting target, but may be in some instances
• Interception of corporate data by an intelligence agency doesn't automatically result in harm to the corporation; it depends on how they use it (e.g. corporate espionage)
• It is impossible to secure against this threat; some agencies resort to unlawful means (e.g. bribery, extortion) to obtain this data
• Protecting corporate data (e.g. through encryption) doesn't prevent access, but makes it more costly to obtain and therefore less likely that governments will obtain it unless they have a clear purpose
Hot Topic #3: PRISM: risk or opportunity for the US cloud computing industry?
Shortly after Snowden's leaked documents, the big Internet companies and their allies issued dire warnings, predicting that American businesses would lose tens of billions of dollars in revenue abroad as distrustful customers seek out local alternatives.
At Amazon, which was not named in Snowden's documents but is seen as a likely victim because it is a top provider of cloud computing services, a spokeswoman said global demand "has never been greater."
There are multiple theories for why the business impact of the Snowden leaks has been so minimal. One is that cloud customers have few good alternatives, since U.S. companies have most of the market and switching costs money. Perhaps more convincing, Amazon, Microsoft and some others offer data centers in Europe with encryption that presents significant hurdles to snooping by anyone, including the service providers themselves and the U.S. agencies. Encryption, however, comes with drawbacks, making using the cloud more cumbersome.
Source: Beamap
Slide 18
Business Continuity
• Cold Site
• Warm Site
• Hot Site
• Double-Active
Multi-dimensional redundancy is critical
Slide 19
Lock-in vs. Cloud Stacks
Spectrum of cloud stacks shown on the slide: proprietary hardware, proprietary software, open source, consortium driven.
Balance ease with flexibility
Slide 20
Cloud Risks and Remediation
CLOUD RISKS
• Denial of Service
• Account/Service Hijacking
• Insecure Interfaces and APIs
• Data Loss
• Shared Technologies
• Data Breaches
REMEDIATION PRINCIPLES
Source: Beamap
Slide 21
Sample Cloud Architecture
Scenario illustration (figure): an on-premise datacenter connected to a public cloud, with the layers network security, resiliency, identity and access management, attack protection, encryption and application security.
Description: this scenario is based on the following concepts:
• Mobility of VMs from the on-premise datacenter to the cloud with the same "security" requirements
• Propagation of the network security rules to the cloud (firewalling, IP addresses…)
• Propagation of QoS rules (resiliency, back-up & restores…)
Source: Beamap
Slide 22
Cloud-based Protection Services
• Malware
• Denial of Service
• Identity Management
• Backup and Restore
• Intrusion Prevention
Slide 23
Cloud Reference Architecture
The key components of the cloud reference architecture:
1. Virtual Private Cloud with VPN connection to the corporate datacenter
2. Dual connectivity (Direct connection to back-up VPN connection)
3. At least two availability zones used to provide application resiliency
4. Elastic Load Balancers to distribute workloads across servers and availability zones
5. Data replication across availability zones
6. Application tiering
7. Database tiering
8. Database snapshots
9. DoS filter
10. Identity Router
11. API Security Management module
12. Cloud Management module
Also shown on the diagram: a Cloud Management Layer and a Key Management System (external systems).
Source: Beamap
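As an added example (not from the deck, Beamap or any of the providers named above), here is a Terraform sketch of components 1, 3, 4, 5 and 8 of this reference architecture on AWS; the CIDR blocks, availability zones, resource names and the 203.0.113.10 gateway address are placeholder assumptions.

```hcl
# Added example (not from the deck): Terraform sketch of components 1, 3, 4, 5 and 8.
# Assumes a configured AWS provider; CIDRs, AZs, names and 203.0.113.10 are placeholders.
resource "aws_vpc" "vpc" {
  cidr_block = "10.10.0.0/16"
}
# (3) Two application subnets in two different availability zones
resource "aws_subnet" "app" {
  for_each          = { "eu-west-1a" = "10.10.1.0/24", "eu-west-1b" = "10.10.2.0/24" }
  vpc_id            = aws_vpc.vpc.id
  availability_zone = each.key
  cidr_block        = each.value
}
# (1) IPsec VPN from the VPC back to the corporate datacenter
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.vpc.id
}
resource "aws_customer_gateway" "dc" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10" # placeholder: corporate VPN endpoint
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "dc" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.dc.id
  type                = "ipsec.1"
  static_routes_only  = true
}
# (4) Load balancer spanning both availability zones
resource "aws_lb" "app" {
  load_balancer_type = "application"
  subnets            = [for s in aws_subnet.app : s.id]
}
# (5) + (8) Database with a synchronous standby in the other zone,
# automated snapshots, and storage encrypted at rest
resource "aws_db_subnet_group" "db" {
  subnet_ids = [for s in aws_subnet.app : s.id]
}
resource "aws_db_instance" "db" {
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  multi_az                    = true # (5) replication across availability zones
  backup_retention_period     = 7    # (8) daily snapshots kept for 7 days
  storage_encrypted           = true
  db_subnet_group_name        = aws_db_subnet_group.db.name
  username                    = "appadmin"
  manage_master_user_password = true # password generated and kept in Secrets Manager
}
```

The DoS filter, identity router and API security components (9 to 11) are product-specific and are not represented here.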
Slide 24
Summary
• Security is perceived as the biggest challenge to cloud computing
• Risks are often over-hyped for dubious reasons
  – Market protection
  – Job security
• Cloud security is under-rated
• Internal security is over-rated
• Security challenges are real but addressable
  – Encryption / strong authentication
  – Network security / isolation
  – Multi-sourcing strategy
  – Redundancy
Slide 26
Contact Details
Feel free to reach out to me at:
linkedin/in/rhoton
or look me up at:
amazon.com/author/rhoton
slideshare.net/rhoton
Editor's Notes
Risk mitigation:
• Data leakage: encryption
• Data loss: multi-source, backup
• Vendor lock-in: standards, multi-source, backup, exit strategy
• Service loss: SLA, audit, certifications
• Compliance: SLA, audit, certifications
Old trust basis: personal observation, personal experience, human insight
New trust basis: public verification, contracts, compensation
Design challenges: integration, user management, reliability, governance / SLAs, security
Backdoor in Dual-EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) http://rump2007.cr.yp.to/15-shumow.pdf