cloud computing: new approaches for security
TRANSCRIPT
24/01/2013 1 John Rhoton – 2013
Cloud Computing: New Approaches for Security
John Rhoton
Cloud and Big Data Conference 2013, CnS Events, Vienna, Austria
8 October
[email protected]
Agenda
• Security Context
• Trust Shift
• Security Challenges
• Remediation
  – Best practices
  – Tools
IT Security is now a Top CEO concern

Major threatening scenarios according to CEOs (share of CEOs naming each scenario):
• 75% Major social unrest impacting business activities
• 67% Economic recession
• 63% Cyber attacks
• 53% Natural disasters impacting a major business hub
• 53% Collapse of the Euro zone
• 52% Military or business tensions impacting access to natural resources
Source: 16th Annual Global CEO Survey, 2013, PwC

63% of CEOs identify cyber attacks as a top 3 threat for their company.

Information security is now considered a high-stake topic by most CEOs. As a result, IT security investments are growing significantly:
• 14%: share of IT spending going to IT security in 2010. This ratio was only 8.2% in 2007. (Source: Forrester, The Evolution Of IT Security, 2010 To 2011)
• 11.36 billion $: investments in 2011 in the US for classified data security. (Source: Report on Cost Estimates for Security Classification Activities for Fiscal Year 2011)
• 5.5 billion attacks stopped in 2011; the volume of attacks was 3 billion in 2010. (Source: Symantec)
Source: Beamap
New Security context for IT infrastructure

Risks to data security continue to intensify and show no signs of abating. Given today's elevated threat environment, companies must prepare to address the new security context and review their mitigation strategies.

• Increasing volume and sources of data to protect: 80% of data did not exist 2 years ago; 1.8 Zettabytes of data created in 2011; 7.9 Zettabytes estimated volume of data for 2015
• IT systems more connected, mobile and open: Mobile, Social media, Bring your own device
• Development of cyber-activism practices and cyber-attacks: Anonymous, Wikileaks, Stuxnet*
• IT infrastructure more and more complex and heterogeneous: Cloud Computing, Big Data, Technology Innovation

*Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities.
Source: Beamap
Top 10 Challenges to Enterprise Cloud Adoption
• 33% Implementation/transition/integration costs too high
• 31% Integration with existing architecture
• 30% Data loss and privacy risks
• 30% Loss of control
• 26% Lack of visibility into future demand, associated costs
• 26% A lack of interoperability between cloud providers
• 26% General security risks
• 21% Risk of intellectual property theft
• 18% Legal and regulatory compliance
• 18% Transparency of operational controls and data
Source: KPMG International’s Global cloud survey: the implementation challenge
Cloud Security Challenges and Benefits

Key Observations
• Most companies overestimate their internal security and underestimate cloud provider security
• Providers invest heavily in security processes, mechanisms, tools and skills that enterprises cannot easily match
• But not all cloud providers are equal! They have different resources and expertise, so it is important to vet each service individually!
• Initial cloud security analysis may reveal gaps, but these can be addressed with:
  – Best practice architectures
  – Appropriate tools (e.g. API management, identity management)

Would you store your customer data in the Cloud?
• Customer data is a key asset for every company
• However, today's #1 solution for CRM is a cloud solution: Salesforce.com
• Salesforce.com has become a de-facto standard CRM solution, selected after due diligence by industry leaders

Would you store key regulatory data in the Cloud?
"Nasdaq OMX is offering Wall Street brokers a chance to store key regulatory data on Amazon's 'cloud' computers, marking the ecommerce conglomerate's boldest incursion into the financial services sector." (Financial Times)

Example of cloud provider investment in security matters: AWS opened a Security Blog in April 2013.

How to build trust in the Cloud?
The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings.
https://cloudsecurityalliance.org/star/
Source: Beamap
Trust Shift

The biggest cultural hurdle to cloud adoption is acceptance of the shift from direct to indirect trust.
• What stays the same? Humans (subject to negligence and malice) administer IT systems (subject to infection and failure)
• But explicit service contracts replace implicit employment contracts
• Processes that are audited, certified and exposed to public scrutiny may be much stronger than secret internal equivalents

Direct trust model (diagram): Employees, Contractors, Partners, Suppliers
• Personal observation
• Personal experience
• Insight

Indirect trust model (diagram): Experts, Legal Counsel, Auditors, Public Scrutiny
• Public verification
• Contracts
• Compensation
Risk Treatment

(Diagram: risks plotted by probability, high vs. low, against impact, high vs. low; the treatment options shown are Eliminate, Business Continuity and Resilience.)
Barriers
• Compliance
• Data leakage
• Data loss
• Service loss
• Vendor lock-in
Compliance
Enforce Logical Barriers
Global Internet versus National Laws
Governmental Compliance (Hot topics)

Hot Topic #1: Is the Patriot Act an American phenomenon?
• All governments have an equivalent to the Patriot Act
• Western governments collaborate to satisfy requests regardless of the location of the provider and/or data
• Requests are executed regardless of whether data is hosted in the cloud or on-premise
• Cf. comparison of governmental authorities' access to data in the cloud (next slide)
Comparison of Governmental Access

Questions asked of each jurisdiction:
Q1. May the government require a cloud provider to disclose customer data?
Q2. May a cloud provider voluntarily disclose customer data to the government in response to an informal request?
Q3. If a cloud provider must disclose customer data to the government, must the customer be notified?
Q4. May the government monitor electronic communications sent through the systems of a cloud provider?
Q5. Are government orders to disclose customer data subject to review by a judge?
Q6. Can the government require the cloud provider to disclose data in a foreign country?

Answers (one row per jurisdiction; the jurisdiction labels are not shown):
Row 1 | Q1: Yes | Q2: No – must request data through legal process | Q3: Yes, for content data, except with a search warrant | Q4: Yes | Q5: Yes | Q6: Yes
Row 2 | Q1: Yes | Q2: Yes, except for personal data without a legal purpose | Q3: No | Q4: Yes | Q5: Yes | Q6: Yes
Row 3 | Q1: Yes | Q2: Yes, except for personal data without a legal purpose | Q3: No | Q4: Yes | Q5: Yes | Q6: Yes
Row 4 | Q1: Yes | Q2: Yes, except for personal data without a legal purpose | Q3: Yes, except may withhold until disclosure would no longer compromise the investigation | Q4: Yes | Q5: Yes | Q6: No, not without cooperation from the other country's government

US laws are no more threatening than others!

Source: Hogan Lovells White Paper "A Global Reality: Governmental Access to Data in the Cloud" bit.ly/PMDuWL
Hot Topic #2: Is PRISM a danger for corporate data?
• Sophisticated intelligence agencies (USA, Russia, China, Israel, France...) have the means to obtain any information they require
• Corporate data is not usually an interesting target, but may be in some instances
• Interception of corporate data by an intelligence agency doesn't automatically result in harm to the corporation; it depends on how they use it (e.g. corporate espionage)
• It is impossible to secure against this threat; some agencies resort to unlawful means (e.g. bribery, extortion) to obtain this data
• Protecting corporate data (e.g. through encryption) doesn't prevent access, but makes it more costly to obtain and therefore less likely that governments will obtain it unless they have a clear purpose

Hot Topic #3: PRISM: Risk or opportunity for the US cloud computing industry?
Shortly after Snowden's leaked documents, the big Internet companies and their allies issued dire warnings, predicting that American businesses would lose tens of billions of dollars in revenue abroad as distrustful customers seek out local alternatives. At Amazon, which was not named in Snowden's documents but is seen as a likely victim because it is a top provider of cloud computing services, a spokeswoman said global demand "has never been greater." There are multiple theories for why the business impact of the Snowden leaks has been so minimal. One is that cloud customers have few good alternatives, since U.S. companies have most of the market and switching costs money. Perhaps more convincing, Amazon, Microsoft and some others offer data centers in Europe with encryption that presents significant hurdles to snooping by anyone, including the service providers themselves and the U.S. agencies. Encryption, however, comes with drawbacks, making using the cloud more cumbersome.

Governmental Compliance (Hot topics)
Source: Beamap
Multi-tenancy Increases Threat Vectors

(Diagram: two hosts, each running several guests, with six numbered threat vectors marked between them.)

Expand Monitoring Scope and Depth
Confidentiality
• Data Governance
  – Data loss prevention
• Compartmentalization
• Encryption
Classify data, select and combine options
Identity Federation
Identity challenges:
• Password proliferation
• Weak authentication
• Support costs
• User productivity
Implement identity standards (SAML, SCIM)
Redundancy
• Dimensions
  – Physical
  – Geographical
  – Technological
  – Organizational
• Horizontal scalability
• ACID (Atomic, Consistent, Isolated, Durable) => BASE (Basic Availability, Soft-state, Eventual consistency)
Architect for scale
Business Continuity
• Cold Site
• Warm Site
• Hot Site
• Double-Active
Multi-dimensional redundancy is critical
Lock-in vs. Cloud Stacks
• Proprietary Hardware
• Proprietary Software
• Open Source
• Consortium Driven
Balance ease with flexibility
Cloud Risks and Remediation

CLOUD RISKS
• Denial of Service
• Account/Service Hijacking
• Insecure Interfaces and API
• Data Loss
• Shared Technologies
• Data Breaches

REMEDIATION PRINCIPLES
• Due Diligence & Data Governance
• Encryption (data & network)
• Specific security tools
• Patching & Hardening
• Resilient architecture design (back-up…)
• MFA (Multi-factor authentication)
• API Security and Management solution
• Fully patched Internet browser and servers
• Traffic analysis, intrusion detection…
• Integration with patch management system
• Virtual Private Cloud features

(Diagram: a matrix mapping each cloud risk to the remediation principles that address it.)
Source: Beamap
Sample Cloud Architecture

Scenario illustration (diagram): an on-premise datacenter connected to two public clouds.

Description: this scenario is based on the following concepts:
• Mobility of VMs from the on-premise datacenter to the cloud with the same "security" requirements
• Propagation of the network security rules to the cloud (firewalling, IP addresses…)
• Propagation of QoS rules (resiliency, back-up & restores…)

Security domains shown: Network Security, Resiliency, Identity and access management, Attack protection, Encryption, Application Security
Source: Beamap
Cloud-based Protection Services
• Malware
• Denial of Service
• Identity Management
• Backup and Restore
• Intrusion Prevention
Cloud Reference Architecture

The key components of the cloud reference architecture:
1. Virtual Private Cloud with VPN connection to the corporate datacenter
2. Dual connectivity (direct connection and back-up VPN connection)
3. At least two availability zones used to provide application resiliency
4. Elastic Load Balancers to distribute workloads across servers and availability zones
5. Data replication across availability zones
6. Application tiering
7. Database tiering
8. Database snapshots
9. DoS filter
10. Identity Router
11. API Security Management module
12. Cloud Management module

(Diagram: components 1–12 numbered on the architecture, together with a Cloud Management Layer and a Key Management System, both shown as external systems.)
Source: Beamap
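The resiliency components of the reference architecture (VPN-connected VPC, dual connectivity, at least two availability zones, load balancers spanning them, cross-zone replication, database snapshots) can be expressed as an automated control check. The following is an added example, not code from the presentation; the Deployment inventory format and the sample values are assumptions constructed for it.

```python
"""Policy-as-code check of a deployment against the resiliency controls of the
reference architecture above (VPN-connected VPC, dual connectivity, at least two
availability zones, load balancer spanning them, cross-zone data replication,
database snapshots). The inventory format is an assumption of this example."""
from dataclasses import dataclass
from typing import List


@dataclass
class Deployment:
    vpc_id: str
    links: List[str]       # connectivity paths to the corporate datacenter
    app_zones: List[str]   # availability zones hosting application-tier servers
    lb_zones: List[str]    # availability zones registered on the load balancer
    db_zones: List[str]    # availability zones holding a database replica
    db_snapshots: bool     # automated database snapshots enabled


def check_reference_architecture(d: Deployment) -> List[str]:
    """Return one finding per violated control; an empty list means compliant."""
    findings = []
    if "vpn" not in d.links:
        findings.append("no VPN connection between the VPC and the corporate datacenter")
    if len(set(d.links)) < 2:
        findings.append("single connectivity path: add a direct connection or back-up VPN")
    if len(set(d.app_zones)) < 2:
        findings.append("application tier uses fewer than two availability zones")
    if not set(d.app_zones) <= set(d.lb_zones):
        findings.append("load balancer does not cover every application zone")
    if len(set(d.db_zones)) < 2:
        findings.append("database is not replicated across availability zones")
    if not d.db_snapshots:
        findings.append("database snapshots are disabled")
    return findings


# Constructed sample inventory: compliant except that the database sits in one zone.
SAMPLE = Deployment(
    vpc_id="vpc-example",
    links=["vpn", "direct_connect"],
    app_zones=["zone-a", "zone-b"],
    lb_zones=["zone-a", "zone-b"],
    db_zones=["zone-a"],
    db_snapshots=True,
)

if __name__ == "__main__":
    for finding in check_reference_architecture(SAMPLE):
        print("FINDING:", finding)
```

Running it against the constructed sample reports only the missing cross-zone database replication; a real inventory would be loaded from the cloud provider's API instead of the literal above.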
Summary
• Security is perceived as the biggest challenge to cloud computing
• Risks are often over-hyped for dubious reasons
  – Market protection
  – Job security
• Cloud security is under-rated
• Internal security is over-rated
• Security challenges are real but addressable
  – Encryption / Strong Authentication
  – Network security / Isolation
  – Multi-sourcing strategy
  – Redundancy
Emotional vs Factual
• Fear, Uncertainty and Doubt
• Increased Effort
  – Evaluation
  – Negotiation
  – Integration
  – Implementation
• Reduced CAPEX benefits
Plan early, think objectively