Cloud Computing Security Needs & Problems – Alon Refaeli

Practical Security Problems in Cloud Computing Alon Refaeli – Porticor Technologies [email protected] May 2009

Upload: refaeli

Post on 22-Apr-2015


DESCRIPTION

Cloud Computing Security Needs & Problems

TRANSCRIPT

Page 1: Cloud Computing Security Needs & Problems   Alon Refaeli

Practical Security Problems in Cloud Computing

Alon Refaeli – Porticor Technologies

[email protected]@SecuredZones.com

May 2009

Page 2: Cloud Computing Security Needs & Problems   Alon Refaeli

The Cloud Computing Main Elements

Infrastructure as a Service (IaaS) – switch, NT, access control etc.

Platform as a Service (PaaS) – .Net, Java, LAMP etc.

Software as a Service (SaaS) – CRM, ERP etc.

Page 3: Cloud Computing Security Needs & Problems   Alon Refaeli

Foundational Elements of Cloud Computing

Business Models : Web 2.0

• Software as a Service (SaaS)

• Utility Computing

• Service Level Agreements

• Open standards, Data Portability, and Accessibility

Architecture :

• Autonomic System Computing

• Grid Computing

• Platform Virtualization

• Web Services

• Service Oriented Architectures

• Web application frameworks

• Open source software

Page 4: Cloud Computing Security Needs & Problems   Alon Refaeli

Why Cloud Computing?

Capital Expenditure

Multitenancy

Scalability

Reliability

Security

Performance

Location Independence

Page 5: Cloud Computing Security Needs & Problems   Alon Refaeli

Cyber Threats – No End in Sight

Thousands of cyber attacks each day on key utilities

Well known infrastructure-based disruptions: September 11 Internet Inaccessibility, Estonian DDoS Attacks, DNS Attacks, Georgian Attacks from Russia

General consensus – attacks growing in sophistication and scale

Page 6: Cloud Computing Security Needs & Problems   Alon Refaeli

Security Threats + Cloud = ??

New challenges emerge as services become more distributed:

Nobody ‘owns’ the cloud

Everyone relies on the cloud

Each individual autonomous system is responsible for securing their section of the cloud

Impact of their actions now affects everyone – even more than before!

Bottom line… things that impact you and your business don’t end at your gateway anymore

Page 7: Cloud Computing Security Needs & Problems   Alon Refaeli

Cloud Computing Threats

Page 8: Cloud Computing Security Needs & Problems   Alon Refaeli

Security follows mainstream IT Platform Evolution

[Figure: timeline marked 1990’s, 2000, 2002, 2005, 2009, with the axis label “Operational Complexity Reduced”. Platform labels: Software Gateway, Software Client-Server, Appliance, SaaS, Software End-Point, Virtual Machine, Cloud, Mobile.]

Page 9: Cloud Computing Security Needs & Problems   Alon Refaeli

Key Customer Questions on SaaS and Cloud Client type services

Privacy

Performance

Availability

Personalization

Encryption

Global/Local Caching

Application Design

Multi-Tenant

Page 10: Cloud Computing Security Needs & Problems   Alon Refaeli

What is the role of Access Management?

Organizations don’t get a clear view of who has done what with a resource, so cannot demonstrate ‘control’

Common Pain points

Who did access what?

Who should have access to what?

Siloed approach to authorization across hundreds or even thousands of applications

Who has access to what?

Months to modify applications with embedded authorization policy or by deploying agents

Page 11: Cloud Computing Security Needs & Problems   Alon Refaeli

The 3 primary security concerns for Cloud Computing

1. federated authentication

2. entitlement/authorization control (based on multiple attributes)

3. transaction logging for audit, compliance and forensics

Page 12: Cloud Computing Security Needs & Problems   Alon Refaeli

federated authentication

No.1 is available through Identity-as-a-service vendors such as Tricipher.

SAML will become the standard Federated Identity model once MS Geneva is rolled out.

Page 13: Cloud Computing Security Needs & Problems   Alon Refaeli

entitlement/authorization control

No.2 is more difficult.

Entitlement is built into apps such as salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine grained controls needed for audit & compliance. This is where network-based AuthZ players play.

Page 14: Cloud Computing Security Needs & Problems   Alon Refaeli

transaction logging

No.3 - transaction logging in my opinion is the big deal-breaker.

If you don't know 'who' has done 'what' in your cloud apps, then how will you survive a SOX or PCI audit?

This is probably one of the major questions that needs to be answered by new Cloud Security (start-ups) vendors.
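Added example, not part of the original slides: a minimal sketch of concerns 2 and 3 working together, where an entitlement decision is made over several subject attributes and every attempt is written to an audit record of who did what. The policy contents, attribute names and the hash chaining of records are assumptions chosen for illustration.

```python
import hashlib
import json

# Constructed policy: a rule permits when every required attribute matches.
POLICY = [
    {"resource": "crm/accounts", "action": "read",
     "require": {"department": "sales", "idp": "corp-saml"}},
    {"resource": "crm/accounts", "action": "export",
     "require": {"department": "sales", "idp": "corp-saml", "role": "manager"}},
]

def decide(subject, resource, action, policy=POLICY):
    """Multi-attribute entitlement check with default deny."""
    for rule in policy:
        if (rule["resource"], rule["action"]) == (resource, action) \
                and all(subject.get(k) == v for k, v in rule["require"].items()):
            return "permit"
    return "deny"  # unknown resources and actions also land here

class AuditLog:
    """Append-only log; each record stores the hash of the previous record."""
    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, who, what, resource, decision, ts):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"ts": ts, "who": who, "what": what, "resource": resource,
                "decision": decision, "prev": prev}
        self.records.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Return the index of the first altered record, or -1 if the chain is intact."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != self._digest(body):
                return i
            prev = rec["hash"]
        return -1

def authorize(log, subject, resource, action, ts):
    """Decide, then record the attempt whether it was permitted or denied."""
    decision = decide(subject, resource, action)
    log.append(subject["user"], action, resource, decision, ts)
    return decision
```

Denied attempts are logged as well as permitted ones, since an auditor asking who did what also needs to see who tried.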

Page 15: Cloud Computing Security Needs & Problems   Alon Refaeli

Standardization of security in Cloud Computing

It is still in early stage – this is the time to shape and influence – the NIST is trying to the role.

The main problem is the Identity and Access Management, which will be different from the current solutions.

Page 16: Cloud Computing Security Needs & Problems   Alon Refaeli

References

Amazon:

http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf

RSA Event 2009:

http://www.vnunet.com/vnunet/news/2240794/rsa-2009-cryptography-experts