Cloud Computing Security Needs & Problems – Alon Refaeli
Practical Security Problems in Cloud Computing
Alon Refaeli – Porticor Technologies
[email protected]
May 2009
The Cloud Computing Main Elements
Infrastructure As a Service (IaaS) – switch, NT, access control etc.
Platform As a Service (PaaS) – .Net, Java, LAMP etc.
Software As a Service (SaaS) – CRM, ERP etc.
Foundational Elements of Cloud Computing
Business Models:
• Web 2.0
• Software as a Service (SaaS)
• Utility Computing
• Service Level Agreements
• Open standards, Data Portability, and Accessibility
Architecture:
• Autonomic System Computing
• Grid Computing
• Platform Virtualization
• Web Services
• Service Oriented Architectures
• Web application frameworks
• Open source software
Why Cloud Computing?
• Capital Expenditure
• Multitenancy
• Scalability
• Reliability
• Security
• Performance
• Location Independence
Cyber Threats – No End in Sight
Thousands of cyber attacks each day on key utilities
Well known infrastructure-based disruptions: September 11 Internet Inaccessibility, Estonian DDoS Attacks, DNS Attacks, Georgian Attacks from Russia
General consensus – attacks growing in sophistication and scale
Security Threats + Cloud = ??
New challenges emerge as services become more distributed:
Nobody ‘owns’ the cloud
Everyone relies on the cloud
Each individual autonomous system is responsible for securing their section of the cloud
Impact of their actions now affects everyone – even more than before!
Bottom line… things that impact you and your business don’t end at your gateway anymore
Cloud Computing Threats
Security follows mainstream IT Platform Evolution
[Figure: timeline from the 1990’s through 2000, 2002, 2005 and 2009, vertical axis “Operational Complexity Reduced”. Security platform generations shown: Software Gateway, Software Client-Server, Software End-Point, Appliance, SaaS; by 2009: Virtual Machine, Cloud, Mobile.]
Key Customer Questions on SaaS and Cloud Client type services
Privacy
Performance
Availability
Personalization
Encryption
Global/Local Caching
Application Design
Multi-Tenant
What is the role of Access Management?
Organizations don’t get a clear view of who has done what with a resource, so cannot demonstrate ‘control’.
Common pain points:
• Who did access what?
• Who should have access to what?
• Who has access to what?
• Siloed approach to authorization across hundreds or even thousands of applications
• Months to modify applications with embedded authorization policy or by deploying agents
The 3 primary security concerns for Cloud Computing
1. federated authentication
2. entitlement/authorization control (based on multiple attributes)
3. transaction logging for audit, compliance and forensics
federated authentication
No. 1 is available through Identity-as-a-Service vendors such as Tricipher.
SAML will become the standard Federated Identity model once MS Geneva is rolled out.
entitlement/authorization control
No. 2 is more difficult. Entitlement is built into apps such as salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine-grained controls needed for audit & compliance. This is where network-based AuthZ players play.
transaction logging
No. 3 – transaction logging, in my opinion, is the big deal-breaker.
If you don’t know ‘who’ has done ‘what’ in your cloud apps, then how will you survive a SOX or PCI audit?
This is probably one of the major questions that needs to be answered by new Cloud Security (start-up) vendors.
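Points 2 and 3 above can be shown together in code. What follows is an added example written for this page, not code from the slides or from Porticor: a deny-by-default entitlement check that evaluates several subject and resource attributes at once, and a decision log that records every allow and every deny in a hash chain, so that “who did what” to a resource can be answered later and an edited or deleted entry is detectable. The rule format, attribute names, principals, resources and requests are all constructed for the illustration.

```python
"""Attribute-based entitlement checks plus a tamper-evident decision log.

Added example (not from the original slides). The policy model, attribute
names and every request below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # digest that the first log entry chains to


@dataclass(frozen=True)
class Rule:
    """Allow `actions` when the subject's and the resource's attributes each
    hold one of the listed values. There are no deny rules: a request that
    matches no rule is denied by default."""
    name: str
    actions: frozenset[str]
    subject_match: dict[str, set[str]]
    resource_match: dict[str, set[str]]


def _matches(attrs: dict[str, str], required: dict[str, set[str]]) -> bool:
    # A missing attribute never satisfies a requirement (fail closed).
    return all(attrs.get(k) in allowed for k, allowed in required.items())


class AuditLog:
    """Append-only hash chain: each entry commits to the previous digest, so
    editing or deleting an earlier entry is detected by verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, entry: dict) -> None:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        chained = {**entry, "prev": prev}
        chained["digest"] = self._digest(chained)
        self.entries.append(chained)

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            unsigned = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or self._digest(unsigned) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def who_did_what(self, resource: str) -> list[tuple[str, str, str]]:
        """The audit question from the slides: who touched this resource?"""
        return [(e["subject"], e["action"], e["decision"])
                for e in self.entries if e["resource"] == resource]


class PolicyDecisionPoint:
    def __init__(self, rules: list[Rule], log: AuditLog) -> None:
        self.rules, self.log = rules, log

    def authorize(self, subject: str, subject_attrs: dict[str, str],
                  action: str, resource: str, resource_attrs: dict[str, str],
                  ts: str | None = None) -> bool:
        # First matching allow rule wins; the decision is logged either way.
        rule = next((r.name for r in self.rules
                     if action in r.actions
                     and _matches(subject_attrs, r.subject_match)
                     and _matches(resource_attrs, r.resource_match)), None)
        self.log.append({
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "subject": subject, "action": action, "resource": resource,
            "decision": "allow" if rule else "deny", "rule": rule,
            "subject_attrs": subject_attrs,  # attributes seen at decision time
        })
        return rule is not None


# Constructed policy: department, role, employment type and data
# classification all take part in the decision.
RULES = [
    Rule("finance-read", frozenset({"read"}),
         {"department": {"finance"}, "role": {"analyst", "controller"}},
         {"owner_dept": {"finance"}, "classification": {"internal", "confidential"}}),
    Rule("finance-write", frozenset({"write"}),
         {"department": {"finance"}, "role": {"controller"}},
         {"owner_dept": {"finance"}}),
    Rule("public-read", frozenset({"read"}),
         {"employment": {"employee", "contractor"}},
         {"classification": {"public"}}),
]
ALICE = {"department": "finance", "role": "analyst", "employment": "employee"}
BOB = {"department": "engineering", "role": "developer", "employment": "contractor"}
CAROL = {"department": "finance", "role": "controller", "employment": "employee"}
LEDGER = {"owner_dept": "finance", "classification": "confidential"}
HANDBOOK = {"owner_dept": "hr", "classification": "public"}


def run_demo() -> tuple[list[bool], AuditLog]:
    """Constructed requests against the constructed policy; returns the
    decisions and the log so the chain can be inspected."""
    log = AuditLog()
    pdp = PolicyDecisionPoint(RULES, log)
    decisions = [
        pdp.authorize("alice", ALICE, "read", "ledger-2009", LEDGER, "2009-05-01T09:00:00Z"),
        pdp.authorize("alice", ALICE, "write", "ledger-2009", LEDGER, "2009-05-01T09:01:00Z"),
        pdp.authorize("bob", BOB, "read", "ledger-2009", LEDGER, "2009-05-01T09:02:00Z"),
        pdp.authorize("bob", BOB, "read", "handbook", HANDBOOK, "2009-05-01T09:03:00Z"),
        pdp.authorize("carol", CAROL, "write", "ledger-2009", LEDGER, "2009-05-01T09:04:00Z"),
    ]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions, log.who_did_what("ledger-2009"), log.verify())
    log.entries[2]["decision"] = "allow"  # someone "cleans up" a denial
    print(log.verify())                   # the chain no longer verifies
```

Denials are logged as deliberately as allows: an auditor asking who attempted access to the ledger gets bob’s refused read as well as alice’s successful one. The hash chain only makes tampering detectable, not impossible; in a real deployment the log would be shipped to a store the application cannot rewrite.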
Standardization of security in Cloud Computing
It is still in an early stage – this is the time to shape and influence – NIST is trying to take on that role.
The main problem is Identity and Access Management, which will be different from the current solutions.
References
Amazon: http://s3.amazonaws.com/aws_blog/AWS_Security_Whitepaper_2008_09.pdf
RSA Event 2009: http://www.vnunet.com/vnunet/news/2240794/rsa-2009-cryptography-experts