Cloud Security - Reality or Illusion

By: Srinivas Thimmaiah

Date: 11 Mar 2017

Upload: srinivas-thimmaiah

Post on 21-Apr-2017


Page 1: Cloud Security - Reality or Illusion

Cloud Security - Reality or Illusion

By: Srinivas Thimmaiah

Date: 11 Mar 2017

Srinivas Thimmaiah | Cloud Security | 11 Mar 2017

Page 2: Cloud Security - Reality or Illusion

About me


A seasoned Information Security professional, speaker & blogger with around 13+ years of rich and insightful work experience in the areas of Information Security Assurance, Governance, Risk Management, BCM, Supplier Management, Awareness, IT Security and operational excellence, and in influencing team members and management.

CISM, ISO 27001 certified, CISCO certified Information Security & IT Security experienced professional.

Page 3: Cloud Security - Reality or Illusion

Agenda

Cloud Ecosystem

What is Cloud computing

Cloud services

Deployment models

Cloud adoption trends 2017

Cloud Risks

Conclusion

Page 4: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud computing is the delivery of computing services—servers, storage, databases, networking, software, analytics and more—over the Internet (“the cloud”).

Source: Microsoft

Characteristics of Cloud Computing

Rapid Elasticity

Broad Network Access

Measured service

On-demand self-service

Resource pooling

Page 5: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Service Models

Infrastructure as a Service, IaaS (host): Compute, storage, IT infra as a service, rather than as dedicated capability

Platform as a Service, PaaS (build): Application platform or middleware as a service on which developers can build and deploy custom applications

Software as a Service, SaaS (consume): End-user applications delivered as a service rather than on-premises software

Page 6: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Deployment Models

Public

Private

Community

Hybrid

Page 7: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Deployment Models

Public

Provisioned by general public

Exists on the premises of the cloud provider

May be owned, managed by business, government or a combination

Organizations

Google

Zoho

Salesforce

Microsoft

Amazon

Yahoo

Rackspace

Page 8: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Deployment Models

Private

Provisioned for single organization

May exist on or off site

May be managed by organization or outsourced

Page 9: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Deployment Models

Community Cloud

Provisioned for exclusive use by a specific community

May be managed by one or more of the community organizations

May be managed by community organization or outsourced

Community of Organizations

Page 10: Cloud Security - Reality or Illusion

Cloud Ecosystem

Cloud Deployment Models

Hybrid

Combination of two or more distinct cloud infrastructures

Public Cloud

Private Cloud

Organization

Page 11: Cloud Security - Reality or Illusion

Cloud adoption trends of 2017

Public Cloud: 88%, 89%, 89%

Private Cloud: 63%, 77%, 72%

Hybrid Cloud: 58%, 71%, 67%

Any Cloud: 93%, 95%, 95%

Source: Rightscale 2016 State of the Cloud Report

Page 12: Cloud Security - Reality or Illusion

Cloud Risks

Risks

Policy & Organization Risks

Technical Risks

Legal Risks

Generic Risks

Source: csaguide

Page 13: Cloud Security - Reality or Illusion

Cloud Risks

Policy & Organization risks

Lock-in

Loss of governance

Compliance challenges

Loss of business reputation due to co-tenant activities

Cloud service termination or failure

Cloud provider acquisition

Supply chain failure

Source: csaguide

Page 14: Cloud Security - Reality or Illusion

Cloud Risks

Technical risks

Resource exhaustion (under or over provisioning)

Isolation failure

Cloud provider malicious insider – abuse of high privilege roles

Management interface compromise (manipulation, availability of infrastructure)

Intercepting data in transit

Insecure or ineffective deletion of data

Data leakage on up/download, intra-cloud

Distributed denial of service (DDoS)

Economic denial of service (EDoS)

Loss of encryption keys

Undertaking malicious probes or scans

Compromise server engine

Source: csaguide

Page 15: Cloud Security - Reality or Illusion

Cloud Risks

Legal risks

Risk from changes of jurisdiction

Licensing risks

Data protection risks

Subpoena and e-discovery

Source: csaguide

Page 16: Cloud Security - Reality or Illusion

Cloud Risks

Generic risks

Modifying network traffic

Privilege escalation

Loss or compromise of security logs

Network management (i.e., network congestion / mis-connection / non-optimal use)

Backup lost, stolen

Unauthorized access to premises

Natural disaster

Theft of computer equipment

Network breaks

Social engineering attacks

Loss or compromise of operational logs

Source: csaguide

Page 17: Cloud Security - Reality or Illusion

Conclusion

Effective onboarding process

Vendor analysis

Risk management

Contract Management

Justification for cloud adoption

Re-visit the services

Monitoring the services

Source: From Body to Spirit; From Illusion to Reality
