Cloud Security: Risks and Recommendations for New Entrants
A Report by Irvin Choo, ACC 626 (23 slides)

Uploaded by irvinc, posted 30-Oct-2014


Description: The cloud is a service model that offers great benefits to its new entrants. However, its risks are not particularly well understood. This report identifies some of the more prevalent risks of the cloud and suggests basic ways in which executives can protect themselves when using it.

Transcript

Page 1: Cloud security: Risks and Rewards for New Entrants

Cloud Security: Risks and Recommendations for New Entrants

A Report by Irvin Choo, ACC 626

Page 2

What is the Cloud?

Type | Description | Examples
SaaS | Software coded by the cloud service provider (CSP); accessed through "thin clients" (e.g. web browsers) | Salesforce CRM, Gmail
PaaS | Development platform supplied by the CSP | Google App Engine, Microsoft Azure
IaaS | Raw processing power provided by the CSP | Amazon EC2

Page 3

What is the Cloud?

Page 4

Cloud Characteristics

- Elasticity: automatic provisioning/de-provisioning
- Accessibility: anywhere and everywhere
- Multi-tenancy: know your neighbour
- Pay-as-you-go

Page 5

Cloud Security Risks

- Old risks vs. new risks
- Cloud dependency stack
- Expanding attack surfaces
- Cloud cartography and side channels

Page 6

Cloud Security Risks: Old Risks vs. New Risks

- Some risks (e.g. phishing, often attributed to the cloud) are not cloud-specific.
- New risks stem from the inherent properties of cloud computing models.
- A hybrid of both is possible: Distributed Denial of Service vs. Economic Denial of Service (EDoS). EDoS uses the elasticity aspect to make the victim provision resources beyond sustainable capacities, so the attacker exhausts the budget rather than the servers.
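The EDoS point above can be made concrete with a small simulation. This is an added illustration, not code from the report: a toy autoscaler is driven by constructed traffic samples, first with unbounded elasticity and then with an instance cap and a spending alert, so the difference between "the attack costs us money" and "the attack costs us availability" is visible in numbers. All capacities, prices and traffic figures are made up.

```python
"""Toy model of Economic Denial of Service (EDoS) against an elastic service.
Added illustration, not code from the report. Constructed assumptions:
one instance serves 100 req/s and costs 10 cents per interval, and the
autoscaler provisions enough instances to stay at or below 80% utilisation."""

from dataclasses import dataclass, field
from math import ceil

CAPACITY_PER_INSTANCE = 100    # requests/s one instance can serve
COST_CENTS_PER_INSTANCE = 10   # cost of one instance for one interval
TARGET_UTILISATION = 0.8

# Constructed request-rate samples: normal load, a flood, then recovery.
TRAFFIC = [150, 160, 170, 2000, 4000, 8000, 16000, 16000, 170, 160]


def instances_needed(rate):
    """Instances the autoscaler wants so utilisation stays at or below target."""
    return max(1, ceil(rate / (CAPACITY_PER_INSTANCE * TARGET_UTILISATION)))


@dataclass
class Outcome:
    peak_instances: int = 0
    total_cost_cents: int = 0
    dropped_requests: int = 0
    budget_alerts: list = field(default_factory=list)  # interval indexes


def simulate(traffic, max_instances=None, budget_cents=None):
    """Run the autoscaler over the traffic. max_instances caps elasticity;
    budget_cents records an alert (once) when cumulative spend exceeds it."""
    out = Outcome()
    for i, rate in enumerate(traffic):
        running = instances_needed(rate)
        if max_instances is not None:
            running = min(running, max_instances)   # cap turns EDoS into plain DoS
        out.peak_instances = max(out.peak_instances, running)
        out.total_cost_cents += running * COST_CENTS_PER_INSTANCE
        # Requests beyond the provisioned capacity are shed rather than paid for.
        out.dropped_requests += max(0, rate - running * CAPACITY_PER_INSTANCE)
        if (budget_cents is not None and out.total_cost_cents > budget_cents
                and not out.budget_alerts):
            out.budget_alerts.append(i)
    return out


if __name__ == "__main__":
    uncapped = simulate(TRAFFIC)
    capped = simulate(TRAFFIC, max_instances=10, budget_cents=500)
    print("uncapped: peak", uncapped.peak_instances, "cost cents", uncapped.total_cost_cents)
    print("capped:   peak", capped.peak_instances, "cost cents", capped.total_cost_cents,
          "dropped", capped.dropped_requests, "alert at interval", capped.budget_alerts)
```

Uncapped, the flood drives the fleet to 200 instances and roughly ten times the normal spend; capped at 10 instances, spend stays bounded, the overflow is dropped, and the budget alert fires while the flood is still in progress.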

Page 7

Cloud Security Risks: Expanding Attack Surfaces

- Hypervisors (IaaS): allocate resources to virtual environments within the physical server.
- Application Program Interfaces (PaaS): proprietary; communicate between the developer's program and the underlying platform.

Page 8

Cloud Security Risks: The Cloud Dependency Stack

- Compatibility concerns
- Misconfiguration of software
- High integration, high risk
- Compromise at any level can undermine the entire infrastructure

Stack, top to bottom: SaaS / PaaS / IaaS / Cloud Physical Infrastructure

Page 9

Cloud Security Risks: Cloud Cartography

- Multi-tenancy issue: locating VMs in the cloud. Random distribution?
- "Hey, You, Get Off of My Cloud!" (Amazon EC2 study): 50% success rate
- Even brute-force methods were fairly successful
- Inexpensive

Page 10

Cloud Security Risks: Side Channel Attacks

- Primary risk from the multi-tenant environment
- Indirect form of spying: listening through the cache
- Can infer information rather than directly intercepting it
- Researchers were able to guess passwords by monitoring spikes in cache activity
- Can change the face of corporate espionage

Page 11

Controls and Recommendations

- First steps
- Responsibilities and the SLA
- Security frameworks

Page 12

Controls and Recommendations: First Steps

Why is encryption important?
- Ensures authorized access
- Provides base-level protection over information

Basic encryption policies:
- Authentication data
- Data for archiving/storage

Limitations:
- Not suited for data in transit/rapid processing (e.g. SaaS)
- Gmail struggled with encryption until 2010

Page 13

Controls and Recommendations: Responsibilities and the SLA

- Ponemon: 69% of cloud service providers believe security to be the responsibility of the users
- Continuous monitoring: the CSP may be hesitant to give access to data/logs; generally secretive security policies
- Securing ownership of data in case of security breaches

Page 14

Controls and Recommendations: Recommended Security Frameworks

A strong response to the lack of a cloud-based security risk framework:
- ISACA: COBIT Framework for IT Governance and Control
- International Organization for Standardization: ISO 27001
- ENISA: Cloud Computing Assurance Framework
- Cloud Security Alliance: Cloud Controls Matrix

Page 15

Controls and Recommendations: Recommended Security Frameworks

Organization | Title | URL
ISACA | COBIT | www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
International Organization for Standardization | ISO 27001/27002 | http://www.27000.org/
Cloud Security Alliance (CSA) | Cloud Controls Matrix | https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
U.S. Department of Commerce, National Institute of Standards and Technology (NIST) | Draft SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing | http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Page 16

Implications for CAs

- Assurance opportunities
- Certificate of Cloud Security Knowledge

Page 17

Implications for CAs

- Cloud computing is an opportunity for CAs
- Executives require a stronger cloud-based assurance model
- Section 5970/CSAE 3416 is inadequate: cloud risks extend far beyond financial reporting considerations
- Distinguishing between cloud service providers

Page 18

Implications for CAs: CSA Certificate of Cloud Security Knowledge

"The Certificate of Cloud Security Knowledge provides individuals with a solid foundation in cloud security issues and best practices. Organizations that leverage this training will be better positioned to get the most out of their investments in cloud computing. In addition, the certification can be a large help with recruitment efforts as organizations can easily qualify the experience of an individual in cloud security if they have earned the CCSK certificate."

~ Gary Phillips, senior director, technology assurance and standards research, Symantec Corp.

Page 19

Conclusions

The cloud entails new risks:
- Expansion of attack surfaces
- Evolution of old threats

Risks can be mitigated by:
- Implementing client-side controls
- A strong service level agreement
- A unified risk assessment process

Page 20

Thank you!!

Page 21

Works Cited

Al Morsy, M., Grundy, J., & Müller, I. (2010, Nov 30). An Analysis of The Cloud Computing Security Problem. Retrieved June 15, 2011, from Swinburne University of Technology: http://www.ict.swin.edu.au/personal/malmorsy/Pubs/cloud2010_1.pdf

Brenner, B. (2009). Why Security Matters Again. Retrieved May 28, 2011, from CIO Online.

Brodkin, J. (2010). 5 Problems with SaaS Security. Network World, 28(18), pp. 1-2.

CA Technologies and the Ponemon Institute Roll out Study on Cloud Providers and Consumers. (2011, May 31). Entertainment Close-up.

Choo, R. (2010). Cloud Computing: Challenges and Future Directions. Retrieved May 24, 2011, from Trends & Issues in Crime and Criminal Justice: http://www.aic.gov.au/documents/C/4/D/%7BC4D887F9-7D3B-4CFE-9D88-567C01AB8CA0%7Dtandi400.pdf

Cloud Computing Information Assurance Framework. (2009, November). Retrieved June 15, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework

Cloud Computing: Benefits, Risks and Recommendations for Information Security. (2009). Retrieved May 28, 2011, from European Network and Information Security Agency: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

Cloud Computing: Business Benefits. (2009). Retrieved June 17, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5

Cloud Computing: Business Benefits With Security, Governance. (2009). Retrieved June 20, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/Research/Documents/Cloud-Computing-28Oct09-Research.pdf?id=91d6e1d8-4d4f-4b13-b039-6488b36b3da5

Page 22

Works Cited (continued)

Cloud Controls Matrix. (2010, December 15). Retrieved June 16, 2011, from Cloud Security Alliance: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

COBIT Framework for IT Governance and Control. (2011). Retrieved June 15, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

Farrell, R. (2010). Securing the Cloud. Information Security Journal, 6(19), pp. 310-319.

Friedman, A. A., & West, D. M. (2010, October). Issues in Technology Innovation. Retrieved June 14, 2011, from Connections Magazine: http://www.connectionsmagazine.com/papers/10/29.pdf

Greengard, S. (2010). Weaving a Web 2.0 Security Strategy. Baseline, 1(106), pp. 20-24.

Greenwald, J. (2010). Savings Cloud Risks of Outsourcing Tech. Business Insurance, 1(1247), pp. 4-5.

Gregg, M. (2011). 10 Security Concerns for Cloud Computing. Retrieved June 1, 2011, from Global Knowledge: http://www.globalknowledge.ae/knowledge%20centre/white%20papers/virtualisation%20white%20papers/10%20security%20concerns%20for%20cloud.aspx

Hoff, C. (2009). The Economic Denial of Sustainability Concept. Retrieved June 1, 2011, from Rational Security: http://rationalsecurity.typepad.com/blog/edos/

Jarabek, C. (2010). A Review of Cloud Computing Security: Virtualization, Side-Channel Attacks and Management. Retrieved May 31, 2011, from University of Calgary: http://people.ucalgary.ca/~cjjarabe/papers/jarabek_cloud_security.pdf

Lempereur, C., & Cimpean, D. (2011, May 12). An Assurance Framework for Cloud Computing. Retrieved June 18, 2011, from ISACA Berlin: http://www.isaca.be/media/files/an_assurance_framework_for_cloud_computing_12may2011

Loveland, G. (2010). Security Among the Clouds. Compliance Week, 8(83).

Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance.

Page 23

Works Cited (continued)

McMillon, M. (2010). Deconstructing Cloud Computing. Retrieved June 1, 2011, from ISACA Denver: http://www.isaca-denver.org/Chapter-Resources/Cloud_Computing_Security_Public_v1.3.ppt

Mullins, R. J. (2010). New Cloud Security Certification Launched. Information Week, 1(1277), p. 16.

Peterson, R. (2008, September 11). What You Need to Know About Cloud Computing. Retrieved June 15, 2011, from PC Magazine: http://www.pcmag.com/article2/0,2817,2330239,00.asp

Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. Retrieved June 1, 2011, from Massachusetts Institute of Technology: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.150.681&rep=rep1&type=pdf

Shipley, G. (2010). Cloud Computing: Risks. Information Week, 1(1262), pp. 20-23.

The Cloudy Prognosis for Data Security in Virtual Enterprises. (2011). Database Trends and Applications, 25(1), pp. 7-9.

Todd, B. (2000, February 18). Distributed Denial of Service Attacks. Retrieved June 14, 2011, from Linux Security: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html

Top Threats to Cloud Computing. (2010). Retrieved May 24, 2011, from Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats

Transitioning from Section 5970 to CSAE 3416. (2011, March 29). Retrieved June 16, 2011, from PricewaterhouseCoopers: http://www.pwc.com/ca/en/financial-reporting/newsletter/2011-03-29-transitioning-from-section-5970-to-csae-3416.jhtml

Urquhart, J. (2010, November 22). Cloud Security Is Dependent on the Law. Retrieved June 16, 2011, from CNET News: http://news.cnet.com/8301-19413_3-20023507-240.html?part=rss&tag=feed&subj=TheWisdomofClouds

Zetter, K. (2009, April 7). FBI Defends Disruptive Raids on Texas Data Centers. Retrieved June 16, 2011, from Wired: http://www.wired.com/threatlevel/2009/04/data-centers-ra/