SlideShare a Scribd company logo

The Cloud Security Landscape

Peter Wood
Peter Wood

An ethical hacker's view of the cloud security landscape. As presented at the inaugural meeting of the CSA UK & Ireland chapter, March 2011

Related slideshows

Intersect
IntersectIntersect
Intersect
 
Protecting Data on Laptops
Protecting Data on LaptopsProtecting Data on Laptops
Protecting Data on Laptops
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
 
1 of 24
Download to read offline
The Cloud Security Landscape An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
Who am I ? Worked in computers and electronics since 1969 1969 Founded First•Base in 1989 (one of the first ethical hacking firms) - Social engineer & penetration tester - Conference speaker and security ‘expert’ - Chair of Advisory board at CSA UK & Ireland - Vice Chair of BCS Information Risk Management and Audit Group - ISACA Security Advisory Group and Conference Task Force 1989 - Corporate Executive Programme Expert - IISP Interviewer - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP - Registered BCS Security Consultant - Member of ACM, ISACA, ISSA, Mensa 2 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Insecure? • Cloud Security Guidance • Q&A 3 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 4 © First Base Technologies 2011
Cloud Service Models • Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings) • Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage) • Infrastructure (IaaS) consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls) 5 © First Base Technologies 2011
Cloud Deployment Models • Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services • Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on- premises or off-premises • Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises • Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load- balancing between clouds) 6 © First Base Technologies 2011
7 © First Base Technologies 2011
8 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 9 © First Base Technologies 2011
Not the best approach to cloud 10 © First Base Technologies 2011
Typical cloud security questions • Your data is … where? • Which country? • Who has access? • Have staff been vetted? • How well is it segregated from other users? • Is it encrypted? Who holds the keys? • How is it backed up (encrypted? where is it?) • How is it transmitted (encrypted? authenticated?) • Have the providers been tested by a reputable third party? 11 © First Base Technologies 2011
Amrit Williams Blog Observations of a Digitally Enlightened Mind • When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control. • The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail. Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc. http://techbuddha.wordpress.com/ 12 © First Base Technologies 2011
Just a little brainstorm 13 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 14 © First Base Technologies 2011
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 -> V3.0 Cloud Security Alliance http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page 15 © First Base Technologies 2011
Risk Assessment Evaluate your tolerance for moving an asset to various cloud computing models • Identify the asset for the cloud deployment • Evaluate the asset • Map the asset to potential cloud deployment models • Evaluate potential cloud service models and providers • Sketch the potential data flow 16 © First Base Technologies 2011
Identify the asset • Determine exactly what data or function is being considered for the cloud - This should include potential uses of the asset once it moves to the cloud to account for scope creep - Data and transaction volumes are often higher than expected • Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud - For example, host application and data in own data centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service 17 © First Base Technologies 2011
Evaluate the asset How would we be harmed if: • the asset became widely public and widely distributed? • an employee of our cloud provider accessed the asset? • the process or function were manipulated by an outsider? • the process or function failed to provide expected results? • the information/data were unexpectedly changed? • the asset were unavailable for a period of time? 18 © First Base Technologies 2011
Map the asset to potential models • Public • Private, internal/on-premises • Private, external (including dedicated or shared infrastructure) • Community; taking into account the hosting location, potential service provider, and identification of other community members • Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside 19 © First Base Technologies 2011
Evaluate models and providers • In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management • If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment • Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers • If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation 20 © First Base Technologies 2011
Sketch the potential data flow • If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes • While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud • If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points. 21 © First Base Technologies 2011
Conclusions • Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable • Have a rough idea of potential exposure points for sensitive information and operations • These together should give you sufficient context to evaluate any other security controls in the Guidance 22 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 23 © First Base Technologies 2011
Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com

More Related Content

The Cloud Security Landscape

  • 1. The Cloud Security Landscape An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
  • 2. Who am I ? Worked in computers and electronics since 1969 1969 Founded First•Base in 1989 (one of the first ethical hacking firms) - Social engineer & penetration tester - Conference speaker and security ‘expert’ - Chair of Advisory board at CSA UK & Ireland - Vice Chair of BCS Information Risk Management and Audit Group - ISACA Security Advisory Group and Conference Task Force 1989 - Corporate Executive Programme Expert - IISP Interviewer - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP - Registered BCS Security Consultant - Member of ACM, ISACA, ISSA, Mensa 2 © First Base Technologies 2011
  • 3. Agenda • Cloud Computing: Define • Is Cloud Computing Insecure? • Cloud Security Guidance • Q&A 3 © First Base Technologies 2011
  • 4. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 4 © First Base Technologies 2011
  • 5. Cloud Service Models • Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings) • Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage) • Infrastructure (IaaS) consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls) 5 © First Base Technologies 2011
  • 6. Cloud Deployment Models • Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services • Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on- premises or off-premises • Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises • Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load- balancing between clouds) 6 © First Base Technologies 2011
  • 7. 7 © First Base Technologies 2011
  • 8. 8 © First Base Technologies 2011
  • 9. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 9 © First Base Technologies 2011
  • 10. Not the best approach to cloud 10 © First Base Technologies 2011
  • 11. Typical cloud security questions • Your data is … where? • Which country? • Who has access? • Have staff been vetted? • How well is it segregated from other users? • Is it encrypted? Who holds the keys? • How is it backed up (encrypted? where is it?) • How is it transmitted (encrypted? authenticated?) • Have the providers been tested by a reputable third party? 11 © First Base Technologies 2011
  • 12. Amrit Williams Blog Observations of a Digitally Enlightened Mind • When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control. • The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail. Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc. http://techbuddha.wordpress.com/ 12 © First Base Technologies 2011
  • 13. Just a little brainstorm 13 © First Base Technologies 2011
  • 14. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 14 © First Base Technologies 2011
  • 15. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 -> V3.0 Cloud Security Alliance http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page 15 © First Base Technologies 2011
  • 16. Risk Assessment Evaluate your tolerance for moving an asset to various cloud computing models • Identify the asset for the cloud deployment • Evaluate the asset • Map the asset to potential cloud deployment models • Evaluate potential cloud service models and providers • Sketch the potential data flow 16 © First Base Technologies 2011
  • 17. Identify the asset • Determine exactly what data or function is being considered for the cloud - This should include potential uses of the asset once it moves to the cloud to account for scope creep - Data and transaction volumes are often higher than expected • Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud - For example, host application and data in own data centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service 17 © First Base Technologies 2011
  • 18. Evaluate the asset How would we be harmed if: • the asset became widely public and widely distributed? • an employee of our cloud provider accessed the asset? • the process or function were manipulated by an outsider? • the process or function failed to provide expected results? • the information/data were unexpectedly changed? • the asset were unavailable for a period of time? 18 © First Base Technologies 2011
  • 19. Map the asset to potential models • Public • Private, internal/on-premises • Private, external (including dedicated or shared infrastructure) • Community; taking into account the hosting location, potential service provider, and identification of other community members • Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside 19 © First Base Technologies 2011
  • 20. Evaluate models and providers • In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management • If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment • Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers • If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation 20 © First Base Technologies 2011
  • 21. Sketch the potential data flow • If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes • While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud • If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points. 21 © First Base Technologies 2011
  • 22. Conclusions • Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable • Have a rough idea of potential exposure points for sensitive information and operations • These together should give you sufficient context to evaluate any other security controls in the Guidance 22 © First Base Technologies 2011
  • 23. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 23 © First Base Technologies 2011
  • 24. Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com