SlideShare a Scribd company logo

Cloud security Deep Dive 2011

Kim Jensen
Kim Jensen

Cloud security Deep Dive 2011 Infoworld

TechnologyBusiness
1 of 8
Download to read offline
SPECIAL REPORT AUGUST 2011 Cloud Security Deep Dive A new security model for a new era Copyright © 2011 InfoWorld Media Group. All rights reserved.
i Cloud Security Deep Dive 2 Reinventing security for the cloud Cloud computing is a fundamentally new paradigm that challenges traditional security, demanding a new set of security best practices i By Roger A. Grimes software locally. Typically, SaaS offerings are multitenanted: Customers establish accounts on SECURITY CONCERNS are among the leading barriers one huge instance of the software running on to cloud adoption, and rightly so. While security assump- a virtualized infrastructure. Common examples tions and approaches remained largely intact through include Google’s Gmail, Microsoft’s Business other computing revolutions – mainframe to client-server, Online Productivity Suite, and Salesforce.com. client-server to Web – this time it really is different. • Platform as a Service (PaaS). PaaS providers In the past, we knew where the application was give developers complete development environ- running and we knew where our data was stored. We ments in which to code, host, and deliver appli- knew how both were protected. We knew who we cations. The development environment typically were sharing the system with, and we knew how dif- includes the underlying infrastructure, devel- ferent users and groups were being isolated. Cloud opment tools, APIs, and other related services. computing changes all of that. Examples include Google’s App Engine, Micro- Cloud computing introduces new kinds of risks, and soft’s Windows Azure, and Salesforce’s Force.com. it requires a new security model. This paper will discuss the nature of those risks, their impact on cloud security Naturally, many cloud service providers mix two or requirements, and the standards and best practices that more of these cloud service models or cannot be neatly are emerging to address those requirements. placed into one type. Additionally, the type of user who can access the cloud further defines each model, CLOUD COMPUTING MODELS as well as what type of cloud is at issue: Before delving into cloud computing exploits and defenses, it helps to get a basic understanding of cloud • The public cloud. Public clouds are created computing models. Although new models appear to by one vendor and offered to the general pub- be emerging every day, here are the basic ones nearly lic. Public clouds are almost always Internet- everyone agrees on: accessible and multitenanted. • The private cloud. Private clouds are hosted • Infrastructure as a Service (IaaS). IaaS by the same organization that utilizes the ser- provides massively scalable, elastic computing vice (which in general does not support mult- resources via the Internet. Some providers offer itenancy). The primary value proposition is data just a single resource, such as storage space, but accessibility and fault tolerance. most now focus on providing complete computing • The hybrid cloud. This term typically applies platforms for customers’ VMs, including operating to organizations that have set up private cloud system, memory, storage, and processing power. services in combination with external public Clients often pay for only what they use, which cloud services. It also refers to service offerings fits nicely into any company’s computing budget. used exclusively by an invited group of private • Software as a Service (SaaS). SaaS provid- customers (also called a “community cloud”). ers deliver software functionality through the browser, without the end-user having to install For more information, see the National Institute for INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 3 Standards and Technology (NIST) document detailing Just as most clouds are Internet-accessible, they are common cloud terminology. also almost entirely Web-based, with browsers as clients and Web servers as the server endpoint connection. HOW CLOUD COMPUTING IS DIFFERENT Some clouds use simple HTML-based forms and Web Cloud computing is a major departure from traditional pages, but most are an increasingly complex set of Web networks and applications. In general, a service or offer- services and protocols. (Wikipedia has an excellent ing is considered cloud computing if it has at least four beginner’s tutorial on Web services.) of these seven traits: As the Web matures, most things that were once accomplished using a single computer will be executed • Internet (or intranet) accessible by a matrix of Web services, connected together in • A massively scalable, user-configurable pool of most cases by XML, SOAP (or REST), and SAML. As elastic computing resources (such as network Web 2.0 takes over, future security defenders must get bandwidth, compute power, memory, etc.) to know these services and protocols inside and out, • Multitenancy (one large software instance and defend against their deficiencies as they emerge shared by many customer accounts) (and there are bound to be plenty). • A broad authentication scheme • Subscription or usage-based payment MULTITENANCY • Self-service Multitenancy is a major defining trait for public clouds. • Lack of location specificity Typically, in a traditional environment, only the appli- cation’s owner and direct employees can access the All of these traits offer new challenges to the com- application data. In a cloud, multitenancy means that puter security professional, but accessibility, mult- multiple, distinct, separate end-user parties share the itenancy, broad authentication, and lack of location same service and/or resources. End-users may be aware specificity are the four items responsible for the biggest of this fact and may even be able to directly interact technology shift and demand for new security solutions. with other end-users. Or they may be unaware that resources are shared and that this is a risk. ACCESS TO THE INTERNET OR In a cloud, risk looms that the parties sharing that INTRANETS EQUALS HIGH RISK cloud will be able to — unintentionally or intentionally We already know that any computing resource that is — access one another’s private data. This has been the Internet accessible is at a higher risk than one that is case in cloud exploits with major cloud providers during not. It’s how most of the bad guys break into comput- the past few years. In some cases, all it took was modify- ers today, whether it involves social-engineered Trojan ing a client’s unique identifier, sent over in the browser horse programs, viruses, or human attackers. High-risk request, to another identifier, and up comes another cli- environments, like the top secret classified systems of ent’s data. Sometimes spillage has occurred when a bug most governments, usually aren’t allowed to connect to a in the cloud service offered up too much data without network that can connect to the Internet. Too much risk. the client doing anything out of the ordinary. Clouds don’t use VPN technologies. With cloud With IaaS-based clouds in particular, security research- computing, it’s assumed that all users and application ers are discovering a brand new class of vulnerabilities resources are Internet- or intranet-accessible, with all that did not exist in the old world. For example, attackers the elevated risk that implies. This means that anony- are finding ways to “cyberjack” another tenant’s data and mous attackers can access connection points just as any resources by discovering other tenant’s IP addresses and legitimate user or manager of the system can. In a tradi- computer resources or by searching for other people’s data tional computing environment, only a small percentage remnants after they release unneeded resources back to of servers are Internet-accessible. In cloud computing, the cloud. As it turns out, some cloud vendors don’t erase most servers are Internet-accessible. This must change or format the freed-up storage or memory resources. the security defender’s thinking. It’s too early to know whether these types of risks INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 4 will decrease as cloud security matures or whether they services include OpenID, InfoCard, and LiveID. Many will remain a fixture that defines the new threat model. of these authentication services are interoperable with each other and use common protocols such as XML, BROAD AUTHENTICATION SCHEMES SOAP, SAML, Web services, WS-Federation, and so on. Internet accessibility and multitenancy pose a chal- In the Web 2.0 world, each Web site (or cloud pro- lenge when determining how to authenticate large vider) can choose which federated identity service to numbers of different clients. In the traditional model, work with and accept. The Web site or service provider each authenticating user has a full user account located can require particular types of identity assurance (such in the application’s authentication database (or direc- as a simple password, smartcard, or biometric device) tory service). But scaling and multitenancy complicates before a user can participate. For example, a cancer the process, because conventional authentication ser- survivor Web site may wish to allow anonymous users vices tend to offer access to shared common resources whereas an online banking Web site may require a site- by default. In Active Directory, for example, mem- issued smartcard or other authenticating token to log on. bers of the Everyone group can see and list all sorts of Conversely, users may be able to submit only the resources that a cloud provider would probably not identity data they wish to share with the participat- want every client to see. ing service provider (called claims-based identity). For Initially, many cloud providers tried to solve this example, a user purchasing alcohol via the Internet may problem by using proprietary or private authentication need only to prove that he or she are over the legal services. But these services rarely have the scalabil- drinking age but not have to show his or her actual ity and functionality needed. First-generation clouds identity or birthdate. A central tenet of any good iden- required that all end-users have separate accounts in tity metasystem is that users should only have to show their databases — similar to the way Web surfers need the bare minimum of identity information necessary to log on separately to each website where they have to access the offered service and perform the desired an account. (For example, your Facebook account is transaction. Submitting (or requesting) too much iden- not related to your Amazon or iTunes accounts). This is tity information is considered very “Web 1.0.” known as “Web Identity 1.0” in identity system circles. In the Identity 2.0 model, authenticated anonymity Clearly, asking end-users to create and manage sepa- (called pseudo-anonymity) is possible. In this case, a rate log-on accounts for every future Web service they trusted third party knows the user’s real identity and will use doesn’t scale — for a multitude of reasons. Using has authenticated him or her, but hands out a different one big SSO (single sign-on) solution that interacted with identity credential that is trusted by the Web service participating Web sites became the “Web Identity 1.5” provider. Thus, that user can use the Web service with- way of doing things. With this authentication model, out revealing his or her true identity to the Web site. users registered with an “independent,” centralized authority to obtain an SSO ID. Then, when visiting par- THE EFFECT OF BROAD AUTHENTICATION ticipating Web sites, the user could enter their SSO cre- ON CLOUD COMPUTING dentials to gain access. An example of this sort of solution In the near future, it’s likely that both private and public was Microsoft’s Passport (now morphed into LiveID) and clouds will support Web 2.0 identities. Users of private other protocols created by the Liberty Alliance. clouds will likely use their SSO to access public cloud But many people balked at the idea of a single entity services, while external users may use their SSO to handling everyone’s SSO accounts. What evolved is access your company’s private or hybrid cloud offering. known as “Web Identity 2.0,” or federated identity, as The security impact of this is that a cloud attacker well as identity metasystems. With Web Identity 2.0, is likely to be an authenticated user within the cloud there can be a multitude of identity services (made system at the onset of an attack. By contrast, the old up of both centrally managed and single, stand-alone assumption is that the attacker didn’t start with authen- identities) that can interoperate with a large number ticated access and needed to gain original access to of Web sites and services. Popular individual identity begin high-level system exploitation. INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 5 For example, consider two of the earliest and largest exploitation of application vulnerabilities, session contami- cloud services: Google Gmail and Microsoft Hotmail nation, network attacks, man-in-the-middle attacks, social (now called LiveMail). Both contain millions of authen- engineering, and so on. But the unique characteristics of ticated users and both now support newer SSO forms cloud computing present a new set of challenges as well. such as OpenID and InfoCard. Google and Microsoft Start by assuming attackers are logged-in, authenti- have no idea which users are legitimate and which cated users, and begin your defenses from there — and intend to do harm to other users or to the service itself. there may be many attackers, thanks to the cloud’s Identity is still a work in progress. Solutions will change global reach. This level of attacker access means that and morph as people begin to adopt the cloud in great many conventional defenses (such as separated security numbers. And as new needs emerge, new solutions and pro- zones, firewalls, and so on) will have little relevance. tocols will need to be invented. Whatever trajectory these future developments take, Identity 2.0 is new paradigm that CLOUD SECURITY DEFENSE CLASSIFICATIONS requires a huge mind shift in computer security defenders. Managing cloud security is different than maintain- ing ordinary enterprise security. Security professionals LACK OF LOCATION SPECIFICITY should analyze all cloud offerings (including their own) The term “cloud” implies that a service is available widely, within a holistic security framework to make sure all if not globally, with a multitude of origination and des- angles are covered. tination points. The specific location of the computing Keep in mind that each combination of cloud ser- resources for a given cloud may not be immediately iden- vices has its own unique set of risks and countermea- tifiable by either the client, the cloud vendor, or both. In sures. Table 1 organizes these variables into a set of a traditional network offering, the user or vendor often is classifications and subtopics intended to generate fur- aware of where the application or data is being hosted. ther discussion and analysis. This brings up all sorts of interesting dilemmas. For example: How are security defenders supposed to CLOUD DEFENSE BEST PRACTICES protect data when they don’t even know where it is? Enterprise security is a vast discipline and each of How can a cloud provider identify a client’s data (for its many aspects must be reexamined in light of the legal and other purposes)? How does the cloud pro- cloud. Take user deprovisioning as an example. Nor- vider securely erase a client’s data if the client exits the mally, when an employee leaves a company, access to cloud solution? How can a particular client’s data be company applications and data is removed. But if that prevented from leaving the host country of origin, if employee has subscribed to cloud services on behalf of even the cloud operators don’t know where the data is? the company, from the beginning the company should have had the technology in place to track those sub- THE ROLE OF VIRTUALIZATION scriptions, or the former employee may still be able Virtualization tends to play a big role in cloud services, access company data. You can’t deprovision if you don’t either as the underpinning for the service or, in the case know what was provisioned in the first place. of IaaS, as part of the cloud service offering itself. And virtualization has every security risk that a physical com- CLOUD AUDITS puter environment has — plus guest-to-host and guest-to- For many cloud users, these questions can be answered guest vulnerabilities. Clearly, cloud computing amounts to only by asking the vendor and by verifying the controls. more than just semantic games. It presents a unique set of Many cloud providers have conducted third-party audits challenges that security defenders must rise up to meet. on themselves and will release the results to interested customers. Today, the Statement on Auditing Standards CLOUD SECURITY DEFENSES (SAS) 70 Type II audit is the most common cloud audit Cloud security is an evolving field. To begin with, cloud you’ll find in the U.S. There are many others, and no solutions are subject to all the conventional attacks single cloud auditing standard is accepted globally. If — buffer overflows, password attacks, physical attacks, the cloud vendor cannot provide an acceptable auditing INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 6 TABLE 1: CLOUD SECURITY CLASSIFICATIONS AND SUBTOPICS A security defender responsible for cloud security should consider a wide range of parameters when developing a cloud security defense plan. SECURITY CLASSIFICATION RELATED SUBTOPICS Infrastructure security Physical security, environmental controls, business continuity/disaster recovery, network infrastructure, firewalls, proxies, routers, access control lists, staffing/employee background checks, availability (performance and anti-DoS), security policies (including what can be made available to customers), remote access, mobile access and platforms, identity/authentication/federation, billing systems, virtualization issues, high availability Resource provisioning Provisioning; modification; ownership and control, access; deprovisioning; reuse/ reassignment of: users, computing resources, computer systems, or IP address space; domain name services; directory services; self-service configuration management Storage and data security Privacy/privacy controls, data tagging, data storage zoning, data retention policies, data permanence/deletion, encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security Management Act), digital signing/integrity attestation, multitenancy issues, archiving, backup, recovery, data classification, locality requirements, malicious data aggregation prevention Application security Security design lifecycle, identity/authentication/federation, session management, data input (if applicable) validation, error handling, vulnerability testing, patching, authentication, data integration/ exchange, APIs, proxies, application sandboxing, versioning, bug/issue tracking Audit/compliance Logging, monitoring, auditing, compliance, accreditation, legal issues, regulations, locality requirements, discovery, forensics, SLAs, public communication plans, fraud detection General security Anti-malware, anti-spam, patching, incident response, data leak prevention report, ask if the cloud provider is willing to conduct wanted to admit. The cloud, with authenticated attack- routine audits using an industry-accepted format (such ers, just puts the nail in the coffin. as CloudAudit, CloudTrust, ISACA’s Cloud Computing What is a security defender to do? Well, for one, Management Audit/Assurance Program). Cloud ven- think in terms of data classification and ownership and dors are still waiting for something as widely respected marry that with strong security domain isolation. Cloud as the standard corporate financial audit, but this is providers should have ways for defenders to mark or quickly starting to change (see the Cloud Security Alli- tag data with ownership and security classification and ance section below). to enable defenses based upon those attributes. Data should be protected in such a way that unauthorized SAY GOODBYE TO THE DMZ (but authenticated, multitenanted) viewers can be pre- One of the major changes from traditional computing vented from seeing another’s data. If a client needs is the pervasiveness of the cloud. By its very defini- to prevent its data from leaving its home country, the tion, it is meant to be everywhere. If the DMZ wasn’t cloud provider should make sure the data never does. dead before, it certainly is now. The DMZ was always Cloud providers should physically prevent (using porous, with many more holes than any defender physical network dividers, routers, switches, IPSec, INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 7 access control lists, and so on) server and data com- defenses and response plans ready to go. All the hard mingling. If a particular server never needs to talk to work and peering agreements should be established most other servers, it should be prevented from doing ahead of time. so. If a client computer shouldn’t be able to talk to other client computers, make sure there is no way for USE DNS SECURITY an authenticated users to leverage cloud access to gain If your cloud provider’s DNS services support it, con- access to the other. sider implementing DNSSEC (DNS Security) between your DNS servers and the provider’s DNS servers. ENCRYPT YOUR DATA Once enabled, DNSSEC ensures that dependent cli- Data should always be encrypted when stored (using ents always get verified, authenticated DNS resolution separate symmetric encryption keys) and transmitted. If entries from authoritative DNS servers. Unfortunately, this is implemented appropriately, even if another ten- DNSSEC is enabled only on a small percentage of ant can access the data, all that will appear is gibberish. DNS providers. Ask your cloud provider if it will con- Shared symmetric keys for data encryption should be sider creating DNSSEC “trust anchors” between your discouraged, yet tenants should be able to access their site(s) and the provider’s — or consider implementing own encryption keys and change them when neces- static DNS records on your side, to prevent malicious sary. Cloud providers should not have ready access to DNS redirection attacks. tenant encryption keys. USE RED HERRINGS AND AN EARLY USE STRONG AUTHENTICATION WARNING SYSTEM Make sure any Identity 2.0 system you participate in Some cloud providers and customers create “red her- has a strong history of good security and uses open ring” data as an early warning system. Red herring data protocols. Proprietary, single-site authentications sys- is fake data that is injected into a database and then tems may seem to present lower risk than shared sys- monitored to see if it “leaks out.” For instance, suppose tems do, but the information surrounding proprietary the cloud provider creates complete client records for systems is rarely shared. Systems that use and support Fred and Wilma Flintstone. Everything about the fake open standards usually have the added protection of record would be unlikely to exist in the real world. community analysis. Weaknesses are frequently found Then the cloud vendor (or client) uses data leak detec- early and coded out. Newfound vulnerabilities are usu- tion systems and procedures to monitor for that specific ally shared and fixed faster. data. If the data is found outside the cloud provider’s system, then it could be an early warning that malicious PREPARE TO PREVENT DDoS ATTACKS data theft has occurred and should be investigated. Attackers are often content with simply denying legiti- mate users access to their services using DDoS attacks. KILL ALL OLD DATA Luckily cloud systems are usually very resilient against Cloud providers should ensure that all data no longer simple flood attacks and excel at ramping up more needed is permanently erased from computer mem- bandwidth and resources in the face of gigabytes of ory and storage. Shared resources shouldn’t mean per- malicious traffic. manently shared storage. Clients should contact cloud Be aware, however, that attackers may attempt to providers to make sure that all submitted data is solely take down upstream or downstream nodes that are owned by the client and learn what measures providers not under the control of the cloud provider. More take to ensure the permanent deletion of unneeded data. than one Internet access provider has been forced to cut off access for a victimized site simply to preserve CLOUD SECURITY ALLIANCE GUIDANCE access for everyone else. You shouldn’t be forced to The Cloud Security Alliance is quickly becoming the come up with creative defenses the first time you’re hit most respected source of guidance for cloud security. with a DDoS, so make sure you have adequate DDoS I especially encourage interested readers to review INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
i Cloud Security Deep Dive 8 Security Guidance for Critical Areas of Focus in Cloud Excel spreadsheet created for cloud service providers Computing. This document breaks down cloud security and auditors. It maps security controls to popular com- into thirteen different domains including: pliance requirements such as COBIT, HIPAA, and PCI DSS. CSA’s Consensus Assessments Initiative Question- • Governance and Enterprise Risk Management naire is a Microsoft Excel spreadsheet listing well over a • Legal and Electronic Discovery hundred questions that map back to the controls listed • Information Lifecycle Management in the Cloud Controls Matrix. Both of these documents • Portability and Interoperability are meant to be used together. • Business Continuity and Disaster Recovery My only complaint is that the controls and con- • Data Center Operations trol questions are fairly general. For instance, asking • Incident Response the cloud provider if data is encrypted at rest only • Application Security starts to get at what you really need to know, which is • Encryption and Key Management how the encryption has been implemented. The best • Identity and Access Management encryption algorithms have been pushed aside by poor • Virtualization deployment practices. Still, the CSA is the best independent source of The CSA has done an excellent job of highlighting cloud security advice today. If you’re considering a all the computer security bases as they apply to cloud service, you’ll want to find out how it measures cloud offerings. up to the CSA’s guidelines. For an example, see Micro- The CSA’s Cloud Controls Matrix is a Microsoft soft’s Office 365 Standard Response Document. i ADDITIONAL RESOURCES Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web assets are excellent sources of additional information: NIST’s cloud section A great place to quickly get up csrc.nist.gov/groups/SNS/cloud-computing to speed on cloud terminology without reading a book. Cloud Security Alliance www.cloudsecurityalliance.org/certifyme.html IT Certification Cloud Threats and blogs.msdn.com/b/jmeier/archive/2010/07/08/ Security Measures cloud-security-threats-and-countermeasures-at-a-glance.aspx MSDN, J. Meier Black Hat Webcast: An interesting Webcast. www.blackhat.com/html/Webcast/Webcast-2010_cloudsec.html Chewing the Cloud: on cloud attacks Attacking Cloud-Based Services INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011

Recommended

Mitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsMitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsKim Jensen
 
State of Internet 2H 2008
State of Internet 2H 2008State of Internet 2H 2008
State of Internet 2H 2008Kim Jensen
 
Project 3
Project 3Project 3
Project 3Priyanka Goswami
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group
 
Dallas websecuritygroup addressing-top-security-threats-v2
Dallas websecuritygroup addressing-top-security-threats-v2Dallas websecuritygroup addressing-top-security-threats-v2
Dallas websecuritygroup addressing-top-security-threats-v2Dallas Web Security Group
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityNational LECET
 

Recommended

Mitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsMitigating Web 2.0 Threats
Mitigating Web 2.0 ThreatsKim Jensen
 
State of Internet 2H 2008
State of Internet 2H 2008State of Internet 2H 2008
State of Internet 2H 2008Kim Jensen
 
Project 3
Project 3Project 3
Project 3Priyanka Goswami
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group - February Meeting - Addressing Top Security ThreatsDallas Web Security Group
 
Dallas websecuritygroup addressing-top-security-threats-v2
Dallas websecuritygroup addressing-top-security-threats-v2Dallas websecuritygroup addressing-top-security-threats-v2
Dallas websecuritygroup addressing-top-security-threats-v2Dallas Web Security Group
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118AngelaHoltby
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityNational LECET
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Case study
Case studyCase study
Case studyShehrevar Davierwala
 
Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby
 
Security and privacy
Security and privacySecurity and privacy
Security and privacyMohammed Adam
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data securityUlf Mattsson
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College WorkshopRahul Nayan
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the CloudChirag Joshi, CISA, CISM, CRISC
 
Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Ioannis Aligizakis, M.Sc.
 
Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]DeepNines Technologies
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019PECB
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundaryDean Iacovelli
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securitysiswarren
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber ResilienceIan-Edward Stafrace
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalCheryl Goldberg
 
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...RAMP Group
 
Unified communication by hp
Unified communication by hpUnified communication by hp
Unified communication by hpKim Jensen
 

More Related Content

What's hot

Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby
 
Security and privacy
Security and privacySecurity and privacy
Security and privacyMohammed Adam
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data securityUlf Mattsson
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College WorkshopRahul Nayan
 
Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Ioannis Aligizakis, M.Sc.
 
Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]DeepNines Technologies
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeIan Lee
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019PECB
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundaryDean Iacovelli
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securitysiswarren
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowStephen Cobb
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalCheryl Goldberg
 

What's hot (20)

Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Case study
Case studyCase study
Case study
 
Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016Tim Willoughby presentation to cloud workshop 2016
Tim Willoughby presentation to cloud workshop 2016
 
Security and privacy
Security and privacySecurity and privacy
Security and privacy
 
ISSA: Cloud data security
ISSA: Cloud data securityISSA: Cloud data security
ISSA: Cloud data security
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College Workshop
 
Practical Security for the Cloud
Practical Security for the CloudPractical Security for the Cloud
Practical Security for the Cloud
 
Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy Microsoft Cyber Defense Operation Center Strategy
Microsoft Cyber Defense Operation Center Strategy
 
Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]Defending Against Modern Threats Wp Lr[1]
Defending Against Modern Threats Wp Lr[1]
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
Master Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian LeeMaster Thesis Security in Distributed Databases- Ian Lee
Master Thesis Security in Distributed Databases- Ian Lee
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019
 
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary"Evolving Cybersecurity Strategies" - Identity is the new security boundary
"Evolving Cybersecurity Strategies" - Identity is the new security boundary
 
ACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of securityACS Talk (Melbourne) - The future of security
ACS Talk (Melbourne) - The future of security
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Cyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrowCyberskills shortage: Where is the cyber workforce of tomorrow
Cyberskills shortage: Where is the cyber workforce of tomorrow
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber Security
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
Akamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_FinalAkamai___WebSecurity_eBook_Final
Akamai___WebSecurity_eBook_Final
 

Viewers also liked

The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...RAMP Group
 
Unified communication by hp
Unified communication by hpUnified communication by hp
Unified communication by hpKim Jensen
 
Unified communication
Unified communicationUnified communication
Unified communicationKim Jensen
 
The Woo themes story - by Adriaan Pienaar
The Woo themes story - by Adriaan PienaarThe Woo themes story - by Adriaan Pienaar
The Woo themes story - by Adriaan PienaarRAMP Group
 
Websense Cortex Whitepaper
Websense Cortex WhitepaperWebsense Cortex Whitepaper
Websense Cortex WhitepaperKim Jensen
 
Buyers Guide To Messaging Security Dec 2009
Buyers Guide To Messaging Security Dec 2009Buyers Guide To Messaging Security Dec 2009
Buyers Guide To Messaging Security Dec 2009Kim Jensen
 
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009RAMP Group
 

Viewers also liked (8)

The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
The Sophisticat, the Elephant, and the Secret of the Digital Native - by Arth...
 
Unified communication by hp
Unified communication by hpUnified communication by hp
Unified communication by hp
 
Unified communication
Unified communicationUnified communication
Unified communication
 
The Woo themes story - by Adriaan Pienaar
The Woo themes story - by Adriaan PienaarThe Woo themes story - by Adriaan Pienaar
The Woo themes story - by Adriaan Pienaar
 
Websense Cortex Whitepaper
Websense Cortex WhitepaperWebsense Cortex Whitepaper
Websense Cortex Whitepaper
 
Buyers Guide To Messaging Security Dec 2009
Buyers Guide To Messaging Security Dec 2009Buyers Guide To Messaging Security Dec 2009
Buyers Guide To Messaging Security Dec 2009
 
Uma panorâmica de Veneza
Uma panorâmica de VenezaUma panorâmica de Veneza
Uma panorâmica de Veneza
 
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009
Dave Duarte - Intergrate web & mobile into your marketing mix - Net Prophet 2009
 

Similar to Cloud security Deep Dive 2011

Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Kim Jensen
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecuritydrewz lin
 
Cloud computing final format(1)
Cloud computing final format(1)Cloud computing final format(1)
Cloud computing final format(1)ahmed elmeghiny
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..manoj kumar
 
Issues in cloud computing
Issues in cloud computingIssues in cloud computing
Issues in cloud computingronak patel
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIaetsd Iaetsd
 
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGA STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGEr Piyush Gupta IN ⊞⌘
 
Fog computing document
Fog computing documentFog computing document
Fog computing documentsravya raju
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportVivek Maurya
 
Public cloud: A Review
Public cloud: A ReviewPublic cloud: A Review
Public cloud: A ReviewAjay844
 
Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...csandit
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...cscpconf
 
INTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTINGINTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTINGTanmoy Barman
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...white paper
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computingEr. Saba karim
 
fog computing provide security to the data in cloud
fog computing provide security to the data in cloudfog computing provide security to the data in cloud
fog computing provide security to the data in cloudpriyanka reddy
 

Similar to Cloud security Deep Dive 2011 (20)

Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011Cloud security deep dive infoworld jan 2011
Cloud security deep dive infoworld jan 2011
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecurity
 
Cloud computing final format(1)
Cloud computing final format(1)Cloud computing final format(1)
Cloud computing final format(1)
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..
 
Issues in cloud computing
Issues in cloud computingIssues in cloud computing
Issues in cloud computing
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environment
 
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGA STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
 
Fog computing document
Fog computing documentFog computing document
Fog computing document
 
Eb31854857
Eb31854857Eb31854857
Eb31854857
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” report
 
Public cloud: A Review
Public cloud: A ReviewPublic cloud: A Review
Public cloud: A Review
 
Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...Design and implement a new cloud security method based on multi clouds on ope...
Design and implement a new cloud security method based on multi clouds on ope...
 
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
DESIGN AND IMPLEMENT A NEW CLOUD SECURITY METHOD BASED ON MULTI CLOUDS ON OPE...
 
INTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTINGINTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTING
 
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
Safety in the Cloud(s): 'Vaporizing' the Web Application Firewall to Secure C...
 
Securing The Journey To The Cloud
Securing The Journey To The Cloud Securing The Journey To The Cloud
Securing The Journey To The Cloud
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 
fog computing provide security to the data in cloud
fog computing provide security to the data in cloudfog computing provide security to the data in cloud
fog computing provide security to the data in cloud
 
Fog doc
Fog doc Fog doc
Fog doc
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 

More from Kim Jensen

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsKim Jensen
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter packKim Jensen
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedKim Jensen
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003Kim Jensen
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Kim Jensen
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportKim Jensen
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UKKim Jensen
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Kim Jensen
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012Kim Jensen
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Kim Jensen
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Kim Jensen
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011Kim Jensen
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Kim Jensen
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web SecurityKim Jensen
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Kim Jensen
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Kim Jensen
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Kim Jensen
 
Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Kim Jensen
 

More from Kim Jensen (20)

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter pack
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updated
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security Report
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UK
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web Security
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)
 
Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)
 

Recently uploaded

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

Cloud security Deep Dive 2011

  • 1. SPECIAL REPORT AUGUST 2011 Cloud Security Deep Dive A new security model for a new era Copyright © 2011 InfoWorld Media Group. All rights reserved.
  • 2. i Cloud Security Deep Dive 2 Reinventing security for the cloud Cloud computing is a fundamentally new paradigm that challenges traditional security, demanding a new set of security best practices i By Roger A. Grimes software locally. Typically, SaaS offerings are multitenanted: Customers establish accounts on SECURITY CONCERNS are among the leading barriers one huge instance of the software running on to cloud adoption, and rightly so. While security assump- a virtualized infrastructure. Common examples tions and approaches remained largely intact through include Google’s Gmail, Microsoft’s Business other computing revolutions – mainframe to client-server, Online Productivity Suite, and Salesforce.com. client-server to Web – this time it really is different. • Platform as a Service (PaaS). PaaS providers In the past, we knew where the application was give developers complete development environ- running and we knew where our data was stored. We ments in which to code, host, and deliver appli- knew how both were protected. We knew who we cations. The development environment typically were sharing the system with, and we knew how dif- includes the underlying infrastructure, devel- ferent users and groups were being isolated. Cloud opment tools, APIs, and other related services. computing changes all of that. Examples include Google’s App Engine, Micro- Cloud computing introduces new kinds of risks, and soft’s Windows Azure, and Salesforce’s Force.com. it requires a new security model. This paper will discuss the nature of those risks, their impact on cloud security Naturally, many cloud service providers mix two or requirements, and the standards and best practices that more of these cloud service models or cannot be neatly are emerging to address those requirements. placed into one type. Additionally, the type of user who can access the cloud further defines each model, CLOUD COMPUTING MODELS as well as what type of cloud is at issue: Before delving into cloud computing exploits and defenses, it helps to get a basic understanding of cloud • The public cloud. Public clouds are created computing models. Although new models appear to by one vendor and offered to the general pub- be emerging every day, here are the basic ones nearly lic. Public clouds are almost always Internet- everyone agrees on: accessible and multitenanted. • The private cloud. Private clouds are hosted • Infrastructure as a Service (IaaS). IaaS by the same organization that utilizes the ser- provides massively scalable, elastic computing vice (which in general does not support mult- resources via the Internet. Some providers offer itenancy). The primary value proposition is data just a single resource, such as storage space, but accessibility and fault tolerance. most now focus on providing complete computing • The hybrid cloud. This term typically applies platforms for customers’ VMs, including operating to organizations that have set up private cloud system, memory, storage, and processing power. services in combination with external public Clients often pay for only what they use, which cloud services. It also refers to service offerings fits nicely into any company’s computing budget. used exclusively by an invited group of private • Software as a Service (SaaS). SaaS provid- customers (also called a “community cloud”). ers deliver software functionality through the browser, without the end-user having to install For more information, see the National Institute for INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 3. i Cloud Security Deep Dive 3 Standards and Technology (NIST) document detailing Just as most clouds are Internet-accessible, they are common cloud terminology. also almost entirely Web-based, with browsers as clients and Web servers as the server endpoint connection. HOW CLOUD COMPUTING IS DIFFERENT Some clouds use simple HTML-based forms and Web Cloud computing is a major departure from traditional pages, but most are an increasingly complex set of Web networks and applications. In general, a service or offer- services and protocols. (Wikipedia has an excellent ing is considered cloud computing if it has at least four beginner’s tutorial on Web services.) of these seven traits: As the Web matures, most things that were once accomplished using a single computer will be executed • Internet (or intranet) accessible by a matrix of Web services, connected together in • A massively scalable, user-configurable pool of most cases by XML, SOAP (or REST), and SAML. As elastic computing resources (such as network Web 2.0 takes over, future security defenders must get bandwidth, compute power, memory, etc.) to know these services and protocols inside and out, • Multitenancy (one large software instance and defend against their deficiencies as they emerge shared by many customer accounts) (and there are bound to be plenty). • A broad authentication scheme • Subscription or usage-based payment MULTITENANCY • Self-service Multitenancy is a major defining trait for public clouds. • Lack of location specificity Typically, in a traditional environment, only the appli- cation’s owner and direct employees can access the All of these traits offer new challenges to the com- application data. In a cloud, multitenancy means that puter security professional, but accessibility, mult- multiple, distinct, separate end-user parties share the itenancy, broad authentication, and lack of location same service and/or resources. End-users may be aware specificity are the four items responsible for the biggest of this fact and may even be able to directly interact technology shift and demand for new security solutions. with other end-users. Or they may be unaware that resources are shared and that this is a risk. ACCESS TO THE INTERNET OR In a cloud, risk looms that the parties sharing that INTRANETS EQUALS HIGH RISK cloud will be able to — unintentionally or intentionally We already know that any computing resource that is — access one another’s private data. This has been the Internet accessible is at a higher risk than one that is case in cloud exploits with major cloud providers during not. It’s how most of the bad guys break into comput- the past few years. In some cases, all it took was modify- ers today, whether it involves social-engineered Trojan ing a client’s unique identifier, sent over in the browser horse programs, viruses, or human attackers. High-risk request, to another identifier, and up comes another cli- environments, like the top secret classified systems of ent’s data. Sometimes spillage has occurred when a bug most governments, usually aren’t allowed to connect to a in the cloud service offered up too much data without network that can connect to the Internet. Too much risk. the client doing anything out of the ordinary. Clouds don’t use VPN technologies. With cloud With IaaS-based clouds in particular, security research- computing, it’s assumed that all users and application ers are discovering a brand new class of vulnerabilities resources are Internet- or intranet-accessible, with all that did not exist in the old world. For example, attackers the elevated risk that implies. This means that anony- are finding ways to “cyberjack” another tenant’s data and mous attackers can access connection points just as any resources by discovering other tenant’s IP addresses and legitimate user or manager of the system can. In a tradi- computer resources or by searching for other people’s data tional computing environment, only a small percentage remnants after they release unneeded resources back to of servers are Internet-accessible. In cloud computing, the cloud. As it turns out, some cloud vendors don’t erase most servers are Internet-accessible. This must change or format the freed-up storage or memory resources. the security defender’s thinking. It’s too early to know whether these types of risks INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 4. i Cloud Security Deep Dive 4 will decrease as cloud security matures or whether they services include OpenID, InfoCard, and LiveID. Many will remain a fixture that defines the new threat model. of these authentication services are interoperable with each other and use common protocols such as XML, BROAD AUTHENTICATION SCHEMES SOAP, SAML, Web services, WS-Federation, and so on. Internet accessibility and multitenancy pose a chal- In the Web 2.0 world, each Web site (or cloud pro- lenge when determining how to authenticate large vider) can choose which federated identity service to numbers of different clients. In the traditional model, work with and accept. The Web site or service provider each authenticating user has a full user account located can require particular types of identity assurance (such in the application’s authentication database (or direc- as a simple password, smartcard, or biometric device) tory service). But scaling and multitenancy complicates before a user can participate. For example, a cancer the process, because conventional authentication ser- survivor Web site may wish to allow anonymous users vices tend to offer access to shared common resources whereas an online banking Web site may require a site- by default. In Active Directory, for example, mem- issued smartcard or other authenticating token to log on. bers of the Everyone group can see and list all sorts of Conversely, users may be able to submit only the resources that a cloud provider would probably not identity data they wish to share with the participat- want every client to see. ing service provider (called claims-based identity). For Initially, many cloud providers tried to solve this example, a user purchasing alcohol via the Internet may problem by using proprietary or private authentication need only to prove that he or she are over the legal services. But these services rarely have the scalabil- drinking age but not have to show his or her actual ity and functionality needed. First-generation clouds identity or birthdate. A central tenet of any good iden- required that all end-users have separate accounts in tity metasystem is that users should only have to show their databases — similar to the way Web surfers need the bare minimum of identity information necessary to log on separately to each website where they have to access the offered service and perform the desired an account. (For example, your Facebook account is transaction. Submitting (or requesting) too much iden- not related to your Amazon or iTunes accounts). This is tity information is considered very “Web 1.0.” known as “Web Identity 1.0” in identity system circles. In the Identity 2.0 model, authenticated anonymity Clearly, asking end-users to create and manage sepa- (called pseudo-anonymity) is possible. In this case, a rate log-on accounts for every future Web service they trusted third party knows the user’s real identity and will use doesn’t scale — for a multitude of reasons. Using has authenticated him or her, but hands out a different one big SSO (single sign-on) solution that interacted with identity credential that is trusted by the Web service participating Web sites became the “Web Identity 1.5” provider. Thus, that user can use the Web service with- way of doing things. With this authentication model, out revealing his or her true identity to the Web site. users registered with an “independent,” centralized authority to obtain an SSO ID. Then, when visiting par- THE EFFECT OF BROAD AUTHENTICATION ticipating Web sites, the user could enter their SSO cre- ON CLOUD COMPUTING dentials to gain access. An example of this sort of solution In the near future, it’s likely that both private and public was Microsoft’s Passport (now morphed into LiveID) and clouds will support Web 2.0 identities. Users of private other protocols created by the Liberty Alliance. clouds will likely use their SSO to access public cloud But many people balked at the idea of a single entity services, while external users may use their SSO to handling everyone’s SSO accounts. What evolved is access your company’s private or hybrid cloud offering. known as “Web Identity 2.0,” or federated identity, as The security impact of this is that a cloud attacker well as identity metasystems. With Web Identity 2.0, is likely to be an authenticated user within the cloud there can be a multitude of identity services (made system at the onset of an attack. By contrast, the old up of both centrally managed and single, stand-alone assumption is that the attacker didn’t start with authen- identities) that can interoperate with a large number ticated access and needed to gain original access to of Web sites and services. Popular individual identity begin high-level system exploitation. INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 5. i Cloud Security Deep Dive 5 For example, consider two of the earliest and largest exploitation of application vulnerabilities, session contami- cloud services: Google Gmail and Microsoft Hotmail nation, network attacks, man-in-the-middle attacks, social (now called LiveMail). Both contain millions of authen- engineering, and so on. But the unique characteristics of ticated users and both now support newer SSO forms cloud computing present a new set of challenges as well. such as OpenID and InfoCard. Google and Microsoft Start by assuming attackers are logged-in, authenti- have no idea which users are legitimate and which cated users, and begin your defenses from there — and intend to do harm to other users or to the service itself. there may be many attackers, thanks to the cloud’s Identity is still a work in progress. Solutions will change global reach. This level of attacker access means that and morph as people begin to adopt the cloud in great many conventional defenses (such as separated security numbers. And as new needs emerge, new solutions and pro- zones, firewalls, and so on) will have little relevance. tocols will need to be invented. Whatever trajectory these future developments take, Identity 2.0 is new paradigm that CLOUD SECURITY DEFENSE CLASSIFICATIONS requires a huge mind shift in computer security defenders. Managing cloud security is different than maintain- ing ordinary enterprise security. Security professionals LACK OF LOCATION SPECIFICITY should analyze all cloud offerings (including their own) The term “cloud” implies that a service is available widely, within a holistic security framework to make sure all if not globally, with a multitude of origination and des- angles are covered. tination points. The specific location of the computing Keep in mind that each combination of cloud ser- resources for a given cloud may not be immediately iden- vices has its own unique set of risks and countermea- tifiable by either the client, the cloud vendor, or both. In sures. Table 1 organizes these variables into a set of a traditional network offering, the user or vendor often is classifications and subtopics intended to generate fur- aware of where the application or data is being hosted. ther discussion and analysis. This brings up all sorts of interesting dilemmas. For example: How are security defenders supposed to CLOUD DEFENSE BEST PRACTICES protect data when they don’t even know where it is? Enterprise security is a vast discipline and each of How can a cloud provider identify a client’s data (for its many aspects must be reexamined in light of the legal and other purposes)? How does the cloud pro- cloud. Take user deprovisioning as an example. Nor- vider securely erase a client’s data if the client exits the mally, when an employee leaves a company, access to cloud solution? How can a particular client’s data be company applications and data is removed. But if that prevented from leaving the host country of origin, if employee has subscribed to cloud services on behalf of even the cloud operators don’t know where the data is? the company, from the beginning the company should have had the technology in place to track those sub- THE ROLE OF VIRTUALIZATION scriptions, or the former employee may still be able Virtualization tends to play a big role in cloud services, access company data. You can’t deprovision if you don’t either as the underpinning for the service or, in the case know what was provisioned in the first place. of IaaS, as part of the cloud service offering itself. And virtualization has every security risk that a physical com- CLOUD AUDITS puter environment has — plus guest-to-host and guest-to- For many cloud users, these questions can be answered guest vulnerabilities. Clearly, cloud computing amounts to only by asking the vendor and by verifying the controls. more than just semantic games. It presents a unique set of Many cloud providers have conducted third-party audits challenges that security defenders must rise up to meet. on themselves and will release the results to interested customers. Today, the Statement on Auditing Standards CLOUD SECURITY DEFENSES (SAS) 70 Type II audit is the most common cloud audit Cloud security is an evolving field. To begin with, cloud you’ll find in the U.S. There are many others, and no solutions are subject to all the conventional attacks single cloud auditing standard is accepted globally. If — buffer overflows, password attacks, physical attacks, the cloud vendor cannot provide an acceptable auditing INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 6. i Cloud Security Deep Dive 6 TABLE 1: CLOUD SECURITY CLASSIFICATIONS AND SUBTOPICS A security defender responsible for cloud security should consider a wide range of parameters when developing a cloud security defense plan. SECURITY CLASSIFICATION RELATED SUBTOPICS Infrastructure security Physical security, environmental controls, business continuity/disaster recovery, network infrastructure, firewalls, proxies, routers, access control lists, staffing/employee background checks, availability (performance and anti-DoS), security policies (including what can be made available to customers), remote access, mobile access and platforms, identity/authentication/federation, billing systems, virtualization issues, high availability Resource provisioning Provisioning; modification; ownership and control, access; deprovisioning; reuse/ reassignment of: users, computing resources, computer systems, or IP address space; domain name services; directory services; self-service configuration management Storage and data security Privacy/privacy controls, data tagging, data storage zoning, data retention policies, data permanence/deletion, encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security Management Act), digital signing/integrity attestation, multitenancy issues, archiving, backup, recovery, data classification, locality requirements, malicious data aggregation prevention Application security Security design lifecycle, identity/authentication/federation, session management, data input (if applicable) validation, error handling, vulnerability testing, patching, authentication, data integration/ exchange, APIs, proxies, application sandboxing, versioning, bug/issue tracking Audit/compliance Logging, monitoring, auditing, compliance, accreditation, legal issues, regulations, locality requirements, discovery, forensics, SLAs, public communication plans, fraud detection General security Anti-malware, anti-spam, patching, incident response, data leak prevention report, ask if the cloud provider is willing to conduct wanted to admit. The cloud, with authenticated attack- routine audits using an industry-accepted format (such ers, just puts the nail in the coffin. as CloudAudit, CloudTrust, ISACA’s Cloud Computing What is a security defender to do? Well, for one, Management Audit/Assurance Program). Cloud ven- think in terms of data classification and ownership and dors are still waiting for something as widely respected marry that with strong security domain isolation. Cloud as the standard corporate financial audit, but this is providers should have ways for defenders to mark or quickly starting to change (see the Cloud Security Alli- tag data with ownership and security classification and ance section below). to enable defenses based upon those attributes. Data should be protected in such a way that unauthorized SAY GOODBYE TO THE DMZ (but authenticated, multitenanted) viewers can be pre- One of the major changes from traditional computing vented from seeing another’s data. If a client needs is the pervasiveness of the cloud. By its very defini- to prevent its data from leaving its home country, the tion, it is meant to be everywhere. If the DMZ wasn’t cloud provider should make sure the data never does. dead before, it certainly is now. The DMZ was always Cloud providers should physically prevent (using porous, with many more holes than any defender physical network dividers, routers, switches, IPSec, INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 7. i Cloud Security Deep Dive 7 access control lists, and so on) server and data com- defenses and response plans ready to go. All the hard mingling. If a particular server never needs to talk to work and peering agreements should be established most other servers, it should be prevented from doing ahead of time. so. If a client computer shouldn’t be able to talk to other client computers, make sure there is no way for USE DNS SECURITY an authenticated users to leverage cloud access to gain If your cloud provider’s DNS services support it, con- access to the other. sider implementing DNSSEC (DNS Security) between your DNS servers and the provider’s DNS servers. ENCRYPT YOUR DATA Once enabled, DNSSEC ensures that dependent cli- Data should always be encrypted when stored (using ents always get verified, authenticated DNS resolution separate symmetric encryption keys) and transmitted. If entries from authoritative DNS servers. Unfortunately, this is implemented appropriately, even if another ten- DNSSEC is enabled only on a small percentage of ant can access the data, all that will appear is gibberish. DNS providers. Ask your cloud provider if it will con- Shared symmetric keys for data encryption should be sider creating DNSSEC “trust anchors” between your discouraged, yet tenants should be able to access their site(s) and the provider’s — or consider implementing own encryption keys and change them when neces- static DNS records on your side, to prevent malicious sary. Cloud providers should not have ready access to DNS redirection attacks. tenant encryption keys. USE RED HERRINGS AND AN EARLY USE STRONG AUTHENTICATION WARNING SYSTEM Make sure any Identity 2.0 system you participate in Some cloud providers and customers create “red her- has a strong history of good security and uses open ring” data as an early warning system. Red herring data protocols. Proprietary, single-site authentications sys- is fake data that is injected into a database and then tems may seem to present lower risk than shared sys- monitored to see if it “leaks out.” For instance, suppose tems do, but the information surrounding proprietary the cloud provider creates complete client records for systems is rarely shared. Systems that use and support Fred and Wilma Flintstone. Everything about the fake open standards usually have the added protection of record would be unlikely to exist in the real world. community analysis. Weaknesses are frequently found Then the cloud vendor (or client) uses data leak detec- early and coded out. Newfound vulnerabilities are usu- tion systems and procedures to monitor for that specific ally shared and fixed faster. data. If the data is found outside the cloud provider’s system, then it could be an early warning that malicious PREPARE TO PREVENT DDoS ATTACKS data theft has occurred and should be investigated. Attackers are often content with simply denying legiti- mate users access to their services using DDoS attacks. KILL ALL OLD DATA Luckily cloud systems are usually very resilient against Cloud providers should ensure that all data no longer simple flood attacks and excel at ramping up more needed is permanently erased from computer mem- bandwidth and resources in the face of gigabytes of ory and storage. Shared resources shouldn’t mean per- malicious traffic. manently shared storage. Clients should contact cloud Be aware, however, that attackers may attempt to providers to make sure that all submitted data is solely take down upstream or downstream nodes that are owned by the client and learn what measures providers not under the control of the cloud provider. More take to ensure the permanent deletion of unneeded data. than one Internet access provider has been forced to cut off access for a victimized site simply to preserve CLOUD SECURITY ALLIANCE GUIDANCE access for everyone else. You shouldn’t be forced to The Cloud Security Alliance is quickly becoming the come up with creative defenses the first time you’re hit most respected source of guidance for cloud security. with a DDoS, so make sure you have adequate DDoS I especially encourage interested readers to review INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011
  • 8. i Cloud Security Deep Dive 8 Security Guidance for Critical Areas of Focus in Cloud Excel spreadsheet created for cloud service providers Computing. This document breaks down cloud security and auditors. It maps security controls to popular com- into thirteen different domains including: pliance requirements such as COBIT, HIPAA, and PCI DSS. CSA’s Consensus Assessments Initiative Question- • Governance and Enterprise Risk Management naire is a Microsoft Excel spreadsheet listing well over a • Legal and Electronic Discovery hundred questions that map back to the controls listed • Information Lifecycle Management in the Cloud Controls Matrix. Both of these documents • Portability and Interoperability are meant to be used together. • Business Continuity and Disaster Recovery My only complaint is that the controls and con- • Data Center Operations trol questions are fairly general. For instance, asking • Incident Response the cloud provider if data is encrypted at rest only • Application Security starts to get at what you really need to know, which is • Encryption and Key Management how the encryption has been implemented. The best • Identity and Access Management encryption algorithms have been pushed aside by poor • Virtualization deployment practices. Still, the CSA is the best independent source of The CSA has done an excellent job of highlighting cloud security advice today. If you’re considering a all the computer security bases as they apply to cloud service, you’ll want to find out how it measures cloud offerings. up to the CSA’s guidelines. For an example, see Micro- The CSA’s Cloud Controls Matrix is a Microsoft soft’s Office 365 Standard Response Document. i ADDITIONAL RESOURCES Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web assets are excellent sources of additional information: NIST’s cloud section A great place to quickly get up csrc.nist.gov/groups/SNS/cloud-computing to speed on cloud terminology without reading a book. Cloud Security Alliance www.cloudsecurityalliance.org/certifyme.html IT Certification Cloud Threats and blogs.msdn.com/b/jmeier/archive/2010/07/08/ Security Measures cloud-security-threats-and-countermeasures-at-a-glance.aspx MSDN, J. Meier Black Hat Webcast: An interesting Webcast. www.blackhat.com/html/Webcast/Webcast-2010_cloudsec.html Chewing the Cloud: on cloud attacks Attacking Cloud-Based Services INFOWORLD.COM DEEP DIVE SERIES A U G U S T 2 011