CLOUDOPS: SECURITY
   It ain’t all fluffy and blue sky out there!
WHO’S THIS GUY?


Ward Spangenberg, Director of Security Operations, Zynga
Game Network

No - I won’t whack the Petville boss who just broke into your
cafe and made away with all your “grave dirt” riding a “luv-
ewe”.

Founding Member of the Cloud Security Alliance
WHAT’S HE GOING TO TALK ABOUT?
Definitions: Same starting point for everyone.

Security: What does that even mean?

Compliance: Did he just say compliance and cloud in the
same sentence?

Privacy: All your cloud belong to us.

Stuff: quips, stories, advice, and hopefully some laughter.
DEFINITION OF CLOUD COMPUTING
Cloud computing describes a system where users can
connect to a vast network of computing resources, data and
servers that reside somewhere “cloudy,” usually on the
Internet, rather than locally or in the data center. Cloud
computing can give on-demand access to supercomputer-
level power, even from a thin client or mobile device such as
a smart phone or laptop. (or iPad)

(@tomme Agreed. Quit arguing about definition. Common
denominator: other people's ppl, other ppl's gear - let's focus
on benefits #ccevent)
THE NIST CLOUD DEFINITION

[Figure: the NIST cloud computing definition diagram]

Deployment Models: Hybrid Clouds

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Essential Characteristics: On-Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service

Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
DEFINITIONS OF ARCHITECTURE
IaaS: “based on pure virtualization. Vendor owns all the
hardware and controls the network infrastructure, and you
own everything from the guest operating system up. You
request virtual instances on-demand and let them go when
you are done.”

PaaS: “infrastructure as well as complete operational and
development environments for the deployment of your
applications.”

SaaS: “a web-based software deployment model that makes
the software available entirely through a web browser.”
ARCHITECTURE MODEL EXAMPLES
DEPLOYMENT MODELS


Public

Private ("I'm just going to call a private cloud a data center."
--Kash Rangan, Managing Director, Merrill Lynch)

Managed

Hybrid Mongrel/Mutt
WHY CONSIDER THE CLOUD?
Increased productivity

Decreased capital investments

Reduced costs for IT

Scalable systems with low overhead

Increased storage

Flexibility
WHAT WORKS?

Stateless

Compute intensive

Non-sensitive data

Changing workload pattern

Increased workload with greater subscription rate
WHAT DOESN’T WORK?

Special hardware

Huge data set

Sensitive data

Low latency requirements

99.999% Availability
CLOUD COMPUTING A “SECURITY NIGHTMARE” - JOHN CHAMBERS, CEO CISCO
SECURITY + CLOUD = ?

As my friend Hoff likes to say: “...it is difficult to frame
meaningful discussion around what security and Cloud
Computing means...”

Yes, no, maybe.

Actually security is not a cloud specific issue. The real
struggle is “operational, organizational and compliance
issues that come with this new unchartered (or poorly
chartered) territory.”
WHAT ARE YOU WORRIED ABOUT?
TOP THREATS TO CLOUD COMPUTING
Abuse and Nefarious Use of Cloud Computing

Insecure Application Programming Interfaces

Malicious Insiders

Shared Technology Vulnerabilities

Data Loss/Leakage

Account, Service & Traffic Hijacking

Unknown Risk Profile
OWASP TOP 10
A1 – Injection

A2 – Cross Site Scripting (XSS)

A3 – Broken Authentication and Session Management

A4 – Insecure Direct Object Reference

A5 – Cross Site Request Forgery (CSRF)

A6 – Security Misconfiguration (NEW)

A7 – Failure to Restrict URL Access

A8 – Unvalidated Redirects and Forwards (NEW)

A9 – Insecure Cryptographic Storage

A10 – Insufficient Transport Layer Protection
WEB APPLICATION SECURITY CONSORTIUM
LESSONS?


Some things are no different in the cloud than they are in the
enterprise.

The bad guys still want to abuse the resources.

It still comes down to data loss.
CLOUD SECURITY COMPLEXITY

Many different actors are involved

Complex policy requirements

Simplified procedural operations

Many moving parts

Learning curve for operations & security staff

Traditional security boundaries
WHO’S YOUR NEIGHBOR?
The “Process Next Door” may be behaving badly or be under
attack.

Unbalanced resource consumption can affect operational
availability.

Shared IP space may have a “bad reputation”

Possible hypervisor level attacks on IaaS platforms

Re-using IP addresses leads to unintentional DoS
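The address re-use failure mode from this slide, as an added example that is not part of the original deck: a hypothetical IaaS address pool, a tenant whose DNS record outlives its instance, and the reconciliation check a defender runs against the account's current address inventory. The pool behaviour, tenant names, zone and addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AddressPool:
    """Hypothetical provider-side public address pool (constructed for this example).

    Released addresses go back on the free list and the most recently
    released one is handed out first, so a tenant's old address is very
    likely to land with whoever allocates next.
    """
    free: List[str]
    owner: Dict[str, str] = field(default_factory=dict)

    def allocate(self, tenant: str) -> str:
        ip = self.free.pop()          # LIFO: most recently released address first
        self.owner[ip] = tenant
        return ip

    def release(self, ip: str) -> None:
        del self.owner[ip]
        self.free.append(ip)

    def owned_by(self, tenant: str) -> Set[str]:
        return {ip for ip, t in self.owner.items() if t == tenant}


def find_dangling_records(zone: Dict[str, str], owned_ips: Set[str]) -> Dict[str, str]:
    """Defender's check: A records whose target the tenant no longer holds.

    Such a record sends the tenant's own traffic to whichever neighbour
    now owns the address: an outage for the tenant and unsolicited load
    for the neighbour. Run it against the live zone and the account's
    current address inventory every time an address is released.
    """
    return {name: ip for name, ip in zone.items() if ip not in owned_ips}


def demo() -> dict:
    """Walk the lifecycle the slide describes on constructed data."""
    # RFC 5737 documentation addresses; constructed sample, not real hosts.
    pool = AddressPool(free=["198.51.100.11", "198.51.100.10"])
    zone_a: Dict[str, str] = {}                  # tenant-a's DNS zone

    ip = pool.allocate("tenant-a")
    zone_a["api.tenant-a.example"] = ip          # record created for the new instance
    pool.release(ip)                             # instance retired, record forgotten
    reused = pool.allocate("tenant-b")           # neighbour receives the same address

    return {
        "reused_ip": reused,
        "reused_by": pool.owner[reused],
        "dangling": find_dangling_records(zone_a, pool.owned_by("tenant-a")),
    }


if __name__ == "__main__":
    print(demo())
```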
IS IT THE SAME BUILDING?
Very different attack surface compared to traditional
infrastructure

Large attack surface + high profile = high value targets

Who has access to your data?

Clouds bypass the "physical, logical and personnel controls"
IT shops exert over in-house programs*

Lack of visibility into data access by privileged users
GOT A HANDYMAN?

Management tools & development frameworks may not
provide all the security features they should or could.

Tool vendors need to keep up to date with cloud providers
feature enhancements.

Limited security toolsets are available in cloud
environments.

Cloud forensics can be challenging.
COMPLIANCE POSSIBLE?
Ability to leverage compliance and certifications cloud
provider already has.

Difficult to get feature/policy/procedure changes from cloud
vendor to meet other regulatory requirements or
certifications.

Distributed nature of cloud services can add jurisdictional
issues to regulatory compliance.

Investigative support & forensics may be difficult to obtain
from your cloud provider.
WHERE FOR ART THOU?
Increased regulatory complexities of having data stored in
multiple legal jurisdictions.

Foreign governments, agencies or corporations may gain
access to your data without your knowledge.

Increased data availability & resiliency of having data
automatically replicated to multiple sites.

Intra-application communications may unintentionally span
multiple locations

Cloud providers blocking or having their traffic blocked
based on geographic location can have a major business
impact.
ANY CHANCE THAT COMES WITH A WARRANTY?

Long term viability of cloud partners is a critical
consideration with PaaS vendors.

Lock-in with IaaS & SaaS vendors may be less of an issue.

Data transfer costs can be the toughest part of vendor
lock-in.

As open cloud platforms emerge and the hybrid deployment
model gains popularity, standards will ease some of the
current lock-in concerns.
DOES IT MATTER?

All types of cloud systems can be leveraged for malicious
purposes.

IaaS clouds can be used for large scale spam, DoS, or
Command & Control functions.

PaaS platforms have already been used as Command &
Control for botnets.

Hijacked accounts can be used to stage internal DoS attacks
within the cloud provider’s infrastructure.

Defending against cloud based attacks can be extremely
difficult.
PUBLIC DEPLOYMENT SECURITY ISSUES

Advantages:
Anonymizing effect
Large security investments
Pre-certification
Multi-site system & data redundancy
Fault tolerance & excess capacity

Disadvantages:
Collateral damage effect
Data & AAA security requirements
Regulatory compliance & certifications
Multi-jurisdiction data store
Known vulnerabilities are global
MONGREL DEPLOYMENT SECURITY ISSUES

Advantages:
Externalization of attack surface
Overcomes private cloud scaling limits
Multi-site system & data redundancy
Isolation & segregation of secure data

Disadvantages:
Data transfer/access considerations
Increased architecture complexity
Credential management
Regulatory compliance & certifications
COMMUNITY DEPLOYMENT ISSUES

Advantages:
Increased redundancy & availability
Shared risk & security costs
Compliance & certification requirements

Disadvantages:
Extremely high level of complexity
Federation requirements
Increased privileged user attacks
Easy targeting of high value systems
IAAS SECURITY ISSUES

Advantages:
Increased control of encryption
Minimized privileged user attacks
Ability to use familiar AAA mechanisms
More standardized deployments
Rapid cross vendor redeployment
Full operational control at the VM level

Disadvantages:
Account hijacking
Credential management
API security risks
Lack of role based authorization
Dependence on security of the virtualization platform
Full responsibility for operations
PAAS SECURITY ISSUES

Advantages:
Less operational responsibility
Instant multi-site business continuity
Massive scale & resiliency
Simplification of compliance analysis
Built-in framework security features

Disadvantages:
Less operational control than IaaS
Vendor lock-in
Lack of security tools, reporting, etc.
Increased privileged user attack likelihood
Cloud provider’s long term viability
SAAS SECURITY ISSUES

Advantages:
Clearly defined access controls
Vendor is responsible for data-center & application security
Predictable scope of account compromise
Integration with internal directory services
Simplified user ACD

Disadvantages:
Inflexible reporting & features
Lack of version control
Inability to layer security controls
Increased vulnerability to privileged user attacks
No control over legal discovery
QUESTIONS?
Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.
CONTACT INFO
Ward Spangenberg
wardspan@zynga.com
twitter: @wardspan

Training state-of-the-art general text embedding
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Cloudop security

  • 1. CLOUDOPS: SECURITY It ain’t all fluffy and blue sky out there!
  • 2. WHO’S THIS GUY? Ward Spangenberg, Director of Security Operations, Zynga Game Network No - I won’t whack the Petville boss who just broke into your cafe and made away with all your “grave dirt” riding a “luv- ewe”. Founding Member of the Cloud Security Alliance
  • 3. WHAT’S HE GOING TO TALK ABOUT? Definitions: Same starting point for everyone. Security: What does that even mean? Compliance: Did he just say compliance and cloud in the same sentence? Privacy: All your cloud belong to us. Stuff: quips, stories, advice, and hopefully some laughter.
  • 4. DEFINITION OF CLOUD COMPUTING Cloud computing describes a system where users can connect to a vast network of computing resources, data and servers that reside somewhere “cloudy,” usually on the Internet, rather than locally or in the data center. Cloud computing can give on-demand access to supercomputer- level power, even from a thin client or mobile device such as a smart phone or laptop. (or iPad) (@tomme Agreed. Quit arguing about definition. Common denominator: other people's ppl, other ppl's gear - let's focus on benefits #ccevent)
  • 5. THE NIST CLOUD DEFINITION. Deployment Models: Hybrid Clouds. Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS). Essential Characteristics: On Demand Self-Service; Broad Network Access; Rapid Elasticity; Resource Pooling; Measured Service. Common Characteristics: Massive Scale; Resilient Computing; Homogeneity; Geographic Distribution; Virtualization; Service Orientation; Low Cost Software; Advanced Security.
  • 6. DEFINITIONS OF ARCHITECTURE IaaS: “based on pure virtualization. Vendor owns all the hardware and controls the network infrastructure, and you own everything from the guest operating system up. You request virtual instances on-demand and let them go when you are done.” PaaS: “infrastructure as well as complete operational and development environments for the deployment of your applications.” SaaS: “a web-based software deployment model that makes the software available entirely through a web browser.”
  • 8. DEPLOYMENT MODELS: Public; Private ("I'm just going to call a private cloud a data center." --Kash Rangan, Managing Director, Merrill Lynch); Managed; Hybrid; Mongrel/Mutt.
  • 9. WHY CONSIDER THE CLOUD? Increased productivity; Decreased capital investments; Reduced costs for IT; Scalable systems with low overhead; Increased storage; Flexibility.
  • 10. WHAT WORKS? Stateless; Compute intensive; Non-sensitive data; Changing workload pattern; Increased workload with greater subscription rate.
  • 11. WHAT DOESN’T WORK? Special hardware; Huge data sets; Sensitive data; Low latency requirements; 99.999% availability.
  • 12. CLOUD COMPUTING: A “SECURITY NIGHTMARE” - JOHN CHAMBERS, CEO, CISCO
  • 13. SECURITY + CLOUD = ? As my friend Hoff likes to say: “...it is difficult to frame meaningful discussion around what security and Cloud Computing means...” Yes, no, maybe. Actually security is not a cloud specific issue. The real struggle is “operational, organizational and compliance issues that come with this new unchartered (or poorly chartered) territory.”
  • 15. TOP THREATS TO CLOUD COMPUTING: Abuse and Nefarious Use of Cloud Computing; Insecure Application Programming Interfaces; Malicious Insiders; Shared Technology Vulnerabilities; Data Loss/Leakage; Account, Service & Traffic Hijacking; Unknown Risk Profile.
  • 16. OWASP TOP 10 A1 – Injection A2 – Cross Site Scripting (XSS) A3 – Broken Authentication and Session Management A4 – Insecure Direct Object Reference A5 – Cross Site Request Forgery (CSRF) A6 – Security Misconfiguration (NEW) A7 – Failure to Restrict URL Access A8 – Unvalidated Redirects and Forwards (NEW) A9 – Insecure Cryptographic Storage A10 - Insufficient Transport Layer Protection
  • 17. WEB APPLICATION SECURITY CONSORTIUM
  • 18. LESSONS? Some things are no different in the cloud than they are in the enterprise. The bad guys still want to abuse the resources. It still comes down to data loss.
  • 19. CLOUD SECURITY COMPLEXITY: Many different actors are involved; Complex policy requirements; Simplified procedural operations; Many moving parts; Learning curve for operations & security staff; Traditional security boundaries.
  • 20. WHO’S YOUR NEIGHBOR? The “Process Next Door” may be behaving badly or be under attack. Unbalanced resource consumption can affect operational availability. Shared IP space may have a “bad reputation”. Possible hypervisor level attacks on IaaS platforms. Re-using IP addresses leads to unintentional DoS.
  • 21. IS IT THE SAME BUILDING? Very different attack surface compared to traditional infrastructure. Large attack surface + high profile = high value targets. Who has access to your data? Clouds bypass the "physical, logical and personnel controls" IT shops exert over in-house programs*. Lack of visibility into data access by privileged users.
  • 22. GOT A HANDYMAN? Management tools & development frameworks may not provide all the security features they should or could. Tool vendors need to keep up to date with cloud providers’ feature enhancements. Limited security toolsets are available in cloud environments. Cloud forensics can be challenging.
  • 23. COMPLIANCE POSSIBLE? Ability to leverage compliance and certifications the cloud provider already has. Difficult to get feature/policy/procedure changes from the cloud vendor to meet other regulatory requirements or certifications. Distributed nature of cloud services can add jurisdictional issues to regulatory compliance. Investigative support & forensics may be difficult to obtain from your cloud provider.
  • 24. WHERE FOR ART THOU? Increased regulatory complexities of having data stored in multiple legal jurisdictions. Foreign governments, agencies or corporations may gain access to your data without your knowledge. Increased data availability & resiliency of having data automatically replicated to multiple sites. Intra-application communications may unintentionally span multiple locations. Cloud providers blocking or having their traffic blocked based on geographic location can have a major business impact.
  • 25. ANY CHANCE THAT COMES WITH A WARRANTY? Long term viability of cloud partners is a critical consideration in PaaS vendors. Lock-in with IaaS & SaaS vendors may be less of an issue. Data transfer costs can be the toughest part of vendor lock-in. As open cloud platforms emerge and the hybrid deployment model gains popularity, standards will ease some of the current lock-in concerns.
  • 26. DOES IT MATTER? All types of cloud systems can be leveraged for malicious purposes. IaaS clouds can be used for large scale spam, DoS, or Command & Control functions. PaaS platforms have already been used as Command & Control for botnets. Hijacked accounts can be used to stage internal DoS attacks within the cloud provider’s infrastructure. Defending against cloud based attacks can be extremely difficult.
  • 27. PUBLIC DEPLOYMENT SECURITY ISSUES. Advantages: Anonymizing effect; Large security investments; Pre-certification; Multi-site system & data redundancy; Fault tolerance & excess capacity. Disadvantages: Collateral damage effect; Data & AAA security requirements; Regulatory Compliance & Certifications; Multi-jurisdiction data store; Known vulnerabilities are global.
  • 28. MONGREL DEPLOYMENT SECURITY ISSUES. Advantages: Externalization of attack surface; Overcomes private cloud scaling limits; Multi-site system & data redundancy; Isolation & segregation of secure data. Disadvantages: Data transfer/access considerations; Increased architecture complexity; Credential management; Regulatory Compliance & Certifications.
  • 29. COMMUNITY DEPLOYMENT ISSUES. Advantages: Increased redundancy & availability; Shared risk & security costs; Compliance & certification requirements. Disadvantages: Extremely high level of complexity; Federation requirements; Increased Privileged User attacks; Easy targeting of high value systems.
  • 30. IAAS SECURITY ISSUES. Advantages: Increased control of encryption; Minimized privileged user attacks; Ability to use familiar AAA mechanisms; More standardized deployments; Rapid cross vendor redeployment; Full operational control at the VM level. Disadvantages: Account hijacking; Credential management; API security risks; Lack of role based authorization; Dependence on security of the virtualization platform; Full responsibility for operations.
  • 31. PAAS SECURITY ISSUES. Advantages: Less operational responsibility; Instant multi-site business continuity; Massive scale & resiliency; Simplification of compliance analysis; Built-in framework security features. Disadvantages: Less operational control than IaaS; Vendor lock-in; Lack of security tools, reporting, etc.; Increased privileged user attack likelihood; Cloud provider’s long term viability.
  • 32. SAAS SECURITY ISSUES. Advantages: Clearly defined access controls; Vendor is responsible for data-center & application security; Predictable scope of account compromise; Integration with internal directory services; Simplified User ACD. Disadvantages: Inflexible reporting & features; Lack of version control; Inability to layer security controls; Increased vulnerability to privileged user attacks; No control over legal discovery.
  • 33. QUESTIONS? Yes, I play Farmville, Petville, Fishville, Texas Hold’em, Mafia Wars, Vampire Wars and occasionally Yoville.
  • 34. CONTACT INFO Ward Spangenberg wardspan@zynga.com twitter: @wardspan

Editor's Notes

  1. IaaS includes the entire infrastructure resource stack from the facilities to the hardware platforms that reside in them. Further, IaaS incorporates the capability to abstract resources (or not) as well as deliver physical and logical connectivity to those resources. Ultimately, IaaS provides a set of APIs which allows for management and other forms of interaction with the infrastructure by the consumer of the service. PaaS sits atop IaaS and adds an additional layer of integration with application development frameworks, middleware capabilities and functions such as database, messaging, and queuing that allows developers to build applications which are coupled to the platform and whose programming languages and tools are supported by the stack. SaaS in turn is built upon the underlying IaaS and PaaS stacks and provides a self-contained operating environment used to deliver the entire user experience including the content, how it is presented,
  2. Private Clouds are provided by an organization or their designated service provider and offer a single-tenant (dedicated) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure may be owned by and/or physically located in the organization’s datacenters (on-premise) or that of a designated service provider (off-premise) with an extension of management and security control planes controlled by the organization or designated service provider respectively. Public Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is generally owned by and managed by the designated service provider and located within the provider’s datacenters (off-premise). Managed Clouds are provided by a designated service provider and may offer either a single-tenant (dedicated) or multi-tenant (shared) operating environment with all the benefits and functionality of elasticity and the accountability/utility model of Cloud. The physical infrastructure is owned by and/or physically located in the organization’s datacenters with an extension of management and security control planes controlled by the designated service provider. Hybrid Clouds are a combination of public and private cloud offerings that allow for transitive information exchange and possibly application compatibility and portability across disparate Cloud service offerings and providers utilizing standard or proprietary methodologies regardless of ownership or location. This model provides for an extension of management and security control planes
  3. Security concerns have been the top factor cited as delaying cloud adoption for the past several years. In part this is due to a lack of standards around testing, reporting, SLAs and other standard business agreements that have already been worked out in more mature markets (like hosting). Another major factor is that the terms used with cloud-computing can have very different meanings based on context and so discussing cloud security can be tricky without laying down some ground work as far as definitions and context.
  4. Public deployments have the advantage of leveraging the service provider’s experience, security budget, process & procedure at a minimal cost to the consumer; however, if a provider doesn’t offer a security feature that is critical to your deployment you’re pretty much out of luck. Anonymizing effect: Being a small fish in a large ocean makes targeted attacks against your infrastructure very difficult to orchestrate. This is amplified by the transitory nature of IP addressing in most IaaS provider offerings. PaaS & SaaS offerings take this further by providing such massively scaled systems that the cost of producing a successful attack can outweigh the potential benefits. Collateral Damage: Attacks against the overall cloud provider or against specific systems sharing the same physical infrastructure as yours can lead to collateral damage from attacks not directly targeted at your organization. The “VM Next Door” (same processor, same network segment, etc…) may be a bad actor or the target of one. Cloud providers are high value targets that present a large attack surface on public networks. This, coupled with other items in this list such as the global scope of vulnerabilities, can have a huge impact when doing a risk assessment for public cloud deployments. Large Security Investments: Public cloud providers have dedicated security teams, battle tested policies and procedures and more advanced security tools than most organizations can afford. This plays into the major economic motivator for public cloud adoption, which is leveraging the expertise and budget of the cloud provider. Data & AAA security: Keeping secure data on a multi-tenant, non-isolated system requires more planning and resources than keeping it in a private data store. You need to work out how & when to encrypt data as well as how to manage access to that data.
Managing AAA (Authentication, authorization & accounting) functions can be more challenging in a public cloud deployment. The lack of multi-user role based access controls in most IaaS & PaaS offerings makes managing access to underlying system controls challenging. However, the SOA oriented nature of public cloud services generally means you get a standardized method of accessing, collecting and acting upon AAA data. Pre-certification: Public cloud providers continue to amass different security certifications as well as guidelines, policies and procedures that can help their clients reach particular certification levels (e.g. Amazon’s SAS-70 datacenter certifications). Public cloud providers will probably also become major players in helping shape new certification requirements going forward (e.g. the development of new cloud based PCI compliance requirements has been announced). Regulatory Compliance & Certifications: While “pre-certification” is in the advantages column, it is a double edged sword with public cloud providers. If a cloud provider does not have a particular certification you require, or does not provide a report or feature you require to attain a certification or compliance, the likelihood of being able to influence their feature set is minimal. Multi-site system & data redundancy: The automated sharding and distribution of data and workloads to multiple sites is a major benefit of public cloud deployments. The cost and ease with which this is accomplished within public clouds is a major factor favoring their adoption. Multi-jurisdiction data store: The flip side to automated data replication to multiple geographic sites is that your data will most likely end up in multiple legal jurisdictions either in whole or in part. You may not even know which jurisdictions your data is in at any time.
This can pose serious problems achieving certain regulatory requirements (e.g. EU Data Protection Directive, US Safe Harbor program). Additionally, you may not know when legal actions (e.g. foreign data subpoenas) have been issued against your data. Having data in multiple jurisdictions also has implications for legal data ownership & recovery issues. Fault tolerance & excess capacity: The automated systems and APIs used by IaaS, PaaS & SaaS providers have allowed for the creation of incredibly fault tolerant systems, from autoscaling instances in EC2 to the total cloaking of the hardware & network layers in AppEngine and SalesForce.com. In terms of excess capacity, public cloud providers allow you to scale to continue providing service in the face of DoS attacks; they also provide amazing resiliency and RESTORATION OF SERVICES following an attack or other security incident. Known vulnerabilities are global: This relates back to the “Collateral Damage” item in that once a vulnerability in your public cloud provider’s infrastructure is discovered, it will generally affect all accounts. We have already seen this with several SaaS providers such as Google Apps.
  5. Externalization of attack surface: By placing the public side of your application in a public cloud, you can deflect attacks from your corporate environment to the cloud provider, who may be better suited to dealing with them or mitigating them. Data Transfer & Access Considerations: Thought has to be given to how data is transferred into and out of the public cloud. What are the security requirements? If you have access controls in place internally, how do you extend those AAA functions to the public cloud? Private cloud scaling limits: Hybrid scenarios offer the promise of allowing private clouds to “spill-over” excess compute requirements into a public cloud as required. In reality these types of hybrid systems are very difficult to implement today; however, temporarily moving certain workloads between private clouds and public clouds for special events can provide enormous ROI. Increased architectural complexity: Marshalling and managing separate AAA systems, data transfers and application communications between private infrastructure and public clouds can be tricky and requires lots of planning. Multi-site system & data redundancy: Hybrid solutions also promise to allow corporations to quickly implement disaster recovery and business continuity plans. The costs associated with having a hot or warm standby secondary site are more complicated than in a pure public cloud deployment, yet quite a bit more cost effective than with a private cloud deployment. Credential Management: Managing access to the public cloud APIs as well as managing inbound traffic from application components hosted in a public cloud can be daunting. Can you validate that inbound messages to your private cloud actually originate from your own systems in the public cloud?
Isolation & segregation: Hybrid cloud deployments allow corporations to maintain control over the isolation and segregation of their most sensitive data while still providing many of the benefits inherent in a public cloud. Regulatory compliance: This can be the trickiest in the hybrid model as requirements may span both your corporate systems and those of your cloud provider partners. More on regulatory compliance below.
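One way to answer the credential-management question above (can the private cloud tell that an inbound message really came from its own public-cloud components?) is a keyed MAC with freshness checks. This is an added example, not code from the talk; the component names, key material and envelope layout are constructed for illustration.

```python
"""HMAC origin check for messages entering a private cloud from public-cloud
components. The public-cloud side signs an envelope with a key shared with
the private-cloud endpoint; the receiver checks the MAC in constant time and
rejects stale timestamps and replayed nonces. Keys and names are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-component keys. In practice these come from a secrets store
# and are rotated; each public-cloud component gets its own key so a leak from
# one tier does not let it impersonate another.
COMPONENT_KEYS = {
    "web-tier": b"\x01" * 32,
    "batch-tier": b"\x02" * 32,
}
MAX_SKEW_SECONDS = 300  # clock drift plus transit time we are willing to accept


def _canonical(fields):
    # Deterministic serialization so both sides MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(component, body, key, now=None):
    """Public-cloud side: wrap body in {component, ts, nonce, body, mac}."""
    envelope = {
        "component": component,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
        "body": body,
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class InboundVerifier:
    """Private-cloud side: accept only authentic, fresh, not-yet-seen envelopes."""

    def __init__(self, keys, max_skew=MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> ts, pruned once outside the skew window

    def verify(self, envelope, now=None):
        now = int(time.time() if now is None else now)
        key = self.keys.get(envelope.get("component"))
        if key is None:
            return False, "unknown component"
        if not isinstance(envelope.get("ts"), int) or not isinstance(envelope.get("nonce"), str):
            return False, "malformed envelope"
        unsigned = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
        # compare_digest keeps the comparison constant-time, so a forger cannot
        # learn the MAC byte by byte from response timing.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad mac"
        if abs(now - envelope["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if envelope["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[envelope["nonce"]] = envelope["ts"]
        self._prune(now)
        return True, "ok"

    def _prune(self, now):
        # Nonces older than the window cannot pass the timestamp check anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.max_skew}


if __name__ == "__main__":
    verifier = InboundVerifier(COMPONENT_KEYS)
    msg = sign_message("web-tier", {"op": "sync", "seq": 1}, COMPONENT_KEYS["web-tier"])
    print(verifier.verify(msg))  # first delivery is accepted
    print(verifier.verify(msg))  # the same envelope again is a replay
```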
  6. Redundancy & Availability: By partnering with organizations that share similar requirements, goals & data, organizations can build clouds that provide many of the redundancy aspects offered by public clouds yet make sure that the overall security posture and feature set meets their needs. Complexity: More organizations = more complexity. Negotiations on requirements can be a major stumbling block. Shared risk & security costs: By pooling security resources among several organizations, community clouds are able to offer security features and services that a single organization might not be able to afford. Federation requirements: Mapping role based access controls to users and interconnecting disparate corporate directory service and AAA systems can be extremely time consuming, but can add a level of flexibility for security arrangements between partners that is unavailable in other cloud models. Compliance requirements: Members of a community cloud deployment can ensure that “their cloud” meets their particular regulatory and certification requirements, e.g. HIPAA, SOX, PCI-DSS, etc. Increased privileged user attacks: Depending on the cloud and application architecture, many more people may have direct access to your organization’s data in a community cloud model. This leads to the increased possibility of privileged user attacks. Easy targeting: Community clouds can be a treasure trove for malicious actors looking for specific information. You cannot hide behind the anonymity of public clouds to avoid targeted attacks against your organization or data “types”.
  7. Increased control of encryption: IaaS is the only cloud model that allows you to fully dictate when and how data gets encrypted before being committed to persistent storage. Account hijacking: Hijacking of cloud account credentials can place the “keys to the kingdom” in an attacker’s hands. Given the low levels of security generally required for exercising cloud account privileges this can be a major issue. Also, changing cloud account credentials in an IaaS model can be more difficult than with other models. Minimized privileged user attacks: Due to the increased low-level controls compared to other cloud service models, IaaS provides the least vulnerability to privileged user attacks. Ability to use familiar AAA mechanisms: Since IaaS clouds are providing familiar VMs, you can leverage your existing knowledge of how to secure and manage them. API security risks: Think about a private enterprise datacenter and all the layers of security you would need to traverse to shut down a system from a remote location (2 factor VPN authentication, bastion host login, corporate directory credential authorization, ssh authentication, sudo restrictions, etc…). NOW, think about what it takes to remotely shut down a system on EC2 or in Azure. A simple API call from any internet enabled device. More standardized deployments: IaaS provider best practices and methodologies force, guide and cajole system engineers to rely on automated deployment systems. This leads to a much more standardized deployment and change management process. Lack of role based authorization: Many IaaS providers still do not provide mechanisms for restricting which systems different operations staff can access or control via API in a granular manner.
Rapid cross vendor redeployment: Again, because IaaS clouds provide well-known OS VMs, moving functionality between cloud providers is relatively easy (barring data transfer costs). Dependence on security of the virtualization platform: IaaS vendors rely on the security features of the hypervisor or virtualization software to provide security controls. Vulnerabilities in these cloud building blocks can impact all cloud provider customers. Full operational control at the VM level: Your organization maintains full control over your systems from the VM level upwards. Full responsibility for operations: Even though you have no control over the physical infrastructure or the network, your IT team is still responsible for the security and operations of your production systems. If a PaaS or SaaS provider has an outage you can’t be held responsible; if an IaaS provider has an outage, it was up to you to plan for that eventuality.
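The "API security risks" and "Lack of role based authorization" points above describe a gap the consumer has to close on its own side: a deny-by-default policy gate in front of the management API, scoping staff to the systems they own and demanding fresh two-factor authentication before anything destructive. This is an added example, not code from the talk or from any provider; the action names, tag scheme and policy format are constructed for illustration.

```python
"""Deny-by-default authorization gate for IaaS management API calls, run in
the organization's own API broker. Policy format, action names and resource
tags are constructed for illustration and are not any provider's real API.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# Constructed: actions that destroy or stop capacity; these need fresh MFA,
# the cloud analogue of the 2-factor VPN step a datacenter shutdown would need.
DESTRUCTIVE_ACTIONS = {"instance:terminate", "instance:stop", "volume:delete"}
MFA_MAX_AGE = 900  # seconds since the principal's last MFA assertion


@dataclass
class Resource:
    rid: str
    tags: dict = field(default_factory=dict)


@dataclass
class Principal:
    name: str
    roles: set
    mfa_age: Optional[int] = None  # None means no MFA in this session


@dataclass
class Rule:
    role: str
    actions: set          # glob patterns over action names, e.g. "instance:*"
    resource_tags: dict   # every listed tag must match the resource exactly


def _action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _tags_match(required, tags):
    return all(tags.get(k) == v for k, v in required.items())


def authorize(principal, action, resource, rules):
    """Return (allowed, reason). Grant only when a rule for one of the
    principal's roles covers both the action and the resource's tags."""
    for rule in rules:
        if rule.role not in principal.roles:
            continue
        if not _action_matches(rule.actions, action):
            continue
        if not _tags_match(rule.resource_tags, resource.tags):
            continue
        if action in DESTRUCTIVE_ACTIONS and (
            principal.mfa_age is None or principal.mfa_age > MFA_MAX_AGE
        ):
            return False, "destructive action requires fresh MFA"
        return True, "allowed by role " + rule.role
    return False, "no matching rule (default deny)"


def audit_line(principal, action, resource, decision):
    """One log line per decision so denied attempts are visible to detection."""
    allowed, reason = decision
    return "api-gate principal=%s action=%s resource=%s result=%s reason=%r" % (
        principal.name, action, resource.rid, "ALLOW" if allowed else "DENY", reason)


# Constructed policy: web operators manage web/prod hosts, DB operators may
# only start/stop DB hosts, auditors may only describe anything.
RULES = [
    Rule("web-ops", {"instance:*"}, {"team": "web", "env": "prod"}),
    Rule("db-ops", {"instance:start", "instance:stop"}, {"team": "db"}),
    Rule("auditor", {"*:describe"}, {}),
]

if __name__ == "__main__":
    web = Resource("i-web01", {"team": "web", "env": "prod"})
    db = Resource("i-db01", {"team": "db", "env": "prod"})
    alice = Principal("alice", {"web-ops"}, mfa_age=60)
    for act, res in [("instance:terminate", web), ("instance:terminate", db)]:
        print(audit_line(alice, act, res, authorize(alice, act, res, RULES)))
```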