SlideShare a Scribd company logo

The Cloud Security Landscape

Peter Wood
Peter Wood

An ethical hacker's view of the cloud security landscape. As presented at the inaugural meeting of the CSA UK & Ireland chapter, March 2011

TechnologyBusiness
1 of 24
Download to read offline
The Cloud Security Landscape An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
Who am I ? Worked in computers and electronics since 1969 1969 Founded First•Base in 1989 (one of the first ethical hacking firms) - Social engineer & penetration tester - Conference speaker and security ‘expert’ - Chair of Advisory board at CSA UK & Ireland - Vice Chair of BCS Information Risk Management and Audit Group - ISACA Security Advisory Group and Conference Task Force 1989 - Corporate Executive Programme Expert - IISP Interviewer - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP - Registered BCS Security Consultant - Member of ACM, ISACA, ISSA, Mensa 2 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Insecure? • Cloud Security Guidance • Q&A 3 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 4 © First Base Technologies 2011
Cloud Service Models • Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings) • Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage) • Infrastructure (IaaS) consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls) 5 © First Base Technologies 2011
Cloud Deployment Models • Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services • Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on- premises or off-premises • Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises • Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load- balancing between clouds) 6 © First Base Technologies 2011
7 © First Base Technologies 2011
8 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 9 © First Base Technologies 2011
Not the best approach to cloud 10 © First Base Technologies 2011
Typical cloud security questions • Your data is … where? • Which country? • Who has access? • Have staff been vetted? • How well is it segregated from other users? • Is it encrypted? Who holds the keys? • How is it backed up (encrypted? where is it?) • How is it transmitted (encrypted? authenticated?) • Have the providers been tested by a reputable third party? 11 © First Base Technologies 2011
Amrit Williams Blog Observations of a Digitally Enlightened Mind • When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control. • The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail. Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc. http://techbuddha.wordpress.com/ 12 © First Base Technologies 2011
Just a little brainstorm 13 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 14 © First Base Technologies 2011
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 -> V3.0 Cloud Security Alliance http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page 15 © First Base Technologies 2011
Risk Assessment Evaluate your tolerance for moving an asset to various cloud computing models • Identify the asset for the cloud deployment • Evaluate the asset • Map the asset to potential cloud deployment models • Evaluate potential cloud service models and providers • Sketch the potential data flow 16 © First Base Technologies 2011
Identify the asset • Determine exactly what data or function is being considered for the cloud - This should include potential uses of the asset once it moves to the cloud to account for scope creep - Data and transaction volumes are often higher than expected • Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud - For example, host application and data in own data centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service 17 © First Base Technologies 2011
Evaluate the asset How would we be harmed if: • the asset became widely public and widely distributed? • an employee of our cloud provider accessed the asset? • the process or function were manipulated by an outsider? • the process or function failed to provide expected results? • the information/data were unexpectedly changed? • the asset were unavailable for a period of time? 18 © First Base Technologies 2011
Map the asset to potential models • Public • Private, internal/on-premises • Private, external (including dedicated or shared infrastructure) • Community; taking into account the hosting location, potential service provider, and identification of other community members • Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside 19 © First Base Technologies 2011
Evaluate models and providers • In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management • If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment • Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers • If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation 20 © First Base Technologies 2011
Sketch the potential data flow • If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes • While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud • If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points. 21 © First Base Technologies 2011
Conclusions • Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable • Have a rough idea of potential exposure points for sensitive information and operations • These together should give you sufficient context to evaluate any other security controls in the Guidance 22 © First Base Technologies 2011
Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 23 © First Base Technologies 2011
Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com

Recommended

Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
Peter Wood
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's View
Peter Wood
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
Peter Wood
 
The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a Hacker
Peter Wood
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
Ed Wong
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
justinkallhoff
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
TISA
 

Recommended

Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
Peter Wood
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's View
Peter Wood
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
Peter Wood
 
The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a Hacker
Peter Wood
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
Ed Wong
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
justinkallhoff
 
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554Top 5 myths of it security in the light of current events tisa pro talk 4 2554
Top 5 myths of it security in the light of current events tisa pro talk 4 2554
TISA
 
Intersect
IntersectIntersect
Intersect
Fotios Lindiakos
 
Protecting Data on Laptops
Protecting Data on LaptopsProtecting Data on Laptops
Protecting Data on Laptops
Product Marketing Services
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
Charles McNeil
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
IT Weekend
 
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Novell
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
Internap
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
Denim Group
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
Withum
 
Security For Free
Security For FreeSecurity For Free
Security For Free
gwarden
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin Rowney
Symantec
 
Symantec Ubiquity
Symantec UbiquitySymantec Ubiquity
Symantec Ubiquity
Symantec
 
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014 Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Unisys Corporation
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin Portal
Bhadreshsinh Gohil
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Dinesh O Bareja
 
Infosec lecture-final
Infosec lecture-finalInfosec lecture-final
Infosec lecture-final
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Bob Rhubart
 
Hastily Formed Networks (HFN) at the Waldo Canyon Fire
Hastily Formed Networks (HFN) at the Waldo Canyon FireHastily Formed Networks (HFN) at the Waldo Canyon Fire
Hastily Formed Networks (HFN) at the Waldo Canyon Fire
Rakesh Bharania
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
Dragos, Inc.
 
Security Testing in an Age of Austerity
Security Testing in an Age of AusteritySecurity Testing in an Age of Austerity
Security Testing in an Age of Austerity
Peter Wood
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
UnifyCloud
 

More Related Content

What's hot

MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
Charles McNeil
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
Denim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
Dragos, Inc.
 

What's hot (20)

Intersect
IntersectIntersect
Intersect
 
Protecting Data on Laptops
Protecting Data on LaptopsProtecting Data on Laptops
Protecting Data on Laptops
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
 
Security For Free
Security For FreeSecurity For Free
Security For Free
 
RSA 2010 Kevin Rowney
RSA 2010 Kevin RowneyRSA 2010 Kevin Rowney
RSA 2010 Kevin Rowney
 
Symantec Ubiquity
Symantec UbiquitySymantec Ubiquity
Symantec Ubiquity
 
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014 Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
NEtwork Security Admin Portal
NEtwork Security Admin PortalNEtwork Security Admin Portal
NEtwork Security Admin Portal
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Infosec lecture-final
Infosec lecture-finalInfosec lecture-final
Infosec lecture-final
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
 
Hastily Formed Networks (HFN) at the Waldo Canyon Fire
Hastily Formed Networks (HFN) at the Waldo Canyon FireHastily Formed Networks (HFN) at the Waldo Canyon Fire
Hastily Formed Networks (HFN) at the Waldo Canyon Fire
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
Security Testing in an Age of Austerity
Security Testing in an Age of AusteritySecurity Testing in an Age of Austerity
Security Testing in an Age of Austerity
 

Similar to The Cloud Security Landscape

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud ComputingDr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
ikanow
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
Uni Systems S.M.S.A.
 
Impact of busines model elements on cloud computing adoption
Impact of busines model elements on cloud computing adoptionImpact of busines model elements on cloud computing adoption
Impact of busines model elements on cloud computing adoption
Andreja Pucihar
 
Security concerns of cloud migration and its implications on cloud-enabled bu...
Security concerns of cloud migration and its implications on cloud-enabled bu...Security concerns of cloud migration and its implications on cloud-enabled bu...
Security concerns of cloud migration and its implications on cloud-enabled bu...
Adewole Shitta-bey
 

Similar to The Cloud Security Landscape (20)

Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Building Cloud capability for startups
Building Cloud capability for startupsBuilding Cloud capability for startups
Building Cloud capability for startups
 
Cloud capability for startups
Cloud capability for startupsCloud capability for startups
Cloud capability for startups
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud ComputingDr. Michael Valivullah, NASS/USDA - Cloud Computing
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
 
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
 
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
 
Impact of busines model elements on cloud computing adoption
Impact of busines model elements on cloud computing adoptionImpact of busines model elements on cloud computing adoption
Impact of busines model elements on cloud computing adoption
 
Cloud Computing basic concept to understand
Cloud Computing basic concept to understandCloud Computing basic concept to understand
Cloud Computing basic concept to understand
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
State of the Cloud and Data Centers 2014
State of the Cloud and Data Centers 2014State of the Cloud and Data Centers 2014
State of the Cloud and Data Centers 2014
 
Security concerns of cloud migration and its implications on cloud-enabled bu...
Security concerns of cloud migration and its implications on cloud-enabled bu...Security concerns of cloud migration and its implications on cloud-enabled bu...
Security concerns of cloud migration and its implications on cloud-enabled bu...
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
Cloud Computing Introduction. Engineering seventh Semester
Cloud Computing Introduction. Engineering seventh SemesterCloud Computing Introduction. Engineering seventh Semester
Cloud Computing Introduction. Engineering seventh Semester
 
Iia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V FinalIia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V Final
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 

More from Peter Wood

More from Peter Wood (20)

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilities
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud security
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 Threatscape
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team Exercise
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloud
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to us
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Advanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team ExerciseAdvanced Threat Protection: Lessons from a Red Team Exercise
Advanced Threat Protection: Lessons from a Red Team Exercise
 
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineering
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network Infrastructure
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's View
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security Vulnerabilities
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 

The Cloud Security Landscape

  • 1. The Cloud Security Landscape An Ethical Hacker’s View Peter Wood Chief Executive Officer First•Base Technologies
  • 2. Who am I ? Worked in computers and electronics since 1969 1969 Founded First•Base in 1989 (one of the first ethical hacking firms) - Social engineer & penetration tester - Conference speaker and security ‘expert’ - Chair of Advisory board at CSA UK & Ireland - Vice Chair of BCS Information Risk Management and Audit Group - ISACA Security Advisory Group and Conference Task Force 1989 - Corporate Executive Programme Expert - IISP Interviewer - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP - Registered BCS Security Consultant - Member of ACM, ISACA, ISSA, Mensa 2 © First Base Technologies 2011
  • 3. Agenda • Cloud Computing: Define • Is Cloud Computing Insecure? • Cloud Security Guidance • Q&A 3 © First Base Technologies 2011
  • 4. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 4 © First Base Technologies 2011
  • 5. Cloud Service Models • Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings) • Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage) • Infrastructure (IaaS) consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls) 5 © First Base Technologies 2011
  • 6. Cloud Deployment Models • Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services • Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on- premises or off-premises • Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises • Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load- balancing between clouds) 6 © First Base Technologies 2011
  • 7. 7 © First Base Technologies 2011
  • 8. 8 © First Base Technologies 2011
  • 9. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 9 © First Base Technologies 2011
  • 10. Not the best approach to cloud 10 © First Base Technologies 2011
  • 11. Typical cloud security questions • Your data is … where? • Which country? • Who has access? • Have staff been vetted? • How well is it segregated from other users? • Is it encrypted? Who holds the keys? • How is it backed up (encrypted? where is it?) • How is it transmitted (encrypted? authenticated?) • Have the providers been tested by a reputable third party? 11 © First Base Technologies 2011
  • 12. Amrit Williams Blog Observations of a Digitally Enlightened Mind • When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control. • The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail. Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc. http://techbuddha.wordpress.com/ 12 © First Base Technologies 2011
  • 13. Just a little brainstorm 13 © First Base Technologies 2011
  • 14. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 14 © First Base Technologies 2011
  • 15. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 -> V3.0 Cloud Security Alliance http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page 15 © First Base Technologies 2011
  • 16. Risk Assessment Evaluate your tolerance for moving an asset to various cloud computing models • Identify the asset for the cloud deployment • Evaluate the asset • Map the asset to potential cloud deployment models • Evaluate potential cloud service models and providers • Sketch the potential data flow 16 © First Base Technologies 2011
  • 17. Identify the asset • Determine exactly what data or function is being considered for the cloud - This should include potential uses of the asset once it moves to the cloud to account for scope creep - Data and transaction volumes are often higher than expected • Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud - For example, host application and data in own data centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service 17 © First Base Technologies 2011
  • 18. Evaluate the asset How would we be harmed if: • the asset became widely public and widely distributed? • an employee of our cloud provider accessed the asset? • the process or function were manipulated by an outsider? • the process or function failed to provide expected results? • the information/data were unexpectedly changed? • the asset were unavailable for a period of time? 18 © First Base Technologies 2011
  • 19. Map the asset to potential models • Public • Private, internal/on-premises • Private, external (including dedicated or shared infrastructure) • Community; taking into account the hosting location, potential service provider, and identification of other community members • Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside 19 © First Base Technologies 2011
  • 20. Evaluate models and providers • In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management • If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment • Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers • If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation 20 © First Base Technologies 2011
  • 21. Sketch the potential data flow • If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes • While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud • If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points. 21 © First Base Technologies 2011
  • 22. Conclusions • Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable • Have a rough idea of potential exposure points for sensitive information and operations • These together should give you sufficient context to evaluate any other security controls in the Guidance 22 © First Base Technologies 2011
  • 23. Agenda • Cloud Computing: Define • Is Cloud Computing Secure? • Cloud Security Guidance • Q&A 23 © First Base Technologies 2011
  • 24. Need more information? Peter Wood Chief Executive Officer First•Base Technologies LLP peterw@firstbase.co.uk Twitter: peterwoodx Blog: fpws.blogspot.com http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com