SlideShare una empresa de Scribd logo

A Cloud Security Ghost Story Craig Balding

C
craigbalding

Presented at Black Hat Europe 2009 by Craig Balding, founder of http://cloudsecurity.org

Tecnología
1 de 81
Descargar para leer sin conexión
A Cloud Security Ghost Story Craig Balding
Disclaimer The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
Happy to take questions as we go ✴ Will limit in-flight answers to 2 minutes... ✴ ...to allow time for Q&A at end ✴ If you want SAP Pwnage, other track ;-) ✴
Tweeting/Blogging? Please add the tag: cloudsec
Clown Computing? Cloud == Internet It’s Outsourcing! It’s Virtualization! Overhyped Fad Nothing New Don’t Believe in Clouds?
A Service Model *aaS: ...as a Service On-Demand Pay As You Go (CC) Elastic Abstracted Resource What Is “Cloud”?
Cloud Security vs. Security in the Cloud Avoid the Facepalm
This is not ASP Shared Hardware Shared Fabric / Host Scalability / Cost Multi Tenancy
DB Security Model
DB == Tenant
DB == Tenant 1..n
Engineering Feat Scalability Availability New techniques 1000:1 Green “It’s Only Day 1”
Cloud Magic: Just Say No
Evil State Replication Woes Patching Devils Insidious Integrity Funding Cloud FAIL
Risk Management Your Liable Compensating Controls Plan for Failure Trust but Verify Web Services Security Browsers Are Brittle Security Givens
Ghost Central
*aaS: ...as a Service Pay As You Go (CC) Elastic Outages Very Public Support Forums Public Clouds
Classic SPI Model Software as a Service Platform as a Service Infrastruture as a Service
Examples Software as a Service Platform as a Service Infrastruture as a Service
SaaS CRM force.com == PaaS AppExchange Code Reviews Service Cloud Salesforce
Examples Software as a Service Platform as a Service Infrastruture as a Service
PaaS Python VM Justin Ferguson Java VM Data Import/Export SDC Google App Engine
Google Secure Data Connector
Software & Services Technology Preview Identity (Cameron) Microsoft Azure
Software + Services
Examples Software as a Service Platform as a Service Infrastruture as a Service
Public IaaS Pioneer EC2, S3, SQS etc “You secure” Security Whitepaper Evangelism Data Cleansing Amazon Web Services
One Key Management Plane New Policy Language Report a Scan If a HD is Stolen... AWS Ecosystem Amazon Web Services
Dynamo Paper Consistency Availability Integrity Out of order No Time Promises Eventually Consistent
AWS “Dev friendly” Dev Testimonials AMZN PMTS 866-216-1072 AWS API endpoints POST/PUT/DELETE Developers with Credit Cards
Visibility Mutants Cloud Stacks Integration Privacy Regulations SLAs Haunted House of the Cloud
The Visibility Ghost Ship
When Controls Fail Lingua Franca: API Manage SSL EC2 vs NSM Immature logging DLP The Visibility Ghostship
IaaS vs Paas vs SaaS Scan & Get Canned Idea: AllowScan API Pen-testing Scope Assurance
Virtual Data Center Version Control View as Timeline Pre/post Commit Sanity Checks Proactive Polling Data Center Tripwire
Call Premium Support Cloud Clamour No Business Context Incident Response
IaaS vs Paas vs SaaS Ghosting a Ghost Logs & Integration Offline Forensic VMs AWS EBS Cloning Forensics as a Service Cloud IR Teams? Forensics
IaaS vs Paas vs SaaS Mash-ups 1...n Theft of Hard Drive... First, find the DC Jurisdictional Hell Investigations
The March of the Mutated Hypervisor
AWS EC2 Xen with “mods” No Dom0 Access Xen DomU Expose via XML API The March of the Mutated Hypervisor
BIOS Functionality++ Research++ Cache Snooping Hypervisor Attack Persistent Rootkits The Vampire BIOS
Ghost in the Stacks
Dependent Services Consume & Provide Trust by Inheritence Mind the Gap Pass the Buck Cloud Stacks/Layers
Appirio Salesforce App Hook API Divert Attachments Client > EC2 > S3 Stored in Plaintext! Example
Net vs Storage Crypto
Enterprise Integration Road to Hell
Identity is > People Federated Auth Visibility DLP Metrics Billing Enterprise Integration
IaaS vs Paas vs SaaS VM Portability Frameworks AWS as defacto API Unified Cloud? Interoperability
Cloud Lock-in
The Green Latern of Privacy
EPIC Compliant Misstating Security Snafus & Vulns Lack of Crypto Bar of chocolate? $SOCIALNETWORKS The Green Lantern of Privacy
The Screaming Regulator
PCI: The Mosso Pitch HIPAA: AWS / “Apps” Screaming or silent? VirtSec / PCI DSS Groundhog Day The Screaming Regulator
Jurisdiction IP rights Content ownership Contract Law Wins Licensing Raid 8 Legal Concerns
The Curse of the Bloodstained SLA
Blah Blah Blah No CHANGELOG Blah Blah Blah Internet == No promises Blah Blah Blah CC_OK || rm -rf /cloud Blah Blah Blah Service Credits FTW! Blah Blah Blah Blood Stained SLA
AWS Security Pledge 7.2 We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications.
AWS Security Advice 7.2. ...We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates.
Not even Service Credits? ;-) 7.2. ...We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
Cloud Nirvana: The Rise of the Enterprise Private Cloud
Maximum Control Interoperability Cloudbursting Extend Off-site VMware / CISCO Eucalyptus (OSS) Private Clouds
Source: Chris Hoff
Infrastructure 1.0 Firewall Mentality Controls vs Data Investments vs Risk DL Time Bombs Visibility & IR Enterprise Skeletons
346 Legacy Apps Audit Reports 3rd Party Monsters Aging Policies Controls <> Assets Inner Control Freak Good Old Days Call from the Grave
Eucalyptus (OSS) API == AWS EC2 Xen + KVM Ship w/Ubuntu 9.04 Open Source Private Cloud
Centralised Controls Password Cracking Forensic Readiness Never Ending Logs Security Builds Security Testing Embrace the Cloud
Cloud Aggregator “Internet Trading Platformquot; Public/Private Handle Billing Cloud Brokers
Example: Zimory
Pick Your Poison Gold: A gold SLA cloud delivers the strongest quality standards. This includes availability and security standards. The providers offering these resources are compliant with all relevant security certifications. Silver: A silver SLA offers high availability and security standards. The providers are known brands. Bronze: A bronze SLA delivers the usual quality and availability standards of hosting providers. It does not contain certifications and additional security offerings.
Cloud Spirits General John Willis: IT ESM and Cloud (Droplets) Kevin L. Jackson: Cloud Musing (Federal) James Urquhart (CISCO): Wisdom of Clouds Werner Vogels (AWS CTO): All Things Distributed Google Groups Cloud Computing Security Christofer Hoff: rationalsurvivability.com Craig Balding (aka Me): cloudsecurity.org
Cloud Security Alliance ENISA Cloud Security Working Group Cloud Security Initiatives
Cloud Security Alliance Non-profit organization Promote practices to provide security assurance Comprised of many subject matter experts from a wide variety disciplines Official launch next week @ RSA Join? Linkedin Group “Cloud Security Alliance” open to all
ENISA Cloud Computing Risk Assessment European Policymakers responsible for funding Cloud risk mitigation research, policy, economic incentives, legislative measures, awareness-raising initiatives Business leaders to evaluate Cloud risks of and possible mitigation strategies. Individuals/citizens to evaluate cost/benefit of consumer Cloud services.
Hosting => Cloud Cloud Platform Wars Cloud Pwnage Trust Indicators Vertical Clouds Data Centric Security? Social Engineering++ Futures
Ghost Alley / Amsterdam
Thanks
Q&A Craig Balding
CSA: Domains •Information lifecycle •Portability & management InteroperabilityData •Governance and Center Operations Enterprise Risk Management Management •Incident Response, •Compliance & Audit Notification, Remediation •General Legal •quot;Traditionalquot; Security •eDiscovery impact (business •Encryption and Key Mgt continuity, disaster •Identity and Access Mgt recovery, physical security) •Storage •Architectural •Virtualization Framework •Application Security

Recomendados

What Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud SecurityWhat Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud Securitycraigbalding
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaEdureka!
 
Cloud security
Cloud securityCloud security
Cloud securityFrançois Boucher
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...Ryan Koop
 
Introducing Azure Bastion
Introducing Azure BastionIntroducing Azure Bastion
Introducing Azure BastionAmmar Hasayen
 
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud SeedingTrish McGinity, CCSK
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggTrish McGinity, CCSK
 

Recomendados

What Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud SecurityWhat Everyone Ought To Know About Cloud Security
What Everyone Ought To Know About Cloud Securitycraigbalding
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaCloud Security Tutorial | Cloud Security Fundamentals | AWS Training | Edureka
Cloud Security Tutorial | Cloud Security Fundamentals | AWS Training | EdurekaEdureka!
 
Cloud security
Cloud securityCloud security
Cloud securityFrançois Boucher
 
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...
CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...Ryan Koop
 
Introducing Azure Bastion
Introducing Azure BastionIntroducing Azure Bastion
Introducing Azure BastionAmmar Hasayen
 
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud SeedingTrish McGinity, CCSK
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggTrish McGinity, CCSK
 
Gogrid
GogridGogrid
GogridAvinash Killamsetty
 
In Cloud We Trust
In Cloud We TrustIn Cloud We Trust
In Cloud We TrustAndy Harjanto
 
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPTAmazon Web Services
 
Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization Aventis Systems, Inc.
 
Cloud Presentation
Cloud PresentationCloud Presentation
Cloud PresentationSantaMonicaChamber
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Vic Winkler
 
Cloud Computing Ppt
Cloud Computing PptCloud Computing Ppt
Cloud Computing PptAnjoum .
 
The Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudThe Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudIdan Tohami
 
Cloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationCloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationAmmar Hasayen
 
CloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William FellowsCloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William FellowsChris Purrington
 
Hybride clouds door bart veldhuis
Hybride clouds door bart veldhuis Hybride clouds door bart veldhuis
Hybride clouds door bart veldhuis Ngi-NGN, platform voor ict professionals
 
Why Cloud Management Makes Sense
Why Cloud Management Makes SenseWhy Cloud Management Makes Sense
Why Cloud Management Makes SenseRightScale
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology GovernanceAlert Logic
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud ComputingAmazon Web Services
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud SecurityTudor Damian
 
Introduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using AzureIntroduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using AzureBizTalk360
 
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWSThe AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWSAlert Logic
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeAlert Logic
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security pptVenkatesh Chary
 
Cloud Security- In Perspective
Cloud Security- In PerspectiveCloud Security- In Perspective
Cloud Security- In PerspectiveJustin Pirie
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanKen Chan
 

Más contenido relacionado

La actualidad más candente

Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPTAmazon Web Services
 
Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization Aventis Systems, Inc.
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Vic Winkler
 
Cloud Computing Ppt
Cloud Computing PptCloud Computing Ppt
Cloud Computing PptAnjoum .
 
The Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudThe Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudIdan Tohami
 
Cloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationCloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationAmmar Hasayen
 
CloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William FellowsCloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William FellowsChris Purrington
 
Why Cloud Management Makes Sense
Why Cloud Management Makes SenseWhy Cloud Management Makes Sense
Why Cloud Management Makes SenseRightScale
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology GovernanceAlert Logic
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud SecurityTudor Damian
 
Introduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using AzureIntroduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using AzureBizTalk360
 
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWSThe AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWSAlert Logic
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeAlert Logic
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 

La actualidad más candente (20)

Gogrid
GogridGogrid
Gogrid
 
In Cloud We Trust
In Cloud We TrustIn Cloud We Trust
In Cloud We Trust
 
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
Transform Your Risk Systems for Greater Agility with Accenture & AWS PPT
 
Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization Tips For Building Private Cloud Architecture With Virtualization
Tips For Building Private Cloud Architecture With Virtualization
 
Cloud Presentation
Cloud PresentationCloud Presentation
Cloud Presentation
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
 
Cloud Computing Ppt
Cloud Computing PptCloud Computing Ppt
Cloud Computing Ppt
 
The Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi CloudThe Journey to the Hybrid Multi Cloud
The Journey to the Hybrid Multi Cloud
 
Cloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationCloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 Foundation
 
CloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William FellowsCloudCamp London 3 - 451 Group - William Fellows
CloudCamp London 3 - 451 Group - William Fellows
 
Hybride clouds door bart veldhuis
Hybride clouds door bart veldhuis Hybride clouds door bart veldhuis
Hybride clouds door bart veldhuis
 
Why Cloud Management Makes Sense
Why Cloud Management Makes SenseWhy Cloud Management Makes Sense
Why Cloud Management Makes Sense
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology Governance
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud Computing
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
 
Introduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using AzureIntroduction to Microsoft Cloud Computing using Azure
Introduction to Microsoft Cloud Computing using Azure
 
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWSThe AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in Practice
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 

Destacado

Cloud Security- In Perspective
Cloud Security- In PerspectiveCloud Security- In Perspective
Cloud Security- In PerspectiveJustin Pirie
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanKen Chan
 
Launching a Highly-regulated Startup in the Public Cloud
Launching a Highly-regulated Startup in the Public CloudLaunching a Highly-regulated Startup in the Public Cloud
Launching a Highly-regulated Startup in the Public CloudPoornaprajna Udupi
 
2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcementShawn Wells
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptPrivacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptGirish Chandra
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at NetflixJason Chan
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingJim Geovedi
 
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTINGPRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTINGKayalvizhi Selvaraj
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop CoursebookShawn Wells
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityNinh Nguyen
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesDheeraj Negi
 
Cloud Security At Netflix, October 2013
Cloud Security At Netflix, October 2013Cloud Security At Netflix, October 2013
Cloud Security At Netflix, October 2013Jay Zarfoss
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentationelliehood
 

Destacado (18)

Cloud Security- In Perspective
Cloud Security- In PerspectiveCloud Security- In Perspective
Cloud Security- In Perspective
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y Chan
 
Cloud Security: Ten Things
Cloud Security: Ten ThingsCloud Security: Ten Things
Cloud Security: Ten Things
 
Launching a Highly-regulated Startup in the Public Cloud
Launching a Highly-regulated Startup in the Public CloudLaunching a Highly-regulated Startup in the Public Cloud
Launching a Highly-regulated Startup in the Public Cloud
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptPrivacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
Privacy Preserving Public Auditing for Data Storage Security in Cloud.ppt
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
 
Cloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud ComputingCloud Security - Security Aspects of Cloud Computing
Cloud Security - Security Aspects of Cloud Computing
 
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTINGPRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
Cloud Security At Netflix, October 2013
Cloud Security At Netflix, October 2013Cloud Security At Netflix, October 2013
Cloud Security At Netflix, October 2013
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
Slideshare Powerpoint presentation
Slideshare Powerpoint presentationSlideshare Powerpoint presentation
Slideshare Powerpoint presentation
 
Slideshare ppt
Slideshare pptSlideshare ppt
Slideshare ppt
 

Similar a A Cloud Security Ghost Story Craig Balding

Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAmazon Web Services
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Marcela Cárdenas Hidalgo
 
CloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingAmazon Web Services
 
Security Innovations in the Cloud
Security Innovations in the CloudSecurity Innovations in the Cloud
Security Innovations in the CloudAmazon Web Services
 
Introduction to Cloud Computing with Amazon Web Services and Customer Case Study
Introduction to Cloud Computing with Amazon Web Services and Customer Case StudyIntroduction to Cloud Computing with Amazon Web Services and Customer Case Study
Introduction to Cloud Computing with Amazon Web Services and Customer Case StudyAmazon Web Services
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security SuperheroAmazon Web Services
 
FullDay Faeder on Friday
FullDay Faeder on Friday FullDay Faeder on Friday
FullDay Faeder on Friday Adam Faeder
 
FullDay on Fridays Feb. 3, 2017
FullDay on Fridays Feb. 3, 2017FullDay on Fridays Feb. 3, 2017
FullDay on Fridays Feb. 3, 2017Adam Faeder
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsErnest Mueller
 

Similar a A Cloud Security Ghost Story Craig Balding (20)

Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the Cloud
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
 
Oas un llamado a la accion
Oas un llamado a la accionOas un llamado a la accion
Oas un llamado a la accion
 
CloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security Scaling
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Security Innovations in the Cloud
Security Innovations in the CloudSecurity Innovations in the Cloud
Security Innovations in the Cloud
 
Introduction to Cloud Computing with Amazon Web Services and Customer Case Study
Introduction to Cloud Computing with Amazon Web Services and Customer Case StudyIntroduction to Cloud Computing with Amazon Web Services and Customer Case Study
Introduction to Cloud Computing with Amazon Web Services and Customer Case Study
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero
 
FullDay Faeder on Friday
FullDay Faeder on Friday FullDay Faeder on Friday
FullDay Faeder on Friday
 
FullDay on Fridays Feb. 3, 2017
FullDay on Fridays Feb. 3, 2017FullDay on Fridays Feb. 3, 2017
FullDay on Fridays Feb. 3, 2017
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Clouds And Security
Clouds And SecurityClouds And Security
Clouds And Security
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
AWS in FSI 2019
AWS in FSI 2019AWS in FSI 2019
AWS in FSI 2019
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systems
 

Último

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

A Cloud Security Ghost Story Craig Balding

  • 1. A Cloud Security Ghost Story Craig Balding
  • 2. Disclaimer The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  • 3. Happy to take questions as we go ✴ Will limit in-flight answers to 2 minutes... ✴ ...to allow time for Q&A at end ✴ If you want SAP Pwnage, other track ;-) ✴
  • 4. Tweeting/Blogging? Please add the tag: cloudsec
  • 5. Clown Computing? Cloud == Internet It’s Outsourcing! It’s Virtualization! Overhyped Fad Nothing New Don’t Believe in Clouds?
  • 6. A Service Model *aaS: ...as a Service On-Demand Pay As You Go (CC) Elastic Abstracted Resource What Is “Cloud”?
  • 7. Cloud Security vs. Security in the Cloud Avoid the Facepalm
  • 8. This is not ASP Shared Hardware Shared Fabric / Host Scalability / Cost Multi Tenancy
  • 11. DB == Tenant 1..n
  • 12. Engineering Feat Scalability Availability New techniques 1000:1 Green “It’s Only Day 1”
  • 14. Evil State Replication Woes Patching Devils Insidious Integrity Funding Cloud FAIL
  • 15. Risk Management Your Liable Compensating Controls Plan for Failure Trust but Verify Web Services Security Browsers Are Brittle Security Givens
  • 17. *aaS: ...as a Service Pay As You Go (CC) Elastic Outages Very Public Support Forums Public Clouds
  • 18. Classic SPI Model Software as a Service Platform as a Service Infrastruture as a Service
  • 19.
  • 20.
  • 21. Examples Software as a Service Platform as a Service Infrastruture as a Service
  • 22. SaaS CRM force.com == PaaS AppExchange Code Reviews Service Cloud Salesforce
  • 23. Examples Software as a Service Platform as a Service Infrastruture as a Service
  • 24. PaaS Python VM Justin Ferguson Java VM Data Import/Export SDC Google App Engine
  • 25. Google Secure Data Connector
  • 26. Software & Services Technology Preview Identity (Cameron) Microsoft Azure
  • 28. Examples Software as a Service Platform as a Service Infrastruture as a Service
  • 29. Public IaaS Pioneer EC2, S3, SQS etc “You secure” Security Whitepaper Evangelism Data Cleansing Amazon Web Services
  • 30. One Key Management Plane New Policy Language Report a Scan If a HD is Stolen... AWS Ecosystem Amazon Web Services
  • 31. Dynamo Paper Consistency Availability Integrity Out of order No Time Promises Eventually Consistent
  • 32. AWS “Dev friendly” Dev Testimonials AMZN PMTS 866-216-1072 AWS API endpoints POST/PUT/DELETE Developers with Credit Cards
  • 33. Visibility Mutants Cloud Stacks Integration Privacy Regulations SLAs Haunted House of the Cloud
  • 35. When Controls Fail Lingua Franca: API Manage SSL EC2 vs NSM Immature logging DLP The Visibility Ghostship
  • 36. IaaS vs Paas vs SaaS Scan & Get Canned Idea: AllowScan API Pen-testing Scope Assurance
  • 37. Virtual Data Center Version Control View as Timeline Pre/post Commit Sanity Checks Proactive Polling Data Center Tripwire
  • 38.
  • 39. Call Premium Support Cloud Clamour No Business Context Incident Response
  • 40. IaaS vs Paas vs SaaS Ghosting a Ghost Logs & Integration Offline Forensic VMs AWS EBS Cloning Forensics as a Service Cloud IR Teams? Forensics
  • 41. IaaS vs Paas vs SaaS Mash-ups 1...n Theft of Hard Drive... First, find the DC Jurisdictional Hell Investigations
  • 42. The March of the Mutated Hypervisor
  • 43. AWS EC2 Xen with “mods” No Dom0 Access Xen DomU Expose via XML API The March of the Mutated Hypervisor
  • 44. BIOS Functionality++ Research++ Cache Snooping Hypervisor Attack Persistent Rootkits The Vampire BIOS
  • 45. Ghost in the Stacks
  • 46. Dependent Services Consume & Provide Trust by Inheritence Mind the Gap Pass the Buck Cloud Stacks/Layers
  • 47. Appirio Salesforce App Hook API Divert Attachments Client > EC2 > S3 Stored in Plaintext! Example
  • 48. Net vs Storage Crypto
  • 50. Identity is > People Federated Auth Visibility DLP Metrics Billing Enterprise Integration
  • 51. IaaS vs Paas vs SaaS VM Portability Frameworks AWS as defacto API Unified Cloud? Interoperability
  • 53. The Green Latern of Privacy
  • 54. EPIC Compliant Misstating Security Snafus & Vulns Lack of Crypto Bar of chocolate? $SOCIALNETWORKS The Green Lantern of Privacy
  • 56. PCI: The Mosso Pitch HIPAA: AWS / “Apps” Screaming or silent? VirtSec / PCI DSS Groundhog Day The Screaming Regulator
  • 57. Jurisdiction IP rights Content ownership Contract Law Wins Licensing Raid 8 Legal Concerns
  • 58. The Curse of the Bloodstained SLA
  • 59. Blah Blah Blah No CHANGELOG Blah Blah Blah Internet == No promises Blah Blah Blah CC_OK || rm -rf /cloud Blah Blah Blah Service Credits FTW! Blah Blah Blah Blood Stained SLA
  • 60. AWS Security Pledge 7.2 We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications.
  • 61. AWS Security Advice 7.2. ...We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates.
  • 62. Not even Service Credits? ;-) 7.2. ...We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
  • 63. Cloud Nirvana: The Rise of the Enterprise Private Cloud
  • 64. Maximum Control Interoperability Cloudbursting Extend Off-site VMware / CISCO Eucalyptus (OSS) Private Clouds
  • 66. Infrastructure 1.0 Firewall Mentality Controls vs Data Investments vs Risk DL Time Bombs Visibility & IR Enterprise Skeletons
  • 67. 346 Legacy Apps Audit Reports 3rd Party Monsters Aging Policies Controls <> Assets Inner Control Freak Good Old Days Call from the Grave
  • 68. Eucalyptus (OSS) API == AWS EC2 Xen + KVM Ship w/Ubuntu 9.04 Open Source Private Cloud
  • 69. Centralised Controls Password Cracking Forensic Readiness Never Ending Logs Security Builds Security Testing Embrace the Cloud
  • 70. Cloud Aggregator “Internet Trading Platformquot; Public/Private Handle Billing Cloud Brokers
  • 72. Pick Your Poison Gold: A gold SLA cloud delivers the strongest quality standards. This includes availability and security standards. The providers offering these resources are compliant with all relevant security certifications. Silver: A silver SLA offers high availability and security standards. The providers are known brands. Bronze: A bronze SLA delivers the usual quality and availability standards of hosting providers. It does not contain certifications and additional security offerings.
  • 73. Cloud Spirits General John Willis: IT ESM and Cloud (Droplets) Kevin L. Jackson: Cloud Musing (Federal) James Urquhart (CISCO): Wisdom of Clouds Werner Vogels (AWS CTO): All Things Distributed Google Groups Cloud Computing Security Christofer Hoff: rationalsurvivability.com Craig Balding (aka Me): cloudsecurity.org
  • 74. Cloud Security Alliance ENISA Cloud Security Working Group Cloud Security Initiatives
  • 75. Cloud Security Alliance Non-profit organization Promote practices to provide security assurance Comprised of many subject matter experts from a wide variety disciplines Official launch next week @ RSA Join? Linkedin Group “Cloud Security Alliance” open to all
  • 76. ENISA Cloud Computing Risk Assessment European Policymakers responsible for funding Cloud risk mitigation research, policy, economic incentives, legislative measures, awareness-raising initiatives Business leaders to evaluate Cloud risks of and possible mitigation strategies. Individuals/citizens to evaluate cost/benefit of consumer Cloud services.
  • 77. Hosting => Cloud Cloud Platform Wars Cloud Pwnage Trust Indicators Vertical Clouds Data Centric Security? Social Engineering++ Futures
  • 78. Ghost Alley / Amsterdam
  • 81. CSA: Domains •Information lifecycle •Portability & management InteroperabilityData •Governance and Center Operations Enterprise Risk Management Management •Incident Response, •Compliance & Audit Notification, Remediation •General Legal •quot;Traditionalquot; Security •eDiscovery impact (business •Encryption and Key Mgt continuity, disaster •Identity and Access Mgt recovery, physical security) •Storage •Architectural •Virtualization Framework •Application Security