Cloud Security By Dr. Anton Ravindran

Cloud Security
Dr. Anton Ravindran
Venue: Lecture at
Institute for Research in Applicable
Computing (IRAC),
University of Bedfordshire

Adoption trends
CIO Agenda Report, Gartner, 2013 (2053 CIOs, 36 industries, 41 countries)

CLOUD SECURITY AN EXECUTIVE LEVEL CONCERN
Source: Cloud Security Alliance “Cloud Adoptions Practices & Priorities Survey Report” (2015)
82% of IT professionals in Asia
Pacific continue to regard cloud
data security as an executive-
level concern

GLOBAL CLOUD SECURITY MARKET GROWTH
ANALYSIS 2012-2014 (US$ MILLION)
425.4
629.6
963.4
0
200
400
600
800
1000
1200
2012 2013 2014
41.4% Compound annual

GLOBAL CLOUD SECURITY MARKET BY END-USER SEGMENTATION
38
31
17
9
5
Large Enterprises
Government Agencies
Cloud Service Providers
Medium Enterprises

Cloud Computing Landscape
Gartner predicts revenue of USD 131billion in 2013

A simple definition
“In simple words, the Cloud refers to the
process of sharing resources (such as
hardware, development platforms and/or
software) over the internet. It enables On-
Demand network access to a shared pool of
dynamically configurable computing
resources. These resources are accessed mostly
on a pay-per-use or subscription basis.”
The Cloud Changing the Business Ecosystem, KPMG, 2011

Why do customers use the cloud?

PRIVATE CLOUD VS. PUBLIC CLOUD

Public, Private, Hybrid
Off premises/third-party
Public/
external
Private/
internal
On premises/internal
Hybrid
Image reproduced from Cloud security and privacy, 2009, Mather et al.

Private and hybrid clouds
• Rise in hybrid and private
cloud for sensitive data
• Private cloud cost can be
prohibitive
• Hybrid cloud ranks 4 on
Gartner top 10 strategic
technology trends, 2014
KPMG's The Cloud: Changing the Business Ecosystem, 2011
Models companies use/intend to use*
(Larger companies prefer private)

CUSTOMER’S BIGGEST
CONCERN?
 A survey commissioned by Microsoft on ‘Cloud computing
among business leaders and the general population’ states that:
 58% of the general population and 86% of senior business leaders
are excited about the potential of cloud computing.
 But, more than 90% of these same people are concerned about the
security, access and privacy of their own data in the cloud.
Source: Microsoft

Customers’ biggest concerns
KPMG International’s 2012 Global Cloud Provider Survey (n=179)

CONTROL, LIABILITY AND
ACCOUNTABILITY
On premise
App
VM
Server
Storage
Network
On premise
(hosted)
App
VM
Server
Storage
Network
IaaS
App
VM
Server
Storage
Network
PaaS
App
Services
Server
Storage
Network
SaaS
App
Services
Server
Storage
Network
Organization has
control
Organization shares
control with vendor
Vendor
has control
Image reproduced from Cloud security and privacy, 2009, Mather et al.

Cloud security
• What’s not new?
• Phishing, password, malware, downtime etc.
• What’s new? Understand…
• Change in trust boundaries
• Impact of using
• Public vs. private cloud
• IaaS vs. PaaS vs. SaaS
• Division of responsibilities between customer and
Cloud Service Provider (CSP)

DEFINING SECURITY IN CLOUD
Confidentiality
Integrity
Availability
Accountability
Assurance
Source: NIST

CLOUD SECURITY IS NO DIFFERENT
Familiar Security
Model
Validated and driven by
customers’ security experts
Benefits all customers
Physical
Network
System
People & Process
CLOUD SECURITY IS NO DIFFERENT

 There are undoubtedly risks associated with the use of
Cloud-based services, just as there are risks associated
other delivery models.
Source: Capgemini

SECURITY & COMPLIANCE IS A SHARED RESPONSIBILITY
Foundation Services
Compute Storage Database Networking
Global
Infrastructure
Edge Locations
Availability Zones
Regions
Responsible for
the security
OF the cloud
Customers have
their choice of
Security IN the
Cloud
Client-side Data
Encryption
Sever-side Data
Encryption
Network Traffic
Protection
Operating System, Network & Firewall Configuration
Platform, Application, Identity & Access Management
Customer Application & ContentC
U
S
T
O
M
E
R

WHY ITS DIFFERENT?
 Most cloud security problems stem from:
 Loss of control
 Lack of trust
 Multi-tenancy

CLOUD DATA AND STORAGE SECURITY
Data-in-transit
Data-at-rest
Processing of Data
(including Multi-tenancy)

 When users use the cloud, user probably won’t know exactly where your data is
hosted, what country it will be stored in?
 Data should be stored and processed by only specific jurisdictions as define by
user.
 Provider should also make contractual commitment to obey privacy
requirement on behalf of their customers,
 Data-centered policies that are generated when a user provides personal or
sensitive information, that travels with that information throughout its lifetime
to ensure that the information is used only in accordance with the policy
DATA LOCATION
Data
Policies

 Sanitization is a process of removing sensitive information from a storage
device .
 What happens to data stored in a cloud computing environment once it has
passed Its user’s “use by date”
 What data sanitization practices does the cloud computing service provider
propose to implement for redundant and retiring data storage devices as and
when these devices are retired or taken out of service.
DATA SANITIZATION

SECURITY IS FAMILIAR
 Visibility
 Auditability
 Controllability
 Agility

SECURITY IS VISIBLE
HOW OFTEN DO YOU MAP YOUR NETWORK?
WHAT’S IN YOUR ENVIROMENT RIGHT NOW?

AWS CLOUDTRAIL
You are making
API calls
On a growing set
of services around
the world…
CloudTrail is
continuously
recording API calls
And delivering log
files to you

SECURITY IS VISIBLE
 Who is accessing the resources?
 Who took what action
 When?
 From Where?
 What did they do?
 Logs Logs Logs
 Physical

SECURITY IS AUDITABLE
Security Control Objectives
 Security Organization
 User Access
 Logical Security
 Physical Security and ENV. Safeguards
 Change Management
 Data Integrity, Availability and Redundancy
 Incident Handling

SECURITY IS CONTROLLABLE
 Mange encryption
 Key management Services
 Create, store & retrieve key securely
 Rotate Keys regularly
 Securely Audit access to keys
 Fine grained Access/Firewalls (closed)
 VPC
 Logs of Access Logs of Actions Logs of Activities
 Consistency of Security

Simple Security Controls
Easy to get Right
Easy to Audit
Easy to Enforce

What steps are you [CSP] taking to improve data security and privacy
in your cloud offerings? (top 3)*
CSPs improving security
Tighter
restrictions
on user
access
Greater use
of data
encryption
Improving
real-time
threat
detection

Top SLA parameters
System Availability Regulatory compliance
Data security
Functional capabilities
Response time
Other performance levels
*KPMG International’s 2012 Global Cloud Provider Survey (n=179)

HYPERVISOR BASED FIREWALL
 We do have some options available if we need a higher level of risk
mitigation than what is provided by a virtual firewall appliance i.e.
hypervisor based firewall.
 Example: VMware’s vShield
 A hypervisor based firewall moves the firewall to the other side of the
virtual switch, thus mitigating any risks within the switch itself.
 The problem with hypervisor based firewalls is that they are vendor
specific.

Source: CSA
HYPERVISOR BASED FIREWALL

FIRERACK VIRTUAL FIREWALL
 The Netservers FireRack firewall is an Internet security appliance
designed to provide highly compartmentalized security with
devolved management.
 Security Zones
 It is hence ideally suited for environments such as co-location
hosting or college networks where badly maintained or
untrustworthy computers on the same network as yours could
otherwise pose it a threat.

Source: FireRack
FIRERACK VIRTUAL FIREWALL

CLOUDPASSAGE HALO SVM AND HALO FIREWALL

MTCS MODEL
Level 3
Level 2
Level 1
Security
Controls
in place
Most
Stringent
Stringent
Baseline
Addresses
Security Risks
& Threats to
High impact IT
systems
Moderate impact
IT systems
Low impact IT
systems
Designed for
companies
with
Regulatory
compliance
requirements
Business critical
data and
systems
Business non-
critical data and
system
Examples
Hosting of highly
confidential
business data,
financial records,
medical records
Hosting of
confidential
business data,
email, CRM
Web site hosting
public
information

LIST OF SELECTED MTCS CERTIFIED CSPS
(AS OF 16 OCTOBER 2015)

COMMERCIAL CLOUD SECURITY VENDORS
 Trend Micro
 AppRiver
 Awareness Technologies
 Barracuda Networks
 CloudPassage
 Symantec

US DEPARTMENT OF
TRANSPORTATION
Case Study
Source: www.layer7tech.com

NUMBERS AND VOLUME
DOT
 12 agencies
 60,000 employees
 100’s of business and
government services managed
CARS
 18,000+ car dealers enrolled
 680,000 older vehicles traded
in for new, fuel-efficient cars

THE SOLUTION
LAYER 7 CLOUDSPAN
61

THE RESULTS
 CARS is considered one of the biggest successes of
the Obama administration.
 CARS had a large impact on the economic recovery
by saving or creating tens of thousands of jobs, as
well as by increasing GDP by an estimated $3.8 to
$6.8 billion.
 Going forward, the program will also result in a
reduction of fuel consumption (~33M gallons
annually) and CO2 emissions (~360K metric tons
annually) over the lifetime of the newly purchased
vehicles.

• Change in trust boundaries
• Mostly no new security or privacy
issues per se

CLOUD SECURITY IS FAMILIAR!
“Based on our experience, I believe that we can be even more secure in
the AWS cloud than in our own data centres.”
Tom Soderstrom, CTO, NASA
Nearly 60% of organizations agreed that CSPs[cloud service
providers] provide better security than their own IT
organizations.
Source: IDC 2013 U.S. Cloud Security Survey,
doc#242836,September 2013

Cloud Security By Dr. Anton Ravindran

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a Cloud Security By Dr. Anton Ravindran

Similar a Cloud Security By Dr. Anton Ravindran (20)

Más de GSTF

Más de GSTF (10)

Último

Último (20)

Cloud Security By Dr. Anton Ravindran