SlideShare una empresa de Scribd logo

Cloud security deep dive infoworld jan 2011

Kim Jensen
Kim Jensen

Cloud security deep dive infoworld jan 2011

Tecnología
1 de 8
Descargar para leer sin conexión
SPECIAL REPORT JANUARY 2011 Cloud Security Deep Dive A new security model for a new era Copyright © 2011 InfoWorld Media Group. All rights reserved. Sponsored by
i Cloud Computing Deep Dive 2 Cloud security changes everything The scalability of cloud computing depends on sharing resources that were never shared before, demanding a new set of security best practices MANY COMPUTER SECURITY PRACTITIONERS infrastructure. Common examples include Google’s blow off cloud computing as just a semantic exercise Gmail, Microsoft’s Business Online Productivity describing conventional applications running across a Suite, and Salesforce.com. wide area network. They are wrong. Cloud computing is a new paradigm • Platform as a Service (PaaS). PaaS providers give that challenges traditional security dogma. Old assump- developers complete development environments tions are gone forever and the ones that replace them will in which to code, host, and deliver applications. make the security expert’s job harder than ever. The development environment typically includes This paper will cover how cloud computing differs the underlying infrastructure, development tools, from the past and discuss characteristics of the new APIs, and other related services. Examples include threat model. Google’s App Engine, Microsoft’s Windows Azure, and Salesforce’s Force.com. CLOUD COMPUTING MODELS Before delving into cloud computing exploits and Naturally, many cloud service providers mix two or defenses, it helps to get a basic understanding of cloud more of these cloud service models or cannot be neatly computing models. Although new models appear to placed into one type. Additionally, the type of user who be emerging every day, here are the basic ones nearly can access the cloud further defines each model, as well everyone agrees on: as what type of cloud is at issue: • Infrastructure as a Service (IaaS). IaaS pro- • The public cloud. Public clouds are created by vides massively scalable, elastic computing resources one vendor and offered to the general public. Pub- via the Internet. Some providers offer just a single lic clouds are almost always Internet-accessible and resource, such as storage space, but most now focus multitenanted. on providing complete computing platforms for cus- tomers’ VMs, including operating system, memory, • The private cloud. Private clouds are hosted by the storage, and processing power. Clients often pay for same organization that utilizes the service (which in only what they use, which fits nicely into any com- general does not support multitenancy). The primary pany’s computing budget. value proposition is data accessibility and fault tolerance. • Software as a Service (SasS). SaaS providers • The hybrid cloud. This term typically applies to deliver software functionality through the browser, organizations that have set up private cloud services without the end-user having to install software in combination with external public cloud services. locally. Typically, SaaS offerings are multiten- It also refers to service offerings used exclusively by anted: Customers establish accounts on one huge an invited group of private customers (also called a instance of the software running on a virtualized “community cloud”). INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 3 For more information, see the National Institute for most servers are Internet-accessible. This must change Standards and Technology (NIST) document detailing the security defender’s thinking. common cloud terminology. Just as most clouds are Internet-accessible, they are also almost entirely Web-based, with browsers as clients HOW CLOUD COMPUTING IS DIFFERENT and Web servers as the server endpoint connection. Cloud computing is a major departure from traditional Some clouds use simple HTML-based forms and Web networks and applications. In general, a service or offer- pages, but most are an increasingly complex set of Web ing is considered cloud computing if it has at least four of services and protocols. (Wikipedia has an excellent begin- these seven traits: ner’s tutorial on Web services.) As the Web matures, most things that were once • Internet (or intranet) accessible accomplished using a single computer will be executed • A massively scalable, user-configurable pool of elastic by a matrix of Web services, connected together in most computing resources (such as network bandwidth, cases by XML, SOAP (or REST), and SAML. As Web 2.0 compute power, memory, etc.) takes over, future security defenders must get to know • Multitenancy (one large software instance shared by these services and protocols inside and out, and defend many customer accounts) against their deficiencies as they emerge (and there are • A broad authentication scheme bound to be plenty). • Subscription or usage-based payment • Self-service MULTITENANCY • Lack of location specificity Multitenancy is a major defining trait for public clouds. Typically, in a traditional environment, only the appli- All of these traits offer new challenges to the computer cation’s owner and direct employees can access the security professional, but accessibility, multitenancy, broad application data. In a cloud, multitenancy means that authentication, and lack of location-specificity are the four multiple, distinct, separate end-user parties share the items responsible for the biggest technology shift and same service and/or resources. End-users may be aware demand for new security solutions. of this fact and may even be able to directly interact with other end-users. Or they may be unaware that ACCESS TO THE INTERNET OR resources are shared and that this is a risk. INTRANETS EQUALS HIGH RISK In a cloud, risk looms that the parties sharing that We already know that any computing resource that is cloud will be able to — unintentionally or intentionally Internet accessible is at a higher risk than one that is — access one another’s private data. This has been the not. It’s how most of the bad guys break into comput- case in cloud exploits with major cloud providers during ers today, whether it involves social-engineered Trojan the past few years. In some cases, all it took was modify- horse programs, viruses, or human attackers. High-risk ing a client’s unique identifier, sent over in the browser environments, like the top secret classified systems of request, to another identifier, and up comes another cli- most governments, usually aren’t allowed to connect to a ent’s data. Sometimes spillage has occurred when a bug network that can connect to the Internet. Too much risk. in the cloud service offered up too much data without Clouds don’t use VPN technologies. With cloud the client doing anything out of the ordinary. computing, it’s assumed that all users and application With IaaS-based clouds in particular, security resources are Internet- or intranet-accessible, with all researchers are discovering a brand new class of vulner- the elevated risk that implies. This means that anony- abilities that did not exist in the old world. For example, mous attackers can access connection points just as any attackers are finding ways to “cyberjack” another ten- legitimate user or manager of the system can. In a tradi- ant’s data and resources by discovering other tenant’s tional computing environment, only a small percentage IP addresses and computer resources or by searching of servers are Internet-accessible. In cloud computing, for other people’s data remnants after they release INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 4 unneeded resources back to the cloud. As it turns out, well as identity metasystems. With Web Identity 2.0, some cloud vendors don’t erase or format the freed-up there can be a multitude of identity services (made storage or memory resources. up of both centrally managed and single, stand-alone It’s too early to know whether these types of risks identities) that can interoperate with a large number will decrease as cloud security matures or whether they of Web sites and services. Popular individual identity will remain a fixture that defines the new threat model. services include OpenID, InfoCard, and LiveID. Many of these authentication services are interoperable with BROAD AUTHENTICATION SCHEMES each other and use common protocols such as XML, Internet accessibility and multitenancy pose a challenge SOAP, SAML, Web services, WS-Federation, and so on. when determining how to authenticate large num- In the Web 2.0 world, each Web site (or cloud pro- bers of different clients. In the traditional model, each vider) can choose which federated identity service to authenticating user has a full user account located in work with and accept. The Web site or service provider the application’s authentication database (or directory can require particular types of identity assurance (such service). But scaling and multitenancy complicates the as a simple password, smartcard, or biometric device) process, because conventional authentication services before a user can participate. For example, a cancer tend to offer access to shared common resources by survivor Web site may wish to allow anonymous users default. In Active Directory, for example, members of whereas an online banking Web site may require a site- the Everyone group can see and list all sorts of resources issued smartcard or other authenticating token to log on. that a cloud provider would probably not want every Conversely, users may be able to submit only the client to see. identity data they wish to share with the participat- Initially, many cloud providers tried to solve this ing service provider (called claims-based identity). For problem by using proprietary or private authentica- example, a user purchasing alcohol via the Internet may tion services. But these services rarely have the scal- need only to prove that he or she are over the legal ability and functionality needed. First-generation clouds drinking age but not have to show his or her actual required that all end-users have separate accounts in identity or birthdate. A central tenet of any good iden- their databases — similar to the way Web surfers need tity metasystem is that users should only have to show to log on separately to each website where they have the bare minimum of identity information necessary an account. (For example, your Facebook account is to access the offered service and perform the desired not related to your Amazon or iTunes accounts). This transaction. Submitting (or requesting) too much iden- is known as “Web Identity 1.0” in identity system circles. tity information is considered very “Web 1.0.” Clearly, asking end-users to create and manage sepa- In the Identity 2.0 model, authenticated anonymity rate log-on accounts for every future Web service they (called pseudo-anonymity) is possible. In this case, a will use doesn’t scale — for a multitude of reasons. Using trusted third party knows the user’s real identity and one big SSO (single sign-on) solution that interacted with has authenticated him or her, but hands out a different participating Web sites became the “Web Identity 1.5” identity credential that is trusted by the Web service pro- way of doing things. With this authentication model, vider. Thus, that user can use the Web service without users registered with an “independent,” centralized revealing his or her true identity to the Web site. authority to obtain an SSO ID. Then, when visiting par- ticipating Web sites, the user could enter their SSO cre- THE EFFECT OF BROAD AUTHENTICATION dentials to gain access. An example of this sort of solution ON CLOUD COMPUTING was Microsoft’s Passport (now morphed into LiveID) and In the near future, it’s likely that both private and public other protocols created by the Liberty Alliance. clouds will support Web 2.0 identities. Users of private But many people balked at the idea of a single entity clouds will likely use their SSO to access public cloud handling everyone’s SSO accounts. What evolved is services, while external users may use their SSO to known as “Web Identity 2.0,” or federated identity, as access your company’s private or hybrid cloud offering. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 5 The security impact of this is that a cloud attacker is guest-to-guest vulnerabilities. likely to be an authenticated user within the cloud Clearly, cloud computing amounts to more than just system at the onset of an attack. By contrast, the old semantic games. It presents a unique set of challenges assumption is that the attacker didn’t start with authenti- that security defenders must rise up to meet. cated access and needed to gain original access to begin high-level system exploitation. CLOUD SECURITY DEFENSES For example, consider two of the earliest and largest Cloud security is an evolving field. To begin with, cloud cloud services: Google Gmail and Microsoft Hotmail solutions are subject to all the conventional attacks — (now called LiveMail). Both contain millions of authen- buffer overflows, password attacks, physical attacks, ticated users and both now support newer SSO forms exploitation of application vulnerabilities, session con- such as OpenID and InfoCard. Google and Microsoft tamination, network attacks, man-in-the-middle attacks, have no idea which users are legitimate and which social engineering, and so on. But the unique charac- intend to do harm to other users or to the service itself. teristics of cloud computing present a new set of chal- Identity is still a work in progress. Solutions will lenges as well. change and morph as people begin to adopt the cloud Start by assuming attackers are logged-in, authen- in great numbers. And as new needs emerge, new solu- ticated users, and begin your defenses from there — tions and protocols will need to be invented. Whatever and there may be many attackers, thanks to the cloud’s trajectory these future developments take, Identity 2.0 global reach. This level of attacker access means that is new paradigm that requires a huge mind shift in com- many conventional defenses (such as separated security puter security defenders. zones, firewalls, and so on) will have little relevance. LACK OF LOCATION SPECIFICITY CLOUD SECURITY DEFENSE CLASSIFICATIONS The term “cloud” implies that a service is available widely, Managing cloud security is different than maintain- if not globally, with a multitude of origination and des- ing ordinary enterprise security. Security professionals tination points. The specific location of the computing should analyze all cloud offerings (including their own) resources for a given cloud may not be immediately iden- within a holistic security framework to make sure all tifiable by either the client, the cloud vendor, or both. In angles are covered. a traditional network offering, the user or vendor often Keep in mind that each combination of cloud ser- is aware of where the application or data is being hosted. vices has its own unique set of risks and countermea- This brings up all sorts of interesting dilemmas. For sures. Table 1 organizes these variables into a set of example: How are security defenders supposed to classifications and subtopics intended to generate fur- protect data when they don’t even know where it is? ther discussion and analysis. How can a cloud provider identify a client’s data (for legal and other purposes)? How does the cloud pro- CLOUD DEFENSE BEST PRACTICES vider securely erase a client’s data if the client exits the Enterprise security is a vast discipline and each of cloud solution? How can a particular client’s data be its many aspects must be reexamined in light of the prevented from leaving the host country of origin, if cloud. Take user deprovisioning as an example. Nor- even the cloud operators don’t know where the data is? mally, when an employee leaves a company, access to company applications and data is removed. But if that THE ROLE OF VIRTUALIZATION employee has subscribed to cloud services on behalf of Virtualization tends to play a big role in cloud services, the company, from the beginning the company should either as the underpinning for the service or, in the have had the technology in place to track those sub- case of IaaS, as part of the cloud service offering itself. scriptions, or the former employee may still be able And virtualization has every security risk that a physical access company data. You can’t deprovision if you don’t computer environment has — plus guest-to-host and know what was provisioned in the first place. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 6 TABLE 1: CLOUD SECURITY CLASSIFICATIONS AND SUBTOPICS A security defender responsible for cloud security should consider a wide range of parameters when developing a cloud security defense plan. SECURITY CLASSIFICATION RELATED SUBTOPICS Infrastructure security Physical security, environmental controls, business continuity/disaster recovery, network infrastructure, firewalls, proxies, routers, access control lists, staffing/employee background checks, availability (performance and anti-DoS), security policies (including what can be made available to customers), remote access, mobile access and platforms, identity/authentication/federation, billing systems, virtualization issues, high availability Resource provisioning Provisioning; modification; ownership and control, access; deprovisioning; reuse/ reassignment of: users, computing resources, computer systems, or IP address space; domain name services; directory services; self-service configuration management Storage and data security Privacy/privacy controls, data tagging, data storage zoning, data retention policies, data permanence/deletion, encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security Management Act), digital signing/integrity attestation, multitenancy issues, archiving, backup, recovery, data classification, locality requirements, malicious data aggregation prevention Application security Security design lifecycle, identity/authentication/federation, session management, data input (if applicable) validation, error handling, vulnerability testing, patching, authentication, data integration/ exchange, APIs, proxies, application sandboxing, versioning, bug/issue tracking Audit/compliance Logging, monitoring, auditing, compliance, accreditation, legal issues, regulations, locality requirements, discovery, forensics, SLAs, public communication plans, fraud detection General security Anti-malware, anti-spam, patching, incident response, data leak prevention Implications of this type apply across a whole range providers should have ways for defenders to mark or of security issues. Here are some key ones to consider. tag data with ownership and security classification and For better or worse, the degree to which you can apply to enable defenses based upon those attributes. Data best security practices often depends on the provider. should be protected in such a way that unauthorized (but authenticated, multitenanted) viewers can be prevented SAY GOODBYE TO THE DMZ from seeing another’s data. If a client needs to prevent its One of the major changes from traditional computing data from leaving its home country, the cloud provider is the pervasiveness of the cloud. By its very definition, should make sure the data never does. it is meant to be everywhere. If the DMZ wasn’t dead Cloud providers should physically prevent (using physi- before, it certainly is now. The DMZ was always porous, cal network dividers, routers, switches, IPSec, access con- with many more holes than any defender wanted to trol lists, and so on) server and data commingling. If a admit. The cloud, with authenticated attackers, just puts particular server never needs to talk to most other servers, the nail in the coffin. it should be prevented from doing so. If a client computer What is a security defender to do? Well, for one, shouldn’t be able to talk to other client computers, make think in terms of data classification and ownership and sure there is no way for an authenticated users to leverage marry that with strong security domain isolation. Cloud cloud access to gain access to the other. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 7 ENCRYPT YOUR DATA USE DNS SECURITY Data should always be encrypted when stored (using sepa- If your cloud provider’s DNS services support it, con- rate symmetric encryption keys) and transmitted. If this is sider implementing DNSSEC (DNS Security) between implemented appropriately, even if another tenant can your DNS servers and the provider’s DNS servers. access the data, all that will appear is gibberish. Shared Once enabled, DNSSEC ensures that dependent cli- symmetric keys for data encryption should be discouraged, ents always get verified, authenticated DNS resolution yet tenants should be able to access their own encryption entries from authoritative DNS servers. Unfortunately, keys and change them when necessary. Cloud providers DNSSEC is enabled only on a small percentage of DNS should not have ready access to tenant encryption keys. providers. Ask your cloud provider if it will consider creating DNSSEC “trust anchors” between your site(s) USE STRONG AUTHENTICATION and the provider’s — or consider implementing static Make sure any Identity 2.0 system you participate in has DNS records on your side, to prevent malicious DNS a strong history of good security and uses open protocols. redirection attacks. Proprietary, single-site authentications systems may seem to present lower risk than shared systems do, but the infor- USE RED HERRINGS AND AN mation surrounding proprietary systems is rarely shared. EARLY WARNING SYSTEM Systems that use and support open standards usually have Some cloud providers and customers create “red her- the added protection of community analysis. Weaknesses ring” data as an early warning system. Red herring data are frequently found early and coded out. Newfound is fake data that is injected into a database and then vulnerabilities are usually shared and fixed faster. monitored to see if it “leaks out.” For instance, suppose the cloud provider creates complete client records for PREPARE TO PREVENT DDoS ATTACKS Fred and Wilma Flintstone. Everything about the fake Attackers are often content with simply denying legitimate record would be unlikely to exist in the real world. Then users access to their services using DDoS attacks. Luck- the cloud vendor (or client) uses data leak detection sys- ily cloud systems are usually very resilient against simple tems and procedures to monitor for that specific data. flood attacks and excel at ramping up more bandwidth If the data is found outside the cloud provider’s system, and resources in the face of gigabytes of malicious traffic. then it could be an early warning that malicious data Be aware, however, that attackers may attempt to theft has occurred and should be investigated. take down upstream or downstream nodes that are not under the control of the cloud provider. More than KILL ALL OLD DATA one Internet access provider has been forced to cut off Cloud providers should ensure that all data no longer access for a victimized site simply to preserve access for needed is permanently erased from computer memory everyone else. You shouldn’t be forced to come up with and storage. Shared resources shouldn’t mean perma- creative defenses the first time you’re hit with a DDoS, nently shared storage. Clients should contact cloud pro- so make sure you have adequate DDoS defenses and viders to make sure that all submitted data is solely owned response plans ready to go. All the hard work and peer- by the client and learn what measures providers take to ing agreements should be established ahead of time. ensure the permanent deletion of unneeded data. i INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
i Cloud Computing Deep Dive 8 ADDITIONAL RESOURCES Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web assets are excellent sources of additional information: NIST’s cloud section http://csrc.nist.gov/groups/SNS/cloud-computing A great place to quickly get up to speed on cloud terminology without reading a book. Cloud Security Alliance http://www.cloudsecurityalliance.org Site represents a good collection point for enterprise-level cloud-related security. Look under the New Research section. Cloud Security Alliance IT Certification http://www.cloudsecurityalliance.org/certifyme.html Cloud Threats and Security Measures, MSDN, J. Meier http://blogs.msdn.com/b/jmeier/archive/2010/07/08/cloud-security-threats-and-countermeasures-at-a-glance.aspx Black Hat Webcast: Chewing the Cloud: Attacking Cloud-Based Services http://www.blackhat.com/html/Webcast/Webcast-2010_cloudsec.html An interesting Webcast on cloud attacks. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011

Recomendados

Clearing the air on Cloud Computing
Clearing the air on Cloud ComputingClearing the air on Cloud Computing
Clearing the air on Cloud ComputingKarthik Sankar
 
Cloud computing
Cloud computingCloud computing
Cloud computingMed Zaibi
 
Building a Hybrid Cloud
Building a Hybrid CloudBuilding a Hybrid Cloud
Building a Hybrid CloudSVForum Cloud SIG
 
The Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated IndustriesThe Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated Industriesdirkbeth
 
Cloud Computing: An Introduction
Cloud Computing: An IntroductionCloud Computing: An Introduction
Cloud Computing: An IntroductionSrinath Perera
 
cloud computing alcances e implementacion
cloud computing alcances e implementacioncloud computing alcances e implementacion
cloud computing alcances e implementacionJorge Guerra
 
Cloud computing
Cloud computingCloud computing
Cloud computingsaralaanuj
 
Utility metered cloud slideshare
Utility metered cloud slideshareUtility metered cloud slideshare
Utility metered cloud slideshareValencell, Inc.
 

Recomendados

Clearing the air on Cloud Computing
Clearing the air on Cloud ComputingClearing the air on Cloud Computing
Clearing the air on Cloud ComputingKarthik Sankar
 
Cloud computing
Cloud computingCloud computing
Cloud computingMed Zaibi
 
Building a Hybrid Cloud
Building a Hybrid CloudBuilding a Hybrid Cloud
Building a Hybrid CloudSVForum Cloud SIG
 
The Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated IndustriesThe Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated Industriesdirkbeth
 
Cloud Computing: An Introduction
Cloud Computing: An IntroductionCloud Computing: An Introduction
Cloud Computing: An IntroductionSrinath Perera
 
cloud computing alcances e implementacion
cloud computing alcances e implementacioncloud computing alcances e implementacion
cloud computing alcances e implementacionJorge Guerra
 
Cloud computing
Cloud computingCloud computing
Cloud computingsaralaanuj
 
Utility metered cloud slideshare
Utility metered cloud slideshareUtility metered cloud slideshare
Utility metered cloud slideshareValencell, Inc.
 
Private cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyPrivate cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyTudor Damian
 
Patterns for Cloud Computing
Patterns for Cloud ComputingPatterns for Cloud Computing
Patterns for Cloud ComputingSimon Guest
 
Cloud computing
Cloud computingCloud computing
Cloud computingsreeharsha43
 
Cloud building
Cloud buildingCloud building
Cloud buildingWahid Cirebon
 
Cloud computing 2
Cloud computing 2Cloud computing 2
Cloud computing 2Shyam Kona
 
Cloud Computing: A New Trend in IT
Cloud Computing: A New Trend in ITCloud Computing: A New Trend in IT
Cloud Computing: A New Trend in ITPutchong Uthayopas
 
Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Amazon Web Services
 
Cloud Computing Tools
Cloud Computing ToolsCloud Computing Tools
Cloud Computing ToolsJithin Parakka
 
Cloud notes 1
Cloud notes 1Cloud notes 1
Cloud notes 1Prateek Soni
 
ClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud TestbedClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud TestbedJazz Yao-Tsung Wang
 
Enterprise Private Cloud Computing
Enterprise Private Cloud ComputingEnterprise Private Cloud Computing
Enterprise Private Cloud ComputingCisco Canada
 
Business implementation of Cloud Computing
Business implementation of Cloud ComputingBusiness implementation of Cloud Computing
Business implementation of Cloud ComputingQuaid Sodawala
 
Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?Intergen
 
Ms Cloud Basics Private Cloud
Ms Cloud Basics Private CloudMs Cloud Basics Private Cloud
Ms Cloud Basics Private CloudStas Kolbin
 
Z26167171
Z26167171Z26167171
Z26167171IJERA Editor
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introductiontoryharis
 
Vr storm cips_03nov2010
Vr storm cips_03nov2010Vr storm cips_03nov2010
Vr storm cips_03nov2010National Research Council Canada
 
Back that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancyBack that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancyRightScale
 
Cloud management
Cloud managementCloud management
Cloud managementsurbhi jha
 
Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecuritydrewz lin
 
Cloud computing final format(1)
Cloud computing final format(1)Cloud computing final format(1)
Cloud computing final format(1)ahmed elmeghiny
 

Más contenido relacionado

La actualidad más candente

Private cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyPrivate cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyTudor Damian
 
Patterns for Cloud Computing
Patterns for Cloud ComputingPatterns for Cloud Computing
Patterns for Cloud ComputingSimon Guest
 
Cloud computing 2
Cloud computing 2Cloud computing 2
Cloud computing 2Shyam Kona
 
Cloud Computing: A New Trend in IT
Cloud Computing: A New Trend in ITCloud Computing: A New Trend in IT
Cloud Computing: A New Trend in ITPutchong Uthayopas
 
Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Amazon Web Services
 
ClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud TestbedClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud TestbedJazz Yao-Tsung Wang
 
Enterprise Private Cloud Computing
Enterprise Private Cloud ComputingEnterprise Private Cloud Computing
Enterprise Private Cloud ComputingCisco Canada
 
Business implementation of Cloud Computing
Business implementation of Cloud ComputingBusiness implementation of Cloud Computing
Business implementation of Cloud ComputingQuaid Sodawala
 
Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?Intergen
 
Ms Cloud Basics Private Cloud
Ms Cloud Basics Private CloudMs Cloud Basics Private Cloud
Ms Cloud Basics Private CloudStas Kolbin
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introductiontoryharis
 
Back that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancyBack that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancyRightScale
 
Cloud management
Cloud managementCloud management
Cloud managementsurbhi jha
 

La actualidad más candente (19)

Private cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the UglyPrivate cloud, the Good, the Bad and the Ugly
Private cloud, the Good, the Bad and the Ugly
 
Patterns for Cloud Computing
Patterns for Cloud ComputingPatterns for Cloud Computing
Patterns for Cloud Computing
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud building
Cloud buildingCloud building
Cloud building
 
Cloud computing 2
Cloud computing 2Cloud computing 2
Cloud computing 2
 
Cloud Computing: A New Trend in IT
Cloud Computing: A New Trend in ITCloud Computing: A New Trend in IT
Cloud Computing: A New Trend in IT
 
Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012
 
Cloud Computing Tools
Cloud Computing ToolsCloud Computing Tools
Cloud Computing Tools
 
Cloud notes 1
Cloud notes 1Cloud notes 1
Cloud notes 1
 
ClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud TestbedClassCloud: switch your PC Classroom into Cloud Testbed
ClassCloud: switch your PC Classroom into Cloud Testbed
 
Enterprise Private Cloud Computing
Enterprise Private Cloud ComputingEnterprise Private Cloud Computing
Enterprise Private Cloud Computing
 
Business implementation of Cloud Computing
Business implementation of Cloud ComputingBusiness implementation of Cloud Computing
Business implementation of Cloud Computing
 
Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?Windows Azure: Is Azure right for you?
Windows Azure: Is Azure right for you?
 
Ms Cloud Basics Private Cloud
Ms Cloud Basics Private CloudMs Cloud Basics Private Cloud
Ms Cloud Basics Private Cloud
 
Z26167171
Z26167171Z26167171
Z26167171
 
Cloud Computing Integration Introduction
Cloud Computing Integration IntroductionCloud Computing Integration Introduction
Cloud Computing Integration Introduction
 
Vr storm cips_03nov2010
Vr storm cips_03nov2010Vr storm cips_03nov2010
Vr storm cips_03nov2010
 
Back that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancyBack that *aa s up – bridging multiple clouds for bursting and redundancy
Back that *aa s up – bridging multiple clouds for bursting and redundancy
 
Cloud management
Cloud managementCloud management
Cloud management
 

Similar a Cloud security deep dive infoworld jan 2011

Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Kim Jensen
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecuritydrewz lin
 
Cloud computing final format(1)
Cloud computing final format(1)Cloud computing final format(1)
Cloud computing final format(1)ahmed elmeghiny
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..manoj kumar
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIaetsd Iaetsd
 
Issues in cloud computing
Issues in cloud computingIssues in cloud computing
Issues in cloud computingronak patel
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportVivek Maurya
 
Cloud computing
Cloud computingCloud computing
Cloud computingJawhar Ali
 
Fog computing document
Fog computing documentFog computing document
Fog computing documentsravya raju
 
Public cloud: A Review
Public cloud: A ReviewPublic cloud: A Review
Public cloud: A ReviewAjay844
 
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGA STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGEr Piyush Gupta IN ⊞⌘
 
fog computing provide security to the data in cloud
fog computing provide security to the data in cloudfog computing provide security to the data in cloud
fog computing provide security to the data in cloudpriyanka reddy
 
Cloud computing and its application in libraries
Cloud computing and its application in librariesCloud computing and its application in libraries
Cloud computing and its application in librariesNabi Hasan
 
Splendens Project Proposal by Slidesgo.pptx
Splendens Project Proposal by Slidesgo.pptxSplendens Project Proposal by Slidesgo.pptx
Splendens Project Proposal by Slidesgo.pptxssuserea0dfe
 
The Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingThe Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingMike Tase
 

Similar a Cloud security deep dive infoworld jan 2011 (20)

Cloud security Deep Dive 2011
Cloud security Deep Dive 2011Cloud security Deep Dive 2011
Cloud security Deep Dive 2011
 
Cloudsecurity
CloudsecurityCloudsecurity
Cloudsecurity
 
Cloud computing final format(1)
Cloud computing final format(1)Cloud computing final format(1)
Cloud computing final format(1)
 
Cloud computing..
Cloud computing..Cloud computing..
Cloud computing..
 
Iirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environmentIirdem a novel approach for enhancing security in multi cloud environment
Iirdem a novel approach for enhancing security in multi cloud environment
 
Issues in cloud computing
Issues in cloud computingIssues in cloud computing
Issues in cloud computing
 
Cloud computing.pptx
Cloud computing.pptxCloud computing.pptx
Cloud computing.pptx
 
Cloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” reportCloud Computing Security Issues in Infrastructure as a Service” report
Cloud Computing Security Issues in Infrastructure as a Service” report
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Fog computing document
Fog computing documentFog computing document
Fog computing document
 
Public cloud: A Review
Public cloud: A ReviewPublic cloud: A Review
Public cloud: A Review
 
Cc unit 1 updated
Cc unit 1 updatedCc unit 1 updated
Cc unit 1 updated
 
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTINGA STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
A STUDY OF THE ISSUES AND SECURITY OF CLOUD COMPUTING
 
fog computing provide security to the data in cloud
fog computing provide security to the data in cloudfog computing provide security to the data in cloud
fog computing provide security to the data in cloud
 
Fog doc
Fog doc Fog doc
Fog doc
 
Cloud computing and its application in libraries
Cloud computing and its application in librariesCloud computing and its application in libraries
Cloud computing and its application in libraries
 
Splendens Project Proposal by Slidesgo.pptx
Splendens Project Proposal by Slidesgo.pptxSplendens Project Proposal by Slidesgo.pptx
Splendens Project Proposal by Slidesgo.pptx
 
The Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud ComputingThe Nitty Gritty of Cloud Computing
The Nitty Gritty of Cloud Computing
 

Más de Kim Jensen

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsKim Jensen
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter packKim Jensen
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedKim Jensen
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003Kim Jensen
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Kim Jensen
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportKim Jensen
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat ReportKim Jensen
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UKKim Jensen
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Kim Jensen
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012Kim Jensen
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Kim Jensen
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Kim Jensen
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011Kim Jensen
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Kim Jensen
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web SecurityKim Jensen
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Kim Jensen
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Kim Jensen
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Kim Jensen
 
Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Kim Jensen
 

Más de Kim Jensen (20)

Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
OpenDNS presenter pack
OpenDNS presenter packOpenDNS presenter pack
OpenDNS presenter pack
 
Infoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updatedInfoworld deep dive - Mobile Security2015 updated
Infoworld deep dive - Mobile Security2015 updated
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
5 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 20035 things needed to know migrating Windows Server 2003
5 things needed to know migrating Windows Server 2003
 
Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014Secunia Vulnerability Review 2014
Secunia Vulnerability Review 2014
 
Cisco 2013 Annual Security Report
Cisco 2013 Annual Security ReportCisco 2013 Annual Security Report
Cisco 2013 Annual Security Report
 
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
 
Security Survey 2013 UK
Security Survey 2013 UKSecurity Survey 2013 UK
Security Survey 2013 UK
 
Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report Miercom Security Effectiveness Test Report
Miercom Security Effectiveness Test Report
 
DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012DK Cert Trend Rapport 2012
DK Cert Trend Rapport 2012
 
Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)Bliv klar til cloud med Citrix Netscaler (pdf)
Bliv klar til cloud med Citrix Netscaler (pdf)
 
Data Breach Investigations Report 2012
Data Breach Investigations Report 2012Data Breach Investigations Report 2012
Data Breach Investigations Report 2012
 
State of Web Q3 2011
State of Web Q3 2011State of Web Q3 2011
State of Web Q3 2011
 
Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011Wave mobile collaboration Q3 2011
Wave mobile collaboration Q3 2011
 
Corporate Web Security
Corporate Web SecurityCorporate Web Security
Corporate Web Security
 
Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011Cloud rambøll mgmt - briefing d. 28. januar 2011
Cloud rambøll mgmt - briefing d. 28. januar 2011
 
Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010Cloud services deep dive infoworld july 2010
Cloud services deep dive infoworld july 2010
 
Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)Sådan kommer du i gang med skyen (pdf)
Sådan kommer du i gang med skyen (pdf)
 
Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)Unified communications presence er den afgørende funktion (pdf)
Unified communications presence er den afgørende funktion (pdf)
 

Último

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Último (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Cloud security deep dive infoworld jan 2011

  • 1. SPECIAL REPORT JANUARY 2011 Cloud Security Deep Dive A new security model for a new era Copyright © 2011 InfoWorld Media Group. All rights reserved. Sponsored by
  • 2. i Cloud Computing Deep Dive 2 Cloud security changes everything The scalability of cloud computing depends on sharing resources that were never shared before, demanding a new set of security best practices MANY COMPUTER SECURITY PRACTITIONERS infrastructure. Common examples include Google’s blow off cloud computing as just a semantic exercise Gmail, Microsoft’s Business Online Productivity describing conventional applications running across a Suite, and Salesforce.com. wide area network. They are wrong. Cloud computing is a new paradigm • Platform as a Service (PaaS). PaaS providers give that challenges traditional security dogma. Old assump- developers complete development environments tions are gone forever and the ones that replace them will in which to code, host, and deliver applications. make the security expert’s job harder than ever. The development environment typically includes This paper will cover how cloud computing differs the underlying infrastructure, development tools, from the past and discuss characteristics of the new APIs, and other related services. Examples include threat model. Google’s App Engine, Microsoft’s Windows Azure, and Salesforce’s Force.com. CLOUD COMPUTING MODELS Before delving into cloud computing exploits and Naturally, many cloud service providers mix two or defenses, it helps to get a basic understanding of cloud more of these cloud service models or cannot be neatly computing models. Although new models appear to placed into one type. Additionally, the type of user who be emerging every day, here are the basic ones nearly can access the cloud further defines each model, as well everyone agrees on: as what type of cloud is at issue: • Infrastructure as a Service (IaaS). IaaS pro- • The public cloud. Public clouds are created by vides massively scalable, elastic computing resources one vendor and offered to the general public. Pub- via the Internet. Some providers offer just a single lic clouds are almost always Internet-accessible and resource, such as storage space, but most now focus multitenanted. on providing complete computing platforms for cus- tomers’ VMs, including operating system, memory, • The private cloud. Private clouds are hosted by the storage, and processing power. Clients often pay for same organization that utilizes the service (which in only what they use, which fits nicely into any com- general does not support multitenancy). The primary pany’s computing budget. value proposition is data accessibility and fault tolerance. • Software as a Service (SasS). SaaS providers • The hybrid cloud. This term typically applies to deliver software functionality through the browser, organizations that have set up private cloud services without the end-user having to install software in combination with external public cloud services. locally. Typically, SaaS offerings are multiten- It also refers to service offerings used exclusively by anted: Customers establish accounts on one huge an invited group of private customers (also called a instance of the software running on a virtualized “community cloud”). INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 3. i Cloud Computing Deep Dive 3 For more information, see the National Institute for most servers are Internet-accessible. This must change Standards and Technology (NIST) document detailing the security defender’s thinking. common cloud terminology. Just as most clouds are Internet-accessible, they are also almost entirely Web-based, with browsers as clients HOW CLOUD COMPUTING IS DIFFERENT and Web servers as the server endpoint connection. Cloud computing is a major departure from traditional Some clouds use simple HTML-based forms and Web networks and applications. In general, a service or offer- pages, but most are an increasingly complex set of Web ing is considered cloud computing if it has at least four of services and protocols. (Wikipedia has an excellent begin- these seven traits: ner’s tutorial on Web services.) As the Web matures, most things that were once • Internet (or intranet) accessible accomplished using a single computer will be executed • A massively scalable, user-configurable pool of elastic by a matrix of Web services, connected together in most computing resources (such as network bandwidth, cases by XML, SOAP (or REST), and SAML. As Web 2.0 compute power, memory, etc.) takes over, future security defenders must get to know • Multitenancy (one large software instance shared by these services and protocols inside and out, and defend many customer accounts) against their deficiencies as they emerge (and there are • A broad authentication scheme bound to be plenty). • Subscription or usage-based payment • Self-service MULTITENANCY • Lack of location specificity Multitenancy is a major defining trait for public clouds. Typically, in a traditional environment, only the appli- All of these traits offer new challenges to the computer cation’s owner and direct employees can access the security professional, but accessibility, multitenancy, broad application data. In a cloud, multitenancy means that authentication, and lack of location-specificity are the four multiple, distinct, separate end-user parties share the items responsible for the biggest technology shift and same service and/or resources. End-users may be aware demand for new security solutions. of this fact and may even be able to directly interact with other end-users. Or they may be unaware that ACCESS TO THE INTERNET OR resources are shared and that this is a risk. INTRANETS EQUALS HIGH RISK In a cloud, risk looms that the parties sharing that We already know that any computing resource that is cloud will be able to — unintentionally or intentionally Internet accessible is at a higher risk than one that is — access one another’s private data. This has been the not. It’s how most of the bad guys break into comput- case in cloud exploits with major cloud providers during ers today, whether it involves social-engineered Trojan the past few years. In some cases, all it took was modify- horse programs, viruses, or human attackers. High-risk ing a client’s unique identifier, sent over in the browser environments, like the top secret classified systems of request, to another identifier, and up comes another cli- most governments, usually aren’t allowed to connect to a ent’s data. Sometimes spillage has occurred when a bug network that can connect to the Internet. Too much risk. in the cloud service offered up too much data without Clouds don’t use VPN technologies. With cloud the client doing anything out of the ordinary. computing, it’s assumed that all users and application With IaaS-based clouds in particular, security resources are Internet- or intranet-accessible, with all researchers are discovering a brand new class of vulner- the elevated risk that implies. This means that anony- abilities that did not exist in the old world. For example, mous attackers can access connection points just as any attackers are finding ways to “cyberjack” another ten- legitimate user or manager of the system can. In a tradi- ant’s data and resources by discovering other tenant’s tional computing environment, only a small percentage IP addresses and computer resources or by searching of servers are Internet-accessible. In cloud computing, for other people’s data remnants after they release INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 4. i Cloud Computing Deep Dive 4 unneeded resources back to the cloud. As it turns out, well as identity metasystems. With Web Identity 2.0, some cloud vendors don’t erase or format the freed-up there can be a multitude of identity services (made storage or memory resources. up of both centrally managed and single, stand-alone It’s too early to know whether these types of risks identities) that can interoperate with a large number will decrease as cloud security matures or whether they of Web sites and services. Popular individual identity will remain a fixture that defines the new threat model. services include OpenID, InfoCard, and LiveID. Many of these authentication services are interoperable with BROAD AUTHENTICATION SCHEMES each other and use common protocols such as XML, Internet accessibility and multitenancy pose a challenge SOAP, SAML, Web services, WS-Federation, and so on. when determining how to authenticate large num- In the Web 2.0 world, each Web site (or cloud pro- bers of different clients. In the traditional model, each vider) can choose which federated identity service to authenticating user has a full user account located in work with and accept. The Web site or service provider the application’s authentication database (or directory can require particular types of identity assurance (such service). But scaling and multitenancy complicates the as a simple password, smartcard, or biometric device) process, because conventional authentication services before a user can participate. For example, a cancer tend to offer access to shared common resources by survivor Web site may wish to allow anonymous users default. In Active Directory, for example, members of whereas an online banking Web site may require a site- the Everyone group can see and list all sorts of resources issued smartcard or other authenticating token to log on. that a cloud provider would probably not want every Conversely, users may be able to submit only the client to see. identity data they wish to share with the participat- Initially, many cloud providers tried to solve this ing service provider (called claims-based identity). For problem by using proprietary or private authentica- example, a user purchasing alcohol via the Internet may tion services. But these services rarely have the scal- need only to prove that he or she are over the legal ability and functionality needed. First-generation clouds drinking age but not have to show his or her actual required that all end-users have separate accounts in identity or birthdate. A central tenet of any good iden- their databases — similar to the way Web surfers need tity metasystem is that users should only have to show to log on separately to each website where they have the bare minimum of identity information necessary an account. (For example, your Facebook account is to access the offered service and perform the desired not related to your Amazon or iTunes accounts). This transaction. Submitting (or requesting) too much iden- is known as “Web Identity 1.0” in identity system circles. tity information is considered very “Web 1.0.” Clearly, asking end-users to create and manage sepa- In the Identity 2.0 model, authenticated anonymity rate log-on accounts for every future Web service they (called pseudo-anonymity) is possible. In this case, a will use doesn’t scale — for a multitude of reasons. Using trusted third party knows the user’s real identity and one big SSO (single sign-on) solution that interacted with has authenticated him or her, but hands out a different participating Web sites became the “Web Identity 1.5” identity credential that is trusted by the Web service pro- way of doing things. With this authentication model, vider. Thus, that user can use the Web service without users registered with an “independent,” centralized revealing his or her true identity to the Web site. authority to obtain an SSO ID. Then, when visiting par- ticipating Web sites, the user could enter their SSO cre- THE EFFECT OF BROAD AUTHENTICATION dentials to gain access. An example of this sort of solution ON CLOUD COMPUTING was Microsoft’s Passport (now morphed into LiveID) and In the near future, it’s likely that both private and public other protocols created by the Liberty Alliance. clouds will support Web 2.0 identities. Users of private But many people balked at the idea of a single entity clouds will likely use their SSO to access public cloud handling everyone’s SSO accounts. What evolved is services, while external users may use their SSO to known as “Web Identity 2.0,” or federated identity, as access your company’s private or hybrid cloud offering. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 5. i Cloud Computing Deep Dive 5 The security impact of this is that a cloud attacker is guest-to-guest vulnerabilities. likely to be an authenticated user within the cloud Clearly, cloud computing amounts to more than just system at the onset of an attack. By contrast, the old semantic games. It presents a unique set of challenges assumption is that the attacker didn’t start with authenti- that security defenders must rise up to meet. cated access and needed to gain original access to begin high-level system exploitation. CLOUD SECURITY DEFENSES For example, consider two of the earliest and largest Cloud security is an evolving field. To begin with, cloud cloud services: Google Gmail and Microsoft Hotmail solutions are subject to all the conventional attacks — (now called LiveMail). Both contain millions of authen- buffer overflows, password attacks, physical attacks, ticated users and both now support newer SSO forms exploitation of application vulnerabilities, session con- such as OpenID and InfoCard. Google and Microsoft tamination, network attacks, man-in-the-middle attacks, have no idea which users are legitimate and which social engineering, and so on. But the unique charac- intend to do harm to other users or to the service itself. teristics of cloud computing present a new set of chal- Identity is still a work in progress. Solutions will lenges as well. change and morph as people begin to adopt the cloud Start by assuming attackers are logged-in, authen- in great numbers. And as new needs emerge, new solu- ticated users, and begin your defenses from there — tions and protocols will need to be invented. Whatever and there may be many attackers, thanks to the cloud’s trajectory these future developments take, Identity 2.0 global reach. This level of attacker access means that is new paradigm that requires a huge mind shift in com- many conventional defenses (such as separated security puter security defenders. zones, firewalls, and so on) will have little relevance. LACK OF LOCATION SPECIFICITY CLOUD SECURITY DEFENSE CLASSIFICATIONS The term “cloud” implies that a service is available widely, Managing cloud security is different than maintain- if not globally, with a multitude of origination and des- ing ordinary enterprise security. Security professionals tination points. The specific location of the computing should analyze all cloud offerings (including their own) resources for a given cloud may not be immediately iden- within a holistic security framework to make sure all tifiable by either the client, the cloud vendor, or both. In angles are covered. a traditional network offering, the user or vendor often Keep in mind that each combination of cloud ser- is aware of where the application or data is being hosted. vices has its own unique set of risks and countermea- This brings up all sorts of interesting dilemmas. For sures. Table 1 organizes these variables into a set of example: How are security defenders supposed to classifications and subtopics intended to generate fur- protect data when they don’t even know where it is? ther discussion and analysis. How can a cloud provider identify a client’s data (for legal and other purposes)? How does the cloud pro- CLOUD DEFENSE BEST PRACTICES vider securely erase a client’s data if the client exits the Enterprise security is a vast discipline and each of cloud solution? How can a particular client’s data be its many aspects must be reexamined in light of the prevented from leaving the host country of origin, if cloud. Take user deprovisioning as an example. Nor- even the cloud operators don’t know where the data is? mally, when an employee leaves a company, access to company applications and data is removed. But if that THE ROLE OF VIRTUALIZATION employee has subscribed to cloud services on behalf of Virtualization tends to play a big role in cloud services, the company, from the beginning the company should either as the underpinning for the service or, in the have had the technology in place to track those sub- case of IaaS, as part of the cloud service offering itself. scriptions, or the former employee may still be able And virtualization has every security risk that a physical access company data. You can’t deprovision if you don’t computer environment has — plus guest-to-host and know what was provisioned in the first place. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 6. i Cloud Computing Deep Dive 6 TABLE 1: CLOUD SECURITY CLASSIFICATIONS AND SUBTOPICS A security defender responsible for cloud security should consider a wide range of parameters when developing a cloud security defense plan. SECURITY CLASSIFICATION RELATED SUBTOPICS Infrastructure security Physical security, environmental controls, business continuity/disaster recovery, network infrastructure, firewalls, proxies, routers, access control lists, staffing/employee background checks, availability (performance and anti-DoS), security policies (including what can be made available to customers), remote access, mobile access and platforms, identity/authentication/federation, billing systems, virtualization issues, high availability Resource provisioning Provisioning; modification; ownership and control, access; deprovisioning; reuse/ reassignment of: users, computing resources, computer systems, or IP address space; domain name services; directory services; self-service configuration management Storage and data security Privacy/privacy controls, data tagging, data storage zoning, data retention policies, data permanence/deletion, encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security Management Act), digital signing/integrity attestation, multitenancy issues, archiving, backup, recovery, data classification, locality requirements, malicious data aggregation prevention Application security Security design lifecycle, identity/authentication/federation, session management, data input (if applicable) validation, error handling, vulnerability testing, patching, authentication, data integration/ exchange, APIs, proxies, application sandboxing, versioning, bug/issue tracking Audit/compliance Logging, monitoring, auditing, compliance, accreditation, legal issues, regulations, locality requirements, discovery, forensics, SLAs, public communication plans, fraud detection General security Anti-malware, anti-spam, patching, incident response, data leak prevention Implications of this type apply across a whole range providers should have ways for defenders to mark or of security issues. Here are some key ones to consider. tag data with ownership and security classification and For better or worse, the degree to which you can apply to enable defenses based upon those attributes. Data best security practices often depends on the provider. should be protected in such a way that unauthorized (but authenticated, multitenanted) viewers can be prevented SAY GOODBYE TO THE DMZ from seeing another’s data. If a client needs to prevent its One of the major changes from traditional computing data from leaving its home country, the cloud provider is the pervasiveness of the cloud. By its very definition, should make sure the data never does. it is meant to be everywhere. If the DMZ wasn’t dead Cloud providers should physically prevent (using physi- before, it certainly is now. The DMZ was always porous, cal network dividers, routers, switches, IPSec, access con- with many more holes than any defender wanted to trol lists, and so on) server and data commingling. If a admit. The cloud, with authenticated attackers, just puts particular server never needs to talk to most other servers, the nail in the coffin. it should be prevented from doing so. If a client computer What is a security defender to do? Well, for one, shouldn’t be able to talk to other client computers, make think in terms of data classification and ownership and sure there is no way for an authenticated users to leverage marry that with strong security domain isolation. Cloud cloud access to gain access to the other. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 7. i Cloud Computing Deep Dive 7 ENCRYPT YOUR DATA USE DNS SECURITY Data should always be encrypted when stored (using sepa- If your cloud provider’s DNS services support it, con- rate symmetric encryption keys) and transmitted. If this is sider implementing DNSSEC (DNS Security) between implemented appropriately, even if another tenant can your DNS servers and the provider’s DNS servers. access the data, all that will appear is gibberish. Shared Once enabled, DNSSEC ensures that dependent cli- symmetric keys for data encryption should be discouraged, ents always get verified, authenticated DNS resolution yet tenants should be able to access their own encryption entries from authoritative DNS servers. Unfortunately, keys and change them when necessary. Cloud providers DNSSEC is enabled only on a small percentage of DNS should not have ready access to tenant encryption keys. providers. Ask your cloud provider if it will consider creating DNSSEC “trust anchors” between your site(s) USE STRONG AUTHENTICATION and the provider’s — or consider implementing static Make sure any Identity 2.0 system you participate in has DNS records on your side, to prevent malicious DNS a strong history of good security and uses open protocols. redirection attacks. Proprietary, single-site authentications systems may seem to present lower risk than shared systems do, but the infor- USE RED HERRINGS AND AN mation surrounding proprietary systems is rarely shared. EARLY WARNING SYSTEM Systems that use and support open standards usually have Some cloud providers and customers create “red her- the added protection of community analysis. Weaknesses ring” data as an early warning system. Red herring data are frequently found early and coded out. Newfound is fake data that is injected into a database and then vulnerabilities are usually shared and fixed faster. monitored to see if it “leaks out.” For instance, suppose the cloud provider creates complete client records for PREPARE TO PREVENT DDoS ATTACKS Fred and Wilma Flintstone. Everything about the fake Attackers are often content with simply denying legitimate record would be unlikely to exist in the real world. Then users access to their services using DDoS attacks. Luck- the cloud vendor (or client) uses data leak detection sys- ily cloud systems are usually very resilient against simple tems and procedures to monitor for that specific data. flood attacks and excel at ramping up more bandwidth If the data is found outside the cloud provider’s system, and resources in the face of gigabytes of malicious traffic. then it could be an early warning that malicious data Be aware, however, that attackers may attempt to theft has occurred and should be investigated. take down upstream or downstream nodes that are not under the control of the cloud provider. More than KILL ALL OLD DATA one Internet access provider has been forced to cut off Cloud providers should ensure that all data no longer access for a victimized site simply to preserve access for needed is permanently erased from computer memory everyone else. You shouldn’t be forced to come up with and storage. Shared resources shouldn’t mean perma- creative defenses the first time you’re hit with a DDoS, nently shared storage. Clients should contact cloud pro- so make sure you have adequate DDoS defenses and viders to make sure that all submitted data is solely owned response plans ready to go. All the hard work and peer- by the client and learn what measures providers take to ing agreements should be established ahead of time. ensure the permanent deletion of unneeded data. i INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011
  • 8. i Cloud Computing Deep Dive 8 ADDITIONAL RESOURCES Cloud computing is a new paradigm that requires new security defenses. The material included here covers only a small portion of the considerations you need to weigh when preparing a holistic cloud defense. The following Web assets are excellent sources of additional information: NIST’s cloud section http://csrc.nist.gov/groups/SNS/cloud-computing A great place to quickly get up to speed on cloud terminology without reading a book. Cloud Security Alliance http://www.cloudsecurityalliance.org Site represents a good collection point for enterprise-level cloud-related security. Look under the New Research section. Cloud Security Alliance IT Certification http://www.cloudsecurityalliance.org/certifyme.html Cloud Threats and Security Measures, MSDN, J. Meier http://blogs.msdn.com/b/jmeier/archive/2010/07/08/cloud-security-threats-and-countermeasures-at-a-glance.aspx Black Hat Webcast: Chewing the Cloud: Attacking Cloud-Based Services http://www.blackhat.com/html/Webcast/Webcast-2010_cloudsec.html An interesting Webcast on cloud attacks. INFOWORLD.COM DEEP DIVE SERIES J A N U A R Y 2 011