Download - Cloud computing - Risks and Mitigation - GTS
![Page 1: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/1.jpg)
Cloud Computing Enterprise Risks and Mitigation
Anchises M. G. de PaulaiDefense Intelligence AnalystNov. 2009 GTS GTS GTS GTS ---- 14141414
![Page 2: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/2.jpg)
2
2GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20092
Agenda
� Overview of cloud computing
� Cloud computing risks and generic mitigation strategies
� Cloud Computing for Malicious Intent
�Questions and answers
sour
ce: s
xc.h
u
![Page 3: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/3.jpg)
3GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20093
Overview of cloud computing
![Page 4: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/4.jpg)
4
4GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20094
Overview
� The term “cloud computing” is poorly defined
![Page 5: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/5.jpg)
5
5GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20095
Overview
� The term “cloud computing” is poorly defined
“ Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimalmanagement effort or service provider interaction.”Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
![Page 6: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/6.jpg)
6
6GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20096
Overview
� The term “cloud computing” is poorly defined
“ Essential Cloud Characteristics:• On-demand self-service • Broad network access• Resource pooling• Location independence• Rapid elasticity• Measured service”
![Page 7: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/7.jpg)
7
7GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20097
Overview
� The term “cloud computing” is poorly defined
![Page 8: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/8.jpg)
8
8GTS GTS GTS GTS ---- 14141414
Copyright iDefense 20098
Overview
� The term “cloud computing” is poorly defined
� Multiple vendors, multiple definitions
� Utility pricing model
� Cloud-based Service Provider (CSP) handle burden of resources
![Page 9: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/9.jpg)
9
9GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Overview
� Three basic categories for cloud computing technologies:– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
9
Resource A
bstraction
![Page 10: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/10.jpg)
10
10GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
10
![Page 11: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/11.jpg)
11
11GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
� Private Cloud
11
![Page 12: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/12.jpg)
12
12GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Variations on a Theme
� Public Cloud
� Private Cloud
� Hybrid Cloud
12
![Page 13: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/13.jpg)
13GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200913
Cloud computing risks and generic mitigation strategies
![Page 14: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/14.jpg)
14
14GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200914
Areas of Risk
▪ Privileged User Access
▪ Data Segregation
▪ Regulatory Compliance
▪ Physical Location of Data
▪ Availability
▪ Recovery
▪ Investigative Support
▪ Viability and Longevity
![Page 15: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/15.jpg)
15
15GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation Strategies
� Understand the risks
� Evaluate any potential cloud-based solution and CSP
� Unique solution, generic risks
15
source: sxc.hu
![Page 16: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/16.jpg)
16
16GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Privileged User Access:• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
16
![Page 17: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/17.jpg)
17
17GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Privileged User Access:• CSP must have access
• Improper access -> Data Exposure
• HR policies
• 3rd party of a 3rd party
� Privilege Access Control Mitigation:– Support to HR and data policies
– Outsourcing involved?
– Evaluate the access controls
17
![Page 18: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/18.jpg)
18
18GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
18
![Page 19: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/19.jpg)
19
19GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
19
![Page 20: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/20.jpg)
20
20GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
20
![Page 21: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/21.jpg)
21
21GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Data Segregation:• Shared common resources
• Multiple consumers, same physical machine
• Failure to segregate data: data exposure, loss
or corruption
� Data Segregation Mitigation:– What’s the risk of data segregation failure?
– Encryption of data: shifting of risks
– Understand the “how, where, when”of consumer data storage
21
![Page 22: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/22.jpg)
22
22GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Regulatory Compliance:– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
22
![Page 23: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/23.jpg)
23
23GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Regulatory Compliance:– Regulations for sensitive information and outsourcing
– Conflicting regulations and laws
– Failure to comply: significant legal risks
� Regulatory Control Mitigation:– Know your regulatory obligation
– Know your CSP’s regulatory obligations
– Understand your liabilities
– Location may change regulatory obligations
23
FISMA HIPAA SOXPCI SAS 70 Audits
![Page 24: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/24.jpg)
24
24GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
24
![Page 25: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/25.jpg)
25
25GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
25
10/9/09SA pigeon 'faster than broadband'BBC NewsCyber A Durban IT company pitted an 11-month-old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers.
![Page 26: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/26.jpg)
26
26GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Physical Location of Data:– Location, location, location
– Location tied to regulatory issues
– Volatile regions introduce a higher degree of risk
– Hostile/Unethical governments have unforeseen risk of data exposure
� Physical Location of Data Mitigation:– Identify your data’s location
– Avoid CSPs that cannot guarantee the location
– Avoid CSPs that use data centers in hostile countries
– Use CSPs that reside in consumer’s country
26
![Page 27: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/27.jpg)
27
27GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Availability:– Constant connectivity required
– Any failure terminating connectivity is a risk
– Data loss and downtime risks
27
![Page 28: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/28.jpg)
28
28GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Availability:– Constant connectivity required
– Any failure terminating connectivity is a risk
– Data loss and downtime risks
28
![Page 29: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/29.jpg)
29
29GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Service Availability Mitigation:– Availability is the greatest risk !
– Understand the CSP’s infrastructure: avoid single points of failure
– Private clouds may reduce the availability risk, but introduce additional cost and overhead
– Establish service-level agreements (SLAs) with their CSPs
– Balance the risk introduced by using multiple data centers with the risk of a single site failure
– Assume at least one outage, what’s the impact to you?
29
![Page 30: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/30.jpg)
30
30GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Recovery:– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
30
![Page 31: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/31.jpg)
31
31GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Recovery:– Improper backups or system failure
– The more data, more data loss risk
– Recovery time is operational downtime
� Recovery Mitigation:– Understand backed up systems
(Encrypted? Multiple sites?)
– Identify the time required to completely recover data
– Practice a full recovery to test the CSP’s response time
31
![Page 32: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/32.jpg)
32
32GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Investigative Support:– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
32
![Page 33: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/33.jpg)
33
33GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Investigative Support:– Multiple consumers, aggregated logs
– CSPs may hinder incident responses
– Uncooperative CSPs: lost forensic data
and investigation hindrances
� Investigative Support Mitigation:– Establish policies and procedures with the CSP
– Avoid CSPs unwilling to participate in incident
33
![Page 34: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/34.jpg)
34
34GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Risks
� Viability and Longevity:– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
34
![Page 35: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/35.jpg)
35
35GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Mitigation
� Viability and Longevity:– CSP failure can occur at any time, for any reason
– Risk of data loss and operational downtime
– Large companies sometimes terminate services
– Abrupt shutdowns are a more significant risk
� Viability and Longevity Mitigation:– Understand the way a CSP can “going dark”
– Have a secondary CSP in mind
– Review the history and financial stability of any CSP prior to engaging
35
![Page 36: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/36.jpg)
36GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200936
Cloud Computing for Malicious Intent
![Page 37: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/37.jpg)
37
37GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Malicious use
� Bad guys are already using such technology ;)– Botnets
– Hacking as a Service, SPAM
37
sour
ce: s
xc.h
u
![Page 38: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/38.jpg)
38
38GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Malicious use
� Bad guys are already using such technology– Botnets
– Hacking as a Service, SPAM
� Malicious use of Cloud Services– C&C Server on the cloud
– Storage of malicious data
– Cracking passwords
38
11/9/09Bot herders hide master control channel in Google cloudby Dan Goodin, The RegisterCyber criminals' love affair with cloud computing just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers.
sour
ce: s
xc.h
u
![Page 39: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/39.jpg)
39GTS GTS GTS GTS ---- 14141414
Copyright iDefense 200939
Conclusion
![Page 40: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/40.jpg)
40
40GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Conclusions
� Understanding the risk of cloud-based solutions
� Understand the level of sensitivity of your data
� Perform due diligence when evaluating a CSP
� Identify the location of your data
� Get assurance that your data will remain where it is placed.
40
Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces.
![Page 41: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/41.jpg)
41
41GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
Additional Reading
� Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing”
http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
� NIST Cloud Computing Project
http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
� ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security”
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
� iDefense Topical Research Paper: “Cloud Computing”
41
![Page 42: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/42.jpg)
42
Q&A
GTS GTS GTS GTS ---- 14141414
Copyright iDefense 2009
![Page 43: Cloud computing - Risks and Mitigation - GTS](https://reader035.vdocument.in/reader035/viewer/2022062418/555b2837d8b42ae82e8b46e4/html5/thumbnails/43.jpg)
43
Thank You
Anchises M. G. de PaulaiDefense Intelligence Analyst