TRANSCRIPT
WHAT IS CLOUD COMPUTING REALLY?
Scott Clark, Chicago Chapter President, Cloud Security Alliance
The Blind Men and the Cloud

It was six men of Info Tech
To learning much inclined,
Who went to see the Cloud
(Though all of them were blind),
That each by observation
Might satisfy his mind.

The First approached the Cloud,
So sure that he was boasting
“I know exactly what this is…
This Cloud is simply Hosting.”

The Second grasped within the Cloud,
Saying, “No, it’s obvious to me,
This Cloud is grid computing…
Servers working together in harmony!”

The Third, in need of an answer,
Cried, “Ho! I know its source of power,
It’s a utility computing solution
Which charges by the hour.”

The Fourth reached out to touch it,
It was there, but it was not.
“Virtualization,” said he.
“That’s precisely what we’ve got!”

The Fifth, so sure the rest were wrong,
Declared “It’s SaaS you fools,
Applications with no installation,
It’s breaking all the rules!”

The Sixth (whose name was Benioff),
Felt the future he did know,
He made haste in boldly stating,
“This *IS* Web 3.0.”

And so these men of Info Tech
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were partly wrong!

Sam Charrington & Noreen Barczweski
© 2009, Appistry, Inc.
Agenda
• Introduction to Cloud Computing
• What is Different in the Cloud?
• CSA Guidance
• Additional Resources
“This Cloud is simply Hosting”
Evolution of “Hosting”
From custom “Co-Location” to commodity “Cloud Service Providers”
Evolution of Data Centers
Closest to power plants: Google Data Center
• State of Oregon
• Columbia River
• 103 megawatt data center on 30 acres
• Near 1.8 GW hydropower station
Data Center is the new “Server”
POD Computing
Google’s low cost commodity server
Is This New??
• Berkeley credited
• Cluster of Servers
• Started in 1994
Broadband Network Access
Rapid Elasticity
Measured Service
• Risk of over-provisioning: underutilization
(Figure: static data center, demand vs. capacity over time; the area between flat capacity and the demand curve is unused resources)
• Heavy penalty for under-provisioning: lost revenue, lost users
(Figure: demand vs. capacity over days 1 to 3, three panels; demand above capacity is served by nobody)
• Pay by use instead of provisioning for peak
(Figure: static data center vs. data center in the cloud, demand vs. capacity over time)
Source: “Above The Clouds”
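Added example, not from the deck or from “Above The Clouds”: a Go model of the three capacity strategies the slides contrast (static sized for the peak hour, static sized for the average hour, and elastic pay-by-use) run over a constructed one-day hourly demand curve. The per-server throughput (100 requests/hour) and the price ($0.10 per server-hour) are assumptions chosen to make the arithmetic readable.

```go
package main

import "fmt"

// Constructed input: one day of hourly demand (requests per hour) with a daytime
// peak, shaped like the deck's demand/capacity figures. Throughput and price are assumed.
var hourlyDemand = []int{
	200, 150, 120, 100, 100, 150, 300, 600, 900, 1200, 1500, 1800,
	2000, 1800, 1500, 1200, 900, 800, 1000, 1400, 1200, 800, 500, 300,
}

const (
	reqsPerServer     = 100  // requests one server can serve per hour (assumed)
	costPerServerHour = 0.10 // dollars billed per server-hour (assumed)
)

// Outcome summarises what a provisioning strategy costs and what it loses.
type Outcome struct {
	ServerHours  int     // capacity paid for over the day
	Cost         float64 // ServerHours * costPerServerHour
	LostRequests int     // demand above capacity: the under-provisioning penalty
	Utilization  float64 // requests served / capacity provisioned
}

func serversFor(reqs int) int { return (reqs + reqsPerServer - 1) / reqsPerServer } // round up

// simulate runs the demand curve against a capacity rule that returns the
// number of servers provisioned in an hour whose demand is reqs.
func simulate(demand []int, servers func(reqs int) int) Outcome {
	var o Outcome
	served := 0
	for _, d := range demand {
		n := servers(d)
		capacity := n * reqsPerServer
		o.ServerHours += n
		if d > capacity {
			o.LostRequests += d - capacity // over capacity: users and revenue lost
			served += capacity
		} else {
			served += d // under capacity: the remainder is idle, paid-for hardware
		}
	}
	o.Cost = float64(o.ServerHours) * costPerServerHour
	o.Utilization = float64(served) / float64(o.ServerHours*reqsPerServer)
	return o
}

// StaticPeak: a data center sized for the busiest hour (over-provisioning risk).
func StaticPeak(demand []int) Outcome {
	peak := 0
	for _, d := range demand {
		if d > peak {
			peak = d
		}
	}
	n := serversFor(peak)
	return simulate(demand, func(int) int { return n })
}

// StaticAverage: a data center sized for average load (under-provisioning penalty).
func StaticAverage(demand []int) Outcome {
	sum := 0
	for _, d := range demand {
		sum += d
	}
	n := serversFor(sum / len(demand))
	return simulate(demand, func(int) int { return n })
}

// Elastic: pay by use, re-sizing every hour to that hour's demand.
func Elastic(demand []int) Outcome {
	return simulate(demand, serversFor)
}

func main() {
	fmt.Printf("static (peak):    %+v\n", StaticPeak(hourlyDemand))
	fmt.Printf("static (average): %+v\n", StaticAverage(hourlyDemand))
	fmt.Printf("elastic:          %+v\n", Elastic(hourlyDemand))
}
```

On this curve the peak-sized data center pays for 480 server-hours at 43% utilization, the average-sized one pays for 216 but turns away 5,600 requests, and the elastic one pays for 207 with nothing lost.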
Resource Pooling = Virtualization
Server Virtualization
(Figure: traditional stack, Hardware / Operating System / App, App, App; virtualized stack, Hardware / Hypervisor / one OS per VM / App, App, App)
Storage Virtualization
Network Virtualization
(Figure: applications on VMs behind ToR switches)
Platform-Independent, Razor-Thin CapEx, Superio…
☒ High CapEx ☒ Low Utilization ☒ High Complexity ☒ Change-Resistant
• Deploy anywhere
• Elastic scalability
• Interfaces with provisioning & orchestration systems
• Evolves with rapidly changing network architectures
• Utility licensing model
Case Study
• Created a 10,000-core cluster
• Leveraged Amazon’s EC2
• Genentech needed a supercomputer to examine how proteins bind together
• Using Genentech’s resources would have taken weeks or months to gain access & run the program
Completed in 8 hours! Genentech’s cost = $8,480!
• Infrastructure: 1,250 instances with 8 cores / 7 GB RAM
• Cluster size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total
• Scale: comparable to #114 of the Top 500 Supercomputer list
• Security: engineered with HTTPS & 128/256-bit AES encryption
• User effort: single click to start the cluster
• Start-up time: thousands of cores in minutes, full cluster in 45 minutes
• Up-front capital investment/licensing fees: $0
• Total CycleCloud and infrastructure cost: $1,060/hour
Delivery Models
• Utility computing (IaaS)
– Why buy machines when you can rent cycles?
– Examples: Amazon’s EC2, GoGrid, AppNexus
• Platform as a Service (PaaS)
– Give me a nice API and take care of the implementation
– Examples: Google App Engine, Force.com
• Software as a Service (SaaS)
– Just run it for me!
– Examples: Gmail, Salesforce.com and NetSuite
“Why do it yourself if you can pay someone to do it for you?”
Forrester: Cloud Market To Reach $241 Billion By 2020
Case Study – Hybrid Cloud
• June 25, 2009
• 1 million visits in 24 hrs
• Twitter stood still
• Ticketmaster crawled
• Yahoo!: 16.4 million site visitors in 24 hours, more than the 15.1 million on Election Day
• Sony.com couldn’t sell music – 200 sites down
Private to Public Burst
What About Service Oriented Architecture???
BREAK
What is Different in the Cloud?
• Many concepts “in the cloud” are similar to concepts in standard outsourcing
• There are at least four themes which require a different mindset when working on security for cloud services:
– Role clarity for security controls
– Legal / jurisdictional / cross-border data movement
– Virtualization concentration risk
– Virtualization network security control parity
Role Clarity
(Figure: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service); moving from IaaS to SaaS, responsibility shifts from Security ~ YOU to Security ~ THEM)
Legal / Jurisdictional Issues Amplified
• “Cloud” provider datacenter in San Francisco, USA
• “Cloud” provider datacenter in Tokyo, Japan
• “Cloud” provider datacenter in Geneva, Switzerland
• “Cloud” provider datacenter in São Paulo, Brazil
• “Cloud” provider datacenter in London, U.K.
Your Corporate Data?
Virtualization Concentration Risks
“Old Way – Hack a System” vs. “New Way – Hack a Datacenter”
(Figure: many systems sharing one hypervisor)
Virtualized N-Tier Control Equivalence
“Current Way”: Internet, Users, FW / WAF / NIDS-IPS, Presentation Layer, FW / WAF / NIDS-IPS, Data Layer
“New Way”: the same tiers hosted on a hypervisor
How do we ensure control parity?
Key Cloud Security Problems
From CSA Top Threats Research:
– Trust: lack of provider transparency, impacts Governance, Risk Management, Compliance
– Data: leakage, loss or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/Service hijacking
– Malicious insiders
– Cloud-specific attacks
Cloud Security Alliance Guidance
Available at http://www.cloudsecurityalliance.org/Research.html
• Cloud Architecture
Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
Defining Cloud
• On demand provisioning
• Elasticity
• Multi-tenancy
• Key types
– Infrastructure as a Service (IaaS): basic O/S & storage
– Platform as a Service (PaaS): IaaS + rapid dev
– Software as a Service (SaaS): complete application
– Public, Private, Community & Hybrid Cloud deployments
Governance and Enterprise Risk Management
• Due diligence of providers’ governance structure and process in addition to security controls; SLAs
• Risk assessment approaches between provider and user should be consistent: consistency in impact analysis and definition of likelihood
Legal and Electronic Discovery
• Mutual understanding of roles related to litigation, discovery searches and expert testimony
• Data in custody of provider must receive equivalent guardianship as original owner
• Unified process for responding to subpoenas and service of process, etc.
Compliance and Audit
• Right to Audit clause
• Analyze impact of regulations on data security
• Prepare evidence of how each requirement is being met
• Auditor qualification and selection
Information Lifecycle Management
• How is integrity maintained?
• If compromised, how is it detected and reported?
• Identify all controls used during the data lifecycle
• Know where your data is!
• Understand provider’s data search capabilities and limitations
Portability and Interoperability
• IaaS – understand VM capture and porting to a new provider, especially if different technologies are used
• PaaS – understand how logging, monitoring and audit transfer to another provider
• SaaS – perform regular backups into a usable form without SaaS
Security, Business Continuity and Disaster Recovery
• Conduct an onsite inspection whenever possible
• Inspect cloud provider’s disaster recovery and business continuity plans
• Ask for documentation of external and internal security controls – adherence to industry standards?
Data Center Operations
• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
• Understanding of provider’s patch management policies and procedures – should be reflected in the contract!
Incident Response, Notification and Remediation
• May have limited involvement in incident response; understand the prearranged, communicated path to the provider’s incident response team
• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?
Application Security
• S-P-I creates different trust boundaries in the SDLC – account for them in dev, test and production
• Obtain contractual permission before performing remote vulnerability and application assessments – provider inability to distinguish testing from an actual attack
Encryption and Key Management
• Separate key management from the provider hosting the data, creating a chain of separation
• Understand provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
• Ensure encryption adheres to industry and government standards when stipulated in the contract
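Added example, not CSA guidance or any provider’s code: envelope encryption in Go showing the chain of separation the first bullet asks for. The customer holds the key-encryption key (KEK); the provider stores only ciphertext plus a per-object data-encryption key (DEK) wrapped under that KEK, and a KEK rotation rewraps the DEK without touching the stored data. The StoredObject, Encrypt, Decrypt and RotateKEK names are invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed example (not CSA or provider code): the customer keeps the KEK;
// the provider stores only ciphertext plus a per-object DEK wrapped under it.
type StoredObject struct {
	WrappedDEK []byte // DEK sealed under the customer's key-encryption key (KEK)
	Ciphertext []byte // data sealed under the data-encryption key (DEK)
}

// randBytes draws n bytes from the OS CSPRNG; no entropy is fatal by design.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; NewCipher only fails on a bad key length.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // programming error: keys here are always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts and authenticates; the random nonce is prepended to the blob.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails the GCM tag check and returns an error.
func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt runs on the customer side: fresh DEK per object, wrapped under the KEK.
func Encrypt(kek, plaintext []byte) StoredObject {
	dek := randBytes(32)
	return StoredObject{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}
}

// Decrypt needs the KEK, which the provider hosting the data never holds.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext)
}

// RotateKEK rewraps the DEK under a new KEK; the stored ciphertext is untouched.
func RotateKEK(oldKEK, newKEK []byte, obj StoredObject) (StoredObject, error) {
	dek, err := open(oldKEK, obj.WrappedDEK)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: seal(newKEK, dek), Ciphertext: obj.Ciphertext}, nil
}

func main() {
	kek := randBytes(32) // the customer's KEK: kept off the provider's systems
	_, err := Decrypt(randBytes(32), Encrypt(kek, []byte("customer record")))
	fmt.Println("decrypt without the KEK fails:", err != nil)
}
```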
Identity and Access Management
• IAM is a big challenge today in secure cloud computing
• Identity – avoid providers’ proprietary solutions unique to the cloud provider
• Local authentication service offered by provider should be OATH compliant
Virtualization
• Understand internal security controls for VMs other than built-in hypervisor isolation – IDS, AV, vulnerability scanning etc.
• Understand external security controls to protect exposed administrative interfaces (Web-based, APIs)
• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs
Additional Cloud Security Alliance Resources
Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service
Cloud Controls Matrix Tool
• Controls derived from guidance
• Rated as applicable to S-P-I
• Customer vs Provider role
• Mapped to COBIT, HIPAA, ISO/IEC 27002-2005, NIST SP800-53 and PCI DSS
• Help bridge the gap for IT & IT auditors
www.cloudsecurityalliance.org/cm.html
Contact
• Help us secure cloud computing
• www.cloudsecurityalliance.org
• Cloud Security Alliance, Chicago Chapter
• LinkedIn: http://www.linkedin.com/groups?gid=3755674
Questions?