Cloud computing provides opportunities for scalability, availability, and performance but also poses risks if not implemented securely. Key risks include vendor lock-in, lack of governance and control, non-compliance, and various technical risks around isolation faults, data leaks, network attacks, and provider compromises. Migrating to the cloud requires carefully analyzing requirements, evaluating cloud models and providers, defining security controls, and having business continuity plans to mitigate risks. With proper planning and risk mitigation, cloud computing can be implemented securely.
4. Index 4
> Cloud Computing
> Opportunities
> Cloud Computing risks
> Migrating to a Cloud Infraestructure
Tema 1: Diseño de software seguro
Cloud Computing Security
5. “Cloud computing is a model for
enabling ubiquitous, convenient,
on-demand network access to a
shared pool of configurable
computing resources (e.g.,
networks, servers, storage,
applications, and services) that can
be rapidly provisioned and
released with minimal management
effort or service provider
interaction”
[*First & last boring slide. Promise]
6. Cloud Computing: Main point 6
>On demand
>Ubiquous
>Resource pool
>Elastic
>Measureable
Tema 1: Diseño de software seguro
Cloud Computing Security
8. IaaS – Infrastructure as a Service 8
> Raw infrastructure
> Storage, network & servers
> We do the rest
> Flexible but costly
> Ej: Amazon AWS
Tema 1: Diseño de software seguro
Cloud Computing Security
9. PaaS – Platform as a Service 9
> You’ve got the OS but no
apps
> IaaS + OS + Base services
> App deploying ok (.jar)
> Less control but less cost
> Ej: Google App Engine
Tema 1: Diseño de software seguro
Cloud Computing Security
10. SaaS – Software as a Service 10
> You’ve got everything
> Iaas + Paas + Apps
> Ready to go
> Minimal control / Minimal
effort
> Ej: Salesforce.com (CRM)
Tema 1: Diseño de software seguro
Cloud Computing Security
11. Public, Private Clouds 11
> Públic: Public access, shared
resources, (-security, -cost)
Ej: Amazon AWS
> Private: Private access,
dedicated resources (+security,
+cost)
Ej: NASA Nebula OpenStack
Tema 1: Diseño de software seguro
Cloud Computing Security
12. Community , Hybrid 12
> Community: Group that shares
a private cloud
Ej: Business holding
> Hybrid: Mix some of the others
Tema 1: Diseño de software seguro
Cloud Computing Security
18. Amazon AWS - http://aws.amazon.com/ 18
> Amazon Web Services
> EC2 (Elastic Cloud Computing)
> S3 (Simple Storage Service)
> You can do … almost everything
> Others: Rackspace, vCloud, Azure,
IBM (great, too)
Tema 1: Diseño de software seguro
Cloud Computing Security
19. NetFlix - http://www.netflix.com/ 19
> Video streaming (Films, serials, shows)
> Almost 20% of EEUU bandwidth
> Uses Amazon AWS
> Benefits: Escalability + Availability
> Video transcoding “on the fly” with EC2
> Video storage in EC3 with S3
> Usage data analysis with EC2
Tema 1: Diseño de software seguro
Cloud Computing Security
20. Dropbox - http://www.dropbox.com/ 20
> Backup in the cloud
> Around 12Pb (12.000 Tb)
> Uses Amazon S3
> Benefit: Escalability
> Business model (VIP):
http://www.w2lessons.com/2011/04/econo
mics-of-dropbox.html
Tema 1: Diseño de software seguro
Cloud Computing Security
27. Vendor lock-in 27
> It’s hard to say goodbye
> SaaS : No “export” option
> PaaS : API interoperability
> IaaS : Different technologies
> Defsense: Right CP (Cloud Provider) choice
Tema 1: Diseño de software seguro
Cloud Computing Security
29. Lack of IT Governance 29
> IT Governance != Cloud Computing
Governance
> Limited funcionalities / High costs
> Loss of Control of our IT
> Defense: Clear objectives & design,
Right CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
31. Compliance & Laws 31
> We need to comply with all the
regulations (PCI DSS, LOPD)
> Imposes transitive compliance on
the CP
> Legal lapses
> Defense: Good analysis, right CP
choice
Tema 1: Diseño de software seguro
Cloud Computing Security
35. Provider failures 35
> “Errare machina est”
> Starting security standards
> CP Business Continuity plan
> OUR Business Continuity plan
> Defense: Business continuity
definition, right CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
37. Third party failures 37
> CP = Service & Technologies
Integrator
> But … what about electricity,
connectivity, HVAC ?
> We have to take care of our
facilities too
> Defense: Right CP choice, third party
evaluation (CP and proper)
Tema 1: Diseño de software seguro
Cloud Computing Security
40. Resource starvation 40
> Resources are assigned on demand
> CP scales up … but how ?
> Situation: No more resources
available when they were most
needed !!
> Defense: Resource reservation, right
CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
42. Isolation Faults 42
> Cloud = Shared Resources = Shared flat
> How secure is your neighbour ?
> Third party security failure Everybody
is compromised
> Defense: Private Clouds, right CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
44. Data leaks 44
> Lots of sensitive info in our CP
> Disgruntled employees
> Wrong service configuration
> Defense: Right CP choice, cipher use,
log reviews
Tema 1: Diseño de software seguro
Cloud Computing Security
46. Data Transit 46
> Network Information flows
> Local interception
> On transit interception
> In-Cloud Intercepcion
> Defense: SSL, cipher use
Tema 1: Diseño de software seguro
Cloud Computing Security
50. DDOS / EDOS 50
> DDOS (Distributed Denial Of Service)
> Intended to take down an infrastructure
Attack to availability
> Cloud Neighbour are collateral damage
> EDOS (Economic Denial of Service)
> Intended to cause economic damage
> Defense: SLAs, charge limits, incident
response
Tema 1: Diseño de software seguro
Cloud Computing Security
52. Cipher 52
> Sensible info Cipher
> Secure information deletion (wipe)
> Defensas: Strong ciphers, guardar
claves, SLA
Tema 1: Diseño de software seguro
Cloud Computing Security
53. Backups 53
> Info is EVERYTHING Backups
> Don’t forget your backups (even if
the CP does … you too)
> Automated procedure
> Defensa: Procedure design, right CP
choice
Tema 1: Diseño de software seguro
Cloud Computing Security
54. Logs Access 54
> Logs = Activity of our IT
> Needed to do debugging
> Critic if a security incident arises
> How can access my logs ?
> Defense: SLA, right CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
56. Disaster Recovery 56
> Shit happens (Murphy’s Law)
> Earthquakes, fires, floods, alien invasions…
> Our CP must have a Business Continuity
plan
> We must have ours !!
> Defense: Business Continuity plan
Tema 1: Diseño de software seguro
Cloud Computing Security
58. Compliance & Laws 58
> Lots of laws & regulations
> Is our CP compliant ?
> National & International laws
> Defense: Preliminary analysis, right
CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
59. Data protection 59
> LOPD (Ley Orgánica de Protección
de Datos)
> Cloud implies sometimes
international data transfers
Complicated issues
> Safe Harbour Amazon, Google
> Defense: Preliminary analysis, right
CP choice
Tema 1: Diseño de software seguro
Cloud Computing Security
60. Computer Forensic 60
> Security incident in our CP
Someone has set up a child
pornography site
> Maybe anyone in our cloud !!
> Possible result = Server seizure
> Defense: Right CP choice, SLA,
Business Continuity plan
Tema 1: Diseño de software seguro
Cloud Computing Security
63. Identify Services 63
> Services that can benefit most from
Cloud Computing
> Main benefits: Scalability,
Availability & Elasticity
> Intermitent but heavy resource use
services (Ej: Sports newspapers on
mondays)
Tema 1: Diseño de software seguro
Cloud Computing Security
64. Evaluate CC models 64
> IaaS, PaaS, SaaS ?
> ¿Public, Private, Hybrid,
Community?
> See what others like us are doing
> Decide which model fits our needs
best
Tema 1: Diseño de software seguro
Cloud Computing Security
66. Defining security needs 66
> Know our service throughly
> Define the information flows
> Identify sensitive info
> Measure how critical the service is
> Assign a value to the srevice
Tema 1: Diseño de software seguro
Cloud Computing Security
67. Risk Analysis 67
> Know the existing risks when using
cloud computing
> Apply them to our service
> Define a maximum risk level
> Important!: Be utterly objective
Tema 1: Diseño de software seguro
Cloud Computing Security
72. Bean counting … 72
> Migration costs
> Cloud operation costs
> Current operation costs
> Troubleshooting costs (both cloud
& current)
> Make money talk …
Tema 1: Diseño de software seguro
Cloud Computing Security
73. Make a decision 73
> Evaluate pros & cons of our current
IT model & cloud computing
> It’s not all about money …
> Informed decision taking
> You always should have a plan B
Tema 1: Diseño de software seguro
Cloud Computing Security
74. CC offers great
opportunities
CC has risks
There has to
be a plan
75. Conclusiones 75
>Cloud computing is here
>Lots of business models &
opportunities
>Must know all the risks
>Must have a sensible business plan
Tema 1: Diseño de software seguro
Cloud Computing Security
76. Conclusiones
I love it
when a
cloud
plan
comes
together