The document discusses cloud security risks and awareness. It covers various types of cloud models including public, private, hybrid clouds. It identifies top threats to cloud computing such as abuse and malicious use, account hijacking, and data leakage. The document examines how to secure the cloud from the perspective of cloud providers and clients. It addresses concerns around governance, compliance and trust between cloud providers and organizations. Finally, it discusses the lack of regulations and standards in cloud computing and calls for the development of standards to improve cloud security.
Cloud Security CISO club - April 2011 v2
1. Cloud Security: Risks and Awareness
Shahar Geiger Maor, Senior Analyst
www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor
2. We Should Know, by now, What Cloud Means
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
3. Game Changer #7
Hybrid Clouds
Private Clouds
Public Clouds
– BPaaS
– PaaS
– SaaS
– IaaS
4. 4 types: Enterprise Clouds
http://www.readwriteweb.com/cloud/2011/04/the-cloud-stratosphere-infogra.php
5. Cloudy IT: the hybrid world
ISPs will become strategic.
Developers are now doing most of their development work for public cloud versions, but will have private cloud versions.
By 2014 (figure also marks 2015): 80% of Israeli companies will run hybrid clouds.
6. How does a private “cloud” look like?
7. Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.
Capability                 | From                | To
---------------------------|---------------------|-------------------------
Server/Storage Utilization | 10-20%              | 70-90%
Self service               | None                | Unlimited
Test Provisioning          | Weeks               | Minutes
Change Management          | Months              | Days/Hours
Release Management         | Weeks               | Minutes
Time to market             | bad                 | Better
Metering/Billing           | Fixed cost model    | Granular
Focus on the Core          | Not really          | Much better
                           | Legacy environments | Cloud enabled enterprise
Source: IBM, STKI modifications
8. Technologies Categorization 2010-2011
[Figure: security technologies plotted by Market Curiosity (from IT Project to Major Changes) against Market Maturity (Using, Implementing, Looking); size of figure = complexity/cost of project. Technologies shown: Cyber Warfare, Mobile Security, “Social” Security, DLP, IRM, Cloud Security, Application Security, Endpoint Security, Security Management, Network Security.]
Source: STKI
9. Cloud Security
http://securosis.com/research
10. Top Threats To Cloud Computing
– Abuse and Nefarious Use of Cloud Computing
– Insecure Interfaces and APIs
– Malicious Insiders
– Shared Technology Issues
– Data Loss or Leakage
– Account or Service Hijacking
– Unknown Risk Profile
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
11. Cloud Provider Vs. Organization
– Governance
– Compliance
– Trust
– Architecture
– Identity and Access Management
– Software Isolation
– Data Protection
– Availability
– Incident Response
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
12. Division of Liabilities in the Cloud
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/
13. How to Secure the Cloud? – Provider’s Side
Technologies believed to be most important in securing the cloud computing environment
http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
14. Cloud Services Concerns – Client’s Side
Security (especially access issues) is still considered a top concern.
Source: InformationWeek, State of Cloud, Jan 2011
15. Cloud Services Concerns – Client’s Side
“We won’t be involving our security team in this project until the last possible moment, because the answer will be ‘no.’”
- VP at one of the largest retailers in the world
Source: InformationWeek, State of Cloud, Jan 2011
16. Lack of Confidence in IT?
Who is responsible for ensuring a secure cloud computing environment?
Isn't cloud security an IT responsibility??? - So why is it 3rd?
Don’t let it scatter.
http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
17. Regulations, Standards and Certifications
Regulations????? - Nothing (so far…)
Looking for regulations? …Please wait for the next disaster.
18. Regulations, Standards and Certifications
• Standards:
– AICPA: SAS 70:
• there is no published list of SAS 70 standards (Recommendation: ask to review your cloud provider’s SAS 70 type Ⅰ/Ⅱ report!!!)
• Certifications:
– NIST (National Institute of Standards and Technology):
• Recommended Security Controls for Federal Information Systems and Organizations* ==> FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
– CSA:
• CCSK - Certified Cloud Security Knowledge
* Not related directly to cloud security
19. Regulations, Standards and Certifications
• Guidelines:
– CSA (Cloud Security Alliance):
• CCM - Cloud Controls Matrix
– NIST (National Institute of Standards and Technology):
• DRAFT Guidelines on Security and Privacy in Public Cloud Computing
– ENISA (European Network and Information Security Agency):
• Cloud Security Information Assurance Framework
20. Addressing Cloud Issues in the Israeli Government
From a position paper (10/2010) on: Principles for the protection of privacy in personal information in outsourcing in Israel
http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf
?
21. In Short
– Security is an EASY showstopper
– The cloud is here to stay
– …”We put our money in the cloud”
– No rush!
– Look for standards
– Find yourself a solid partner
22. Thank you!