Security of Cloud Computing


Page 1 (0s)

Hi – 5: Marcus Hogue, Chris Jacobson, Alexandra Korol, Mark Ordonez, Jinjia Xi.

Page 2 (8s)

Topic Overview. Introduction; Cloud Basics; Securing the Cloud; Leveraging the Cloud; Final Recommendations.

Page 3 (16s)

[Audio] "Worldwide cloud services revenue is on pace to surpass $56.3 billion in 2009, a 21.3 percent increase from 2008 revenue of $46.4 billion, according to Gartner, Inc. The market is expected to reach $150.1 billion in 2013." Business processes delivered as cloud services are the largest segment of the overall cloud services market, accounting for 83 percent of the overall market in 2008. The segment, consisting of cloud-based advertising, e-commerce, human resources and payments processing, is forecast to grow 19.8 percent in 2009 to $46.6 billion, up from $38.9 billion in 2008. While much of the publicity for cloud computing currently centers on systems infrastructure delivered as a service, this is still an early-stage market. In 2008, such services accounted for only 5.5 percent of the overall cloud services market and are expected to account for 6 percent of the market in 2009. Infrastructure services revenue was $2.5 billion in 2008 and is forecast to reach $3.2 billion in 2009.

Page 4 (1m 36s)

Cloud Basics. Cloud Characteristics. Service Models: SaaS, IaaS, PaaS. Deployment Models: Public, Private, Community, Hybrid.

Page 5 (1m 45s)

[Audio] General Definition – Cloud computing is the delivery of hosting services that are provided to a client over the Internet. Cloud computing is different from traditional hosting because it is on demand, a user can specify how much of the service they want, and the services are completely managed by the provider of the service. http://searchcloudcomputing.techtarget.com/sDefinition/0,,sid201_gci1287881,00.html

On-Demand self-service – The client can allocate resources with no interaction with a person. An example of this is network storage.

Broad network access – Resources on the network can be accessed from many different platforms (cell phones, laptops, etc.).

Resource pooling – The cloud provider pools computing resources to support many customers. Resources can be dynamically assigned based on customer demand. Also, customers do not know the exact location of resources, but generally know the region. Resources that are pooled can include, but are not limited to, storage, processing, and network bandwidth. Private clouds are also able to pool resources between separate parts of the same organization.

Rapid Elasticity – Resources can be scaled up or down quickly. This is opaque to the customer, since the customer sees unlimited resources available and has the ability to purchase any amount of resources in any quantity for any amount of time.

Measured Service – The service that consumers are using is tracked and metered. This allows the cloud to "control and optimize" resources that are being leveraged by customers.

Three implementations of cloud computing – Infrastructure as a service, Platform as a service and Software as a service, which will be discussed on the next slide.

(15) CSA - Security Guidance for Critical Areas of Focus in Cloud Computing v2.1.pdf.

Page 6 (3m 46s)

[Audio] CSA, Security guidance for critical areas of focus in cloud computing. There are so many different cloud deployment options. This is a popular service model, called the SPI service model. SPI refers to Software as a Service, Platform as a Service, or Infrastructure as a Service, explained in depth in the next slides. Higher layers are built on lower layers. Higher ions include lower ones.

IaaS: Customers rent fundamental computing resources from service providers (for example: processing, storage, networks and so on). They are able to run their own operating systems and applications, while they do not need to manage and maintain hardware. Example: Amazon EC2 provides resizable compute capacity in the cloud.

PaaS: Customers deploy applications onto the provider's infrastructure. These applications are created using programming languages and tools supported by the provider. Besides the hardware, customers do not manage operating systems. Example: Google App Engine supports two application environments: Java and Python.

SaaS: Customers use the provider's application, which is accessible over the Internet. Customers only need to control limited user-specific application configuration settings. Example: Salesforce.com offers a CRM application. Customers use the CRM system as a web application.

Page 7 (5m 41s)

[Audio] Natural Evolution of the Web. How were new web sites traditionally set up? In general, there are three steps: buy compute and storage (server hardware), build developer platforms, and create the application; the output is the web site. How has the cloud changed this process? With cloud computing, a company can easily take a shortcut to build a website. Some of the potential benefits include cost savings and the built-in flexibility.

Page 8 (6m 17s)

[Audio] Regardless of the service model utilized (SaaS, PaaS, or IaaS), there are four deployment models for cloud services that address specific requirements. Public Cloud: The cloud infrastructure is made available to any organization. For example, a company may build its datacenter with Amazon Simple Storage Service, where a secure VPN connects the storage service and the enterprise intranet. (Both the service provider and the company benefit from economies of scale.)

Page 9 (6m 51s)

[Audio] Private Cloud: If a company has to keep lots of sensitive information in its datacenter, a public cloud may not be the best approach. The private cloud is usually a pool of resources inside a company, but it may be managed by either the company or a third party. A private cloud offers the benefits and flexibility of the cloud and does not sacrifice security.

Page 10 (7m 18s)

[Audio] Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). The US Government and NASA created a community cloud for all US government agencies.

Page 11 (7m 41s)

[Audio] Hybrid Cloud: The cloud infrastructure is a combination of two or more clouds (private, community, or public) that remain unique entities. The different types of clouds are bound together by standardized or proprietary technology that enables data and application portability.

Page 12 (8m 1s)

Securing the Cloud. Security Interaction Model; Top Security Threats; Cloud Provider Security Practices – Google Case Study.

Page 13 (8m 10s)

[Audio] Investigate provider security practices. Identify gaps between provider and consumer security policies; address as appropriate.

Page 14 (8m 28s)

[Audio] Insert brief description of each type of threat.

Page 15 (8m 39s)

[Audio] Insert example of one of these threats.

Abuse and nefarious use of cloud computing: Stricter initial registration and validation processes. Enhanced credit card fraud monitoring and coordination. Comprehensive introspection of customer network traffic. Monitoring public blacklists for one's own network blocks.

Insecure interfaces & APIs: Analyze the security model of cloud provider interfaces. Ensure strong authentication and access controls are implemented in concert with encrypted transmission. Understand the dependency chain associated with the API.

Unknown risk profile: Disclosure of applicable logs and data. Partial/full disclosure of infrastructure details. Monitoring and alerting on necessary information.

Page 16 (9m 5s)

[Audio] Insert example of one of these threats.

Malicious insiders: Enforce strict supply chain management and conduct a comprehensive supplier assessment. Specify human resource requirements as part of legal contracts. Require transparency into overall information security and management practices, as well as compliance reporting. Determine security breach notification processes.

Shared technology issues: Implement security best practices for installation and configuration. Monitor environment for unauthorized changes/activity. Promote strong authentication and access control for administrative access and operations. Enforce service level agreements for patching and vulnerability remediation. Conduct vulnerability scanning and configuration audits.

Page 17 (9m 29s)

[Audio] Insert example of one of these threats.

Data loss or leakage: Implement strong API access control. Encrypt and protect integrity of data in transit. Analyze data protection at both design and run time. Implement strong key generation, storage and management, and destruction practices. Contractually demand providers wipe persistent media before it is released into the pool. Contractually specify provider backup and retention strategies.

Account or service hijacking: Prohibit the sharing of account credentials between users and services. Leverage strong two-factor authentication techniques where possible. Employ proactive monitoring to detect unauthorized activity. Understand cloud provider security policies and SLAs.

Page 18 (9m 55s)

Google Security Practices. Organizational and Operational Security; Data Security; Threat Evasion; Safe Access; Privacy.

Page 19 (10m 4s)

[Audio] Google takes a holistic approach to security. They design security into products, architecture, infrastructure, and systems from the beginning. Google employs a full-time security team. They develop, document, and implement comprehensive security policies. The team is divided into functional areas: perimeter defense, infrastructure defense, application defense, and vulnerability detection and response. The team focuses its efforts on preventative measures, and they respond to other security issues as they arise. …

Page 20 (10m 50s)

[Audio] Google Code of Conduct: The corporate culture is security- and user-centric.

Physical security: Google has a large global network of distributed datacenters. Geographic location of datacenters is chosen to provide protection against catastrophic events. Physical access to the datacenters is limited, tightly controlled, and audited.

Logical security: …

Accessibility: …

Redundancy: Multiple levels of redundancy are used to ensure reliability and availability. Google maintains mirrors within a data center, as well as between datacenters.

Page 21 (11m 39s)

[Audio] Spam and virus protection … Application & network attacks ….

Page 22 (11m 50s)

[Audio] Avoids local storage … Access controls … Encrypted connections … Integrated security ….

Page 23 (12m 9s)

[Audio] Privacy policy … Does not access confidential user data … Does not alter data … Maintain own IP rights … Indemnification, liability … End of use ….

Page 24 (12m 39s)

Leveraging the Cloud. Decision Making Process; Clan Wars Case Study.

Page 25 (12m 47s)

[Audio] Identify the asset for cloud deployment: Data; Applications / Functions / Processes.

Evaluate the asset requirements for confidentiality, integrity, and availability. Sample questions to ask include:
1. How would we be harmed if the asset became widely public and widely distributed?
2. How would we be harmed if an employee of our cloud provider accessed the asset?
3. How would we be harmed if the process or function were manipulated by an outsider?
4. How would we be harmed if the process or function failed to provide expected results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the asset were unavailable for a period of time?

Map the asset to potential cloud deployment models: Public; Private, internal; Private, external; Community; Hybrid.

Evaluate potential cloud service models and providers. Service models: SaaS, IaaS, PaaS. Providers: Google, Amazon, Microsoft, Rackspace.

Sketch the potential data flow: Map data flow between organization, cloud, and other entities (i.e., customer, vendor, etc.). Before making a decision, it is important to understand whether, and how, data can move in and out of the cloud.

Draw conclusions.

Page 26 (14m 46s)

[Audio] Since the game is multiplayer and browser based, there is a high risk for users attempting to modify the data stream. The concern grows when considering credit card data may be involved in the process.

Page 27 (15m 0s)

[Audio] As the company was starting from scratch, all components were considered for cloud candidates. The evaluation showed that the payment system was the highest concern. If the game was hacked in any way, we would restore from backup (and process refunds if needed). The primary components were infrastructure, payment processing, and tools for collaborating internally (such as Google Apps, Dropbox, etc.).

Page 28 (15m 29s)

[Audio] The user begins a session by browsing to the website, where they will be directed to one of two web servers via DNS round-robin load balancing. Once the user initiates the game, the Flash client (SWF files) is downloaded from the CDN and begins communicating with the Java application servers via an AMF gateway to the Tomcat application server. Payments happen via the web tier and are processed directly by PayPal through calls to their API, rather than by Clan Wars' web servers. The general process is:
1. Clan Wars tells PayPal "User X wants to make a payment to us for $Y".
2. PayPal handles the transaction.
3. PayPal returns a succeed/fail code for the transaction.
4. Clan Wars approves the transaction and the customer receives the item they are paying for.

At no step in the process does the credit card information reside on Clan Wars' servers.

Page 29 (16m 33s)

[Audio] Usage-based billing is the primary benefit in cost. Cost of servers: ~$320/month. Cost of CDN: ~$100/month. Cost of traditional servers: ~$875/month.

Maintenance benefits: Backup/snapshots. Resize servers. Clone servers. Data redundancy (RAID 0+1). No concerns about maintaining regional file servers.

Page 30 (17m 16s)

[Audio] "Close the Gap". Final Recommendation. No universal answer. Evaluate your security needs versus the capabilities of the provider.

Page 32 (17m 31s)

Supplemental Material. The sections that follow will not be covered during the presentation but are included for reference.

Page 33 (17m 40s)

[Audio] Physical Security: Limited access to data centers. Biometric scanning and access card access to the datacenter. Visual monitoring via security cameras. Auditing by an independent firm. All employees have a background screening before getting hired.

System Security: Systems are run by a secure OS that always has the latest patches. Firewall and VPN access. Users can get an optional IDS.

Operational Security: Employee training on data and privacy policies. All systems are audited and logged when someone accesses the system. Follows ISO17799 security policies and procedures.

Application Security: Passwords are stored encrypted and transmitted encrypted. Random initial passwords.

Page 34 (18m 44s)

Cloud Consumer Best Practices. Operational Domains: Traditional Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Management; Application Security; Encryption & Key Mgmt; Identity & Access Mgmt; Virtualization.