Dr. Bhavani Thuraisingham - PowerPoint PPT Presentation

Title: Example: Data Mining for the NBA Author: Chris Clifton Last modified by: bxt043000 Created Date: 8/31/1999 4:11:00 PM Document presentation format – PowerPoint PPT presentation

Slides: 55
Provided by: ChrisC2
Learn more at: http://www.utdallas.edu
1

A Comprehensive Overview of Secure Cloud Computing
  • Dr. Bhavani Thuraisingham
  • November, 2012

2
Outline
  • What is Cloud Computing
  • Cloud Computing Infrastructure Security
  • Cloud Storage and Data Security
  • Identity Management in the Cloud
  • Security Management in the Cloud
  • Privacy
  • Audit and Compliance
  • Cloud Service Providers
  • Security as a Service
  • Impact of Cloud Computing
  • Directions
  • Reference: Cloud Security and Privacy, Mather,
    Kumaraswamy and Latif, O'Reilly Publishers

3
What is Cloud Computing?
  • Definition
  • SPI Framework
  • Traditional Software Model
  • Cloud Services Delivery Model
  • Deployment Model
  • Key Drivers
  • Impact
  • Governance
  • Barriers

4
Definition of Cloud Computing
  • Multitenancy - shared resources
  • Massive scalability
  • Elasticity
  • Pay as you go
  • Self provisioning of resources

5
SPI Framework
  • Software as a Service (SaaS), Platform as a
    Service (PaaS), Infrastructure as a Service
    (IaaS)
  • Several Technologies work together
  • Cloud access devices
  • Browsers and thin clients
  • High speed broad band access
  • Data centers and Server farms
  • Storage devices
  • Virtualization technologies
  • APIs

6
Traditional Software Model
  • Large upfront licensing costs
  • Annual support costs
  • Depends on number of users
  • Not based on usage
  • Organization is responsible for hardware
  • Security is a consideration
  • Customized applications

7
Cloud Services Delivery Model
  • SaaS
  • Rents software on a subscription basis
  • Service includes software, hardware and support
  • Users access the service through authorized
    device
  • Suitable for a company to outsource hosting of
    apps
  • PaaS
  • Vendor offers development environment to
    application developers
  • Provides development toolkits, building blocks,
    payment hooks
  • IaaS
  • Processing power and storage service
  • Hypervisor is at this level

8
Deployment Models
  • Public Clouds
  • Hosted, operated and managed by third party
    vendor
  • Security and day to day management by the vendor
  • Private Clouds
  • Networks, infrastructures, data centers owned by
    the organization
  • Hybrid Clouds
  • Sensitive applications in a private cloud and non
    sensitive applications in a public cloud

9
Key Drivers
  • Small investment and low ongoing costs
  • Economies of scale
  • Open standards
  • Sustainability

10
Impact
  • How are the following communities Impacted by the
    Cloud?
  • Individual Customers
  • Individual Businesses
  • Start-ups
  • Small and Medium sized businesses
  • Large businesses

11
Governance
  • Five layers of governance for IT are Network,
    Storage, Server, Services and Apps
  • For on premise hosting, the organization has control
    over Storage, Server, Services and Apps; the vendor
    and organization have shared control over networks
  • For the SaaS model, all layers are controlled by the
    vendor
  • For the IaaS model, Apps are controlled by the
    organization and Services are controlled by both, while
    the network, storage and server are controlled by the
    vendor
  • For PaaS, Apps and Services are controlled by
    both, while servers, storage and network are
    controlled by the vendor

12
Barriers
  • Security
  • Privacy
  • Connectivity and Open access
  • Reliability
  • Interoperability
  • Independence from CSP (cloud service provider)
  • Economic value
  • IT governance
  • Changes in IT organization
  • Political issues

13
Cloud Computing Infrastructure Security
  • Infrastructure Security at the Network Level
  • Infrastructure Security at the Host Level
  • Infrastructure Security at the Application Level
  • Note: We will examine IaaS, PaaS and SaaS
    Security issues at Network, Host and Application
    Levels

14
Security at the Network Level
  • Ensuring confidentiality and integrity of
    the organization's data in transit to and from the
    public cloud provider
  • Ensuring proper access control (Authentication,
    Authorization, Auditing) to resources in the
    public cloud
  • Ensuring availability of the Internet facing
    resources of the public cloud used by the
    organization
  • Replacing the established network zones and tiers
    with domains
  • How can you mitigate the risk factors?

15
Security at the Host Level
  • Host security at PaaS and SaaS Level
  • Both the PaaS and SaaS hide the host operating
    system from end users
  • Host security responsibilities in SaaS and PaaS
    are transferred to CSP
  • Host security at IaaS Level
  • Virtualization software security
  • Hypervisor security
  • Threats: Blue Pill attack on the hypervisor
  • Customer guest OS or virtual server security
  • Attacks to the guest OS e.g., stealing keys used
    to access and manage the hosts

16
Security at the Application Level
  • Usually it's the responsibility of both the CSP
    and the customer
  • Application security at the SaaS level
  • SaaS Providers are responsible for providing
    application security
  • Application security at the PaaS level
  • Security of the PaaS Platform
  • Security of the customer applications deployed on
    a PaaS platform
  • Application security at the IaaS Level
  • Customer applications treated as a black box
  • IaaS is not responsible for application level
    security

17
Cloud Storage and Data Security
  • Aspects of Data Security
  • Data Security Mitigation
  • Provider Data and its Security

18
Aspects of Data Security
  • Security for
  • Data in transit
  • Data at rest
  • Processing of data including multitenancy
  • Data Lineage
  • Data Provenance
  • Data remanence
  • Solutions include encryption, identity
    management, sanitization

19
Data Security Mitigation
  • Even though data in transit is encrypted, use of
    the data in the cloud will require decryption.
  • That is, the cloud will have unencrypted data
  • Mitigation
  • Sensitive data cannot be stored in a public cloud
  • Homomorphic encryption may be a solution in the
    future

20
Provider Data and its Security
  • What data does the provider collect e.g.,
    metadata, and how can this data be secured?
  • Data security issues
  • Access control, Key management for encrypting
  • Confidentiality, Integrity and Availability are
    objectives of data security in the cloud

21
Identity and Access Management (IAM) in the Cloud
  • Trust boundaries and IAM
  • Why IAM?
  • IAM challenges
  • IAM definitions
  • IAM architecture and practice
  • Getting ready for the cloud
  • Relevant IAM standards and protocols for cloud
    services
  • IAM practices in the cloud
  • Cloud authorization management
  • Cloud Service provider IAM practice

22
Trust Boundaries and IAM
  • In a traditional environment, trust boundary is
    within the control of the organization
  • This includes the governance of the networks,
    servers, services, and applications
  • In a cloud environment, the trust boundary is
    dynamic and moves within the control of the
    service provider as well as the organization
  • Identity federation is an emerging industry best
    practice for dealing with dynamic and loosely
    coupled trust relationships in the collaboration
    model of an organization
  • Core of the architecture is the directory service
    which is the repository for the identity,
    credentials and user attributes

23
Why IAM
  • Improves operational efficiency and regulatory
    compliance management
  • IAM enables organizations to achieve access
    control and operational security
  • Cloud use cases that need IAM
  • Organization employees accessing a SaaS service
    using identity federation
  • IT admin accessing the CSP management console to
    provision resources and access for users using a
    corporate identity
  • Developers creating accounts for partner users in
    PaaS
  • End users accessing a storage service in a cloud
  • Applications residing in a cloud service
    provider accessing storage from another cloud
    service

24
IAM Challenges
  • Provisioning resources to users rapidly to
    accommodate their changing roles
  • Handle turnover in an organization
  • Disparate dictionaries, identities, access rights
  • Need standards and protocols that address the IAM
    challenges

25
IAM Definitions
  • Authentication
  • Verifying the identity of a user, system or
    service
  • Authorization
  • Privileges that a user or system or service has
    after being authenticated (e.g., access control)
  • Auditing
  • Examine what the user, system or service has carried
    out
  • Check for compliance

26
IAM Practice
  • The IAM process consists of the following:
  • User management (for managing identity life
    cycles),
  • Authentication management,
  • Authorization management,
  • Access management,
  • Data management and provisioning,
  • Monitoring and auditing
  • Provisioning,
  • Credential and attribute management,
  • Entitlement management,
  • Compliance management,
  • Identity federation management,
  • Centralization of authentication and
    authorization,

27
Getting Ready for the Cloud
  • Organization using a cloud must plan for user
    account provisioning
  • How can a user be authenticated in a cloud
  • Organization can use cloud based solutions from a
    vendor for IAM (e.g., Symplified)
  • Identity Management as a Service
  • Industry standards for federated identity
    management
  • SAML, WS-Federation, Liberty Alliance

28
Relevant IAM Standards, Protocols for Cloud
  • IAM Standards and Specifications for
    Organizations
  • SAML
  • SPML
  • XACML
  • OAuth (Open Authentication): cloud service X
    accessing data in cloud service Y without
    disclosing credentials
  • IAM Standards and Specifications for Consumers
  • OpenID
  • Information Cards
  • Open Authenticate (OATH)
  • Open Authentication API (OpenAuth)

29
IAM Practices in the Cloud
  • Cloud Identity Administration
  • Life cycle management of user identities in the
    cloud
  • Federated Identity (SSO)
  • Enterprise: an enterprise identity provider within
    an organization's perimeter
  • Cloud-based Identity provider

30
Cloud Authorization Management
  • XACML is the preferred model for authorization
  • RBAC is being explored
  • Dual roles: Administrator and User
  • IAM support for compliance management

31
Cloud Service Provider and IAM Practice
  • What is the responsibility of the CSP and the
    responsibility of the organization/enterprise?
  • Enterprise IAM requirements
  • Provisioning of cloud service accounts to users
  • Provisioning of cloud services for service to
    service integration
  • SSO support for users based on federation
    standards
  • Support for international and regulatory policy
    requirements
  • User activity monitoring
  • How can enterprises expand their IAM requirements
    to SaaS, PaaS and IaaS

32
Security Management in the Cloud
  • Security Management Standards
  • Security Management in the Cloud
  • Availability Management
  • Access Control
  • Security Vulnerability, Patch and Configuration
    Management

33
Security Management Standards
  • Security Management has to be carried out in the
    cloud
  • Standards include ITIL (Information Technology
    Infrastructure Library) and ISO 27001/27002
  • What are the policies, procedures, processes and
    work instructions for managing security?

34
Security Management in the Cloud
  • Availability Management (ITIL)
  • Access Control (ISO, ITIL)
  • Vulnerability Management (ISO, IEC)
  • Patch Management (ITIL)
  • Configuration Management (ITIL)
  • Incident Response (ISO/IEC)
  • System use and Access Monitoring

35
Availability Management
  • SaaS availability
  • Customer responsibility: Customer must understand
    SLA and communication methods
  • SaaS health monitoring
  • PaaS availability
  • Customer responsibility
  • PaaS health monitoring
  • IaaS availability
  • Customer responsibility
  • IaaS health monitoring

36
Access Control Management in the Cloud
  • Who should have access and why
  • How is a resource accessed
  • How is the access monitored
  • Impact of access control of SaaS, PaaS and IaaS

37
Security Vulnerability, Patch and Configuration
(VPC) Management
  • How can security vulnerability, patch and
    configuration management for an organization be
    extended to a cloud environment
  • What is the impact of VPC on SaaS, PaaS and IaaS

38
Privacy
  • Privacy and Data Life Cycle
  • Key Privacy Concerns in the Cloud
  • Who is Responsible for Privacy
  • Privacy Risk Management and Compliance in the
    Cloud
  • Legal and Regulatory Requirements

39
Privacy and Data Life Cycle
  • Privacy: accountability of organizations to data
    subjects, as well as transparency about an
    organization's practices around personal
    information
  • Data Life Cycle
  • Generation, Use, Transfer, Transformation,
    Storage, Archival, Destruction
  • Need policies

40
Privacy Concerns in the Cloud
  • Access
  • Compliance
  • Storage
  • Retention
  • Destruction
  • Audit and Monitoring
  • Privacy Breaches

41
Who is Responsible for Privacy
  • The organization that collected the information in
    the first place: the owner organization
  • What is the role of the CSP?
  • Organizations can transfer liability but not
    accountability
  • Risk assessment and mitigation throughout the
    data lifecycle
  • Knowledge about legal obligations

42
Privacy Risk Management and Compliance
  • Collection Limitation Principle
  • Use Limitation Principle
  • Security Principle
  • Retention and Destruction Principle
  • Transfer Principle
  • Accountability Principle

43
Legal and Regulatory Requirements
  • US Regulations
  • Federal Rules of Civil Procedure
  • US Patriot Act
  • Electronic Communications Privacy Act
  • FISMA
  • GLBA
  • HIPAA
  • HITECH Act
  • International regulations
  • EU Directive
  • APEC Privacy Framework

44
Audit and Compliance
  • Internal Policy Compliance
  • Governance, Risk and Compliance (GRC)
  • Control Objectives
  • Regulatory/External Compliance
  • Cloud Security Alliance
  • Auditing for Compliance

45
Audit and Compliance
  • Defines Strategy
  • Define Requirements (provide services to clients)
  • Defines Architecture (that is architect and
    structure services to meet requirements)
  • Define Policies
  • Defines process and procedures
  • Ongoing operations
  • Ongoing monitoring
  • Continuous improvement

46
Governance, Risk and Compliance
  • Risk assessment
  • Key controls (to address the risks and compliance
    requirements)
  • Monitoring
  • Reporting
  • Continuous improvement
  • Risk assessment of new IT projects and systems

47
Control Objectives
  • Security Policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development and
    maintenance
  • Information Security incident management
  • Compliance
  • Key Management

48
Regulatory/External Compliance
  • Sarbanes-Oxley Act
  • PCI DSS
  • HIPAA
  • COBIT
  • What is the impact of Cloud computing on the
    above regulations?

49
Cloud Security Alliance (CSA)
  • Create and apply best practices to securing the
    cloud
  • Objectives include
  • Promote common level of understanding between
    consumers and providers
  • Promote independent research into best practices
  • Launch awareness and educational programs
  • Create consensus
  • White Paper produced by CSA consists of 15 domains
  • Architecture, Risk management, Legal, Lifecycle
    management, applications security, storage,
    virtualization, - - - -

50
Auditing for Compliance
  • Internal and External Audits
  • Audit Framework
  • SAS 70
  • SysTrust
  • WebTrust
  • ISO 27001 certification
  • Relevance to Cloud

51
Cloud Service Providers
  • Amazon Web Services (IaaS)
  • Google (SaaS, PaaS)
  • Microsoft Azure (SaaS, IaaS)
  • Proofpoint (SaaS, IaaS)
  • RightScale (SaaS)
  • Salesforce.com (SaaS, PaaS)
  • Sun Open Cloud Platform
  • Workday (SaaS)

52
Security as a Service
  • Email Filtering
  • Web Content Filtering
  • Vulnerability Management
  • Identity Management

53
Impact of Cloud Computing
  • Benefits
  • Low cost solution
  • Responsiveness, flexibility
  • IT Expense matches Transaction volume
  • Business users are in direct control of
    technology decisions
  • Line between home computing applications and
    enterprise applications will blur
  • Threats
  • Vested interest of cloud providers
  • Less control over the use of technologies
  • Perceived risk of using cloud computing
  • Portability and Lock-in to Proprietary systems
    for CSPs
  • Lack of integration and componentization

54
Directions
  • Analysts predict that cloud computing will be a
    huge growth area
  • Cloud growth will be much higher than traditional
    IT growth
  • Will likely revolutionize IT
  • Need to examine how traditional solutions for
    IAM, Governance, Risk Assessment etc will work
    for Cloud
  • Technologies will be enhanced (IaaS, PaaS, SaaS)
  • Security will continue to be a major concern