A Comprehensive Overview of Secure Cloud Computing: November, 2012

This document provides an outline and overview of secure cloud computing. It discusses key topics such as cloud computing infrastructure security, cloud storage and data security, identity and access management in the cloud, and security management in the cloud. The document examines security issues and best practices at the network, host, and application levels for IaaS, PaaS and SaaS cloud models. Identity management standards, protocols and practices for the cloud are also reviewed.
Dr. Bhavani Thuraisingham
November, 2012
A Comprehensive Overview of Secure Cloud Computing

Outline
- What is Cloud Computing
- Cloud Computing Infrastructure Security
- Cloud Storage and Data Security
- Identity Management in the Cloud
- Security Management in the Cloud
- Privacy
- Audit and Compliance
- Cloud Service Providers
- Security as a Service
- Impact of Cloud Computing
- Directions
- Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O'Reilly Publishers

What is Cloud Computing?
- Definition
- SPI Framework
- Traditional Software Model
- Cloud Services Delivery Model
- Deployment Model
- Key Drivers
- Impact
- Governance
- Barriers

Definition of Cloud Computing
- Multitenancy - shared resources
- Massive scalability
- Elasticity
- Pay as you go
- Self provisioning of resources

SPI Framework
- Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Several technologies work together:
  - Cloud access devices
  - Browsers and thin clients
  - High speed broadband access
  - Data centers and server farms
  - Storage devices
  - Virtualization technologies
  - APIs

Traditional Software Model
- Large upfront licensing costs
- Annual support costs
- Depends on number of users
- Not based on usage
- Organization is responsible for hardware
- Security is a consideration
- Customized applications

Cloud Services Delivery Model
- SaaS
  - Rents software on a subscription basis
  - Service includes software, hardware and support
  - Users access the service through an authorized device
  - Suitable for a company to outsource hosting of apps
- PaaS
  - Vendor offers a development environment to application developers
  - Provider develops toolkits, building blocks, payment hooks
- IaaS
  - Processing power and storage service
  - Hypervisor is at this level

Deployment Models
- Public Clouds
  - Hosted, operated and managed by a third party vendor
  - Security and day to day management by the vendor
- Private Clouds
  - Networks, infrastructures, data centers owned by the organization
- Hybrid Clouds
  - Sensitive applications in a private cloud and non-sensitive applications in a public cloud

Key Drivers
- Small investment and low ongoing costs
- Economies of scale
- Open standards
- Sustainability

Impact
- How are the following communities impacted by the Cloud?
  - Individual Customers
  - Individual Businesses
  - Start-ups
  - Small and Medium sized businesses
  - Large businesses

Governance
- Five layers of governance for IT are Network, Storage, Server, Services and Apps
- For on premise hosting, the organization has control over Storage, Server, Services and Apps; vendor and organization have shared control over networks
- For the SaaS model all layers are controlled by the vendor
- For the IaaS model, Apps are controlled by the organization, Services are controlled by both, while the network, storage and server are controlled by the vendor
- For PaaS, Apps and Services are controlled by both, while servers, storage and network are controlled by the vendor

Barriers
- Security
- Privacy
- Connectivity and Open access
- Reliability
- Interoperability
- Independence from CSP (cloud service provider)
- Economic value
- IR governance
- Changes in IT organization
- Political issues

Cloud Computing Infrastructure Security
- Infrastructure Security at the Network Level
- Infrastructure Security at the Host Level
- Infrastructure Security at the Application Level
- Note: We will examine IaaS, PaaS and SaaS security issues at the Network, Host and Application Levels

Security at the Network Level
- Ensuring data confidentiality and integrity of the organization's data in transit to and from the public cloud provider
- Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud
- Ensuring availability of the Internet facing resources of the public cloud used by the organization
- Replacing the established network zones and tiers with domains
- How can you mitigate the risk factors?

Security at the Host Level
- Host security at PaaS and SaaS Level
  - Both PaaS and SaaS hide the host operating system from end users
  - Host security responsibilities in SaaS and PaaS are transferred to the CSP
- Host security at IaaS Level
  - Virtualization software security
    - Hypervisor security
    - Threats: Blue Pill attack on the hypervisor
  - Customer guest OS or virtual server security
    - Attacks on the guest OS: e.g., stealing keys used to access and manage the hosts

Security at the Application Level
- Usually it's the responsibility of both the CSP and the customer
- Application security at the SaaS level
  - SaaS providers are responsible for providing application security
- Application security at the PaaS level
  - Security of the PaaS platform
  - Security of the customer applications deployed on a PaaS platform
- Application security at the IaaS level
  - Customer applications are treated as a black box
  - IaaS is not responsible for application level security

Cloud Storage and Data Security
- Aspects of Data Security
- Data Security Mitigation
- Provider Data and its Security

Aspects of Data Security
- Security for
  - Data in transit
  - Data at rest
  - Processing of data including multitenancy
  - Data lineage
  - Data provenance
  - Data remanence
- Solutions include encryption, identity management, sanitation

Data Security Mitigation
- Even though data in transit is encrypted, use of the data in the cloud will require decryption.
  - That is, the cloud will have unencrypted data
- Mitigation
  - Sensitive data cannot be stored in a public cloud
  - Homomorphic encryption may be a solution in the future

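As an added illustration of the last bullet (example code written for this page, not from the slides or the referenced book), here is a toy additively homomorphic scheme (Paillier) in Python: the "cloud" adds values that it only ever holds in encrypted form, and only the key holder decrypts the result. The fixed demo key built from two Mersenne primes is a constructed assumption; real keys use large random primes.

```python
"""Toy Paillier demo: the cloud sums values it never decrypts."""
from math import gcd
import secrets

# Constructed demo key from two fixed Mersenne primes (an assumption for the
# example); a real deployment generates large random primes of equal size.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
N_SQ = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
G = N + 1                                         # standard generator choice
MU = pow(LAMBDA, -1, N)                           # lambda^-1 mod n (Python 3.8+)


def encrypt(m: int) -> int:
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (pow(G, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ


def decrypt(c: int) -> int:
    """Dec(c) = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    u = pow(c, LAMBDA, N_SQ)
    return (((u - 1) // N) * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """Cloud-side step: multiplying ciphertexts adds the plaintexts underneath."""
    return (c1 * c2) % N_SQ


def cloud_sum(values) -> int:
    """Client encrypts; the 'cloud' only multiplies ciphertexts; client decrypts once."""
    ciphertexts = [encrypt(v) for v in values]
    acc = encrypt(0)  # start from an encryption of zero
    for c in ciphertexts:
        acc = add_encrypted(acc, c)
    return decrypt(acc)


if __name__ == "__main__":
    print(cloud_sum([10, 20, 12]))  # 42, computed without exposing 10, 20 or 12
```

The scheme is additive only: it covers aggregation workloads, not arbitrary computation, which is why the slide frames homomorphic encryption as a future direction rather than a general mitigation.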
Provider Data and its Security
- What data does the provider collect (e.g., metadata), and how can this data be secured?
- Data security issues
  - Access control, key management for encryption
- Confidentiality, Integrity and Availability are the objectives of data security in the cloud

Identity and Access Management (IAM) in the Cloud
- Trust boundaries and IAM
- Why IAM?
- IAM challenges
- IAM definitions
- IAM architecture and practice
- Getting ready for the cloud
- Relevant IAM standards and protocols for cloud services
- IAM practices in the cloud
- Cloud authorization management
- Cloud service provider IAM practice

Trust Boundaries and IAM
- In a traditional environment, the trust boundary is within the control of the organization
- This includes the governance of the networks, servers, services, and applications
- In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well as the organization
- Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization
- The core of the architecture is the directory service, which is the repository for the identity, credentials and user attributes

Why IAM
- Improves operational efficiency and regulatory compliance management
- IAM enables organizations to achieve access control and operational security
- Cloud use cases that need IAM
  - Organization employees accessing a SaaS service using identity federation
  - IT admins accessing the CSP management console to provision resources and access for users using a corporate identity
  - Developers creating accounts for partner users in PaaS
  - End users accessing a storage service in a cloud
  - Applications residing in a cloud service provider accessing storage from another cloud service

IAM Challenges
- Provisioning resources to users rapidly to accommodate their changing roles
- Handling turnover in an organization
- Disparate dictionaries, identities, access rights
- Need standards and protocols that address the IAM challenges

IAM Definitions
- Authentication
  - Verifying the identity of a user, system or service
- Authorization
  - Privileges that a user, system or service has after being authenticated (e.g., access control)
- Auditing
  - Examine what the user, system or service has carried out
  - Check for compliance

IAM Practice
- The IAM process consists of the following:
  - User management (for managing identity life cycles),
  - Authentication management,
  - Authorization management,
  - Access management,
  - Data management and provisioning,
  - Monitoring and auditing,
  - Provisioning,
  - Credential and attribute management,
  - Entitlement management,
  - Compliance management,
  - Identity federation management,
  - Centralization of authentication and authorization

Getting Ready for the Cloud
- An organization using a cloud must plan for user account provisioning
  - How can a user be authenticated in a cloud?
- An organization can use cloud based solutions from a vendor for IAM (e.g., Symplified)
  - Identity Management as a Service
- Industry standards for federated identity management
  - SAML, WS-Federation, Liberty Alliance

Relevant IAM Standards, Protocols for Cloud
- IAM Standards and Specifications for Organizations
  - SAML
  - SPML
  - XACML
  - OAuth (Open Authentication): cloud service X accessing data in cloud service Y without disclosing credentials
- IAM Standards and Specifications for Consumers
  - OpenID
  - Information Cards
  - Open Authenticate (OATH)
  - Open Authentication API (OpenAuth)

IAM Practices in the Cloud
- Cloud Identity Administration
  - Life cycle management of user identities in the cloud
- Federated Identity (SSO)
  - Enterprise as an enterprise identity provider within the organization perimeter
  - Cloud-based identity provider

Cloud Authorization Management
- XACML is the preferred model for authorization
- RBAC is being explored
- Dual roles: Administrator and User
- IAM support for compliance management

Cloud Service Provider and IAM Practice
- What is the responsibility of the CSP and the responsibility of the organization/enterprise?
- Enterprise IAM requirements
  - Provisioning of cloud service accounts to users
  - Provisioning of cloud services for service to service integration
  - SSO support for users based on federation standards
  - Support for international and regulatory policy requirements
  - User activity monitoring
- How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS?

Security Management in the Cloud
- Security Management Standards
- Security Management in the Cloud
- Availability Management
- Access Control
- Security Vulnerability, Patch and Configuration Management

Security Management Standards
- Security management has to be carried out in the cloud
- Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002
- What are the policies, procedures, processes and work instructions for managing security?

Security Management in the Cloud
- Availability Management (ITIL)
- Access Control (ISO, ITIL)
- Vulnerability Management (ISO, IEC)
- Patch Management (ITIL)
- Configuration Management (ITIL)
- Incident Response (ISO/IEC)
- System use and Access Monitoring

Availability Management
- SaaS availability
  - Customer responsibility: the customer must understand the SLA and communication methods
  - SaaS health monitoring
- PaaS availability
  - Customer responsibility
  - PaaS health monitoring
- IaaS availability
  - Customer responsibility
  - IaaS health monitoring

Access Control Management in the Cloud
- Who should have access and why?
- How is a resource accessed?
- How is the access monitored?
- Impact of access control on SaaS, PaaS and IaaS

Security Vulnerability, Patch and Configuration (VPC) Management
- How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment?
- What is the impact of VPC on SaaS, PaaS and IaaS?

Privacy
- Privacy and Data Life Cycle
- Key Privacy Concerns in the Cloud
- Who is Responsible for Privacy
- Privacy Risk Management and Compliance in the Cloud
- Legal and Regulatory Requirements

Privacy and Data Life Cycle
- Privacy: accountability of organizations to data subjects as well as the transparency of an organization's practice around personal information
- Data Life Cycle
  - Generation, Use, Transfer, Transformation, Storage, Archival, Destruction
  - Need policies

Privacy Concerns in the Cloud
- Access
- Compliance
- Storage
- Retention
- Destruction
- Audit and Monitoring
- Privacy Breaches

Who is Responsible for Privacy
- The organization that collected the information in the first place: the owner organization
- What is the role of the CSP?
- Organizations can transfer liability but not accountability
- Risk assessment and mitigation throughout the data lifecycle
- Knowledge about legal obligations

Privacy Risk Management and Compliance
- Collection Limitation Principle
- Use Limitation Principle
- Security Principle
- Retention and Destruction Principle
- Transfer Principle
- Accountability Principle

Legal and Regulatory Requirements
- US Regulations
  - Federal Rules of Civil Procedure
  - US Patriot Act
  - Electronic Communications Privacy Act
  - FISMA
  - GLBA
  - HIPAA
  - HITECH Act
- International regulations
  - EU Directive
  - APEC Privacy Framework

Audit and Compliance
- Internal Policy Compliance
- Governance, Risk and Compliance (GRC)
- Control Objectives
- Regulatory/External Compliance
- Cloud Security Alliance
- Auditing for Compliance

Audit and Compliance
- Define Strategy
- Define Requirements (provide services to clients)
- Define Architecture (that is, architect and structure services to meet requirements)
- Define Policies
- Define processes and procedures
- Ongoing operations
- Ongoing monitoring
- Continuous improvement

Governance, Risk and Compliance
- Risk assessment
- Key controls (to address the risks and compliance requirements)
- Monitoring
- Reporting
- Continuous improvement
- Risk assessment for new IT projects and systems

Control Objectives
- Security Policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Compliance
- Key Management

Regulatory/External Compliance
- Sarbanes-Oxley Act
- PCI DSS
- HIPAA
- COBIT
- What is the impact of cloud computing on the above regulations?

Cloud Security Alliance (CSA)
- Create and apply best practices for securing the cloud
- Objectives include
  - Promote a common level of understanding between consumers and providers
  - Promote independent research into best practices
  - Launch awareness and educational programs
  - Create consensus
- The White Paper produced by CSA consists of 15 domains
  - Architecture, Risk management, Legal, Lifecycle management, application security, storage, virtualization, ...

Auditing for Compliance
- Internal and External Audits
- Audit Framework
  - SAS 70
  - SysTrust
  - WebTrust
  - ISO 27001 certification
- Relevance to Cloud

Cloud Service Providers
- Amazon Web Services (IaaS)
- Google (SaaS, PaaS)
- Microsoft Azure (SaaS, IaaS)
- Proofpoint (SaaS, IaaS)
- RightScale (SaaS)
- Salesforce.com (SaaS, PaaS)
- Sun Open Cloud Platform
- Workday (SaaS)

Security as a Service
- Email Filtering
- Web Content Filtering
- Vulnerability Management
- Identity Management

Impact of Cloud Computing
- Benefits
  - Low cost solution
  - Responsiveness, flexibility
  - IT expense matches transaction volume
  - Business users are in direct control of technology decisions
  - Line between home computing applications and enterprise applications will blur
- Threats
  - Vested interest of cloud providers
  - Less control over the use of technologies
  - Perceived risk of using cloud computing
  - Portability and lock-in to proprietary systems for CSPs
  - Lack of integration and componentization

Directions
- Analysts predict that cloud computing will be a huge growth area
- Cloud growth will be much higher than traditional IT growth
- Will likely revolutionize IT
- Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc. will work for the Cloud
- Technologies will be enhanced (IaaS, PaaS, SaaS)
- Security will continue to be a major concern