Slide 1: Practical Security Problems in Cloud Computing
Alon Refaeli – Porticor Technologies alon@SecuredZones.com May 2009
Slide 2: The Cloud Computing Main Elements
• Infrastructure as a Service (IaaS): switch, NT, access control, etc.
• Platform as a Service (PaaS): .NET, Java, LAMP, etc.
• Software as a Service (SaaS): CRM, ERP, etc.
Slide 3: Foundational Elements of Cloud Computing
Business Models:
• Web 2.0 (Software as a Service (SaaS))
• Utility Computing
• Service Level Agreements
• Open standards, Data Portability, and Accessibility
Architecture:
• Autonomic System Computing
• Grid Computing
• Platform Virtualization
• Web Services
• Service Oriented Architectures
• Web application frameworks
• Open source software
Slide 4: Why Cloud Computing?
Capital Expenditure, Multitenancy, Scalability, Reliability, Security, Performance, Location Independence
Slide 5: Cyber Threats – No End in Sight
Thousands of cyber attacks each day on key utilities.
Well known infrastructure-based disruptions: September 11 Internet inaccessibility, Estonian DDoS attacks, DNS attacks, Georgian attacks from Russia.
General consensus: attacks are growing in sophistication and scale.
Slide 6: Cloud + Security Threats = ??
New challenges emerge as services become more distributed:
• Nobody 'owns' the cloud
• Everyone relies on the cloud
• Each individual autonomous system is responsible for securing its section of the cloud
• The impact of its actions now affects everyone, even more than before!
Bottom line: things that impact you and your business don't end at your gateway anymore.
Slide 7: Cloud Computing Threats
Slide 8: Security follows mainstream IT Platform Evolution
[Timeline figure: security platforms following the mainstream IT platform evolution, from End-Point and Client-Server Software through Gateway Software and Appliance to Virtual Machine, Cloud/SaaS and Mobile; year marks 1990's, 2000, 2002, 2005, 2009; annotation: "Operational Complexity Reduced"]
Slide 9: Key Customer Questions on SaaS and Cloud Client-type Services
Privacy, Performance, Availability, Personalization, Encryption, Global/Local Caching, Application Design, Multi-Tenant
Slide 10: What is the role of Access Management?
Common pain points:
• Who should have access to what? Siloed approach to authorization across hundreds or even thousands of applications; months to modify applications with embedded authorization policy or by deploying agents.
• Who has access to what?
• Who did access what? Organizations don't get a clear view of who has done what with a resource, so they cannot demonstrate 'control'.
Slide 11: The 3 primary security concerns for Cloud Computing
1. Federated authentication
2. Entitlement/authorization control (based on multiple attributes)
3. Transaction logging for audit, compliance and forensics
Slide 12: federated authentication
No. 1 is available through Identity-as-a-Service vendors such as Tricipher. SAML will become the standard Federated Identity model once MS Geneva is rolled out.
Slide 13: entitlement/authorization control
No. 2 is more difficult. Entitlement/AuthZ is built into apps such as Salesforce today. However, enterprise web and file services (such as MS SharePoint) do not have the fine-grained controls needed for audit and compliance. This is where network-based AuthZ players come in.
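The "based on multiple attributes" part of concern No. 2 is what distinguishes entitlement control from a plain role check. The following is an added example (not code from the slides or from any vendor named in them) of a small attribute-based authorization engine: each rule is a predicate over subject, action, resource and environment attributes, and a deny-overrides combining algorithm with a default deny ensures that a missing or mistyped attribute can only lose access, never gain it. The tenant names, users, attribute names and rules are all constructed for illustration.

```python
"""Attribute-based entitlement check for a multi-tenant cloud application.

Added example; policy, attribute names and sample subjects are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
# A predicate receives (subject, action, resource, environment) and says
# whether the rule applies to this request.
Predicate = Callable[[Attrs, str, Attrs, Attrs], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    applies: Predicate   # True when the rule matches the request


# Constructed policy. Deny rules encode hard boundaries (tenant isolation,
# data classification); permit rules grant narrow entitlements.
POLICY: List[Rule] = [
    Rule("deny-cross-tenant", "deny",
         lambda s, a, r, e: s.get("tenant") != r.get("tenant")),
    Rule("deny-confidential-offnet", "deny",
         lambda s, a, r, e: r.get("classification") == "confidential"
         and not e.get("on_corp_network", False)),
    Rule("permit-owner-rw", "permit",
         lambda s, a, r, e: a in ("read", "write")
         and s.get("id") == r.get("owner")),
    Rule("permit-finance-read-invoices", "permit",
         lambda s, a, r, e: a == "read" and s.get("role") == "finance"
         and r.get("type") == "invoice"),
    Rule("permit-admin-delete", "permit",
         lambda s, a, r, e: a == "delete" and s.get("role") == "admin"),
]


def evaluate(subject: Attrs, action: str, resource: Attrs, env: Attrs,
             rules: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching deny wins, otherwise any
    matching permit, otherwise deny. Returns the decision together with the
    names of the rules that matched, so the decision can be logged and
    explained to an auditor."""
    matched = [r for r in rules if r.applies(subject, action, resource, env)]
    names = [r.name for r in matched]
    if any(r.effect == "deny" for r in matched):
        return "deny", names
    if any(r.effect == "permit" for r in matched):
        return "permit", names
    return "deny", names  # default deny: nothing granted access


if __name__ == "__main__":
    # Constructed sample request: a finance user reading an invoice of her
    # own tenant from inside the corporate network.
    alice = {"id": "alice", "tenant": "acme", "role": "finance"}
    invoice = {"type": "invoice", "owner": "carol", "tenant": "acme",
               "classification": "internal"}
    print(evaluate(alice, "read", invoice, {"on_corp_network": True}))
```

Returning the matched rule names alongside the decision is deliberate: it is the record the next slide asks for (who was allowed or refused what, and why), and it makes policy regressions visible in tests rather than in an audit.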
Slide 14: transaction logging
No. 3, transaction logging, is in my opinion the big deal-breaker. If you don't know 'who' has done 'what' in your cloud apps, then how will you survive a SOX or PCI audit? This is probably one of the major questions that needs to be answered by new Cloud Security vendors (start-ups).
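A transaction log only answers "who did what" to an auditor if the log itself cannot be silently edited by the people it records. The following is an added example (not code from the slides or from any vendor they mention) of a tamper-evident transaction log: every entry carries the actor, action, resource, tenant and authorization decision, and is chained to its predecessor with an HMAC under a key held by the audit function rather than by the application operators, so that altering, reordering or deleting an entry breaks verification. The key, event fields, users and resource names are constructed for illustration.

```python
"""Tamper-evident transaction log: who did what, to which resource, when.

Added example; the key and sample events are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain value used before the first entry


class AuditLog:
    def __init__(self, key: bytes):
        # The key must be held by the auditing party, not the application
        # operators; with a plain (unkeyed) hash chain anyone who can edit
        # the file can simply recompute the chain.
        self._key = key
        self.entries: List[Dict] = []

    def _mac(self, prev: str, body: Dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + canonical).encode(),
                        hashlib.sha256).hexdigest()

    def record(self, *, ts: str, actor: str, action: str, resource: str,
               tenant: str, decision: str) -> Dict:
        """Append one transaction; the sequence number and the previous MAC
        bind the entry to its position in the log."""
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "resource": resource, "tenant": tenant,
                "decision": decision}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = dict(body, prev=prev, mac=self._mac(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or
        reordered after it was written."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            if e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["mac"], self._mac(prev, body)):
                return False
            prev = e["mac"]
        return True

    def who_did_what(self, resource: str) -> List[Tuple[str, str, str, str]]:
        """The auditor's question: every actor, action and decision recorded
        against one resource, in order."""
        return [(e["ts"], e["actor"], e["action"], e["decision"])
                for e in self.entries if e["resource"] == resource]


INVOICE = "s3://acme-finance/invoices/2009-05.pdf"  # constructed resource name


def build_sample_log() -> AuditLog:
    """Constructed sample: three transactions in one tenant."""
    log = AuditLog(key=b"auditor-held-key-constructed-for-demo")
    log.record(ts="2009-05-12T09:14:03Z", actor="alice", action="read",
               resource=INVOICE, tenant="acme", decision="permit")
    log.record(ts="2009-05-12T09:20:41Z", actor="bob", action="delete",
               resource=INVOICE, tenant="acme", decision="deny")
    log.record(ts="2009-05-12T10:02:17Z", actor="alice", action="write",
               resource="crm://acme/accounts/4711", tenant="acme",
               decision="permit")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    for row in log.who_did_what(INVOICE):
        print(row)
```

Denied attempts are logged as well as permitted ones; for forensics the refused delete above is at least as interesting as the successful read. In a real deployment the entries would be shipped to storage the application cannot rewrite, and the auditor would verify the chain independently with the key.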
Slide 15: Standardization of security in Cloud Computing
It is still at an early stage; this is the time to shape and influence, and NIST is trying to take on that role. The main problem is Identity and Access Management, which will be different from the current solutions.
Slide 16: References
Amazon: http://s3.amazonaws.com/aws_blog/AWS_Secur
RSA Event 2009: http://www.vnunet.com/vnunet/news/2240794/rsa