Beruflich Dokumente
Kultur Dokumente
Focus on.
Cloud Computing Infrastructure
Security
Cloud Storage and Data Security
Identity Management in the Cloud
Security Management in the Cloud
Privacy
Audit and Compliance
Cloud Service Providers
Security as a Service
Impact of Cloud Computing
Impact
How are the following communities Impacted by the
Cloud?
Individual Customers
Individual Businesses
Start-ups
Small and Medium sized businesses
Large businesses
Governance
Five layers of governance for IT are Network, Storage
,Server, Services and Apps
For on premise hosting, organization has control over
Storage, Server, Services and Apps; Vendor and
organization have share control over networks
For SaaS model all layers are controlled by the vendor
For the IaaS model, Apps are controlled by the
organization, Services controlled by both while the
network, storage and server controlled by the vendor
For PaaS, Apps and Services are controlled by both while
servers, storage and network controlled by the vendor
Barriers
Security
Privacy
Connectivity and Open access
Reliability
Interoperability
Independence from CSP (cloud service provider)
Economic value
IR governance
Changes in IT organization
Political issues
Cloud Computing
Infrastructure Security
Infrastructure Security at the Network Level
Infrastructure Security at the Host Level
Infrastructure Security at the Application Level
Note: We will examine IaaS, PaaS and SaaS Security issues at
Network, Host and Application Levels
Cloud environment.
Dynamic nature of Cloud Computing (Elasticity)
brings new operational challenges from a security
management perspective.
CSP should focus on the following
SaaS and Paas Host Security
IaaS Host Security
Stealing keys used to access and manage hosts (SSH private keys)
Attacking unpatched, vulnerable services listening on standards ports
Hijacking Accounts that are not properly secured (weak/no passwords)
Attacking systems that are not properly secured by host firewalls
Deploying Torjans embedded in the s/w component in the VM
Mitigation
Sensitive/ Regulated data cannot be stored in a public
cloud.
(or) Encrypted data placed into the cloud for simple
storage.
Homomorphic encryption may be a solution in the future
At Host level
System log files
At Application Level
Cloud Storage
Data stored in cloud(Storage-as-a-Service) will refer
to IaaS and not associated with an application
running in cloud on PaaS and IaaS.
The Same 3 security concerns are associated with
data stored in cloud as with data stored else where
Confidentiality
Integrity
Availability
Confidentiali
ty
Key Management
Custom
er/CSP
Custom
er/CSP
Key Management
Custom
er/CSP
Custom
er/CSP
Integrit
y
Confidentiality doesnt mean Integrity (Consider 2 Aspects)
Data can be Encrypted for confidentiality, but for Integrity,
requires the use of Message Authentication Codes(MACs).
The Simplest way to use MACs is to use block symmetric
algorithm in CBC mode and include one-way hashing
function.
It is the one reason why Effective Key management is
difficult.
Cloud Customer ask CSP about Key Management?
If Customer had Bulk Storage using IaaS in Cloud, How
does he check for Integrity?
Soln : To validate data Integrity when data remains in
cloud (No downloading and reuploading)
i.e Transfer cost(Utilization of Bandwidth) and even he doesnt
know on which physical machines his data is stored.
Availability
Apart from Confidentiality and Integrity of
Customers data, we must also concern about the
Availability.
The 3 major Threats (all are familiar)
Availability w.r.t network-based Attacks
Availability @ CSP site (99.999%)
Availability w.r.t Backups
Why IAM?
IAM challenges
IAM definitions
IAM architecture and practice
Getting ready for the cloud
Relevant IAM standards and protocols for cloud
services
IAM practices in the cloud
Cloud authorization management
Why IAM
Improves Operational Efficiency and Regulatory
Compliance Management
IAM enables organizations to achieve Access
Control And Operational Security
Cloud use cases that need IAM
Organization employees accessing SaaS service
using identity federation
IT admin access CSP management console to
provision resources and access for users using a
corporate identity
Developers creating accounts for partner users in
PaaS
End uses access storage service in a cloud
Applications residing in a cloud serviced provider
IAM Challenges
Provisioning resources to users rapidly to accommodate
their changing roles (Employees, Contractors, partners,
etc.,) based on their responsibilities.
Handle turnover in an organization.
Turnover varies by industry and function, i.e., seasonal
staffing fluctuations in finance depts, mergers and
acquisitions, new product and service releases, business
process outsourcing and changing responsibilities.
As a result, sustaining IAM processes can turn into a
persistent challenge.
IAM Definitions
Authentication
Verifying the identity of a user, system or service
Authorization
Privileges that a user or system or service has after
being authenticated (e.g., access control)
Auditing
Exam what the user, system or service has carried
out
Check for compliance
IAM
Architecture
Authentication Management
Activities for the effective governance and
management of the process for determining
that an entity is who or what it claims to be
Authorization Management
Activities for the effective management of
the process for determining entitlement
rights that decide what resources an entity is
permitted to access in accordance with the
IAM Practice
IAM process consists of the following
Operational Activities:
Provisioning
Credential And Attribute Management
Entitlement Management
Compliance Management
Identity Federation Management
Centralization Of Authentication And
Authorization
IAM Practice
IAM process consists of the following
Operational Activities:
Provisioning
This is the process of on-boarding users to systems
and applications.
IT provide users with necessary access to data and
technology resources.
Provisioning can be thought of as a combination of
the duties of the human resources and IT
departments, where users are given access to data
repositories or systems, applications, and databases
based on a unique user identity.
Deprovisioning works in the opposite manner,
resulting in the deletion or deactivation of an
identity or of privileges assigned to the user
IAM Practice
IAM process consists of the following
Operational Activities:
Credential And Attribute Management
These processes are designed to manage the life
cycle of credentials and user attributescreate,
issue, manage, revoketo minimize the business risk
associated with identity impersonation and
inappropriate account use.
Credentials are usually bound to an individual and are
verified during the authentication process.
The processes include provisioning of attributes,
static (e.g., standard text password) and dynamic
(e.g., one-time password) credentials that comply
with a password standard (e.g., passwords resistant
to dictionary attacks), handling password expiration,
IAM Practice
IAM process consists of the following
Operational Activities:
Entitlement Management
Entitlements are also referred to as authorization
policies.
The processes in this domain address the provisioning
and deprovisioning of privileges needed for the user
to access resources including systems, applications,
and databases.
Proper entitlement management ensures that users
are assigned only the required privileges (least
privileges) that match with their job functions.
Entitlement management can be used to strengthen
the security of web services, web applications, legacy
applications, documents and files, and physical
IAM Practice
IAM process consists of the following
Operational Activities:
Compliance Management
This process implies that access rights and privileges
are monitored and tracked to ensure the security of
an enterprises resources.
The process also helps auditors verify compliance to
various internal access control policies, and standards
that include practices such as segregation of duties,
access monitoring, periodic auditing, and reporting.
An example is a user certification process that allows
application owners to certify that only authorized
users have the privileges necessary to access
business-sensitive information.
IAM Practice
IAM process consists of the following
Operational Activities:
Identity Federation Management
Federation is the process of managing the trust
relationships established beyond the internal network
boundaries or administrative domain boundaries
among distinct organizations.
A federation is an association of organizations that
come together to exchange information about their
users and resources to enable collaborations and
transactions (e.g., sharing user information with the
organizations benefits systems managed by a thirdparty provider).
Federation of identities to service providers will
support SSO to cloud services.
IAM Practice
IAM process consists of the following
Operational Activities:
Centralization Of Authentication And
Authorization
A central authentication and authorization
infrastructure alleviates the need for application
developers to build custom authentication and
authorization features into their applications.
Furthermore, it promotes a loose coupling
architecture where applications become agnostic to
the authentication methods and policies.
This approach is also called an externalization of
authN and authZ from applications.
Cloud Authorization
Management
Security Management
Standards
Security Manage3ment has to be carried out in
the cloud
Standards include ITIL (Information Technology
Infrastructure Library) and ISO 27001/27002
What are the policies, procedures, processes
and work instruction for managing security
Availability Management
SaaS availability
Customer responsibility: Customer must
understand SLA and communication methods
SaaS health monitoring
PaaS availability
Customer responsibility
PaaS health monitoring
IaaS availability
Customer responsibility
IaaS health monitoring
Privacy
Access
Compliance
Storage
Retention
Destruction
Audit and Monitoring
Privacy Breaches
US Regulations
International regulations
EU Directive
APEC Privacy Framework
Control Objectives
Security Policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations
management
Access control
Information systems acquisition,
Regulatory/External
Compliance
Sarbanes-Oxley Act
PCI DSS
HIPAA
COBIT
What is the impact of Cloud
computing on the above regulations?
Relevance to Cloud
Security as a Service
Email Filtering
Web Content Filtering
Vulnerability Management
Identity Management
Threats
Vested interest of cloud providers
Directions
Analysts predict that cloud
computing will be a huge growth
area
Cloud growth will be much higher
than traditional IT growth
Will likely revolutionize IT
Need to examine how traditional
solutions for IAM, Governance, Risk
Assessment etc will work for Cloud
Technologies will be enhanced (IaaS,