Feeling safe in the cloud
Pete Hickey
Université d’Ottawa
Everybody talks about clouds
Not all are happy
History of confusion
• 1967 The Saskatoon Connection
Joni Mitchell, 1967
I’ve looked at clouds from both sides now
From up and down
And still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Clouds
• Some people think that moving student email to Google/Microsoft is moving to the cloud.
• Much more than that.
Jean-Philippe’s mountain cloud
• Not everyone has the same idea
• Can’t see what is there.
What goes around comes around
• Early days, mainframes.
• Move to PCs and distributed processing
– At one time we had 37 Novell servers on campus
• Move to centralize
– Economics : economy of scale
– Manageability
• Move to the cloud is the same thing on a larger scale.
It will come
• Just because something is not a good fit does not stop us.
• Look at the Internet
– Not designed for how we use it
– We change in spite of the issues.
Clouds are attractive!
• Somebody Else’s Problem (SEP) is a condition where individuals, or populations of individuals, choose to distance themselves from an issue that may be in critical need of recognition.
• Everyone is offering cloud services
– Whatever you want, you can get it.
– You can even get things you don’t want.
Clouds are attractive!
• Can provide something you don’t have the resources for
• Broad network access
– Available from anywhere
– Accessible from any platform
• Can be provided FAST!
• Rapid elasticity.
Clouds are attractive!
• Reduce or eliminate need for YOUR tech support. Get rid of your skilled geeks
• Trust the company to provide the service.
Trust me!!!!!
New skillsets required!
• Contract negotiation more important!
• You must have a thorough understanding of your process/system
• You must have a thorough understanding of their system
• You must ensure everything is clear in the contract.
Replace your geeks with lawyers!
Planning is essential
• When providing something in-house, you can react to changes and unrealized needs.
• In theory, a project is well planned in advance.
• In reality, not always true.
“Let’s get it going, then fix it after.”
The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
—Feb. 12, 2002, US Department of Defense news briefing
Trust the company
• Everyone is getting into the cloud.
• Do you have confidence in the company’s ability to deliver the product?
• Or are they just getting the product out the door?
Areas of trust to consider
• The ability of the company to provide what you want
• The integrity of the employees of that company.
Trust People
• In general, people are trustworthy.
• Trust should make you think of this:
Trust
• Statistics tell us that the larger the population, the greater the number at the end of the bell curve.
• As we increase the size of the population we trust, the probability of an untrustworthy individual increases.
Trust
• Dataloss.org states that data loss is from:
– 22% inside, accidental
– 10% inside, malicious.
• Malicious insider is HIGH RISK
– Due to their access to sensitive data.
• You have more insiders
Trust
• In the past, we would trust our staff because we knew them.
• The cloud brings a new style of trust.
Trust by Contract!
Trust
• You can’t trust a population you don’t know.
• Get it in the contract!
• Job for the future “Cloud Contracting Engineer.”
Kinds of clouds
• IAAS Infrastructure as a Service. EG Amazon’s EC2
– Hardware provided for you
– Quick to create new machines
– Attractive for seasonal growth and un-growth.
– Attractive if space is expensive
– OS and hardware maintained for you.
Kinds of clouds
• PAAS Platform as a service.
– The OS and middleware there for you
– Develop custom applications without worrying about the rest.
Kinds of clouds
• SAAS Software as a service EG GoogleDocs, email
– Very rapid deployment.
– No maintenance/upgrades/patching.
• Just about everything imaginable is out
there
Kinds of clouds
• SAAS
• PAAS
• IAAS
• The lower you go in that list, the more of the security responsibility is yours.
• The higher you go, the more of it is theirs.
Things to think about
• Your neighbors
• Breaches
• Your data/processes
• Authentication
• Authorisation
• Monitoring
• Auditing
• E-discovery
Things to think about
• Image
• Physical Security
• DNS issues
• Laws/regulations
• Risk evaluation
• Business continuity
Welcome to my Neighborhood!
Your Neighbors
• In house, would you run your business systems on the same VMware cluster which has open student shell access?
• Why? Why not?
• Defense in depth?
Your Neighbors
• Do you know your neighbors?
• Do you care?
• Do you know how you are kept separate from them?
• First recognizable group to use IAAS were the spammers.
– Your neighbors may not be your friends
Breaches and attacks
• All the OWASP things still hold
• Other concerns as well
Breaches and attacks
• What if your neighbor is breached?
– Will you be notified?
• What if the cloud infrastructure is breached?
– Will you be notified?
• What about an attack from a neighbor?
• What does a vulnerability in VMware mean?
Collateral Damage
What if your neighbor is DoS attractive?
What if your neighbor is hacking attractive?
Collateral damage?
Know your data well!
Know your data?
• Understand what it is, and any regulations/laws
• Know how it may change
• Relatively easy with a database
• More difficult with something like GoogleDocs.
• Similar for processes
– People have a way of using things in a way which was never intended.
New exposure risks
• To the world
• Cloud employees
• Other cloud customers.
• Data or process changed
• Lack of access for a period of time
Where is your data?
• US? France? Japan? North Korea?
• Many only worry about data in US.
• Will it always stay where it is now?
• Do you have any way to verify?
Termination of contract.
• Intentional/unintentional
• Data retrieved?
• Data will be destroyed?
Destruction of data!
• Do you have a legal obligation to destroy data after X years?
• After being required to keep data for Y years, do you want to destroy it?
• What is in the cloud provider’s backups?
• Destruction of data should be a cloud supplier’s responsibility.
Backups/archives!
• Will you maintain your own as well?
• What is the effect of total loss of data?
– Careful about that locally
• All backups usually handled similarly
• Concerns about multiple cloud providers.
It has happened
SEP example
Who owns the data
E-discovery
• You?
• Them?
• What tools do you have?
• You and the provider SHOULD be aligned here.
Can the cloud use your data?
• For advertising?
• In advertising?
– Facebook using users’ pictures in ads.
Facebook picture
PCI-DSS
Gives some areas to think about
Build a secure network
• Existence of firewalls?
• Their network’s security is probably classified.
Do not use vendor supplied passwords
• Servers hardened?
• Not much to say here
• You HOPE!
PCI-DSS
Gives some areas to think about
Encryption
• Secure channels to data even more important.
• Can you store your data in the cloud with your own encryption?
– Could solve a lot of problems
• Can you encrypt it on your own?
• Can the provider provide the infrastructure to let you encrypt with your keys?
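The two questions above (encrypting with your own keys) and the earlier "Destruction of data" and "Backups/archives" slides are really one problem: if the provider only ever holds ciphertext, then destroying the key you hold also destroys every copy the provider kept, including backups you cannot reach. The Go program below is an added illustration of that pattern and is not from the talk or from any provider's SDK; the `Provider` type is a hypothetical in-memory stand-in for a cloud store with its own backups, the sample records are constructed, and a real deployment would keep `TenantKey` in your own KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TenantKey is the key YOU hold (in practice in your own KMS or HSM).
// The provider never sees it, so neither its staff, its other customers,
// nor its backups can read what it protects.
type TenantKey struct {
	key []byte // 32 bytes => AES-256
}

// NewTenantKey generates a fresh random key.
func NewTenantKey() (*TenantKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &TenantKey{key: k}, nil
}

// Destroy zeroises the key. This is "crypto-shredding": once the key is gone,
// every copy of the ciphertext, including backups you cannot reach, is unreadable.
func (k *TenantKey) Destroy() {
	for i := range k.key {
		k.key[i] = 0
	}
	k.key = nil
}

func (k *TenantKey) aead() (cipher.AEAD, error) {
	if len(k.key) == 0 {
		return nil, errors.New("tenant key has been destroyed")
	}
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func Seal(k *TenantKey, plaintext []byte) ([]byte, error) {
	aead, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on tampering or on a destroyed key.
func Open(k *TenantKey, blob []byte) ([]byte, error) {
	aead, err := k.aead()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Provider is a hypothetical cloud store. Like a real one it keeps backups
// that survive your Delete call and that you have no way to purge.
type Provider struct {
	live    map[string][]byte
	backups map[string][]byte
}

func NewProvider() *Provider {
	return &Provider{live: map[string][]byte{}, backups: map[string][]byte{}}
}

func (p *Provider) Put(name string, blob []byte) {
	p.live[name] = append([]byte(nil), blob...)
	p.backups[name] = append([]byte(nil), blob...) // provider-side backup copy
}

func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.live[name]; return b, ok }

// Delete removes the live copy only; the backup stays, as it typically would.
func (p *Provider) Delete(name string) { delete(p.live, name) }

func (p *Provider) RestoreFromBackup(name string) ([]byte, bool) { b, ok := p.backups[name]; return b, ok }

func main() {
	key, _ := NewTenantKey()
	p := NewProvider()
	records := []byte("student-id,grade\n12345,A") // constructed sample data
	blob, _ := Seal(key, records)
	p.Put("grades.csv", blob)
	stored, _ := p.Get("grades.csv")
	fmt.Println("provider can read plaintext:", bytes.Contains(stored, records))
	p.Delete("grades.csv")
	backup, _ := p.RestoreFromBackup("grades.csv")
	key.Destroy()
	_, err := Open(key, backup)
	fmt.Println("backup readable after shredding key:", err == nil)
}
```

The point to take to the contract negotiation is the last two lines of `main`: after `Delete` the provider still holds a backup, but because the key never left you, shredding it answers the "what is in the provider's backups?" question without needing the provider's cooperation. This only works if the provider's infrastructure genuinely lets you encrypt client-side with keys it never sees.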
PCI-DSS
Gives some areas to think about
Vulnerability management
• Ensure cloud provider does it
• How soon are patches applied?
PCI-DSS
Gives some areas to think about
Regularly monitor and test
• Logs? What can you see?
• What tools do you have?
• Raw data or canned reports?
• Can you increase details if necessary?
• Audit logs?
Monitor traffic
• Traffic blocked by firewall or unseen by the app may give an idea of threats.
• Do you have any idea of what is there that you don’t see?
Test and Monitor
• Pen testing and vulnerability scanning may be disallowed by contract.
– Other neighbors may view it as an attack
– Cloud provider may view it as an attack.
• Be PCI compliant by buying a PCI compliant service.
PCI-DSS
Gives some areas to think about
Policy
• Check their security policies
• Do you need cloud security policies?
– With SaaS (or any other) you may have users going out to the cloud without central approval
– Universities tend to be bad for this (eg Dropbox)
Authentication
“Who are you?”
Authentication
• Are accounts local or at the cloud provider?
– Tends to vary with size of system.
• Are you giving your cloud provider access to your credentials?
– Users tend to have similar passwords for multiple sites.
– Hint: think Shibboleth.
• If accounts are in the cloud, how are former employees’ accounts deleted?
Authentication
• What if laws/regulations require 2-factor authentication in the future?
Authentication
• Stolen credentials may be more of a risk
– Lack of defense in depth
• Compensate somehow
Administrative access
• How are admin accounts handled?
• Defense in depth: In house, VPN first.
• In the cloud everyone can poke.
• Essential to protect admin access!
• Can you see failed logon attempts?
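"Can you see failed logon attempts?" only matters if you can also do something with them. With no VPN in front of the admin login, the compensating control the previous slides ask for is to watch the provider's log for a burst of failures from one source and, above all, for a success that follows such a burst. The Go program below is an added example, not code from the talk or from any provider; the log format is hypothetical and the sample lines are constructed (addresses are from documentation ranges). It generalizes slightly beyond the slide by treating a success after a burst as its own finding, since that is the event that most likely means a stolen or guessed credential.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed record from a hypothetical admin-login log.
type LoginEvent struct {
	When   time.Time
	User   string
	Src    string
	Failed bool
}

// ParseLine expects the constructed format:
//   <RFC3339 time> LOGIN user=<name> src=<ip> result=<OK|FAIL>
func ParseLine(line string) (LoginEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 || fields[1] != "LOGIN" {
		return LoginEvent{}, fmt.Errorf("not a login record: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return LoginEvent{}, err
	}
	ev := LoginEvent{When: when}
	for _, f := range fields[2:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		case "result":
			ev.Failed = v == "FAIL"
		}
	}
	return ev, nil
}

// Finding is raised for a source that crosses the failure threshold ("burst")
// or that succeeds while still inside a burst ("success-after-burst").
type Finding struct {
	Src   string
	Count int
	Kind  string
}

// Detect walks the log in time order keeping a sliding window of failure
// timestamps per source IP. Malformed lines are skipped, not fatal.
func Detect(lines []string, threshold int, window time.Duration) []Finding {
	var events []LoginEvent
	for _, l := range lines {
		if ev, err := ParseLine(l); err == nil {
			events = append(events, ev)
		}
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })

	recent := map[string][]time.Time{} // src -> failure times inside the window
	var findings []Finding
	for _, ev := range events {
		cutoff := ev.When.Add(-window)
		kept := recent[ev.Src][:0]
		for _, t := range recent[ev.Src] {
			if !t.Before(cutoff) {
				kept = append(kept, t)
			}
		}
		recent[ev.Src] = kept
		if ev.Failed {
			recent[ev.Src] = append(recent[ev.Src], ev.When)
			if len(recent[ev.Src]) == threshold { // fire once, on crossing
				findings = append(findings, Finding{ev.Src, threshold, "burst"})
			}
		} else if len(recent[ev.Src]) >= threshold {
			findings = append(findings, Finding{ev.Src, len(recent[ev.Src]), "success-after-burst"})
		}
	}
	return findings
}

// SampleLog is constructed for this example; the addresses are documentation ranges.
var SampleLog = []string{
	"2024-05-01T10:00:01Z LOGIN user=admin src=203.0.113.7 result=FAIL",
	"2024-05-01T10:00:09Z LOGIN user=admin src=203.0.113.7 result=FAIL",
	"2024-05-01T10:00:20Z LOGIN user=root src=203.0.113.7 result=FAIL",
	"2024-05-01T10:00:31Z LOGIN user=admin src=203.0.113.7 result=FAIL",
	"2024-05-01T10:01:30Z LOGIN user=jsmith src=198.51.100.4 result=FAIL",
	"2024-05-01T10:01:45Z LOGIN user=jsmith src=198.51.100.4 result=OK",
	"2024-05-01T10:02:02Z LOGIN user=admin src=203.0.113.7 result=OK",
	"garbage line that is not a login record",
}

func main() {
	for _, f := range Detect(SampleLog, 4, 5*time.Minute) {
		fmt.Printf("%-15s %d failures within window: %s\n", f.Src, f.Count, f.Kind)
	}
}
```

Running it on the sample yields two findings for 203.0.113.7 (the burst, then the success that follows it) and nothing for 198.51.100.4, whose single typo-then-success is normal. Whether you can run anything like this at all depends on the answers to the "Regularly monitor and test" slide: raw log lines with timestamps and source addresses, not a canned report.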
Can you go back?
• If things go wrong?
• Move to another provider if theirs is better?
Business continuity
• Don’t forget it.
• May be more difficult if not planned.
DNS issues
• Phishing may be more of a threat.
• Yourname.cloud.com?
– How would outsiders see that?
• Reverse lookup?
How do you measure their security?
• Certifications, 3rd party audits
• Global Payments was PCI compliant March 29.
What about your image?
• What if the Armed Forces use cloud services?
• What if Canada Revenue Agency did?
If you would not feel good about them in the cloud, ask yourself “why?”
Previous examples of things gone wrong
• They can happen in-house as well
• Just be aware that they can also happen out there.
• It’s not a SEP… it’s YOUR problem.
Bottom line
• It’s all in the contract.
• You need a very good understanding of the data, processes and the systems.
• Advance planning is even more important.
• You probably still need your geek as an architect for your cloud contracting team.
Cloud contracting team!
“The flight here was spectacular. Like hovering all the way inside a jewel. We are the first generation to see the clouds from both sides.”
Saul Bellow, Henderson the Rain King
Trust me!!!!!