PMI Baltimore Chapter

CLOUD SECURITY: Concerns, Complications and Considerations
Dr. Susan Cole, CISSP, CCSK
scole@faculty.ctuonline.edu
Agenda
• What is it?
  • Definition
  • Deployment Models
  • Service Models
• Benefits
• Concerns
• Complications
• Risks
• Improvements
• Considerations
December 10, 2013
What is it? - Definition
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
(Grance and Mell, 2011)
What goes “into” the Cloud?
• Data/information
• Applications/functions/processes
What is it? - Definition
Essential Characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
(NIST and CSA, 2009)
What is it? – Deployment Models
• Private - operated solely for an organization.
• Community - shared by several organizations and supports a specific community that has shared concerns.
• Public - made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Hybrid - a composition of two or more clouds.
(NIST and CSA, 2009)
What is it? – Service Models
• Software as a Service (SaaS)
  • Delivers applications hosted on the cloud as internet-based services
  • Does not require installing apps on customers’ computers
  • Example: Salesforce
• Platform as a Service (PaaS)
  • Delivers platforms, tools and services
  • Without installing any of these platforms or support tools on local machines
  • Example: Google Apps
• Infrastructure as a Service (IaaS)
  • Delivers “computation resources,” network and storage as an internet-based service
  • Example: Amazon EC2
What is it? – Service Models
[Figure: service model diagram (CSA, 2009)]
Benefits
• Availability!
• Economic benefits!
  • Cost reduction
  • Scalable
  • Easier to collaborate (long-distance)
  • Small and mid-size business access to tech at lower prices
• There’s a chance security will be as good or better if the cloud provider is a quality service provider.
Benefits
Ways to Use the Cloud
• Social Media
• Business Applications
• Productivity Applications
• Email as a service
• Infrastructure
• Website hosting
• Storage
• Empower Mobile Devices (BYOD)
Benefits
Organization | Projected Savings | Service
City of Orlando | $262,500 per year | Email to Google
City of Pittsburgh | $100,000 per year | Email to Google
City of LA | $1.1 million per year | Email & Office to Google
Army | Cost down to $8M from $83M | Recruitment tracking platform (Army Experience Center)
NOAA (service not identified) | 50% lower cost to taxpayer | Email and calendar (service not identified)
Air Force (Personnel Services Delivery Transformation) | $4 million per year | Web self-service, incident management, customer surveys, analytics, knowledge management to RightNow
Source: http://info.apps.gov/content/state-and-local-cloud-computing-case-studies
Benefits
Organization | Area | Savings
DoD US Army Online Experience Center | Business App | Costs down to $8M for full licensing from $83M; 33% productivity gain; 30 times higher response rates
Federal Labor Relations Authority (FLRA) Case Management System | Business App | 88% reduction in total cost of ownership over a five-year period; eliminated up-front licensing cost of $273,000; reduced annual maintenance from $77,000 to $16,800
Social Security Administration (SSA) Online Answers Knowledge Base | Business App | Nearly 99% of 25M web self-service sessions handled without agent intervention
NASA Jet Propulsion Lab (JPL) Cassini | Infrastructure | Processing costs totaled less than $200, compared to the thousands required to maintain in-house systems
Source: http://cloud.cio.gov/step-step/cloud-computing-success-stories
Benefits
Organization | Area | Savings
DoD DISA GIG Content Delivery Service | Infrastructure | A DISA customer avoided installation of 500 servers worldwide by using GCDS; offload up to 90% of the hits from data center infrastructure
USDA Cloud email | Email as a service | Reduced mail messaging costs to less than $8 a month per user; once fully operational, USDA expects to save $6 million per year compared to legacy system costs
NOAA Cloud email | Email as a service | 50% lower cost to taxpayer
DOT Office of Comptroller of the Currency (OCC) Vulnerability Assessment System | Productivity App | 458% increase in scanning; reduction in per-scan cost from $99.34 to $13.66; 12% increase in detection; eliminated 3 hardware and software platforms, reducing the number of scanners to one
Source: http://cloud.cio.gov/step-step/cloud-computing-success-stories
Benefits
Organization | Area | Savings
Benefits.gov Hybrid Cloud Implementation | Website Hosting | Initially, a 60% reduction in costs due to a discount provided by USDA
Bureau of Engraving and Printing Public-Facing Website | Website Hosting | Reduced infrastructure costs from $800,000 to $1,550
Source: http://cloud.cio.gov/step-step/cloud-computing-success-stories
Concerns
• Migration costs
• Additional training for staff
• New monitoring systems
(Ashford, 2012)
Concerns
Security is “arguably the most significant barrier to faster and more widespread adoption of cloud computing.”
(Chen, et al, 2010)
Concerns
Shared Risks
• Outsourcing security to a 3rd party = loss of control
• Coexistence of different tenants using the same instance of a service, each unaware of the strength of the others’ security controls
• Lack of security guarantees in SLAs
• Hosting on publicly available infrastructure increases the probability of attacks
Concerns
Shared Risks
• “Cloud providers’ priorities do not always align with the customer’s objectives.”
  • Self-preservation
  • Reporting to customer or externally…
• Is your cloud provider using services from yet another cloud provider?
• Need to protect not only data… but activity patterns
  • Possible reverse engineering by others in the cloud to find out customer base, revenue, etc.
Concerns
Shared Risks
• Auditability in the cloud…
  • Already required for banking and health sectors
  • Should be “mutual” for provider and customer
• “Sharing of resources violates the confidentiality of tenants’ IT assets which leads to the need for secure multitenancy.”
(Morsey, et al, 2010)
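What "secure multitenancy" comes down to in code, as an added example that is not part of the original slides: a constructed SQLite store holds records for two tenants on one shared service instance; a lookup that trusts the record id alone is shown beside one that scopes every query by the caller's tenant. Table, tenant names and row contents are constructed for this example.

```python
import sqlite3

# Constructed sample data: two tenants sharing one database instance,
# the "same instance of service" situation the slide describes.
SAMPLE_ROWS = [
    (1, "tenant-a", "tenant A payroll export"),
    (2, "tenant-b", "tenant B customer list"),
]

def build_store() -> sqlite3.Connection:
    """Create an in-memory shared store and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def fetch_document_unscoped(conn: sqlite3.Connection, doc_id: int):
    """Weak lookup: trusts the record id alone, so a request from one tenant
    that names another tenant's id is answered with that tenant's data."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?",
                       (doc_id,)).fetchone()
    return row[0] if row else None

def fetch_document_scoped(conn: sqlite3.Connection, caller_tenant: str,
                          doc_id: int):
    """Hardened lookup: the caller's tenant (taken from the authenticated
    session, never from the request body) is part of every predicate, so an
    id that belongs to another tenant simply does not match."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, caller_tenant),
    ).fetchone()
    return row[0] if row else None

def demo():
    """What tenant A sees when it asks for tenant B's record (id 2)
    under each lookup: (leaked_body, isolated_body)."""
    conn = build_store()
    return (fetch_document_unscoped(conn, 2),
            fetch_document_scoped(conn, "tenant-a", 2))

if __name__ == "__main__":
    leaked, isolated = demo()
    print("unscoped lookup returned:", leaked)    # tenant B customer list
    print("scoped lookup returned:", isolated)    # None
```

The same tenant predicate has to be applied on every path that touches shared data (list, update, delete), not only on reads, and the tenant value must come from the authenticated identity rather than from anything the client supplies.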
Complications
BYOD
• Can’t avoid!
• Saves $ if employees provide devices
• Single device solution
  • No need to carry multiple devices
• Improves morale
• Increases productivity
  • Employees willing to work after-hours; always connected
• Federal agencies have pilot BYOD programs
  • NSA (mobile for classified, but not BYOD yet)
  • NIST 800-124
Complications
[Chart: Penetration of Mobile Devices by Ownership (Osterman, 2012)]
Complications
• Beyond the device…
  • What does access with a device like this mean?
• Next generation has to have technology tools!
  • Recruitment
Complications
[Chart (Osterman, 2012)]
Risks
• Application control
• Data loss
• Labor laws
• Privacy issues
• Regulatory requirements
• Lost and stolen devices
• Data recovery
• Expectation of cloud providers to manage security
Risks
[Figure (CSA, 2009)]
Improvements
• Cloud is becoming more secure
  • FedRAMP
  • Cloud Security Alliance
    • STAR
  • Cloud Service Providers
    • Built in versus added on
Improvements
• Standards and Regulations
  • http://cloud.cio.gov/action/manage-your-cloud
  • 25 Point Implementation Plan to Reform Information Technology Management
    • Download: http://cloud.cio.gov/document/25-pointimplementaton-plan-reform-information-technologymanagement
  • Federal Cloud Computing Strategy
    • Download: http://cloud.cio.gov/document/federal-cloudcomputing-strategy
  • Federal IT Shared Services Strategy
    • Download: http://cloud.cio.gov/document/federal-it-sharedservices-strategy
Improvements
• Federal Data Center Consolidation Initiative (FDCCI)
  • https://cio.gov/deliver/data-center-consolidation/
• Developments that could affect cloud security:
  • Legislation
  • TPM chips
  • Self-Encrypting Drives (SEDs)
Considerations
• Identity Management
• Remote Management
• Virtualization
• Data-at-Rest
• Portability
Considerations
How to Apply Security
1. Determine what needs to go (data and/or functions)
2. Evaluate importance to organization
3. Evaluate deployment models
4. Evaluate service models
5. Evaluate cloud provider
(CSA, 2009)
Considerations
Three Options
1. Accept whatever assurances the service provider offers
2. Evaluate the service provider yourself
3. Use a neutral 3rd party to conduct a security assessment
The cloud provider should perform regular security assessments and provide reports to their clients.
Considerations
Security Assessments
“Traditional service providers submit to external audits and security certifications, providing their customers with information on the specific controls that were evaluated. A cloud-computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.”
(Heiser and Nicolett, 2008)
Considerations
How to Take Control
• Decide what (data and/or functions) should be migrated to the cloud…
  • Cost/benefit analysis: not all are good choices
  • Risk assessment
• Investigate the physical security of where data will be housed…
• Encrypt
Considerations
How to Take Control
• Schedule a monthly meeting with security personnel of the cloud provider.
• Employ legal experts (experienced with “cloud”) early to formulate the contract.
  • Much easier than bringing in lawyers after the fact to fight
• Get definitions and procedures outlined in advance… (incidents, disasters, etc.)
References and Background Info
References
Almond, Carl. (2009). “A Practical Guide to Cloud Computing Security: What you need to know now about your business and cloud security.” Avanade Inc.
Al Morsey, M., Grundy, J., and I. Muller. (2010). “An Analysis of The Cloud Computing Security Problem.” APSEC 2010 Cloud Workshop, Sydney, Australia.
Ashford, W. (2012). “Cloud Computing: Could it Cost More?” TechTarget. http://www.computerweekly.com/news/2240163197/Cloud-computing-Could-it-cost-more
Ashford, W. (2011). “Self-encrypting drives: SED the best-kept secret in hard drive encryption security.” TechTarget. http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security
Avanade (2012). “Global Survey: Dispelling Six Myths of Consumerization of IT.” http://www.avanade.com/Documents/Resources/consumerization-of-it-executive-summary.pdf
Chen, Y., Paxson, V., and R. Katz. (2010). “What’s New About Cloud Computing Security?” Electrical Engineering and Computer Sciences, University of California at Berkeley.
Cloud Security Alliance (CSA) (2009). “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1.”
Cox, P. (2010). “Remote management threatens Infrastructure as a Service security.” TechTarget. http://searchcloudcomputing.techtarget.com/tip/How-to-use-Infrastructure-as-a-Service-securely-part-2
Grance, T. and P. Mell (2011). “The NIST Definition of Cloud Computing (Draft).” NIST Special Publication 800-145 (Draft).
Heiser, J. and M. Nicolett. (2008). “Assessing the Security Risks of Cloud Computing.” Gartner.
Hess, K. (2012). “BYOD busted? It's OK we know you're doing it.” ZDNet. http://www.zdnet.com/blog/consumerization/byodbusted-its-ok-we-know-youre-doing-it/169
Holland, K. (2011). “Pros and Cons of Cloud Computing.” Beckon. http://www.thebeckon.com/pros-and-cons-of-cloudcomputing/
Iyengar, G. (2011). “Cloud Computing – Maze in the Haze.” SANS: GIAC (GSEC) Gold Certification Paper.
Jacobs, D. (2013). “The TPM chip: An unexploited resource for network security.” TechTarget. http://searchnetworking.techtarget.com/tip/The-TPM-chip-An-unexploited-resource-for-network-security
Mimosa, M. (2012). “TPM Chip in Windows 8 Lays Foundation for Widespread Enhancements to Hardware-Based Security.” Threatpost. http://threatpost.com/en_us/blogs/tpm-chip-windows-8-lays-foundation-widespread-enhancements-hardware-basedsecurity-102612
Osterman (2012), sponsored by Accellion. “Putting IT Back in Control of BYOD: An Osterman Research White Paper.”
Reed, J. (2010). “Following Incident into the Cloud.” SANS: GIAC (GCIH) Gold Certification Paper.
Rouse, M. (2012). “Identity as a Service.” TechTarget. http://searchconsumerization.techtarget.com/definition/identity-as-aService-IDaaS
Sinclair, J. (2010). “Auditing in Cloud Computing.” SAP Research. http://www.slideshare.net/jonathansinclair86/cloudauditing
Tutti, C. (2011). “NIST Cloud Roadmap: Too much too fast?” Federal Computer Week.
Vizard, M. (2012). “The Keys to the Cloud Security Kingdom.” IT Business Edge. http://www.itbusinessedge.com/cm/blogs/vizard/the-keys-to-the-cloud-securitykingdom/?cs=49788&utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+MikeVizard+%28Mike+Vizard%29
Winkler, V. (2011). “Cloud Computing: Virtual Cloud Security Concerns.” TechNet. http://technet.microsoft.com/enus/magazine/hh641415.aspx