cloud security - reality or illusion
Post on 21-Apr-2017
Cloud Security: Reality or Illusion
By: Srinivas Thimmaiah
Date: 11 Mar 2017
Srinivas Thimmaiah | Cloud Security | 11 Mar 2017
About me
A seasoned Information Security professional, speaker and blogger with 13+ years of rich and insightful work experience in the areas of Information Security Assurance, Governance, Risk Management, BCM, Supplier Management, Awareness, IT Security and operational excellence, and in influencing team members and management.
CISM and ISO 27001 certified, Cisco certified, experienced Information Security and IT Security professional.
Agenda
Cloud Ecosystem
  What is cloud computing
  Cloud services
  Deployment models
Cloud adoption trends 2017
Cloud Risks
Conclusion
Cloud Ecosystem
Cloud computing is the delivery of computing services—servers, storage, databases, networking, software, analytics and more—over the Internet (“the cloud”).
Source: Microsoft
Cloud Ecosystem
Characteristics of Cloud Computing
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Cloud Ecosystem
Cloud Service Models
IaaS (host) - Infrastructure as a Service: compute, storage and IT infrastructure delivered as a service, rather than as dedicated capability
PaaS (build) - Platform as a Service: an application platform or middleware delivered as a service, on which developers can build and deploy custom applications
SaaS (consume) - Software as a Service: end-user applications delivered as a service rather than as on-premises software
Cloud Ecosystem
Cloud Deployment Models
Public
Private
Community
Hybrid
Cloud Ecosystem
Cloud Deployment Models: Public
Provisioned for use by the general public
Exists on the premises of the cloud provider
May be owned and managed by a business, a government, or a combination of these
Example public cloud providers shown on the slide: Zoho, Salesforce, Microsoft, Amazon, Yahoo, Rackspace
Cloud Ecosystem
Cloud Deployment Models: Private
Provisioned for a single organization
May exist on or off site
May be managed by the organization or outsourced
Cloud Ecosystem
Cloud Deployment Models: Community
Provisioned for exclusive use by a specific community of organizations
May be managed by one or more of the community organizations, or outsourced
Cloud Ecosystem
Cloud Deployment Models: Hybrid
Combination of two or more distinct cloud infrastructures (the slide shows an organization using a private cloud together with a public cloud)
Cloud adoption trends of 2017
Source: RightScale 2016 State of the Cloud Report
[Bar chart of cloud adoption by deployment model; values shown on the slide: Public Cloud 88%, 89%, 89%; Private Cloud 63%, 77%, 72%; Hybrid Cloud 58%, 71%, 67%; Any Cloud 93%, 95%, 95%]
Cloud Risks
Risk categories:
Policy & Organization Risks
Technical Risks
Legal Risks
Generic Risks
Source: csaguide
Cloud Risks
Policy & Organization risks
Lock-in
Loss of governance
Compliance challenges
Loss of business reputation due to co-tenant activities
Cloud service termination or failure
Cloud provider acquisition
Supply chain failure
Source: csaguide
Cloud Risks
Technical risks
Resource exhaustion (under- or over-provisioning)
Isolation failure
Cloud provider malicious insider – abuse of high-privilege roles
Management interface compromise (manipulation, availability of infrastructure)
Intercepting data in transit
Insecure or ineffective deletion of data
Data leakage on upload/download and intra-cloud
Distributed denial of service (DDoS)
Economic denial of service (EDoS)
Loss of encryption keys
Undertaking malicious probes or scans
Compromise of server engine
Source: csaguide
Cloud Risks
Legal risks
Risk from changes of jurisdiction
Licensing risks
Data protection risks
Subpoena and e-discovery
Source: csaguide
Cloud Risks
Generic risks
Modifying network traffic
Privilege escalation
Loss or compromise of security logs
Network management (i.e., network congestion, mis-connection, non-optimal use)
Backup lost or stolen
Unauthorized access to premises
Natural disaster
Theft of computer equipment
Network breaks
Social engineering attacks
Loss or compromise of operational logs
Source: csaguide
Conclusion
Effective onboarding process
Vendor analysis
Risk management
Contract management
Justification for cloud adoption
Re-visit the services
Monitoring the services
Source: From Body to Spirit; From Illusion to Reality