Posted: 11-Oct-2015
Cloud Computing: Finding the Silver Lining
Steve Hanna, Juniper Networks
Agenda
What is Cloud Computing?
Security Analysis of Cloud Computing
Conclusions
Cloud Computing Defined
Dynamically scalable shared resources accessed over a network
Only pay for what you use
Shared internally or with other customers
Resources = storage, computing, services, etc.
Internal network or Internet
Notes
Similar to timesharing
Rent IT resources vs. buy
New term; definition still being developed
[Figure: Conventional data center model. Office users on the enterprise LAN and remote users over the Internet reach data and applications in the enterprise's own data center.]
[Figure: Cloud computing model. Office users and remote users reach applications and data hosted at the cloud provider over the Internet; Enterprise 1 is one of the provider's customers.]
Many Flavors of Cloud Computing
SaaS (Software as a Service): network-hosted application
DaaS (Data as a Service): customer queries against the provider's database
PaaS (Platform as a Service): network-hosted software development platform
IaaS (Infrastructure as a Service): provider hosts customer VMs or provides network storage
IPMaaS (Identity and Policy Management as a Service): provider manages identity and/or access control policy for the customer
NaaS (Network as a Service): provider offers virtualized networks (e.g. VPNs)
[Figure: Cloud computing providers arranged by layer. Infrastructure: NaaS, IaaS (DC/server). Software & Data: DaaS, SaaS, PaaS. IPM: IPMaaS.]
Cloud Computing Pros and Cons
Who's using Clouds today?
Example: Mogulus
Mogulus is a live broadcast platform on the internet (cloud customer).
Producers can use the Mogulus browser-based Studio application to create live, scheduled and on-demand internet television to broadcast anywhere on the web through a single player widget.
Mogulus is entirely hosted on cloud (cloud provider).
On election night Mogulus ramped to 87,000 videos @ 500 kbps = 43.5 Gbps
http://www.mogulus.com
Example: Animoto
Animoto is a video rendering & production house with service available over the Internet (cloud customer).
With their patent-pending technology and high-end motion design, each video is a fully customized orchestration of user-selected images and music in several formats, including DVD.
Animoto is entirely hosted on cloud (cloud provider).
Released Facebook app: users were able to easily render their photos into MTV-like videos
Ramped from 25,000 users to 250,000 users in three days
Signing up 20,000 new users per hour at peak
Went from 50 to 3,500 servers in 5 days
Two weeks later scaled back to 100 servers
http://www.animoto.com
Example: New York Times
TimesMachine is a news archive of the NY Times available in PDF over the Internet to newspaper subscribers (cloud customer).
TimesMachine is entirely hosted on cloud (cloud provider).
TimesMachine needed infrastructure to host several terabytes of data
Internal IT rejected due to cost
Business owners got the data up on cloud for $50 over one weekend
http://timesmachine.nytimes.com
Example: Eli Lilly
Eli Lilly is the 10th largest pharmaceutical company in the world (cloud customer).
Moved entire R&D environment to cloud (cloud provider).
Results: reduced costs; global access to R&D applications; rapid transition due to VM hosting
Time to deliver new services greatly reduced:
New server: 7.5 weeks down to 3 minutes
New collaboration: 8 weeks down to 5 minutes
64-node Linux cluster: 12 weeks down to 5 minutes
Who's using Clouds today?
Startups & small businesses: can use clouds for everything (SaaS, IaaS, collaboration services, online presence)
Mid-size enterprises: can use clouds for many things (compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools)
Large enterprises: more likely to have hybrid models where they keep some things in house; on-premises data for legal and risk management reasons
Agenda
What is Cloud Computing?
Security Analysis of Cloud Computing
Conclusions
Information Security Risk Management Process (ISO 27005)
Establish context
Risk assessment:
  Identify risks: identify assets, identify threats, identify existing controls, identify vulnerabilities, identify consequences
  Estimate risks
  Evaluate risks
Develop risk treatment plan: reduce, retain, avoid, or transfer risks
Risk acceptance
Implement risk treatment plan
Monitor and review risks
Streamlined Security Analysis Process
Identify assets: which assets are we trying to protect? What properties of these assets must be maintained?
Identify threats: what attacks can be mounted? What other threats are there (natural disasters, etc.)?
Identify countermeasures: how can we counter those attacks?
Appropriate for organization-independent analysis: we have no organizational context or policies
Identify Assets
[Figure: Conventional data center model, repeated. Office users on the enterprise LAN and remote users over the Internet reach data and applications in the enterprise data center.]
[Figure: Cloud computing model, repeated with two customers. Enterprise 1 and Enterprise 2 both reach applications and data hosted at the same cloud provider over the Internet.]
Identify Assets
Customer Data
Customer Applications
Client Computing Devices
Information Security Principles (CIA Triad)
Confidentiality: prevent unauthorized disclosure
Integrity: preserve information integrity
Availability: ensure information is available when needed
Identify Assets & Principles
Customer Data: confidentiality, integrity, and availability
Customer Applications: confidentiality, integrity, and availability
Client Computing Devices: confidentiality, integrity, and availability
Identify Threats
[Figure: Cloud computing model with Enterprise 1 and Enterprise 2 sharing the cloud provider, repeated as the backdrop for threat identification.]
Identify Threats
Failures in Provider Security
Attacks by Other Customers
Availability and Reliability Issues
Legal and Regulatory Issues
Perimeter Security Model Broken
Integrating Provider and Customer Security Systems
Failures in Provider Security
Explanation: the provider controls servers, network, etc.; the customer must trust the provider's security; failures may violate CIA principles
Countermeasures: verify and monitor the provider's security
Notes: outside verification (e.g. an independent audit) may suffice; for SMBs, provider security may exceed customer security
Attacks by Other Customers
Threats: provider resources (CPU, storage, network) are shared with untrusted parties; customer data and applications must be separated; failures will violate CIA principles
Countermeasures: hypervisors for compute separation; MPLS, VPNs, VLANs, firewalls for network separation; cryptography (strong); application-layer separation (less strong)
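The slide ranks cryptography as the strong separation and application-layer separation as the weaker one. The following Python is an added illustration of why, not code from the slides: a multi-tenant record store in which the tenant check lives only in application code (WeakStore, which selects a row by record ID and never enforces the tenant from the request) beside one where the tenant comes from the authenticated session and is part of the row key (HardenedStore), with a per-tenant HMAC binding each record to its owner underneath both. The store classes, the bind/verify helpers, the hard-coded master key and the two sample records are all constructed for this example; the binding gives integrity of the tenant association, not confidentiality, so encrypting the data under the tenant key would be the next layer.

```python
"""Tenant separation: application-layer lookup beside a cryptographic
tenant binding. Added example; stores, keys and records are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


class CrossTenantAccess(Exception):
    """Raised when a tenant reaches for a record that is not theirs."""


@dataclass(frozen=True)
class Record:
    tenant_id: str
    record_id: str
    data: bytes
    tag: bytes  # HMAC over (tenant_id, record_id, data) under the owner's key


# Constructed master key for illustration only. In a deployment this lives in
# a KMS/HSM and per-tenant keys are derived or wrapped there, never hard-coded.
MASTER_KEY = b"constructed-master-key-for-illustration-only"


def tenant_key(tenant_id: str) -> bytes:
    """Per-tenant subkey: one-step HMAC derivation labelled by tenant id."""
    return hmac.new(MASTER_KEY, b"tenant-key|" + tenant_id.encode(),
                    hashlib.sha256).digest()


def _binding_message(tenant_id: str, record_id: str, data: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    out = b""
    for field in (tenant_id.encode(), record_id.encode(), data):
        out += len(field).to_bytes(4, "big") + field
    return out


def bind(tenant_id: str, record_id: str, data: bytes) -> Record:
    """Create a record whose tag ties it to tenant_id."""
    tag = hmac.new(tenant_key(tenant_id),
                   _binding_message(tenant_id, record_id, data),
                   hashlib.sha256).digest()
    return Record(tenant_id, record_id, data, tag)


def verify(session_tenant: str, rec: Record) -> bool:
    """Recompute the tag under the caller's key; a foreign record fails."""
    expected = hmac.new(tenant_key(session_tenant),
                        _binding_message(session_tenant, rec.record_id, rec.data),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, rec.tag)


class WeakStore:
    """Application-layer separation only: the row is selected by record_id,
    and the tenant named in the request is never enforced in the lookup."""

    def __init__(self):
        self._rows = {}  # record_id -> Record

    def put(self, rec: Record) -> None:
        self._rows[rec.record_id] = rec

    def fetch(self, requested_tenant: str, record_id: str) -> Record:
        return self._rows[record_id]  # requested_tenant ignored: cross-tenant read


class HardenedStore:
    """Tenant comes from the authenticated session and is part of the row key,
    so another tenant's record is unreachable rather than merely filtered."""

    def __init__(self):
        self._rows = {}  # (tenant_id, record_id) -> Record

    def put(self, rec: Record) -> None:
        self._rows[(rec.tenant_id, rec.record_id)] = rec

    def fetch(self, session_tenant: str, record_id: str) -> Record:
        rec = self._rows.get((session_tenant, record_id))
        if rec is None:
            raise CrossTenantAccess(f"{session_tenant} has no record {record_id}")
        return rec


def read(store, session_tenant: str, record_id: str) -> bytes:
    """Defence in depth: application-layer lookup, then the cryptographic check."""
    rec = store.fetch(session_tenant, record_id)
    if not verify(session_tenant, rec):
        raise CrossTenantAccess(f"record {record_id} is not bound to {session_tenant}")
    return rec.data


def attempt_read(store, session_tenant: str, record_id: str):
    """Return ('ok', data) or ('denied', reason) so the outcome can be logged."""
    try:
        return ("ok", read(store, session_tenant, record_id))
    except (CrossTenantAccess, KeyError) as exc:
        return ("denied", str(exc))


def build_stores():
    """Constructed sample: two tenants, one record each, in both store kinds."""
    records = [bind("acme", "inv-1", b"acme invoice"),
               bind("globex", "inv-2", b"globex invoice")]
    weak, hard = WeakStore(), HardenedStore()
    for rec in records:
        weak.put(rec)
        hard.put(rec)
    return weak, hard
```

Against the weak store, tenant acme can fetch inv-2, which belongs to globex; the HMAC check in read() rejects it because the tag does not verify under acme's key. Against the hardened store the same request never finds a row. The binding only catches mis-attribution of whole records; it does not stop the weak store from handing the bytes to code that skips verify(), which is why the slide still rates the hypervisor and network controls, and encryption of the data itself, above application-layer checks.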
Availability and Reliability Issues
Threats: clouds may be less available than in-house IT; complexity increases the chance of failure; clouds are prominent attack targets; Internet reliability is spotty; shared resources may provide attack vectors. BUT cloud providers focus on availability.
Countermeasures: evaluate provider measures to ensure availability; monitor availability carefully; plan for downtime; use public clouds for less essential applications
Legal and Regulatory Issues
Threats: laws and regulations may prevent cloud computing; requirements to retain control; certification requirements not met by the provider; geographical limitations (e.g. EU data privacy); new locations may trigger new laws and regulations
Countermeasures: evaluate legal issues; require provider compliance with laws and regulations; restrict geography as needed
Perimeter Security Model Broken
[Figure: Perimeter security model. The enterprise LAN and its data center (data, applications) sit inside a "Safe Zone"; office users are inside it, remote users reach it over the Internet.]
[Figure: Perimeter security with cloud computing? Office users and remote users reach applications and data at the cloud provider over the Internet, shared with Enterprise 1 and Enterprise 2; no safe zone encloses the cloud.]
Perimeter Security Model Broken
Threats:
Including the cloud in your perimeter lets attackers inside the perimeter and prevents mobile users from accessing the cloud directly
Not including the cloud in your perimeter means essential services aren't trusted and there are no access controls on the cloud
Countermeasures: drop the perimeter model!
Integrating Provider and Customer Security
Threat: disconnected provider and customer security systems; a fired employee retains access to the cloud; misbehavior in the cloud is not reported to the customer
Countermeasures: at least, integrate identity management with consistent access controls; better, integrate monitoring and notifications
Notes: can use SAML, LDAP, RADIUS, XACML, IF-MAP, etc.
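An added example of the "at least, integrate identity management" countermeasure, not from the slides: a Python reconciliation that compares a directory export (what the customer's LDAP or SAML identity provider would report) with an account listing from the cloud provider, and flags the fired employee who still holds cloud access, accounts the directory has never heard of, and roles that no directory group entitles. IDP_DIRECTORY, CLOUD_ACCOUNTS and ROLE_ENTITLEMENTS are constructed data and the function names are assumptions for illustration; in practice the two inputs come from the IdP and the provider's account API, and the job runs on a schedule and on every deprovisioning event so the gap between "identity disabled" and "cloud account disabled" is measured in minutes, not weeks.

```python
"""Reconcile the customer's identity source of truth with accounts at the
cloud provider. Added example; all data below is constructed."""

# Constructed directory export (what an LDAP/SAML IdP would report).
# status "disabled" means the person has left or been terminated.
IDP_DIRECTORY = {
    "alice": {"status": "active",   "groups": {"dev", "cloud-admin"}},
    "bob":   {"status": "disabled", "groups": {"dev"}},   # terminated last week
    "carol": {"status": "active",   "groups": {"dev"}},
}

# Constructed listing from the provider's account/IAM API.
CLOUD_ACCOUNTS = [
    {"user": "alice",      "roles": {"admin"}},
    {"user": "bob",        "roles": {"developer"}},           # still active at the provider
    {"user": "carol",      "roles": {"admin", "developer"}},  # admin never granted in the IdP
    {"user": "svc-backup", "roles": {"storage-reader"}},      # no directory entry at all
]

# Customer access policy: each cloud role and the directory group that
# entitles it. This is the "consistent access controls" shared by both sides.
ROLE_ENTITLEMENTS = {
    "admin": "cloud-admin",
    "developer": "dev",
    "storage-reader": "dev",
}


def reconcile(idp, cloud, entitlements):
    """Return (kind, user, detail) findings in cloud-listing order.

    kinds: orphaned_access  - identity disabled, provider account still live
           unknown_account  - account exists only at the provider
           excess_privilege - role held without the entitling group
    """
    findings = []
    for acct in cloud:
        user = acct["user"]
        entry = idp.get(user)
        if entry is None:
            findings.append(("unknown_account", user, sorted(acct["roles"])))
            continue
        if entry["status"] != "active":
            # The fired-employee case: the IdP knows, the provider was never told.
            findings.append(("orphaned_access", user, sorted(acct["roles"])))
            continue
        for role in sorted(acct["roles"]):
            required_group = entitlements.get(role)
            if required_group is None or required_group not in entry["groups"]:
                findings.append(("excess_privilege", user, role))
    return findings


def remediation_plan(findings):
    """Translate findings into the actions a deprovisioning job would take."""
    actions = []
    for kind, user, detail in findings:
        if kind in ("orphaned_access", "unknown_account"):
            actions.append(f"disable cloud account {user} (roles {', '.join(detail)})")
        elif kind == "excess_privilege":
            actions.append(f"remove role {detail} from {user}")
    return actions


if __name__ == "__main__":
    for line in remediation_plan(reconcile(IDP_DIRECTORY, CLOUD_ACCOUNTS, ROLE_ENTITLEMENTS)):
        print(line)
```

The check is deliberately one-directional: it walks the provider's listing, because the risk the slide names is access that survives at the provider after the customer revoked it. Federating logins through SAML removes the orphan case for interactive users (a disabled IdP identity can no longer obtain an assertion), but service accounts and provider-local users such as svc-backup are exactly what federation misses, so the reconciliation still earns its place alongside it.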
Agenda
What is Cloud Computing?
Security Analysis of Cloud Computing
Conclusions
Bottom Line on Cloud Computing Security
Engage in the full risk management process for each case
For small and medium organizations: cloud security may be a big improvement! Cost savings may be large (economies of scale)
For large organizations: already have large, secure data centers; main sweet spots are elastic services and Internet-facing services
Employ the countermeasures listed above
Security Analysis Skills Reviewed Today
Information Security Risk Management Process: variations used throughout the IT industry (ISO 27005, NIST SP 800-30, etc.); requires thorough knowledge of threats and controls; bread and butter of InfoSec, learn it! Time-consuming but not difficult
Streamlined Security Analysis Process: many variations (RFC 3552, etc.); requires thorough knowledge of threats and controls; useful for organization-independent analysis; practice this on any RFC or other standard; become able to do it in 10 minutes
Discussion
This slide speaks to Juniper's unique position and value to the customer: why we do policy and control, and ultimately can offer an end-to-end experience better than anyone else.
We have infrastructure smarts in our DNA; we know what it means to build and support carrier-grade networks. We have an intelligent IP-based control plane and standards-based interop with 3rd-party access equipment.
The Session and Resource Control portfolio leverages the smarts in the network: it uses the network as the database for resource availability and state information. This is something that OSS vendors with P&C solutions don't do, or don't do well. We mine the network for info in real time, and use that info to ensure that resources exist to support subscriber- and application-driven requests with quality. SRCs can modify network behavior and pre-allocate resources to ensure the highest quality experience. Also, via the open northbound interfaces, they can ensure that the apps get the network-layer support they need; remember the apps are network-unaware, they assume infinite network resources exist. It's the SRCs that provide the mediation and control on a per-subscriber, per-session basis to make sure the network supports the customer experience.
Also, we add the security portfolio into the mix: we need to secure the control plane between the network, the policy layer and the service. We can also leverage that integration to take policy-based actions based on real-time security events.