CLOUD COMPUTING

Congruent and Converging Forces

that compete

If you accept
There is an unquenchable thirst for
collaboration and sharing
We can work anywhere at any time highly
mobile workforce
You can work wherever you are at home,
traveling, etc.

Then
How do we achieve mission assurance on the same
network?
How do we ensure the network is there when we
need it?
What approach should we take?

Mission
Assurance
Work
Anywhere
at any
time

Sharing

Collaboration

Work
wherever
you are

Cloud Computing

Cloud means Internet. The computing takes place on the Internet

in place of the software you use executing on your desktop pc, its
hosted on the Internet on a server installed in a data centre usually
staffed by people who are experts in managing technology.

Gartner definition

a style of computing where massively scalable IT-enabled

capabilities are delivered as a service to external customers using
Internet technologies

Characteristics

It is sold on demand, typically by the minute or the hour;

it is elastic -- a user can have as much or as little of a service as they

want at any given time

the service is fully managed by the provider (the consumer needs

nothing but a personal computer and Internet access).

Significant innovations in virtualization and distributed computing,

as well as improved access to high-speed Internet and a weak
economy, have accelerated interest in cloud computing.

Private or Public?

A public cloud sells services to anyone on the Internet. (Currently,

Amazon Web Services is the largest public cloud provider.)

A private cloud is a proprietary network or a data center that

supplies hosted services to a limited number of people.

When a service provider uses public cloud resources to create their

private cloud, the result is called a virtual private cloud.

Private or public, the goal of cloud computing is to provide easy,

scalable access to computing resources and IT services.

Infrastructure-as-a-Service

Infrastructure-as-a-Service like Amazon Web Services provides

virtual server instance) to start, stop, access and configure their
virtual servers and storage.

In the enterprise, cloud computing allows a company to pay for

only as much capacity as is needed, and bring more online as soon
as required.

Because this pay-for-what-you-use model resembles the way

electricity, fuel and water are consumed, it's sometimes referred to
as utility computing.

Platform-as-a-service

Platform-as-a-service in the cloud is defined as a set of software and

product development tools hosted on the provider's infrastructure.
Developers create applications on the provider's platform over the
Internet.

PaaS providers may use APIs, website portals or gateway software

installed on the customer's computer. GoogleApps is an example.

Developers need to know that currently, there are not standards for
interoperability or data portability in the cloud. Some providers will
not allow software created by their customers to be moved off the
provider's platform.

Software-as-a-service

In the software-as-a-service cloud model, the vendor supplies the

hardware infrastructure, the software product and interacts with the
user through a front-end portal.

SaaS is a very broad market.

Services can be anything from Web-based email to inventory

control and database processing.

Because the service provider hosts both the application and the data,
the end user is free to use the service from anywhere.

Benefits

Reduced costs: You pay for what you use.

Scalability: You can scale your business storage needs seamlessly
rather than having to go out and purchase expensive programs or
hardware.

Automatic Updates: There is no need for IT to worry about paying

for your future updates in terms of software and hardware.

Remote Access: employees, partners and clients can access, and

update information wherever they are, rather than having to run
back the office.

Contd.

Disaster Relief: With your companys data safely stored on secure

data centers instead of your server room (previously known as your
storage closet), losing power due to hurricanes, earthquakes or a
construction worker cutting the power lines, you are back at work
as long as you have an internet connection.

Ease of Implementation: Your IT team (hopefully older than a 10

year old) may not like this, but implementing cloud services is as
easy as, well, setting up a LinkedIn page.

Skilled Vendors: Who would you rather manage and protect your
data? A company such as InfoStreet (with over 16 years experience
serving enterprise clients), IBM or Amazon or your IT staff.

Contd.

Response Time: Cloud computing accomplishes a better response

time in most cases than your standard server and hardware.

Even playing field for small firms: This allows small companies
to complete more effectively with some of the larger businesses,
balancing the playing field. Your small business can utilize the same
tools that Fortune 100 companies use and can do this because with
cloud computing, your business will only pay for what you need

Cloud Computing Challenges: Dealing with too many

issues
Scalability

Reliability
Billing

Utility & Risk

Management

Programming Env.
& Application Dev.

Software Eng.
Complexity

Uhm, I am not quite

clearYet another
complex IT paradigm?

Reasons to Consider Avoiding Cloud Computing

Security

Data Location & Privacy

Internet Dependency, Performance & Latency

Current Enterprise Applications Can't Be Migrated Easily

Many Cloud Offerings: Good, but new issues-vendor lock in,

scaling across clouds

IBM Cloud
Manjrasoft Aneka

Complex decisions
to make?

Threats, vulnerabilities, and enemies

Goal

Learn the cloud computing threat model by examining the assets,

vulnerabilities, entry points, and actors in a cloud

Technique

Apply different threat modeling schemes

Basic components

Attacker modeling
Choose what attacker to consider
Attacker motivation and capabilities

Assets / Attacker Goals

Vulnerabilities / threats

Who is the attacker?

Insider?
Malicious employees at client
Malicious employees at Cloud provider
Cloud provider itself

Outsider?
Intruders
Network attackers?

Attacker Capability: Malicious Insiders

At client

Learn passwords/authentication information

Gain control of the VMs

At cloud provider

Log client communication

Attacker Capability: Cloud Provider

What?
Can read unencrypted data
Can possibly peek into VMs, or make copies of VMs
Can monitor network communication, application patterns

Attacker motivation: Cloud Provider

Why?
Gain information about client data
Gain information on client behavior
Sell the information or use itself
Why not?

Cheaper to be honest?
Why? (again)
Third party clouds?

Attacker Capability: Outside attacker

What?
Listen to network traffic (passive)
Insert malicious traffic (active)
Probe cloud structure (active)
Launch DoS

Attacker goals: Outside attackers

Intrusion

Network analysis

Man in the middle

Cartography

Assets (Attacker goals)

Confidentiality

Data stored in the cloud

Configuration of VMs running on the cloud

Identity of the cloud users

Location of the VMs running client code

Assets (Attacker goals)

Integrity
Data stored in the cloud
Computations performed on the cloud

Assets (Attacker goals)

Availability
Cloud infrastructure
SaaS/ PaaS

Organizing the threats using STRIDE

Spoofing identity

Tampering with data

Repudiation

Information disclosure

Denial of service

Elevation of privilege