Photo Source flickr.

com

Top 10 Cloud Risks That Will Keep You

Awake at Night
Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang
Cisco Public
 .. Amazon EC2 We want to use
(Cloud) to host SalesForce.com to
Eng. Lab host our next Cisco
testing. customer application

Cisco
Business .. Google docs to share
.. Facebook/MySpace Cisco documents within
User
to collaborate with team.
companys customer.

400+ ASPs (aka Cloud Providers) in use within Cisco

Cisco Public 2
Outline

Cloud Industry Adoption Trend

Cloud Taxonomy

OWASP Cloud Top 10

Cloud Security Risks

Risk Mitigations

Q&A

Cisco Public 4
Cloud Industry Adoption Trend

Global expenditure on Cloud

($ billion)
160 148.8
140
120
100
80 68.3
58.6
60
40
20
0
2009 2010 2014

(Source Gartner)

Cisco Public 5
 Cloud Taxonomy
Service Models Deployment Models

Software as a Public
Service (SaaS)

Private
Platform as a
Service (PaaS)
Hybrid

Infrastructure as a
Service (IaaS) Community

Broad Network Rapid Measured On-Demand Resource

Access Elasticity Service Self-Service Pooling

(Adapted from CSA Guide, originally from NIST)

Cisco Public 6
Cloud Top 10 - Motivation

Develop and maintain top

10 risks with cloud
Serve as a quick list of top
risks with cloud adoption

Provide guidelines on mitigating

the risks

Cisco Public 7
Cloud Top 10 - Approach
Easily Executable
Most Damaging
Incidence Frequency

ISC2
CSA Industry
Experience
Publications
IDC

NIST News

OWASP
Cloud Top 10

Cisco Public 8
Cloud Top 10 Risks
R1: Accountability & Data Risk

R2: User Identity Federation

R3: Regulatory Compliance

R4: Business Continuity & Resiliency

R5: User Privacy & Secondary Usage of Data

R6: Service & Data Integration

R7: Multi-tenancy & Physical Security

R8: Incidence Analysis & Forensics

R9: Infrastructure Security

R10: Non-production Environment Exposure

Cisco Public 9
R1: Accountability
In traditional data center, the owning organization is
accountable for security at all layers

Application
Organization fully accountable
for security at all layers
Web/App/DB server
Computing
Network
Storage

You can outsource hosted

services but you cannot
outsource accountability

In a cloud, who is accountable for security at these

layers?
Cisco Public 10
10
R1: Accountability (cont.)
Cloud Cloud Consumer
Provider
Application *
Web/App/DB server
Computing
SaaS Network

Accountable
Accountable Storage

Application
Web/App/DB server
PaaS Computing
Network
Storage

Application
Web/App/DB server
IaaS Computing
Network
* Few exceptions Storage
Cisco Public 11
R1: Data Risk
How sensitive is the data?

Informal blogs
Twitter posts
Public news
Newsgroup messages

Health records
Criminal records
Credit history
Payroll

Who owns the data?

Data encrypted? Single vs.
multiple keys
Data stored anywhere !!
Cisco Public 12
12
R1: Accountability & Data Risk
Mitigation

Logical isolation of the data of

multiple consumers

Provider fully destroys deleted

data

Multiple encryption keys

Cisco Public 13
13
R2: Risks: Islands of User Identities

Security Risks
1. Managing
Identities across
multiple providers
2. Less control over
user lifecycle (off-
boarding)
3. User experience

Enterprise

Cisco Public 14
R2: Mitigation: User Identity Federation

Mitigations
SAML 1. Federated Identity
2. OAuth for backend
integrations
3. Tighter user
provisioning
controls

Identity Federation

Cisco Public 15
 R3: Regulatory Compliance
Data that is perceived to be secure in one Lack of transparency in
country may not be perceived the underlying
secure in another country/region implementations makes it
difficult for data owners to
Key:
demonstrate compliance(
DC2
SOX/HIPAA etc.)

DC1 DC3

Lack of consistent standards

and requirements for global
regulatory compliance data
governance can no longer be
viewed from a point-to-point
data flow perspective but rather
a multi-point to multi-point.

European Union (EU) has very strict privacy laws and hence data stored
in US may not comply with those EU laws (US Patriot Act allows federal
agencies limitless powers to access any corporate data etc)
Cisco Public 16
R3: Regulatory Compliance Mitigation Strategy

Define data protection

requirements and SLAs

Apply risk management

framework, case-by-case basis

Provider / Consumer agreement to

a pre-defined RACI model
Cisco Public 17
17
R4: Business Continuity & Resiliency

Lack of know-how and capabilities needed

to ensure continuity & resiliency

Cloud provider may be acquired Monetary losses due to an

by a consumers competitor outage

Cisco Public 18
18
R4: Business Continuity & Resiliency
Mitigation

Contract defines Recovery Time Cloud providers Business

Objectives, and monetary penalty Continuity program certified to
for downtime standard such as BS 25999

Cisco Public 19
19
R5: User Privacy & Secondary Usage of Data
Users vs. Providers (Priorities)

Privacy of my data Keep Revenue Up/ Cost Down

- Address, Email,.. Push out the liabilities to user via
(Personally Identifiable Privacy and Acceptable Use
Information) Policy
- Health, personal financial Build Additional Services on users
info behavior (targeted advertisements
- Personal Details (email, ) e.g. Google Email, banner adv.
IMs,.) Do minimal to achieve compliance
Keep their social applications
more open (increased adoption)

End Users Providers

Cisco Public 20
R5: Risks: User Privacy & Secondary Usage of Data

User personal data mined or used (sold) without

consent
- Targeted Advertisements, third parties

User Privacy data transferred across jurisdictional

borders
No opt out features for user (user can not delete data)
Lack of individual control on ensuring appropriate
usage, sharing and protection of their personal
information.
Law Obligation for providers
- Key escrows to law agencies
- Subpoena

Cisco Public 21
R5: Mitigations: User Privacy & Secondary Usage of
Data
Policy Enactment
-Privacy and Acceptable Usage
- Consent (Opt In / Opt Out)
- Policy on Secondary Usage

De-identification of personal
Information
Encrypted storage

Terms of Service with providers

- Responsibility on compliance
- Geographical affinity
Cisco Public 22
 R6: Service & Data Integration

Branch Office Private Cloud / Internal Data Center

Key:
End Users Internal
Cloud Broker Cloud Broker Databases

Data traverses through the

internet between end users
and cloud data centers.
How secure the integrations are ?

Public Cloud
Cloud Provider 1 Cloud Provider 2

Proxy Proxy

Cloud Broker
Service / App 1 Service / App 2 Service / App 5 Service / App 6

Cisco Public 23
R6: Service & Data Integration Mitigation Strategy

Data in Transit
Data at Rest

Encryption (keys, protocols etc)

Cisco Public 24
24
R7: Risks: Multi-tenancy and Physical Security

Web Tier App/BizTier Database Tier

Cloud Consumers (Tenants)

Security Risks
1. Inadequate
Logical
Separations
2. Co-mingled
Tenant Data
3. Malicious or
Ignorant Tenants
4. Shared Service-
single point of
Backups
failures
5. Uncoordinated
Admin Change Controls
and Misconfigs
Reach back to 6. Performance
Enterprise Risks

Cisco Public 26
R7: Attacks and Incidences

MIT demonstrating cross-tenant attacks

(Amazon EC2)*
- Side channel Attacks
- Scanning other tenants
- DoS

Wordpress Outage June 2010**

- 100s of tenants (CNN,..) down in multi-tenant
environment.
- Uncoordinated Change in database

* http://chenxiwang.wordpress.com/2009/11/02/mits-attack-on-amazon-ec2-an-academic-exercise/

** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/
Cisco Public 27
R7: Mitigations: Multi-tenancy and Physical
Security
Architecting for Multi-Tenancy

Data Encryption (per tenant key

management)

Controlled and coordinated

Change Management

Transparency/Audit-
ability of
Administrative Access
Regular Third
Party Assessments
Virtual Private
Cloud (VPC)

Cisco Public 28
 R8: Incidence Analysis & Forensic Support
Complex integration and dynamics in cloud computing present significant
challenges to timely diagnosis and resolution of incidents such as:
Malware detection and
Immediate intrusion response to mitigate the impact

Branch Office Private Cloud / Internal Data Center

Key:
End Users Internal
Cloud Broker Cloud Broker Databases

Implications to Traditional Forensics ? International differences in

(seizing equipment and analysis on media/data recovered) relevant regulations
Public Cloud
Cloud Provider 1 Cloud Provider 2

Proxy Proxy

Cloud Broker
Service / App 1 Service / App 2 Service / App 5 Service / App 6

Cisco Public 29
R8: Incidence Analysis & Forensic Support
Mitigation Strategy

Comprehensive logging

Without compromising Performance

Dedicated Forensic VM Images

Cisco Public 30
30
R9: Infrastructure Security
Malicious parties are actively scanning the internet for

Vulnerable Applications or Services

Key:

Active
Unused Ports
Data

Default
Passwords

Default
Configurations

Cisco Public 31
 R9: Infrastructure Security - Mitigations

Segregation of duties and role

based administrative privs

Third party audits and app

vulnerability assessments

Tiered architecture with appropriate

security controls between them

Cisco Public
Hardening Networks, OS, Apps
32
R10: Non-Production Environment Exposure
Non-Production Environments are
used for design, development, and test activities internally within an
organization

Prod Non-Prod
Security flaws
Typical non-prod Data copied to non-prod from
environment use generic its production equivalent
authentication credentials

Non-Prod

High risk of an unauthorized user

getting access to the non production
environment
Cisco Public 33
33
R10: Non-Production Environment Exposure
Mitigation

Use multi layers of Prod Non-Prod

authentication

Non-prod data is not

identical to production

Dont use cloud for developing a highly

sensitive app in the cloud
Cisco Public 34
34
Summary: Peaceful Sleep

Photo - http://fineartamerica.com/featured/peaceful-sleep-ron-white.html
Cisco Public 35
Cisco Public 36
R5: Incidence: User Privacy & Secondary Usage of
Data

Cisco Public 37