Upload File

photo source – flickr.com top 10 cloud risks that will keep you … · 2020. 1. 17. · cisco...

  • Home
  • Documents
  • Photo Source – flickr.com Top 10 Cloud Risks That Will Keep You … · 2020. 1. 17. · Cisco Public Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D.,
35
Cisco Public Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang Photo Source – flickr.com

Upload: others

Post on 26-Jan-2021

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • Cisco Public

    Top 10 Cloud Risks That Will Keep You Awake at Night

    Shankar Babu Chebrolu Ph.D., Vinay Bansal, Pankaj Telang

    Photo Source – flickr.com

  • 2Cisco Public

    We want to use SalesForce.com to host our next Cisco

    customer application

    .. Amazon EC2(Cloud) to host

    Eng. Lab testing….

    .. Google docs to share Cisco documents within

    team…... Facebook/MySpace

    to collaborate with company’s customer….

    Cisco Business

    User

    400+ ASPs (aka Cloud Providers) in use within Cisco

  • 4Cisco Public

    Outline

    Cloud – Industry Adoption Trend

    Cloud Taxonomy

    OWASP Cloud Top 10

    Cloud Security Risks

    Risk Mitigations

    Q & A

  • 5Cisco Public

    Cloud – Industry Adoption Trend

    58.6 68.3

    148.8

    020406080

    100120140160

    2009 2010 2014

    Global expenditure on Cloud ($ billion)

    (Source Gartner)

  • 6Cisco Public

    Cloud Taxonomy

    Public

    Private

    Hybrid

    Community

    Deployment ModelsService Models

    Software as aService (SaaS)

    Platform as aService (PaaS)

    Infrastructure as aService (IaaS)

    Broad Network Access

    Rapid Elasticity

    MeasuredService

    On-Demand Self-Service

    Resource Pooling

    (Adapted from CSA Guide, originally from NIST)

  • 7Cisco Public

    Cloud Top 10 - Motivation

    Serve as a quick list of top risks with cloud adoption

    Develop and maintain top 10 risks with cloud

    Provide guidelines on mitigating the risks

  • 8Cisco Public

    Cloud Top 10 - Approach

    NIST

    CSA

    Publications

    IndustryExperience

    News

    OWASPCloud Top 10

    Easily ExecutableMost DamagingIncidence Frequency

    IDC

    ISC2

  • 9Cisco Public

    Cloud Top 10 RisksR1: Accountability & Data Risk

    R2: User Identity Federation

    R3: Regulatory Compliance

    R4: Business Continuity & Resiliency

    R5: User Privacy & Secondary Usage of Data

    R6: Service & Data Integration

    R7: Multi-tenancy & Physical Security

    R8: Incidence Analysis & Forensics

    R9: Infrastructure Security

    R10: Non-production Environment Exposure

  • 10Cisco Public 10

    R1: Accountability

    ApplicationWeb/App/DB server

    ComputingNetworkStorage

    In traditional data center, the owning organization is accountable for security at all layers

    Organization fully accountable for security at all layers

    In a cloud, who is accountable for security at these layers?

    You can outsource hosted services but you cannot outsource accountability

  • 11Cisco Public

    R1: Accountability (cont.)

    ApplicationWeb/App/DB server

    ComputingNetworkStorage

    ApplicationWeb/App/DB server

    ComputingNetworkStorage

    ApplicationWeb/App/DB server

    ComputingNetworkStorage

    Cloud Consumer

    SaaS

    PaaS

    IaaS

    *

    * Few exceptions

    Acco

    unta

    ble

    AccountableCloud

    Provider

  • 12Cisco Public 12

    R1: Data Risk

    Health recordsCriminal recordsCredit historyPayroll

    How sensitive is the data?

    Informal blogsTwitter postsPublic newsNewsgroup messages

    Data encrypted? Single vs. multiple keys

    Who owns the data?

    Data stored anywhere !!

  • 13Cisco Public 13

    R1: Accountability & Data Risk Mitigation

    Logical isolation of the data of multiple consumers

    Multiple encryption keys

    Provider fully destroys deleted data

  • 14Cisco Public

    R2: Risks: Islands of User Identities

    Enterprise

    Security Risks1. Managing

    Identities across multiple providers

    2. Less control over user lifecycle (off-boarding)

    3. User experience

  • 15Cisco Public

    R2: Mitigation: User Identity Federation

    Identity Federation

    SAMLMitigations

    1. Federated Identity2. OAuth for backend

    integrations3. Tighter user

    provisioning controls

  • 16Cisco Public

    R3: Regulatory Compliance

    DC1

    Key:

    DC2

    Data that is perceived to be secure in one country may not be perceived secure in another country/region

    DC3

    European Union (EU) has very strict privacy laws and hence data stored in US may not comply with those EU laws (US Patriot Act allows federal agencies limitless powers to access any corporate data etc)

    Lack of transparency in the underlying implementations makes it difficult for data owners to demonstrate compliance( SOX/HIPAA etc.)

    Lack of consistent standards and requirements for global

    regulatory compliance – data governance can no longer be viewed from a point-to-point

    data flow perspective but rather a multi-point to multi-point.

  • 17Cisco Public 17

    R3: Regulatory Compliance – Mitigation Strategy

    Apply risk management framework, case-by-case basis

    Define data protection requirements and SLAs

    Provider / Consumer agreement to a pre-defined RACI model

  • 18Cisco Public 18

    R4: Business Continuity & Resiliency

    Lack of know-how and capabilities needed to ensure continuity & resiliency

    Monetary losses due to an outage

    Cloud provider may be acquired by a consumer’s competitor

  • 19Cisco Public 19

    R4: Business Continuity & Resiliency Mitigation

    Contract defines Recovery Time Objectives, and monetary penalty

    for downtime

    Cloud provider’s Business Continuity program certified to standard such as BS 25999

  • 20Cisco Public

    Privacy of my data- Address, Email,.. (Personally Identifiable Information)

    - Health, personal financial info

    -Personal Details (email, IMs,….)

    End Users

    Keep Revenue Up/ Cost Down Push out the liabilities to user via

    Privacy and Acceptable Use Policy

    Build Additional Services on users behavior (targeted advertisements ) e.g. Google Email, banner adv.

    Do minimal to achieve compliance

    Keep their social applications more open (increased adoption)

    R5: User Privacy & Secondary Usage of Data

    Providers

    Users vs. Providers (Priorities)

  • 21Cisco Public

    User personal data mined or used (sold) without consent

    - Targeted Advertisements, third parties

    User Privacy data transferred across jurisdictional borders

    No opt out features for user (user can not delete data)

    Lack of individual control on ensuring appropriate usage, sharing and protection of their personal information.

    Law Obligation for providers- Key escrows to law agencies- Subpoena

    R5: Risks: User Privacy & Secondary Usage of Data

  • 22Cisco Public

    R5: Mitigations: User Privacy & Secondary Usage of Data

    Policy Enactment-Privacy and Acceptable Usage- Consent (Opt In / Opt Out) - Policy on Secondary Usage

    De-identification of personal Information

    Encrypted storage

    Terms of Service with providers- Responsibility on compliance

    - Geographical affinity

  • 23Cisco Public

    R6: Service & Data Integration

    Key:

    Data traverses through the internet between end users and cloud data centers. How secure the integrations are ?

    End Users Cloud Broker

    Public Cloud

    Internal DatabasesCloud Broker

    Private Cloud / Internal Data Center

    Service / App 2Service / App 1 Service / App 5 Service / App 6

    Branch Office

    Cloud Provider 1 Cloud Provider 2

    ProxyProxy

    Cloud Broker

  • 24Cisco Public 24

    R6: Service & Data Integration – Mitigation Strategy

    Data in TransitData at Rest

    Encryption (keys, protocols etc)

  • 26Cisco Public

    Web Tier App/BizTier Database Tier

    Backups

    Clo

    ud C

    onsu

    mer

    s (T

    enan

    ts)

    Admin

    Reach back to Enterprise

    Security Risks1. Inadequate

    Logical Separations

    2. Co-mingled Tenant Data

    3. Malicious or Ignorant Tenants

    4. Shared Service-single point of failures

    5. Uncoordinated Change Controls and Misconfigs

    6. Performance Risks

    R7: Risks: Multi-tenancy and Physical Security

  • 27Cisco Public

    R7: Attacks and Incidences

    MIT demonstrating cross-tenant attacks (Amazon EC2)*

    -Side channel Attacks- Scanning other tenants-DoS

    Wordpress Outage June 2010**-100s of tenants (CNN,..) down in multi-tenant environment.

    - Uncoordinated Change in database

    * http://chenxiwang.wordpress.com/2009/11/02/mit’s-attack-on-amazon-ec2-an-academic-exercise/

    ** http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/

    http://chenxiwang.wordpress.com/2009/11/02/mit’s-attack-on-amazon-ec2-an-academic-exercise/�http://smoothspan.wordpress.com/2010/06/11/wordpress-and-the-dark-side-of-multitenancy/�

  • 28Cisco Public

    R7: Mitigations: Multi-tenancy and Physical Security

    Architecting for Multi-Tenancy

    Virtual Private Cloud (VPC)

    Data Encryption (per tenant key management)

    Controlled and coordinated Change Management

    Transparency/Audit-ability of

    Administrative Access

    Regular Third Party Assessments

  • 29Cisco Public

    R8: Incidence Analysis & Forensic Support

    Key:

    End Users Cloud Broker

    Public Cloud

    Internal DatabasesCloud Broker

    Private Cloud / Internal Data Center

    Service / App 2Service / App 1 Service / App 5 Service / App 6

    Branch Office

    Cloud Provider 1 Cloud Provider 2

    ProxyProxy

    Cloud Broker

    Complex integration and dynamics in cloud computing present significant challenges to timely diagnosis and resolution of incidents such as:

    • Malware detection and • Immediate intrusion response to mitigate the impact

    Implications to Traditional Forensics ? (seizing equipment and analysis on media/data recovered)

    International differences in relevant regulations …

  • 30Cisco Public 30

    R8: Incidence Analysis & Forensic Support –Mitigation Strategy

    Comprehensive logging

    Dedicated Forensic VM Images

    Without compromising Performance

  • 31Cisco Public

    R9: Infrastructure Security

    Key:

    Malicious parties are actively scanning the internet for …

    Vulnerable Applications or Services

    Active Unused Ports

    Default Passwords

    Default Configurations

    Data

  • 32Cisco Public

    R9: Infrastructure Security - Mitigations

    Third party audits and app vulnerability assessments

    Segregation of duties and role based administrative privs

    Tiered architecture with appropriate security controls between them

    Hardening – Networks, OS, Apps

  • 33Cisco Public 33

    R10: Non-Production Environment ExposureNon-Production Environments are … used for design, development, and test activities internally within an organization

    Prod Non-Prod

    Data copied to non-prod from its production equivalent

    Typical non-prod environment use genericauthentication credentials

    Non-Prod

    High risk of an unauthorized user getting access to the non production

    environment

    Security flaws

  • 34Cisco Public 34

    R10: Non-Production Environment ExposureMitigation

    Use multi layers of authentication

    Prod Non-Prod

    Non-prod data is not identical to production

    Don’t use cloud for developing a highly sensitive app in the cloud

  • 35Cisco Public

    Summary: Peaceful Sleep

    • Photo - http://fineartamerica.com/featured/peaceful-sleep-ron-white.html

  • 36Cisco Public

  • 37Cisco Public

    R5: Incidence: User Privacy & Secondary Usage of Data

    Top 10 Cloud Risks That Will Keep You Awake at NightSlide Number 2OutlineCloud – Industry Adoption TrendCloud TaxonomyCloud Top 10 - MotivationCloud Top 10 - ApproachCloud Top 10 RisksSlide Number 10Slide Number 11Slide Number 12Slide Number 13R2: Risks: Islands of User IdentitiesR2: Mitigation: User Identity FederationR3: Regulatory Compliance�Slide Number 17Slide Number 18Slide Number 19Slide Number 20�R5: Mitigations: User Privacy & Secondary Usage of DataR6: Service & Data Integration�Slide Number 24Slide Number 26R7: Attacks and IncidencesR7: Mitigations: Multi-tenancy and Physical SecurityR8: Incidence Analysis & Forensic SupportSlide Number 30R9: Infrastructure SecuritySlide Number 32Slide Number 33Slide Number 34Summary: Peaceful SleepSlide Number 36R5: Incidence: User Privacy & Secondary Usage of Data


How to keep health risks from drinking alcohol to a low ... Alc… · 2 How to keep health risks from drinking alcohol to a low level: public consultation on proposed new guidelines

Wake-on-WLAN Nilesh Mishra, Kameswari Chebrolu, Bhaskaran Raman and Abhinav Pathak IIT Kanpur Wake-on-WLAN Nilesh Mishra, Bhaskaran Raman, Abhinav Pathak

No Sugars Added: How to Reduce Health Risks and … Sugars Added: How to Reduce Health Risks and Keep Life Sweet Rachel K. Johnson, PhD, MPH, RD, FAHA Bickford Green and Gold Professor

ALL INDIA SENIOR CITIZENS’ CONFEDERATION · 1) Shri V. NarayanaMurthy, President, APSC Samakhya, Near Police Station, Chebrolu 534406, UnguturuMandal, W.G.District, Andhra Pradesh

Kameswari Chebrolu Dept. of Electrical Engineering, IIT Kanpur

Risk Assessment Workshop - AGA Risk Management (ERM) coordinates controls to mitigate risks that could keep you from achieving your objectives

Keep going and keep growing. Keep going and keep growing ... · Keep going and keep growing. Keep going and keep growing. Keep going and keep growing.Keep going and keep growing.Keep

Transport Protocols End-to-End Protocolshome.iitk.ac.in › ~chebrolu › scourse › slides › kc04-tcp.pdf · Transport Protocols Kameswari Chebrolu Dept. of Electrical Engineering,

Business Cooperation Networks: Risks and Benefitspotential risks and benefits may be the way for business cooperation networks to acquire competitive earnings, and also to keep improving

Agricultural Robot Dataset for Plant Classification ...Agricultural Robot Dataset for Plant Classification, Localization and Mapping on Sugar Beet Fields Nived Chebrolu 1, Philipp

DEPARTMENT OF PREVENTIVE MEDICINE KEEP YOUR HEART … · Keep Your Heart Healthy screens Chicago residents in underserved communities for cardiovascular health risks. It is the first

Keep it clean. - Hilti · reduced pr oductivity and higher costs. Keep dust to a minimum – with Hilti. Hilti is committed to helping you reduce the risks your workfor ce is exposed

5G PRESENTATION BY KARTHEEK TAVVA FROM CHEBROLU ENGINEERING COLLEGE

Lone Working Contents What is lone working? Health and Safety Legislation Increased risks Tools for assessing risks Measures to keep safe Travelling

BRIMON: Wireless Sensor Network based Railway Bridge Monitoring Kameswari Chebrolu Assistant Professor Department of Electrical Engineering IIT Kanpur

 · Web viewPersonal belonging – any items of significant value should be insured by you personally on an ‘all-risks’ basis. You need keep to keep valuable items under lock

How to keep health risks from drinking alcohol to a low level ·  · 2016-08-15How to keep health risks from ... explanation behind them, ... to explain their rationale in a text

Auditing the risks of disruptive technologies Keep the tempo ·  · 2018-02-242 Auditing the risks of disruptive technologies | Keep the tempo We’re in the midst of an exciting

KPWA - How to take a Health Assessment · YOUR HEALTH ACTION PLAN Learn about personal health risks, how to address those risks, and how to keep up your good health. A summary of

Link Range and (In)Stability on Sensor Network Architecture Bhaskaran Raman, Kameswari Chebrolu, Naveen Madabhushi, Dattatraya Y. Gokhale, Phani K. Valiveti,

Emerging Risks that keep you Awake at Night Trevor W Case Manager, Insurance & Risk Management

Scanned by CamScanner - adarsh.ac.inadarsh.ac.in/NaacDvvcPDF/7.1.12.pdf · Adarsh College Of Engineering (ACEE) was established during the academic year 2008-2009 at Chebrolu village

Risks Risks In Construction

Global Risks Insights Geopolitical Risks

FAMSUN Chairmanen.famsungroup.com/Upload/201812/20181207082724_4453.pdf · chemicals to keep water quality high and disease risks low. Greater demand for sustainably raised fish in

Photo Source – flickr.com Top 10 Cloud Risks That Will Keep You … · 2020-01-17 · Cisco Public Top 10 Cloud Risks That Will Keep You Awake at Night Shankar Babu Chebrolu Ph.D.,

Chebrolu Hanumaiah Institute of Pharmaceutical Sciences … · 2019. 8. 26. · various drugs in single and combined dosage forms. References: 1. Spectrometric Identification of Organic

Risks€ Risks By Priority€ 37,920

PreventingOpioidAbuseandAddiction - DECKS€¦ · Cofounder/CEO Gautam Chebrolu Cofounder/CTO Collin O’Neill Chief Pharmaceutical Officer Dr. Kamran Saraf Chief Medical Officer

The Risks, They Just Keep On Coming · 1 The Risks, They Just Keep On Coming ( Impacts of Environmental Bills in Congress ) GAMS Anniversary Seminar September 19, 2003 Lloyd R. Kelly

The 4 Steps 1 2 3 4 Determine your income need Close your income gap Protect yourself from risks Keep your planning simple

Why do Adolescents take risks? What can Adults and Communities do to keep them safe?

Chebrolu Hanumaiah Institute of Pharmaceutical Sciences ... D.pdfChebrolu Hanumaiah Institute of Pharmaceutical Sciences Chandramoulipuram, Chowdavaram, Guntur – 522019, Andhra Pradesh

Lec01 Overview Chebrolu

Keep the Ball in Your Court. Know the Risks. · 2019-02-15 · Keep the Ball in Your Court. KNOW THE RISKS. Pain Pills can be Dangerous and Addictive justthinktwice.com. getsmartaboutdrugs.com