Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Enterprise and Cloud Computing – Clouded Security? Dr. Shekhar Kirani, Vice President and Country Manager, VeriSign India, 10/08/09

Upload: interop-mumbai-2009

Post on 12-Jan-2015


DESCRIPTION

The session will provide a 360-degree view on how enterprises can compete effectively by opening up their previously closed networks to business partners, customers, and their own increasingly mobile workforce - while managing security and associated risks. Kirani will also share practical examples from Indian and global enterprises that have secured critical business interactions and operations successfully.

TRANSCRIPT

Page 1: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Enterprise and Cloud Computing – Clouded Security?

Dr. Shekhar Kirani

Vice President and Country Manager,

VeriSign India

10/08/09

Page 2: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Digital World: How it looks?

• 1.3B Global Internet Users

• 1.5T E-mails

• 177M Web sites

1. Source: Forrester Research 2008

2. Source: Goldman Sachs 2007 CSO Survey

3. Source: Synovate 2008 Consumer Survey

Page 3: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Source: http://www.verisign.com/Resources/Naming_Services_Resources/Domain_Name_Industry_Brief/index.html

Enterprise Interactions Have Become Enterprise Internet Interactions

Enterprise Internet Interactions -> Enterprise Cloud Interactions

Why Such a Growth?

Efficiency & Convenience = $$$

Page 4: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

What is Cloud Computing?

Cloud Computing Is NOT

Grid Computing

Grid Computing

Distributed computing that uses a cluster of networked computers, acting in concert to perform a task

Page 5: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Defining Cloud Computing

Cloud Computing Is NOT

Grid Computing, Utility Computing

Elastic Compute Cloud, Sun Grid Service

Utility Computing

Virtualized computing resources, such as computation and storage, offered as a metered service

Page 6: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Defining Cloud Computing

Cloud Computing Is NOT

Grid Computing, Utility Computing, SaaS

Software-As-A-Service

Delivery method of applications over the web using utility computing and multi-tenant architecture

Page 7: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Defining Cloud Computing

Cloud Computing Is NOT

Grid Computing, Utility Computing, SaaS

Then what is it?

Page 8: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Defining Cloud Computing

Cloud Computing IS

Grid Computing + Utility Computing + SaaS +

• Storage Infrastructure

• Identity Infrastructure

• Security Infrastructure

• Application Integration and Mash-ups

• Business Intelligence

• Business Process Management

Page 9: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Definition of Cloud Computing

So, Cloud Computing is an emerging technology that:

• utilizes concepts of grid and utility computing

• to provide application services over the Internet

• along with all associated functions available with regular in-premise implementations

• and may work in conjunction with in-premise resources

Page 10: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Typical Enterprise Setup for Cloud Services

[Diagram labels: Enterprise; CLOUD 1, CLOUD 2, CLOUD 3]

• Different URLs with login-name/password combination.

• Account provisioning is batch-mode.

• Single sign-on is not yet present.

Page 11: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Cloud Security Basics

• End-to-end security is key for SaaS/PaaS/IaaS vendors

• Stronger SLA and security than enterprise security.

• Every resource is access controlled, logged, protected, and managed. Principle of Least Privilege.

• Weakest link in the security chain is always exploited

• Physical, network, transaction, customer, employee, consultant, etc.

• Least protected to more protected

• Social engineering – will remain key attack method

• Security by Design: Before vs. After Thought

• Cost and Usability

• Level of Security

• Likelihood of exploit

• Opportunity to exploit

• Deterrence, Prevention, Identification, and Action

Page 12: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

The Identity Problem of Cloud Computing

• 30% of Enterprises and SMBs view security as a top concern in SaaS [1]

• 72% believe Identity and Access Management is the key security issue [2]

• 78% of consumers want more control over securing their identity [3]

1. Source: Forrester Research 2008

2. Source: Goldman Sachs 2007 CSO Survey

3. Source: Synovate 2008 Consumer Survey

Page 13: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 1: Phishing in SaaS

[Diagram labels: Enterprise, CLOUD 1, ROGUE APP]

Page 14: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution: Secure (EV Certs) or Green Bar Certs

Page 15: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Example: Green Browser Bar

Phishing Site – Bar turned Red!

Page 16: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 2: Identity Theft

[Diagram labels: Rogue Emp, Enterprise, CLOUD 1]

Page 17: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 2: Identity Theft

[Diagram labels: Rogue Emp, Enterprise, CLOUD 1]

Page 18: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution 2: Identity Theft

[Diagram labels: Rogue Emp, Enterprise, CLOUD 1]

Page 19: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution: 2nd Factor (or 2nd Password)

• Offer a 2nd Factor solution in addition to login name/password

– What you know and What you have

• Offer 2nd Factor across all types of devices (tokens, mobile, cards, etc.).

• Identity theft requires a physical device to be stolen -> makes it hard!

Page 20: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution: 2nd Factor (2nd Password) for Online Access

Page 21: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 3: Application/Data Security

[Diagram labels: Rogue Emp, Enterprise]

Page 22: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution: Strong Enterprise Encryption Solutions

Digital Certs + (Email Applications, Endpoint Security, Data Storage) = Encrypted Communication, Protected Assets and Data, Secured Data at Rest

Page 23: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 4: Insider Theft

[Diagram labels: Enterprise; Sys Adm 1, Sys Adm 2, Rogue Adm; No Digital Cer.; Digital Certificate.]

Page 24: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Solution: Strong Authentication

Digital Certs & OTP Token + (Web Applications, Remote Access, Desktop Logon, Networking) = Multi-Factor Desktop Logon, Strong Web Authentication, Secure Remote Access, Secure Network Access

Page 25: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 5: DDoS Attack on Service

[Diagram labels: Enterprise; Bot 1, Bot 2, Bot 3]

Page 26: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Weak Link 5: DDoS Attack on Service

[Diagram labels: Enterprise; Bot 1, Bot 2, Bot 3]

Page 27: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Infrastructure: Evolving and Sophisticated DDoS Attacks

[Chart: Attack Bandwidth vs. (Normal) Bandwidth. Y-axis: DNS Gbps, 0 to 70; x-axis: 2000 to 2006. Annotations: Microsoft, Root Server Attacks, AOL, Sobig Worm, DNS Reflector, Routing Loop .COM, VoIP/Cell Phone Worm (?), Normal DNS Traffic, DDoS Packet Filtering During Attack. Multipliers shown: 3x, 30x, 40x, 50x, 100x, 150x.]

New threats due to increased nodes and adoption of IP-based mobile devices

Page 28: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Summary

• Cloud Services need to offer stronger SLA and Security than Enterprises can do on their own.

• Cloud Services need to demonstrate back-to-back SLA/Security throughout the SaaS/PaaS/IaaS chain.

• Cloud Services need to demonstrate how they plan to do Deterrence, Prevention, Identification, and Action against attacks

• Enterprise will move to Cloud if Security/Privacy Issues are addressed

Page 29: Shekhar Kirani - Enterprise and Cloud Computing: Clouded Security?

Thank you!