Copyright 2009-11 1 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Cloud Computing Forum Realm Hotel, Canberra 24 February 2011 http://www.rogerclarke.com/EC/CCSec {.html,.ppt} Security and Cloudsourcing

Mar 26, 2015


Anna Dunn

Roger Clarke
Xamax Consultancy and PSARN Security, Canberra

Visiting Professor in Computer Science, ANU
and in Cyberspace Law & Policy, UNSW

Cloud Computing Forum
Realm Hotel, Canberra – 24 February 2011

http://www.rogerclarke.com/EC/CCSec {.html,.ppt}

Security and Cloudsourcing


Security and Cloudsourcing
AGENDA

• CloudSourcing
• Why Cloudsourcing Challenges Security
• Downsides of CloudSourcing (Security in the Broadest)
  • Operational Disbenefits and Risks
  • Contingent Risks
  • Security Risks (Security in the Less Broad)
  • Commercial Disbenefits and Risks
  • Compliance Disbenefits and Risks
• Risk Management Strategies
• Questions To Ask Cloudsourcing Tenderers


Cloudsourcing from the User Perspective

A service that satisfies all of the following conditions:

1. It is delivered over a telecommunications network

2. The service depends on virtualised resources, i.e. the user has no technical need to be aware which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located

3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used


Cloudsourcing from the User Perspective

A service that satisfies all of the following conditions:

1. It is delivered over a telecommunications network

2. The service depends on virtualised resources, i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located

3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

4. The user organisation places reliance on the service for data access and/or data processing

5. The user organisation has legal responsibilities


From Insourcing to Cloudsourcing

Off-Site Hosting

Outsourced Facility

Multiple Outsourced Facilities


From Insourcing to Cloudsourcing

Integrated Multi-Site Outsourced Facilities


From Insourcing to Cloudsourcing

CloudSourced Facilities


From Insourcing to Cloudsourcing
Changes in Risk-Exposure

Sourcing Phases
• Insourcing
• Outsourced Site
• Outsourced Facility
• Outsourced Facilities in Multiple Locations
• Integrated Multi-Site Outsourced Facilities
• Cloudsourced Facilities

Increasing:
• Component-Count
• Location-Count
• Complexity
• Dependencies
• Fragility

Decreasing:
• Internal Expertise
• Internal Knowability ('set and forget')


CC Architecture – The User Organisation Perspective

[Diagram. Components: Organisation; Client App; Utility Software, esp. Web-Browsers; Platform – System S’ware; User Device; Broker; Cloud Manager. Regions: Client-Side Infrastructure; Cloud Infrastructure; Intermediating Infrastructure.]


A Comprehensive CC Architecture

[Diagram. Components: Organisation; Client App; Utility Software, esp. Web-Browsers; Platform – System S’ware; User Device; Broker; Cloud Manager; Server App; Cloud Platform; Cloud Infrastructure; Host; Database(s), possibly replicated. Regions: Client-Side Infrastructure; Server-Side Infrastructure; Intermediating Infrastructure.]


Downsides from the User Perspective
(Security in the Broadest)

1. Operational Disbenefits and Risks
   Dependability on a day-to-day basis

2. Contingent Risks
   Low likelihood, but highly significant

3. Security Risks
   Security in the less broad

4. Commercial Disbenefits and Risks

5. Compliance Disbenefits and Risks


1. Operational Disbenefits and Risks

• Fit – to users' needs, and customisability
• Reliability – continuity of operation
  • Availability – hosts/server/db readiness/reachability
  • Accessibility – network readiness
  • Usability – response-time, and consistency
  • Robustness – frequency of un/planned unavailability (97% uptime = 5 hr per week offline)
  • Resilience – speed of resumption after outages
  • Recoverability – service readiness after resumption
• Integrity – sustained correctness of the service, and the data
• Maintainability – fit, reliability, integrity after bug-fixes & mods


2. Contingent Risks

• Major Service Interruptions
• Service Survival – supplier collapse or withdrawal
  Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers
• Data Survival – data backup/mirroring/synch, accessibility
• Data Accessibility – blockage by opponents or a foreign power
• Compatibility – software, versions, protocols, data formats
• Flexibility
  • Customisation
  • Forward-Compatibility to migrate to new levels
  • Backward-Compatibility to protect legacy systems
  • Lateral Compatibility to enable dual-sourcing and escape


3. Security Risks

• Service Security
  Environmental, second-party and third-party threats to any aspect of reliability or integrity

• Data Security
  Environmental, second-party and third-party threats to content, both in remote storage and in transit

• Authentication and Authorisation
  How to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?

• Susceptibility to DDOS
  Multiple, separate servers; but choke-points will exist


4. Commercial Disbenefits and Risks

• Acquisition
  • Lack of information
  • Non-Negotiability of Terms and SLA
• Ongoing
  • Loss of Corporate Expertise re apps, IT services, costs to deliver
  • Inherent Lock-In Effect from high switching costs, formats, protocols
  • High-volume Data Transfers from large datasets, replication/synchronisation
• Service Levels to the Organisation's Customers


5. Compliance Disbenefits and Risks

• General Statutory & Common Law Obligations
  • Evidence Discovery Law
  • Financial Services Regulations
  • Company Directors' obligations re asset protection, due diligence, business continuity, risk management
• Security Treaty Obligations
• Confidentiality – incl. against foreign governments
  • Strategic
  • Commercial
  • Governmental
• Privacy – particularly Unauthorised Use and Disclosure
  Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)


Risk Management Strategies

Processes
• Risk Assessment => Risk Management

Legal Aspects
• Service Level Agreement (SLA)


SLA Checklist (ITILv3 Edited Down)

1. Service name
2. Clearance information (with location and date)
   1. Service Level Manager
   2. Customer
3. Contract duration
   1. Start and end dates
   2. Rules regarding termination of the agreement
4. Description/ desired customer outcome
   1. Business justification
   2. Business processes/ activities on cust side supported by the service
   3. Desired outcome in terms of utility
   4. Desired outcome in terms of warranty
5. Service and asset criticality
   1. Identification of business-critical assets connected with the service
      1. Vital Business Functions (VBFs) supported by the service
      2. Other critical assets used within the service
   2. Estimation of the business impact caused by a loss of service or assets
6. Reference to further contracts which also apply (e.g. SLA)
7. Service times
   1. Hours when the service is available
   2. Exceptions (e.g. weekends, public holidays)
   3. Maintenance slots
8. Required types and levels of support
   1. On-site support
      1. Area/ locations
      2. Types of users
      3. Types of infrastructure to be supported
      4. Reaction and resolution times
   2. Remote support
      1. Area/ locations
      2. Types of users (user groups granted access to the service)
      3. Types of infrastructure to be supported
      4. Reaction and resolution times
9. Service level requirements/ targets
   1. Availability targets and commitments
      1. Conditions under which the service is considered to be unavailable
      2. Availability targets
      3. Reliability targets (usually defined as MTBF or MTBSI)
      4. Maintainability targets (usually defined as MTRS)
      5. Downtimes for maintenance
      6. Restrictions on maintenance
      7. Procedures for announcing interruptions to the service
      8. Requirements regarding availability reporting
   2. Capacity/ performance targets and commitments
      1. Required capacity (lower/upper limit) for the service, e.g.
         1. Numbers and types of transactions
         2. Numbers and types of users
         3. Business cycles (daily, weekly) and seasonal variations
      2. Response times from applications
      3. Requirements for scalability
      4. Requirements regarding capacity and performance reporting
   3. Service Continuity commitments
      1. Time within which a defined level of service must be re-established
      2. Time within which normal service levels must be restored
10. Mandated technical standards and spec of the technical service interface
11. Responsibilities
    1. Duties of the service provider
    2. Duties of the customer (contract partner for the service)
    3. Responsibilities of service users (e.g. with respect to IT security)
    4. IT Security aspects to be observed when using the service
12. Costs and pricing
    1. Cost for the service provision
    2. Rules for penalties/ charge backs
13. Change history
14. List of annexes

http://wiki.en.it-processmaps.com/index.php/Checklist_SLA_OLA_UC


Risk Management Strategies

Processes
• Risk Assessment => Risk Management

Legal Aspects
• Service Level Agreement (SLA)
• Contract Terms

Ongoing Due Diligence
• Audit and Certification

Multi-Sourcing
• Several Suppliers
  Of necessity compatible
• Parallel, In-House
• Redundancy – Multiple and Independent
  • Processing Facilities
  • Hot/Warm-Site
  • Data Storage


A New Digital Security Model

• In a highly-interconnected world, Perimeter Security / The Walled Fortress doesn't work any more

• The new Core Principle:
  When unauthorised access happens, make sure that the data is valueless to anyone other than the user-organisation


A New Digital Security Model
Some Implementation Techniques

• Obscure the content and identities
  (Only the user-organisation has the decryption-key)

• Use pseudo-identifiers not identifiers
  (Only the user-organisation has the cross-index)

• Split the content into 'small enough' morsels
  (Only the user-organisation has the whole picture)

• Authenticate attributes rather than identities

NITTA (2011) 'New Digital Security Models' National IT and Telecom Agency, Copenhagen, February 2011, http://digitaliser.dk/resource/896495
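
The pseudo-identifier and content-splitting techniques listed above can be combined as follows; this is an added example, not code from the presentation or from the NITTA report. The field names, provider names, partition plan and sample records are all constructed assumptions.

```python
"""Pseudo-identifiers plus content splitting, with the cross-index kept in-house."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alex Example", "postcode": "2600",
     "diagnosis": "asthma", "balance": "120.50"},
    {"customer_id": "C-1002", "name": "Sam Sample", "postcode": "2612",
     "diagnosis": "diabetes", "balance": "0.00"},
]

# Hypothetical partition plan: which fields each cloud provider may hold.
PARTITION = {
    "provider_a": ("name", "postcode"),      # who the person is
    "provider_b": ("diagnosis", "balance"),  # what is known about them
}


class LocalVault:
    """State that never leaves the user-organisation: keys and cross-index."""

    def __init__(self, partition=PARTITION, id_field="customer_id"):
        self.partition = partition
        self.id_field = id_field
        # One independent HMAC key per provider, so pseudo-identifiers differ
        # between providers and cannot be used as a join key.
        self._keys = {p: secrets.token_bytes(32) for p in partition}
        self.cross_index = {}  # real identifier -> {provider: pseudo-identifier}

    def pseudo_id(self, provider, real_id):
        mac = hmac.new(self._keys[provider], real_id.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]  # 128 bits is ample for an index key

    def split(self, record):
        """Return {provider: morsel}; no morsel carries the real identifier."""
        real_id = record[self.id_field]
        morsels = {}
        for provider, fields in self.partition.items():
            pid = self.pseudo_id(provider, real_id)
            morsels[provider] = {"pid": pid, **{f: record[f] for f in fields}}
            self.cross_index.setdefault(real_id, {})[provider] = pid
        return morsels

    def reassemble(self, real_id, stores):
        """Rebuild the whole record; only possible with the cross-index."""
        record = {self.id_field: real_id}
        for provider, pid in self.cross_index[real_id].items():
            morsel = stores[provider][pid]
            record.update({k: v for k, v in morsel.items() if k != "pid"})
        return record


def upload_all(vault, records):
    """Simulate the providers' stores as dicts keyed by pseudo-identifier."""
    stores = {provider: {} for provider in vault.partition}
    for record in records:
        for provider, morsel in vault.split(record).items():
            stores[provider][morsel["pid"]] = morsel
    return stores


def shared_pseudo_ids(stores):
    """Pseudo-identifiers seen by more than one provider (should be none)."""
    seen, shared = set(), set()
    for store in stores.values():
        shared |= seen & set(store)
        seen |= set(store)
    return shared


def leaked_real_ids(stores, records, id_field="customer_id"):
    """Real identifiers that appear anywhere in what the providers hold."""
    real_ids = {r[id_field] for r in records}
    held = {str(v) for store in stores.values()
            for morsel in store.values() for v in morsel.values()}
    return real_ids & held


if __name__ == "__main__":
    vault = LocalVault()
    stores = upload_all(vault, SAMPLE_RECORDS)
    for provider, store in stores.items():
        print(provider, list(store.values()))
    print("rebuilt:", vault.reassemble("C-1001", stores))
```

Field values are held in clear here; the first technique on the slide (encrypting under a key only the user-organisation holds) would be layered on top with a vetted encryption library.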


Categories of Use-Profile

• CC is very well-suited for ...
  • Uses of computing that are highly price-sensitive
  • Adjuncts to analysis and decision-making
  • Trade off loss of control, uncertain reliability and contingent risks against cost-advantages, convenience, scalability, etc.
• CC is completely inappropriate for ...
  • 'Mission-critical systems'
  • Systems embodying the organisation's 'core competencies'
  • Applications whose failure or extended malperformance would threaten the organisation's health or survival
• CC may be applicable, it all depends ...
  • Can the risks be adequately understood and managed?
  • Trade-offs between potential benefits vs. uncontrollable risks


Questions to ask CloudSourcing Tenderers

• How do you ensure that natural disasters and DDOS won't interrupt or delay my services?

• What's your Vulnerability Testing regime?

Managed Vulnerability Assessment Service (MVAS)
PSARN
Management & Engineering


Questions to ask CloudSourcing Tenderers

• How do you ensure that natural disasters and DDOS won't interrupt or delay my services?

• What's your Vulnerability Testing regime?

• How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data?

• How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions?

• After 3 hours' delay, what's your Contingency Plan?

http://www.smh.com.au/travel/travel-news/backup-for-airlines-checkin-system-delayed-for-18-hours-20100927-15u5f.html

Remember Virgin Blue and Accenture/Navitaire

"The Virgin Blue check-in system that crashed and left tens of thousands of passengers stranded was meant to be backed up by a parallel 'disaster recovery system' within 3 hours, but it did not work for 21 hours"


Questions to ask CloudSourcing Tenderers

• How do you ensure that natural disasters and DDOS won't interrupt or delay my services?

• What's your Vulnerability Testing regime?

• How do you know, & how do I know, at all times, the Jurisdictional Location(s) of my data?

• How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions?

• After 3 hours' delay, what's your Contingency Plan?

• Where are the Backups of my data?

• If I choose someone else, what's involved in Switching Suppliers, to you, at a later date?


Conclusion

• "Past efforts at utility computing failed, and we note that in each case one or two ... critical characteristics were missing" (Armbrust et al. 2008, p. 5 – UC Berkeley)

• CC may be just another marketing buzz-phrase that leaves corporate wreckage in its wake

• CC service-providers need to invest a great deal in many aspects of architecture, infrastructure, applications, and terms of contract and SLA

• User organisations need to trial CC with care
