Security and Cloudsourcing
Roger Clarke, Xamax Consultancy and PSARN Security, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
Cloud Computing Forum, Realm Hotel, Canberra, 24 February 2011
http://www.rogerclarke.com/EC/CCSec {.html,.ppt}
Copyright 2009-11
Security and Cloudsourcing: Agenda
• Cloudsourcing
• Why Cloudsourcing Challenges Security
• Downsides of Cloudsourcing (Security in the Broadest Sense)
  • Operational Disbenefits and Risks
  • Contingent Risks
  • Security Risks (Security in the Less Broad Sense)
  • Commercial Disbenefits and Risks
  • Compliance Disbenefits and Risks
• Risk Management Strategies
• Questions To Ask Cloudsourcing Tenderers
Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user does not know, and has no technical need to know, which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least regarding the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities
From Insourcing to Cloudsourcing
[Diagram slides, in sequence: Off-Site Hosting; Outsourced Facility; Multiple Outsourced Facilities; Integrated Multi-Site Outsourced Facilities; Cloudsourced Facilities]
From Insourcing to Cloudsourcing: Changes in Risk-Exposure
• Robustness – frequency of un/planned unavailability (97% uptime = 5 hr per week offline)
• Resilience – speed of resumption after outages
• Recoverability – service readiness after resumption
• Integrity – sustained correctness of the service, and the data
• Maintainability – fit, reliability, integrity after bug-fixes and modifications
2. Contingent Risks
• Major Service Interruptions
• Service Survival – supplier collapse or withdrawal. Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers
• Data Survival – data backup/mirroring/synchronisation, accessibility
• Data Accessibility – blockage by opponents or a foreign power
• Compatibility – software, versions, protocols, data formats
• Flexibility – customisation; forward-compatibility to migrate to new levels; backward-compatibility to protect legacy systems; lateral compatibility to enable dual-sourcing and escape
3. Security Risks
• Service Security – environmental, second-party and third-party threats to any aspect of reliability or integrity
• Data Security – environmental, second-party and third-party threats to content, both in remote storage and in transit
• Authentication and Authorisation – how to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?
• Susceptibility to DDoS – multiple, separate servers; but choke-points will exist
4. Commercial Disbenefits and Risks
• Acquisition
  • Lack of information
  • Non-Negotiability of Terms and SLA
• Ongoing
  • Loss of Corporate Expertise regarding apps, IT services, costs to deliver
  • Inherent Lock-In Effect from high switching costs, formats, protocols
  • High-volume Data Transfers from large datasets, replication/synchronisation
  • Service Levels to the Organisation's Customers
5. Compliance Disbenefits and Risks
• General Statutory and Common Law Obligations
  • Evidence Discovery Law
  • Financial Services Regulations
  • Company Directors' obligations re asset protection, due diligence, business continuity, risk management
  • Security Treaty Obligations
• Confidentiality – incl. against foreign governments
  • Strategic
  • Commercial
  • Governmental
• Privacy – particularly Unauthorised Use and Disclosure: Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)
Risk Management Strategies
Processes
• Risk Assessment => Risk Management
Legal Aspects
• Service Level Agreement (SLA)
SLA Checklist (ITIL v3, Edited Down)
1. Service name
2. Clearance information (with location and date)
   1. Service Level Manager
   2. Customer
3. Contract duration
   1. Start and end dates
   2. Rules regarding termination of the agreement
4. Description / desired customer outcome
   1. Business justification
   2. Business processes / activities on the customer side supported by the service
   3. Desired outcome in terms of utility
   4. Desired outcome in terms of warranty
5. Service and asset criticality
   1. Identification of business-critical assets connected with the service
      1. Vital Business Functions (VBFs) supported by the service
      2. Other critical assets used within the service
   2. Estimation of the business impact caused by a loss of service or assets
6. Reference to further contracts which also apply (e.g. SLA)
7. Service times
   1. Hours when the service is available
   2. Exceptions (e.g. weekends, public holidays)
   3. Maintenance slots
8. Required types and levels of support
   1. On-site support
      1. Area / locations
      2. Types of users
      3. Types of infrastructure to be supported
      4. Reaction and resolution times
   2. Remote support
      1. Area / locations
      2. Types of users (user groups granted access to the service)
      3. Types of infrastructure to be supported
      4. Reaction and resolution times
9. Service level requirements / targets
   1. Availability targets and commitments
      1. Conditions under which the service is considered to be unavailable
      2. Availability targets
      3. Reliability targets (usually defined as MTBF or MTBSI)
      4. Maintainability targets (usually defined as MTRS)
      5. Downtimes for maintenance
      6. Restrictions on maintenance
      7. Procedures for announcing interruptions to the service
      8. Requirements regarding availability reporting
   2. Capacity / performance targets and commitments
      1. Required capacity (lower/upper limit) for the service, e.g.
         1. Numbers and types of transactions
         2. Numbers and types of users
         3. Business cycles (daily, weekly) and seasonal variations
      2. Response times from applications
      3. Requirements for scalability
      4. Requirements regarding capacity and performance reporting
   3. Service Continuity commitments
      1. Time within which a defined level of service must be re-established
      2. Time within which normal service levels must be restored
10. Mandated technical standards and specification of the technical service interface
11. Responsibilities
   1. Duties of the service provider
   2. Duties of the customer (contract partner for the service)
   3. Responsibilities of service users (e.g. with respect to IT security)
   4. IT Security aspects to be observed when using the service
12. Costs and pricing
   1. Cost for the service provision
   2. Rules for penalties / charge-backs
13. Change history
14. List of annexes
A New Digital Security Model
• In a highly-interconnected world, Perimeter Security / The Walled Fortress doesn't work any more
• The new Core Principle: when unauthorised access happens, make sure that the data is valueless to anyone other than the user-organisation
A New Digital Security Model: Some Implementation Techniques
• Obscure the content and identities (only the user-organisation has the decryption key)
• Use pseudo-identifiers, not identifiers (only the user-organisation has the cross-index)
• Split the content into 'small enough' morsels (only the user-organisation has the whole picture)
• Authenticate attributes rather than identities
NITTA (2011) 'New Digital Security Models', National IT and Telecom Agency, Copenhagen, February 2011, http://digitaliser.dk/resource/896495
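The three "only the user-organisation has ..." techniques above, as an added Python example that is not from the slides or from NITTA: keyed pseudonyms with a locally held cross-index, per-field encryption, and morsels spread over several providers so that none holds the whole record. The provider names, the record fields and the HMAC-counter stand-in cipher are constructed for the demo; a production system would use a real AEAD such as AES-GCM from a crypto library.

```python
"""Constructed demonstration, not from the slides: the cloud copy stays valueless
without the user-organisation's secrets, which never leave the organisation."""
import hashlib
import hmac
import json
import os


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudo-identifier: stable, so records can still be joined, but not
    reversible without the key (the organisation keeps the cross-index)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo stand-in for a real AEAD such as AES-GCM: HMAC-SHA256 in counter mode,
    XORed over the data. Symmetric, so the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def outsource(record: dict, providers: dict, secrets: dict) -> dict:
    """Encrypt every field separately and spread the morsels round-robin over the
    providers, keyed by pseudonym. Returns the cross-index entry the organisation keeps."""
    pid = pseudonym(record["customer_id"], secrets["pseudonym_key"])
    names, placement = sorted(providers), {}
    for i, field in enumerate(f for f in record if f != "customer_id"):
        prov = names[i % len(names)]          # no single provider holds the whole picture
        nonce = os.urandom(12)
        ct = keystream_xor(secrets["content_key"], nonce, json.dumps(record[field]).encode())
        providers[prov][(pid, field)] = nonce + ct   # provider sees pseudonym + ciphertext only
        placement[field] = prov
    return {"customer_id": record["customer_id"], "pseudonym": pid, "placement": placement}


def reassemble(entry: dict, providers: dict, secrets: dict) -> dict:
    """Only the holder of the cross-index and the content key can rebuild the record."""
    record = {"customer_id": entry["customer_id"]}
    for field, prov in entry["placement"].items():
        blob = providers[prov][(entry["pseudonym"], field)]
        record[field] = json.loads(keystream_xor(secrets["content_key"], blob[:12], blob[12:]))
    return record


def provider_view(providers: dict, name: str) -> list:
    """Everything one provider (or an intruder inside it) can see of the record."""
    return [(pid, field, blob.hex()) for (pid, field), blob in providers[name].items()]
```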
Categories of Use-Profile
• CC is very well-suited for ...
  • Uses of computing that are highly price-sensitive
  • Adjuncts to analysis and decision-making
  • Trade off loss of control, uncertain reliability and contingent risks against cost-advantages, convenience, scalability, etc.
• CC is completely inappropriate for ...
  • 'Mission-critical systems'
  • Systems embodying the organisation's 'core competencies'
  • Applications whose failure or extended malperformance would threaten the organisation's health or survival
• CC may be applicable, it all depends ...
  • Can the risks be adequately understood and managed?
  • Trade-offs between potential benefits vs. uncontrollable risks
Questions to ask Cloudsourcing Tenderers
• How do you ensure that natural disasters and DDoS won't interrupt or delay my services?
• What's your Vulnerability Testing regime?
  [Slide image: Managed Vulnerability Assessment Service (MVAS), PSARN Management & Engineering]
• How do you know, and how do I know, at all times, the Jurisdictional Location(s) of my data?
• How do you assure me that my unencrypted data is never in, and never crosses, particular jurisdictions?
• After 3 hours' delay, what's your Contingency Plan?
  "The Virgin Blue check-in system that crashed and left tens of thousands of passengers stranded was meant to be backed up by a parallel 'disaster recovery system' within 3 hours, but it did not work for 21 hours"
• Where are the Backups of my data?
• If I choose someone else, what's involved in Switching Suppliers, to you, at a later date?
Conclusion
• "Past efforts at utility computing failed, and we note that in each case one or two ... critical characteristics were missing" (Armbrust et al. 2008, p. 5 – UC Berkeley)
• CC may be just another marketing buzz-phrase that leaves corporate wreckage in its wake
• CC service-providers need to invest a great deal in many aspects of architecture, infrastructure, applications, and terms of contract and SLA
• User organisations need to trial CC with care