https://www.isecpartners.com
Raining on the Trendy New Parade
Andrew Becherer, Alex Stamos, Nathan Wilcox
BlackHat USA 2009
Cloud Computing Security
Agenda
Cloud Computing Defined
Software as a Service
Platform as a Service
Infrastructure as a Service
Special Thanks
Chris Clark
Alex Vidergar
Scott Stender
Andreas Junestam
Cloud Computing
“am i the only one who has an urge to punch myself in the neck whenever i hear about 'the cloud'?”
- Arshan Dabirsiaghi
Commenter at Jeremiah’s Blog
No, Arshan, you are not the only one.
Cloud Computing
Term is useless
What is it not?
Virtualization
Remote backup
Most of the stuff called cloud computing
Cloud Computing
Generally means:
Lots of general purpose hosts
Central management
Distributed data storage
Ability to move applications from system to system
Low-touch provisioning system
Soft failover/redundancy
If you aren’t re-writing your software, it’s not Cloud Computing
Cloud Computing
All technological and policy assessments must be based on:
Specific deployment model
Specific implementation
Anybody who talks about “Cloud Computing Security” in general is selling you something
Software as a Service
Authentication
Audit
Taking Back Control
Software as a Service
Hypervisor
Datacenter (Power, Cooling, Physical Security)
CPU
Networking
Storage
Backup
Application Server
Middleware
Database
Operating System
Application
Your Data
Cloudy Authentication
Recent Twitter incident reinforces an important point:
“No matter how low an opinion you have of your users, they will figure out a way to disappoint you.”
-Stamos’ Law
Authentication and Credentials
What controls do we lose when using SaaS?
Physical and logical network barriers
Endpoint restrictions and management
Non-password auth
Fine grained credential quality controls
Password reset process
Real-time anomaly detection
Most IT departments believe in some of these
Many people doubt usefulness of perimeter
Hackers aren’t unicorns
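The slide lists real-time anomaly detection among the controls an organization gives up when it moves to SaaS. The script below is an added illustration, not material from the talk, of the kind of check an in-house identity system would normally run: it consumes a login audit trail and flags a user who authenticates from two countries inside one hour, or who succeeds right after a burst of failures. The CSV field layout (timestamp, user, country, result) and the sample events are constructed for this example; a real SaaS provider's audit export will use its own format, and what you can recover of this control depends on whether such an export exists at all.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail: ISO timestamp, user, source country, result.
# alice: two successes from different countries 20 minutes apart (flag).
# bob: five failures in five minutes, then a success (flag).
# carol: two countries, but three hours apart (below the travel window, no flag).
SAMPLE_LOG = """\
2009-07-28T09:00:00,alice,US,success
2009-07-28T09:20:00,alice,RU,success
2009-07-28T10:00:00,bob,US,failure
2009-07-28T10:01:00,bob,US,failure
2009-07-28T10:02:00,bob,US,failure
2009-07-28T10:03:00,bob,US,failure
2009-07-28T10:04:00,bob,US,failure
2009-07-28T10:05:00,bob,US,success
2009-07-28T11:00:00,carol,US,success
2009-07-28T14:00:00,carol,GB,success
"""


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    country: str
    success: bool


def parse_event(line: str) -> LoginEvent:
    """Parse one constructed CSV audit line into a LoginEvent."""
    ts_text, user, country, result = line.strip().split(",")
    return LoginEvent(datetime.fromisoformat(ts_text), user, country, result == "success")


def detect_anomalies(events, travel_window=timedelta(hours=1),
                     fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Return a list of alert tuples for two simple login anomalies.

    impossible_travel: consecutive successes from different countries closer
        together than travel_window.
    burst_then_success: at least fail_threshold failures within fail_window
        immediately preceding a success (a guessing run that eventually worked).
    """
    alerts = []
    last_success = {}               # user -> most recent successful event
    failures = defaultdict(list)    # user -> timestamps of failures since last success

    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            failures[ev.user].append(ev.ts)
            continue

        prev = last_success.get(ev.user)
        if prev is not None and prev.country != ev.country and ev.ts - prev.ts <= travel_window:
            alerts.append(("impossible_travel", ev.user, prev.country, ev.country))

        recent_failures = [t for t in failures[ev.user] if ev.ts - t <= fail_window]
        if len(recent_failures) >= fail_threshold:
            alerts.append(("burst_then_success", ev.user, len(recent_failures)))

        failures[ev.user] = []      # a success resets the failure run
        last_success[ev.user] = ev

    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_anomalies(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately crude; the point is that this logic needs per-event, near-real-time access to authentication data, which is exactly what a SaaS tenant usually only gets after the fact, if at all.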