1 SECURITY IN COMPUTING, FIFTH EDITION
Chapter 11: Cloud Computing
Instructor: Gao Haibo, Henan University of Chinese Medicine, Information Management and Information Systems Teaching and Research Office
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
2 Objectives for Chapter 11
• Define cloud services, including types and service models
• Explain how to define cloud service requirements and identify appropriate services
• Survey cloud-based security capabilities and offerings
• Discuss cloud storage encryption considerations
• Describe protection of cloud-based applications and infrastructures
• Explain the major federated identity management standards and how they differ
3 What Is Cloud Computing?
• On-demand self-service
  • Add or subtract resources as necessary
• Broad network access
  • Mobile, desktop, mainframe
• Resource pooling
  • Multiple tenants share resources that can be reassigned dynamically according to need and invisibly to the tenants
• Rapid elasticity
  • Services can quickly and automatically scale up or down to meet customer need
• Measured service
  • Like water, gas, or telephone service, usage can be monitored for billing
4 Service Models
• Software as a service (SaaS)
  • The cloud provider gives the customer access to applications running in the cloud
• Platform as a service (PaaS)
  • The customer has his or her own applications, but the cloud provides the languages and tools for creating and running them
• Infrastructure as a service (IaaS)
  • The cloud provider offers processing, storage, networks, and other computing resources that enable customers to run any kind of software
5 Service Models
[Figure: the cloud service stack, top layer to bottom layer, with the provider that administers each layer]
• Applications (administered by the SaaS provider)
• Application platform: tools and APIs for building and deploying applications (administered by the PaaS provider)
• Virtual machines, virtual volume storage, virtual networking equipment
• Hypervisor
• Hardware: servers, storage devices, and networking equipment
  (the virtualization and hardware layers are administered by the IaaS provider)
6 Deployment Models
• Private cloud
  • Infrastructure that is operated exclusively by and for the organization that owns it
• Community cloud
  • Shared by several organizations with common needs, interests, or goals
• Public cloud
  • Owned by a cloud service provider and offered to the general public
• Hybrid cloud
  • Composed of two or more types of clouds, connected by technology that enables data and applications to balance loads among those clouds
7 Cloud Migration Risk Analysis
• Identify assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
• Compute expected loss
• Survey and select new controls
• Project savings
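The six steps above form one procedure, so the following Python script, added here as an illustration and not taken from the textbook or the slides, carries them through end to end: it computes each vulnerability's annual expected loss (asset value × exposure × likelihood of exploitation), then keeps a candidate control only when the loss it avoids exceeds what it costs, and reports the net projected savings. All asset values, vulnerability names, likelihoods, control names and prices are constructed for the example.

```python
"""Worked cloud-migration risk analysis (added example; all figures are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # replacement / business value in currency units


@dataclass(frozen=True)
class Vulnerability:
    asset: str         # name of the exposed asset
    name: str
    likelihood: float  # estimated probability of exploitation per year
    exposure: float    # fraction of the asset's value lost if exploited


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict    # vulnerability name -> fraction by which its likelihood drops


# Step 1: identify assets (constructed values)
ASSETS = {a.name: a for a in (
    Asset("customer-db", 500_000.0),
    Asset("web-app", 200_000.0),
)}

# Steps 2 and 3: determine vulnerabilities and estimate likelihood of exploitation
VULNS = [
    Vulnerability("customer-db", "unencrypted-storage", likelihood=0.10, exposure=0.8),
    Vulnerability("web-app", "password-only-auth", likelihood=0.25, exposure=0.5),
    Vulnerability("web-app", "no-audit-logging", likelihood=0.05, exposure=0.2),
]

# Step 5 candidates: controls a provider might offer (hypothetical names and prices)
CANDIDATE_CONTROLS = [
    Control("provider-managed-encryption", 6_000.0, {"unencrypted-storage": 0.9}),
    Control("multi-factor-auth", 4_000.0, {"password-only-auth": 0.8}),
    Control("audit-log-export", 5_000.0, {"no-audit-logging": 0.5}),
]


def single_loss(vuln, assets):
    """Loss from one exploitation of this vulnerability: asset value x exposure."""
    return assets[vuln.asset].value * vuln.exposure


def annual_expected_loss(vulns, assets, controls=()):
    """Step 4: sum over vulnerabilities of single loss x residual yearly likelihood."""
    total = 0.0
    for v in vulns:
        residual = v.likelihood
        for c in controls:  # each control scales down the likelihoods it mitigates
            residual *= 1.0 - c.reduction.get(v.name, 0.0)
        total += single_loss(v, assets) * residual
    return total


def projected_savings(vulns, assets, controls):
    """Step 6: loss avoided by the controls minus what the controls cost per year."""
    avoided = annual_expected_loss(vulns, assets) - annual_expected_loss(vulns, assets, controls)
    return avoided - sum(c.annual_cost for c in controls)


def select_controls(vulns, assets, candidates):
    """Step 5: keep a control only if it raises net savings (greedy, cheapest first)."""
    chosen, best = [], 0.0
    for c in sorted(candidates, key=lambda c: c.annual_cost):
        trial = chosen + [c]
        savings = projected_savings(vulns, assets, trial)
        if savings > best:
            chosen, best = trial, savings
    return chosen, best


if __name__ == "__main__":
    print(f"expected annual loss with no new controls: {annual_expected_loss(VULNS, ASSETS):,.0f}")
    picked, net = select_controls(VULNS, ASSETS, CANDIDATE_CONTROLS)
    for c in picked:
        print(f"  adopt {c.name} (cost {c.annual_cost:,.0f}/yr)")
    print(f"projected net savings: {net:,.0f}/yr")
```

With the constructed figures the expected loss before any new control is 67,000 per year; the encryption and multi-factor controls each avoid far more loss than they cost and are selected, while audit-log export avoids only 1,000 per year against a 5,000 price and is rejected, for a net projected saving of 46,000 per year. The point of the exercise is the comparison, not the numbers: a control worth adopting on-premises may not be once the provider's pricing and the residual likelihood are written down.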
8 Cloud Provider Assessment
• Security issues to consider:
  • Authentication, authorization, and access control options
  • Encryption options
  • Audit logging capabilities
  • Incident response capabilities
  • Reliability and uptime
• Resources to help with assessment:
  • FedRAMP
  • PCI DSS
  • CSA STAR
9 Switching Cloud Providers
• Switching cloud providers is expensive and difficult but sometimes becomes necessary and urgent
• It is best to have backup options in place in case a migration away from a cloud provider is necessary, but many cloud providers make that practically impossible
• SaaS providers are generally hardest to migrate away from, followed by PaaS, then IaaS
10 Security Benefits of Cloud Services
• Geographic diversity
  • Many cloud providers run data centers in disparate geographic locations and mirror data across locations, providing protection from natural and other local disasters.
• Platform and infrastructure diversity
  • Different platforms and infrastructures mean different bugs and vulnerabilities, which makes a single attack or error less likely to bring a system down. Using cloud services as part of a larger system can be a good way to diversify your technology stack.