WOMEN
Pre Final Year
C.DIVYA
divyancm@gmail.com
ABSTRACT
Cloud computing is basically an Internet-based network made up of large numbers of servers - mostly based on open standards, modular and inexpensive. Clouds contain vast amounts of information and provide a variety of services to large numbers of people. The benefits of cloud computing discussed here include reduced data leakage, decreased evidence acquisition time, eliminated or reduced service downtime, forensic readiness and decreased evidence transfer time. The main factor to be discussed is the security of cloud computing, which is a risk factor involved in major computing fields.
A typical cloud computing system

Soon, there may be an alternative for executives like you. Instead of installing a suite of software for each computer, you'd only have to load one application. That application would allow workers to log into a Web-based service which hosts all the programs the user would need for his or her job. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry. In a cloud computing system, there's a significant workload shift. Local computers no longer have to do all the heavy lifting when it comes to running applications. The network of computers that make up the cloud handles them instead. Hardware and software demands on the user's side decrease. The only thing the user's computer needs to be able to run is the cloud computing system's interface software, which can be as simple as a

A. CENTRALIZED DATA:

• Reduced Data Leakage: this is the benefit I hear most from Cloud providers - and in my view they are right. How many laptops do we need to lose before we get this? How many backup tapes? The data “landmines” of today could be greatly reduced by the Cloud as thin client technology becomes prevalent. Small, temporary caches on handheld devices or netbook computers pose less risk than transporting data buckets in the form of laptops. Ask the CISO of any large company if all laptops have company ‘mandated’ controls consistently applied; e.g. full disk encryption. You’ll see the answer by looking at the whites of their eyes. Despite best efforts around asset management and endpoint security we continue to see embarrassing and disturbing misses. And what about SMBs? How many use encryption for sensitive data, or even have a data classification policy in place?
• Monitoring benefits: central storage is easier to control and monitor. The flipside is the nightmare scenario of comprehensive data theft. However, I would rather spend my time as a security professional figuring out smart ways to protect and monitor access to data stored in one place (with the benefit of situational advantage) than trying to figure out all the places where the company data resides across a myriad of thick clients! You can get the benefits of Thin Clients today but Cloud Storage provides a way to centralize the data faster and potentially cheaper. The logistical challenge today is getting Terabytes of data to the Cloud in the first place.

B. INCIDENT RESPONSE / FORENSICS:

• Forensic readiness: with Infrastructure as a Service (IaaS) providers, I can build a dedicated forensic server in the same Cloud as my company and place it offline, ready for use when needed. I would only need pay for storage until an incident happens and I need to bring it online. I don’t need to call someone to bring it online or install some kind of remote boot software - I just click a button in the Cloud Provider's web interface. If I have multiple incident responders, I can give them a copy of the VM so we can distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. To fully realize this benefit, commercial forensic software vendors would need to move away from archaic, physical dongle based licensing schemes to a network licensing model.

• Decrease evidence acquisition time: if a server in the Cloud gets compromised (i.e. broken into), I can now clone that server at the click of a mouse and make the cloned disks instantly available to my Cloud Forensics server. I didn’t need to “find” storage or have it “ready, waiting and unused” - it’s just there.

• Eliminate or reduce service downtime: Note that in the above scenario I didn’t have to go tell the COO that the system needs to be taken offline for hours whilst I dig around in the RAID Array hoping that my physical acquisition toolkit is compatible (and that the version of RAID firmware isn’t supported by my forensic software). Abstracting the hardware removes a barrier to even doing forensics in some situations.

• Decrease evidence transfer time: In the same Cloud, bit for bit copies are super fast - made faster by that replicated, distributed file system my Cloud provider engineered for me. From a network traffic perspective, it may even be free to make the copy in the same Cloud. Without the Cloud, I would have to do a lot of time
consuming and expensive provisioning of physical devices. I only pay for the storage as long as I need the evidence.

• Eliminate forensic image verification time: Some Cloud Storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 hash automagically when you store an object. In theory you no longer need to generate time-consuming MD5 checksums using external tools - it’s already there.

• Decrease time to access protected documents: Immense CPU power opens some doors. Did the suspect password protect a document that is relevant to the investigation? You can now test a wider range of candidate passwords in less time to speed investigations.

C. PASSWORD ASSURANCE TESTING (AKA CRACKING):

• Decrease password cracking time: if your organization regularly tests password strength by running password crackers you can use Cloud Compute to decrease crack time and you only pay for what you use. Ironically, your cracking costs go up as people choose better passwords ;-).

• Keep cracking activities to dedicated machines: if today you use a distributed password cracker to spread the load across non-production machines, you can now put those agents in dedicated Compute instances - and thus stop mixing sensitive credentials with other workloads.

D. LOGGING:

• “Unlimited”, pay per drink storage: logging is often an afterthought, consequently insufficient disk space is allocated and logging is either non-existent or minimal. Cloud Storage changes all this - no more ‘guessing’ how much storage you need for standard logs.

• Improve log indexing and search: with your logs in the Cloud you can leverage Cloud Compute to index those logs in real-time and get the benefit of instant search results. What is different here? The Compute instances can be plumbed in and scale as needed based on the logging load - meaning a true real-time view.

• Getting compliant with Extended logging: most modern operating systems offer extended logging in the form of a C2 audit trail. This is rarely enabled for fear of performance degradation and log size. Now you can ‘opt-in’ easily - if you are willing to pay for the enhanced logging, you can do so. Granular logging makes compliance and investigations easier.

E. IMPROVE THE STATE OF SECURITY SOFTWARE (PERFORMANCE):

• Drive vendors to create more efficient security software: Billable CPU cycles get noticed. More attention will be paid to inefficient processes; e.g. poorly tuned security agents. Process accounting will make a comeback as customers target ‘expensive’ processes. Security vendors that understand how to squeeze the most performance from their software will win.
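An added example (not from the original paper and not Amazon's code) of the check behind "Eliminate forensic image verification time": comparing a local evidence image with the MD5-based ETag the store reports. It assumes an unencrypted or SSE-S3 object and a known part size for multipart uploads, because a multipart ETag is the MD5 of the concatenated per-part MD5 digests followed by "-" and the part count, not an MD5 of the content; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import io


def expected_s3_etag(stream, part_size=None):
    """ETag expected for an unencrypted or SSE-S3 object (assumption).

    part_size=None models a single PUT: the ETag is the hex MD5 of the data.
    Otherwise it models a multipart upload made with fixed-size parts.
    """
    if part_size is None:
        md5 = hashlib.md5()
        for chunk in iter(lambda: stream.read(1 << 20), b""):
            md5.update(chunk)
        return md5.hexdigest()
    part_digests = [hashlib.md5(part).digest()
                    for part in iter(lambda: stream.read(part_size), b"")]
    combined = hashlib.md5(b"".join(part_digests)).hexdigest()
    return f"{combined}-{len(part_digests)}"


def verify_image(stream, reported_etag, part_size=None):
    """Return (etag_matches, sha256_hex) for a seekable local evidence image."""
    etag = reported_etag.strip('"')          # the API returns the ETag quoted
    multipart = "-" in etag
    if multipart and part_size is None:
        raise ValueError("multipart ETag is not a plain MD5; part size required")
    start = stream.tell()
    expected = expected_s3_etag(stream, part_size if multipart else None)
    stream.seek(start)
    # MD5 only catches accidental corruption; keep a SHA-256 for the case file.
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        sha256.update(chunk)
    return expected == etag, sha256.hexdigest()


if __name__ == "__main__":
    image = bytes(range(256)) * 40           # constructed 10 KiB "disk image"
    part = 4096                              # constructed part size (3 parts);
                                             # real uploads use parts >= 5 MiB
    etag = '"' + expected_s3_etag(io.BytesIO(image), part) + '"'
    print(etag, verify_image(io.BytesIO(image), etag, part))
    tampered = image[:-1] + b"\x00"
    print(verify_image(io.BytesIO(tampered), etag, part)[0])
```
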
F. SECURE BUILDS:

• Pre-hardened, change control builds: this is primarily a benefit of virtualization based Cloud Computing. Now you get a chance to start ’secure’ (by your own definition) - you create your Gold Image VM and clone away. There are ways to do this today with bare-metal OS installs but frequently these require additional 3rd party tools, are time consuming to clone or add yet another agent to each endpoint.

• Reduce exposure through patching offline: Gold images can be securely kept up to date. Offline VMs can be conveniently patched “off” the network.

• Easier to test impact of security changes: this is a big one. Spin up a copy of your production environment, implement a security change and test the impact at low cost, with minimal startup time. This is a big deal and removes a major barrier to ‘doing’ security in production environments.

G. SECURITY TESTING:

• Reduce cost of testing security: a SaaS provider only passes on a portion of their security testing costs. By sharing the same application as a service, you don’t foot the expensive security code review and/or penetration test. Even with Platform as a Service (PaaS) where your developers get to write code, there are potential cost economies of scale (particularly around use of code scanning tools that sweep source code for security weaknesses).

Adoption fears and strategic innovation opportunities

Adoption fears

Security: Many IT executives make decisions based on the perceived security risk instead of the real security risk. IT has traditionally feared the loss of control for SaaS deployments based on an assumption that if you cannot control something it must be unsecured. I recall the anxiety about the web services deployment where people got really worked up on the security of web services because the users could invoke an internal business process from outside of a firewall.

The IT will have to get used to the idea of software being delivered outside from a firewall that gets meshed up with on-premise software before it reaches the end user. The intranet, extranet, DMZ, and the internet boundaries have started to blur and this indeed imposes some serious security challenges such as relying on a cloud vendor for the physical and logical security of the data, authenticating users across firewalls by relying on vendor's authentication schemes etc., but assuming challenges as fears is not a smart strategy.

Latency: Just because something runs on a cloud it does not mean it has latency. My opinion is quite the opposite. The cloud computing if done properly has opportunities to reduce latency based on its architectural advantages such as massively parallel processing capabilities and distributed computing. The web-based applications in early days went through the same perception issues and now people don't worry about latency while shopping at Amazon.com or editing a document on
Google docs served to them over a cloud. The cloud is going to get better and better and the IT has no strategic advantages to own and maintain the data centers. In fact the data centers are easy to shut down but the applications are not and the CIOs should take any and all opportunities that they get to move the data centers away if they can.

SLA: Recent Amazon EC2 meltdown and RIM's network outage created a debate around the availability of a highly centralized infrastructure and their SLAs. The real problem is not a bad SLA but lack of one. The IT needs a phone number that they can call in an unexpected event and have an up front estimate about the downtime to manage the expectations. Maybe I am simplifying it too much but this is the crux of the situation. The fear is not so much about 24x7 availability since an on-premise system hardly promises that but what bothers IT the most is inability to quantify the impact on business in an event of non-availability of a system and set and manage expectations upstream and downstream. The non-existent SLA is a real issue and I believe there is a great service innovation opportunity for ISVs and partners to help CIOs with the adoption of the cloud computing by providing a rock solid SLA and transparency into the defect resolution process.

Strategic innovation opportunities

Seamless infrastructure virtualization: If you have ever attempted to connect to Second Life behind the firewall you would know that it requires punching a few holes into the firewall to let certain unique transports pass through and that's not a viable option in many cases. This is an intra-infrastructure communication challenge. I am glad to see IBM's attempt to create a virtual cloud inside firewall to deploy some of the regions of the Second Life with seamless navigation in and out of the firewall. This is a great example of a single sign on that extends beyond the network and hardware virtualization to form infrastructure virtualization with seamless security.

Hybrid systems: The IBM example also illustrates the potential of a hybrid system that combines an on-premise system with remote infrastructure to support seamless cloud computing. This could be a great start for many organizations that are on the bottom of the S curve of cloud computing adoption. Organizations should consider pushing non-critical applications on a cloud with loose integration with on-premise systems to begin the cloud computing journey and as the cloud infrastructure matures and some concerns are alleviated IT could consider pushing more and more applications on the cloud. Google App Engine for cloud computing is a good example to start creating applications on-premise that can eventually run on Google's cloud and Amazon's AMI is expanding day-by-day to allow people to push their applications on Amazon's cloud. Here is a quick comparison of Google and Amazon in their cloud computing efforts. Elastra's solution to deploy EnterpriseDB on the cloud is also a good example of how organizations can outsource IT on the cloud.

6. BENEFITS:

Cloud computing infrastructures can allow enterprises to achieve more efficient use of their IT Hardware and software investments. They do this by breaking down the physical barriers inherent in
isolated systems, and automating the management of the group of systems as a single entity.

Cloud computing is an example of an ultimately virtualized system, and a natural evolution for Data centers that employ automated systems management, workload balancing, and virtualization technologies. A cloud infrastructure can be a cost efficient model for delivering information services.

Application:

A cloud application leverages cloud computing in software architecture, often eliminating the need to install and run the application on the customer's own computer, thus alleviating the burden of software maintenance, ongoing operation, and support. For example:

• Peer-to-peer / volunteer computing (BOINC, Skype)
• Web applications (Webmail, Facebook, Twitter, YouTube, Yammer)
• Security as a service (MessageLabs, Purewire, ScanSafe, Zscaler)
• Software as a service (Google Apps, Salesforce, Nivio, Learn.com, Zoho, BigGyan.com)
• Software plus services (Microsoft Online Services)

Storage [Distributed]

• Content distribution (BitTorrent, Amazon CloudFront)
• Synchronization (Dropbox, Live Mesh, SpiderOak, ZumoDrive)

7. CONCLUSION:

In my view, there are some strong technical security arguments in favour of Cloud Computing - assuming we can find ways to manage the risks. With this new paradigm come challenges and opportunities. The challenges are getting plenty of attention - I’m regularly afforded the opportunity to comment on them, plus obviously I cover them on this blog. However, let’s not lose sight of the potential upside.

Some benefits depend on the Cloud service used and therefore do not apply across the board. For example; I see no solid forensic benefits with SaaS. Also, for space reasons, I’m purposely not including the ‘flip side’ to these benefits, however if you read this blog regularly you should recognize some.

We believe the Cloud offers Small and Medium Businesses major potential security benefits. Frequently SMBs struggle with limited or non-existent in-house INFOSEC resources and budgets. The caveat is that the Cloud market is still very new - security offerings are somewhat foggy - making selection tricky. Clearly, not all Cloud providers will offer the same security.

REFERENCES:

Webguild.org: http://www.webguild.org/
HowStuffWorks.com: http://communication.howstuffworks.com/
Cloudsecurity.org: http://cloudsecurity.org
IBM: http://www.ibm.com/developerworks/websphere/zones/hipods/
Google Suggest: http://www.google.com/webhp?complete=1&hl=en