Uploaded byptaglephd
505 views

Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

The document discusses the possibilities and security challenges of cloud computing, emphasizing its role as a business evolution rather than a technology revolution. It outlines various cloud service models, deployment models, and critical governance domains, while also addressing major concerns such as data protection, compliance, and incident management. Ultimately, it stresses the importance of understanding both operational and security implications when considering cloud adoption.

Downloaded 38 times
Possibilities and Security Challenges of Cloud Computing InfoSec Conference 2010 Hotel Intercontinental Makati City, Philippines 25 August 2010 Pierre U. Tagle, Ph.D., CISA pierre.tagle@mobiliance.com Outline 1 Introduction 2 What is Cloud Computing? 3 Possibilities and Security Challenges 4 Critical Areas for Cloud Implementations 2
Introduction Mobiliance Incorporated is an We offer services to: INDEPENDENT technology • EVALUATE and understand consulting and software services your business needs; firm which partners with • Recommend ways to commercial and government ENHANCE how technology, establishments/organisations to people and processes fits solve their toughest Information into your business; Technology problems and issues. • INTEGRATE new and existing technology to better suit your business; • MAINTAIN your technology investments; and • Help you PRESERVE your investment to carry your business into the future. 3 Our Services • Security Assessment and • Technology Assessment Design and Design – Security Architecture • IT Governance / Risk Assessment / Design Management – Disaster Recovery / – Vulnerability Business Continuity Assessment – IT Governance • Network Assessment and – IT Risk Assessments Design • Technology Management – Alignment with Advice (Virtual CIO/CTO) business • Software Development requirements – From complete SDLC – Performance, or to assist in reliability and specific phases availability analysis 4
What is Cloud Computing? • Virtually every vendor or provider has jumped on the cloud computing bandwagon and has slapped the “cloud” label on it, e.g. hosting, outsourcing, ASP, on-demand computing, grid computing, utility computing, etc. – Some reports indicate that there were at least 22 different definitions of the cloud in use. • Cloud computing is NOT a technology revolution, but rather a process and business evolution – on how many technologies and services are used in enabling what is referred to as Cloud Computing. • A simplified definition can be that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and are able to use it as a pay-per-use service. 5 NIST Cloud Definition Framework “Cloud computing is a model for enabling convenient, on- demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider The NIST cloud model promotes availability interaction.” and is composed of 5 essential characteristics, 3 service models and 4 deployment models. 6
5 Essential Characteristics • On-demand self-service • Broad network access • Resource pooling – Location independence • Rapid elasticity • Measure service Source: Techmixer.com 7 3 Cloud Service / Delivery Models • Cloud Software as a Service (SaaS) – Use provider’s apps over a network • Cloud Platform as a Service (PaaS) – Deploy customer- created applications to a cloud • Cloud Infrastructure as a Service (IaaS) Source: NIST Presentations – Rent processing, storage, network Note: To be considered “cloud” these must be capacity, etc. deployed on top of a cloud infrastructure with the key characteristics. 8
Cloud Services Examples • SaaS – Salesforce.com – Google Apps • PaaS – Google AppsEngine, Force.com, IBM IT Factory • IaaS – Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid – Amazon Simple Storage Service (Amazon S3) 9 Cloud Deployment Models • Private cloud – Enterprise owned or leased • Community cloud – Shared infrastructure for specific communitiy • Public cloud – Available to the public, typically mega-scale infrastructure • Hybrid cloud – Composition of 2 or more clouds 10
Possibilities and Benefits 11 Adoption Areas 12
Cloud Computing Challenges & Risks • Data Protection – Where is my data? – How does my data securely enter/exit the cloud? (and how is it protected during transit?) – Who has access to my • Integration and Cost data? – How easy is it to integrate • Risk / Incident Management with in-house IT? – Who is accountable if – Are there customization something goes wrong? options to suit my needs? – What’s the disaster – Will on-demand cost recovery plan? more? – What happens if my cloud – How difficult to migrate provider disappears? back to an in-house – How is the environment system? (if possible) monitored? How are we • Compliance notified in the event of – Are there any regulatory failures/outages? requirements? 13 Challenges and Risks Security remains the top concern and was raised by 87.5% of respondents in IDC 2009 survey (up from 74.6% in 2008) 14
Service Provider Requirements • Pricing is key area BUT • security and related concerns can be “seen” in user wish-list of the service features SLAs, option to move back on-premise, allow managing on-premise , offer both on-premise and public cloud services, have local presence 15 Security in the Cloud • Security controls in cloud computing are no different than security controls in an IT environment BUT... – the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the Source: Cloud Security Alliance organisation. • Understanding the “Cloud computing is about gracefully losing differences between service control while maintaining accountability models and their even if the operational responsibility implementation is critical to falls upon one or more third parties.” the management of risk to – Cloud Security Alliance the organisation. 16
Security Advantages • Reduction of exposure of internal sensitive data with move to external cloud – Data fragmentation and dispersal are managed by unbiased party (cloud vendor assertion) – Various studies show that a large amount of abuse are done by internal IT professionals • Cloud homogeneity makes security auditing / testing simpler • Clouds enable automated security management • Redundancy / Disaster Recovery 17 Security Challenges • Trusting vendor’s security model • Customer inability to respond to audit findings • Indirect administrator accountability • Obtaining support for investigations • Indirect administrator accountability • Proprietary implementations cannot be examined • Loss of physical control • Data dispersal and international privacy laws • Logging challenges • Quality of service guarantees 18
Ensuring Compliance in the Cloud • The use of cloud computing by itself does not provide for or prevent achieving compliance. • Cloud services must be mapped against compensating controls to determine which exists and which do not – either by the end user, service provider or a third party. • Gaps analysis results are fed into the risk assessment framework – accept, transfer or Source: Cloud Security Alliance mitigate. 19 Cloud Implementation Use Case Taxonomy • Service Consumer – SaaS is consumed by end users, e.g. employees, clients, partners – PaaS is consumed by software developers – IaaS is consumed by IT managers Source: Cloud Computing Use Case Discussion Group • The various components must be managed by the company or a third party solution provider. 20
Determining Candidates for the Cloud • Review applications and IT • Typical Rules of Thumb: resources / systems – If mission-critical and • Categorise into: non-core then possibly – Mission-critical, i.e. good candidate for the business will not cloud survive without it – If mission-critical and – Non-mission critical core, possibly keep • Sub-categorise into: internal or in private cloud – Core business practices, i.e. provides – If non-mission critical service differentiation and non-core then okay for public clouds – Non-core, i.e. internal activities – If non-mission critical and core, possibly keep internal or in private cloud 21 Candidates for the Public Cloud GOOD BAD • Applications used by mobile • Applications with very workers, particularly those sensitive data (with possible used to manage time, regulatory or legal risk) activities, etc. • Applications that require very • Software development intensive data workloads or environments very performance sensitive • Applications that require applications hardware/software not – Possible cost issue normally available within the • Applications that require company extensive or high • Applications that run customization infrequently but require considerable resources, e.g. test and pre-production systems • Backup for critical applications • Distributed server and data centre locations 22
Cloud Adoption Model Example • Prepare IT portfolio – Virtualization not necessary but can simplify migration, updates, etc. • Cloud experimentation – Usage, experimentation and laying of groundwork • Cloud foundations – Finalize application architecture and platform • Cloud exploitation – Deployment (either private or public) in the cloud – Get apps into production, along with processes, policies and procedures Source: eWeek.com • Cloud actualization / HyperCloud – Fully dynamic and autonomic compute environment 23 Cloud Usage Examples • Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infra • Animoto – start-up used Amazon’s cloud services was able to keep up with soaring demand and scale up from 50 to 3,500 instances over a three-day period • Times – wanted to place 60-year period worth of images (i.e. 15-million news stories) moved 4-TB into Amazon S3, ran the software on EC2 then launched the product • Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops. 24
Recommended Areas of Critical Focus GOVERNANCE DOMAINS OPERATIONAL DOMAINS • Governance & Enterprise • Security, Business Risk Management Continuity & Disaster • Legal Recovery • Compliance and Audit • Data Centre Operations • Information Life Cycle • Incident Management Management • Application Security • Portability and • Encryption & Key Interoperability Management • Identity & Access Management • Virtualisation 25 Governance Domains
Governance & Enterprise Risk Management • Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing – Legal precedence for agreements – Assess risk of a cloud provider – Responsibility to protect data – How international boundaries affects issues • Risk management approaches – Include provider’s security governance, risk management and compliance structures and processes – Consistency between provider and end user risk assessment approaches • provider’s design of the cloud service vs. user’s assessment of the cloud service risk. – Adjust DRP/BCP to include new scenarios, e.g. loss of provider services RECOMMENDATIONS 27 Legal Aspects Potential legal issues with the use of Cloud Computing – Protection requirements for information & computer systems – Security disclosure laws – Regulatory requirements – Privacy requirements – International laws RECOMMENDATIONS 28
Compliance and Audit • Ensuring and proving compliance when using Cloud Computing – Company security policies – Industry standards and/or certifications – Regulatory, legislative and other compliance requirements • The end user must understand: – Regulatory application for the use of a cloud service – Division of compliance responsibilities (vs. provider) – Provider’s ability to produce evidence needed for compliance – End user’s role in bridging the gap between provider and audit requirements RECOMMENDATIONS 29 Information Lifecycle Management • Management of data that • The Data Security Lifecycle is placed within the Cloud. – Identification and control of data – Compensating controls to deal with loss of physical control – Data confidentiality, integrity and availability Source: Cloud Security Alliance • Maps to the more general Information Lifecycle Management (ILM) RECOMMENDATIONS 30
Portability and Interoperability • Ability to move data and/or services from one cloud provider to another, or move it back in- house – Portability – Interoperability • Companies may need to switch providers due to: – Unacceptable increase in cost – Provider ceases operation – Provider ceases one or more services – Unacceptable decrease in service quality – Business disputes RECOMMENDATIONS 31 Operational Domains
Security, Business Continuity and Disaster Recovery • How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery • How does cloud computing assist in diminishing risks in certain areas? While possibly increasing in others? RECOMMENDATIONS 33 Data Centre Operations • Identifying common data centre characteristics that are: – Disadvantageous to on-going services and/or – Fundamental to long-term stability. • Technology architectures will differ across providers but they all must support compartmentalization with controls segregating each layer of the infrastructure – Note that some cloud providers may be users of other cloud services, e.g. a SaaS vendor uses PaaS or IaaS vendor(s). RECOMMENDATIONS 34
Incident Management • Proper and adequate incident detection, response, notification and remediation. – Includes processes and procedures at both provider and end user levels • Does the cloud bring about complexities to current incident management procedures? RECOMMENDATIONS 35 Application Security • What type of Application cloud platform to Security Compliance use? SaaS, Architecture PaaS, or IaaS? Cloud • Cloud Apps applications will Tools both impact and SDLC & be impacted by Services various factors • Migrate existing app or design a new app for cloud deployment? Vulnerabilities RECOMMENDATIONS 36
Encryption and Key Management • Cloud environments Encrypt data Secure sensitive information even are shared, within provider’s environment. and providers in transit for Confidentiality generally have privileged and Integrity access Encryption • Encryption offers benefits Encrypt data Differences in implementation from of less reliance at rest IaaS to PaaS to SaaS on provider • Identifying proper encryption usage and Encrypt data Protect against misuse of key on backup lost/stolen media. management media RECOMMENDATIONS 37 Identity and Access Management • Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation. • Management of identities to provide access control when extending the organisation into the cloud. Identity Provisioning Authentication • Secure and time management of provisioning Address authentication related and deprovisioning of users challenges, e.g. strong authentication in the cloud. (multi-factor), delegated • Extension of current user authentication, and trust management management processes to across cloud services. the cloud. Authorization and User Profile Management Federation Establishment of trusted user profile and policy information, Authenticate users of using it to control access within cloud services using the the cloud, and using this in an organisation’s chosen auditable way. identity provider. RECOMMENDATIONS 38
IDaaS • Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations • For internal users: – Review provider’s options to provide secure access to the cloud – Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS. • For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments • PaaS users should review use of industry standards by IDaaS vendors • Proprietary solutions represent a significant risk, the use of open standards is recommended. 39 Virtualisation • Use of virtualisation technology in cloud computing, particularly the security issues related to the system/hardware virtualisation. RECOMMENDATIONS 40
Conclusion • In any move towards an emerging technology and business model, you need in-depth understanding of: – Your IT team (whether in-house or 3rd party including consultants / partners) and capabilities – The Solutions, and – The Service Providers and/or Vendors • No difference with cloud computing any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and if needed, outsourcing partners. • Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and continuously being improved / fine-tuned to meet the perceived challenges and user requirements. 41

More Related Content

PDF
Going to the Cloud
byJosé Ferreiro
 
PDF
Cloud computing 2012
byUni Systems S.M.S.A.
 
PDF
Lax breakfast forum_developing_your_cloud_strategy_05_10_2012
byInternap
 
PDF
Developing Your Cloud Strategy
byInternap
 
PDF
IDC it security dc_transformation_roadshow2012
byUni Systems S.M.S.A.
 
PDF
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
byikanow
 
PPTX
Nyc lunch and learn 03 15 2012 final
byInternap
 
PDF
IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...
byVincent Kwon
 
Going to the Cloud
byJosé Ferreiro
 
Cloud computing 2012
byUni Systems S.M.S.A.
 
Lax breakfast forum_developing_your_cloud_strategy_05_10_2012
byInternap
 
Developing Your Cloud Strategy
byInternap
 
IDC it security dc_transformation_roadshow2012
byUni Systems S.M.S.A.
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
byikanow
 
Nyc lunch and learn 03 15 2012 final
byInternap
 
IBM Global Technology Services - Resilience - The Silver Lining to Cloud Comp...
byVincent Kwon
 

What's hot

PPTX
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
byWeb2Present
 
PDF
Cloud Computing - Jan 2011 - Chandna
byAsheem Chandna
 
PDF
Build 4 The Cloud By Cisco V Mware2
byAzlan NL
 
PDF
Business and Online Services - Ben Kepes
byIntergen
 
PDF
IBM SmartCloudEnterprise use of IBM Rational Solutions
byAlex Amies
 
PPTX
Lets Do the Cloud-CFO Summit 2013
byAimi Aizal Nasharuddin
 
PDF
Enterprise Private Cloud Computing
byCisco Canada
 
PDF
Leaders in the Cloud: Identifying Cloud Business Value for Customers
byOpSource
 
PDF
Sukhbir jasuja digital_trends_11
byHellenic Professionals Informatics Society
 
PDF
Isc2conferancepremay15final
byMahmoud Moustafa
 
PDF
So you’ve bought into the concept of “cloud” technology
byCisco Canada
 
PDF
Running SagePFW in a Private Cloud
byVertical Solutions
 
PDF
IT__forum_11
byUni Systems S.M.S.A.
 
PPTX
Why We Fail: How an architect learned to stop worrying and love the cloud
byAlex Jauch
 
PPTX
Making Sense of the Cloud
bySpiceworks
 
PPTX
The Move to the Cloud for Regulated Industries
bydirkbeth
 
PDF
The cloud talk
byPethuru Raj PhD
 
PPTX
Secure adn Contained Access for Everybody, at Anytime
byUni Systems S.M.S.A.
 
PPTX
Cloud Is Built, Now Who's Managing It?
bydoan_slideshares
 
considering the cloud? From IaaS to SaaS and Beyond - Find Your Path to the C...
byWeb2Present
 
Cloud Computing - Jan 2011 - Chandna
byAsheem Chandna
 
Build 4 The Cloud By Cisco V Mware2
byAzlan NL
 
Business and Online Services - Ben Kepes
byIntergen
 
IBM SmartCloudEnterprise use of IBM Rational Solutions
byAlex Amies
 
Lets Do the Cloud-CFO Summit 2013
byAimi Aizal Nasharuddin
 
Enterprise Private Cloud Computing
byCisco Canada
 
Leaders in the Cloud: Identifying Cloud Business Value for Customers
byOpSource
 
Sukhbir jasuja digital_trends_11
byHellenic Professionals Informatics Society
 
Isc2conferancepremay15final
byMahmoud Moustafa
 
So you’ve bought into the concept of “cloud” technology
byCisco Canada
 
Running SagePFW in a Private Cloud
byVertical Solutions
 
IT__forum_11
byUni Systems S.M.S.A.
 
Why We Fail: How an architect learned to stop worrying and love the cloud
byAlex Jauch
 
Making Sense of the Cloud
bySpiceworks
 
The Move to the Cloud for Regulated Industries
bydirkbeth
 
The cloud talk
byPethuru Raj PhD
 
Secure adn Contained Access for Everybody, at Anytime
byUni Systems S.M.S.A.
 
Cloud Is Built, Now Who's Managing It?
bydoan_slideshares
 

Viewers also liked

PDF
CLOUD & SKY COLORATION
bys11012
 
PPTX
Security Issues in Cloud Computing
byJyotika Pandey
 
PPTX
What is cloud ?
byDibyadip Das
 
PPTX
Cloud Security Issues 1.04.10
byRugby7277
 
PPTX
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 
PDF
SEO: Getting Personal
byKirsty Hulse
 
PDF
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
byux singapore
 
PDF
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
byBarry Feldman
 
CLOUD & SKY COLORATION
bys11012
 
Security Issues in Cloud Computing
byJyotika Pandey
 
What is cloud ?
byDibyadip Das
 
Cloud Security Issues 1.04.10
byRugby7277
 
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 
SEO: Getting Personal
byKirsty Hulse
 
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
byux singapore
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
byBarry Feldman
 

Similar to Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

PDF
MISA Cloud workshop - Cloud 101
byMISA Ontario Cloud SIG
 
PDF
SoftwareGuru 2009 - Cloud Computing
byJose Tam
 
PPT
Cloud Computing Webinar
bySaif Ahmad
 
PDF
null Bangalore meet - Cloud Computing and Security
byn|u - The Open Security Community
 
PDF
Eo navigating the cloud
byeophiladelphia
 
PDF
Eo navigating the cloud v8
byNerve2012
 
PDF
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
PDF
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
PPT
Cloud computing
bysaralaanuj
 
PDF
Cloud Computing Tutorial - Jens Nimis
byJensNimis
 
PPTX
Cloud Computing : Security and Forensics
byGovind Maheswaran
 
PDF
Windstream Webinar: The Latest Trends in Virtualization: Is the cloud right f...
byWindstream Enterprise
 
PPTX
Leverage the cloud 2012 li
byCornerStone
 
PDF
Taiye Lambo - Auditing the cloud
bynooralmousa
 
PDF
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
PDF
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
byEnterpriseGRC Solutions, Inc.
 
PPT
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
byProductCamp Boston
 
PPTX
Basics of cloud computing & salesforce.com
byDeepu S Nath
 
PPTX
Introduction Cloud Computing
byRoel Honning
 
PDF
Virtualization Into Cloud
byIBM India Smarter Computing
 
MISA Cloud workshop - Cloud 101
byMISA Ontario Cloud SIG
 
SoftwareGuru 2009 - Cloud Computing
byJose Tam
 
Cloud Computing Webinar
bySaif Ahmad
 
null Bangalore meet - Cloud Computing and Security
byn|u - The Open Security Community
 
Eo navigating the cloud
byeophiladelphia
 
Eo navigating the cloud v8
byNerve2012
 
IBM Point of View: Security and Cloud Computing
byIBM India Smarter Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
byIBM India Smarter Computing
 
Cloud computing
bysaralaanuj
 
Cloud Computing Tutorial - Jens Nimis
byJensNimis
 
Cloud Computing : Security and Forensics
byGovind Maheswaran
 
Windstream Webinar: The Latest Trends in Virtualization: Is the cloud right f...
byWindstream Enterprise
 
Leverage the cloud 2012 li
byCornerStone
 
Taiye Lambo - Auditing the cloud
bynooralmousa
 
Cloud Security Alliance - Guidance
bySubra Kumaraswamy CISSP CISM
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
byEnterpriseGRC Solutions, Inc.
 
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
byProductCamp Boston
 
Basics of cloud computing & salesforce.com
byDeepu S Nath
 
Introduction Cloud Computing
byRoel Honning
 
Virtualization Into Cloud
byIBM India Smarter Computing
 

Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

  • 1.
    Possibilities and Security Challengesof Cloud Computing InfoSec Conference 2010 Hotel Intercontinental Makati City, Philippines 25 August 2010 Pierre U. Tagle, Ph.D., CISA [email protected] Outline 1 Introduction 2 What is Cloud Computing? 3 Possibilities and Security Challenges 4 Critical Areas for Cloud Implementations 2
  • 2.
    Introduction Mobiliance Incorporated is an We offer services to: INDEPENDENT technology • EVALUATE and understand consulting and software services your business needs; firm which partners with • Recommend ways to commercial and government ENHANCE how technology, establishments/organisations to people and processes fits solve their toughest Information into your business; Technology problems and issues. • INTEGRATE new and existing technology to better suit your business; • MAINTAIN your technology investments; and • Help you PRESERVE your investment to carry your business into the future. 3 Our Services • Security Assessment and • Technology Assessment Design and Design – Security Architecture • IT Governance / Risk Assessment / Design Management – Disaster Recovery / – Vulnerability Business Continuity Assessment – IT Governance • Network Assessment and – IT Risk Assessments Design • Technology Management – Alignment with Advice (Virtual CIO/CTO) business • Software Development requirements – From complete SDLC – Performance, or to assist in reliability and specific phases availability analysis 4
  • 3.
    What is CloudComputing? • Virtually every vendor or provider has jumped on the cloud computing bandwagon and has slapped the “cloud” label on it, e.g. hosting, outsourcing, ASP, on-demand computing, grid computing, utility computing, etc. – Some reports indicate that there were at least 22 different definitions of the cloud in use. • Cloud computing is NOT a technology revolution, but rather a process and business evolution – on how many technologies and services are used in enabling what is referred to as Cloud Computing. • A simplified definition can be that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and are able to use it as a pay-per-use service. 5 NIST Cloud Definition Framework “Cloud computing is a model for enabling convenient, on- demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider The NIST cloud model promotes availability interaction.” and is composed of 5 essential characteristics, 3 service models and 4 deployment models. 6
  • 4.
    5 Essential Characteristics • On-demand self-service • Broad network access • Resource pooling – Location independence • Rapid elasticity • Measure service Source: Techmixer.com 7 3 Cloud Service / Delivery Models • Cloud Software as a Service (SaaS) – Use provider’s apps over a network • Cloud Platform as a Service (PaaS) – Deploy customer- created applications to a cloud • Cloud Infrastructure as a Service (IaaS) Source: NIST Presentations – Rent processing, storage, network Note: To be considered “cloud” these must be capacity, etc. deployed on top of a cloud infrastructure with the key characteristics. 8
  • 5.
    Cloud Services Examples • SaaS – Salesforce.com – Google Apps • PaaS – Google AppsEngine, Force.com, IBM IT Factory • IaaS – Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid – Amazon Simple Storage Service (Amazon S3) 9 Cloud Deployment Models • Private cloud – Enterprise owned or leased • Community cloud – Shared infrastructure for specific communitiy • Public cloud – Available to the public, typically mega-scale infrastructure • Hybrid cloud – Composition of 2 or more clouds 10
  • 6.
    Possibilities and Benefits 11 Adoption Areas 12
  • 7.
    Cloud Computing Challenges& Risks • Data Protection – Where is my data? – How does my data securely enter/exit the cloud? (and how is it protected during transit?) – Who has access to my • Integration and Cost data? – How easy is it to integrate • Risk / Incident Management with in-house IT? – Who is accountable if – Are there customization something goes wrong? options to suit my needs? – What’s the disaster – Will on-demand cost recovery plan? more? – What happens if my cloud – How difficult to migrate provider disappears? back to an in-house – How is the environment system? (if possible) monitored? How are we • Compliance notified in the event of – Are there any regulatory failures/outages? requirements? 13 Challenges and Risks Security remains the top concern and was raised by 87.5% of respondents in IDC 2009 survey (up from 74.6% in 2008) 14
  • 8.
    Service Provider Requirements • Pricing is key area BUT • security and related concerns can be “seen” in user wish-list of the service features SLAs, option to move back on-premise, allow managing on-premise , offer both on-premise and public cloud services, have local presence 15 Security in the Cloud • Security controls in cloud computing are no different than security controls in an IT environment BUT... – the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the Source: Cloud Security Alliance organisation. • Understanding the “Cloud computing is about gracefully losing differences between service control while maintaining accountability models and their even if the operational responsibility implementation is critical to falls upon one or more third parties.” the management of risk to – Cloud Security Alliance the organisation. 16
  • 9.
    Security Advantages • Reductionof exposure of internal sensitive data with move to external cloud – Data fragmentation and dispersal are managed by unbiased party (cloud vendor assertion) – Various studies show that a large amount of abuse are done by internal IT professionals • Cloud homogeneity makes security auditing / testing simpler • Clouds enable automated security management • Redundancy / Disaster Recovery 17 Security Challenges • Trusting vendor’s security model • Customer inability to respond to audit findings • Indirect administrator accountability • Obtaining support for investigations • Indirect administrator accountability • Proprietary implementations cannot be examined • Loss of physical control • Data dispersal and international privacy laws • Logging challenges • Quality of service guarantees 18
  • 10.
    Ensuring Compliance inthe Cloud • The use of cloud computing by itself does not provide for or prevent achieving compliance. • Cloud services must be mapped against compensating controls to determine which exists and which do not – either by the end user, service provider or a third party. • Gaps analysis results are fed into the risk assessment framework – accept, transfer or Source: Cloud Security Alliance mitigate. 19 Cloud Implementation Use Case Taxonomy • Service Consumer – SaaS is consumed by end users, e.g. employees, clients, partners – PaaS is consumed by software developers – IaaS is consumed by IT managers Source: Cloud Computing Use Case Discussion Group • The various components must be managed by the company or a third party solution provider. 20
  • 11.
    Determining Candidates forthe Cloud • Review applications and IT • Typical Rules of Thumb: resources / systems – If mission-critical and • Categorise into: non-core then possibly – Mission-critical, i.e. good candidate for the business will not cloud survive without it – If mission-critical and – Non-mission critical core, possibly keep • Sub-categorise into: internal or in private cloud – Core business practices, i.e. provides – If non-mission critical service differentiation and non-core then okay for public clouds – Non-core, i.e. internal activities – If non-mission critical and core, possibly keep internal or in private cloud 21 Candidates for the Public Cloud GOOD BAD • Applications used by mobile • Applications with very workers, particularly those sensitive data (with possible used to manage time, regulatory or legal risk) activities, etc. • Applications that require very • Software development intensive data workloads or environments very performance sensitive • Applications that require applications hardware/software not – Possible cost issue normally available within the • Applications that require company extensive or high • Applications that run customization infrequently but require considerable resources, e.g. test and pre-production systems • Backup for critical applications • Distributed server and data centre locations 22
  • 12.
    Cloud Adoption ModelExample • Prepare IT portfolio – Virtualization not necessary but can simplify migration, updates, etc. • Cloud experimentation – Usage, experimentation and laying of groundwork • Cloud foundations – Finalize application architecture and platform • Cloud exploitation – Deployment (either private or public) in the cloud – Get apps into production, along with processes, policies and procedures Source: eWeek.com • Cloud actualization / HyperCloud – Fully dynamic and autonomic compute environment 23 Cloud Usage Examples • Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infra • Animoto – start-up used Amazon’s cloud services was able to keep up with soaring demand and scale up from 50 to 3,500 instances over a three-day period • Times – wanted to place 60-year period worth of images (i.e. 15-million news stories) moved 4-TB into Amazon S3, ran the software on EC2 then launched the product • Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops. 24
  • 13.
    Recommended Areas ofCritical Focus GOVERNANCE DOMAINS OPERATIONAL DOMAINS • Governance & Enterprise • Security, Business Risk Management Continuity & Disaster • Legal Recovery • Compliance and Audit • Data Centre Operations • Information Life Cycle • Incident Management Management • Application Security • Portability and • Encryption & Key Interoperability Management • Identity & Access Management • Virtualisation 25 Governance Domains
  • 14.
    Governance & EnterpriseRisk Management • Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing – Legal precedence for agreements – Assess risk of a cloud provider – Responsibility to protect data – How international boundaries affects issues • Risk management approaches – Include provider’s security governance, risk management and compliance structures and processes – Consistency between provider and end user risk assessment approaches • provider’s design of the cloud service vs. user’s assessment of the cloud service risk. – Adjust DRP/BCP to include new scenarios, e.g. loss of provider services RECOMMENDATIONS 27 Legal Aspects Potential legal issues with the use of Cloud Computing – Protection requirements for information & computer systems – Security disclosure laws – Regulatory requirements – Privacy requirements – International laws RECOMMENDATIONS 28
  • 15.
    Compliance and Audit • Ensuring and proving compliance when using Cloud Computing – Company security policies – Industry standards and/or certifications – Regulatory, legislative and other compliance requirements • The end user must understand: – Regulatory application for the use of a cloud service – Division of compliance responsibilities (vs. provider) – Provider’s ability to produce evidence needed for compliance – End user’s role in bridging the gap between provider and audit requirements RECOMMENDATIONS 29 Information Lifecycle Management • Management of data that • The Data Security Lifecycle is placed within the Cloud. – Identification and control of data – Compensating controls to deal with loss of physical control – Data confidentiality, integrity and availability Source: Cloud Security Alliance • Maps to the more general Information Lifecycle Management (ILM) RECOMMENDATIONS 30
  • 16.
    Portability and Interoperability • Ability to move data and/or services from one cloud provider to another, or move it back in- house – Portability – Interoperability • Companies may need to switch providers due to: – Unacceptable increase in cost – Provider ceases operation – Provider ceases one or more services – Unacceptable decrease in service quality – Business disputes RECOMMENDATIONS 31 Operational Domains
  • 17.
    Security, Business Continuityand Disaster Recovery • How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery • How does cloud computing assist in diminishing risks in certain areas? While possibly increasing in others? RECOMMENDATIONS 33 Data Centre Operations • Identifying common data centre characteristics that are: – Disadvantageous to on-going services and/or – Fundamental to long-term stability. • Technology architectures will differ across providers but they all must support compartmentalization with controls segregating each layer of the infrastructure – Note that some cloud providers may be users of other cloud services, e.g. a SaaS vendor uses PaaS or IaaS vendor(s). RECOMMENDATIONS 34
  • 18.
    Incident Management • Proper and adequate incident detection, response, notification and remediation. – Includes processes and procedures at both provider and end user levels • Does the cloud bring about complexities to current incident management procedures? RECOMMENDATIONS 35 Application Security • What type of Application cloud platform to Security Compliance use? SaaS, Architecture PaaS, or IaaS? Cloud • Cloud Apps applications will Tools both impact and SDLC & be impacted by Services various factors • Migrate existing app or design a new app for cloud deployment? Vulnerabilities RECOMMENDATIONS 36
  • 19.
    Encryption and KeyManagement • Cloud environments Encrypt data Secure sensitive information even are shared, within provider’s environment. and providers in transit for Confidentiality generally have privileged and Integrity access Encryption • Encryption offers benefits Encrypt data Differences in implementation from of less reliance at rest IaaS to PaaS to SaaS on provider • Identifying proper encryption usage and Encrypt data Protect against misuse of key on backup lost/stolen media. management media RECOMMENDATIONS 37 Identity and Access Management • Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation. • Management of identities to provide access control when extending the organisation into the cloud. Identity Provisioning Authentication • Secure and time management of provisioning Address authentication related and deprovisioning of users challenges, e.g. strong authentication in the cloud. (multi-factor), delegated • Extension of current user authentication, and trust management management processes to across cloud services. the cloud. Authorization and User Profile Management Federation Establishment of trusted user profile and policy information, Authenticate users of using it to control access within cloud services using the the cloud, and using this in an organisation’s chosen auditable way. identity provider. RECOMMENDATIONS 38
  • 20.
    IDaaS • Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations • For internal users: – Review provider’s options to provide secure access to the cloud – Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS. • For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments • PaaS users should review use of industry standards by IDaaS vendors • Proprietary solutions represent a significant risk, the use of open standards is recommended. 39 Virtualisation • Use of virtualisation technology in cloud computing, particularly the security issues related to the system/hardware virtualisation. RECOMMENDATIONS 40
  • 21.
    Conclusion • In any move towards an emerging technology and business model, you need in-depth understanding of: – Your IT team (whether in-house or 3rd party including consultants / partners) and capabilities – The Solutions, and – The Service Providers and/or Vendors • No difference with cloud computing any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and if needed, outsourcing partners. • Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and continuously being improved / fine-tuned to meet the perceived challenges and user requirements. 41