Cloud computing - Assessing the Security Risks - Jared Carstensen
- 1. Cloud Computing Assessing the Security RisksJared Carstensen
- 2. AgendaWhat is the cloud?Why Cloud Computing?Decomposing the CloudUnderstanding ImplementationsTop Security RisksPrivileged User AccessRegulatory ComplianceData LocationData SegregationRecoveryInvestigationsLong Term ViabilityMyths and TruthsRoadmap to Success
- 5. What is the Cloud?Cloud computing:Private Cloud:Virtual PrivateCloud:is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.utilisestechnologies of the public cloud but are operated solely for an organisation. It could be managed by the organisation itself or by a third party on, or off site…..a cloud deployed solely for use of an organisation. This cloud utilisesstandardised technology, and processes of a service provider, which leverages shared resources with dedicated resource pools and tailored Service Model (determined by each provider).
- 6. Why Cloud Computing?We are in the midst of a Sea Change‖Collaboration and sharing on a scale never imaginedNEW ECONOMICSINCREASED PRODUCTIVITYREDUCED MANAGEMENTPay for what you use
- 7. Lower and predictable costs
- 8. Shift from CapEx to OpEx
- 9. Accelerate speed to value
- 14. Latest software for users
- 16. Anywhere access
- 17. Instant self-provisioning Decomposing the Cloud3 Primary Models for Cloud Computing include:Software as a Services (SaaS)Platform as a Services (PaaS)Infrastructure as a Service (IaaS)
- 18. Understanding Implementations?Cloud Computing Service CategoriesOn PremisesInfrastructure as a Service (IaaS)Platform as a Service (PaaS)Software as a Service (SaaS)You manageApplicationsApplicationsApplicationsApplicationsDataDataDataDataYou manageRuntimeRuntimeRuntimeRuntimeManaged by vendorMiddlewareMiddlewareMiddlewareMiddlewareYou manageManaged by vendorO/SO/SO/SO/SVirtualizationVirtualizationVirtualizationVirtualizationManaged by vendorServersServersServersServersStorageStorageStorageStorageNetworkingNetworkingNetworkingNetworking
- 19. Top Security RisksPrivileged User AccessSensitive Data processed outside the organisation / enterprise brings with it an inherent level risk, as the outsourced services tend to bypass the “physical, logical and personnel controls”.Know your provider! Get as much information as you can about the people who will manage your data! Best practice – what standards do they follow or are they certified to?How often are they assessed and controls tested and verified?You wouldn’t give someone all your data without asking what they are going to do with it would you?
- 20. Regulatory ComplianceIt remains YOUR responsibility!Customers are ultimately responsible for the security and integrity of the data they collect, even when held by a service provider. You cannot “surrender or transfer” your responsibilities under the Data Protection Act (Irish and UK). If you collect the information, you need to ensure the information is held in accordance with the 8 key principles of the Data Protection Act.International Data Transfer
- 21. Data LocationWhere is It? What laws is it governed by?When organisations use the cloud – most probably don’t even know where their data is held or hosted?What country is it in?What laws govern it?Who has access to it?“smaller cloud providers are not carrying cyber insurance, and have no plans to do so until the larger customers push back”-Hartford Financial Services Group (New York)
- 22. Data SegregationData SegregationIn the vast majority of cases, data in the cloud is stored and hosted in a shared environment alongside data from other customers.How is this controlled?What accountability is there?How is CIA enforced?What happens in the case of an investigation?Can I get my data back if I need it?
- 23. Data RecoveryDisaster Recovery / Business ContinuityData Backup and replication are NOT a given when utilising cloud computing. There is often little to no continuity around data backup and replication in standard agreements. Most of these agreements tend to ensure availability around the service provided by the provider and not the contents or data.Always check to ensure your provider can tell you what will happen to your data in the event of a disaster!Service Level Agreements should be thoroughly checked and reviewed to ensure they align with the business requirements before proceeding.
- 24. Investigations & SupportIllegal / Inappropriate activityThe investigation of inappropriate or illegal activities may be impossible in cloud computing for a number of reasons. What technology / systems are being utilised by the provider?Is there an intelligent system being used to detect anomalies or attacks?What processes / procedures are in place to ensure any breaches can be detected?Will your provider notify you of any breaches (most don’t)?What happens if my information is taken as part of an investigation?
- 25. Long Term ViabilityHow viable is my provider long term?In an ideal world, your cloud computing provider will never go broke, get acquired or swallowed up by a larger company.Recent stories:SAP acquire Coghead (Cloud Computing)HP acquires ArcSight (from RSA)IBM acquires CastIron (Cloud Computing)Dell acquires Perot Systems“The most mature cloud services are only 3 years old”
- 26. Myths and Truths
- 27. Roadmap to SuccessKeys to successEnsure your Cloud is future proofEnsure you have a detailed and realistic plan which is scalable
- 28. If your organisation is fast paced, ensure your provider is tooKnow your organisation and its requirementsClearly define your cloud users, admins and roles upfront
- 29. No plans stay the same - make sure you are flexible and be realisticPlan your services and ensure you have support (both internally and externally)Ensure you “remove” redundant services effectively (unless for continuity)Evaluate your internal processes before and afterDo current processes make sense? Can these be improved on? If so, how?
- 30. Why are we moving? Know the benefits and the business case before movingJared Carstensenjared@teaminfosec.comhttp://www.TeamInfoSec.comTel: +353 1 813 5551Thank You