Cloud Security: Is My Data Safe?
0 likes515 views
The document discusses cloud security concerns, particularly regarding data safety and user perceptions around its vulnerabilities. It emphasizes the importance of due diligence, understanding risks, and ensuring alignment with existing security and governance policies when adopting cloud services. The text also highlights the need for transparency and independent auditing in cloud environments amidst emerging standards.
Cloud Security: Is My Data Safe?
- 1. Cloud Security- Is my data safe?Justin Pirie@justinpirieblog.mimecast.comjpirie@mimecast.comCloud Circle - LondonNovember 29th2010matthewbradley
- 5. Where I work
- 6. Cloud Services for Microsoft Exchangetipiro
- 11. How the problem used to be solved...
- 12. Benefits of Google Apps
- 14. What do users get?minifig
- 17. Uptimeszeke
- 18. Over 600,000 users can’t be wrong!
- 19. Cloud Security- Is my data safe?matthewbradley
- 20. 2010 Hype Cycle
- 21. 2010 Hype Cycle
- 22. Grand Canyon between adoptersJames Marvin Phelps (mandj98)
- 23. Adopters: Cloud Improved Security57%
- 24. Non Adopters: Cloud = Security Risk62%
- 25. Unsure about Cloud Security?jessicafm
- 26. Security Presented as BinaryMarkOMeara
- 27. Reality...cdw9
- 29. BUT with Technical Detail AbstractedRev. XanatosSatanicosBombasticos (ClintJCL)
- 30. Which makes Clouds OpaqueAndrew Coulter Enright
- 31. The reason Cloud is powerfuldok1
- 32. Is also it’s Achilles HeelMoff
- 34. While Protecting Vendor IP... schoschie
- 35. AND Cloud is embryonicviralbus
- 38. And why it sometimes feels like this...gxdoyle
- 41. Independent 3rd Parties: SAS70, CESGwallyg
- 44. Should you adopt ISO 27001?massdistraction
- 45. Best Practice Policy: ENISATheTruthAbout
- 46. Investigate Availability GuaranteesYukon White Light
- 48. Who has control of your data?DumindaJayasena
- 49. Baseline Current RisksChuck “Caveman” Coker
- 50. i.e. Where are we today?Chris D 2006
- 51. Trusting Users....Thai Jasmine (Take good care :-))
- 57. Got the budget?The Prime Minister's Office
- 61. #1. It’s their BusinessEsthr
- 63. #3. Scalelaffy4k
- 65. #5. Cumulative Effect of Multiple CustomersLeo Reynolds
- 66. #6. Best Practice: Embedded, Distributed Lars Plougmann
- 68. Want to be the Guards Guard?
- 70. But proportional to Riskgxdoyle
- 71. Over to DamienJustin Pirie@justinpirieblog.mimecast.comjpirie@mimecast.commatthewbradley
- 72. Security, reliability, compliance and governance; the importance of aligning the Cloud with your existing security and governance policies Damien BehanIT Director, Brodies LLP
- 73. “The internet is not for private things, do not put them there” – a twittererhttp://datavis.tumblr.com/post/1372863949/internet-vs-privacy-a-helpful-venn-diagram
- 74. Perceptions of the cloud?SECURITYTHE CLOUD
- 75. “The fact of the matter is that the cloud is just another boring make vs. buy decision, and the sooner those in IT management realize this, the less likely they are to build potentially career-ending plans based on clouds and rainbows.” Patrick Gray on zdnet.com
- 76. Due diligenceLike any outsourcing service, ask…Why?
- 77. Who?
- 78. What?
- 79. Where?
- 80. How?
- 81. … and don’t forget “what happens if it all goes wrong?”Then verify what you are told.
- 82. The contractWatch out for:Jurisdiction
- 83. Data Protection
- 84. Confidentiality
- 85. IPR/Licensing
- 86. Service levels & limitations
- 87. Remedies…in other words, the same as any other services contract
- 88. Risk Averse? Tell me about it…Even law firms with their low tolerance for risk are going into the cloud – gingerly.Understand the risks, mitigate and manage where you can, then take a view…Know the answers to the questions your clients will ask about your information security in the cloud
- 89. How has it worked in practice?Our story so far
- 90. Future plans?Questions?Email: damien.behan@brodies.comTwitter: @damienbehanBlog: techblog.brodies.com
Editor's Notes
- #2: Intro Myself and where I workAnswer the key question- is my data safeWhat are the hurdles we have to cross? What are the actionable things we can do?Why should you consider going to the cloud?
- #9: Security
- #10: Continutity
- #11: Archive
- #13: Bringing all the benefits of Google apps- horizontal scalability, reliability, etc
- #14: To Microsoft Exchange
- #21: 2010 Gartner Hype Cycle for emerging technologies
- #22: 2010 Gartner Hype Cycle for emerging technologies
- #24: From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
- #25: From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
- #26: Why are some People are unsure about Cloud Security
- #27: Security is often presented as a binary object. It’s not.
- #28: It’s much more complex than that.
- #30: Technical details are abstracted
- #31: Probably because of the relative opacity of Cloud compared to the transparency of a private network and the control you can exert on it
- #33: Are it’s Achilles heel
- #35: Without revealing to much intellectual property- the main differentiator in Cloud
- #37: Standards are only just emerging
- #38: Buyer Beware- http://en.wikipedia.org/wiki/Caveat_emptorUnder the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud.Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
- #39: Which is why we in cloud feel like we’re being beaten up...
- #40: Independent Audit?
- #41: There are no standards...There is not a best practice independent security methodology for cloud. Clouds are opaque. Technical complexity is abstracted. Proper audit / DD requires transparency. But transparency would reveal IP.
- #42: Independent 3rd party is so important to validate claims in depthSAS 70, CESG etc
- #43: Spot the missing one?
- #44: ISO 27001- ISO 27001 doesn’t fit the cloud- 5 year old standard currently- to be reviewed in 2012- CSA helping update controls for the Cloud
- #45: · Should you adopt ISO 20071? What sort of protection will it grant you? Yes. Because it’s a framework for managing security. A process. Set of Documentation. Set of controls. Working out how much acceptable risk What risk are you exposed to Which are greater than the accpectablerisck What controls do you need to manage- taken from annex A Deploy the controls in an auditable way- constantly approve Compliance- testing Governance Risk Complaince- testing to make sure your controls It Scales
- #46: Control and governance; what should be the basis of your Cloud Data Best Practice Policy- ENISA
- #47: · Investigating availability guarantees and penalties and examining your supplier’s disaster recovery strategy Important- they do what they say the do The bar to what you set that at needs to be relevant to what you have already- BASELINE!!! Realistic expectation Based on the data you’re going to outsource Look at historical performance- not a predictor for the future- but relevant Look at their DR strategy- if you have 2 data centres- that should be the expectation Map your requirements to the provider
- #48: · Data compliance; the importance of clarifying where your data will be stored and who will have access to your information Jurisdiction EU/ Patriot / RIPA / Safe Harbour
- #49: · Ultimately, who has control over your data? When you save your data- need to understand Look at service providers to the same extent MBTF- encryption look at service providers Cloud should be architected differently People shouldn’t be fooled by “cloud” technology See behind the fog Often it’s really hard because of the opaqueness Integretity of Data Critical End to end vs middleware Designed to hook together Managing service provider obligations Asses the risk- make sure the risk you’re willing to accept is related in the SLA Review- annually? Any deviation look for recompense or additional controls Blunt instrument Make sure compliance and information governance are involved early on in the process of negotiating SLA- lawyers don’t know about GRC
- #50: The key is to understand your current risks- baseline them
- #51: i.e. Where are we today?
- #52: Users Applications File shares Email Document management
- #53: Sysadmins User based access Server access Database access
- #54: Others: Internet VPN Extranet Customer/Partner portals API’s Suppliers Telco’s Tape warehousing Backup delivery personnel
- #55: Ends up in a Permissions Nightmare- or a brittle infrastructure
- #56: How are we managing those risks today?
- #58: Are you given the budget / skills to do it?
- #59: “Quiscustodietipsoscustodes?”Who will guard the guards themselves?DecimusIuniusIuvenalis
- #60: Cloud can be a way to become a guard’s guard, instead of the guard
- #61: Reasons to go Cloud Security
- #62: Reason to go Cloud security #1 It’s their business- and their reputation depends on it
- #63: #2 Money - they are held financially responsible
- #64: Reason #3 Scale- Cloud platforms have scale that customers could never achieve on their own- protecting against large scale attacks
- #65: Reason #4 Specialised Skills- employ specific people to do specialised job. Cumulative effect of multiple customers
- #66: Cumulative effect of multiple customers
- #67: Best Practice embedded in organisation and distributed. Not dependent on one person
- #68: Not just about competence and budget- but focus. It’s all they do.
- #69: Cloud can be a way to become a guard’s guard, instead of the guard
- #70: Buyer Beware- http://en.wikipedia.org/wiki/Caveat_emptorUnder the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud.Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
- #71: But make it proportional to risk- especially to CURRENT RISKS