The security of SAAS and private cloud
Download as PPSX, PDF1 like765 views
Ian Farquhar outlines key considerations for CFOs regarding security of SaaS and private cloud environments. For SaaS and public cloud, it is important to thoroughly read contracts, conduct cost-benefit analyses, plan for contingencies like provider termination, and verify security claims while maintaining healthy skepticism. For private cloud, best practices from traditional IT still apply while some security aspects are improved, but the main focus areas are operational issues around administration, licensing, change control and data management.
The security of SAAS and private cloud
- 1. Security of SaaS and Private CloudConsiderations for CFO’sIan FarquharAdvisory Technology Consultant
- 2. Profile: Ian FarquharCareer:RSA, The Security Division of EMC (2008-Present)Cisco Systems (2004-2008)Sun Microsystems (1999-2004)Silicon Graphics/Cray Research (1994-1999)Macquarie University Department of Research Electronics (1993-1994)Macquarie University Office of Computing Services (1988-1993)Twenty years of experience in computer and information securityTechnology Evangelist for RSARSA specialist for ANZ in:Data Loss PreventionCryptographyPolicySecurity evaluation
- 3. Definitions: Public vs. Private CloudAccording to Gartner: The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated. The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure. Or... (from the RSA Conference):A private cloud is inside the firewall, a private cloud is outside. Security CIA:Confidentiality, Integrity and Availability
- 4. Definition: Software-as-a-Service (SaaS)SaaS is the provision of software in a services model.Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics. Other *aaS acronyms:PaaS: Platform-as-a-ServiceIaaS: Infrastructure-as-a-ServiceSaaS and PaaS are not really new conceptsMainframe-era “Bureau Services” were just SaaS or PaaSEven virtualization is not new: IBM/VM circa 1969
- 5. Issues to Consider: SaaS (and Public Cloud)Legal issuesIf it isn’t in the contract, it should beWhat are the service level agreements? How are they measured?Do they match your expectations? What is the dispute process?Who owns your data?Where is it processed?Where is the DR site? Where is it replicated?Jurisdictional issuesData location (compliance)Legal issues (eg. US Patriot Act)Legal search and seizure considerationsSaaS provider closure or acquisitionWhat legal rights do you have?If you can access the data, in what form? (and don’t forget the backups)How quickly could you migrate this business function?
- 6. Issues to Consider: SaaS (and Public Cloud)Provider Terminating ContractHow much notice do you get?Do you have any right of appeal?Can they terminate your service and leave you without access to “your” data?“The Forced March”Will upgrades at the SaaS provider introduce unexpected work (cost)?Forced up-sell due to discontinuation of an older versionHow much notice do you get?What guarantees are in the contract?Connectivity and Performance IssuesSaaS makes your business dependent on Internet accessDon’t forget the SLA’s from your ISP or carrierHow would your business cope with a network outage?Don’t forget to factor in the cost of network managementIs your network traffic protected in transit? (SSL issues.)
- 7. Issues to Consider: SaaS (and Public Cloud)ExpertiseIf you find you need expertise above basic support, where does it come from and how much does it cost?Generic “Security” IssuesEndpoint security still is criticalWhat is the SaaS provider’s security posture?How do they authenticate users?What guarantees do you have that the SaaS provider is implementing best practice?Who can access your data? (Separation).(Not applicable for “pay as you go”). How is the service funded?Fundamentally, HOW DO YOU KNOW?Or, WHAT IS THE RATIONAL BASIS FOR YOUR TRUST?
- 8. Issues to Consider: Private CloudMost of the security issues with Private Cloud are not newSome security features are better on private cloud than on raw hardware (eg. DR)Limiting this to private-cloud specific issuesAll best IT practice applies similarly to private cloud, as it does to existing IT infrastructurePrivate cloud is fundamentally about increasing efficiencyIssues:Network infrastructure and designAdministrative access – a rogue or careless admin can do a lot of damageProliferation – change control is still critical for a well-run virtual infrastructureSoftware licensingOrphaned VMsData sprawlSecurity patching and offline VMsLegal search and seizureCapacity planningExcellent resource: Cloud Security Alliancehttp://www.cloudsecurityalliance.org/
- 9. In SummarySaaS and Public CloudRead and understand the contractDo a thorough cost-benefit analysisPlan for the contingenciesTrust but verifyPrivate CloudAll current best practices apply to private clouds tooPrivate clouds have some security characteristics which are superior to “raw metal” ITThe majority of issues are operational – this is where to focus