The Cloud is in the details webinar - Policy & Requirements in the era of cloud computing, by Ben Rothke. March 2011

1. The cloud is in the details –
policy and requirements in
the era of cloud computing
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant

2. About me
• Ben Rothke (too many certifications)
• Senior Security Consultant – British
Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things
Every Employee Should Know

3. Agenda/Key take-away thought
• Agenda
– Overview of the need to create specific
requirements & policies for a cloud initiative
• Take-away
– Contractors would never start building without
plans and designs; a cloud project similarly
shouldn’t be started without appropriate plans
and designs and requirements definition

4. The cloud is here to stay

5. Don’t let your cloud project drive you bananas

6. Cloud computing-choose your definition
• Definition #1
– Process you don’t full understand, manage poorly and is out
of control, that you give to a cloud provider, with the hope
and prayer that they can make sense of it and miraculously
make it work; and be HIPAA, SoX and PCI compliant
• Definition #2
– Corporate strategic decision to use service-oriented
architecture and utility computing to on-demand network
access to a shared pool of configurable computing
resources; that support the firm’s tactical IT plans and long-
term goals

7. Cloud challenges
• Making cloud meet business requirements
• integrating cloud into applications
• producing documentation to deliver trust
• management and reliability
• planning and deployment
• managing migration and scalability

8. Cloud security challenges
• Authentication, identity management
• compliance and regulatory
• access control
• trust management
• policy
• logging and accounting
• privacy and data protection

9. CSA Top Threats
1. Abuse and Nefarious Use of Cloud
Computing
2. Insecure Interfaces and APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile

10. The $64,000 cloud question
What is your security problem and how
do you expect cloud services to solve it?
• Biggest mistake with cloud computing is
that firms run to it without knowing why
• Then they use it with no plan for
deployment

11. Other ill-defined projects
• Information Week, Computer World, etc.,
continuously have stories about large
projects ($25 - $200 million) that fail
• Why do these large Oracle, ERP, cloud,
SAP projects continuously fail?
– often inadequate, changing or conflicting
requirements

12. Cloud success metrics
Cloud success is measured with the
following business questions:
– does it deliver real business benefits?
– was it deployed quickly and cost-effectively?
– is it secure and does it provide trust?
– is it reliable and easy to use?
– can it be managed?
– can it evolve and scale?

13. What is your deployment plan?
• Typical cloud project is likely to be more complex than
previous experience of typical IT projects may suggest
• As well as project management, technical and
operational aspects, there are many policy, legal and
security issues which must not be neglected
• By understanding and defining appropriate
requirements, many of the potential traps and pitfalls
can be avoided
• The risks to the business and the project are reduced
and those that remain are quantified at an early stage

14. Successful cloud deployment steps
1. Requirements Analysis
– Identify business, operational, commercial and security requirements
2. Architecture Definition
– Detailed definition of the operating model and cloud architecture
3. Operations
– Production of operational policies and procedures
4. Security Review
– Security review of the proposed system design, architecture and operations
5. Integration
– System piloting, integration of cloud enabled applications and testing
6. Deployment
– Operational deployment and production roll-out
7. Post-Deployment
– Management of upgrades and change processes for the production cloud

15. Step 1 - Requirements Analysis
• First step in implementing any cloud based
solution is to understand the requirements:
– what’s the problem and how do you expect a
cloud to solve it?
– what are the business drivers?
– what level of security is appropriate?
– where are the system vulnerabilities?
– what are the legal and regulatory compliance
constraints?

16. Step 1 - Requirements Analysis
• These requirements must be clearly
identified and analyzed
• Analysis of the costs and business
benefits and the provision of suitable
project planning schemes are integral to
step 1
– If the requirements aren’t clear, do not go
forward

17. Step 1 - Requirements Analysis – Project Planning
• Project manager is essential
– Some large-scale projects may need multiple
managers
• PM must be given the resources,
responsibility and authority to successfully
deliver the cloud project
• Attempts to implement a cloud without PM
have invariably resulted in failed projects

18. Step 2 - Architecture Definitions
• Once the requirements are known, the
next step is to produce an operating model
and to design the chosen cloud
architecture
• At this stage, cloud enabling of end user
applications is also considered, allowing
parallel development

19. Step 2 - Architecture Definitions
Create set of documentation templates and
checklists to:
– define how the cloud will be operated
– define how trust will be passed between entities
– define the cloud architecture, taking account of practical issues
such as resilience, management, performance, security,
scalability and current industry standards and best practices
– specify what the architecture will comprise
– specify how end-entity applications are to be cloud-enabled
– specify how the complete cloud will be tested and supported
– produce a detailed project plan

20. Step 2 – Cloud architecture
• Public
• private
• hybrid
• community
• What is the best architecture for you?
• The one that meets your specific
requirements and needs

21. Step 3 Operations
• Identify the policies, procedures, support
issues and SLA
• Organizational issues delineate who is
responsible for the various parts of the cloud
• Any security system is only as effective to
the degree it is correctly operated
– define the operating procedures and controls
necessary to make sure that that the cloud
security system remains effective

22. Step 4 – Security Review
• With any system it is important to
understand where the risks are and where
the system is most vulnerable
– Nothing will ever be 100% secure
• At this stage, the cloud is well specified and
therefore it is important that the proposed
system is subjected to an independent
review and risk analysis and, where
appropriate, corrective action is taken

23. Step 4 – Security Review
• The cloud is inherently unsafe and
untrusted
• your job is to add the controls necessary
to be a safe and trusted environment

24. Step 4 – Security Review
• Detailed lists of the threats, vulnerabilities
and countermeasures
– If you have an insecure infrastructure, then
you will have an insecure cloud
• Creation of the system security policy
provides a baseline level of security
controls that must be implemented during
cloud deployment

25. Step 4 - Risk analysis & assessment
• Effective risk assessment and analysis
ensures you are worrying about the right
things
• Ultimate outcome of a risk analysis should
be to see if you really can benefit from the
product
– Don’t worry about missing the bus

26. Step 4 - Risk analysis & assessment
• Some companies have determined at Step
4 that they really do not want to / can’t
move forward
• Don’t be afraid to cancel a cloud project if
there is not a business need for it, or if the
security risks are too great

27. Step 4 – Cloud web applications
• Browsers are very complicated security
environments
• understand how malware can thrive in a
cloud environment

28. Step 4 - Policy
• Create and maintain policies on how you
will address the many cloud security issues
– identify threats to the cloud environment & its
contents; ensure you address current threats
– metrics for monitoring
– accountability
– incident response
– adequate training for new/transitioned staff

29. Step 4 – Shared responsibilities
• Cloud provider
– Responsible for security from the data center
to the hypervisor
• Client
– Responsible for security for the operating
system and all applications
• But Saas, PaaS & IaaS will have different
shared responsibility models

30. Step 5 Integration
• Integration of all the cloud components
and the building of a pilot system against
which all the functional, performance and
operational requirements can be tested
• Integration testing of any cloud-enabled
applications is also performed
• DR/BCP
– Enterprise cloud be available 24 x 7 x 365

31. Step 6 Deployment
• This step involves the installation and
validation of the operational cloud,
followed by acceptance testing
• A security review and penetration test is
included to ensure that the actual
implementation meets all the security
requirements
• Documentation is finalized and published
• Acceptance testing

32. Step 6 Deployment
• Project closure meeting and report
– Customer agrees that all planned project
activities have been completed, project
performance information has been captured
and the cloud project is properly closed
– Projects have a defined duration, but without
a formal project closure activity, a project can
drift and never be satisfactorily concluded

33. Step 7 Post-deployment
• All systems are subject to change and
cloud is no exception
– Well-designed cloud should be able to
integrate new requirements without having
to be re-engineered

34. References
• Cloud Computing Risk Assessment
– www.enisa.europa.eu/act/rm/files/deliverables/loud-computing-risk-assessment
• Security Guidance for Critical Areas of Focus
– www.cloudsecurityalliance.org/csaguide.pdf
• Cloud Security Guidance
– www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf
• Top Threats to Cloud Computing
– www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• Cloud Security and Compliance: A Primer
– www.sans.org/reading_room/analysts_program/mcafee_carbird_08_2010.pdf

35. Conclusion
• Cloud computing is a powerful platform
• But don’t attempt to roll-out an enterprise-
wide cloud without a well-defined plan and
adequate security requirements

36. Contact information
• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• ben.rothke@bt.com
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke

37. Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.