Cloud computing due diligence WTF?

•

1 like•486 views

BSidesLondon 20th April 2011- @Jimmy Blake ----------------------------------------------------------------- The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks? ---- for more about Jimmy jimmyblake.com

Technology

Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Jimmy Who?

• CSO for one of the UK’s largest SaaS providers
• Talking mainly from a SaaS perspective
• Dozens of client risk assessments a month
• ISO 27001 Lead Auditor
• These are my opinions, not necessarily those of
my employer

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Cloud Computing
Don’t
make me APT
your cyber-
defences http://csrc.nist.gov/groups/SNS/cloud-computing/

Essential Characteristics
Service Model
Deployment Model
...blah blah blah

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Businesses Are Moving to the Cloud

Well governed organisations
make decisions after
consideration of risk

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Businesses Are Moving to the Cloud

Well governed organisations
make decisions after
consideration of risk

...and we all know how many
well governed organisations
there are out there.

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Who Does the Due Diligence??

• Understands security, not risk
• Knows on-premise, not cloud
• Still thinks he has a secure
perimeter
• Likes to be able to hug servers
• He, and his toys, may be
displaced by the solution

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

The Cost of Due Diligence: Do The Math

Average Due Diligence Questionnaire = 2 hours
Average Audit = 6 man hours

4,000 customers = 3,000 working days per annum

...and you want cost savings???

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Certiﬁcation: ISO:IEC 27001:2005

• Scope?
• Very few scopes include production
platforms

• Is your acceptable risk < or >
then the provider’s?

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

ISO 27001: What They Really Mean

Cloud
Our On-Premise
Provider’s
27002 controls
27002 controls
Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Certiﬁcation: SAS-70 (soon SSAE16)

• Control Statements
• Great for auditing against SOX
404 controls

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Getting Real

How do you ensure
physical access to your data
centres is restricted to those who
need it for a job function?

By not having 100 customers a
day walking through on audits...

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Getting Real

So I hope that answers your
question on how we handle key
rotation on our distributed ﬁling system
utilising AES 256-bit encryption? Can I
The IT Manager backs up to ask how you do it at the moment?
tape and leaves the tapes in the back of
his car overnight.

The tapes are encrypted of course?

....

Please tell me the car isn’t left on
his driveway overnight?

....

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Turning the Tables
RFP responses contain a lot of sensitive information

How do you classify How many people
completed RFP have access to completed
responses? RFP responses?

How do
you ensure access How do you dispose
control and prevent leakage of printed copies of RFP
of completed RFP responses?
responses?

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Industry Representation or Prospects?

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

What We Need
Software-as-a-Service is often about replacing
speciﬁc on-premise solutions within the business

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

What We Need
Software-as-a-Service is often about replacing
speciﬁc on-premise solutions within the business

baseline

Cloud
On-premise Provider
risk risk

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

What We Need

baseline

On-premise
risk
Cloud
Provider
risk

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

What We’re Getting

Great, now I’ve got 6 lots of audit and certiﬁcation....

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

A Final Plea
Customers:
Baseline on your current risk exposure

Due your due diligence, but make it proportionate

If you want champagne, expect to pay for it

Industry Bodies:
Come together for a uniﬁed standard of audit and assessment

Represent cloud customers and the service provider, not infrastructure vendors

Cloud Providers:
Embrace transparency

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake
http://jimmyblake.com

Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011

Similar to Cloud computing due diligence WTF?

Cloud Security: Perception Vs. Reality

Internap

Cloud security and cyber security v 3.1

CloudExpoEurope

DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...

Shah Sheikh

Build a network to thrive in the Digital age

Fiona Sexton

DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole

JAXLondon_Conference

Last year we talked about DevOps, what it was, why it was important and how to get started. Boy, was it scary. Now we’re wiser. More battle-scarred. The scale of the challenge for application writers exploiting cloud and DevOps is clearer, but so is the path forward. Understanding the DevOps approach is important but equally you must understand specific deployment technologies. How to exploit them and how they effect the design of applications. Whether creating simple applications or sophisticated microservice architectures many of the challenges are the same. Presented at JAXLondon 2015 with Steve Poole

JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"

Daniel Bryant

Can we spend less on IT, work less, but accomplish more? Join us at The Ritz to discover how Exponential-e’s innovative hybrid services combine the best of traditional IT competencies, with world leading connectivity, Cloud and communication services - and make the impossible, possible. Our CEO, Lee Wade, will be amongst a selection of key speakers, who will share their views on how innovations in Cloud services can be combined with advanced networking technology and service provider experience to deliver the real benefits businesses have been seeking. We'll seek to explain how you can spend less on IT, work less and still accomplish more. We'll demonstrate why your Cloud is only as good as your network, and how you can transition to the Cloud efficiently and securely. Seems too good to be true? Come and see for yourself. View our Cloud video and more on YouTube: https://www.youtube.com/user/Exponentialltd

Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014

Exponential_e

A Blueprint for Cloud-Native Financial Institutions

Angelo Agatino Nicolosi

Cloud Team Alliance @ EU Buxelles

Mariano Cunietti

AWS per il settore pubblico in Italia

Amazon Web Services

Jet Propulsion Laboratory is a well-known innovator in outer space, particularly in its search for "life out there". JPL is now innovating in the physical space to improve “life here". AWS IoT is critical to their innovations. See a re:Invent preview about how JPL, as an early adopter of AWS IoT, has prototyped voice control to ask questions of the room, the budget, or the system. They’ve also used it for controlling lights and sound to detect cyber security threats, rapid prototyping of robots, low-cost virtual windows to the outside, and much more. The results have been excellent. JPL will demonstrate and talk about these prototypes, including what worked and what didn’t. They will also share the promise integrated serverless computing holds.

AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...

Amazon Web Services

Structure 2014 - Launchpad Competition

Gigaom

2011 VMI DEMO Conference Highlights

Julie_Vasquez

DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...

Henning Jacobs

What we've built at Zalando is complex. Supporting – profitably – a publicly traded e-commerce company that does business in 15 diverse European markets, with more than 15 million active users who all speak different languages, use different payment methods, prefer different shipping methods, and have different product tastes, has required nonstop innovation. Until recently we've focused on building a unified, comprehensive retail system, quickly, that solves just our problems. But to truly fight against complexity – particularly the accidental complexity that slows down our development process – we have adopted a microservices architecture. And when it comes to DevOps, we’ve gone a step beyond the "You build it, you run it" motto--working in autonomous teams with DevOps treated as a "first-class entity.” In this talk, Henning Jacobs (Software Architect) and Jan Löffler (Head of Platform Engineering) will share their experience implementing “Radical Agility” from a DevOps perspective. “Radical Agility” is the Zalando technology team’s multi-pronged approach to managing the complexity that results from building an architecture of massive size. Henning and Jan will focus on how microservices enable Zalando’s engineers to move faster and build systems that scale, at scale, and avoid dependencies. They will show how microservices, in conjunction with a cloud infrastructure, support teams as they try strive for autonomy. Finally, they will draw upon their experiences to show how this all works in practice, and discuss what is organizationally and architecturally necessary to make DevOps a top priority for all members of your tech organization.

Dev ops con 2015 radical agility with autonomous teams and microservices in...

Jan Löffler

Radical Agility with Autonomous Teams and Microservices in the Cloud

Zalando Technology

E Crime Symposium June 10

Simon Wardley

Was asked by In-Q-Tel leadership to present on how Open Source competes with larger technology companies (e.g. VMWare) and how household cloud providers (SalesForce, Amazon...) are embedding open source for competitive advantages. Step through Navy CANES program as example of DoD usage. Covers IBM and DreamWorks commercial references. Illustrates DISA Anti-Drug Network (ADNET) and U.S. Intelligence Community Persons of Interest programs. Talk about Open Source initiatives at NGA lead by Bert Beaulieu (Director, Innovision, NGA) and Michael Cline (R&D Technologist, NGA).

2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...

Shawn Wells

Bridging the Enterprise and the Cloud from Layer 7

CA API Management

CIO Summit Berlin 2011

Jitscale

Similar to Cloud computing due diligence WTF? (20)

Cloud Security: Perception Vs. Reality

Cloud security and cyber security v 3.1

DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...

Build a network to thrive in the Digital age

DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole

JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"

Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014

A Blueprint for Cloud-Native Financial Institutions

Cloud Team Alliance @ EU Buxelles

AWS per il settore pubblico in Italia

AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...

Structure 2014 - Launchpad Competition

2011 VMI DEMO Conference Highlights

DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...

Dev ops con 2015 radical agility with autonomous teams and microservices in...

Radical Agility with Autonomous Teams and Microservices in the Cloud

E Crime Symposium June 10

2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...

Bridging the Enterprise and the Cloud from Layer 7

CIO Summit Berlin 2011

More from Security BSides London

BSidesLondon 20th April 2011 - David Rook (@securityninja) ----------------------- This demonstration filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move onto exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio. ---- for more about David go to http://www.securityninja.co.uk/ ---- for more about Agnito go to http://sourceforge.net/projects/agnitiotool/

Agnitio: its static analysis, but not as we know it

Security BSides London

BSidesLondon 20th April 2011 - Jim Shields (@JimShout) Note: watch this video before the presentation http://vimeo.com/22580155 --------------------------- addressing the human factor with Jim from Twist & Shout, Jim not only shared his technical expertise recording the BSides sessions but also share some useful insight of "user awareness" ------ due to copyright issues, many of the images/clips cannot be shown ------------ for more about Jim www.twistandshout.co.uk

The Funny Thing About Information Security

Security BSides London

Breaking out of restricted RDP

Security BSides London

BSidesLondon 20th April 2011 - Steve Lord (@stevelord) ---------------------------------------------------------------- The majority of Penetration testing teams have staff falling into 3 of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynicists. This is a talk about improving penetration testing skills to get to the rare fourth Jedi master level normally occupied by less than 1% of the team where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session. ---- for more about Steve http://www.mandalorian.com

Breaking, Entering and Pentesting

Security BSides London

BSidesLondon 20th April 2011 - Xavier Mertens (@xme) ======================== Your IT infrastructure generates thousands(millions?) of events a day. They are stored in several places under multiple forms and contain a lot of very interesting information. Using free tools, This presentation will give you some ideas how to properly manage this continuous flow of information and how to make them more valuable. for more about Xavier http://blog.rootshell.be

All your logs are belong to you!

Security BSides London

BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie) ---------------------------------------------------------------------- This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. --- for more about Justin http://www.gdssecurity.com

Practical Crypto Attacks Against Web Applications

Security BSides London

BSidesLondon 20th April 2011 - David Rook and Chris Wysopal (@securityninja & @WeldPond) -------------------------------------------------------------------- From the perspective of both an employee of a financial transaction provider and a security vendor, this presentation will focus on how to effectively sell the business value of application security to executives, middle management, and development groups -----------for more about David & Chris go to http://www.securityninja.co.uk/blog http://www.veracode.com/blog/

Jedi mind tricks for building application security programs

Security BSides London

BSidesLondon 20Th April 2011 - Arron "finux" Finnon --------------------------------------------------------------------- The presentations aim is to talk about how simple it is to deploy DNS Tunnelling infrastructure at little or no cost. Also shows how to establish a ssh connection from target to attacker, and act as a taster for peoples further research. ----- for more about @F1nux go to www.finux.co.uk

Dns tunnelling its all in the name

Security BSides London

More from Security BSides London (8)

Agnitio: its static analysis, but not as we know it

The Funny Thing About Information Security

Breaking out of restricted RDP

Breaking, Entering and Pentesting

All your logs are belong to you!

Practical Crypto Attacks Against Web Applications

Jedi mind tricks for building application security programs

Dns tunnelling its all in the name

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

FWD Group - Insurer Innovation Award 2024

AWS Community Day CPH - Three problems of Terraform

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

presentation ICT roal in 21st century education

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Why Teams call analytics are critical to your entire business

Artificial Intelligence Chap.5 : Uncertainty

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Corporate and higher education May webinar.pptx

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Six Myths about Ontologies: The Basics of Formal Ontology

Cloud computing due diligence WTF?

1. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

2. Jimmy Who? • CSO for one of the UK’s largest SaaS providers • Talking mainly from a SaaS perspective • Dozens of client risk assessments a month • ISO 27001 Lead Auditor • These are my opinions, not necessarily those of my employer Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

3. Cloud Computing Don’t make me APT your cyber- defences http://csrc.nist.gov/groups/SNS/cloud-computing/ Essential Characteristics Service Model Deployment Model ...blah blah blah Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

4. Businesses Are Moving to the Cloud Well governed organisations make decisions after consideration of risk Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

5. Businesses Are Moving to the Cloud Well governed organisations make decisions after consideration of risk ...and we all know how many well governed organisations there are out there. Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

6. Who Does the Due Diligence?? • Understands security, not risk • Knows on-premise, not cloud • Still thinks he has a secure perimeter • Likes to be able to hug servers • He, and his toys, may be displaced by the solution Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

7. The Cost of Due Diligence: Do The Math Average Due Diligence Questionnaire = 2 hours Average Audit = 6 man hours 4,000 customers = 3,000 working days per annum ...and you want cost savings??? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

8. Certiﬁcation: ISO:IEC 27001:2005 • Scope? • Very few scopes include production platforms • Is your acceptable risk < or > then the provider’s? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

9. ISO 27001: What They Really Mean Cloud Our On-Premise Provider’s 27002 controls 27002 controls Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

10. Certiﬁcation: SAS-70 (soon SSAE16) • Control Statements • Great for auditing against SOX 404 controls Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

11. Getting Real How do you ensure physical access to your data centres is restricted to those who need it for a job function? By not having 100 customers a day walking through on audits... Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

12. Getting Real So I hope that answers your question on how we handle key rotation on our distributed ﬁling system utilising AES 256-bit encryption? Can I The IT Manager backs up to ask how you do it at the moment? tape and leaves the tapes in the back of his car overnight. The tapes are encrypted of course? .... Please tell me the car isn’t left on his driveway overnight? .... Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

13. Turning the Tables RFP responses contain a lot of sensitive information How do you classify How many people completed RFP have access to completed responses? RFP responses? How do you ensure access How do you dispose control and prevent leakage of printed copies of RFP of completed RFP responses? responses? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

14. Industry Representation or Prospects? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

15. What We Need Software-as-a-Service is often about replacing speciﬁc on-premise solutions within the business Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

16. What We Need Software-as-a-Service is often about replacing speciﬁc on-premise solutions within the business baseline Cloud On-premise Provider risk risk Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

17. What We Need baseline On-premise risk Cloud Provider risk Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

18. What We’re Getting Great, now I’ve got 6 lots of audit and certiﬁcation.... Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

19. A Final Plea Customers: Baseline on your current risk exposure Due your due diligence, but make it proportionate If you want champagne, expect to pay for it Industry Bodies: Come together for a uniﬁed standard of audit and assessment Represent cloud customers and the service provider, not infrastructure vendors Cloud Providers: Embrace transparency Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

20. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake http://jimmyblake.com Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

Cloud computing due diligence WTF?

Recommended

Recommended

More Related Content

Similar to Cloud computing due diligence WTF?

Similar to Cloud computing due diligence WTF? (20)

More from Security BSides London

More from Security BSides London (8)

Recently uploaded

Recently uploaded (20)

Cloud computing due diligence WTF?