1. Security of SaaS and Private Cloud: Considerations for CFOs
- Ian Farquhar, Advisory Technology Consultant
2. Profile: Ian Farquhar
- Career:
  - RSA, The Security Division of EMC (2008-Present)
  - Cisco Systems (2004-2008)
  - Sun Microsystems (1999-2004)
  - Silicon Graphics/Cray Research (1994-1999)
  - Macquarie University Department of Research Electronics (1993-1994)
  - Macquarie University Office of Computing Services (1988-1993)
- Twenty years of experience in computer and information security
- Technology Evangelist for RSA
- RSA specialist for ANZ in:
  - Data Loss Prevention
  - Cryptography
  - Policy
  - Security evaluation
3. Definitions: Public vs. Private Cloud
- According to Gartner:
  - The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated.
  - The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure.
- Or... (from the RSA Conference): a private cloud is inside the firewall, a public cloud is outside.
- Security: CIA, i.e. Confidentiality, Integrity and Availability
4. Definition: Software-as-a-Service (SaaS)
- SaaS is the provision of software in a services model.
- Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics.
- Other *aaS acronyms:
  - PaaS: Platform-as-a-Service
  - IaaS: Infrastructure-as-a-Service
- SaaS and PaaS are not really new concepts
  - Mainframe-era "Bureau Services" were just SaaS or PaaS
  - Even virtualization is not new: IBM VM circa 1969
5. Issues to Consider: SaaS (and Public Cloud)
- Legal issues
  - If it isn't in the contract, it should be
  - What are the service level agreements? How are they measured? Do they match your expectations?
  - What is the dispute process?
  - Who owns your data?
  - Where is it processed? Where is the DR (disaster recovery) site? Where is it replicated?
- Jurisdictional issues
  - Data location (compliance)
  - Legal issues (e.g. US Patriot Act)
  - Legal search and seizure considerations
- SaaS provider closure or acquisition
  - What legal rights do you have?
  - If you can access the data, in what form? (And don't forget the backups.)
  - How quickly could you migrate this business function?
6. Issues to Consider: SaaS (and Public Cloud)
- Provider terminating the contract
  - How much notice do you get?
  - Do you have any right of appeal?
  - Can they terminate your service and leave you without access to "your" data?
- "The Forced March"
  - Will upgrades at the SaaS provider introduce unexpected work (cost)?
  - Forced up-sell due to discontinuation of an older version
  - How much notice do you get? What guarantees are in the contract?
- Connectivity and performance issues
  - SaaS makes your business dependent on Internet access
  - Don't forget the SLAs from your ISP or carrier
  - How would your business cope with a network outage?
  - Don't forget to factor in the cost of network management
  - Is your network traffic protected in transit? (SSL issues.)
7. Issues to Consider: SaaS (and Public Cloud)
- Expertise
  - If you find you need expertise above basic support, where does it come from and how much does it cost?
- Generic "security" issues
  - Endpoint security is still critical
  - What is the SaaS provider's security posture?
  - How do they authenticate users?
  - What guarantees do you have that the SaaS provider is implementing best practice?
  - Who can access your data? (Separation.)
  - How is the service funded? (Not applicable for "pay as you go".)
- Fundamentally, HOW DO YOU KNOW? Or, WHAT IS THE RATIONAL BASIS FOR YOUR TRUST?
8. Issues to Consider: Private Cloud
- Most of the security issues with private cloud are not new
  - Some security features are better on private cloud than on raw hardware (e.g. DR)
  - This slide is limited to private-cloud-specific issues
  - All IT best practice applies to private cloud just as it does to existing IT infrastructure
  - Private cloud is fundamentally about increasing efficiency
- Issues:
  - Network infrastructure and design
  - Administrative access – a rogue or careless admin can do a lot of damage
  - Proliferation – change control is still critical for a well-run virtual infrastructure
  - Software licensing
  - Orphaned VMs
  - Data sprawl
  - Security patching and offline VMs
  - Legal search and seizure
  - Capacity planning
- Excellent resource: Cloud Security Alliance, http://www.cloudsecurityalliance.org/
9. In Summary
- SaaS and Public Cloud
  - Read and understand the contract
  - Do a thorough cost-benefit analysis
  - Plan for the contingencies
  - Trust but verify
- Private Cloud
  - All current best practices apply to private clouds too
  - Private clouds have some security characteristics which are superior to "raw metal" IT
  - The majority of issues are operational – this is where to focus