Cloud computing - Risks and Mitigation - GTS

Anchises Moraes
Anchises MoraesCyber Evangelist à C6 Bank
Cloud Computing Enterprise Risks and Mitigation Anchises M. G. de Paula iDefense Intelligence Analyst Nov. 2009 GTS - 14
Agenda source: sxc.hu Overview of cloud computing Cloud computing risks and generic mitigation strategies Cloud Computing for Malicious Intent Questions and answers GTS - 14 2 22 Copyright iDefense 2009
Overview of cloud computing 3 GTS - 14 3 Copyright iDefense 2009
Overview The term “cloud computing” is poorly defined GTS - 14 4 44 Copyright iDefense 2009
Overview The term “cloud computing” is poorly defined “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html GTS - 14 5 55 Copyright iDefense 2009
Overview The term “cloud computing” is poorly defined “Essential Cloud Characteristics: • On-demand self-service • Broad network access • Resource pooling • Location independence • Rapid elasticity • Measured service” GTS - 14 6 66 Copyright iDefense 2009
Overview The term “cloud computing” is poorly defined GTS - 14 7 77 Copyright iDefense 2009
Overview The term “cloud computing” is poorly defined Multiple vendors, multiple definitions Utility pricing model Cloud-based Service Provider (CSP) handle burden of resources GTS - 14 8 88 Copyright iDefense 2009
Overview Three basic categories for cloud computing technologies: – Infrastructure as a Service (IaaS) Resource Abstraction – Platform as a Service (PaaS) – Software as a Service (SaaS) GTS - 14 9 99 Copyright iDefense 2009
Variations on a Theme Public Cloud 10 GTS - 14 10 10 Copyright iDefense 2009
Variations on a Theme Public Cloud Private Cloud 11 GTS - 14 11 11 Copyright iDefense 2009
Variations on a Theme Public Cloud Private Cloud Hybrid Cloud 12 GTS - 14 12 12 Copyright iDefense 2009
Cloud computing risks and generic mitigation strategies 13 GTS - 14 13 Copyright iDefense 2009
Areas of Risk ▪ Privileged User Access ▪ Data Segregation ▪ Regulatory Compliance ▪ Physical Location of Data ▪ Availability ▪ Recovery ▪ Investigative Support ▪ Viability and Longevity 14 GTS - 14 14 14 Copyright iDefense 2009
Mitigation Strategies Understand the risks Evaluate any potential cloud-based solution and CSP Unique solution, generic risks source: sxc.hu 15 GTS - 14 15 15 Copyright iDefense 2009
Risks Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party 16 GTS - 14 16 16 Copyright iDefense 2009
Mitigation Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party Privilege Access Control Mitigation: – Support to HR and data policies – Outsourcing involved? – Evaluate the access controls 17 GTS - 14 17 17 Copyright iDefense 2009
Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 18 GTS - 14 18 18 Copyright iDefense 2009
Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 19 GTS - 14 19 19 Copyright iDefense 2009
Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 20 GTS - 14 20 20 Copyright iDefense 2009
Mitigation Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption Data Segregation Mitigation: – What’s the risk of data segregation failure? – Encryption of data: shifting of risks – Understand the “how, where, when” of consumer data storage 21 GTS - 14 21 21 Copyright iDefense 2009
Risks Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks 22 GTS - 14 22 22 Copyright iDefense 2009
Mitigation Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks Regulatory Control Mitigation: FISMA – Know your regulatory obligation HIPAA – Know your CSP’s regulatory obligations SOX PCI – Understand your liabilities SAS 70 – Location may change regulatory obligations Audits 23 GTS - 14 23 23 Copyright iDefense 2009
Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 24 GTS - 14 24 24 Copyright iDefense 2009
Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 10/9/09 SA pigeon 'faster than broadband' BBC News Cyber A Durban IT company pitted an 11-month- old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers. 25 GTS - 14 25 25 Copyright iDefense 2009
Mitigation Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure Physical Location of Data Mitigation: – Identify your data’s location – Avoid CSPs that cannot guarantee the location – Avoid CSPs that use data centers in hostile countries – Use CSPs that reside in consumer’s country 26 GTS - 14 26 26 Copyright iDefense 2009
Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 27 GTS - 14 27 27 Copyright iDefense 2009
Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 28 GTS - 14 28 28 Copyright iDefense 2009
Mitigation Service Availability Mitigation: – Availability is the greatest risk ! – Understand the CSP’s infrastructure: avoid single points of failure – Private clouds may reduce the availability risk, but introduce additional cost and overhead – Establish service-level agreements (SLAs) with their CSPs – Balance the risk introduced by using multiple data centers with the risk of a single site failure – Assume at least one outage, what’s the impact to you? 29 GTS - 14 29 29 Copyright iDefense 2009
Risks Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime 30 GTS - 14 30 30 Copyright iDefense 2009
Mitigation Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime Recovery Mitigation: – Understand backed up systems (Encrypted? Multiple sites?) – Identify the time required to completely recover data – Practice a full recovery to test the CSP’s response time 31 GTS - 14 31 31 Copyright iDefense 2009
Risks Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances 32 GTS - 14 32 32 Copyright iDefense 2009
Mitigation Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances Investigative Support Mitigation: – Establish policies and procedures with the CSP – Avoid CSPs unwilling to participate in incident 33 GTS - 14 33 33 Copyright iDefense 2009
Risks Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk 34 GTS - 14 34 34 Copyright iDefense 2009
Mitigation Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk Viability and Longevity Mitigation: – Understand the way a CSP can “going dark” – Have a secondary CSP in mind – Review the history and financial stability of any CSP prior to engaging 35 GTS - 14 35 35 Copyright iDefense 2009
Cloud Computing for Malicious Intent 36 GTS - 14 36 Copyright iDefense 2009
Malicious use source: sxc.hu Bad guys are already using such technology ;) – Botnets – Hacking as a Service, SPAM 37 GTS - 14 37 37 Copyright iDefense 2009
Malicious use source: sxc.hu Bad guys are already using such technology – Botnets – Hacking as a Service, SPAM 11/9/09 Bot herders hide master control channel in Google cloud by Dan Goodin, The Register Cyber criminals' love affair with cloud computing Malicious use of Cloud Services just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large – C&C Server on the cloud networks of infected computers. – Storage of malicious data – Cracking passwords 38 GTS - 14 38 38 Copyright iDefense 2009
Conclusion 39 GTS - 14 39 Copyright iDefense 2009
Conclusions Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed. Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. 40 GTS - 14 40 40 Copyright iDefense 2009
Additional Reading Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing” http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security” http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk- assessment iDefense Topical Research Paper: “Cloud Computing” 41 GTS - 14 41 41 Copyright iDefense 2009
Q&A GTS - 14 42 Copyright iDefense 2009
Thank You Anchises M. G. de Paula iDefense Intelligence Analyst 43
1 sur 43

Cloud computing - Risks and Mitigation - GTS

Télécharger pour lire hors ligne
TechnologieBusiness

Cloud Computing Risks and Mitigation presentation at GTS 14, São Paulo, Brazil, November 2009

Anchises Moraes
Anchises MoraesCyber Evangelist à C6 Bank

Recommandé

Cloud computing Risk management par
Cloud computing Risk management Cloud computing Risk management
Cloud computing Risk management Padma Jella
8.9K vues19 diapositives
Cloud computing-security-issues par
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issuesAleem Mohammed
3.9K vues40 diapositives
Legal issues in cloud computing par
Legal issues in cloud computingLegal issues in cloud computing
Legal issues in cloud computingmovinghats
18.8K vues20 diapositives
Cloud Computing Risk Management (Multi Venue) par
Cloud Computing Risk Management (Multi Venue)Cloud Computing Risk Management (Multi Venue)
Cloud Computing Risk Management (Multi Venue)Brian K. Dickard
2.7K vues56 diapositives
Cloud computing and data security par
Cloud computing and data securityCloud computing and data security
Cloud computing and data securityMohammed Fazuluddin
17.7K vues28 diapositives
Cloud Computing par
Cloud ComputingCloud Computing
Cloud ComputingSamit Kumar Kapat
2K vues41 diapositives

Contenu connexe

Tendances

Cloud computing risk & challenges par
Cloud computing risk & challengesCloud computing risk & challenges
Cloud computing risk & challengesParag Deodhar
2K vues10 diapositives
Cloud security Presentation par
Cloud security PresentationCloud security Presentation
Cloud security PresentationAjay p
4.9K vues46 diapositives
Security in Cloud Computing par
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud ComputingRohit Buddabathina
485 vues14 diapositives
Cloud computing par
Cloud computingCloud computing
Cloud computingDebrajKarmakar
2.1K vues41 diapositives
Cloud Computing Security Threats and Responses par
Cloud Computing Security Threats and ResponsesCloud Computing Security Threats and Responses
Cloud Computing Security Threats and Responsesshafzonly
2.3K vues16 diapositives
Introduction to cloud computing par
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computingJithin Parakka
4.6K vues45 diapositives

Tendances(20)

Cloud computing risk & challenges par Parag Deodhar
Cloud computing risk & challengesCloud computing risk & challenges
Cloud computing risk & challenges
Parag Deodhar2K vues
Cloud security Presentation par Ajay p
Cloud security PresentationCloud security Presentation
Cloud security Presentation
Ajay p4.9K vues
Security in Cloud Computing par Rohit Buddabathina
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
Rohit Buddabathina485 vues
Cloud computing par DebrajKarmakar
Cloud computingCloud computing
Cloud computing
DebrajKarmakar2.1K vues
Cloud Computing Security Threats and Responses par shafzonly
Cloud Computing Security Threats and ResponsesCloud Computing Security Threats and Responses
Cloud Computing Security Threats and Responses
shafzonly2.3K vues
Introduction to cloud computing par Jithin Parakka
Introduction to cloud computingIntroduction to cloud computing
Introduction to cloud computing
Jithin Parakka4.6K vues
Cloud computing and its security issues par Jyoti Srivastava
Cloud computing and its security issuesCloud computing and its security issues
Cloud computing and its security issues
Jyoti Srivastava1.5K vues
Cloud computing seminar par ANKIT KUMAR
Cloud computing seminarCloud computing seminar
Cloud computing seminar
ANKIT KUMAR1.1K vues
Cloud Computing par nitinw25
Cloud ComputingCloud Computing
Cloud Computing
nitinw255.4K vues
Cloud Migration.pdf par Zen Bit Tech
Cloud Migration.pdfCloud Migration.pdf
Cloud Migration.pdf
Zen Bit Tech79 vues
Cloud Computing par Avinash Saklani
Cloud ComputingCloud Computing
Cloud Computing
Avinash Saklani474 vues
Security Issues of Cloud Computing par Falgun Rathod
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
Falgun Rathod9K vues
Introduction to cloud and Cloud Computing par NIKHILKUMAR SHARDOOR
Introduction to cloud and Cloud ComputingIntroduction to cloud and Cloud Computing
Introduction to cloud and Cloud Computing
NIKHILKUMAR SHARDOOR329 vues
Cloud computing par Tushar Jain
Cloud computingCloud computing
Cloud computing
Tushar Jain333 vues
Cloud Security par AWS User Group Bengaluru
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru12.4K vues
Infrastructure as a Service ( IaaS) par Ravindra Dastikop
Infrastructure as a Service ( IaaS)Infrastructure as a Service ( IaaS)
Infrastructure as a Service ( IaaS)
Ravindra Dastikop14.8K vues
Cloud Security par Devyani Vaidya
Cloud SecurityCloud Security
Cloud Security
Devyani Vaidya247 vues
INTRODUCTION TO CLOUD COMPUTING par Tanmoy Barman
INTRODUCTION TO CLOUD COMPUTINGINTRODUCTION TO CLOUD COMPUTING
INTRODUCTION TO CLOUD COMPUTING
Tanmoy Barman6.4K vues
Cloud Migration Strategy and Best Practices par QBurst
Cloud Migration Strategy and Best PracticesCloud Migration Strategy and Best Practices
Cloud Migration Strategy and Best Practices
QBurst11.2K vues
Introduction to Infrastructure as a Service (IaaS) par rgtechnologies
Introduction to Infrastructure as a Service (IaaS)Introduction to Infrastructure as a Service (IaaS)
Introduction to Infrastructure as a Service (IaaS)
rgtechnologies920 vues

En vedette

Annova Consulting - Final Presentation par
Annova Consulting - Final PresentationAnnova Consulting - Final Presentation
Annova Consulting - Final Presentationmabar207
4K vues137 diapositives
Legacy Software to Cloud Progression - Part 1 par
Legacy Software to Cloud Progression - Part 1Legacy Software to Cloud Progression - Part 1
Legacy Software to Cloud Progression - Part 1Dreamztech Solutions
305 vues13 diapositives
Security Problem With Cloud Computing par
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud ComputingMartin Bioh
769 vues12 diapositives
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ... par
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...Tech and Law Center
787 vues4 diapositives
data storage security technique for cloud computing par
data storage security technique for cloud computingdata storage security technique for cloud computing
data storage security technique for cloud computinghasimshah
628 vues34 diapositives

En vedette(20)

Manage Your Risks in the Cloud! par geoportal of the federal authorities of the Swiss Confederation
Manage Your Risks in the Cloud!Manage Your Risks in the Cloud!
Manage Your Risks in the Cloud!
geoportal of the federal authorities of the Swiss Confederation365 vues
Annova Consulting - Final Presentation par mabar207
Annova Consulting - Final PresentationAnnova Consulting - Final Presentation
Annova Consulting - Final Presentation
mabar2074K vues
Legacy Software to Cloud Progression - Part 1 par Dreamztech Solutions
Legacy Software to Cloud Progression - Part 1Legacy Software to Cloud Progression - Part 1
Legacy Software to Cloud Progression - Part 1
Dreamztech Solutions305 vues
Security Problem With Cloud Computing par Martin Bioh
Security Problem With Cloud ComputingSecurity Problem With Cloud Computing
Security Problem With Cloud Computing
Martin Bioh769 vues
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ... par Tech and Law Center
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
Tech and Law Center787 vues
data storage security technique for cloud computing par hasimshah
data storage security technique for cloud computingdata storage security technique for cloud computing
data storage security technique for cloud computing
hasimshah628 vues
CS III.1 T. Jorgensen par IAU_Past_Conferences
CS III.1 T. JorgensenCS III.1 T. Jorgensen
CS III.1 T. Jorgensen
IAU_Past_Conferences729 vues
CyberCrime in the Cloud and How to defend Yourself par Alert Logic
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic 763 vues
Cloud Computing security Challenges for Defense Forces par commandersaini
Cloud Computing security Challenges for Defense ForcesCloud Computing security Challenges for Defense Forces
Cloud Computing security Challenges for Defense Forces
commandersaini1.1K vues
Cloud computing ppt par Yogi Dadhich
Cloud computing pptCloud computing ppt
Cloud computing ppt
Yogi Dadhich733 vues
Ensuring data storage security in cloud computing par Uday Wankar
Ensuring data storage security in cloud computingEnsuring data storage security in cloud computing
Ensuring data storage security in cloud computing
Uday Wankar3.1K vues
Are you using mail policies effectively to secure your mail par Mithi SkyConnect
Are you using mail policies effectively to secure your mail Are you using mail policies effectively to secure your mail
Are you using mail policies effectively to secure your mail
Mithi SkyConnect440 vues
Telenor par Waseem Ahmed
TelenorTelenor
Telenor
Waseem Ahmed1.4K vues
From byod to cyod par Mithi SkyConnect
From byod to cyodFrom byod to cyod
From byod to cyod
Mithi SkyConnect658 vues
Migrating To Cloud & Security @ FOBE 2011 par commandersaini
Migrating To Cloud & Security @ FOBE 2011Migrating To Cloud & Security @ FOBE 2011
Migrating To Cloud & Security @ FOBE 2011
commandersaini659 vues
Cloud computing ppt par Amex Ka
Cloud computing pptCloud computing ppt
Cloud computing ppt
Amex Ka1.8K vues
Cloud computing par Rohith Shankar
Cloud computingCloud computing
Cloud computing
Rohith Shankar348 vues
4 approaches to securing documents and email attachment assets par Mithi SkyConnect
4 approaches to securing documents and email attachment assets4 approaches to securing documents and email attachment assets
4 approaches to securing documents and email attachment assets
Mithi SkyConnect129 vues
Email phising and spoofing hurting your business par Mithi SkyConnect
Email phising and spoofing hurting your businessEmail phising and spoofing hurting your business
Email phising and spoofing hurting your business
Mithi SkyConnect920 vues
Cloud computing par gk28
Cloud computingCloud computing
Cloud computing
gk28166 vues

Similaire à Cloud computing - Risks and Mitigation - GTS

Executive Briefing: Strategic Issues Surrounding Cloud Services par
Executive Briefing: Strategic Issues Surrounding Cloud ServicesExecutive Briefing: Strategic Issues Surrounding Cloud Services
Executive Briefing: Strategic Issues Surrounding Cloud ServicesWhitmeyerTuffin
1.2K vues24 diapositives
The Changing Data Quality & Data Governance Landscape par
The Changing Data Quality & Data Governance LandscapeThe Changing Data Quality & Data Governance Landscape
The Changing Data Quality & Data Governance LandscapeTrillium Software
2.3K vues37 diapositives
The Complexities of Cloud Computing - The Rules are New, But is the Game par
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the GameJanine Anthony Bowen, Esq.
1.1K vues38 diapositives
Cloud Computing par
Cloud ComputingCloud Computing
Cloud ComputingMatti Neustadt Storie
230 vues18 diapositives
Security in cloud (and grid) computing Overview par
Security in cloud (and grid) computing OverviewSecurity in cloud (and grid) computing Overview
Security in cloud (and grid) computing OverviewTawanda Douglas Muringani
2.2K vues37 diapositives
The Myths And Magic Of Cloud Computing par
The Myths And Magic Of Cloud ComputingThe Myths And Magic Of Cloud Computing
The Myths And Magic Of Cloud Computingjayroy
1.1K vues57 diapositives

Similaire à Cloud computing - Risks and Mitigation - GTS(20)

Executive Briefing: Strategic Issues Surrounding Cloud Services par WhitmeyerTuffin
Executive Briefing: Strategic Issues Surrounding Cloud ServicesExecutive Briefing: Strategic Issues Surrounding Cloud Services
Executive Briefing: Strategic Issues Surrounding Cloud Services
WhitmeyerTuffin1.2K vues
The Changing Data Quality & Data Governance Landscape par Trillium Software
The Changing Data Quality & Data Governance LandscapeThe Changing Data Quality & Data Governance Landscape
The Changing Data Quality & Data Governance Landscape
Trillium Software2.3K vues
The Complexities of Cloud Computing - The Rules are New, But is the Game par Janine Anthony Bowen, Esq.
The Complexities of Cloud Computing - The Rules are New, But is the GameThe Complexities of Cloud Computing - The Rules are New, But is the Game
The Complexities of Cloud Computing - The Rules are New, But is the Game
Janine Anthony Bowen, Esq. 1.1K vues
Cloud Computing par Matti Neustadt Storie
Cloud ComputingCloud Computing
Cloud Computing
Matti Neustadt Storie230 vues
Security in cloud (and grid) computing Overview par Tawanda Douglas Muringani
Security in cloud (and grid) computing OverviewSecurity in cloud (and grid) computing Overview
Security in cloud (and grid) computing Overview
Tawanda Douglas Muringani2.2K vues
The Myths And Magic Of Cloud Computing par jayroy
The Myths And Magic Of Cloud ComputingThe Myths And Magic Of Cloud Computing
The Myths And Magic Of Cloud Computing
jayroy1.1K vues
Symantec Webinar Part 2 of 6 GDPR Compliance par Symantec
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR Compliance
Symantec363 vues
Bird&Bird par Frits Bussemaker
Bird&BirdBird&Bird
Bird&Bird
Frits Bussemaker708 vues
Session19 Globus par ISSGC Summer School
Session19 GlobusSession19 Globus
Session19 Globus
ISSGC Summer School1.2K vues
Roadmap and Technology Incubators par Angelo Corsaro
Roadmap and Technology IncubatorsRoadmap and Technology Incubators
Roadmap and Technology Incubators
Angelo Corsaro1.5K vues
OMG DDS Tutorial - Part I par Angelo Corsaro
OMG DDS Tutorial - Part IOMG DDS Tutorial - Part I
OMG DDS Tutorial - Part I
Angelo Corsaro2K vues
MISA Cloud workshop - Cloud 101 par MISA Ontario Cloud SIG
MISA Cloud workshop - Cloud 101MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101
MISA Ontario Cloud SIG1K vues
Tutorial 4 peter kustor par egovernment
Tutorial 4 peter kustorTutorial 4 peter kustor
Tutorial 4 peter kustor
egovernment381 vues
Cloud Computing par Gowtham Reddy
Cloud ComputingCloud Computing
Cloud Computing
Gowtham Reddy334 vues
OMG DDS: The Data Distribution Service for Real-Time Systems par Angelo Corsaro
OMG DDS: The Data Distribution Service for Real-Time SystemsOMG DDS: The Data Distribution Service for Real-Time Systems
OMG DDS: The Data Distribution Service for Real-Time Systems
Angelo Corsaro4.1K vues
Emc vi pr global data services par solarisyougood
Emc vi pr global data servicesEmc vi pr global data services
Emc vi pr global data services
solarisyougood529 vues
Cloud Computing - Is it the Future of ESI? par trentlivingston
Cloud Computing - Is it the Future of ESI?Cloud Computing - Is it the Future of ESI?
Cloud Computing - Is it the Future of ESI?
trentlivingston263 vues
Understanding the Cloud par www.datatrak.com
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
www.datatrak.com1.9K vues
Cloudcoputing par Ramesh Sigdel
CloudcoputingCloudcoputing
Cloudcoputing
Ramesh Sigdel218 vues
Cloud Computing par Ramesh Sigdel
Cloud ComputingCloud Computing
Cloud Computing
Ramesh Sigdel266 vues

Plus de Anchises Moraes

Post pandemics threat scenario par
Post pandemics threat scenarioPost pandemics threat scenario
Post pandemics threat scenarioAnchises Moraes
178 vues5 diapositives
Como se proteger na internet par
Como se proteger na internetComo se proteger na internet
Como se proteger na internetAnchises Moraes
252 vues29 diapositives
Fatos, mitos e palpites do cenário de segurança pós-pandemia par
Fatos, mitos e palpites do cenário de segurança pós-pandemiaFatos, mitos e palpites do cenário de segurança pós-pandemia
Fatos, mitos e palpites do cenário de segurança pós-pandemiaAnchises Moraes
646 vues33 diapositives
A Case Study of the Capital One Data Breach par
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
1.7K vues27 diapositives
Vamos caçar bugs!? par
Vamos caçar bugs!?Vamos caçar bugs!?
Vamos caçar bugs!?Anchises Moraes
142 vues40 diapositives
Praticas de gestão de segurança par
Praticas de gestão de segurançaPraticas de gestão de segurança
Praticas de gestão de segurançaAnchises Moraes
57 vues39 diapositives

Plus de Anchises Moraes(20)

Post pandemics threat scenario par Anchises Moraes
Post pandemics threat scenarioPost pandemics threat scenario
Post pandemics threat scenario
Anchises Moraes178 vues
Como se proteger na internet par Anchises Moraes
Como se proteger na internetComo se proteger na internet
Como se proteger na internet
Anchises Moraes252 vues
Fatos, mitos e palpites do cenário de segurança pós-pandemia par Anchises Moraes
Fatos, mitos e palpites do cenário de segurança pós-pandemiaFatos, mitos e palpites do cenário de segurança pós-pandemia
Fatos, mitos e palpites do cenário de segurança pós-pandemia
Anchises Moraes646 vues
A Case Study of the Capital One Data Breach par Anchises Moraes
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
Anchises Moraes1.7K vues
Vamos caçar bugs!? par Anchises Moraes
Vamos caçar bugs!?Vamos caçar bugs!?
Vamos caçar bugs!?
Anchises Moraes142 vues
Praticas de gestão de segurança par Anchises Moraes
Praticas de gestão de segurançaPraticas de gestão de segurança
Praticas de gestão de segurança
Anchises Moraes57 vues
Ciber crime e desafios de segurança durante uma pandemia e home office par Anchises Moraes
Ciber crime e desafios de segurança durante uma pandemia e home officeCiber crime e desafios de segurança durante uma pandemia e home office
Ciber crime e desafios de segurança durante uma pandemia e home office
Anchises Moraes387 vues
Cyber Cultura em tempos de Coronavírus par Anchises Moraes
Cyber Cultura em tempos de CoronavírusCyber Cultura em tempos de Coronavírus
Cyber Cultura em tempos de Coronavírus
Anchises Moraes1K vues
Hunting bugs - C0r0n4con par Anchises Moraes
Hunting bugs - C0r0n4conHunting bugs - C0r0n4con
Hunting bugs - C0r0n4con
Anchises Moraes295 vues
Fintechs e os desafios de segurança par Anchises Moraes
Fintechs e os desafios de segurançaFintechs e os desafios de segurança
Fintechs e os desafios de segurança
Anchises Moraes507 vues
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019 par Anchises Moraes
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 20195 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019
Anchises Moraes1.1K vues
Segurança além do Pentest par Anchises Moraes
Segurança além do PentestSegurança além do Pentest
Segurança além do Pentest
Anchises Moraes1.3K vues
Só o Pentest não resolve! par Anchises Moraes
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!
Anchises Moraes231 vues
Carreira em Segurança da Informação par Anchises Moraes
Carreira em Segurança da InformaçãoCarreira em Segurança da Informação
Carreira em Segurança da Informação
Anchises Moraes253 vues
IoT Fofoqueiro par Anchises Moraes
IoT FofoqueiroIoT Fofoqueiro
IoT Fofoqueiro
Anchises Moraes1.1K vues
Carta de oposição ao Sindpd 2018 par Anchises Moraes
Carta de oposição ao Sindpd 2018Carta de oposição ao Sindpd 2018
Carta de oposição ao Sindpd 2018
Anchises Moraes8.7K vues
Segurança na Internet par Anchises Moraes
Segurança na InternetSegurança na Internet
Segurança na Internet
Anchises Moraes431 vues
Como se tornar um Jedi na área de Segurança par Anchises Moraes
Como se tornar um Jedi na área de SegurançaComo se tornar um Jedi na área de Segurança
Como se tornar um Jedi na área de Segurança
Anchises Moraes952 vues
Deep Web e Ciber Crime par Anchises Moraes
Deep Web e Ciber CrimeDeep Web e Ciber Crime
Deep Web e Ciber Crime
Anchises Moraes3.1K vues
É possível existir segurança para IoT? par Anchises Moraes
É possível existir segurança para IoT?É possível existir segurança para IoT?
É possível existir segurança para IoT?
Anchises Moraes271 vues

Dernier

Scaling Knowledge Graph Architectures with AI par
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AIEnterprise Knowledge
30 vues15 diapositives
Microsoft Power Platform.pptx par
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptxUni Systems S.M.S.A.
53 vues38 diapositives
Vertical User Stories par
Vertical User StoriesVertical User Stories
Vertical User StoriesMoisés Armani Ramírez
14 vues16 diapositives
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... par
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
10 vues29 diapositives
SAP Automation Using Bar Code and FIORI.pdf par
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdfVirendra Rai, PMP
23 vues38 diapositives
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... par
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
85 vues32 diapositives

Dernier(20)

Scaling Knowledge Graph Architectures with AI par Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge30 vues
Microsoft Power Platform.pptx par Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.53 vues
Vertical User Stories par Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 vues
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... par TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc10 vues
SAP Automation Using Bar Code and FIORI.pdf par Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP23 vues
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... par James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson85 vues
Zero to Automated in Under a Year par Network Automation Forum
Zero to Automated in Under a YearZero to Automated in Under a Year
Zero to Automated in Under a Year
Network Automation Forum15 vues
Piloting & Scaling Successfully With Microsoft Viva par Richard Harbridge
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft Viva
Richard Harbridge12 vues
Melek BEN MAHMOUD.pdf par MelekBenMahmoud
Melek BEN MAHMOUD.pdfMelek BEN MAHMOUD.pdf
Melek BEN MAHMOUD.pdf
MelekBenMahmoud14 vues
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf par Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Dr. Jimmy Schwarzkopf19 vues
"Running students' code in isolation. The hard way", Yurii Holiuk par Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays11 vues
Serverless computing with Google Cloud (2023-24) par wesley chun
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)
wesley chun11 vues
Design Driven Network Assurance par Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum15 vues
MVP and prioritization.pdf par rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14131 vues
virtual reality.pptx par G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal11 vues
Special_edition_innovator_2023.pdf par WillDavies22
Special_edition_innovator_2023.pdfSpecial_edition_innovator_2023.pdf
Special_edition_innovator_2023.pdf
WillDavies2217 vues
Network Source of Truth and Infrastructure as Code revisited par Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum26 vues
Voice Logger - Telephony Integration Solution at Aegis par Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma39 vues
STPI OctaNE CoE Brochure.pdf par madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb14 vues
Unit 1_Lecture 2_Physical Design of IoT.pdf par StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec12 vues

Cloud computing - Risks and Mitigation - GTS

  • 1. Cloud Computing Enterprise Risks and Mitigation Anchises M. G. de Paula iDefense Intelligence Analyst Nov. 2009 GTS - 14
  • 2. Agenda source: sxc.hu Overview of cloud computing Cloud computing risks and generic mitigation strategies Cloud Computing for Malicious Intent Questions and answers GTS - 14 2 22 Copyright iDefense 2009
  • 3. Overview of cloud computing 3 GTS - 14 3 Copyright iDefense 2009
  • 4. Overview The term “cloud computing” is poorly defined GTS - 14 4 44 Copyright iDefense 2009
  • 5. Overview The term “cloud computing” is poorly defined “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html GTS - 14 5 55 Copyright iDefense 2009
  • 6. Overview The term “cloud computing” is poorly defined “Essential Cloud Characteristics: • On-demand self-service • Broad network access • Resource pooling • Location independence • Rapid elasticity • Measured service” GTS - 14 6 66 Copyright iDefense 2009
  • 7. Overview The term “cloud computing” is poorly defined GTS - 14 7 77 Copyright iDefense 2009
  • 8. Overview The term “cloud computing” is poorly defined Multiple vendors, multiple definitions Utility pricing model Cloud-based Service Provider (CSP) handle burden of resources GTS - 14 8 88 Copyright iDefense 2009
  • 9. Overview Three basic categories for cloud computing technologies: – Infrastructure as a Service (IaaS) Resource Abstraction – Platform as a Service (PaaS) – Software as a Service (SaaS) GTS - 14 9 99 Copyright iDefense 2009
  • 10. Variations on a Theme Public Cloud 10 GTS - 14 10 10 Copyright iDefense 2009
  • 11. Variations on a Theme Public Cloud Private Cloud 11 GTS - 14 11 11 Copyright iDefense 2009
  • 12. Variations on a Theme Public Cloud Private Cloud Hybrid Cloud 12 GTS - 14 12 12 Copyright iDefense 2009
  • 13. Cloud computing risks and generic mitigation strategies 13 GTS - 14 13 Copyright iDefense 2009
  • 14. Areas of Risk ▪ Privileged User Access ▪ Data Segregation ▪ Regulatory Compliance ▪ Physical Location of Data ▪ Availability ▪ Recovery ▪ Investigative Support ▪ Viability and Longevity 14 GTS - 14 14 14 Copyright iDefense 2009
  • 15. Mitigation Strategies Understand the risks Evaluate any potential cloud-based solution and CSP Unique solution, generic risks source: sxc.hu 15 GTS - 14 15 15 Copyright iDefense 2009
  • 16. Risks Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party 16 GTS - 14 16 16 Copyright iDefense 2009
  • 17. Mitigation Privileged User Access: • CSP must have access • Improper access -> Data Exposure • HR policies • 3rd party of a 3rd party Privilege Access Control Mitigation: – Support to HR and data policies – Outsourcing involved? – Evaluate the access controls 17 GTS - 14 17 17 Copyright iDefense 2009
  • 18. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 18 GTS - 14 18 18 Copyright iDefense 2009
  • 19. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 19 GTS - 14 19 19 Copyright iDefense 2009
  • 20. Risks Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption 20 GTS - 14 20 20 Copyright iDefense 2009
  • 21. Mitigation Data Segregation: • Shared common resources • Multiple consumers, same physical machine • Failure to segregate data: data exposure, loss or corruption Data Segregation Mitigation: – What’s the risk of data segregation failure? – Encryption of data: shifting of risks – Understand the “how, where, when” of consumer data storage 21 GTS - 14 21 21 Copyright iDefense 2009
  • 22. Risks Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks 22 GTS - 14 22 22 Copyright iDefense 2009
  • 23. Mitigation Regulatory Compliance: – Regulations for sensitive information and outsourcing – Conflicting regulations and laws – Failure to comply: significant legal risks Regulatory Control Mitigation: FISMA – Know your regulatory obligation HIPAA – Know your CSP’s regulatory obligations SOX PCI – Understand your liabilities SAS 70 – Location may change regulatory obligations Audits 23 GTS - 14 23 23 Copyright iDefense 2009
  • 24. Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 24 GTS - 14 24 24 Copyright iDefense 2009
  • 25. Risks Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure 10/9/09 SA pigeon 'faster than broadband' BBC News Cyber A Durban IT company pitted an 11-month- old bird armed with a 4GB memory stick against the ADSL service from the country's biggest web firm, Telkom. Winston the pigeon took two hours to carry the data 60 miles - in the same time the ADSL had sent 4% of the data. computers. 25 GTS - 14 25 25 Copyright iDefense 2009
  • 26. Mitigation Physical Location of Data: – Location, location, location – Location tied to regulatory issues – Volatile regions introduce a higher degree of risk – Hostile/Unethical governments have unforeseen risk of data exposure Physical Location of Data Mitigation: – Identify your data’s location – Avoid CSPs that cannot guarantee the location – Avoid CSPs that use data centers in hostile countries – Use CSPs that reside in consumer’s country 26 GTS - 14 26 26 Copyright iDefense 2009
  • 27. Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 27 GTS - 14 27 27 Copyright iDefense 2009
  • 28. Risks Availability: – Constant connectivity required – Any failure terminating connectivity is a risk – Data loss and downtime risks 28 GTS - 14 28 28 Copyright iDefense 2009
  • 29. Mitigation Service Availability Mitigation: – Availability is the greatest risk ! – Understand the CSP’s infrastructure: avoid single points of failure – Private clouds may reduce the availability risk, but introduce additional cost and overhead – Establish service-level agreements (SLAs) with their CSPs – Balance the risk introduced by using multiple data centers with the risk of a single site failure – Assume at least one outage, what’s the impact to you? 29 GTS - 14 29 29 Copyright iDefense 2009
  • 30. Risks Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime 30 GTS - 14 30 30 Copyright iDefense 2009
  • 31. Mitigation Recovery: – Improper backups or system failure – The more data, more data loss risk – Recovery time is operational downtime Recovery Mitigation: – Understand backed up systems (Encrypted? Multiple sites?) – Identify the time required to completely recover data – Practice a full recovery to test the CSP’s response time 31 GTS - 14 31 31 Copyright iDefense 2009
  • 32. Risks Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances 32 GTS - 14 32 32 Copyright iDefense 2009
  • 33. Mitigation Investigative Support: – Multiple consumers, aggregated logs – CSPs may hinder incident responses – Uncooperative CSPs: lost forensic data and investigation hindrances Investigative Support Mitigation: – Establish policies and procedures with the CSP – Avoid CSPs unwilling to participate in incident 33 GTS - 14 33 33 Copyright iDefense 2009
  • 34. Risks Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk 34 GTS - 14 34 34 Copyright iDefense 2009
  • 35. Mitigation Viability and Longevity: – CSP failure can occur at any time, for any reason – Risk of data loss and operational downtime – Large companies sometimes terminate services – Abrupt shutdowns are a more significant risk Viability and Longevity Mitigation: – Understand the way a CSP can “going dark” – Have a secondary CSP in mind – Review the history and financial stability of any CSP prior to engaging 35 GTS - 14 35 35 Copyright iDefense 2009
  • 36. Cloud Computing for Malicious Intent 36 GTS - 14 36 Copyright iDefense 2009
  • 37. Malicious use source: sxc.hu Bad guys are already using such technology ;) – Botnets – Hacking as a Service, SPAM 37 GTS - 14 37 37 Copyright iDefense 2009
  • 38. Malicious use source: sxc.hu Bad guys are already using such technology – Botnets – Hacking as a Service, SPAM 11/9/09 Bot herders hide master control channel in Google cloud by Dan Goodin, The Register Cyber criminals' love affair with cloud computing Malicious use of Cloud Services just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large – C&C Server on the cloud networks of infected computers. – Storage of malicious data – Cracking passwords 38 GTS - 14 38 38 Copyright iDefense 2009
  • 39. Conclusion 39 GTS - 14 39 Copyright iDefense 2009
  • 40. Conclusions Understanding the risk of cloud-based solutions Understand the level of sensitivity of your data Perform due diligence when evaluating a CSP Identify the location of your data Get assurance that your data will remain where it is placed. Cloud computing is a new technology still experiencing growing pains. Enterprises must be aware of this and anticipate the risks the technology introduces. 40 GTS - 14 40 40 Copyright iDefense 2009
  • 41. Additional Reading Cloud Security Alliance (CSA): “Security Guidance for Critical Areas of Focus in Cloud Computing” http://www.cloudsecurityalliance.org/guidance/csaguide.pdf NIST Cloud Computing Project http://csrc.nist.gov/groups/SNS/cloud-computing/index.html ENISA report on “Cloud Computing: Benefits, risks and recommendations for information security” http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk- assessment iDefense Topical Research Paper: “Cloud Computing” 41 GTS - 14 41 41 Copyright iDefense 2009
  • 42. Q&A GTS - 14 42 Copyright iDefense 2009
  • 43. Thank You Anchises M. G. de Paula iDefense Intelligence Analyst 43