Possibilities and Security
Challenges of Cloud Computing
InfoSec Conference 2010
Hotel Intercontinental
Makati City, Philippines
25 August 2010




Pierre U. Tagle, Ph.D., CISA
pierre.tagle@mobiliance.com




Outline
1 Introduction
2 What is Cloud Computing?
3 Possibilities and Security Challenges
4 Critical Areas for Cloud Implementations
Introduction
Mobiliance Incorporated is an INDEPENDENT technology consulting and software services firm which partners with commercial and government establishments/organisations to solve their toughest Information Technology problems and issues.

We offer services to:
• EVALUATE and understand your business needs;
• Recommend ways to ENHANCE how technology, people and processes fit into your business;
• INTEGRATE new and existing technology to better suit your business;
• MAINTAIN your technology investments; and
• Help you PRESERVE your investment to carry your business into the future.




Our Services
• Security Assessment and Design
   – Security Architecture Assessment / Design
   – Vulnerability Assessment
• Network Assessment and Design
   – Alignment with business requirements
   – Performance, reliability and availability analysis
• Technology Assessment and Design
• IT Governance / Risk Management
   – Disaster Recovery / Business Continuity
   – IT Governance
   – IT Risk Assessments
• Technology Management Advice (Virtual CIO/CTO)
• Software Development
   – From complete SDLC or to assist in specific phases
What is Cloud Computing?
• Virtually every vendor or provider has jumped on the cloud computing bandwagon and has slapped the “cloud” label on its offering, e.g. hosting, outsourcing, ASP, on-demand computing, grid computing, utility computing, etc.
   – Some reports indicate that there were at least 22 different definitions of the cloud in use.
• Cloud computing is NOT a technology revolution, but rather a process and business evolution in how many technologies and services are used to enable what is referred to as Cloud Computing.
• A simplified definition is that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and to use that capacity as a pay-per-use service.




NIST Cloud Definition Framework
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The NIST cloud model promotes availability and is composed of 5 essential characteristics, 3 service models and 4 deployment models.
5 Essential Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
   – Location independence
• Rapid elasticity
• Measured service
Source: Techmixer.com




3 Cloud Service / Delivery Models
• Cloud Software as a Service (SaaS)
   – Use provider’s apps over a network
• Cloud Platform as a Service (PaaS)
   – Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
   – Rent processing, storage, network capacity, etc.

Note: To be considered “cloud” these must be deployed on top of a cloud infrastructure with the key characteristics.
Source: NIST Presentations
Cloud Services Examples
• SaaS
   – Salesforce.com
   – Google Apps
• PaaS
   – Google App Engine, Force.com, IBM IT Factory
• IaaS
   – Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid
   – Amazon Simple Storage Service (Amazon S3)




Cloud Deployment Models
• Private cloud
   – Enterprise owned or leased
• Community cloud
   – Shared infrastructure for a specific community
• Public cloud
   – Available to the public, typically mega-scale infrastructure
• Hybrid cloud
   – Composition of 2 or more clouds
Possibilities and Benefits




Adoption Areas
Cloud Computing Challenges & Risks
• Data Protection
   – Where is my data?
   – How does my data securely enter/exit the cloud? (and how is it protected during transit?)
   – Who has access to my data?
• Risk / Incident Management
   – Who is accountable if something goes wrong?
   – What’s the disaster recovery plan?
   – What happens if my cloud provider disappears?
   – How is the environment monitored? How are we notified in the event of failures/outages?
• Integration and Cost
   – How easy is it to integrate with in-house IT?
   – Are there customization options to suit my needs?
   – Will on-demand cost more?
   – How difficult is it to migrate back to an in-house system? (if possible)
• Compliance
   – Are there any regulatory requirements?




Challenges and Risks
Security remains the top concern and was raised by 87.5% of respondents in the IDC 2009 survey (up from 74.6% in 2008).
Service Provider Requirements
• Pricing is a key area BUT
• security and related concerns can be “seen” in the user wish-list of service features: SLAs, option to move back on-premise, allow managing on-premise, offer both on-premise and public cloud services, have local presence




Security in the Cloud
• Security controls in cloud computing are no different than security controls in an IT environment BUT...
   – the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the organisation.
• Understanding the differences between service models and their implementation is critical to the management of risk to the organisation.

“Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.” – Cloud Security Alliance
Source: Cloud Security Alliance
Security Advantages
• Reduction of exposure of internal sensitive data with a move to an external cloud
   – Data fragmentation and dispersal are managed by an unbiased party (cloud vendor assertion)
   – Various studies show that a large amount of abuse is done by internal IT professionals
• Cloud homogeneity makes security auditing / testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery




Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Indirect administrator accountability
• Obtaining support for investigations
• Proprietary implementations cannot be examined
• Loss of physical control
• Data dispersal and international privacy laws
• Logging challenges
• Quality of service guarantees
Ensuring Compliance in the Cloud
• The use of cloud computing by itself does not provide for or prevent achieving compliance.
• Cloud services must be mapped against compensating controls to determine which exist and which do not – either by the end user, service provider or a third party.
• Gap analysis results are fed into the risk assessment framework – accept, transfer or mitigate.
Source: Cloud Security Alliance




Cloud Implementation Use Case Taxonomy
• Service Consumer
   – SaaS is consumed by end users, e.g. employees, clients, partners
   – PaaS is consumed by software developers
   – IaaS is consumed by IT managers
• The various components must be managed by the company or a third party solution provider.
Source: Cloud Computing Use Case Discussion Group
Determining Candidates for the Cloud
• Review applications and IT resources / systems
• Categorise into:
   – Mission-critical, i.e. business will not survive without it
   – Non-mission critical
• Sub-categorise into:
   – Core business practices, i.e. provides service differentiation
   – Non-core, i.e. internal activities
• Typical Rules of Thumb:
   – If mission-critical and non-core then possibly a good candidate for the cloud
   – If mission-critical and core, possibly keep internal or in a private cloud
   – If non-mission critical and non-core then okay for public clouds
   – If non-mission critical and core, possibly keep internal or in a private cloud




Candidates for the Public Cloud
GOOD
• Applications used by mobile workers, particularly those used to manage time, activities, etc.
• Software development environments
• Applications that require hardware/software not normally available within the company
• Applications that run infrequently but require considerable resources, e.g. test and pre-production systems
• Backup for critical applications
• Distributed server and data centre locations

BAD
• Applications with very sensitive data (with possible regulatory or legal risk)
• Applications that require very intensive data workloads or very performance sensitive applications
   – Possible cost issue
• Applications that require extensive or high customization
Cloud Adoption Model Example
• Prepare IT portfolio
   – Virtualization not necessary but can simplify migration, updates, etc.
• Cloud experimentation
   – Usage, experimentation and laying of groundwork
• Cloud foundations
   – Finalize application architecture and platform
• Cloud exploitation
   – Deployment (either private or public) in the cloud
   – Get apps into production, along with processes, policies and procedures
• Cloud actualization / HyperCloud
   – Fully dynamic and autonomic compute environment
Source: eWeek.com




Cloud Usage Examples
• Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infrastructure
• Animoto – a start-up that used Amazon’s cloud services and was able to keep up with soaring demand, scaling up from 50 to 3,500 instances over a three-day period
• Times – wanted to put a 60-year period’s worth of images (i.e. 15 million news stories) online; moved 4 TB into Amazon S3, ran the software on EC2, then launched the product
• Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops.
Recommended Areas of Critical Focus
GOVERNANCE DOMAINS
• Governance & Enterprise Risk Management
• Legal
• Compliance and Audit
• Information Life Cycle Management
• Portability and Interoperability

OPERATIONAL DOMAINS
• Security, Business Continuity & Disaster Recovery
• Data Centre Operations
• Incident Management
• Application Security
• Encryption & Key Management
• Identity & Access Management
• Virtualisation




Governance Domains
Governance & Enterprise Risk Management
• Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing
   – Legal precedence for agreements
   – Assess risk of a cloud provider
   – Responsibility to protect data
   – How international boundaries affect issues
• Risk management approaches
   – Include provider’s security governance, risk management and compliance structures and processes
   – Consistency between provider and end user risk assessment approaches
      • provider’s design of the cloud service vs. user’s assessment of the cloud service risk.
   – Adjust DRP/BCP to include new scenarios, e.g. loss of provider services

                                                     RECOMMENDATIONS 27




Legal Aspects
Potential legal issues with the use of Cloud Computing
   – Protection requirements for information & computer systems
   – Security disclosure laws
   – Regulatory requirements
   – Privacy requirements
   – International laws




Compliance and Audit
• Ensuring and proving compliance when using Cloud Computing
   – Company security policies
   – Industry standards and/or certifications
   – Regulatory, legislative and other compliance requirements
• The end user must understand:
   – Regulatory application for the use of a cloud service
   – Division of compliance responsibilities (vs. provider)
   – Provider’s ability to produce evidence needed for compliance
   – End user’s role in bridging the gap between provider and audit requirements




Information Lifecycle Management
• Management of data that is placed within the Cloud.
   – Identification and control of data
   – Compensating controls to deal with loss of physical control
   – Data confidentiality, integrity and availability
• The Data Security Lifecycle
   – Maps to the more general Information Lifecycle Management (ILM)
Source: Cloud Security Alliance
Portability and Interoperability
• Ability to move data and/or services from one cloud provider to another, or move it back in-house
   – Portability
   – Interoperability
• Companies may need to switch providers due to:
   – Unacceptable increase in cost
   – Provider ceases operation
   – Provider ceases one or more services
   – Unacceptable decrease in service quality
   – Business disputes




Operational Domains
Security, Business Continuity and Disaster Recovery
• How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery?
• How does cloud computing assist in diminishing risks in certain areas, while possibly increasing them in others?




Data Centre Operations
• Identifying common data centre characteristics that are:
   – Disadvantageous to on-going services and/or
   – Fundamental to long-term stability.
• Technology architectures will differ across providers but they all must support compartmentalization with controls segregating each layer of the infrastructure
   – Note that some cloud providers may be users of other cloud services, e.g. a SaaS vendor uses PaaS or IaaS vendor(s).
Incident Management
• Proper and adequate incident detection, response, notification and remediation.
   – Includes processes and procedures at both provider and end user levels
• Does the cloud bring about complexities to current incident management procedures?




Application Security
[Diagram: Cloud Apps at the centre, surrounded by Application Security Architecture, SDLC, Vulnerabilities, Compliance, and Tools & Services]
• What type of cloud platform to use? SaaS, PaaS, or IaaS?
• Cloud applications will both impact and be impacted by various factors
• Migrate existing app or design a new app for cloud deployment?
Encryption and Key Management
• Cloud environments are shared, and providers generally have privileged access
• Encryption offers benefits of less reliance on provider
• Identifying proper encryption usage and key management

Encryption for Confidentiality and Integrity
   – Encrypt data in transit: Secure sensitive information even within provider’s environment.
   – Encrypt data at rest: Differences in implementation from IaaS to PaaS to SaaS
   – Encrypt data on backup media: Protect against misuse of lost/stolen media.




Identity and Access Management
• Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation.
• Management of identities to provide access control when extending the organisation into the cloud.

Identity Provisioning
• Secure and timely management of provisioning and deprovisioning of users in the cloud.
• Extension of current user management processes to the cloud.

Authentication
• Address authentication related challenges, e.g. strong authentication (multi-factor), delegated authentication, and trust management across cloud services.

Federation
• Authenticate users of cloud services using the organisation’s chosen identity provider.

Authorization and User Profile Management
• Establishment of trusted user profile and policy information, using it to control access within the cloud, and using this in an auditable way.
IDaaS
• Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations
• For internal users:
   – Review provider’s options to provide secure access to the cloud
   – Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS.
• For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments
• PaaS users should review use of industry standards by IDaaS vendors
• Proprietary solutions represent a significant risk; the use of open standards is recommended.




Virtualisation
• Use of virtualisation technology in cloud computing, particularly the security issues related to the system/hardware virtualisation.
Conclusion
• In any move towards an emerging technology and business model, you need an in-depth understanding of:
   – Your IT team (whether in-house or 3rd party, including consultants / partners) and its capabilities
   – The solutions, and
   – The service providers and/or vendors
• Cloud computing is no different: any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and, if needed, outsourcing partners.
• Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and are continuously being improved / fine-tuned to meet the perceived challenges and user requirements.

Sukhbir jasuja digital_trends_11
 
Isc2conferancepremay15final
Isc2conferancepremay15finalIsc2conferancepremay15final
Isc2conferancepremay15final
 
So you’ve bought into the concept of “cloud” technology
So you’ve bought into the concept of “cloud” technologySo you’ve bought into the concept of “cloud” technology
So you’ve bought into the concept of “cloud” technology
 
Running SagePFW in a Private Cloud
Running SagePFW in a Private CloudRunning SagePFW in a Private Cloud
Running SagePFW in a Private Cloud
 
IT__forum_11
IT__forum_11IT__forum_11
IT__forum_11
 
Why We Fail: How an architect learned to stop worrying and love the cloud
Why We Fail:  How an architect learned to stop worrying and love the cloudWhy We Fail:  How an architect learned to stop worrying and love the cloud
Why We Fail: How an architect learned to stop worrying and love the cloud
 
Making Sense of the Cloud
Making Sense of the CloudMaking Sense of the Cloud
Making Sense of the Cloud
 
The Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated IndustriesThe Move to the Cloud for Regulated Industries
The Move to the Cloud for Regulated Industries
 
The cloud talk
The cloud talkThe cloud talk
The cloud talk
 
Secure adn Contained Access for Everybody, at Anytime
Secure adn Contained Access for Everybody, at Anytime Secure adn Contained Access for Everybody, at Anytime
Secure adn Contained Access for Everybody, at Anytime
 
Cloud Is Built, Now Who's Managing It?
Cloud Is Built, Now Who's Managing It?Cloud Is Built, Now Who's Managing It?
Cloud Is Built, Now Who's Managing It?
 

En vedette

CLOUD & SKY COLORATION
CLOUD & SKY COLORATIONCLOUD & SKY COLORATION
CLOUD & SKY COLORATIONs11012
 
Security Issues in Cloud Computing
Security Issues in Cloud ComputingSecurity Issues in Cloud Computing
Security Issues in Cloud ComputingJyotika Pandey
 
Cloud Security Issues 1.04.10
Cloud Security  Issues 1.04.10Cloud Security  Issues 1.04.10
Cloud Security Issues 1.04.10Rugby7277
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting PersonalKirsty Hulse
 
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika AldabaLightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldabaux singapore
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your BusinessBarry Feldman
 

En vedette (8)

CLOUD & SKY COLORATION
CLOUD & SKY COLORATIONCLOUD & SKY COLORATION
CLOUD & SKY COLORATION
 
Security Issues in Cloud Computing
Security Issues in Cloud ComputingSecurity Issues in Cloud Computing
Security Issues in Cloud Computing
 
What is cloud ?
What is cloud ?What is cloud ?
What is cloud ?
 
Cloud Security Issues 1.04.10
Cloud Security  Issues 1.04.10Cloud Security  Issues 1.04.10
Cloud Security Issues 1.04.10
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting Personal
 
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika AldabaLightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
Lightning Talk #9: How UX and Data Storytelling Can Shape Policy by Mika Aldaba
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
 

Similaire à Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 
Cloud Computing Webinar
Cloud Computing WebinarCloud Computing Webinar
Cloud Computing WebinarSaif Ahmad
 
Cloud computing by Luqman
Cloud computing by LuqmanCloud computing by Luqman
Cloud computing by LuqmanLuqman Shareef
 
Lovett introducing cloud computing nov 2009
Lovett introducing cloud computing nov 2009Lovett introducing cloud computing nov 2009
Lovett introducing cloud computing nov 2009Hilde Lovett
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureBob Rhubart
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02abhisheknayak29
 
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...Phil Copperwheat
 
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510David Linthicum
 
Telecoms in the Clouds Issue 1
Telecoms in the Clouds Issue 1Telecoms in the Clouds Issue 1
Telecoms in the Clouds Issue 1Alan Quayle
 
Fosec2011 keynote address
Fosec2011 keynote addressFosec2011 keynote address
Fosec2011 keynote addressthreesixty
 
Cloud Computing For Enterprises
Cloud Computing For EnterprisesCloud Computing For Enterprises
Cloud Computing For EnterprisesOne App Cloud
 
JISC11_Cloud Solutions Henry Hughes
JISC11_Cloud Solutions Henry HughesJISC11_Cloud Solutions Henry Hughes
JISC11_Cloud Solutions Henry HughesJisc
 
Trend and Future of Cloud Computing
Trend and Future of Cloud ComputingTrend and Future of Cloud Computing
Trend and Future of Cloud Computinghybrid cloud
 
Cloud conference & expo presentation
Cloud conference & expo presentationCloud conference & expo presentation
Cloud conference & expo presentationTelstra
 
Cloud Computing and Big Data
Cloud Computing and Big DataCloud Computing and Big Data
Cloud Computing and Big DataRobert Keahey
 
Perfect Storm: HR in the Cloud
Perfect Storm: HR in the CloudPerfect Storm: HR in the Cloud
Perfect Storm: HR in the CloudStanton Jones
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Cloud Computing And Soa Convergence Linthicum 02 09 10
Cloud Computing And Soa Convergence Linthicum 02 09 10Cloud Computing And Soa Convergence Linthicum 02 09 10
Cloud Computing And Soa Convergence Linthicum 02 09 10David Linthicum
 

Similaire à Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout) (20)

Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 
MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101MISA Cloud workshop - Cloud 101
MISA Cloud workshop - Cloud 101
 
Cloud Computing Webinar
Cloud Computing WebinarCloud Computing Webinar
Cloud Computing Webinar
 
Cloud computing by Luqman
Cloud computing by LuqmanCloud computing by Luqman
Cloud computing by Luqman
 
Lovett introducing cloud computing nov 2009
Lovett introducing cloud computing nov 2009Lovett introducing cloud computing nov 2009
Lovett introducing cloud computing nov 2009
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference Architecture
 
Star storage m cloud week
Star storage m cloud weekStar storage m cloud week
Star storage m cloud week
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...
Plenary_three_Cloud_computing_-_is_social_housing_ready_for_it_-_Phil_Copperw...
 
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510
Why Soa Governance Is Critical To Cloud Computing David Linthicum 022510
 
Telecoms in the Clouds Issue 1
Telecoms in the Clouds Issue 1Telecoms in the Clouds Issue 1
Telecoms in the Clouds Issue 1
 
Fosec2011 keynote address
Fosec2011 keynote addressFosec2011 keynote address
Fosec2011 keynote address
 
Cloud Computing For Enterprises
Cloud Computing For EnterprisesCloud Computing For Enterprises
Cloud Computing For Enterprises
 
JISC11_Cloud Solutions Henry Hughes
JISC11_Cloud Solutions Henry HughesJISC11_Cloud Solutions Henry Hughes
JISC11_Cloud Solutions Henry Hughes
 
Trend and Future of Cloud Computing
Trend and Future of Cloud ComputingTrend and Future of Cloud Computing
Trend and Future of Cloud Computing
 
Cloud conference & expo presentation
Cloud conference & expo presentationCloud conference & expo presentation
Cloud conference & expo presentation
 
Cloud Computing and Big Data
Cloud Computing and Big DataCloud Computing and Big Data
Cloud Computing and Big Data
 
Perfect Storm: HR in the Cloud
Perfect Storm: HR in the CloudPerfect Storm: HR in the Cloud
Perfect Storm: HR in the Cloud
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Cloud Computing And Soa Convergence Linthicum 02 09 10
Cloud Computing And Soa Convergence Linthicum 02 09 10Cloud Computing And Soa Convergence Linthicum 02 09 10
Cloud Computing And Soa Convergence Linthicum 02 09 10
 

Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Handout)

  • 1. Possibilities and Security Challenges of Cloud Computing
    InfoSec Conference 2010, Hotel Intercontinental, Makati City, Philippines, 25 August 2010
    Pierre U. Tagle, Ph.D., CISA, pierre.tagle@mobiliance.com

    Outline
    1 Introduction
    2 What is Cloud Computing?
    3 Possibilities and Security Challenges
    4 Critical Areas for Cloud Implementations
  • 2. Introduction
    Mobiliance Incorporated is an INDEPENDENT technology consulting and software services firm which partners with commercial and government establishments/organisations to solve their toughest Information Technology problems and issues.
    We offer services to:
    • EVALUATE and understand your business needs;
    • Recommend ways to ENHANCE how technology, people and processes fit into your business;
    • INTEGRATE new and existing technology to better suit your business;
    • MAINTAIN your technology investments; and
    • Help you PRESERVE your investment to carry your business into the future.

    Our Services
    • Security Assessment and Design
      – Security Architecture Assessment / Design
      – Vulnerability Assessment
    • Network Assessment and Design
      – Alignment with business requirements
      – Performance, reliability and availability analysis
    • Technology Assessment and Design
    • IT Governance / Risk Management
      – Disaster Recovery / Business Continuity
      – IT Governance
      – IT Risk Assessments
    • Technology Management Advice (Virtual CIO/CTO)
    • Software Development
      – From complete SDLC or to assist in specific phases
  • 3. What is Cloud Computing?
    • Virtually every vendor or provider has jumped on the cloud computing bandwagon and has slapped the “cloud” label on it, e.g. hosting, outsourcing, ASP, on-demand computing, grid computing, utility computing, etc.
      – Some reports indicate that there were at least 22 different definitions of the cloud in use.
    • Cloud computing is NOT a technology revolution, but rather a process and business evolution – in how many technologies and services are used to enable what is referred to as Cloud Computing.
    • A simplified definition can be that cloud computing allows businesses to increase IT capacity on the fly without investing in new infrastructure, training new personnel and/or licensing new software, and to use that capacity as a pay-per-use service.

    NIST Cloud Definition Framework
    “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
    The NIST cloud model promotes availability and is composed of 5 essential characteristics, 3 service models and 4 deployment models.
  • 4. 5 Essential Characteristics
    • On-demand self-service
    • Broad network access
    • Resource pooling
      – Location independence
    • Rapid elasticity
    • Measured service
    Source: Techmixer.com

    3 Cloud Service / Delivery Models
    • Cloud Software as a Service (SaaS)
      – Use provider’s apps over a network
    • Cloud Platform as a Service (PaaS)
      – Deploy customer-created applications to a cloud
    • Cloud Infrastructure as a Service (IaaS)
      – Rent processing, storage, network capacity, etc.
    Note: To be considered “cloud” these must be deployed on top of a cloud infrastructure with the key characteristics.
    Source: NIST Presentations
  • 5. Cloud Services Examples
    • SaaS
      – Salesforce.com
      – Google Apps
    • PaaS
      – Google App Engine, Force.com, IBM IT Factory
    • IaaS
      – Amazon Elastic Compute Cloud (Amazon EC2), IBM Blue Cloud, Sun Grid
      – Amazon Simple Storage Service (Amazon S3)

    Cloud Deployment Models
    • Private cloud – Enterprise owned or leased
    • Community cloud – Shared infrastructure for a specific community
    • Public cloud – Available to the public, typically mega-scale infrastructure
    • Hybrid cloud – Composition of 2 or more clouds
  • 6. Possibilities and Benefits

    Adoption Areas
  • 7. Cloud Computing Challenges & Risks
    • Data Protection
      – Where is my data?
      – How does my data securely enter/exit the cloud? (and how is it protected during transit?)
      – Who has access to my data?
    • Risk / Incident Management
      – Who is accountable if something goes wrong?
      – What’s the disaster recovery plan?
      – What happens if my cloud provider disappears?
      – How is the environment monitored? How are we notified in the event of failures/outages?
    • Compliance
      – Are there any regulatory requirements?
    • Integration and Cost
      – How easy is it to integrate with in-house IT?
      – Are there customization options to suit my needs?
      – Will on-demand cost more?
      – How difficult is it to migrate back to an in-house system? (if possible)

    Challenges and Risks
    Security remains the top concern and was raised by 87.5% of respondents in the IDC 2009 survey (up from 74.6% in 2008).
  • 8. Service Provider Requirements
    • Pricing is a key area BUT
    • security and related concerns can be “seen” in the user wish-list of service features: SLAs, option to move back on-premise, allow managing on-premise, offer both on-premise and public cloud services, have local presence.

    Security in the Cloud
    • Security controls in cloud computing are no different than security controls in an IT environment BUT...
      – the various cloud service models, operational models, and technologies used to enable cloud services may present different risks to the organisation.
    • Understanding the differences between service models and their implementation is critical to the management of risk to the organisation.
    “Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.” – Cloud Security Alliance
    Source: Cloud Security Alliance
  • 9. Security Advantages
    • Reduction of exposure of internal sensitive data with move to external cloud
      – Data fragmentation and dispersal are managed by an unbiased party (cloud vendor assertion)
      – Various studies show that a large amount of abuse is done by internal IT professionals
    • Cloud homogeneity makes security auditing / testing simpler
    • Clouds enable automated security management
    • Redundancy / Disaster Recovery

    Security Challenges
    • Trusting vendor’s security model
    • Customer inability to respond to audit findings
    • Indirect administrator accountability
    • Obtaining support for investigations
    • Proprietary implementations cannot be examined
    • Loss of physical control
    • Data dispersal and international privacy laws
    • Logging challenges
    • Quality of service guarantees
  • 10. Ensuring Compliance in the Cloud
    • The use of cloud computing by itself does not provide for or prevent achieving compliance.
    • Cloud services must be mapped against compensating controls to determine which exist and which do not – either by the end user, service provider or a third party.
    • Gap analysis results are fed into the risk assessment framework – accept, transfer or mitigate.
    Source: Cloud Security Alliance

    Cloud Implementation Use Case Taxonomy
    • Service Consumer
      – SaaS is consumed by end users, e.g. employees, clients, partners
      – PaaS is consumed by software developers
      – IaaS is consumed by IT managers
    • The various components must be managed by the company or a third party solution provider.
    Source: Cloud Computing Use Case Discussion Group
  • 11. Determining Candidates for the Cloud
    • Review applications and IT resources / systems
    • Categorise into:
      – Mission-critical, i.e. business will not survive without it
      – Non-mission critical
    • Sub-categorise into:
      – Core business practices, i.e. provides service differentiation
      – Non-core, i.e. internal activities
    • Typical Rules of Thumb:
      – If mission-critical and non-core then possibly a good candidate for the cloud
      – If mission-critical and core, possibly keep internal or in a private cloud
      – If non-mission critical and non-core then okay for public clouds
      – If non-mission critical and core, possibly keep internal or in a private cloud

    Candidates for the Public Cloud
    GOOD
    • Applications used by mobile workers, particularly those used to manage time, activities, etc.
    • Software development environments
    • Applications that require hardware/software not normally available within the company
    • Applications that run infrequently but require considerable resources, e.g. test and pre-production systems
    • Backup for critical applications
    • Distributed server and data centre locations
    BAD
    • Applications with very sensitive data (with possible regulatory or legal risk)
    • Applications that require very intensive data workloads or very performance sensitive applications
      – Possible cost issue
    • Applications that require extensive or high customization
  • 12. Cloud Adoption Model Example
    • Prepare IT portfolio
      – Virtualization not necessary but can simplify migration, updates, etc.
    • Cloud experimentation
      – Usage, experimentation and laying of groundwork
    • Cloud foundations
      – Finalize application architecture and platform
    • Cloud exploitation
      – Deployment (either private or public) in the cloud
      – Get apps into production, along with processes, policies and procedures
    • Cloud actualization / HyperCloud
      – Fully dynamic and autonomic compute environment
    Source: eWeek.com

    Cloud Usage Examples
    • Nasdaq – uses Amazon S3 to deliver historical stock and mutual fund information, rather than add load to its database/computing infrastructure
    • Animoto – start-up that used Amazon’s cloud services and was able to keep up with soaring demand, scaling up from 50 to 3,500 instances over a three-day period
    • Times – wanted to publish a 60-year period’s worth of images (i.e. 15 million news stories); moved 4 TB into Amazon S3, ran the software on EC2, then launched the product
    • Mogulus – streams 120,000 live TV channels over the Internet but owns no hardware except for its laptops.
  • 13. Recommended Areas of Critical Focus
    GOVERNANCE DOMAINS
    • Governance & Enterprise Risk Management
    • Legal
    • Compliance and Audit
    • Information Life Cycle Management
    • Portability and Interoperability
    OPERATIONAL DOMAINS
    • Security, Business Continuity & Disaster Recovery
    • Data Centre Operations
    • Incident Management
    • Application Security
    • Encryption & Key Management
    • Identity & Access Management
    • Virtualisation

    Governance Domains
  • 14. Governance & Enterprise Risk Management
    • Ability of an organisation to govern and measure enterprise risk introduced with the use of Cloud Computing
      – Legal precedence for agreements
      – Assess risk of a cloud provider
      – Responsibility to protect data
      – How international boundaries affect issues
    • Risk management approaches
      – Include provider’s security governance, risk management and compliance structures and processes
      – Consistency between provider and end user risk assessment approaches
        • provider’s design of the cloud service vs. user’s assessment of the cloud service risk.
      – Adjust DRP/BCP to include new scenarios, e.g. loss of provider services
    RECOMMENDATIONS

    Legal Aspects
    Potential legal issues with the use of Cloud Computing
      – Protection requirements for information & computer systems
      – Security disclosure laws
      – Regulatory requirements
      – Privacy requirements
      – International laws
    RECOMMENDATIONS
  • 15. Compliance and Audit
    • Ensuring and proving compliance when using Cloud Computing
      – Company security policies
      – Industry standards and/or certifications
      – Regulatory, legislative and other compliance requirements
    • The end user must understand:
      – Regulatory application for the use of a cloud service
      – Division of compliance responsibilities (vs. provider)
      – Provider’s ability to produce evidence needed for compliance
      – End user’s role in bridging the gap between provider and audit requirements
    RECOMMENDATIONS

    Information Lifecycle Management
    • Management of data that is placed within the Cloud.
      – Identification and control of data
      – Compensating controls to deal with loss of physical control
      – Data confidentiality, integrity and availability
    • Maps to the more general Information Lifecycle Management (ILM)
    • The Data Security Lifecycle
    Source: Cloud Security Alliance
    RECOMMENDATIONS
  • 16. Portability and Interoperability
    • Ability to move data and/or services from one cloud provider to another, or move it back in-house
      – Portability
      – Interoperability
    • Companies may need to switch providers due to:
      – Unacceptable increase in cost
      – Provider ceases operation
      – Provider ceases one or more services
      – Unacceptable decrease in service quality
      – Business disputes
    RECOMMENDATIONS

    Operational Domains
  • 17. Security, Business Continuity and Disaster Recovery
    • How does cloud computing affect the current operational processes and procedures in relation to security, business continuity and disaster recovery?
    • How does cloud computing assist in diminishing risks in certain areas, while possibly increasing them in others?
    RECOMMENDATIONS

    Data Centre Operations
    • Identifying common data centre characteristics that are:
      – Disadvantageous to on-going services and/or
      – Fundamental to long-term stability.
    • Technology architectures will differ across providers but they all must support compartmentalization with controls segregating each layer of the infrastructure
      – Note that some cloud providers may be users of other cloud services, e.g. a SaaS vendor uses PaaS or IaaS vendor(s).
    RECOMMENDATIONS
  • 18. Incident Management
    • Proper and adequate incident detection, response, notification and remediation.
      – Includes processes and procedures at both provider and end user levels
    • Does the cloud bring about complexities to current incident management procedures?
    RECOMMENDATIONS

    Application Security
    • What type of cloud platform to use? SaaS, PaaS, or IaaS?
    • Cloud applications will both impact and be impacted by various factors
    • Migrate existing app or design a new app for cloud deployment?
    (Figure labels: Application Security Architecture, Compliance, Cloud Apps, Tools & Services, SDLC, Vulnerabilities)
    RECOMMENDATIONS
  • 19. Encryption and Key Management
    • Cloud environments are shared, and providers generally have privileged access
    • Encryption offers benefits of less reliance on provider
    • Identifying proper encryption usage and key management
    Encryption
    • Encrypt data in transit for Confidentiality and Integrity
      – Secure sensitive information even within provider’s environment.
    • Encrypt data at rest
      – Differences in implementation from IaaS to PaaS to SaaS
    • Encrypt data on backup media
      – Protect against misuse of lost/stolen media.
    RECOMMENDATIONS

    Identity and Access Management
    • Even without the cloud, the management of identities and access control remains one of the key challenges facing IT in any organisation.
    • Management of identities to provide access control when extending the organisation into the cloud.
    Identity Provisioning
    • Secure and timely management of provisioning and deprovisioning of users in the cloud.
    • Extension of current user management processes to the cloud.
    Authentication
    • Address authentication related challenges, e.g. strong authentication (multi-factor), delegated authentication, and trust management across cloud services.
    Authorization and User Profile Management
    • Establishment of trusted user profile and policy information, using it to control access within the cloud, and using this in an auditable way.
    Federation
    • Authenticate users of cloud services using the organisation’s chosen identity provider.
    RECOMMENDATIONS
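    The three encryption points on the slide above (in transit, at rest, on backup media) come down to one question: who holds the key. If the customer encrypts an object before it is uploaded and keeps the key-encryption key outside the provider, then the provider's privileged access, a disk pulled from its data centre, or a lost backup tape all yield only ciphertext. The Go program below is an added example written for this page, not code from the handout or from any cloud provider's SDK. It performs client-side envelope encryption: a fresh data-encryption key (DEK) per object, the object sealed under the DEK with AES-256-GCM, the DEK wrapped under a customer-held key-encryption key (KEK), and the object name bound into the authenticated data so a blob cannot be quietly refiled under another name. The object name "payroll/2010-08.csv", the sample record and the in-memory KEK are constructed for the example; in practice the KEK would live in a key store the customer controls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is uploaded to the provider's object store and what ends up
// on any backup media the provider makes. Neither field is usable without the
// customer-held KEK, so the provider's privileged access yields only ciphertext.
type Envelope struct {
	ObjectName string // bound into the AEAD associated data
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts and authenticates plaintext with AES-256-GCM under key and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openBlob reverses sealBlob and fails on any modification of blob or aad.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt does envelope encryption on the customer side: a fresh 256-bit DEK
// per object, the object sealed under the DEK, the DEK sealed under the KEK.
// Only the Envelope goes to the cloud; the KEK never leaves the customer.
func Encrypt(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	ct, err := sealBlob(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealBlob(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{ObjectName: objectName, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the object. A tampered
// ciphertext, a tampered wrapped key, a wrong KEK, or a blob moved to a
// different object name all fail authentication instead of yielding garbage.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	aad := []byte(env.ObjectName)
	dek, err := openBlob(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openBlob(dek, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("open object: %w", err)
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // constructed for the example; the real one belongs in a customer-controlled HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, "payroll/2010-08.csv", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	// A copy of the blob filed under another name (or a restored backup with
	// mismatched metadata) is rejected rather than silently decrypted.
	env.ObjectName = "public/readme.txt"
	_, err = Decrypt(kek, env)
	fmt.Println("after renaming the object:", err)
}
```

    Rotating the KEK only requires re-wrapping each object's small DEK, not re-encrypting the data, which is the practical reason for the two-level scheme; encrypting the data in transit (TLS to the provider) is still needed, since the envelope protects the stored object, not the session that carries it.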
  • 20. IDaaS
    • Identity as a Service (IDaaS) should follow the same best practices used for internal IAM implementations
    • For internal users:
      – Review provider’s options to provide secure access to the cloud
      – Review cost reduction vs. risk mitigation measures to address risks of having employee information with IDaaS.
    • For external users (e.g. partners) the information owners need to incorporate interactions with IAM providers into the SDLC and in threat assessments
    • PaaS users should review use of industry standards by IDaaS vendors
    • Proprietary solutions represent a significant risk; the use of open standards is recommended.

    Virtualisation
    • Use of virtualisation technology in cloud computing, particularly the security issues related to system/hardware virtualisation.
    RECOMMENDATIONS
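    The Federation and Authentication boxes on the Identity and Access Management slide, and the open-standards point on the IDaaS slide above, describe what the relying party (the cloud service) must check before it trusts an assertion from the organisation's identity provider. The Go program below is an added example written for this page, not code from the handout or from any SAML or OpenID Connect implementation; it uses a deliberately minimal Ed25519-signed token rather than a standard format, and the issuer URL https://idp.example.org, the audiences crm.cloud.example and hr.cloud.example, the subject "alice" and the timestamps are all constructed. What it shows holds regardless of format: the signature is checked against the trusted issuer's key before any claim is parsed, issuer and audience must match (so a token issued for one cloud service cannot be replayed against another), the validity window is enforced, and an authentication-method claim lets the service insist on multi-factor authentication for sensitive access.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Claims is a deliberately minimal federated assertion (not SAML or OpenID Connect).
type Claims struct {
	Issuer      string `json:"iss"` // identity provider that vouches for the user
	Subject     string `json:"sub"` // the user
	Audience    string `json:"aud"` // the one cloud service allowed to accept it
	IssuedAt    int64  `json:"iat"`
	Expires     int64  `json:"exp"`
	AuthnMethod string `json:"amr"` // "mfa" or "pwd" in this example
}

// Issue is the organisation's identity provider: it signs the claims with its
// private key. The cloud service only ever holds the corresponding public key.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := enc.EncodeToString(body)
	return payload + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(payload))), nil
}

// Verifier is the relying party (the cloud service), configured out of band
// with the issuer it trusts, that issuer's public key and its own audience name.
type Verifier struct {
	TrustedIssuer string
	IssuerKey     ed25519.PublicKey
	Audience      string
	Now           func() time.Time // injectable clock
}

// Verify checks the signature before parsing anything, then issuer, audience
// and validity window; with requireMFA it also insists on strong authentication.
func (v Verifier) Verify(token string, requireMFA bool) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(v.IssuerKey, []byte(parts[0]), sig) {
		return nil, errors.New("signature not from the trusted identity provider")
	}
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Issuer != v.TrustedIssuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	if c.Audience != v.Audience { // a token for one service must not work at another
		return nil, fmt.Errorf("token issued for %q presented to %q", c.Audience, v.Audience)
	}
	if now := v.Now().Unix(); now < c.IssuedAt || now >= c.Expires {
		return nil, errors.New("token outside its validity window")
	}
	if requireMFA && c.AuthnMethod != "mfa" {
		return nil, fmt.Errorf("strong authentication required, got %q", c.AuthnMethod)
	}
	return &c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed keys and names for the example
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	token, err := Issue(priv, Claims{Issuer: "https://idp.example.org", Subject: "alice",
		Audience: "crm.cloud.example", IssuedAt: now - 5, Expires: now + 300, AuthnMethod: "mfa"})
	if err != nil {
		panic(err)
	}
	crm := Verifier{TrustedIssuer: "https://idp.example.org", IssuerKey: pub,
		Audience: "crm.cloud.example", Now: time.Now}
	c, err := crm.Verify(token, true)
	fmt.Printf("crm accepts: %v (err=%v)\n", c != nil, err)
	hr := crm
	hr.Audience = "hr.cloud.example" // the same token replayed at a different service
	_, err = hr.Verify(token, true)
	fmt.Println("hr rejects:", err)
}
```

    The provider's public key and the trusted issuer name are the trust anchor; in a real federation they arrive through the identity provider's published metadata and must be fetched and pinned out of band, which is exactly where a proprietary IDaaS scheme that the customer cannot inspect becomes the risk the slide warns about.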
  • 21. Conclusion
    • In any move towards an emerging technology and business model, you need in-depth understanding of:
      – Your IT team (whether in-house or 3rd party including consultants / partners) and its capabilities
      – The Solutions, and
      – The Service Providers and/or Vendors
    • Cloud computing is no different: any decision to move to the cloud should involve at least the enterprise architects, developers, product/service owners and stakeholders, IT management and, if needed, outsourcing partners.
    • Concerns with cloud computing are valid but not insurmountable. Credible solutions do exist and are continuously being improved / fine-tuned to meet the perceived challenges and user requirements.