The security of SAAS and private cloud


Ian Farquhar from RAS shares his slides on the security aspects of cloud computing


  1. Security of SaaS and Private Cloud: Considerations for CFOs
     Ian Farquhar
     Advisory Technology Consultant
  2. Profile: Ian Farquhar
     Career:
       RSA, The Security Division of EMC (2008-Present)
       Cisco Systems (2004-2008)
       Sun Microsystems (1999-2004)
       Silicon Graphics/Cray Research (1994-1999)
       Macquarie University Department of Research Electronics (1993-1994)
       Macquarie University Office of Computing Services (1988-1993)
     Twenty years of experience in computer and information security
     Technology Evangelist for RSA
     RSA specialist for ANZ in:
       Data Loss Prevention
       Cryptography
       Policy
       Security evaluation
  3. Definitions: Public vs. Private Cloud
     According to Gartner:
       The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated.
       The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure.
     Or... (from the RSA Conference):
       A private cloud is inside the firewall; a public cloud is outside.
     Security CIA:
       Confidentiality, Integrity and Availability
  4. Definition: Software-as-a-Service (SaaS)
     SaaS is the provision of software in a services model.
     Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics.
     Other *aaS acronyms:
       PaaS: Platform-as-a-Service
       IaaS: Infrastructure-as-a-Service
     SaaS and PaaS are not really new concepts
       Mainframe-era "Bureau Services" were just SaaS or PaaS
       Even virtualization is not new: IBM VM, circa 1969
  5. Issues to Consider: SaaS (and Public Cloud)
     Legal issues
       If it isn't in the contract, it should be
       What are the service level agreements? How are they measured?
       Do they match your expectations? What is the dispute process?
       Who owns your data?
       Where is it processed?
       Where is the DR site?
       Where is it replicated?
     Jurisdictional issues
       Data location (compliance)
       Legal issues (e.g. US Patriot Act)
       Legal search and seizure considerations
     SaaS provider closure or acquisition
       What legal rights do you have?
       If you can access the data, in what form? (And don't forget the backups.)
       How quickly could you migrate this business function?
  6. Issues to Consider: SaaS (and Public Cloud)
     Provider terminating contract
       How much notice do you get?
       Do you have any right of appeal?
       Can they terminate your service and leave you without access to "your" data?
     "The Forced March"
       Will upgrades at the SaaS provider introduce unexpected work (cost)?
       Forced up-sell due to discontinuation of an older version
       How much notice do you get?
       What guarantees are in the contract?
     Connectivity and performance issues
       SaaS makes your business dependent on Internet access
       Don't forget the SLAs from your ISP or carrier
       How would your business cope with a network outage?
       Don't forget to factor in the cost of network management
       Is your network traffic protected in transit? (SSL issues.)
  7. Issues to Consider: SaaS (and Public Cloud)
     Expertise
       If you find you need expertise above basic support, where does it come from and how much does it cost?
     Generic "security" issues
       Endpoint security is still critical
       What is the SaaS provider's security posture?
       How do they authenticate users?
       What guarantees do you have that the SaaS provider is implementing best practice?
       Who can access your data? (Separation.)
       How is the service funded? (Not applicable for "pay as you go".)
     Fundamentally, HOW DO YOU KNOW?
     Or, WHAT IS THE RATIONAL BASIS FOR YOUR TRUST?
  8. Issues to Consider: Private Cloud
     Most of the security issues with private cloud are not new
     Some security features are better on private cloud than on raw hardware (e.g. DR)
     Limiting this to private-cloud-specific issues
     All IT best practice applies to private cloud just as it does to existing IT infrastructure
     Private cloud is fundamentally about increasing efficiency
     Issues:
       Network infrastructure and design
       Administrative access: a rogue or careless admin can do a lot of damage
       Proliferation: change control is still critical for a well-run virtual infrastructure
       Software licensing
       Orphaned VMs
       Data sprawl
       Security patching and offline VMs
       Legal search and seizure
       Capacity planning
     Excellent resource: Cloud Security Alliance
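Three of the operational issues on this slide (orphaned VMs, data sprawl, and offline VMs that miss patch cycles) are things an inventory audit can surface mechanically. The following is an added example, not part of the slide deck and not RSA or Cloud Security Alliance code: it runs a few audit rules over a constructed VM and disk inventory. The inventory shape (owner, power state, last patch date, disk attachment), the owner directory, the reference date and the 30-day patch threshold are all assumptions chosen for illustration; in a real environment the inventory would come from the hypervisor's management API and the owner list from the HR or asset directory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass
class VM:
    name: str
    owner: str           # cost centre or accountable person; "" when unknown
    powered_on: bool
    last_patched: date   # date the last patch run completed on this VM


@dataclass
class Disk:
    disk_id: str
    attached_to: str     # VM name, or "" when the disk is detached


# Constructed sample data (not from any real environment).
TODAY = date(2024, 1, 15)
ACTIVE_OWNERS: Set[str] = {"finance", "hr", "it-ops"}   # hypothetical directory

INVENTORY: List[VM] = [
    VM("web-01",     "finance", True,  date(2024, 1, 10)),
    VM("legacy-db",  "",        False, date(2023, 6, 1)),   # nobody owns it, long offline
    VM("test-box",   "bob",     True,  date(2024, 1, 12)),  # owner no longer in directory
    VM("hr-portal",  "hr",      False, date(2024, 1, 1)),   # briefly off, still within window
    VM("payroll-dr", "finance", False, date(2023, 11, 1)),  # DR copy missed patch cycles
]

DISKS: List[Disk] = [
    Disk("d-001", "web-01"),
    Disk("d-002", ""),                  # detached volume nobody remembers
    Disk("d-003", "decommissioned-vm"), # attached to a VM that no longer exists
]


def orphaned_vms(vms: Iterable[VM], owners: Set[str]) -> List[str]:
    """VMs whose owner is blank or not in the active owner directory."""
    return sorted(v.name for v in vms if v.owner not in owners)


def stale_offline_vms(vms: Iterable[VM], today: date,
                      max_patch_age_days: int = 30) -> List[str]:
    """Powered-off VMs whose last patch is older than the threshold.

    An offline VM cannot receive patches, so when it is powered back on it
    returns with whatever vulnerabilities were fixed after its last run.
    """
    return sorted(
        v.name for v in vms
        if not v.powered_on and (today - v.last_patched).days > max_patch_age_days
    )


def detached_disks(disks: Iterable[Disk], vms: Iterable[VM]) -> List[str]:
    """Disks not attached to any VM in the current inventory (data sprawl)."""
    live_names = {v.name for v in vms}
    return sorted(d.disk_id for d in disks if d.attached_to not in live_names)


def audit(vms: List[VM], disks: List[Disk], owners: Set[str],
          today: date) -> Dict[str, List[str]]:
    """Run every rule and return the findings keyed by rule name."""
    return {
        "orphaned_vms": orphaned_vms(vms, owners),
        "stale_offline_vms": stale_offline_vms(vms, today),
        "detached_disks": detached_disks(disks, vms),
    }


if __name__ == "__main__":
    for rule, findings in audit(INVENTORY, DISKS, ACTIVE_OWNERS, TODAY).items():
        print(f"{rule}: {', '.join(findings) if findings else 'none'}")
```

Each rule maps to a change-control question from the slide: an orphaned VM has no one accountable for its patching or decommissioning, a detached disk may still hold sensitive data that no retention policy covers, and a long-offline VM is a known-vulnerable system waiting to be powered on. Running such an audit on a schedule turns the slide's checklist into evidence that can be reviewed.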
  9. In Summary
     SaaS and Public Cloud
       Read and understand the contract
       Do a thorough cost-benefit analysis
       Plan for the contingencies
       Trust but verify
     Private Cloud
       All current best practices apply to private clouds too
       Private clouds have some security characteristics which are superior to "raw metal" IT
       The majority of issues are operational: this is where to focus