The security of SAAS and private cloud
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


The security of SAAS and private cloud



Ian Farquhar from RAS shares his slides on the security aspects of cloud computing

Ian Farquhar from RAS shares his slides on the security aspects of cloud computing



Total Views
Views on SlideShare
Embed Views



1 Embed 38 38



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

The security of SAAS and private cloud Presentation Transcript

  • 1. Security of SaaS and Private CloudConsiderations for CFO’s
    Ian Farquhar
    Advisory Technology Consultant
  • 2. Profile: Ian Farquhar
    RSA, The Security Division of EMC (2008-Present)
    Cisco Systems (2004-2008)
    Sun Microsystems (1999-2004)
    Silicon Graphics/Cray Research (1994-1999)
    Macquarie University Department of Research Electronics (1993-1994)
    Macquarie University Office of Computing Services (1988-1993)
    Twenty years of experience in computer and information security
    Technology Evangelist for RSA
    RSA specialist for ANZ in:
    Data Loss Prevention
    Security evaluation
  • 3. Definitions: Public vs. Private Cloud
    According to Gartner:
    The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated.
    The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure.
    Or... (from the RSA Conference):
    A private cloud is inside the firewall, a private cloud is outside.
    Security CIA:
    Confidentiality, Integrity and Availability
  • 4. Definition: Software-as-a-Service (SaaS)
    SaaS is the provision of software in a services model.
    Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics.
    Other *aaS acronyms:
    PaaS: Platform-as-a-Service
    IaaS: Infrastructure-as-a-Service
    SaaS and PaaS are not really new concepts
    Mainframe-era “Bureau Services” were just SaaS or PaaS
    Even virtualization is not new: IBM/VM circa 1969
  • 5. Issues to Consider: SaaS (and Public Cloud)
    Legal issues
    If it isn’t in the contract, it should be
    What are the service level agreements? How are they measured?
    Do they match your expectations? What is the dispute process?
    Who owns your data?
    Where is it processed?
    Where is the DR site?
    Where is it replicated?
    Jurisdictional issues
    Data location (compliance)
    Legal issues (eg. US Patriot Act)
    Legal search and seizure considerations
    SaaS provider closure or acquisition
    What legal rights do you have?
    If you can access the data, in what form? (and don’t forget the backups)
    How quickly could you migrate this business function?
  • 6. Issues to Consider: SaaS (and Public Cloud)
    Provider Terminating Contract
    How much notice do you get?
    Do you have any right of appeal?
    Can they terminate your service and leave you without access to “your” data?
    “The Forced March”
    Will upgrades at the SaaS provider introduce unexpected work (cost)?
    Forced up-sell due to discontinuation of an older version
    How much notice do you get?
    What guarantees are in the contract?
    Connectivity and Performance Issues
    SaaS makes your business dependent on Internet access
    Don’t forget the SLA’s from your ISP or carrier
    How would your business cope with a network outage?
    Don’t forget to factor in the cost of network management
    Is your network traffic protected in transit? (SSL issues.)
  • 7. Issues to Consider: SaaS (and Public Cloud)
    If you find you need expertise above basic support, where does it come from and how much does it cost?
    Generic “Security” Issues
    Endpoint security still is critical
    What is the SaaS provider’s security posture?
    How do they authenticate users?
    What guarantees do you have that the SaaS provider is implementing best practice?
    Who can access your data? (Separation).
    (Not applicable for “pay as you go”). How is the service funded?
    Fundamentally, HOW DO YOU KNOW?
  • 8. Issues to Consider: Private Cloud
    Most of the security issues with Private Cloud are not new
    Some security features are better on private cloud than on raw hardware (eg. DR)
    Limiting this to private-cloud specific issues
    All best IT practice applies similarly to private cloud, as it does to existing IT infrastructure
    Private cloud is fundamentally about increasing efficiency
    Network infrastructure and design
    Administrative access – a rogue or careless admin can do a lot of damage
    Proliferation – change control is still critical for a well-run virtual infrastructure
    Software licensing
    Orphaned VMs
    Data sprawl
    Security patching and offline VMs
    Legal search and seizure
    Capacity planning
    Excellent resource: Cloud Security Alliance
  • 9. In Summary
    SaaS and Public Cloud
    Read and understand the contract
    Do a thorough cost-benefit analysis
    Plan for the contingencies
    Trust but verify
    Private Cloud
    All current best practices apply to private clouds too
    Private clouds have some security characteristics which are superior to “raw metal” IT
    The majority of issues are operational – this is where to focus