The security of SAAS and private cloud
Ian Farquhar from RSA shares his slides on the security aspects of cloud computing
    Presentation Transcript

    • Security of SaaS and Private Cloud: Considerations for CFOs
      Ian Farquhar
      Advisory Technology Consultant
    • Profile: Ian Farquhar
      RSA, The Security Division of EMC (2008-Present)
      Cisco Systems (2004-2008)
      Sun Microsystems (1999-2004)
      Silicon Graphics/Cray Research (1994-1999)
      Macquarie University Department of Research Electronics (1993-1994)
      Macquarie University Office of Computing Services (1988-1993)
      Twenty years of experience in computer and information security
      Technology Evangelist for RSA
      RSA specialist for ANZ in:
      Data Loss Prevention
      Security evaluation
    • Definitions: Public vs. Private Cloud
      According to Gartner:
      The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated.
      The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure.
      Or... (from the RSA Conference):
      A private cloud is inside the firewall, a public cloud is outside.
      Security CIA:
      Confidentiality, Integrity and Availability
    • Definition: Software-as-a-Service (SaaS)
      SaaS is the provision of software in a services model.
      Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics.
      Other *aaS acronyms:
      PaaS: Platform-as-a-Service
      IaaS: Infrastructure-as-a-Service
      SaaS and PaaS are not really new concepts
      Mainframe-era “Bureau Services” were just SaaS or PaaS
      Even virtualization is not new: IBM/VM circa 1969
    • Issues to Consider: SaaS (and Public Cloud)
      Legal issues
      If it isn’t in the contract, it should be
      What are the service level agreements? How are they measured?
      Do they match your expectations? What is the dispute process?
      Who owns your data?
      Where is it processed?
      Where is the DR site?
      Where is it replicated?
      Jurisdictional issues
      Data location (compliance)
      Legal issues (e.g. US Patriot Act)
      Legal search and seizure considerations
      SaaS provider closure or acquisition
      What legal rights do you have?
      If you can access the data, in what form? (and don’t forget the backups)
      How quickly could you migrate this business function?
    • Issues to Consider: SaaS (and Public Cloud)
      Provider Terminating Contract
      How much notice do you get?
      Do you have any right of appeal?
      Can they terminate your service and leave you without access to “your” data?
      “The Forced March”
      Will upgrades at the SaaS provider introduce unexpected work (cost)?
      Forced up-sell due to discontinuation of an older version
      How much notice do you get?
      What guarantees are in the contract?
      Connectivity and Performance Issues
      SaaS makes your business dependent on Internet access
      Don’t forget the SLAs from your ISP or carrier
      How would your business cope with a network outage?
      Don’t forget to factor in the cost of network management
      Is your network traffic protected in transit? (SSL issues.)
    • Issues to Consider: SaaS (and Public Cloud)
      If you find you need expertise above basic support, where does it come from and how much does it cost?
      Generic “Security” Issues
      Endpoint security still is critical
      What is the SaaS provider’s security posture?
      How do they authenticate users?
      What guarantees do you have that the SaaS provider is implementing best practice?
      Who can access your data? (Separation).
      How is the service funded? (Not applicable for “pay as you go”.)
      Fundamentally, HOW DO YOU KNOW?
    • Issues to Consider: Private Cloud
      Most of the security issues with Private Cloud are not new
      Some security features are better on private cloud than on raw hardware (e.g. DR)
      Limiting this to private-cloud specific issues
      All best IT practice applies similarly to private cloud, as it does to existing IT infrastructure
      Private cloud is fundamentally about increasing efficiency
      Network infrastructure and design
      Administrative access – a rogue or careless admin can do a lot of damage
      Proliferation – change control is still critical for a well-run virtual infrastructure
      Software licensing
      Orphaned VMs
      Data sprawl
      Security patching and offline VMs
      Legal search and seizure
      Capacity planning
      Excellent resource: Cloud Security Alliance
    • In Summary
      SaaS and Public Cloud
      Read and understand the contract
      Do a thorough cost-benefit analysis
      Plan for the contingencies
      Trust but verify
      Private Cloud
      All current best practices apply to private clouds too
      Private clouds have some security characteristics which are superior to “raw metal” IT
      The majority of issues are operational – this is where to focus