Cloud computing due diligence WTF?

BSidesLondon, 20th April 2011 - @Jimmy Blake
-----------------------------------------------------------------
The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks?
---- for more about Jimmy
jimmyblake.com

Transcript of "Cloud computing due diligence WTF?"

  1. Cloud Computing Due Diligence - WTF?
     Jimmy Blake @jimmyblake
     Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011

  2. Jimmy Who?
     • CSO for one of the UK's largest SaaS providers
     • Talking mainly from a SaaS perspective
     • Dozens of client risk assessments a month
     • ISO 27001 Lead Auditor
     • These are my opinions, not necessarily those of my employer

  3. Cloud Computing
     Don't make me APT your cyber-defences
     http://csrc.nist.gov/groups/SNS/cloud-computing/
     Essential Characteristics, Service Model, Deployment Model ...blah blah blah

  4. Businesses Are Moving to the Cloud
     Well governed organisations make decisions after consideration of risk

  5. Businesses Are Moving to the Cloud
     Well governed organisations make decisions after consideration of risk
     ...and we all know how many well governed organisations there are out there.

  6. Who Does the Due Diligence??
     • Understands security, not risk
     • Knows on-premise, not cloud
     • Still thinks he has a secure perimeter
     • Likes to be able to hug servers
     • He, and his toys, may be displaced by the solution

  7. The Cost of Due Diligence: Do The Math
     Average Due Diligence Questionnaire = 2 hours
     Average Audit = 6 man hours
     4,000 customers = 3,000 working days per annum
     ...and you want cost savings???

  8. Certification: ISO/IEC 27001:2005
     • Scope?
       • Very few scopes include production platforms
     • Is your acceptable risk < or > than the provider's?

  9. ISO 27001: What They Really Mean
     [Diagram: "Our On-Premise 27002 controls" side by side with "Cloud Provider's 27002 controls"]

  10. Certification: SAS 70 (soon SSAE 16)
      • Control Statements
      • Great for auditing against SOX 404 controls

  11. Getting Real
      How do you ensure physical access to your data centres is restricted to those who need it for a job function?
      By not having 100 customers a day walking through on audits...

  12. Getting Real
      "So I hope that answers your question on how we handle key rotation on our distributed filing system utilising AES 256-bit encryption? Can I ask how you do it at the moment?"
      The IT Manager backs up to tape and leaves the tapes in the back of his car overnight.
      "The tapes are encrypted, of course?" ....
      "Please tell me the car isn't left on his driveway overnight?" ....

  13. Turning the Tables
      RFP responses contain a lot of sensitive information
      • How do you classify completed RFP responses?
      • How many people have access to completed RFP responses?
      • How do you ensure access control and prevent leakage of completed RFP responses?
      • How do you dispose of printed copies of RFP responses?

  14. Industry Representation or Prospects?

  15. What We Need
      Software-as-a-Service is often about replacing specific on-premise solutions within the business

  16. What We Need
      Software-as-a-Service is often about replacing specific on-premise solutions within the business
      [Diagram: baseline "On-premise risk" compared with "Cloud Provider risk"]

  17. What We Need
      [Diagram: baseline "On-premise risk" compared with "Cloud Provider risk"]

  18. What We're Getting
      Great, now I've got 6 lots of audit and certification....

  19. A Final Plea
      Customers:
      • Baseline on your current risk exposure
      • Do your due diligence, but make it proportionate
      • If you want champagne, expect to pay for it
      Industry Bodies:
      • Come together for a unified standard of audit and assessment
      • Represent cloud customers and the service provider, not infrastructure vendors
      Cloud Providers:
      • Embrace transparency

  20. Cloud Computing Due Diligence - WTF?
      Jimmy Blake @jimmyblake
      http://jimmyblake.com