Cloud computing due diligence WTF?

BSidesLondon 20th April 2011- @Jimmy Blake
-----------------------------------------------------------------
The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks?
---- for more about Jimmy
jimmyblake.com

Transcript

  • 1. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 2. Jimmy Who? • CSO for one of the UK’s largest SaaS providers • Talking mainly from a SaaS perspective • Dozens of client risk assessments a month • ISO 27001 Lead Auditor • These are my opinions, not necessarily those of my employer
  • 3. Cloud Computing Don’t make me APT your cyber-defences http://csrc.nist.gov/groups/SNS/cloud-computing/ Essential Characteristics • Service Model • Deployment Model ...blah blah blah
  • 4. Businesses Are Moving to the Cloud Well governed organisations make decisions after consideration of risk
  • 5. Businesses Are Moving to the Cloud Well governed organisations make decisions after consideration of risk ...and we all know how many well governed organisations there are out there.
  • 6. Who Does the Due Diligence?? • Understands security, not risk • Knows on-premise, not cloud • Still thinks he has a secure perimeter • Likes to be able to hug servers • He, and his toys, may be displaced by the solution
  • 7. The Cost of Due Diligence: Do The Math • Average Due Diligence Questionnaire = 2 hours • Average Audit = 6 man hours • 4,000 customers = 3,000 working days per annum ...and you want cost savings???
  • 8. Certification: ISO/IEC 27001:2005 • Scope? • Very few scopes include production platforms • Is your acceptable risk < or > than the provider’s?
  • 9. ISO 27001: What They Really Mean [diagram: Our On-Premise 27002 controls vs Cloud Provider’s 27002 controls]
  • 10. Certification: SAS 70 (soon SSAE 16) • Control Statements • Great for auditing against SOX 404 controls
  • 11. Getting Real How do you ensure physical access to your data centres is restricted to those who need it for a job function? By not having 100 customers a day walking through on audits...
  • 12. Getting Real “So I hope that answers your question on how we handle key rotation on our distributed filing system utilising AES 256-bit encryption? Can I ask how you do it at the moment?” “The IT Manager backs up to tape and leaves the tapes in the back of his car overnight.” “The tapes are encrypted, of course?” .... “Please tell me the car isn’t left on his driveway overnight?” ....
  • 13. Turning the Tables RFP responses contain a lot of sensitive information • How do you classify completed RFP responses? • How many people have access to completed RFP responses? • How do you ensure access control and prevent leakage of completed RFP responses? • How do you dispose of printed copies of RFP responses?
  • 14. Industry Representation or Prospects?
  • 15. What We Need Software-as-a-Service is often about replacing specific on-premise solutions within the business
  • 16. What We Need Software-as-a-Service is often about replacing specific on-premise solutions within the business [diagram: baseline → On-premise risk vs Cloud Provider risk]
  • 17. What We Need [diagram: baseline → On-premise risk vs Cloud Provider risk]
  • 18. What We’re Getting Great, now I’ve got 6 lots of audit and certification....
  • 19. A Final Plea Customers: • Baseline on your current risk exposure • Do your due diligence, but make it proportionate • If you want champagne, expect to pay for it Industry Bodies: • Come together for a unified standard of audit and assessment • Represent cloud customers and the service provider, not infrastructure vendors Cloud Providers: • Embrace transparency
  • 20. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake http://jimmyblake.com