Cloud Security Strategy

Understanding and evaluating the real risks in the cloud

By Lee Newcombe
Infrastructure Services


  1. Cloud security strategy: understanding and evaluating the real risks in the cloud
     Lee Newcombe (lee.newcombe@capgemini.com), Infrastructure Services, November 2012
  2. Session Agenda
     Introduction: 5 minutes
     Presentation: 15 minutes – "Securing Cloud Services"
     Facilitated Round Table Discussions: 20 minutes
       • What are the genuine security issues that hold back Cloud adoption?
       • Are services in the cloud less secure than those on-premise?
       • How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
       • What is the best way to manage security in a world of self-service IT, mobile devices and social media?
     Sharing of outcomes from Discussions: 20 minutes
     12th Cloud Circle Forum. Copyright © Capgemini 2012. All Rights Reserved.
  3. Agenda
     • Introduction
     • Establishing a common point of view
     • Cloud Threats – who may attack your services?
     • Cloud Risks. And Benefits?
     • An approach to secure adoption of cloud services
     • Conclusions
  4. The questions you asked…
     • What are the genuine security issues that hold back Cloud adoption?
     • Where do the main security threats come from and where should you focus your attention?
     • Are services in the cloud less secure than those on-premise?
     • How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
     • Eliminating the human security risk: educating your workforce
     • What is the best way to manage security in a world of self-service IT, mobile devices and social media?
     • How do emerging social business technologies complicate security strategies?
  5. The ones I will tackle!
     • What are the genuine security issues that hold back Cloud adoption?
     • Where do the main security threats come from and where should you focus your attention?
     • Are services in the cloud less secure than those on-premise?
     • How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
     • Eliminating the human security risk: educating your workforce
     • What is the best way to manage security in a world of self-service IT, mobile devices and social media?
     • How do emerging social business technologies complicate security strategies?
  7. Cloud Computing – NIST
     Cloud Computing: "…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…"
     Essential Characteristics of Cloud Computing:
     • On-demand self-service
     • Broad network access
     • Resource pooling
     • Rapid elasticity; and
     • Measured service.
     csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
  8. Service Models (diagram)
  9. NIST Deployment Models and Jericho Cloud Cube
     Model – Strengths / Weaknesses:
     • Public – Strengths: agile, cost-effective; "illusion of infinite resource". Weaknesses: multi-tenant; data residency; assurance; standard contracts.
     • Private – Strengths: dedicated use; assurance; scope to negotiate SLAs etc. Weaknesses: expensive cf. Public; no "illusion of infinite resource".
     • Community – Strengths: designed for a specific, shared set of security requirements. Weaknesses: difficult to govern; need to manage all stakeholders.
     • Hybrid – Strengths: "best of breed" suppliers can be switched in and out. Weaknesses: "weakest link"; must cater for security issues across ALL suppliers.
     The Jericho Forum® Cloud Cube Model represents an alternative mechanism to represent deployment models.
     http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
  11. "Where do the main security threats come from and where should you focus your attention?" -> Cloud Threats
  13. "What are the genuine security issues that hold back Cloud adoption?" -> Cloud Risks
     • Compliance
     • Multi-tenancy
     • Assurance
     • Supply chain – cloud, on cloud, on cloud, on…
     • Lock-in
     • Standard Terms and Conditions
  14. "Are services in the cloud less secure than those on-premise?" -> Cloud Benefits?
     • Cost-effective datacentre security
     • Improved resilience
     • More efficient security patching
     • Improved security expertise, including application-specific expertise, at the centre
     • Cloud data storage and sharing vs removable media
     • Encourages adoption of Jericho principles
  16. "What is the best way to manage security in a world of self-service IT, mobile devices and social media?" -> Security Architecture
     "The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution"
     Adapted from: ISO/IEC 42010:2007
  17. Security Reference Model (diagram)
  18. Modelling Different Delivery Responsibilities
     The delivery responsibilities for the security services shift from the consumer to the provider as you move from IaaS to SaaS.
     Interfaces between consumer and provider present a risk of gaps in capability and of poor, missing or mistaken communication between provider and consumer.
  19. Procurement / Usage (diagram)
  21. Conclusions
     • All delivery models are unique. Cloud computing models have unique security challenges. So do other delivery models, including on-premise and traditional outsourcing.
     • Cloud is an evolution, not a revolution.
     • The threat actors remain mostly the same, cloud or on-premise.
     • The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud; however:
       • increased sharing of resources due to multi-tenancy introduces new attack surfaces
       • assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc)
     • A security architecture approach can help to enable cloud adoption.
       • Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.
       • Architecture methodologies help to identify the security services required from a Provider.
       • Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer.
       • Architecture helps to inform service procurement.
  22. Conclusions
     • What are the genuine security issues that hold back Cloud adoption? – Compliance; Assurance.
     • Where do the main security threats come from and where should you focus your attention? – The usual…
     • Are services in the cloud less secure than those on-premise? – It depends!
     • How much of the threat is human (malicious or accidental), and how much IT, devices and hardware? – Confidentiality? Human. Availability? Mixture.
     • What is the best way to manage security in a world of self-service IT, mobile devices and social media? – Adopt an architectural approach.
  24. About Capgemini
     With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion.
     Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.
     www.capgemini.com
     The information contained in this presentation is proprietary. Rightshore® is a trademark belonging to Capgemini. © 2012 Capgemini. All rights reserved.
