Cloud Security: A matter of trust?

Your organisation’s data are now everywhere: on your servers and your desktop PCs; on your employees’ smart phones, tablet computers and laptops; on social networks; and in public clouds. Some of these data require special protection but they also need to be accessed remotely, which makes security a considerable challenge. Can you trust public clouds to keep your data safe and secure? Can you trust your own internal systems? And on what criteria and risk management strategies should you base your trust? -- Dr Mark Ian Williams's presentation at the April 2012 'Why Cloud? Why now?' conference at the headquarters of the Institute of Chartered Accountants in England and Wales.


1. Cloud security: A matter of trust?
   Dr Mark Ian Williams, CEO, Muon Consulting
2. I wandered lonely as a cloud...
   • The academic, globe-trotting years:
     • 1992–1993: Parallel software for PET scanner images in Geneva Hospital
     • 1993–1998: Particle Physics PhD research at CERN for Lancaster University
     • 1998: Senior Software Developer at SLAC, Stanford, USA
     • 1998–2000: RA for QMUL and webmaster for BaBar experiment at SLAC
   • The stepping stone:
     • 2000–2001: Business idea development as RSE/PPARC Enterprise Fellow
   • And down to business:
     • 2001–2005: Web developer and accessibility consultant as CEO of Surfability
     • 2005–2009: Managed Extrasys cloud computing business for NG Bailey
     • 2009–Present: Cloud consultant, author and CEO of Muon Consulting
3. Benefits of cloud computing
   • Pay-as-you-go IT, online and on-demand
   • Operational versus capital expenditure
   • Less time spent administering non-core commodity IT systems internally
   • Faster development and deployment of business applications
   • Data storage and compute resources scale seamlessly with your business
   • Faster entry to new markets using cloud-based software delivery and content distribution services, and online application marketplaces
   • Fewer hardware assets and software licenses to track
   • Always use the latest version of cloud-based software with no upgrade costs
   • Mobile services, online collaboration and remote access ‘out of the box’
4. Cloud computing concerns
   • Public clouds are multi-tenanted and therefore open to your competitors
   • Common business concerns include:
     • The inherent dependency upon internet access
     • The potential for vendor lock-in
     • Unexpected cloud service charges and internal costs
     • Contractual liability for services if SLAs are missed
   • But surveys consistently reveal that data security and data privacy in public clouds are the primary concerns for businesses
   • And data protection and data privacy are your organisation’s responsibility, not your cloud provider’s
5. Horror stories like this don’t help...
   • High profile cloud security breaches in 2011:
     • Sony: over a dozen data breaches affecting 100 million user records
     • Epsilon, a cloud-based email provider: an estimated 60 million customer email addresses breached
     • EMC’s RSA two-factor authentication system breached and SecurID data stolen, putting tens of thousands of their customers at risk
     Source: http://www.informationweek.com/news/security/attacks/232301079
   • But internal (non-cloud) networks can be breached too:
     • In a survey of USA-based SMBs, 40% claim to have suffered a security breach due to unsafe web surfing
     Source: http://www.gfi.com/page/97539
6. Security attack techniques
   • Public and/or private clouds create more targets for security attacks like this, and your employees hold the keys to your data:
     • Physical theft of unencrypted laptops that may have copies of data or have browsers with saved passwords for accessing web applications
     • Hacking servers to access unencrypted passwords (e.g. Sony)
     • Spear-phishing – targeted email spoofing fraud (e.g. Epsilon and RSA)
     • Social engineering attacks via social media and personal webmail to gain access to web-based systems
     • Exploits of web browser vulnerabilities and apps on mobile devices
     • Downloads of backdoor Trojans, keystroke loggers and other malware
7. Risk mitigation in and out of clouds
   • Minimise internal security breaches through education, user account management processes and security technologies such as two-factor authentication and identity federation (e.g. single sign-on)
   • Involve your IT and legal departments throughout your cloud adoption programme, and consult and engage other stakeholders too
   • Institute a strict device management regime and/or educate your employees how to use their devices securely
   • Avoid data protection litigation by storing only non-sensitive data in public clouds unless the cloud/s are a safer place for all your data
   • Reduce the risk of cloud security breaches by ensuring your providers have adequate controls verified by a reputable third party
8. Questioning cloud providers
   Cartoon by Dave Blazek - http://blog.shicloud.com/
9. Questions on systems and processes
   • Do the cloud provider’s systems satisfy your internal requirements for governance and compliance?
   • Do they follow any industry best practices for IT service management, such as the Information Technology Infrastructure Library (ITIL)?
   • Do they have independently audited internal controls of IT systems and processes to ISAE 3402 (successor to SAS 70) specifications?
   • Do they have ISO 27001 certification for their information security management system?
   • Do they have favourable independent and verifiable online reviews and client endorsements?
10. Questions on data security
   • Do your cloud providers support federated identity?
   • How are your data stored, backed up, encrypted and kept separate from other organisations’ data in the cloud?
   • How and when are security tests performed, especially during service updates?
   • How are the data centres secured physically?
   • Who, including system administrators, has access to your data, and how are they vetted?
   • How is data access controlled and logged?
   • What happens to your data if a service agreement is terminated or if the provider’s business fails?
11. Related data questions
   • Who owns the data you store on the provider’s servers?
   • Where are your data and backups stored geographically?
   • Where is the provider based?
   • Do they have controlled facilities for making automated and authorised backups to other clouds, including private clouds?
   • Do they have flexible data retention facilities for regulatory purposes?
   • What are their standard procedures for responding to government inquiries and legal investigations of their customers’ data, and the costs to be incurred by individual customers being investigated?
   • What assurances are there that your data will not be compromised or seized if another customer of theirs is being investigated?
   • What is the provider’s disaster recovery plan?
12. Cloud control
13. Top tips for cloud control
   • Classify your data in terms of sensitivity and business criticality and define roles and responsibilities for data protection
   • Document your security and privacy requirements with clouds in mind before entering public clouds
   • Extend your governance practices to cloud environments
   • Configure your cloud systems to meet your requirements
   • Consider compensating controls to work around any cloud security defects
   • Revisit security and privacy issues throughout the system lifecycle
   • Formulate an identity management system
14. More top tips for cloud control
   • Choose cloud providers with transparent and adequate security processes and request evidence that they have effectively provisioned your systems in line with your controls
   • Continually monitor and maintain your information systems, test their security and document your findings
   • Review your existing security measures to take into account the client side of cloud services – e.g. web browser vulnerabilities and applications on mobile devices
15. The future of cloud security
   • Further development and wider adoption of cloud security standards
   • More use of hybrid clouds, which combine public and private clouds
   • More use of virtual private clouds for sensitive data
   • Independent and standardised security audits so similar providers can be compared like for like
16. Who do you trust?
   • Renowned cloud providers?
     • The clouds of Amazon, Google, Microsoft and others have been hardened through surviving continual hacking attempts
     • Attract and employ the best security people
     • Have the best and most up-to-date security hardware and software
   • Your in-house IT?
     • Is your internal network a secure hosting environment for a private cloud exposed to multiple devices etc?
     • Do your people have the necessary competencies?
     • Is your hardware and software fit for purpose?
17. Further information
   • Online resources:
     • NIST: Guidelines on Security and Privacy in Public Cloud Computing
       http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494
     • Cloud Security Alliance guidance document
       https://cloudsecurityalliance.org/research/security-guidance/
   • ICAEW IT faculty guides:
     • ‘Cloud computing: A guide for business managers’, by Barnaby Page
     • ‘Making the move to cloud computing’, by yours truly
18. Conclusion
   • Cloud computing is a matter of trust
   • But trust can be earned by cloud providers, and you can manage and mitigate internal and external security risks
   • Many public cloud providers know what they are doing and some will have the right answers to your questions
   • There is a balance between the potential cost and productivity benefits of using public clouds versus the data security and privacy risks
   • Could your business create a more trustworthy private cloud?
   • Plan carefully with security in mind, and be vigilant, but don’t let the clouds pass by your window without taking a good look
19. Any questions?
   Cartoon by Dave Blazek - http://blog.shicloud.com/
   Contact me at miw@muon.co.uk