Collaborative Contingency in the Cloud

Presented by Glen Roberts to the NCUA (National Credit Union Administration) and the OCCU (Office of Corporate Credit Unions) in Alexandria, VA on April 10, 2012.

Published in: Technology, Business

  1. Collaborative Contingency in the Cloud
     Glen Roberts, CISSP
  2. About the Presenter
       * Glen Roberts, CISSP
       * IT Infrastructure Manager at UFCU
       * President at Cloud Security Alliance, Austin Chapter
  3. Agenda
       * Cloud Computing Overview
       * Cloud Benefits and Risks
       * Myths and Reality of the Cloud
       * Community Clouds
       * What a CUSO Model Offers
       * CUSO Model Benefits
       * Case Study: 2nd Node
       * Foundational Issues
       * Abbreviated Risk Framework
       * Addressing Common Security Concerns
  4. Cloud Computing Definition
     A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (NIST: September, 2011)
  5. Cloud Computing Model [diagram]
  6. Interactive Slide
     What are some of the benefits cloud computing can offer credit unions?
  7. Top 10 Cloud Benefits
       1. Faster implementation, ready to use, automation
       2. Access anywhere, on any device
       3. Reduced cost, pay for use
       4. Scalability, right-sized, flex up and down
       5. Collective benefits, GRC alignment, new functionality
       6. Improved productivity, shift focus to further innovate
       7. Integrated security and patching
       8. Leverage vendor expertise, economy of scale
       9. High performance, reliability, uptime
       10. Environment-friendly, computing efficiency
  8. Interactive Slide
     What risks might cloud computing expose a credit union to?
  9. Top 10 Cloud Risks
       1. Data loss, alteration, disclosure
       2. Unable to prove security of provider or solution
       3. Provider insider threat, insecure APIs, hypervisor flaws
       4. Multi-tenancy trust issues
       5. Account hijacking
       6. Regulatory problems, lack of forensics support
       7. Blurred responsibilities
       8. Internet/external network dependency
       9. Poor support, scalability issues
       10. Complexity, hidden costs
  10. Myths and Reality of the Cloud
       * The cloud is just a fad
       * The cloud is less secure
       * The cloud is not compliant
       * Moving to the cloud is too challenging
       * Moving to the cloud is too costly
  11. Community Clouds
       * Shared by several organizations
       * Supports a community with common interests
           * Business purpose
           * Standardization
           * GRC requirements: GLBA, NCUA
       * Many of the benefits of public cloud with less risk
       * Better cost savings than private cloud or traditional infrastructure
  12. What a CUSO Model Offers
       * Trust
       * Transparency
       * Dependable SLAs
       * Clear roles & responsibilities
       * Shared improvements
       * Data sharing
  13. CUSO Model Benefits
       * Do more with less
       * Reduce maintenance & operations costs
       * Sharing of assets
       * Share the expense of implementations
       * Free up staff to innovate for members
  14. More CUSO Model Benefits
       * Cloud service brokerage
       * Cooperatively select vendors
       * Improved bargaining power as a collective
       * Shared cost of vendor solutions
       * Leverage shared integration with vendors
  15. Case Study: 2nd Node
       * Formed by UFCU and AFCU in 2009
       * CUSO
       * Second data center
       * Business Continuity/Disaster Recovery
  16. 2nd Node: Facility
       * Facility
       * SAS 70 Type II Facility
       * Working on SSAE 16 Type II
       * Generator, UPS, HVAC
       * Environmental security
  17. 2nd Node: Infrastructure
       * Utility pricing per cabinet:
       * Telecom
       * Internet connectivity – 100 mbps
       * SAN
       * Separate LUNs, partitions
       * EqualLogic, Compellent
       * IDS/IPS
       * Individual consoles/customer
       * 2nd Node as the oracle
  18. 2nd Node: Cloud Services
       * Private clouds
       * SAN replication
       * System backups
       * Silver Peak network concentrators
       * Hosted failover (Symitar)
  19. Foundational Issues
       * Many have tried and failed
       * Control issues vs. cooperation
       * Visibility of operations
       * Differing visions
       * Undefined SLAs
       * Security concerns
  20. Addressing Common Security Concerns
       * Security
           * Not necessarily more or less secure
           * Enormous potential to be more secure
           * Collaborate to implement controls
       * Standards gaps
           * Traditional standards still apply
           * NIST and CSA are helping accelerate catch-up
  21. Data Protection
       * What data needs to be protected?
       * Common options:
           * Encryption of data
           * Tokenization
           * Sanitization, anonymization
           * Object security
           * Hashing
  22. Abbreviated Risk Framework: Identify Assets
       * Identify potential assets to be moved to a community cloud
           * Infrastructure
           * Data
           * Applications
           * Functions/Processes
  23. Abbreviated Risk Framework: Community Cloud Risks
       * Assess DAD risks of moving assets to community cloud
       * What is the impact if the provider accesses the asset or if data goes public?
       * What is the impact if processes are manipulated or fail to function?
  24. Abbreviated Risk Framework: Community Cloud Requirements
       * Location
       * Identification of other tenants
       * Degree of control
       * Who manages assets and how
       * Security and compliance controls
  25. Abbreviated Risk Framework: Community Cloud Evaluation
       * Providers
       * Partners
       * Solutions
  26. Thanks!
     Glen Roberts
     groberts@ufcu.org
     (512) 966-3425