Collaborative Contingency in the Cloud Glen Roberts, CISSP
About the Presenter * Glen Roberts, CISSP * IT Infrastructure Manager at UFCU * President at Cloud Security Alliance, Austin Chapter
Agenda * Cloud Computing Overview * Cloud Beneﬁts and Risks * Myths and Reality of the Cloud * Community Clouds * What a CUSO Model Oﬀers * CUSO Model Beneﬁts * Case Study: 2nd Node * Foundational Issues * Abbreviated Risk Framework * Addressing Common Security Concerns
Cloud Computing Deﬁnition A model for enabling ubiquitous, convenient, on-‐demand network access to a shared pool of conﬁgurable computing resources (NIST: September, 2011)
Interactive Slide What are some of the beneﬁts cloud computing can oﬀer credit unions?
Top 10 Cloud Beneﬁts 1. Faster implementation, ready to use, automation 2. Access anywhere, on any device 3. Reduced cost, pay for use 4. Scalability, right-‐sized, ﬂex up and down 5. Collective beneﬁts, GRC alignment, new functionality 6. Improved productivity, shift focus to further innovate 7. Integrated security and patching 8. Leverage vendor expertise, economy of scale 9. High performance, reliability, uptime 10. Environment-‐friendly, computing eﬃciency
Interactive Slide What risks might cloud computing expose a credit union to?
Top 10 Cloud Risks 1. Data loss, alteration, disclosure 2. Unable to prove security of provider or solution 3. Provider insider threat, insecure APIs, hypervisor ﬂaws 4. Multi-‐tenancy trust issues 5. Account hijacking 6. Regulatory problems, lack of forensics support 7. Blurred responsibilities 8. Internet/external network dependency 9. Poor support, scalability issues 10. Complexity, hidden costs
Myths and Reality of the Cloud * The cloud is just a fad * The cloud is less secure * The cloud is not compliant * Moving to the cloud is too challenging * Moving to the cloud is too costly
Community Clouds * Shared by several organizations * Supports a community with common interests * Business purpose * Standardization * GRC requirements: GLBA, NCUA * Many of the beneﬁts of public cloud with less risk * Better cost savings than private cloud or traditional infrastructure
What a CUSO Model Oﬀers * Trust * Transparency * Dependable SLAs * Clear roles & responsibilities * Shared improvements * Data sharing
CUSO Model Beneﬁts * Do more with less * Reduce maintenance & operations costs * Sharing of assets * Share the expense of implementations * Free up staﬀ to innovate for members
More CUSO Model Beneﬁts * Cloud service brokerage * Cooperatively select vendors * Improved bargaining power as a collective * Shared cost of vendor solutions * Leverage shared integration with vendors
Case Study: 2nd Node * Formed by UFCU and AFCU in 2009 * CUSO * Second data center * Business Continuity/Disaster Recovery
2nd Node: Facility * Facility * SAS 70 Type II Facility * Working on SSAE 16 Type II * Generator, UPS, HVAC * Environmental security
2nd Node: Infrastructure * Utility pricing per cabinet: * Telecom * Internet connectivity – 100 mbps * SAN * Separate LUNS, partitions * EqualLogic, Compellent * IDS/IPS * Individual consoles/customer * 2nd Node as the oracle
Foundational Issues * Many have tried and failed * Control issues vs. cooperation * Visibility of operations * Diﬀering visions * Undeﬁned SLAs * Security concerns
Addressing Common Security Concerns * Security * Not necessarily more or less secure * Enormous potential to be more secure * Collaborate to implement controls * Standards gaps * Traditional standards still apply * NIST and CSA are helping accelerate catch-‐up
Data Protection * What data needs to be protected? * Common options: * Encryption of data * Tokenization * Sanitization, anonymization * Object security * Hashing
Abbreviated Risk Framework: Identify Assets * Identify potential assets to be moved to a community cloud * Infrastructure * Data * Applications * Functions/Processes
Abbreviated Risk Framework: Community Cloud Risks * Assess DAD risks of moving assets to community cloud * What is the impact if the provider accesses the asset or if data goes public? * What is the impact if processes are manipulated or fail to function?
Abbreviated Risk Framework: Community Cloud Requirements * Location * Identiﬁcation of other tenants * Degree of control * Who manages assets and how * Security and compliance controls