Sharing the Cloud

Sharing the Cloud by Glen Roberts, CISSP

Presented at CUISPA 2012 Conference in Austin, TX on 2/21/2012.

CUISPA (Credit Union Information Security Professionals Association) is a national association of credit union information technology professionals focused on improving security and risk management through cooperation.

Published in: Technology, Business
Transcript

  • 1. Sharing the Cloud
      Glen Roberts, CISSP
  • 2. About the Presenter
      * Glen Roberts, CISSP
      * IT Infrastructure Manager at UFCU
      * President at Cloud Security Alliance, Austin Chapter
  • 3. Agenda
      * Cloud Computing Overview
      * Cloud Benefits and Risks
      * Community Cloud Deployment Model
      * Case Study: 2nd Node
      * Foundational Issues
      * Abbreviated Risk Framework
      * Addressing Common Security Concerns
  • 4. Cloud Computing Definition
      A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (NIST: September, 2011)
  • 5. Cloud Computing Model
  • 6. Interactive Slide
      What are some of the benefits cloud computing can offer credit unions?
  • 7. Top 10 Cloud Benefits
      1. Faster implementation, ready to use, automation
      2. Access anywhere, on any device
      3. Reduced cost, pay for use
      4. Scalability, right-sized, flex up and down
      5. Collective benefits, GRC alignment, new functionality
      6. Improved productivity, shift focus to further innovate
      7. Integrated security and patching
      8. Leverage vendor expertise, economy of scale
      9. High performance, reliability, uptime
      10. Environment-friendly, computing efficiency
  • 8. Interactive Slide
      What risks might cloud computing expose a credit union to?
  • 9. Top 10 Cloud Risks
      1. Data loss, alteration, disclosure
      2. Unable to prove security of provider or solution
      3. Provider insider threat, insecure APIs, hypervisor flaws
      4. Multi-tenancy trust issues
      5. Account hijacking
      6. Regulatory problems, lack of forensics support
      7. Blurred responsibilities
      8. Internet/external network dependency
      9. Poor support, scalability issues
      10. Complexity, hidden costs
  • 10. Enter Community Clouds
      * Shared by several organizations
      * Supports a community with common interests
          * Business purpose
          * Standardization
          * GRC requirements: GLBA, NCUA
      * Many of the benefits of public cloud with less risk
      * Better cost savings than private cloud or traditional infrastructure
  • 11. What Community Offers
      * Transparency
      * Dependable SLAs
      * Clear roles & responsibilities
      * Shared improvements
      * Data sharing
  • 12. Cloud Service Brokerage
      * Cooperatively select vendors
      * Improved bargaining power as a collective
      * Shared cost of vendor solutions
      * Leverage shared integration with vendors
  • 13. Do More with Less
      * Reduce maintenance & operations costs
      * Share the expense of implementations
      * Free up staff to innovate for members
  • 14. Case Study: 2nd Node
      * Formed by UFCU and AFCU in 2009
      * CUSO
      * Second data center
      * Business Continuity/Disaster Recovery
  • 15. 2nd Node: Facility
      * Facility
      * SAS 70 Type II Facility
      * Working on SSAE 16 Type II
      * Generator, UPS, HVAC
      * Environmental security
  • 16. 2nd Node: Infrastructure
      * Utility pricing per cabinet:
      * Telecom
      * Internet connectivity – 100 Mbps
      * SAN
      * Separate LUNs, partitions
      * EqualLogic, Compellent
      * IDS/IPS
      * Individual consoles/customer
      * 2nd Node as the oracle
  • 17. 2nd Node: Cloud Services
      * Private clouds
      * SAN replication
      * System backups
      * Silver Peak network concentrators
      * Hosted failover (Symitar)
  • 18. Some Community Clouds
      * NYSE Capital Markets Community Platform
      * IBM Federal Community Cloud
      * G-Cloud
      * News Corporation NC3
  • 19. Foundational Issues
      * Many have tried and failed
      * Control issues vs. cooperation
      * Visibility of operations
      * Differing visions
      * Undefined SLAs
  • 20. Addressing Common Security Concerns
      * Security
          * Not necessarily more or less secure
          * Enormous potential to be more secure
          * Collaborate to implement controls
      * Standards gaps
          * Traditional standards still apply
          * NIST and CSA are helping accelerate catch-up
  • 21. Data Protection
      * What data needs to be protected?
      * Common options:
          * Encryption of data at rest and in motion
          * Tokenization
          * Sanitization, anonymization
          * Object security (SQL)
          * Hashing
  • 22. Abbreviated Risk Framework: Identify Assets
      * Identify potential assets to be moved to a community cloud
          * Infrastructure
          * Data
          * Applications
          * Functions/Processes
  • 23. Abbreviated Risk Framework: Community Cloud Risks
      * Assess DAD risks of moving assets to community cloud
      * What is the impact if the provider accesses the asset or if data goes public?
      * What is the impact if processes are manipulated or fail to function?
  • 24. Abbreviated Risk Framework: Community Cloud Requirements
      * Location
      * Identification of other tenants
      * Degree of control
      * Who manages assets and how
      * Security and compliance controls
  • 25. Abbreviated Risk Framework: Community Cloud Evaluation
      * Providers
      * Partners
      * Solutions
  • 26. Thanks!
      Glen Roberts
      groberts@ufcu.org
      (512) 966-3425
