Peering Through the Cloud Forrester EMEA 2010
A detailed conversation on the cloud, including risks, benefits and recommendations for enterprise use.

    Presentation Transcript

    • Peering Through the Cloud. Presented to Forrester's Security Forum EMEA 2010 by Gray Williams
    • Introduction: Gray Williams, biography – TATA Communications (GM & Sr Dir PLM; 2006 to present) – KillPhish (Founder) – Cybertrust (Dir Product Management) – SafeNet (VP/Dir Product Management & Marketing) – INS/Lucent Technologies (Sales & Business Development) – AT&T (Sales NAM)
    • The Business: the Pro-Cloud Crowd; the Anti-Cloud HW/SW crowd; assorted CSOs. "…the soothing light at the end of the tunnel… is it just a freight train comin' your way?" - Metallica
    • Framing the Debate (diagram slide; recoverable labels only): SECURITY, RISK, CONTROL?; Confidentiality, Integrity, Availability; the APT; Business, IT/DC; CNA; Efficiency, Economics, Effectiveness, Cost, Legal, Agility, Technical; What it is / Why it is; CLOUD: Private, Public, SOA, VM, *aaS, Compliance; NIST, ENISA, Jericho Forum, CloudAudit/A6, Cloud Security Alliance; Today / Tomorrow?; Billions $$ at stake
    • "A model for enabling convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction." - NIST, Oct 2009
      1. Illusion of infinite, on-demand resources 2. No upfront capex commit 3. Pay for what you need, as you go - Above the Clouds: A Berkeley View of Cloud Computing, Feb 2009
      "Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building" - Tim O'Reilly
    • Enterprise: Slow Adoption
      – Want ROI on existing investment & time invested making IT a trusted resource
      – 53% fail to see how cloud can save them money
      – 57% surveyed said they were not happy to run applications and store data on servers outside their country for security reasons
      – 21% think that doing business in the cloud is not a security concern
      – 53% are concerned about IP being stored in a public cloud because of potential security breaches
      – 44% believe they deal with information that is so sensitive it could never be stored in the cloud
      Source: BT's Enterprise Intelligence survey
      Sidebar: Single tenancy / Multi-tenancy; Isolated data / Co-mingled data; Dedicated security / Socialist security; On-premise / Off-premise
    • The overall risk profile for cloud compute has not yet come into full view
    • "Cloud Computing is great™… until it isn't." Source: Me
    • CLOUD SECURITY ISSUES ARE REAL
      Traditional Security Issues: 1. Shared Tech - VM Attacks 2. Provider Vulnerabilities 3. Phishing Provider 4. Expanded Network Attack Surface 5. Authentication & Authorization 6. Forensics
      Availability: 1. Uptime 2. Single Point of Failure 3. Integrity assurance
      New Challenges: 1. Privacy 2. Nefarious Use (DDoS, Malware) 3. Effective Authentication 4. Authorization (mashup)
      3rd-party Control: 1. Due Diligence 2. Audit (Geo-Regulated Data) 3. Contractual Obligations 4. Espionage 5. Data Lock-In 6. Transitive (Subcontractors)
      Source: Controlling Data in the Cloud, Nov 2009
    • % of 62 real-world UK breaches at various levels of PCI-DSS compliance (chart slide). Source: 7Safe Breach Report, Jan 2010
    • INTERNAL IT SECURITY IS CRASHING & BURNING. ISSUES ARE REAL. 120 of 600 surveyed had been victimized by attacks similar to those on Google; 66% said the attacks had harmed company operations; 54% said their company had been the subject of infiltration in the last 2 yrs; 24% expect a major cybersecurity incident in the next year. - McAfee, Critical Infrastructure in the Age of Cyberwar, Feb 2010
    • Top Objections: Public vs Private: 1. Security 2. Availability 3. Performance 4. CONTROL. Source: IDC
    • Public cloud providers can't have their cake and eat it too… Must Have: • Sufficient Security Defenses • Sufficient Monitoring • Adequate Support • Transparency
    • Private Cloud Top 3 Objectives: 1. Preserving confidentiality, integrity and availability 2. Maintaining appropriate levels of identity and access control 3. Ensuring appropriate audit and compliance capability
    • Recommendations
      GENERAL: Create policy on acceptable use
      SPECIFIC:
      • Identify candidate data/processes/functions
      • Perform risk assessment on each asset
        – Explore legal, regulatory and audit issues first
        – Conduct 3rd-party internal/external vulnerability assessment (VA) and audit
        – Explore geo-location-specific offerings
        – Demand full subcontracting disclosures, a detailed security framework and DR procedures for the whole ecosystem (partner chain)
      • Map findings to potential deployment models & vendors
      • Standard risk and governance controls apply (ISO 27001/2 and BS 25999; NIST SP 800-70/60/53/37/30/18; FIPS 199/200)
    • What if…
      • the asset became widely public and widely distributed?
      • the process or function were manipulated by an outsider?
      • the process or function failed to provide expected results?
      • the information/data were unexpectedly changed?
      • the asset were unavailable for a period of time?
      • we could not satisfy regulatory/compliance requirements?
      Source: Cloud Security Alliance
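One way to turn the recommendations and the six CSA "what if" questions above into a per-asset placement decision, as an added worked example that is not code from the presentation or from the Cloud Security Alliance: each question is scored 0 (no impact) to 3 (severe), the worst score per property (confidentiality, integrity, availability, compliance) picks the deployment model, and the legal findings the recommendations say to explore first (in-country data residency, an undisclosed subcontracting chain) override the score. The 0..3 scale, the question-to-property mapping, the three deployment models, the thresholds and the sample inventory are all assumptions made for illustration.

```python
"""Per-asset cloud placement triage built on the CSA "What if…" questions.

Added example; not code from the presentation or from the Cloud Security
Alliance.  The six questions are the slide's.  The 0..3 impact scale, the
property mapping, the three deployment models, the decision thresholds and
the sample assets are assumptions made for illustration.
"""
from dataclasses import dataclass

# The six CSA questions from the slide, keyed for scoring.
QUESTIONS = {
    "disclosed":    "asset became widely public and widely distributed",
    "manipulated":  "process or function was manipulated by an outsider",
    "wrong_result": "process or function failed to provide expected results",
    "altered":      "information/data was unexpectedly changed",
    "unavailable":  "asset was unavailable for a period of time",
    "noncompliant": "regulatory/compliance requirements could not be satisfied",
}

# Assumed mapping of each question onto the property it stresses.
PROPERTY_OF = {
    "disclosed": "confidentiality",
    "manipulated": "integrity",
    "wrong_result": "integrity",
    "altered": "integrity",
    "unavailable": "availability",
    "noncompliant": "compliance",
}

# Deployment models along the slide's tenancy and on/off-premise axes (assumed set).
MULTI_TENANT = "public cloud, multi-tenant"
SINGLE_TENANT = "public cloud, single-tenant / isolated data"
PRIVATE = "private cloud or on-premise"
DEFER = "defer: due diligence incomplete"


@dataclass
class Asset:
    name: str
    impact: dict                               # question key -> 0 (none) .. 3 (severe)
    data_must_stay_in_country: bool = False    # finding from the legal/regulatory review
    subcontractors_disclosed: bool = True      # provider answered the partner-chain question


def validate(asset):
    """Refuse to score an asset until every question has a 0..3 answer."""
    missing = set(QUESTIONS) - set(asset.impact)
    if missing:
        raise ValueError(f"{asset.name}: unanswered questions {sorted(missing)}")
    bad = {q: s for q, s in asset.impact.items() if s not in (0, 1, 2, 3)}
    if bad:
        raise ValueError(f"{asset.name}: scores must be 0..3, got {bad}")


def worst_by_property(asset):
    """Highest impact score seen for each property."""
    worst = {p: 0 for p in PROPERTY_OF.values()}
    for q, score in asset.impact.items():
        prop = PROPERTY_OF[q]
        worst[prop] = max(worst[prop], score)
    return worst


def recommend(asset):
    """Return (deployment model, reasons). Legal findings override the score."""
    validate(asset)
    if not asset.subcontractors_disclosed:
        return DEFER, ["provider has not disclosed its subcontracting chain"]
    worst = worst_by_property(asset)
    peak = max(worst.values())
    reasons = [f"{QUESTIONS[q]} (score {s})"
               for q, s in asset.impact.items() if s == peak and s > 0]
    if worst["confidentiality"] == 3 or worst["compliance"] == 3:
        model = PRIVATE        # co-mingled data is the one thing a contract cannot undo
    elif peak == 3:
        model = SINGLE_TENANT  # integrity/availability can be contracted and tested for
        reasons.append("severe integrity/availability impact: require DR procedures and an SLA")
    elif peak == 2:
        model = SINGLE_TENANT
    else:
        model = MULTI_TENANT
    if asset.data_must_stay_in_country and model != PRIVATE:
        reasons.append("data must stay in-country: only geo-location-specific offerings qualify")
    return model, reasons


# Constructed sample inventory for illustration, not assets from the deck.
SAMPLE_ASSETS = [
    Asset("scanned news archive (already public)",
          {"disclosed": 0, "manipulated": 1, "wrong_result": 1, "altered": 1, "unavailable": 1, "noncompliant": 0}),
    Asset("customer CRM",
          {"disclosed": 2, "manipulated": 2, "wrong_result": 1, "altered": 2, "unavailable": 2, "noncompliant": 2},
          data_must_stay_in_country=True),
    Asset("cardholder data store",
          {"disclosed": 3, "manipulated": 3, "wrong_result": 2, "altered": 3, "unavailable": 2, "noncompliant": 3},
          data_must_stay_in_country=True),
    Asset("batch PDF conversion pipeline",
          {"disclosed": 0, "manipulated": 3, "wrong_result": 3, "altered": 2, "unavailable": 1, "noncompliant": 0}),
    Asset("hosted mail from vendor with undisclosed partners",
          {"disclosed": 2, "manipulated": 1, "wrong_result": 1, "altered": 1, "unavailable": 2, "noncompliant": 1},
          subcontractors_disclosed=False),
]


def triage(assets):
    """Map each asset name to its (model, reasons) decision."""
    return {a.name: recommend(a) for a in assets}


if __name__ == "__main__":
    for name, (model, reasons) in triage(SAMPLE_ASSETS).items():
        print(f"{name}: {model}")
        for r in reasons:
            print("    -", r)
```

The point of the override order is the slide's own: legal and regulatory findings come before the impact score, so an asset with a modest score still cannot land in a generic public region if the data must stay in-country, and no placement is made at all until the provider's partner chain is on the table. Replace the thresholds with the organisation's existing classification scheme rather than tuning these.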
    • Recommended Reading (image slide)
    • Special Thanks • Chris Hoff • PARC: Richard Chow, Philippe Golle, Markus Jakobsson, Ryusuke Masuoka, Jesus Molina; Fujitsu: Elaine Shi, Jessica Staddon • Lisa J. Sotto, Bridget C. Treacy, Melinda L. McLellan, Hunton & Williams • Andrew Becherer, Alex Stamos, Nathan Wilcox, iSEC Partners • David Linthicum • Paul Murphy • Peter Mell, Tim Grance, NIST • Prof Carsten Maple, Univ Bedfordshire • Alan Phillips, Ben Morris, 7Safe • Gunnar Peterson • Joel Dubin, CISSP • Richard Bejtlich • ENISA • Cloud Security Forum. Source: Chris Hoff
    • Thank you. Contact: Gray Williams
    • Back-up Slides & other DVD extras
    • TCO to Public Cloud: 2.4 GHz Xeon dual core, 16 GB RAM, 140 GB HD, Windows Pro plus install/support
                                                      Capex     Finance   Public Cloud
      Capex                                           $3,589
      Cost of capital                                 12%
      Term in months                                  48        48
      Cost MRC                                        $98       $98
      Management & Power:
        $100k per admin, 100 servers                  $83       $83
        (Watts × hrs used / 1000) × cost per kWh      $18       $18
      TOTAL Monthly Cost                              $200      $199      $54
      100% utilization during biz hrs                 160       160       160
      Hourly Recurring Charge                         $1.25     $1.25     $0.34
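The slide's arithmetic carried through, as an added example that is not code from the original deck: the owned server's monthly cost is the amortised capex plus the admin and power lines, the cloud column scales with hours consumed, and the number the slide does not show is the utilisation at which the two cross. The slide's own figures are used where it states them (capex, cost of capital, term, $100k per admin across 100 servers, 160 business hours, $0.34/hour); the server's wattage (250 W), the electricity tariff ($0.10/kWh), keeping the box powered 24x7, and the standard annuity formula for the financed capex are assumptions.

```python
"""Utilisation-sensitive version of the deck's 'TCO to Public Cloud' slide.

Added example; not code from the original presentation.  Figures the slide
states are used as given.  The server's wattage, the electricity tariff,
powering the box 24x7 and the annuity convention are assumptions.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 720.0   # 30 days x 24 h: an owned box draws power whether busy or not (assumed)
BUSINESS_HOURS = 160.0    # the slide's "100% utilization during biz hrs"
CLOUD_HOURLY = 0.34       # the slide's public-cloud hourly recurring charge


@dataclass
class OnPremServer:
    capex: float = 3589.0            # slide: 2.4 GHz Xeon dual core, 16 GB RAM, 140 GB HD, Windows
    annual_rate: float = 0.12        # slide: cost of capital
    term_months: int = 48            # slide: term in months
    admin_salary: float = 100_000.0  # slide: $100k per admin ...
    servers_per_admin: int = 100     # ... managing 100 servers
    watts: float = 250.0             # assumed draw
    price_per_kwh: float = 0.10      # assumed tariff


def amortised_monthly(capex, annual_rate, term_months):
    """Standard annuity payment on the financed capex (assumed convention).

    The slide shows $98 for this line but does not state the financing
    convention it used; the textbook formula lands a few dollars lower.
    """
    r = annual_rate / 12
    return capex * r / (1 - (1 + r) ** -term_months)


def management_monthly(s):
    """Admin cost spread across the servers one admin looks after."""
    return s.admin_salary / s.servers_per_admin / 12


def power_monthly(s, powered_hours=HOURS_PER_MONTH):
    """Slide formula: (Watts * hrs / 1000) * cost per kWh."""
    return s.watts * powered_hours / 1000 * s.price_per_kwh


def on_prem_monthly(s):
    """Fixed monthly cost of owning the box, independent of how much it is used."""
    return (amortised_monthly(s.capex, s.annual_rate, s.term_months)
            + management_monthly(s) + power_monthly(s))


def on_prem_hourly(s, used_hours):
    """What each busy hour really costs once the fixed cost is spread over usage."""
    return on_prem_monthly(s) / used_hours


def cloud_monthly(used_hours, hourly_rate=CLOUD_HOURLY):
    """Pay-as-you-go: cost scales with the hours actually consumed."""
    return used_hours * hourly_rate


def break_even_hours(s, hourly_rate=CLOUD_HOURLY):
    """Usage per month above which the owned server becomes the cheaper option."""
    return on_prem_monthly(s) / hourly_rate


if __name__ == "__main__":
    s = OnPremServer()
    print(f"{'hours/month':>12} {'on-prem $/h':>12} {'cloud $/month':>14} {'on-prem $/month':>16}")
    for hours in (BUSINESS_HOURS, 360.0, HOURS_PER_MONTH):
        print(f"{hours:>12.0f} {on_prem_hourly(s, hours):>12.2f} "
              f"{cloud_monthly(hours):>14.2f} {on_prem_monthly(s):>16.2f}")
    print(f"break-even: {break_even_hours(s):.0f} hours/month")
```

At the slide's 160 business hours the cloud column wins by a wide margin, but the owned box costs the same whether it runs 160 hours or 720, so a workload that is genuinely busy around the clock crosses back over at roughly 576 hours a month with these inputs. The comparison is only as good as the utilisation assumption, which is the line to challenge in any vendor TCO.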
    • In Conclusion
      • This is actually something to be really happy about; people who would not ordinarily think about security are doing so
      • While we're scrambling to adapt, we're turning over rocks and shining lights in dark crevices
      • Sure, Bad Things™ will happen
      • But Really Smart People™ are engaging in meaningful dialog & starting to work on solutions
      • You'll find that much of what you have works… perhaps just differently; setting expectations is critical
    • • Adopt a risk assessment methodology. Classify assets and data and segment.
      • Interrogate providers; use the same diligence as for outsourced services and focus on resilience/recovery, SLAs, confidentiality, privacy and segmentation
      • Match both business and security requirements against the various delivery models and define the gaps
    • Who has Control? (image slide)
    • Services likely to be outsourced
      1. Lack of standards. All clouds are different. Each one must be investigated and analyzed to understand its capabilities and weaknesses. The technical basis for digital trust must be created for each cloud.
      2. Lack of portability. Every cloud creates its own processing climate. Any digital trust obtained by one cloud environment does not transfer to any other.
      3. Lack of transparency. All clouds are opaque. Neither technology nor process is easily visible. It is almost impossible to generate digital trust when transparency is absent.
      Source: ENISA
    • Business Drivers (chart slide). Source: ENISA
    • Issues (chart slide). Source: ENISA
    • SMB vs Enterprise: Case Studies
    • NASDAQ and the New York Times
      • New York Times
        – Didn't coordinate with Amazon, used a credit card!
        – Used EC2 and S3 to convert 15M scanned news articles to PDF (4 TB of data)
        – Took 100 Linux computers 24 hours (would have taken months on NYT computers)
        – "It was cheap experimentation, and the learning curve isn't steep." – Derek Gottfrid, New York Times
      • Nasdaq
        – Uses S3 to deliver historic stock and fund information
        – Millions of files showing price changes over 10-minute segments
        – "The expenses of keeping all that data online [in Nasdaq servers] was too high." – Claude Courbois, Nasdaq VP
        – Created a lightweight Adobe AIR application to let users view data
    • Government Use of Public Cloud
      • 5,000+ public sector and nonprofit customers use Salesforce
      • President Obama's Citizen's Briefing Book, based on the Ideas application – Concept to live in three weeks – 134,077 registered users – 1.4M votes – 52,015 ideas – Peak traffic of 149 hits per second
      • US Census Bureau uses a cloud application – Project implemented in under 12 weeks – 2,500+ partnership agents use it for the 2010 decennial census – Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure
    • "Cyber crime isn't conducted by 15-year-olds experimenting with viruses." "Well-funded… pursued by professionals with deep financial and technical resources, often with government toleration if not outright support." "Responsible for billions of dollars in losses… it is growing and becoming more capable." Source: Eugene Spafford, Purdue; "CyberWarriors", The Atlantic, March 2010
    • "More than 40 states have developed IO doctrines or capabilities…" and this… "Militaries now have the capability to launch damaging cyber attacks against critical infrastructure, but serious cyber attack independent of a larger military conflict is unlikely." - CSIS, America's failure to protect cyberspace, 2008
    • "…but the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business-versus-business spying." "A shortcut on the 'D' of R&D" - CyberWarriors, The Atlantic, March 2010
    • New Issues, Same Governance (image slide)
    • Environment (chart slide). Source: 7Safe Breach Report, Jan 2010
    • Attack Sophistication (chart slide)
    • Government Use of Public Cloud
      • New Jersey Transit wins InfoWorld 100 award for its cloud computing project – Used to run their call center, incident management, complaint tracking and service portal – 600% more inquiries handled – 0 new agents required – 36% improved response time
      • U.S. Army uses Salesforce CRM for cloud-based recruiting – The Army needed a new tool to track potential recruits who visited its Army Experience Center – Used to track all core recruitment functions, allowing the Army to save time and resources
    • PCI DSS Dirty Dozen (image slide)
    • (chart slide) - Symantec 2009
    • SMB: – Minimize complexity & cost – Eliminate the need to own – Value outweighs risk; outsource everything
    • What businesses were breached (chart slide). Source: 7Safe Breach Report, Jan 2010
    • What information was targeted (chart slide). Source: 7Safe Breach Report, Jan 2010
    • Not an inside job… (chart slide). Source: 7Safe Breach Report, Jan 2010
    • Targeted Asset (chart slide). Source: 7Safe Breach Report, Jan 2010
    • Exploit (chart slide)
    • Origin (chart slide)
    • SaaS Division of Responsibilities
      Customer:
      • Compliance with data protection law in respect of customer data collected and processed
      • Maintenance of identity management system
      • Management of identity management system
      • Management of authentication platform (including enforcing password policy)
      Provider:
      • Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc.)
      • Physical infrastructure security and availability (servers, storage, network bandwidth, etc.)
      • OS patch management and hardening procedures (check also for any conflict between customer hardening procedure and provider security policy)
      • Security platform configuration (firewall rules, IDS/IPS tuning, etc.)
      • Systems monitoring
      • Security platform maintenance (firewall, host IDS/IPS, antivirus, packet filtering)
      • Log collection and security monitoring
      Source: ENISA
    • Reducing Risk • Identify what's most important • Identify where vulnerabilities exist • Isolate the probable • Quantify • Identify the most effective & efficient prevention • Have a pre-approved incident response plan • Test, evaluate and improve
    • Examples
    • One Proposal for the Here and Now… (image slide)
    • The best defense is a good offense? "We spend more time on the computer network attack business than we do on computer network defense because so many people at very high levels are interested" - Former CNA commander, Air Force Maj. Gen. John Bradley. "…but Mr. Obama is expected to say little or nothing about the nation's offensive capabilities, on which the military and intelligence agencies have been spending billions."