Heather Axworthy May 2010 Moving to the Cloud?

Cloud Security Overview

A few things to think about before moving to the cloud.


  1. Heather Axworthy May 2010 Moving to the Cloud?
  2. Agenda
      • Cloud Computing… What Is It?
      • Before Moving To The Cloud
      • Questions to ask yourself and the vendor
      • Security Implications – Top Threats
      • After Moving To The Cloud
  3. Cloud Computing
      • It Is Not a New Technology.
      • It Is a Service Offering.
      • It Is Outsourcing of Your Internal Assets to a 3rd Party Provider (Hardware, Software or Both.)
      • Often Referred to As “Internet Based Computing.”
  4. Types of cloud offerings
  5. Moving to the Cloud…
      • Decide Which Assets Are Going to Be in the Cloud
      • Document the Security Posture for the Asset – Most Important
      • Why?
      • 3 Reasons - CIA
          • C – Confidentiality
          • I – Integrity
          • A – Availability
      • Multi-tenancy – Do I want to share resources with other entities?
      • Sketch Out the Data Flow – Visio, Whiteboard, Post-its Etc.
      • Figure Out Which Cloud Model Works Best Based on Compliance, Security Posture and Data Flow
  6. Ask yourself these questions…
      • What Is the Risk If:
          • Assets Become Widely Public and Widely Distributed
          • Employee of the Cloud Provider Accessed the Data
          • Process or Function Was Manipulated by the Outsider
          • Process or Function Failed to Provide Expected Results
          • Data Was Unexpectedly Changed
          • Asset Was Unavailable for a Period of Time
  7. What to ask the vendor…
      • The SAS 70 Is No Longer Enough.
      • Cloud Vendor Must Provide Full Disclosure Regarding Security Practices and Procedures That Are Stated in the SLA.
      • Cloud Vendor’s ISO 27001 Security Roadmap
      • Examine and Assess the Provider’s Supply Chain (Service Provider Relationships and Dependencies.)
      • BCP and DR Plan
      • Right to Audit Clause
      • Encryption Options – Encrypting Data at Rest and While in Motion
      • Authentication – Two Factor, make it mandatory.
  8. Top threats to cloud computing
      • Abuse and Nefarious Use – Criminals Using Cloud Vendors to Serve Malware, Phishing E-mails, Spam etc.
      • Insecure Interfaces and APIs – Anonymous Access, Clear-text Passwords, Reusable Session Tokens or Passwords
      • Malicious Insiders
      • Shared Technology Issues
      • Data Loss or Leakage – strong AAA, strong API access control
      • Account or Service Hijacking – monitor activity, two-factor authentication
      • Unknown Risk Profile – vendor disclosure of infrastructure
  9. After you move to the cloud…
      • There is no “set it and forget it” once the asset is in the cloud.
      • Whatever you used to do to the asset while on prem, you still have to do when it’s in the cloud. It might be modified slightly based on your SLA, but it must incorporate monitoring and auditing.
  10. Resources
      • Cloud Security Alliance: http://cloudsecurityalliance.org
      • LinkedIn group: Cloud Security Alliance