Cloud computing - Assessing the Security Risks - Jared Carstensen


This is the presentation I recently gave regarding cloud computing and the risks which are often not thought through.

Looks at the cloud from an Information Security and compliance aspect which is often forgotten.

Best wishes,

Jared Carstensen

Published in: Technology


1. Cloud Computing: Assessing the Security Risks (Jared Carstensen)

2. Agenda
   - What is the cloud?
   - Why Cloud Computing?
   - Decomposing the Cloud
   - Understanding Implementations
   - Top Security Risks
     - Privileged User Access
     - Regulatory Compliance
     - Data Location
     - Data Segregation
     - Recovery
     - Investigations
     - Long Term Viability
   - Myths and Truths
   - Roadmap to Success

3. Awards / Credentials

4. Sample of Clients

5. What is the Cloud?
   - Cloud computing: Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
   - Private Cloud: utilises the technologies of the public cloud but is operated solely for an organisation. It could be managed by the organisation itself or by a third party, on or off site.
   - Virtual Private Cloud: a cloud deployed solely for use of an organisation. This cloud utilises the standardised technology and processes of a service provider, which leverages shared resources with dedicated resource pools and a tailored Service Model (determined by each provider).

6. Why Cloud Computing?
   - "We are in the midst of a Sea Change"
   - Collaboration and sharing on a scale never imagined
   - New economics / Increased productivity / Reduced management:
     - Pay for what you use
     - Lower and predictable costs
     - Shift from CapEx to OpEx
     - Accelerate speed to value
     - No patching, maintenance
     - Faster deployment
     - Robust multi-layered security
     - Reliability and fault-tolerance
     - Latest software for users
     - Internet collaboration
     - Anywhere access
     - Instant self-provisioning

7. Decomposing the Cloud
   - The 3 primary models for Cloud Computing are:
     - Software as a Service (SaaS)
     - Platform as a Service (PaaS)
     - Infrastructure as a Service (IaaS)

8. Understanding Implementations
   - Cloud Computing Service Categories: who manages each layer of the stack under each delivery model.

   | Layer          | On Premises | Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS) |
   |----------------|-------------|------------------------------------|------------------------------|------------------------------|
   | Applications   | You manage  | You manage                         | You manage                   | Managed by vendor            |
   | Data           | You manage  | You manage                         | You manage                   | Managed by vendor            |
   | Runtime        | You manage  | You manage                         | Managed by vendor            | Managed by vendor            |
   | Middleware     | You manage  | You manage                         | Managed by vendor            | Managed by vendor            |
   | O/S            | You manage  | You manage                         | Managed by vendor            | Managed by vendor            |
   | Virtualization | You manage  | Managed by vendor                  | Managed by vendor            | Managed by vendor            |
   | Servers        | You manage  | Managed by vendor                  | Managed by vendor            | Managed by vendor            |
   | Storage        | You manage  | Managed by vendor                  | Managed by vendor            | Managed by vendor            |
   | Networking     | You manage  | Managed by vendor                  | Managed by vendor            | Managed by vendor            |

9. Top Security Risks: Privileged User Access
   - Sensitive data processed outside the organisation / enterprise brings with it an inherent level of risk, as outsourced services tend to bypass the "physical, logical and personnel controls".
   - Know your provider! Get as much information as you can about the people who will manage your data.
   - Best practice: what standards do they follow or are they certified to?
   - How often are they assessed, and how often are controls tested and verified?
   - You wouldn't give someone all your data without asking what they are going to do with it, would you?

10. Regulatory Compliance
   - It remains YOUR responsibility!
   - Customers are ultimately responsible for the security and integrity of the data they collect, even when it is held by a service provider. You cannot "surrender or transfer" your responsibilities under the Data Protection Act (Irish and UK). If you collect the information, you need to ensure the information is held in accordance with the 8 key principles of the Data Protection Act.
   - International Data Transfer

11. Data Location
   - Where is it? What laws is it governed by?
   - When organisations use the cloud, most probably don't even know where their data is held or hosted.
   - What country is it in?
   - What laws govern it?
   - Who has access to it?
   - "Smaller cloud providers are not carrying cyber insurance, and have no plans to do so until the larger customers push back." (Hartford Financial Services Group, New York)

12. Data Segregation
   - In the vast majority of cases, data in the cloud is stored and hosted in a shared environment alongside data from other customers.
   - How is this controlled?
   - What accountability is there?
   - How is CIA (confidentiality, integrity and availability) enforced?
   - What happens in the case of an investigation?
   - Can I get my data back if I need it?

13. Data Recovery: Disaster Recovery / Business Continuity
   - Data backup and replication are NOT a given when utilising cloud computing. There is often little to no commitment around data backup and replication in standard agreements. Most of these agreements tend to ensure availability of the service provided by the provider, not of the contents or data.
   - Always check to ensure your provider can tell you what will happen to your data in the event of a disaster!
   - Service Level Agreements should be thoroughly checked and reviewed to ensure they align with the business requirements before proceeding.

14. Investigations & Support: Illegal / Inappropriate Activity
   - The investigation of inappropriate or illegal activities may be impossible in cloud computing for a number of reasons.
   - What technology / systems are being utilised by the provider?
   - Is there an intelligent system being used to detect anomalies or attacks?
   - What processes / procedures are in place to ensure any breaches can be detected?
   - Will your provider notify you of any breaches (most don't)?
   - What happens if my information is taken as part of an investigation?

15. Long Term Viability
   - How viable is my provider long term?
   - In an ideal world, your cloud computing provider will never go broke, get acquired or be swallowed up by a larger company.
   - Recent stories:
     - SAP acquires Coghead (Cloud Computing)
     - HP acquires ArcSight (from RSA)
     - IBM acquires CastIron (Cloud Computing)
     - Dell acquires Perot Systems
   - "The most mature cloud services are only 3 years old"

16. Myths and Truths

17. Roadmap to Success: Keys to Success
   - Ensure your Cloud is future proof
     - Ensure you have a detailed and realistic plan which is scalable
     - If your organisation is fast paced, ensure your provider is too
   - Know your organisation and its requirements
     - Clearly define your cloud users, admins and roles upfront
     - No plans stay the same: make sure you are flexible and be realistic
   - Plan your services and ensure you have support (both internally and externally)
     - Ensure you "remove" redundant services effectively (unless for continuity)
   - Evaluate your internal processes before and after
     - Do current processes make sense? Can these be improved on? If so, how?
     - Why are we moving? Know the benefits and the business case before moving

18. Thank You
   - Jared Carstensen
   - jared@teaminfosec.com
   - http://www.TeamInfoSec.com
   - Tel: +353 1 813 5551
