Cloud risk and business continuity v21


Risk of moving to cloud computing, implications on availability and business continuity, security and risk management.

Published in: Business

Speaker notes:
  • The NIST diagram provides a good visualization of what it is, what types of services are delivered and how it is deployed.
  • The security approach and role varies depending on the delivery model

    1. Risks in the Cloud and Business Continuity (BCP/DRP Summit)
    2. What is the Cloud?
    3. Evolution of Cloud: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service)
    4. Complexity of the Cloud
    5. Spread of Code Red Worm in the Cloud, July 19 01:05:00 2001
    6. Spread of Worm in the Cloud, July 19 20:15:00 2001. Financial cost of the Code Red worm: $2.6 billion
    7. SQL Slammer Worm: 30 min; infections doubled every 8.5 seconds; spread 100X faster than Code Red; at peak, scanned 55 million hosts per second; cost: $1.2 billion
    8. Cloud Challenges: dynamic threats; limited IT resources; pressure to demonstrate risk reduction and compliance; process complexity; reduce operating costs; must show value; proactive versus reactive
    9. Cloud Focus Challenges
    10. Cloud Reliability. Enterprises are setting their SLA uptimes at 99.99% or higher; cloud providers are not fully ready. Amazon's cloud outages receive a lot of exposure: July 20, 2008, failure due to stranded zombies, lasts 5 hours; Feb 15, 2008, authentication overload leads to a two-hour service outage; October 2007, service failure lasts two days; October 2006, security breach where users could see other users' data. And their current SLAs don't match those of enterprises: Amazon EC2 99.95%, Amazon S3 99.9% (SLAs expressed in monthly uptime percentages; source: McKinsey & Company). Not clear that all applications require such high service levels. IT shops do not always deliver on their SLAs, but their failures are less public and customers can't switch easily.
    11. Cloud Service Layers (Services, Application, Development, Platform, Storage, Hosting; from application-focused to infrastructure-focused; source: Copyright © 2007 Boeing. All rights reserved.). Services – complete business services such as PayPal, OpenID, OAuth, Google Maps, Alexa Services. Application – cloud-based software that eliminates the need for local installation, such as Google Apps, Microsoft Online. Storage – data storage or cloud-based NAS such as CTERA, iDisk, CloudNAS. Development – software development platforms used to build custom cloud-based applications (PaaS & SaaS), such as SalesForce. Platform – cloud-based platforms, typically provided using virtualization, such as Amazon EC2, Sun Grid. Hosting – physical data centers such as those run by IBM, HP, NaviSite, etc.
    12. Cloud and Risk: the same layers (Services, Application, Development, Platform, Storage, Hosting) rated on information risk (relative effectiveness of technical controls), interoperability risk (difficulty of enterprise integration) and capability maturity. Source: Copyright © 2007 Boeing. All rights reserved.
    13. More challenges, past versus present + cloud. Network policy: inside and outside groups with default deny (past) versus hundreds of groups with default allow (present + cloud). Applications: tens of applications (web, mail, domain name server (DNS)) versus hundreds of applications (custom protocols, payroll, trading). Targets and traffic: tens of targets and megabits of traffic versus thousands of targets and gigabits of traffic.
    14. Reorganizing the roles in the cloud
    15. Cloud Impact on your Business
    16. Threat sources: environmental, natural disasters, unexpected ("OOPS" factor), cyber terrorism, viruses, industrial espionage
    17. Business Impacts and Risks: employee & customer privacy, legislative violations, financial loss, intellectual capital, litigation, public image/trust
    18. Importance of Critical Infrastructures
    19. Critical Infrastructure – cable cuts. Recent Middle East incident: a dragging anchor cut two critical cables; 85+ million users impacted across eight countries (India 60m, Pakistan 12m, Egypt 6m, Saudi Arabia 4.7m, UAE 1.7m, Kuwait 0.8m, Qatar 0.3m, Bahrain 0.2m); the incident highlights potential terrorist opportunities. Resiliency is ABSOLUTELY CRITICAL.
    20. Complexity: Increased Risk. "The future of digital systems is complexity, and complexity is the worst enemy of security." Bruce Schneier, Crypto-Gram Newsletter, March 2000
    21. More complexity, more security flaws. Complexity & reliability risk: 1–10 simple procedure, little risk; 11–20 more complex, moderate risk; 21–50 complex, high risk; >50 untestable, VERY HIGH RISK. Complexity & bad-fix probability. Essential complexity (unstructuredness) & maintainability (future reliability) risk: 1–4 structured, little risk; >4 unstructured, high risk. Structural analysis provides actionable metrics on complexity and risk.
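The risk bands on slide 21 match the usual cyclomatic-complexity thresholds, so as an added example (not part of the deck, and the deck does not name the metric, so treating the bands as McCabe cyclomatic complexity is an assumption here) this script computes that complexity for every function in a Python module with the standard-library `ast` package and maps each function onto the slide's bands. The sample module is constructed for the example.

```python
import ast
from typing import Dict, Tuple

# Risk bands as given on the slide: (upper bound of the band, label).
RISK_BANDS = [
    (10, "Simple procedure, little risk"),
    (20, "More complex, moderate risk"),
    (50, "Complex, high risk"),
]
UNTESTABLE = "Untestable, VERY HIGH RISK"

# AST node types that open one extra path through a function. Counting them
# plus 1 gives McCabe's cyclomatic complexity (assumption: the slide's bands
# are the usual cyclomatic thresholds, although it does not name the metric).
BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.IfExp, ast.ExceptHandler)


def cyclomatic_complexity(func: ast.AST) -> int:
    complexity = 1
    for node in ast.walk(func):  # nested functions are counted into their parent
        if isinstance(node, BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.comprehension):
            complexity += 1 + len(node.ifs)  # the loop plus each filter clause
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1  # each extra 'and'/'or' operand
    return complexity


def risk_band(complexity: int) -> str:
    for upper_bound, label in RISK_BANDS:
        if complexity <= upper_bound:
            return label
    return UNTESTABLE


def analyze_source(source: str) -> Dict[str, Tuple[int, str]]:
    """Map every function name in the module to (complexity, slide risk band)."""
    tree = ast.parse(source)
    results = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = cyclomatic_complexity(node)
            results[node.name] = (cc, risk_band(cc))
    return results


# Constructed sample module for the example; not code from the presentation.
SAMPLE_SOURCE = '''
def simple(x):
    return x + 1

def validate(record):
    if record is None:
        return False
    for key in ("user", "role"):
        if key not in record:
            return False
    if record["role"] == "admin" and record.get("mfa") or record["role"] == "guest":
        return True
    try:
        return int(record["user"]) > 0
    except ValueError:
        return False
'''

if __name__ == "__main__":
    for name, (cc, label) in analyze_source(SAMPLE_SOURCE).items():
        print(f"{name}: complexity {cc} -> {label}")
```

Run against a real code base, the `>50` band is the one to act on first: the slide's point is that such a routine cannot be tested exhaustively, so a security fix applied there carries the "bad fix" probability the same slide warns about.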
    22. Framework must address risk. Elements: threats, vulnerabilities, controls, risks, assets, security requirements, business impact. Relationships in the diagram: exploit, expose, increase, have, protect against, met by, indicate, reduce.
    23. Risk Analysis provides focus: a High/Medium/Low grid on both axes, with the High/High cell as the area of major concern
    24. Managing risk?
    25. End User Phishing: target customers of banks and online payment services; obtain sensitive data from U.S. taxpayers by faked IRS e-mails; identity theft on social network sites, e.g.; recently more non-financial brands were attacked, including social networking, VOIP, and numerous large web-based email providers. Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m.
    26. End User is the biggest problem. Farce of the Facebook spy: MI6 chief faces probe after wife exposes their life on Net. "MI6 faced calls for an inquiry last night after an extraordinary lapse of judgment led to the new head of MI6's personal details being plastered over Facebook. Millions of people could have gained access to compromising photographs of Sir John Sawers and his family on the social networking website. ..." (source URL fragment: faces-probe-wife-exposes-life-Facebook.html)
    27. When all fails… are you ready? "Everybody's got a plan until they get hit!" – Mike Tyson
    28. Business Continuity Management. BCM project: Business Continuity Planning initiation (policy, scope, resources, organization); business impact analysis; risk analysis; recovery strategy; risk reduction; implement standby facilities; create planning organization; group plans and procedures; testing. BCM ongoing process: change management, education, testing, review.
    29. Business Continuity timeline: active business, a successful recovery
    30. Processes – Workflow
    31. Risk Transfer: elimination; reduction/controls; transfer/outsource; insurance; residual. Not all risk can be eliminated via controls.
    32. Strategy Optimization: recovery strategy must be optimized to business requirements (chart of cost of strategy against time, showing mitigation cost, lost revenue and the optimum mitigation strategy)
    33. Response and Risk approach. Events: assess impact of events & implement appropriate controls (risk management and business controls). Incidents: monitor & resolve at the appropriate level using processes (incident management process). Crises: monitor & resolve the "critical few" with the crisis management team (crisis management process).
    34. Standardisation bodies: ISO/IEC – wide scope of standardization, 27xxx and 13335; IETF – focuses on Internet-related technical security requirements; NIST-CSRC – wide scope of coverage for both government and enterprise needs; OASIS – Application Vulnerability Description Language; OGSF (Open Group Security Forum) – started the Intrusion Attack and Response Workshop. Best practices and recommendations: CERT/CC; SANS (System Administration, Networking, and Security) Institute; ISACA – most noted for the CobiT framework for IT Governance; ISSA – GAISP (Generally Accepted Information Security Principles)
    35. Standards, Guidelines: ISMS family of standards (ISO/IEC 27xxx). ISO/IEC 27001 – ISMS (BS 7799-2); ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1); ISO/IEC 27005 – infosec risk management; ISO/IEC 27006 – guide to the ISMS certification process; ISO/IEC 27003 – ISMS implementation guide; ISO/IEC 27004 – infosec metrics; ISO/IEC 27007 – guideline for ISMS auditing; ISO/IEC 27011 – ISMS implementation guideline for the telecommunications industry; ISO/IEC 27034 – a guideline for application security
    36. Standards provide controls. So how do you implement security controls? Technical controls: the site implements a firewall to stop external attackers but allow academic collaboration. Education: explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration). Administrative controls: the security policy states that Internet services must be used safely.
    37. ISO 27004: Metrics & Measurement. ISO/IEC has a new project to develop an ISMS Metrics and Measurements standard, aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls): performance targets, what to measure, how to measure, when to measure
    38. Security Metrics
    39. Infrastructure-Centric Metrics. Infrastructure-centric metric – measure of efficiency, speed, and/or capacity of technology. Throughput – amount of information that can pass through a system in a given amount of time. Transaction speed – speed at which a system can process a transaction. System availability – measured inversely as downtime, or the average amount of time a system is down or unavailable. Response time – average time to respond to a user-generated event like a mouse click. Scalability – conceptual metric related to how well a system can be adapted to increased demands.
    40. IT Metrics and SLAs. Service level agreement (SLA) – formal, contractually obligated agreement. SLAs must include IT success metrics. SLAs are between you and the outsourcer. SLAs define how you will measure KPIs. Measures are in service level specifications (SLS) or service level objectives (SLO).
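As an added worked example (not part of the deck), the SLA figures quoted on slide 10 are turned into the downtime budgets that slide 39 says availability is really measured by, and checked against the 99.99% enterprise target from slide 10. It goes one step beyond the slides by composing the two provider SLAs for an application that needs both services to be up. The 30-day month and the independence of the two services are assumptions made for the example.

```python
from typing import Dict

# Assumption: a 30-day month (43,200 minutes). The slide's SLAs are monthly uptime percentages.
MINUTES_PER_MONTH = 30 * 24 * 60


def allowed_downtime_minutes(uptime_percent: float, minutes: int = MINUTES_PER_MONTH) -> float:
    """Downtime budget implied by an uptime percentage over the period."""
    if not 0.0 <= uptime_percent <= 100.0:
        raise ValueError("uptime must be a percentage between 0 and 100")
    return minutes * (1.0 - uptime_percent / 100.0)


def composite_uptime_percent(components: Dict[str, float]) -> float:
    """Availability of a service that needs every listed component to be up.

    Assuming the components fail independently, serial dependencies multiply,
    so the composite figure is always below the weakest component's own SLA.
    """
    product = 1.0
    for pct in components.values():
        product *= pct / 100.0
    return product * 100.0


def sla_gap_report(components: Dict[str, float], target_percent: float) -> dict:
    """Compare the composite provider SLA with the enterprise target."""
    composite = composite_uptime_percent(components)
    return {
        "composite_uptime_percent": composite,
        "composite_downtime_minutes": allowed_downtime_minutes(composite),
        "target_downtime_minutes": allowed_downtime_minutes(target_percent),
        "meets_target": composite >= target_percent,
    }


# Provider SLAs quoted on slide 10; 99.99% is the enterprise target from the same slide.
PROVIDER_SLAS = {"Amazon EC2": 99.95, "Amazon S3": 99.9}
ENTERPRISE_TARGET = 99.99

if __name__ == "__main__":
    for name, pct in PROVIDER_SLAS.items():
        print(f"{name}: {pct}% -> {allowed_downtime_minutes(pct):.1f} min/month of downtime allowed")
    report = sla_gap_report(PROVIDER_SLAS, ENTERPRISE_TARGET)
    print(f"Application on EC2 + S3: {report['composite_uptime_percent']:.3f}% "
          f"({report['composite_downtime_minutes']:.1f} min/month) "
          f"vs target {ENTERPRISE_TARGET}% ({report['target_downtime_minutes']:.2f} min/month); "
          f"meets target: {report['meets_target']}")
```

The useful check for a continuity plan is the last line: an application that depends on both quoted services is contractually covered only to about 99.85%, roughly 65 minutes a month, against a 4.3-minute budget at 99.99%. The gap has to be closed by the customer's own recovery strategy (slide 32), not by the provider's SLA.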
    41. Incident Handling Life Cycle. Inputs: email, hotline/phone, incident report, vulnerability report, information request, IDS, other → triage → analyze; coordinate information and response; obtain contact information; provide technical assistance
    42. Incident Response Components (from RFC 2350). The CSIRT's organisational form depends on the type of organisation and the required level of support to the community. Security policy: define what is required/allowed/acceptable. Incident response policy: what is provided, who receives it and who provides support. Incident response plan: which incidents will be responded to and how.
    43. EU CERTs
    44. Action Plan 1. Build resilience / harden the infrastructure: servers and links redundancy; security of routing protocol / traffic exchange; security of DNS service; profiling attackers and understanding their objectives (know your enemies). Response preparedness: national contingency plan for the Internet; cyber exercises on national/international level are crucial; strengthen multinational cooperation for rapid response (formal rather than informal); importance of CERTs/CSIRTs and their role for national and international cooperation; measurement – monitoring of traffic to understand what is going on.
    45. Action Plan 2. Technology will not be sufficient: study the economics of security and cyber crime; set up Public Private Partnership (PPP), for example by developing cross-sector and cross-organisational cooperation on national, EU and international levels; agree on responsibility allocation; information and best-practice sharing → importance of trust; raising awareness and education of individuals, public bodies, corporate users and service providers.
    46. Questions