Damien Behan and Justin Pirie present on Cloud Security: from a customer and an industry perspective.
Damien Behan leads the IT function at Brodies, focusing on delivering value to the firm through its investment in technology. He is responsible for the smooth running of the firm's IT, while also setting the strategy and aligning it to that of the business. He has a wide range of experience within the legal sector, and specialises in the innovative use of technology to address business requirements. Damien has a keen interest and a wide experience in Knowledge Management and has been involved in driving the use of social software within the firm.
Intro: myself and where I work
Answer the key question: is my data safe?
What are the hurdles we have to cross?
What are the actionable things we can do?
Why should you consider going to the cloud?
Security
Continuity
Archive
Bringing all the benefits of Google Apps (horizontal scalability, reliability, etc.) to Microsoft Exchange
2010 Gartner Hype Cycle for emerging technologies
From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
Why are some people unsure about cloud security?
Security is often presented as a binary object. It’s not.
It’s much more complex than that.
Technical details are abstracted
Probably because of the relative opacity of Cloud compared to the transparency of a private network and the control you can exert on it
Are its Achilles heel
Without revealing too much intellectual property: the main differentiator in cloud
Standards are only just emerging
Buyer beware: http://en.wikipedia.org/wiki/Caveat_emptor
Under the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud. Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
Which is why we in cloud feel like we’re being beaten up...
Independent Audit?
There are no standards. There is no best-practice independent security methodology for cloud. Clouds are opaque. Technical complexity is abstracted. Proper audit / due diligence requires transparency. But transparency would reveal IP.
An independent third party is so important to validate claims in depth: SAS 70, CESG etc.
Spot the missing one?
ISO 27001: ISO 27001 doesn't fit the cloud. It is currently a 5-year-old standard, to be reviewed in 2012; the CSA is helping update the controls for the cloud.
· Should you adopt ISO 27001? What sort of protection will it grant you?
Yes. Because it's a framework for managing security. A process. A set of documentation. A set of controls.
Working out how much risk is acceptable
What risk are you exposed to?
Which risks are greater than the acceptable risk?
What controls do you need to manage? Taken from Annex A
Deploy the controls in an auditable way; constantly approve
Compliance: testing
Governance, Risk, Compliance: testing to make sure your controls
It scales
Control and governance: what should be the basis of your Cloud Data Best Practice Policy? ENISA
· Investigating availability guarantees and penalties and examining your supplier's disaster recovery strategy
Important: they do what they say they do
The bar you set needs to be relevant to what you have already: BASELINE!!!
A realistic expectation, based on the data you're going to outsource
Look at historical performance: not a predictor of the future, but relevant
Look at their DR strategy: if you have 2 data centres, that should be the expectation
Map your requirements to the provider
· Data compliance: the importance of clarifying where your data will be stored and who will have access to your information
Jurisdiction: EU / Patriot Act / RIPA / Safe Harbour
· Ultimately, who has control over your data?
When you save your data, you need to understand where it goes
Look at service providers to the same extent
MBTF: encryption; look at service providers
Cloud should be architected differently
People shouldn't be fooled by "cloud" technology
See behind the fog; often it's really hard because of the opaqueness
Integrity of data is critical
End to end vs middleware: designed to hook together
Managing service provider obligations
Assess the risk: make sure the risk you're willing to accept is reflected in the SLA
Review: annually? On any deviation, look for recompense or additional controls
A blunt instrument
Make sure compliance and information governance are involved early on in the process of negotiating the SLA; lawyers don't know about GRC
The key is to understand your current risks: baseline them
Otherwise it ends up in a permissions nightmare, or a brittle infrastructure
How are we managing those risks today?
Are you given the budget / skills to do it?
“Quis custodiet ipsos custodes?” Who will guard the guards themselves? Decimus Iunius Iuvenalis
Cloud can be a way to become a guard’s guard, instead of the guard
Reasons to go cloud for security
Reason #1: it's their business, and their reputation depends on it
Reason #2: money; they are held financially responsible
Reason #3: scale; cloud platforms have scale that customers could never achieve on their own, protecting against large-scale attacks
Reason #4: specialised skills; they employ specific people to do a specialised job
Cumulative effect of multiple customers
Best practice is embedded in the organisation and distributed, not dependent on one person
Not just about competence and budget, but focus. It's all they do.
But make it proportional to risk, especially to CURRENT RISKS