Losing Control to the Cloud
Published in: Technology, Business
Transcript

  • 1. How to Gain Comfort in Using the Cloud. Jason Falciola, GCIH, GAWN, Technical Account Manager, Northeast. October 20th 2010
  • 2. Agenda
      − What perspective does Qualys bring to this discussion? Security & Compliance Software as a Service (SaaS) provider since 1999; continuously expanding platform to address evolving challenges
      − Rapid Market and Technology Changes
      − The Security & Compliance Conundrum
      − Cloud Definition
      − Cloud Questions
      − Reliance on Existing Frameworks
      − Tackling the Cloud
      − Moving Forward
      − Q&A
    COMPANY CONFIDENTIAL 1
  • 3. Technology and Market Trends
      − Cloud computing is a disruptive technology
      − Accelerated industry consolidation
      − Moving toward thin clients and a data-center-centric model
      − Security moving into the infrastructure and toward cloud services
    (Diagram: Private Clouds, SaaS, PaaS, IaaS, Internet, QualysGuard Service)
  • 4. Survey Says… (Information Week)
    “In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
    -- Information Week, http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
  • 5. Survey Says… (Gartner)
    Key Findings:
      − Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
      − The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
    Recommendations:
      − Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
      − Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
    -- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010, http://www.gartner.com/DisplayDocument?doc_cd=175916
  • 6. Agenda (repeat of slide 2)
  • 7. Security & Compliance Conundrum: having to address the new and old challenges
      − New and multiplying attack vectors
      − Authentication still an unresolved issue
      − Security & compliance silos, fragmented tools & data
      − Lack of enterprise/agency-wide visibility and policy enforcement
    (Diagram: Private Clouds, SaaS, PaaS/IaaS; Regulations, Industry Standards, Internal Policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC)
  • 8. Agenda (repeat of slide 2)
  • 9. What is the Cloud? Definition
    “The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
    – NIST Information Technology Laboratory
  • 10. What is the Cloud? Essentials. Five Essential Characteristics:
      1. On-demand, self-service – Ability to unilaterally provision computing capabilities
      2. Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
      3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
      4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned
      5. Measured service – Resource usage can be monitored, controlled and reported
  • 11. What is the Cloud? Service Models. Three Service Models:
      1. Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security is provided by the cloud vendor.
      2. Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security are managed by the cloud customer.
      3. Infrastructure as a Service (IaaS) – The cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer can deploy and run arbitrary software, including operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
    Key Takeaway: the lower down the stack the cloud service provider goes, the more security capabilities and management the enterprise is responsible for.
  • 12. What is the Cloud? Deployment Models. Four Deployment Models:
      1. Public: Made available to the general public or a large industry group, and owned by an organization selling cloud services.
      2. Private: Operated solely for a single organization or a group of organizations, isolated from peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
      3. Community: Shared by several organizations and supports a specific community with shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
      4. Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  • 13. What is the Cloud? Visual Definition (diagram)
  • 14. Agenda (repeat of slide 2)
  • 15. Cloud Questions
      − New technology combined with unproven vendors / service providers
      − Innovative technology in the hands of the users
      − Data leaving the perimeter
      − Growing number of third parties requiring connectivity
      − Control validation changes to trust
      − Transparency limited to what you know
      − Challenging to report risk back to the business
  • 16. Critical Challenges for Security Professionals
    (Diagram: Security Program, Questionnaires, On-Site Review, Third Party; Security Budgets, Staffing/Resources, Reduce Confusion)
  • 17. Audit Activities and Costs
      − Up to 5 man-days of work to complete
      − Hotel
      − Transportation
      − Any corrective actions
      − Hidden costs (e.g., required pen test, out-of-office work, regulatory)
      − What would the average cost be?
  • 18. Multiple Reviews
    (Diagram: a single Cloud User reviewing SaaS SP 1, IaaS SP, SaaS SP 2, PaaS SP, SaaS SP 3, SaaS SP 4)
      − No standard
      − Scalability
      − After the fact
      − Custom reviews
  • 19. S-P-I Framework
      − IaaS – Infrastructure as a Service
      − PaaS – Platform as a Service
      − SaaS – Software as a Service
    Toward IaaS, you build security in; toward SaaS, you “RFP” security in.
    Source: http://www.cloudsecurityalliance.org
  • 20. Agenda (repeat of slide 2)
  • 21. Existing Frameworks in Use
      − Security Questionnaires
      − On-Site Review
      − ISO 27002
      − SAS-70 Type II
      − SysTrust
      − PCI
      − Third Party Penetration Test
  • 22. Agenda (repeat of slide 2)
  • 23. Available Resources for Cloud Users – NIST & ENISA
      − NIST: Cloud Definition; SCAP – Security Content Automation Protocol, http://scap.nist.gov; Continuous Monitoring
      − ENISA: Report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  • 24. Available Resources (cont’d) – Cloud Security Alliance (CSA)
      − Cloud Security Alliance: CSA Guide, Research Papers
      − Initiatives in Progress/Released:
          CSA Guidance V2.1 – Released Dec 2009, http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
          CSA Top Threats Research – Released March 2010
          CSA Cloud Controls Matrix – Released April 2010
          Trusted Cloud Initiative – Release Q4 2010
          CSA Cloud Metrics Working Group
          Consensus Assessment Initiative
  • 25. Available Resources (cont’d) – CSA Guidance. Research guidance with > 100k downloads: cloudsecurityalliance.org/guidance
      − Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
      − Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
      − Cloud Architecture
  • 26. Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
      − Controls derived from guidance
      − Rated as applicable to S-P-I
      − Customer vs. Provider role
      − Mapped to ISO 27001, COBIT, PCI, HIPAA
      − Helps bridge the gap for IT & IT auditors between existing controls and cloud controls
    www.cloudsecurityalliance.org/cm.html
  • 27. Available Resources (cont’d) – CAMM, Shared Assessments
      − Common Assurance Maturity Model (CAMM)
      − Shared Assessments: Target Data Tracker; Self Information Gathering (SIG) – Level I, Level II; AUP – Agreed Upon Procedures; Business Continuity Questions, Privacy Questions, Other tools; Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
  • 28. Available Resources (cont’d) – Jericho Forum Cloud Cube Model (diagram)
  • 29. Available Resources (cont’d) – Jericho Forum Self-Assessment (diagram)
  • 30. Recommendation: Use a Proprietary, Blended Approach
    (Diagram: a blended approach drawing on PCI, CoBIT, ISO-27001, CAMM, ENISA, CSA)
      − One size does not fit all
      − Same if not stronger controls
      − Reliance on periodic audits
  • 31. Agenda (repeat of slide 2)
  • 32. Moving Forward
      − Collaborative effort amongst associations required
      − Joint paper with CSA, CloudAudit/A6, ISACA, and ISF
      − Hope to include NIST, PCI and BITS
      − Cloud users will continue to use available resources for assessments
  • 33. Assessing Cloud Security: References
      − CloudAudit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – now a project of CSA: http://www.cloudaudit.org
      − Cloud Security Alliance (CSA): http://www.cloudsecurityalliance.org/
      − Common Assurance Maturity Model: http://common-assurance.com/
      − Jericho Forum: http://www.opengroup.org/jericho/
      − Shared Assessments: http://www.sharedassessments.org/
      − Qualys: http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO; http://www.qualys.com/products/qg_suite/malware_detection/ – Free Tool; http://www.qualys.com/aurora – Research by iSec Partners
  • 34. QualysGuard Freemium Services: more than just “free” services – leverage the cloud
      − www.qualys.com/stopmalware
      − www.ssllabs.com
      − https://browsercheck.qualys.com
      − Other freemium services in the making: Malware Research Portal, HoneyNet Research Portal, Automated Generation of IDS Signatures
    https://community.qualys.com/docs/DOC-1351
  • 35. Thank You. Q&A? Jason Falciola, GCIH, GAWN, jfalciola AT qualys.com, +1 973-464-5659, http://www.qualys.com
