Cloud Security CISO club - April 2011 v2

Cloud Security: risks and awareness.
CISO club - April 2011

Transcript

  • 1. Cloud Security: Risks and Awareness. Shahar Geiger Maor, Senior Analyst. www.shaharmaor.blogspot.com, http://www.facebook.com/shahar.maor, http://twitter.com/shaharmaor
  • 2. We Should Know, by Now, What Cloud Means. Source: http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf (Jericho Forum Cloud Cube Model). Shahar Maor's work, Copyright 2011 @STKI. Do not remove source or attribution from any graphic or portion of graphic.
  • 3. Game Changer #7: Hybrid Clouds, Private Clouds, Public Clouds; delivery models BPaaS, PaaS, SaaS, IaaS.
  • 4. 4 types: Enterprise Clouds. Source: http://www.readwriteweb.com/cloud/2011/04/the-cloud-stratosphere-infogra.php
  • 5. Cloudy IT: the hybrid world. ISPs will become strategic. By 2014, 80% of Israeli companies will run hybrid clouds. Developers are now doing most of their development work for public cloud versions, but will have private cloud versions by 2015.
  • 6. How does a private "cloud" look?
  • 7. Enterprise Benefits from Cloud Computing. Cloud accelerates business value across a wide variety of domains. Source: IBM, STKI modifications.
    Capability                    From (legacy environments)   To (cloud-enabled enterprise)
    Server/Storage Utilization    10-20%                       70-90%
    Self service                  None                         Unlimited
    Test Provisioning             Weeks                        Minutes
    Change Management             Months                       Days/Hours
    Release Management            Weeks                        Minutes
    Time to market                Bad                          Better
    Metering/Billing              Fixed cost model             Granular
    Focus on the Core             Not really                   Much better
  • 8. Technologies Categorization, 2010 to 2011. [Chart: security technologies plotted by Market Curiosity (vertical axis) against Market Maturity (horizontal axis: Looking, Implementing, Using); size of figure = complexity/cost of project. Labels recoverable from the chart: Cyber Warfare, Mobile Security, "Social" Security, Security IT Project, Major Changes, DLP, IRM, Cloud Security, Application Security, Endpoint Security, Security Management, Network Security.] Source: STKI
  • 9. Cloud Security. Source: http://securosis.com/research
  • 10. Top Threats to Cloud Computing (Cloud Security Alliance, v1.0):
    – Abuse and Nefarious Use of Cloud Computing
    – Insecure Interfaces and APIs
    – Malicious Insiders
    – Shared Technology Issues
    – Data Loss or Leakage
    – Account or Service Hijacking
    – Unknown Risk Profile
    Source: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
  • 11. Cloud Provider vs. Organization. Areas of shared concern: Governance, Compliance, Trust, Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability, Incident Response. Source: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  • 12. Division of Liabilities in the Cloud. Source: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/
  • 13. How to Secure the Cloud? Provider's side: technologies believed to be most important in securing the cloud computing environment. Source: http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
  • 14. Cloud Services Concerns, Client's side: security (especially access issues) is still considered a top concern. Source: InformationWeek, State of Cloud, Jan 2011
  • 15. Cloud Services Concerns, Client's side: "We won't be involving our security team in this project until the last possible moment, because the answer will be 'no.'" (VP at one of the largest retailers in the world). Source: InformationWeek, State of Cloud, Jan 2011
  • 16. Lack of Confidence in IT? Who is responsible for ensuring a secure cloud computing environment? Isn't cloud security an IT responsibility? So why is IT ranked 3rd? Don't let the responsibility scatter. Source: http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
  • 17. Regulations, Standards and Certifications. Regulations? Looking for regulations? Nothing (so far...). Please wait for the next disaster.
  • 18. Regulations, Standards and Certifications
    – Standards:
      • AICPA SAS 70: there is no published list of SAS 70 controls; the provider defines the control objectives the auditor tests, so only the report itself tells you what was covered. Recommendation: ask to review your cloud provider's SAS 70 Type I/II report (Type I covers control design at a point in time; Type II also tests operating effectiveness over a period).
    – Certifications:
      • NIST (National Institute of Standards and Technology): Recommended Security Controls for Federal Information Systems and Organizations* ===> FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
      • CSA: CCSK, Certificate of Cloud Security Knowledge.
    * Not related directly to cloud security.
  • 19. Regulations, Standards and Certifications
    – Guidelines:
      • CSA (Cloud Security Alliance): CCM, Cloud Controls Matrix
      • NIST (National Institute of Standards and Technology): DRAFT Guidelines on Security and Privacy in Public Cloud Computing
      • ENISA (European Network and Information Security Agency): Cloud Computing Information Assurance Framework
  • 20. Addressing Cloud Issues in the Israeli Government. From a position paper (10/2010) on: Principles for protecting the privacy of personal information in outsourcing in Israel. http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf
  • 21. In Short
    – The cloud is here to stay
    – Security is an EASY showstopper
    – ..."We put our money in the cloud"
    – No rush!
    – Find yourself a solid partner
    – Look for standards
  • 22. Thank you!