Cloud Security CISO club -April 2011 v2

Cloud Security: risks and awareness.
CISO club -April 2011

Published in: Technology, Business
  1. Cloud Security: Risks and Awareness. Shahar Geiger Maor, Senior Analyst. www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor
  2. We should know, by now, what cloud means. http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf (Shahar Maor’s work, Copyright 2011 @STKI. Do not remove source or attribution from any graphic or portion of graphic.)
  3. Game Changer #7: Hybrid Clouds. Private Clouds; Public Clouds – BPaaS, PaaS, SaaS, IaaS.
  4. 4 types: Enterprise Clouds. http://www.readwriteweb.com/cloud/2011/04/the-cloud-stratosphere-infogra.php
  5. Cloudy IT: the hybrid world. ISPs will become strategic. By 2014: 80% of Israeli companies will run hybrid clouds. Developers are now doing most of their development work for public cloud versions, but will have private cloud versions by 2015.
  6. How does a private “cloud” look?
  7. Enterprise Benefits from Cloud Computing. Cloud accelerates business value across a wide variety of domains. (Source: IBM, STKI modifications)
     Capability                  | From (Legacy environments) | To (Cloud enabled enterprise)
     Server/Storage Utilization  | 10-20%                     | 70-90%
     Self service                | None                       | Unlimited
     Test Provisioning           | Weeks                      | Minutes
     Change Management           | Months                     | Days/Hours
     Release Management          | Weeks                      | Minutes
     Time to market              | Bad                        | Better
     Metering/Billing            | Fixed cost model           | Granular
     Focus on the Core           | Not really                 | Much better
  8. Technologies Categorization 2010/2011 (chart; Source: STKI). Axes: Market Curiosity vs. Market Maturity (Looking, Implementing, Using); size of figure = complexity/cost of project. Technologies plotted: Cyber Warfare, Mobile Security, “Social” Security, IT Project Major Changes, DLP, IRM, Cloud Security, Application Security, Endpoint Security, Security Management, Network Security.
  9. Cloud Security. http://securosis.com/research
  10. Top Threats To Cloud Computing: Abuse and Nefarious Use of Cloud Computing; Insecure Interfaces and APIs; Malicious Insiders; Shared Technology Issues; Data Loss or Leakage; Account or Service Hijacking; Unknown Risk Profile. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
  11. Cloud Provider vs. Organization: Governance; Compliance; Trust; Architecture; Identity and Access Management; Software Isolation; Data Protection; Availability; Incident Response. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  12. Division of Liabilities in the Cloud. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/
  13. How to Secure the Cloud? – Provider’s Side. Technologies believed to be most important in securing the cloud computing environment. http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
  14. Cloud Services Concerns – Client’s Side. Security (especially access issues) is still considered a top concern. Source: InformationWeek, State of Cloud, Jan 2011
  15. Cloud Services Concerns – Client’s Side. “We won’t be involving our security team in this project until the last possible moment, because the answer will be ‘no.’” – VP at one of the largest retailers in the world. Source: InformationWeek, State of Cloud, Jan 2011
  16. Lack of Confidence in IT? Who is responsible for ensuring a secure cloud computing environment? Isn’t cloud security an IT responsibility??? So why is it 3rd? Don’t let it scatter. http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
  17. Regulations, Standards and Certifications. Regulations????? Looking for regulations? Nothing (so far…). Please wait for the next disaster.
  18. Regulations, Standards and Certifications
      • Standards:
        – AICPA: SAS 70: there is no published list of SAS 70 standards (Recommendation: ask to review your cloud provider’s SAS 70 type Ⅰ/Ⅱ report!!!)
      • Certifications:
        – NIST (National Institute of Standards and Technology): Recommended Security Controls for Federal Information Systems and Organizations* ===> FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
        – CSA: CCSK – Certified Cloud Security Knowledge
      * Not related directly to cloud security
  19. Regulations, Standards and Certifications
      • Guidelines:
        – CSA (Cloud Security Alliance): CCM – Cloud Controls Matrix
        – NIST (National Institute of Standards and Technology): DRAFT Guidelines on Security and Privacy in Public Cloud Computing
        – ENISA (European Network and Information Security Agency): Cloud Security Information Assurance Framework
  20. Addressing Cloud Issues in the Israeli Government. From a position paper (0102/01) on: Principles for protecting the privacy of personal information in outsourcing in Israel. http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf
  21. In Short: The cloud is here to stay. Security is an EASY showstopper. No rush! …“We put our money in the cloud.” Find yourself a solid partner. Look for standards.
  22. Thank you!