The Cloud is in the details webinar - Rothke

The Cloud is in the details webinar - Policy & Requirements in the era of cloud computing, by Ben Rothke. March 2011

  1. The cloud is in the details – policy and requirements in the era of cloud computing
     Ben Rothke, CISSP CISA, BT Global Services, Senior Security Consultant
  2. About me
     • Ben Rothke (too many certifications)
     • Senior Security Consultant – British Telecom
     • Frequent writer and speaker
     • Author – Computer Security: 20 Things Every Employee Should Know
  3. Agenda/Key take-away thought
     • Agenda – Overview of the need to create specific requirements & policies for a cloud initiative
     • Take-away – Contractors would never start building without plans and designs; a cloud project similarly shouldn’t be started without appropriate plans, designs and requirements definition
  4. The cloud is here to stay
  5. Don’t let your cloud project drive you bananas
  6. Cloud computing – choose your definition
     • Definition #1 – A process you don’t fully understand, manage poorly and have out of control, which you hand to a cloud provider in the hope and prayer that they can make sense of it, miraculously make it work, and be HIPAA, SOX and PCI compliant
     • Definition #2 – A corporate strategic decision to use service-oriented architecture and utility computing to provide on-demand network access to a shared pool of configurable computing resources that support the firm’s tactical IT plans and long-term goals
  7. Cloud challenges
     • Making cloud meet business requirements
     • Integrating cloud into applications
     • Producing documentation to deliver trust
     • Management and reliability
     • Planning and deployment
     • Managing migration and scalability
  8. Cloud security challenges
     • Authentication, identity management
     • Compliance and regulatory
     • Access control
     • Trust management
     • Policy
     • Logging and accounting
     • Privacy and data protection
  9. CSA Top Threats
     1. Abuse and Nefarious Use of Cloud Computing
     2. Insecure Interfaces and APIs
     3. Malicious Insiders
     4. Shared Technology Issues
     5. Data Loss or Leakage
     6. Account or Service Hijacking
     7. Unknown Risk Profile
  10. The $64,000 cloud question
     What is your security problem and how do you expect cloud services to solve it?
     • The biggest mistake with cloud computing is that firms run to it without knowing why
     • Then they use it with no plan for deployment
  11. Other ill-defined projects
     • Information Week, Computer World, etc., continuously have stories about large projects ($25 – $200 million) that fail
     • Why do these large Oracle, ERP, cloud, SAP projects continuously fail? – often inadequate, changing or conflicting requirements
  12. Cloud success metrics
     Cloud success is measured with the following business questions:
     – Does it deliver real business benefits?
     – Was it deployed quickly and cost-effectively?
     – Is it secure and does it provide trust?
     – Is it reliable and easy to use?
     – Can it be managed?
     – Can it evolve and scale?
  13. What is your deployment plan?
     • A typical cloud project is likely to be more complex than previous experience of typical IT projects may suggest
     • As well as project management, technical and operational aspects, there are many policy, legal and security issues which must not be neglected
     • By understanding and defining appropriate requirements, many of the potential traps and pitfalls can be avoided
     • The risks to the business and the project are reduced, and those that remain are quantified at an early stage
  14. Successful cloud deployment steps
     1. Requirements Analysis – Identify business, operational, commercial and security requirements
     2. Architecture Definition – Detailed definition of the operating model and cloud architecture
     3. Operations – Production of operational policies and procedures
     4. Security Review – Security review of the proposed system design, architecture and operations
     5. Integration – System piloting, integration of cloud-enabled applications and testing
     6. Deployment – Operational deployment and production roll-out
     7. Post-Deployment – Management of upgrades and change processes for the production cloud
  15. Step 1 – Requirements Analysis
     • The first step in implementing any cloud-based solution is to understand the requirements:
     – What’s the problem and how do you expect a cloud to solve it?
     – What are the business drivers?
     – What level of security is appropriate?
     – Where are the system vulnerabilities?
     – What are the legal and regulatory compliance constraints?
  16. Step 1 – Requirements Analysis
     • These requirements must be clearly identified and analyzed
     • Analysis of the costs and business benefits and the provision of suitable project planning schemes are integral to step 1
     – If the requirements aren’t clear, do not go forward
  17. Step 1 – Requirements Analysis – Project Planning
     • A project manager is essential
     – Some large-scale projects may need multiple managers
     • The PM must be given the resources, responsibility and authority to successfully deliver the cloud project
     • Attempts to implement a cloud without a PM have invariably resulted in failed projects
  18. Step 2 – Architecture Definitions
     • Once the requirements are known, the next step is to produce an operating model and to design the chosen cloud architecture
     • At this stage, cloud enabling of end-user applications is also considered, allowing parallel development
  19. Step 2 – Architecture Definitions
     Create a set of documentation templates and checklists to:
     – define how the cloud will be operated
     – define how trust will be passed between entities
     – define the cloud architecture, taking account of practical issues such as resilience, management, performance, security, scalability and current industry standards and best practices
     – specify what the architecture will comprise
     – specify how end-entity applications are to be cloud-enabled
     – specify how the complete cloud will be tested and supported
     – produce a detailed project plan
  20. Step 2 – Cloud architecture
     • Public
     • Private
     • Hybrid
     • Community
     • What is the best architecture for you?
     • The one that meets your specific requirements and needs
  21. Step 3 – Operations
     • Identify the policies, procedures, support issues and SLA
     • Organizational issues delineate who is responsible for the various parts of the cloud
     • Any security system is only as effective as the degree to which it is correctly operated
     – Define the operating procedures and controls necessary to make sure that the cloud security system remains effective
  22. Step 4 – Security Review
     • With any system it is important to understand where the risks are and where the system is most vulnerable
     – Nothing will ever be 100% secure
     • At this stage the cloud is well specified, so it is important that the proposed system is subjected to an independent review and risk analysis and, where appropriate, corrective action is taken
  23. Step 4 – Security Review
     • The cloud is inherently unsafe and untrusted
     • Your job is to add the controls necessary to make it a safe and trusted environment
  24. Step 4 – Security Review
     • Detailed lists of the threats, vulnerabilities and countermeasures
     – If you have an insecure infrastructure, then you will have an insecure cloud
     • Creation of the system security policy provides a baseline level of security controls that must be implemented during cloud deployment
  25. Step 4 – Risk analysis & assessment
     • Effective risk assessment and analysis ensures you are worrying about the right things
     • The ultimate outcome of a risk analysis should be to see if you really can benefit from the product
     – Don’t worry about missing the bus
  26. Step 4 – Risk analysis & assessment
     • Some companies have determined at Step 4 that they really do not want to / can’t move forward
     • Don’t be afraid to cancel a cloud project if there is no business need for it, or if the security risks are too great
  27. Step 4 – Cloud web applications
     • Browsers are very complicated security environments
     • Understand how malware can thrive in a cloud environment
  28. Step 4 – Policy
     • Create and maintain policies on how you will address the many cloud security issues
     – Identify threats to the cloud environment & its contents; ensure you address current threats
     – Metrics for monitoring
     – Accountability
     – Incident response
     – Adequate training for new/transitioned staff
  29. Step 4 – Shared responsibilities
     • Cloud provider – Responsible for security from the data center to the hypervisor
     • Client – Responsible for security of the operating system and all applications
     • But SaaS, PaaS & IaaS will each have different shared responsibility models
  30. Step 5 – Integration
     • Integration of all the cloud components and the building of a pilot system against which all the functional, performance and operational requirements can be tested
     • Integration testing of any cloud-enabled applications is also performed
     • DR/BCP – the enterprise cloud must be available 24 x 7 x 365
  31. Step 6 – Deployment
     • This step involves the installation and validation of the operational cloud, followed by acceptance testing
     • A security review and penetration test is included to ensure that the actual implementation meets all the security requirements
     • Documentation is finalized and published
     • Acceptance testing
  32. Step 6 – Deployment
     • Project closure meeting and report
     – The customer agrees that all planned project activities have been completed, project performance information has been captured and the cloud project is properly closed
     – Projects have a defined duration, but without a formal project closure activity a project can drift and never be satisfactorily concluded
  33. Step 7 – Post-deployment
     • All systems are subject to change and cloud is no exception
     – A well-designed cloud should be able to integrate new requirements without having to be re-engineered
  34. References
     • Cloud Computing Risk Assessment
     • Security Guidance for Critical Areas of Focus
     • Cloud Security Guidance
     • Top Threats to Cloud Computing
     • Cloud Security and Compliance: A Primer
  35. Conclusion
     • Cloud computing is a powerful platform
     • But don’t attempt to roll out an enterprise-wide cloud without a well-defined plan and adequate security requirements
  36. Contact information
     • Ben Rothke, CISSP CISA
     • Senior Security Consultant
     • BT Professional Services
  37. Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.