Rob Livingstone, Canberra Cloud Security Conference, Nov 2011



Australian Government security strategies and considerations in cloud computing: The speed of technological change associated with next-generation networks is challenging traditional notions of what constitutes a computer network and how it should be secured. When it comes to adopting new technologies such as cloud, Australian Federal Government agencies face a set of challenges somewhat different from those faced in the commercial world: legislative and policy mandates for on-shore data residency, increased emphasis on jurisdictional risk, the security of trans-border data transmission, and compliance with the Privacy Act and its associated Principles. On the commercial side of the coin, government agencies are under constant budgetary restraint, and the potential for realising significant reductions in ICT cost, while improving data and information collaboration through cloud technologies, is very real. Another key driver for government is achieving a significant reduction in CO2 emissions from the current substantial ICT presence across all levels of government, through virtualisation and cloud technologies. In this presentation, Rob provides practical insights and guidance on how the Federal Government can meet its legislative and other mandates, without compromising security or accepting undue risk, by using cloud technologies in an appropriate and relevant manner.

  • (Read them out) So let's get started. By the way, if you have questions at any time, please feel free to raise your hand.

    2. Cloud Computing Security Considerations in Federal Government Today. Rob Livingstone, Principal.
    3. What I'll be covering (Government Cloud computing, or the G-Cloud):
      • G-Clouds: current international landscape
      • Australian G-Clouds
      • The 4 flavours of cloud computing: security and risk considerations
      • Cloud: getting the security-risk-benefit balance right
      • The death of public cloud: security? What security?
      • Key risk considerations in moving to the cloud
      • Governments: the case for a community or hybrid G-Cloud
      • The future is now
      • Questions and discussion
    4. Section 1. G-Clouds: current international landscape. Much activity across all governments and agencies, globally.
    5. (1. G-Clouds: current international landscape)
      • All governments, worldwide, are coming to grips with cloud.
      • Rapidly maturing appreciation of security, risk and other factors in cloud computing, in both the public and private sectors.
        • US federal and state governments do not face the risks associated with international jurisdictional issues, as most cloud providers are US corporations.
      • Consensus is to:
        • Proceed cautiously and with deliberation
        • Test at the edge, or with non-core applications
    6. Section 2. Australian G-Clouds
      • The Australian Government Data Centre Strategy 2010-2025 is a cornerstone for data centre consolidation; however, it makes no explicit reference to, or association with, cloud technologies.
      • The Data Centre as a Service (DCaaS) supplier submissions commencing 30th November imply future cloud capabilities, but this is not explicitly stated.
      • The data centre / cloud association should be stated explicitly:
        • All cloud technologies depend absolutely on data centre strategies, and in particular on data centre consolidation.
        • An integrated view is recommended, to avoid missed opportunities and to manage risk and security consistently at the national, 'whole of government' level.
    7. (2. Australian G-Clouds) Intergovernmental collaboration: security considerations
      • Are State and Territory governments to be included in a national cloud or data centre agenda in any way?
      • Aligning DCaaS, PaaS and IaaS strategies across all governments would:
        • Provide Federal, State and local governments with consistent security and risk frameworks (discovery, assessment and mitigation)
        • Allow improved collaboration between agency ICT functions in setting security and risk policies and mitigation procedures at all levels of government, nationally
      • Is this a missed opportunity for Australia as a whole?
    8. Section 3. The 4 flavours of cloud computing and their relevance for governments: basic attributes

      Public:     No control; no ownership; you own the data; apps stay behind
      Private:    You control all; you may own; you define the architecture; you determine your own security position
      Hybrid:     Combination of 2 or more models; can be more complex; need to manage interfaces and integration
      Community:  Multiple business units or agencies share the same private cloud infrastructure
    9. (3. The 4 flavours of cloud computing and their relevance for governments) Risk and security considerations for G-Clouds

      Public:     No control over the security and risk profile; vulnerabilities identified; recent outages, so reliability?
      Private:    You control the security posture and countermeasures; you manage and mitigate risks
      Hybrid:     Maximum flexibility; increases the complexity of managing identities, security and risk, hence cost
      Community:  Allows standardisation of risk and security systems and policies; concentrates the risk of a security breach
    10. Section 4. Cloud: getting the security-risk-benefit balance right. G-Cloud: is this achievable using public cloud technologies?
      Benefits:
      • Lower IT cost
      • Shorter IT project timelines
      • Reduced IT complexity
      • Faster project delivery
      • Lower energy use / CO2 emissions
      Issues and considerations:
      • Risk and security tolerance
      • Existing infrastructure
      • Regulatory mandates
      • Legislation
      • Policy restrictions
    11. (4. Cloud: getting the security-risk-benefit balance right) Private sector versus governments
      • The private sector has, generally:
        • Fewer layers of mandated governance
        • The ability to dynamically trade off risk and security against the promise of greater profitability
        • Due diligence and compliance seen as an impost to be minimised
        • Accountability to shareholders, not to the public at large
      • The private sector is therefore more able to dial up its appetite for risk,
      • and can therefore be a more aggressive adopter of cloud technologies.
    12. Section 5. Death of public G-Cloud: security? What security? The public cloud security and risk paradox
      • One of the fundamental benefits of public cloud is the removal of IT complexity.
      • It is invisible to the end user.
      • Paradoxically, this presents organisations concerned about IT security, risk and governance with a challenge: what lies 'under the covers' is not visible, and might, if fully disclosed and understood, represent an unacceptable risk.
      • Let's look at 3 recent security reports involving public cloud.
    13. (5. Death of public G-Cloud: security? What security?) Security vulnerabilities in public cloud, #1 (slide content is an image and was not captured)
    14. (5. Death of public G-Cloud: security? What security?) Security vulnerabilities in public cloud, #2: A team of researchers* from Germany's Ruhr-University Bochum reveal cloud security vulnerabilities in common public cloud platforms. * Presented at the 18th ACM Conference on Computer and Communications Security (CCS), October 21, 2011, Chicago, USA.
    15. (5. Death of public G-Cloud: security? What security?) Security vulnerabilities in public cloud, #3 (slide content is an image and was not captured)
    16. Section 6. Key risk and security considerations in moving to the cloud
      • G-Cloud and jurisdictional security considerations
      • Identity management and access control
      • The concentration of risk through consolidation
      • Agility risk
      • Dealing with legacy systems
      • Staff and contractor risk considerations
      • Network carriage security risks
    17. (6. Key risk and security considerations in moving to the cloud) a) G-Cloud and jurisdictional security considerations
      • The Department of Defence specifies jurisdictional controls (0873 and 1073); the default position is on-shore data location.
      • Physical and legislative jurisdictions are separate considerations: hosting a G-Cloud in an Australian data centre owned by an Australian-registered business in which a US firm holds a controlling interest may still be subject to US legislation such as the Patriot Act.
      • Other countries (Russia, China, Singapore, etc.) have similar laws permitting investigation or seizure without cause.
      • This may pose an unacceptable security risk for Australian governments.
    18. (6. Key risk and security considerations in moving to the cloud) b) Identity management and access control
      • Core and critical to any cloud implementation.
      • Utmost due diligence is required in the design, implementation, governance and ongoing management of all systems handling digital identities, access controls and related security credentials.
      • Do not place your credential management system in the public cloud.
      • The complexity of managing identities and access controls rises rapidly with the number of systems requiring integration.
    19. (6. Key risk and security considerations in moving to the cloud) c) Concentration of risk
      • Consolidation of data centres, applications (cloud or otherwise) and critical ICT infrastructure can concentrate the impact of any adverse security event.
      • Any failure at the infrastructure core could bring down multiple nationwide services concurrently.
      • A breach at the perimeter (hack, intrusion, etc.) could jeopardise the entire infrastructure.
      • System administration responsibilities become concentrated in a few key staff, so countermeasures against malicious damage by disgruntled employees (or social engineering attacks) need to be robust and systemically effective.
    20. (6. Key risk and security considerations in moving to the cloud) d) Agility risk
      • The entire cloud stack must be agile enough to keep pace with changes in usage demand, legislation or new industry standards.
      • Because SaaS offerings are standardised, local customisations may be problematic, which increases the risks associated with managing multiple concurrent software versions.
    e) Dealing with legacy systems
      • Governments at all levels have significant legacy infrastructure, from data centres through to applications.
      • Integrating new cloud services with existing legacy environments increases the complexity of an implementation, and with that complexity come added risks, for example errors in change control.
    21. (6. Key risk and security considerations in moving to the cloud) f) Staff and contractor risk considerations
      • Changes to IT departments' structures and staff skills mix will invariably be needed to support G-Cloud initiatives effectively.
      • Transitioning and upskilling staff into new and different tasks can increase the error rate in designing, maintaining and managing all ICT infrastructure.
    g) Network carriage security risks
      • The much-publicised intrusion earlier this year into the systems of an NBN service provider by a self-taught, unemployed truck driver living in regional NSW underlines the importance of vigilance against attacks at the network and transport layers.
      • Trusted private networks should be the default position.
    22. Section 7. Governments: the case for a community or hybrid G-Cloud
      • The G-Cloud concept has the potential to enable significant savings, as it provides a single access point for ICT services, applications and assets.
      • Agencies can source capacity 'on demand', avoiding the costs and delays of purchasing and running their own IT infrastructure.
      • Hosting of government applications and websites can be undertaken strategically, rather than implemented individually through multiple third parties.
      • The G-Cloud has the potential to reduce energy consumption by consolidating existing ICT hardware, reducing the number of data centres and associated infrastructure.
      • Will government agencies 'trust' a centralised cloud provider?
        • i.e. "We know better and can do a better job ourselves!"
    23. Section 8. Cloud: the future is now
      • Cloud technology, as with any other innovation, has the potential to do things cheaper, faster and better.
      • For governments at all levels, the use of public clouds for anything other than information destined for the public domain should be questioned.
      • Exposure to international jurisdictional issues needs careful consideration in any G-Cloud, in particular for providers that:
        • are resident overseas, or
        • have a local presence but a direct or indirect controlling foreign interest.
      • The cloud marketplace is volatile, full of conflicting messages and compelling offers.
      • Rigorous due diligence is called for, and independent opinion should be sought from experts with no financial interest in the outcome, to act as the 'canary in the coal mine'.
    24. Section 9. Discussion and questions
      Rob Livingstone, Principal, Rob Livingstone Advisory Pty Ltd; Fellow, University of Technology, Sydney
      W1:
      W2:
      E: [email_address]
      P: +61 2 8005 1972
      P: +1 609 843 0349
      M: +61 419 632 673
      F: +61 2 9879 5004
      rladvisory
      © All rights reserved. Unauthorised redistribution not permitted without prior approval.