Cloud security: A matter of trust?
                 Dr Mark Ian Williams
                CEO, Muon Consulting
I wandered lonely as a cloud...

•   The academic, globe-trotting years:
     • 1992–1993: Parallel software for PET scanner images in Geneva Hospital
     • 1993–1998: Particle Physics PhD research at CERN for Lancaster University
     • 1998: Senior Software Developer at SLAC, Stanford, USA
     • 1998–2000: RA for QMUL and webmaster for BaBar experiment at SLAC
•   The stepping stone:
     • 2000–2001: Business idea development as RSE/PPARC Enterprise Fellow
•   And down to business:
     • 2001–2005: Web developer and accessibility consultant as CEO of Surfability
     • 2005–2009: Managed Extrasys cloud computing business for NG Bailey
     • 2009–Present: Cloud consultant, author and CEO of Muon Consulting
Benefits of cloud computing


•   Pay-as-you-go IT, online and on-demand
•   Operational versus capital expenditure
•   Less time spent administering non-core commodity IT systems internally
•   Faster development and deployment of business applications
•   Data storage and compute resources scale seamlessly with your business
•   Faster entry to new markets using cloud-based software delivery and
    content distribution services, and online application marketplaces
•   Fewer hardware assets and software licenses to track
•   Always use latest version of cloud-based software with no upgrade costs
•   Mobile services, online collaboration and remote access ‘out of the box’
Cloud computing concerns


• Public clouds are multi-tenanted and therefore open to your competitors
• Common business concerns include:
    • The inherent dependency upon internet access
    • The potential for vendor lock-in
    • Unexpected cloud service charges and internal costs
    • Contractual liability for services if SLAs are missed
• But surveys consistently reveal that data security and data privacy in
  public clouds are the primary concerns for businesses
• And data protection and data privacy are your organisation’s
  responsibility, not your cloud provider’s
Horror stories like this don’t help...


• High profile cloud security breaches in 2011:
    • Sony: over a dozen data breaches affecting 100 million user records
    • Epsilon, a cloud-based email provider: estimated 60 million customer
      email addresses breached
    • EMC’s RSA two-factor authentication system breached and SecurID data
      stolen, putting tens of thousands of their customers at risk
Source: http://www.informationweek.com/news/security/attacks/232301079
• But internal (non-cloud) networks can be breached too:
    • In a survey of USA-based SMBs 40% claim to have suffered a security
      breach due to unsafe web surfing
Source: http://www.gfi.com/page/97539
Security attack techniques


• Public and/or private clouds create more targets for security attacks
  like these, and your employees hold the keys to your data:
    • Physical theft of unencrypted laptops that may have copies of data or have
      browsers with saved passwords for accessing web applications
    • Hacking servers to access unencrypted passwords (e.g. Sony)
    • Spear-phishing – targeted email spoofing fraud (e.g. Epsilon and RSA)
    • Social engineering attacks via social media and personal webmail to gain
      access to web-based systems
    • Exploits of web browser vulnerabilities and apps on mobile devices
    • Downloads of backdoor Trojans, keystroke loggers and other malware
Risk mitigation in and out of clouds


• Minimise internal security breaches through education, user account
  management processes and security technologies such as two-factor
  authentication and identity federation (e.g. single sign-on)
• Involve your IT and legal departments throughout your cloud adoption
  programme, and consult and engage other stakeholders too
• Institute a strict device management regime and/or educate your
  employees how to use their devices securely
• Avoid data protection litigation by storing only non-sensitive data in
  public clouds, unless the cloud(s) are a safer place for all your data
• Reduce the risk of cloud security breaches by ensuring your providers
  have adequate controls verified by a reputable third party
Questioning cloud providers




          Cartoon by Dave Blazek - http://blog.shicloud.com/
Questions on systems and processes


• Do the cloud provider’s systems satisfy your internal requirements for
  governance and compliance?
• Do they follow any industry best practices for IT service management,
  such as the Information Technology Infrastructure Library (ITIL)?
• Do they have independently audited internal controls of IT systems and
  processes to ISAE 3402 (successor to SAS 70) specifications?
• Do they have ISO 27001 certification for their information security
  management system?
• Do they have favourable independent and verifiable online reviews and
  client endorsements?
Questions on data security


• Do your cloud providers support federated identity?
• How are your data stored, backed-up, encrypted and kept separate
  from other organisations’ data in the cloud?
• How and when are security tests performed, especially during service
  updates?
• How are the data centres secured physically?
• Who, including system administrators, has access to your data, and how
  are they vetted?
• How is data access controlled and logged?
• What happens to your data if a service agreement is terminated or if
  the provider’s business fails?
Related data questions

•   Who owns the data you store on the provider’s servers?
•   Where are your data and backups stored geographically?
•   Where is the provider based?
•   Do they have controlled facilities for making automated and authorised
    backups to other clouds, including private clouds?
•   Do they have flexible data retention facilities for regulatory purposes?
•   What are their standard procedures for responding to government inquiries
    and legal investigations of their customers’ data, and the costs to be
    incurred by individual customers being investigated?
•   What assurances are there that your data will not be compromised or
    seized if another customer of theirs is being investigated?
•   What is the provider’s disaster recovery plan?
Cloud control
Top tips for cloud control


• Classify your data in terms of sensitivity and business criticality and
  define roles and responsibilities for data protection
• Document your security and privacy requirements with clouds in mind
  before entering public clouds
• Extend your governance practices to cloud environments
• Configure your cloud systems to meet your requirements
• Consider compensating controls to work around any cloud security
  defects
• Revisit security and privacy issues throughout the system lifecycle
• Formulate an identity management system
More top tips for cloud control


• Choose cloud providers with transparent and adequate security
  processes and request evidence that they have effectively provisioned
  your systems in line with your controls
• Continually monitor and maintain your information systems, test their
  security and document your findings
• Review your existing security measures to take into account the client
  side of cloud services – e.g. web browser vulnerabilities and
  applications on mobile devices
The future of cloud security


• Further development and wider adoption of cloud security standards
• More use of hybrid clouds, which combine public and private clouds
• More use of virtual private clouds for sensitive data
• Independent and standardised security audits so similar providers can
  be compared like for like
Who do you trust?


• Renowned cloud providers?
   • The clouds of Amazon, Google, Microsoft and others have been
     hardened through surviving continual hacking attempts
   • Attract and employ the best security people
   • Have the best and most up-to-date security hardware and software
• Your in-house IT?
   • Is your internal network a secure hosting environment for a private
     cloud exposed to multiple devices etc?
   • Do your people have the necessary competencies?
   • Is your hardware and software fit for purpose?
Further information


• Online resources:
   • NIST: Guidelines on Security and Privacy in Public Cloud Computing
     http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494
   • Cloud Security Alliance guidance document
     https://cloudsecurityalliance.org/research/security-guidance/
• ICAEW IT faculty guides:
   • ‘Cloud computing: A guide for business managers’, by Barnaby Page
   • ‘Making the move to cloud computing’, by yours truly
Conclusion


• Cloud computing is a matter of trust
• But trust can be earned by cloud providers and you can manage and
  mitigate internal and external security risks
• Many public cloud providers know what they are doing and some will
  have the right answers to your questions
• There is a balance between the potential cost and productivity benefits
  of using public clouds versus the data security and privacy risks
• Could your business create a more trustworthy private cloud?
• Plan carefully with security in mind, and be vigilant, but don’t let the
  clouds pass by your window without taking a good look
Any questions?




         Cartoon by Dave Blazek - http://blog.shicloud.com/

             Contact me at miw@muon.co.uk

More Related Content

What's hot

Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldKatherine Cola
 
Cybersecurity frameworks globally and saudi arabia
Cybersecurity frameworks globally and saudi arabiaCybersecurity frameworks globally and saudi arabia
Cybersecurity frameworks globally and saudi arabiaFaysal Ghauri
 
Service Organizational Control (SOC 2) Compliance - Kloudlearn
Service Organizational Control  (SOC 2) Compliance - KloudlearnService Organizational Control  (SOC 2) Compliance - Kloudlearn
Service Organizational Control (SOC 2) Compliance - KloudlearnKloudLearn
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management StrategyNetIQ
 
Docker and Container Compliance
Docker and Container ComplianceDocker and Container Compliance
Docker and Container ComplianceControlCase
 
How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? PECB
 
Securing The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's StorySecuring The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's StoryCloudLock
 
Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2Brad Deflin
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersMichael Davis
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsIgnyte Assurance Platform
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...PECB
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At OddsJervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Oddscentralohioissa
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...CSA Argentina
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formulaOracleIDM
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365SecureAuth
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera
 

What's hot (20)

Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud World
 
Cybersecurity frameworks globally and saudi arabia
Cybersecurity frameworks globally and saudi arabiaCybersecurity frameworks globally and saudi arabia
Cybersecurity frameworks globally and saudi arabia
 
Service Organizational Control (SOC 2) Compliance - Kloudlearn
Service Organizational Control  (SOC 2) Compliance - KloudlearnService Organizational Control  (SOC 2) Compliance - Kloudlearn
Service Organizational Control (SOC 2) Compliance - Kloudlearn
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Docker and Container Compliance
Docker and Container ComplianceDocker and Container Compliance
Docker and Container Compliance
 
How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation?
 
Securing The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's StorySecuring The Reality of Multiple Cloud Apps: Pandora's Story
Securing The Reality of Multiple Cloud Apps: Pandora's Story
 
Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guide
 
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At OddsJervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk Consulting
 

Similar to Cloud Security: A matter of trust?

Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud ComputingFalgun Rathod
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4Valencell, Inc.
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedUnifyCloud
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedNorm Barber
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingDavid Strom
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? Jorge García
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2Anne Starr
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think Uni Systems S.M.S.A.
 
3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputationNikec Solutions
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectATMOSPHERE .
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfCiente
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 

Similar to Cloud Security: A matter of trust? (20)

Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computing
 
MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night? MBT Webinar: Does the security of your business data keep you up at night?
MBT Webinar: Does the security of your business data keep you up at night?
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think The most trusted, proven enterprise-class Cloud:Closer than you think
The most trusted, proven enterprise-class Cloud:Closer than you think
 
3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation3 ways to secure your law firm’s information and reputation
3 ways to secure your law firm’s information and reputation
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE project
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Presd1 10
Presd1 10Presd1 10
Presd1 10
 

Cloud Security: A matter of trust?

  • 1. Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting
  • 2. I wandered lonely as a cloud... • The academic, globe-trotting years: • 1992–1993: Parallel software for PET scanner images in Geneva Hospital • 1993–1998: Particle Physics PhD research at CERN for Lancaster University • 1998: Senior Software Developer at SLAC, Stanford, USA • 1998–2000: RA for QMUL and webmaster for BaBar experiment at SLAC • The stepping stone: • 2000–2001: Business idea development as RSE/PPARC Enterprise Fellow • And down to business: • 2001–2005: Web developer and accessibility consultant as CEO of Surfability • 2005–2009: Managed Extrasys cloud computing business for NG Bailey • 2009–Present: Cloud consultant, author and CEO of Muon Consulting
  • 3. Benefits of cloud computing • Pay-as-you-go IT, online and on-demand • Operational versus capital expenditure • Less time spent administering non-core commodity IT systems internally • Faster development and deployment of business applications • Data storage and compute resources scale seamlessly with your business • Faster entry to new markets using cloud-based software delivery and content distribution services, and online application marketplaces • Fewer hardware assets and software licenses to track • Always use latest version of cloud-based software with no upgrade costs • Mobile services, online collaboration and remote access ‘out of the box’
  • 4. Cloud computing concerns • Public clouds are multi-tenanted and therefore open to your competitors • Common business concerns include: • The inherent dependency upon internet access • The potential for vendor lock-in • Unexpected cloud service charges and internal costs • Contractual liability for services if SLAs are missed • But surveys consistently reveal that data security and data privacy in public clouds are the primary concerns for businesses • And data protection and data privacy are your organisation’s responsibility not your cloud provider’s
  • 5. Horror stories like this don’t help... • High profile cloud security breaches in 2011: • Sony: over a dozen data breaches affecting 100 million user records • Epsilon, a cloud-based email provider: estimated 60 million customer emails addresses breached • EMC’s RSA two-factor authentication system breached and SecurID data stolen, putting tens of thousands of their customers at risk Source : http://www.informationweek.com/news/security/attacks/232301079 • But internal (non-cloud) networks can be breached too: • In a survey of USA-based SMBs 40% claim to have suffered a security breach due to unsafe web surfing Source: http://www.gfi.com/page/97539
  • 6. Security attack techniques • Public and/or private clouds create more targets for security attacks like this, and your employees hold the keys to your data: • Physical theft of unencrypted laptops that may have copies of data or have browsers with saved passwords for accessing web applications • Hacking servers to access unencrypted passwords (e.g. SONY) • Spear-phishing – targeted email spoofing fraud (e.g. Epsilon and RSA) • Social engineering attacks via social media and personal webmail to gain access to web-based systems • Exploits of web browser vulnerabilities and apps on mobile devices • Downloads of backdoor Trojans, keystroke loggers and other malware
  • 7. Risk mitigation in and out of clouds • Minimise internal security breaches through education, user account management processes and security technologies such as two-factor authentication and identity federation (e.g. single sign-on) • Involve your IT and legal departments throughout your cloud adoption programme, and consult and engage other stakeholders too • Institute a strict device management regime and/or educate your employees how to use their devices securely • Avoid data protection litigation by storing only non-sensitive data in public clouds unless the cloud/s are a safer place for all your data • Reduce the risk of cloud security breaches by ensuring your providers have adequate controls verified by a reputable third party
  • 8. Questioning cloud providers Cartoon by Dave Blazek - http://blog.shicloud.com/
  • 9. Questions on systems and processes • Do the cloud provider’s systems satisfy your internal requirements for governance and compliance? • Do they follow any industry best practices for IT service management, such as the Information Technology Infrastructure Library (ITIL)? • Do they have independently audited internal controls of IT systems and processes to ISAE 3402 (successor to SAS 70) specifications? • Do they have ISO 27001 certification for their information security management system? • Do they have favourable independent and verifiable online reviews and client endorsements?
  • 10. Questions on data security • Do your cloud providers support federated identity? • How are your data stored, backed-up, encrypted and kept separate from other organisations’ data in the cloud? • How and when are security tests performed, especially during service updates? • How are the data centres secured physically? • Who, including system administrators, has access to your data, and how are they vetted? • How is data access controlled and logged? • What happens to your data if a service agreement is terminated or if the provider’s business fails?
11. Related data questions

• Who owns the data you store on the provider’s servers?
• Where are your data and backups stored geographically?
• Where is the provider based?
• Do they have controlled facilities for making automated and authorised backups to other clouds, including private clouds?
• Do they have flexible data retention facilities for regulatory purposes?
• What are their standard procedures for responding to government inquiries and legal investigations of their customers’ data, and the costs to be incurred by individual customers being investigated?
• What assurances are there that your data will not be compromised or seized if another customer of theirs is being investigated?
• What is the provider’s disaster recovery plan?
13. Top tips for cloud control

• Classify your data in terms of sensitivity and business criticality and define roles and responsibilities for data protection
• Document your security and privacy requirements with clouds in mind before entering public clouds
• Extend your governance practices to cloud environments
• Configure your cloud systems to meet your requirements
• Consider compensating controls to work around any cloud security defects
• Revisit security and privacy issues throughout the system lifecycle
• Formulate an identity management system
14. More top tips for cloud control

• Choose cloud providers with transparent and adequate security processes and request evidence that they have effectively provisioned your systems in line with your controls
• Continually monitor and maintain your information systems, test their security and document your findings
• Review your existing security measures to take into account the client side of cloud services – e.g. web browser vulnerabilities and applications on mobile devices
15. The future of cloud security

• Further development and wider adoption of cloud security standards
• More use of hybrid clouds, which combine public and private clouds
• More use of virtual private clouds for sensitive data
• Independent and standardised security audits so similar providers can be compared like for like
16. Who do you trust?

• Renowned cloud providers?
    • The clouds of Amazon, Google, Microsoft and others have been hardened through surviving continual hacking attempts
    • Attract and employ the best security people
    • Have the best and most up-to-date security hardware and software
• Your in-house IT?
    • Is your internal network a secure hosting environment for a private cloud exposed to multiple devices etc.?
    • Do your people have the necessary competencies?
    • Is your hardware and software fit for purpose?
17. Further information

• Online resources:
    • NIST: Guidelines on Security and Privacy in Public Cloud Computing http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494
    • Cloud Security Alliance guidance document https://cloudsecurityalliance.org/research/security-guidance/
• ICAEW IT faculty guides:
    • ‘Cloud computing: A guide for business managers’, by Barnaby Page
    • ‘Making the move to cloud computing’, by yours truly
18. Conclusion

• Cloud computing is a matter of trust
• But trust can be earned by cloud providers, and you can manage and mitigate internal and external security risks
• Many public cloud providers know what they are doing, and some will have the right answers to your questions
• There is a balance between the potential cost and productivity benefits of using public clouds versus the data security and privacy risks
• Could your business create a more trustworthy private cloud?
• Plan carefully with security in mind, and be vigilant, but don’t let the clouds pass by your window without taking a good look
19. Any questions?

Cartoon by Dave Blazek - http://blog.shicloud.com/

Contact me at miw@muon.co.uk