
Cloud security and cloud adoption public



  1. Cloud Security and Technology Adoption
     By John Mathon, February 28, 2014

  2. About the Author
     - I am a 30+ year veteran of the computer industry with 10 patents (publish / subscribe), founder of TIBCO; I have also started a company in the DLP space and worked at one of the most secure companies (Bridgewater).
     - I am not a security expert.
     - I have implemented SaaS solutions in a number of companies, including a company I founded and a large multibillion-dollar company.

  3. Introduction
     - The statement that is heard frequently: "Cloud security is the biggest factor inhibiting adoption of the cloud in most companies."
     - The premise of this statement is that cloud security is a black hole, or is much more risky than traditional enterprise security.

  4. History
     - New technologies that were described as being too insecure to do business with:
       - Internet and credit cards
       - Internet and email
       - Internet and business transactions
       - Electronic signatures
       - B2B
     - I questioned the reality of these claims
     - I believe I was right
     - However, economic / business realities forced these things to happen
     - So, are the following the same? Are they safe for personal or business use?
       - Cloud IaaS
       - Mobile devices
       - Cloud SaaS applications
       - Cloud data storage
       - Cloud PaaS
       - Internet of Things
       - Personal Cloud

  5. The cloud is a large business today, growing very fast considering its size
     - Today
       - IaaS: $6 billion 2013 business (8 years from start)
       - 136% annual growth rate today
       - SaaS companies: $130 billion
       - Mobile: 1.5 billion smartphones
       - Social: 1.2 billion followers (22% of world population, 50% of US population)
     - Future, 2017 (4 years)
       - Total cloud services: $0.5 trillion (4X)
       - IaaS: $100 billion (16X)
       - PaaS: $14 billion (40X)
       - SaaS: $0.4 trillion (3X)
       - 2/3rds of all workloads will be processed in the cloud (*Cisco)
       - 3 billion smartphones
  6. Cloud Adoption
     - 9/2013: According to a survey from Spiceworks, 70% of IT professionals are using cloud-based web hosting applications, with 60% using cloud-based security and 30% backup applications.
     - Numbers climbing very fast, with near universal adoption possible within a few years

  7. Why is the cloud growing so fast?
     - For small companies
       - Less capital needed
       - Grow as fast as your business
       - Self service / DevOps
       - Cloud providers provide superior service to in-house
     - For large companies
       - Less capital needed means faster to market
       - DevOps efficiencies to compete, be more nimble
       - Less excess hardware: a waste of energy, money, space, time…
       - SaaS apps can increase productivity
       - APIs, social, cloud services enable new lines of revenue

  8. The potential is almost incalculable in just the next 5-7 years
     - Datacenters of 50% of companies in the world
     - SaaS/PaaS and other services
       - Becoming the dominant and maybe only way most software is delivered
     - Other impacts
       - Social, behavioral
       - Life without the cloud will be essentially impossible for most people

  9. Why is this overwhelmingly good?
     - Most companies are not/should not be managing technology at the level they are
       - They are not competent at security, cost management, optimization or technology in general
       - Vast underutilization of what they acquire
       - Unnecessary duplicative work of many people doing the same technology over and over
       - Technology that is being used way beyond its productive life
     - Universal connectivity: people, things, applications
     - Network effect: spurring massive cascading unpredictable innovation
       - Possibly not all positive
     - Overall huge cost savings and improved efficiency
     - Due to the first and second points the US/world economy will see massive gains in productivity and improvements in services and technology usage

  10. Financial firms have a higher standard
     - Generally well endowed compared to many other businesses.
     - Federal regulation, international regulation (Basel and individual country rules) and state regulation.
     - Fines assessed regularly.
     - Financial data among the most sensitive and private of all information of any corporation. Of great concern to customers.
     - 37% of all breaches (2012*)

  11. Other industries with similar constraints:
     - Health
     - Aerospace

  12. Ecosystem PaaS's
     - Boeing Ecosystem PaaS
       - Encourage airlines to buy Boeing airplanes
       - Create a PaaS for all airlines and service providers
       - Make it easier to buy Boeing, cheaper and easier to run an airline with Boeing airplanes
     - Cars: Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX
     - Entertainment
     - Finance

  13. Should you adopt a technology?

     | Technology | Benefit or Cost |
     | --- | --- |
     | Gives employees choice (BYOD, applications, …) | Increased productivity (and morale, retention) |
     | Is better than an internal technology | Increased productivity (anything from slight to huge benefit) |
     | Is necessary for business with customers or partners | Increased sales (unavoidable) |
     | Saves money over internal service | Reduced costs (depends if productivity improvement or loss accompanies) |
     | Faster time to market | Increased sales (potentially huge benefit) |
     | Lack of cohesive common technology | Decreased productivity; increased support costs and difficult integration or sometimes collaboration |
     | More expensive than internal service | Increasing costs (not very frequently true, especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost. |
     | Increased security risk | Can be mitigated to some extent |
  14. These benefits can be substantial
     - A new technology can easily give a 30% increase in productivity, reduced costs or increased income.
     - In many cases it is not optional to use a certain technology, but how do we do it safely?
     - Security must find ways to minimize risk of the new technology.

  15. The point of this talk is perspective
     - Security is part of a business decision
     - The cloud will be made safe for business
     - A strategy to minimize risk and maximize adoption by segregating information and applications in a fine grained way, as they make sense to migrate, is essential
     - The safety of the cloud is not great, but it is no worse than where we are in business, possibly better. This may be sad, but it is expected in my opinion.

  16. Agenda
     - What is the cloud?
     - Security in general
     - Cloud vs Enterprise
     - Best practices to adopt cloud services
     - Enhanced security services for the cloud

  17. What is the cloud? Many things
     - IaaS and infrastructure services (compute, data)
       - *$6B 2013, 136% annual YOY growth
     - SaaS (web services and applications)
     - APIs (at least 20,000 today, doubling annually)
     - PaaS and platform services (iPaaS, DaaS, APIMaaS, BPMaaS…)
       - *$14B by 2016
     - Mobile apps, web and BaaS
     - Personal Cloud
     - Internet of Things
     *Gartner, 2013

  18. Not all information is the same
     - Customer information
       - Extremely sensitive customer information: passwords, PINs, personal data, health data, SS#
     - Company employee information
       - Extremely sensitive employee information: passwords, SS#
     - Company information
       - Extremely sensitive company information: sales projections, roadmaps, customer interactions, information that you would be liable for releasing
       - Information that gives you significant market advantage

  19. Risks you face:
     - Loss of personal data of employees
     - Loss of customer personal data
     - Loss of corporate data that results in lost business (customers upset, competitors find advantage)
     - Loss of service (caused by security lapse)
     - Lawsuits (loss of data/service related)
     - Fines (loss of data/service considered regulated)
     - Reputation damage
     - Transitive loss (you help someone compromise someone else)
     - And more…

  20. Sources of loss (irrespective of cloud or not cloud)
     - Technology
       - External hacking
       - Infection / malware
       - Denial of service
     - Processes
       - Physical penetration or data lost in transit
       - Poor IT practices
     - People
       - Internal
       - Employee mistakes / phishing

  21. The enterprise "physical and electronic" 4 walls is being continuously eroded by new stuff:
     - Employees taking home data, or electronics that contain data (cell phones, USB, computers, …)
     - SaaS (corporate data contained within)
     - APIs and web services, EDI or partner electronic interfaces
     - Personal Cloud
     - Internet of Things (coming)
     - Cloud services (IaaS)
     - Higher level cloud services (PaaS and other)
     - Social: discussion boards, Twitter
     - Skunkworks / unauthorized use:
       - Personal Cloud (Dropbox, Google Docs and apps, …)
       - POCs being done in PaaS or IaaS environments
       - Enterprise apps being used with corporate data
       - Interactions with partners through cloud
     - The people who violate controls most: IT people and executives
  22. 2013 Examples of breaches

     | Cloud | Severity | Attack | Company | Loss |
     | --- | --- | --- | --- | --- |
     | Not Cloud | Major | Undisclosed | Target, Adobe | 200+ million emails, passwords, credit cards stolen; Adobe source code |
     | Cloud | Major | Malware | Facebook, Dropbox, LinkedIn | 8 million emails and passwords lost |
     | Not Cloud | Major | Internal | Federal Reserve, NSA, Dept. Homeland Sec. | Secrets disclosed, personal information |
     | Not Cloud | Major | Internal | Goldman Sachs | Trading algorithms stolen |
     | Cloud | Minor | Human error | NYTimes, Twitter, Cloudflare | Google email reset policies allowed individuals to be hacked |
     | Cloud | Minor | API penetration | LinkedIn | Thousands of profiles |

  23. 2013 Examples of breaches (continued)

     | Cloud | Severity | Attack | Company | Loss |
     | --- | --- | --- | --- | --- |
     | Cloud | Minor | Outage | Amazon | Heroku didn't have multiple regions |
     | Not Cloud | Minor | Undisclosed | Department of Energy | 53,000 employee records |
     | Not Cloud | Major | Physical penetration | Advocate Medical Group | 4 million medical records lost |
     | Cloud | Major | Human error | CorporateCarOnline | 850,000 credit cards, personal information |
     | Cloud | Minor | Human error | MongoHQ | Thousands of emails |

  24. Cloud vs Enterprise
     - Anything that can be accessed from the outside is under identical attack*
     - However, on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8.*
     - After looking at both, there is no proof that cloud computing is any more of a security risk than traditional internet usage. The research in this paper has shown that there is no significant difference that makes one better than the other.**
     - It is not provable that the cloud is less secure than enterprise security
     ** Cloud Computing vs Traditional Internet Setting: Which One is More Secur

  25. Security is a problem
     - At least 200+ million emails disclosed with passwords. Credit cards of at least 40-80 million people, with social security numbers in some cases.
     - Medical records for 4 million people.
     - Average of 60 attacks / year reported
     - 37% of breaches affected financial organizations
     - 14% insiders
     - 19% China related breaches
     - 35% involve physical compromise
     - 76% exploited weak passwords
     - Vulnerability discovered to patch: 25-60 days at enterprises!
     - A very high percentage of these losses are non-cloud, possibly as high as 80%
     - It is unclear what percentage of private companies disclose breaches
     - Cloud companies are required by law to disclose any loss*

  26. Cloud companies are responding to threats
     - Most cloud companies now enforce multi-factor authentication
     - Most cloud companies employ encryption with salted passwords
     - Google and others changing policies on password resets
     - AWS wiping disks now as default
     - The feeling is the cloud service companies are learning and becoming more and more astute
     - What we really need is transparency!
  27. Cloud is theoretically worse on security
     - Ability to attack from anywhere and from anyone could lead to many more attacks
     - Specific cloud-based attacks, such as exploiting virtual machine vulnerabilities or building mobile apps to exploit APIs
     - Ubiquitous connectivity seems to imply more chance for attacks, yet so far that is not the case

  28. I am not saying:
     - Cloud companies are all safer generically
     - All private companies' enterprise security is rotten
     - That cloud is better than enterprise for security if enterprise is done well

  29. I am saying:
     - Cloud is not blatantly more insecure than enterprises
     - For whatever reason the attention of hackers has not become focused on cloud YET, because the number of incidents and severity is still clearly more in the enterprise
     - Some cloud companies are way better than many enterprises in security today
     - For the vast majority of companies, large and small, the cloud is probably better

  30. Cloud companies use the same technology and approaches as private companies
     - Antivirus / malware detection / scanning
     - Patching regimes
     - Audits / penetration testing
     - Personnel training
     - DLP technology / hardware
     - Multiple authentication schemes
     - Automated event detection
     - Multiple region backups / DR
     - Physical security

  31. Vast majority of non-cloud companies not competent in security*
     * why
     - This is NOT true in finance companies like Fidelity … hopefully

  32. Actual losses: some data
     - 400 cases of fraudulent ACH transactions of $255 million, with actual loss of $85 million
     - July 2009: two U.S. stock exchanges were victims of a sustained DDoS attack
     - Outages have real cost
     - Adobe lost actual source code for Photoshop
     - Reputation risk is an extreme concern

  33. The cloud is not a black hole of security
     - No evidence cloud computing IS riskier than enterprise based computing
     - More attacks reported, both anecdotally and statistically, as well as admitted by private companies than by companies using cloud services
     - Full disclosure at private companies doubtful
     - Over the last 4 years, as incidents happen, the strength of cloud security has increased. Most companies now support 2 factor authentication, for instance. But problems clearly still exist.

  34. Cloud vs Non-Cloud Security

  35. Nine Top Threats
     1. Data breaches
     2. Data loss
     3. Account hijacking
     4. Insecure APIs
     5. Denial of service
     6. Malicious insiders
     7. Abuse of cloud services
     8. Insufficient due diligence
     9. Shared technology issues
     Source: Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013; Infoworld 2/2013

  36. Cloud-specific security concerns
     - Data from one company leaking to another (multi-tenancy isolation failure)
     - Demand from one company leaking to another (poor service)
     - Inability to control specific policies and personnel, or change them at will
     - Lack of transparency
     - Inability to conduct effective investigations
     - Naïveté in using the cloud*
  37. Good Ideas

  38. Cloud Services
     - Let's look at various types of cloud services and specific security concerns that don't necessarily exist in the enterprise

  39. aaS'es
     - IaaS
       - Multi-tenancy isolation failures
       - Virtualization vulnerabilities
     - SaaS
       - Multi-tenancy isolation failures
     - PaaS: poorly behaving apps can threaten other apps
       - One app taking down another
       - Multiplicative SLA weakening
       - Very dynamic demand can stress other tenants

  40. New types of security/service concerns
     - APIs
       - Conscious malicious rogue applications
       - Inadvertent usage of applications causing ability to access information inappropriately
       - Demand variations can be chaotic and result in wide SLAs
     - Mobile
       - Loss of device
       - Containerization problems
       - Bad applications (like a virus)
       - Employee termination issues
       - Hardware hijacking

  41. New types of security/service concerns (continued)
     - Personal Cloud (moving of my life to the cloud)
       - Type of information allowed may be inappropriate
       - Sharing less controlled by the enterprise
       - Termination: what happens to the information?
     - Internet of Things
       - Privacy
       - Potential damage to security depending on type of device (camera, GPS, activity tracking, cars, …)
     - Social
       - Reputation risk
       - Lack of control of information shared by employees and others

  42. I admit
     - It's tiring and scary to consider all the possibilities.
     - So one has to take perspective.
     - You're not 100% in control
     - You need to delegate but monitor
     - Being a good manager

  43. Best Practices
     - Segregate data and applications in a fine grained way and move to the cloud incrementally as benefits promote adoption (see adoption slide)
     - Establish service provider SLAs
     - Negotiate hard for transparency, not damages
     - Make demands
     - Ask questions, audit, stay involved
     - Do not settle for applications or vendors which don't meet your security requirements. They will want your business and I bet many will adapt if asked with reasonable proposals
     - Watch for changes in the risk profiles
     - As the cloud gains more and more adoption it is likely to start seeing more and more attacks, more sophisticated attacks

  44. What is happening?
     - SaaS
     - API management huge (mostly focused on external, but internal growing)
     - Reuse and community collaboration
     - BigData, data collection and intelligence
     - PaaS ecosystem and DevOps
     - Mobile apps
     - iPaaS
     - Personal Cloud / Internet of Things happening

  45. Enterprise Reuse and Refactoring
     - Most companies I see are doing this
     - Reuse is hard
     - It's not just a registry
     - Growing mobile, API and web service application storm presages new era in enterprise software

  46. New types of security available
     - EMM (MDM, MAM): Enterprise Mobility Management, provides control and monitoring of mobile devices
     - API Management: app based security, fine grained authorization, SLA management
     - Ecosystem Private PaaS: control of information shared to partners, as well as applications that use information
     - Complex Event Processing: detect complex events that indicate intrusion, theft, accidental behavior, suspicious behavior; alert, escalate
     - 2 factor authentication, fine grained authorization
     - New protocols and technologies support more control
     - SDN
     - Fingerprint scanners
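A worked illustration of the "Complex Event Processing" bullet above, added here and not code from the deck or from WSO2: a sliding-window correlator that turns a sequence of constructed authentication events into an alert (repeated failures followed by a successful login, the account-hijacking pattern from the threats list) and an escalation (a bulk download shortly after that login). The event fields, window and threshold values are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:          # constructed event shape, not a real log format
    ts: int               # seconds since an arbitrary epoch
    user: str
    src_ip: str
    kind: str             # "login_fail", "login_ok" or "bulk_download"

class AccountHijackDetector:
    """Pattern: >= FAIL_LIMIT login failures within WINDOW seconds followed
    by a successful login for the same user -> ALERT; a bulk_download by
    that user within WINDOW seconds of the suspicious login -> ESCALATE."""
    WINDOW = 300          # assumed correlation window (seconds)
    FAIL_LIMIT = 3        # assumed failure threshold

    def __init__(self):
        self.fails = defaultdict(deque)   # user -> deque of failure timestamps
        self.suspect = {}                 # user -> ts of suspicious login
        self.findings = []                # (level, user, src_ip, ts)

    def _prune(self, user, now):
        q = self.fails[user]              # drop failures older than the window
        while q and now - q[0] > self.WINDOW:
            q.popleft()

    def feed(self, ev):
        self._prune(ev.user, ev.ts)
        if ev.kind == "login_fail":
            self.fails[ev.user].append(ev.ts)
        elif ev.kind == "login_ok":
            if len(self.fails[ev.user]) >= self.FAIL_LIMIT:
                self.suspect[ev.user] = ev.ts
                self.findings.append(("ALERT", ev.user, ev.src_ip, ev.ts))
                self.fails[ev.user].clear()   # one alert per burst
        elif ev.kind == "bulk_download":
            t0 = self.suspect.get(ev.user)
            if t0 is not None and ev.ts - t0 <= self.WINDOW:
                self.findings.append(("ESCALATE", ev.user, ev.src_ip, ev.ts))
                del self.suspect[ev.user]

SAMPLE = [   # constructed sample stream, not real data
    AuthEvent(100, "alice", "203.0.113.7", "login_fail"),
    AuthEvent(110, "alice", "203.0.113.7", "login_fail"),
    AuthEvent(120, "alice", "203.0.113.7", "login_fail"),
    AuthEvent(150, "alice", "203.0.113.7", "login_ok"),
    AuthEvent(200, "alice", "203.0.113.7", "bulk_download"),
    AuthEvent(210, "bob", "198.51.100.2", "login_fail"),   # a single typo
    AuthEvent(220, "bob", "198.51.100.2", "login_ok"),     # no alert for bob
]

def run(events):
    det = AccountHijackDetector()
    for ev in events:
        det.feed(ev)
    return det.findings
```

The same correlator applied to a stream where the failures fall outside the window produces no findings, which is the point of pruning: a few stale typos a day should not page anyone.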
  47. WSO2 Commercial
     - Completely open source: no enterprise versions
     - The only complete composable API-centric enterprise application platform
     - Built entirely by WSO2
     - Multi-tenant, cloud native, componentized integrated platform
     - Built to be an API-centric, BigData, mobile, social, cloud, SOA platform

  48. WSO2 Commercial
     - 200 customers worldwide
     - In business 8 years
     - Leading enterprises in almost every vertical industry:
       - Retail, aerospace, health, finance, logistics, telecommunications, government, travel, …
     - eBay does 5 billion transactions/day on peak days on our servers
     - Boeing, Cisco and other industry leading companies are starting to build their future technology vision with WSO2

  49. WSO2 Commercial
     - Identity Management
       - WSO2 has a full suite of identity products supporting all new protocols and features
     - EMM (Enterprise Mobility Management)
       - WSO2 has a full EMM suite with both device and application management
     - Ecosystem PaaS
       - WSO2 is working with several industry leaders to create PaaS's for their industry. This gives the leader control over the data and applications, like Apple has for iOS apps, and also encourages development of communities with the first social enterprise store
     - Hybrid polyglot PaaS technology for sophisticated enterprise deployments
     - API Management and Enterprise Store, combining API, mobile and web services to promote API-centric enterprises
     - NSA for you: our BigData and CEP technology gives you the ability to identify security events in real time and respond to them
     - AND MORE. I have listed just the products relevant to security.

  50. Conclusion
     - We have seen the enemy and it is us.
     - The issues for the cloud are the issues we deal with every day in the enterprise. It's not a reason to not adopt the cloud.
     - For more info on WSO2: Services Oxygenated
     - John Mathon: VP, Product Strategy