Cloud Security: Is My Data Safe?

Damien Behan and Justin Pirie present on Cloud Security, from a customer and an industry perspective.

Damien Behan leads the IT function at Brodies, focusing on delivering value to the firm through its investment in technology. He is responsible for the smooth running of the firm's IT, while also setting the strategy and aligning it to that of the business. He has a wide range of experience within the legal sector, and specialises in the innovative use of technology to address business requirements. Damien has a keen interest and a wide experience in Knowledge Management and has been involved in driving the use of social software within the firm.

  • Intro: myself and where I work. Answer the key question: is my data safe? What are the hurdles we have to cross? What are the actionable things we can do? Why should you consider going to the cloud?
  • Security
  • Continuity
  • Archive
  • Bringing all the benefits of Google apps- horizontal scalability, reliability, etc
  • To Microsoft Exchange
  • 2010 Gartner Hype Cycle for emerging technologies
  • 2010 Gartner Hype Cycle for emerging technologies
  • From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
  • From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
  • Why are some people unsure about Cloud Security?
  • Security is often presented as a binary object. It’s not.
  • It’s much more complex than that.
  • Technical details are abstracted
  • Probably because of the relative opacity of Cloud compared to the transparency of a private network and the control you can exert on it
  • Is also its Achilles heel
  • Without revealing too much intellectual property, the main differentiator in Cloud
  • Standards are only just emerging
  • Buyer Beware: http://en.wikipedia.org/wiki/Caveat_emptor Under the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud. Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
  • Which is why we in cloud feel like we’re being beaten up...
  • Independent Audit?
  • There are no standards...There is not a best practice independent security methodology for cloud. Clouds are opaque. Technical complexity is abstracted. Proper audit / DD requires transparency. But transparency would reveal IP.
  • An independent 3rd party is so important to validate claims in depth: SAS 70, CESG etc.
  • Spot the missing one?
  • ISO 27001: ISO 27001 doesn't fit the cloud. It is currently a 5-year-old standard, to be reviewed in 2012; the CSA is helping to update the controls for the Cloud.
  • Should you adopt ISO 27001? What sort of protection will it grant you? Yes, because it's a framework for managing security: a process, a set of documentation, a set of controls. Work out how much risk is acceptable; what risk you are exposed to; which risks are greater than the acceptable risk; what controls you need to manage them (taken from Annex A). Deploy the controls in an auditable way and constantly approve. Compliance testing; Governance, Risk and Compliance: testing to make sure of your controls. It scales.
  • Control and governance: what should be the basis of your Cloud Data Best Practice Policy? ENISA.
  • Investigating availability guarantees and penalties, and examining your supplier's disaster recovery strategy. Important: they do what they say they do. The bar you set needs to be relevant to what you have already: BASELINE! Set a realistic expectation, based on the data you're going to outsource. Look at historical performance: not a predictor of the future, but relevant. Look at their DR strategy: if you have 2 data centres, that should be the expectation. Map your requirements to the provider.
  • Data compliance: the importance of clarifying where your data will be stored and who will have access to your information. Jurisdiction: EU / Patriot Act / RIPA / Safe Harbour.
  • Ultimately, who has control over your data? When you save your data, you need to understand. Look at service providers to the same extent. MTBF, encryption: look at service providers. Cloud should be architected differently. People shouldn't be fooled by "cloud" technology; see behind the fog. Often it's really hard because of the opaqueness. Integrity of data is critical: end to end vs middleware, designed to hook together. Managing service provider obligations: assess the risk, and make sure the risk you're willing to accept is reflected in the SLA. Review annually? Any deviation: look for recompense or additional controls. A blunt instrument. Make sure compliance and information governance are involved early on in the process of negotiating the SLA; lawyers don't know about GRC.
  • The key is to understand your current risks- baseline them
  • i.e. Where are we today?
  • Users: applications, file shares, email, document management
  • Sysadmins: user-based access, server access, database access
  • Others: Internet, VPN, extranet, customer/partner portals, APIs, suppliers, telcos, tape warehousing, backup delivery personnel
  • Ends up in a Permissions Nightmare- or a brittle infrastructure
  • How are we managing those risks today?
  • Are you given the budget / skills to do it?
  • “Quis custodiet ipsos custodes?” Who will guard the guards themselves? Decimus Iunius Iuvenalis
  • Cloud can be a way to become a guard’s guard, instead of the guard
  • Reasons to go Cloud Security
  • Reason to go Cloud security #1: It's their business, and their reputation depends on it
  • #2: Money. They are held financially responsible
  • Reason #3: Scale. Cloud platforms have scale that customers could never achieve on their own, protecting against large-scale attacks
  • Reason #4: Specialised skills. Employ specific people to do a specialised job. Cumulative effect of multiple customers
  • Cumulative effect of multiple customers
  • Best Practice embedded in organisation and distributed. Not dependent on one person
  • Not just about competence and budget- but focus. It’s all they do.
  • Cloud can be a way to become a guard’s guard, instead of the guard
  • Buyer Beware: http://en.wikipedia.org/wiki/Caveat_emptor Under the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud. Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
  • But make it proportional to risk- especially to CURRENT RISKS
  • Cloud Security: Is My Data Safe?
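The notes above on investigating availability guarantees and on baselining current risks describe a procedure without showing it: measure what you achieve today, turn the provider's percentage into permitted downtime, and check both the promise and the provider's history against your own bar. The Python script below is an added example and is not part of the presentation or of any Mimecast or Brodies material. The incident log, the window (November 2010, the month of the talk) and the provider's SLA and history figures are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Outage:
    """One recorded period of unavailability (constructed sample data below)."""
    start: datetime
    end: datetime


def allowed_downtime(availability_pct: float, period: timedelta) -> timedelta:
    """Downtime an availability figure permits over `period` (e.g. 99.9% per 30 days)."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period * (1.0 - availability_pct / 100.0)


def observed_availability(outages: Iterable[Outage], start: datetime, end: datetime) -> float:
    """Uptime percentage implied by outage records inside the [start, end) window.

    Records overlapping the window edge are clipped, so only the part that
    actually falls inside the window counts against availability.
    """
    total = end - start
    if total <= timedelta(0):
        raise ValueError("end must be after start")
    down = timedelta(0)
    for outage in outages:
        clipped_start = max(outage.start, start)
        clipped_end = min(outage.end, end)
        if clipped_end > clipped_start:
            down += clipped_end - clipped_start
    return 100.0 * (1.0 - down / total)


def assess_provider(baseline_pct: float, sla_pct: float, history_pct: float,
                    period: timedelta = timedelta(days=30)) -> dict:
    """Map your baseline requirement onto what a provider promises and has delivered.

    baseline_pct: what you achieve today (the bar the notes say to set first)
    sla_pct:      the contractual guarantee on offer
    history_pct:  the provider's reported historical availability
    """
    return {
        "baseline_allowed_downtime": allowed_downtime(baseline_pct, period),
        "sla_allowed_downtime": allowed_downtime(sla_pct, period),
        "sla_meets_baseline": sla_pct >= baseline_pct,
        "history_meets_sla": history_pct >= sla_pct,
        "history_meets_baseline": history_pct >= baseline_pct,
    }


# Constructed incident log for a hypothetical on-premise email service during
# November 2010; none of these outages are real events.
WINDOW_START = datetime(2010, 11, 1)
WINDOW_END = datetime(2010, 12, 1)
CURRENT_OUTAGES = [
    Outage(datetime(2010, 10, 31, 23, 30), datetime(2010, 11, 1, 0, 30)),   # spans window start: 30 min counted
    Outage(datetime(2010, 11, 5, 2, 0), datetime(2010, 11, 5, 3, 0)),       # 60 min
    Outage(datetime(2010, 11, 20, 14, 0), datetime(2010, 11, 20, 14, 30)),  # 30 min
]


def baseline_current_service() -> float:
    """Step one from the notes: measure where you are today (120 min down in 30 days)."""
    return observed_availability(CURRENT_OUTAGES, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    baseline = baseline_current_service()
    # Hypothetical provider figures: a 99.9% guarantee, 99.95% delivered historically.
    result = assess_provider(baseline, sla_pct=99.9, history_pct=99.95)
    print(f"current baseline: {baseline:.3f}%")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The point of splitting the result into three booleans is the one the notes make: a guarantee that beats your baseline is only worth something if the provider's history shows they meet it, and a history that beats your baseline while missing their own SLA tells you the penalty clause is what you are really buying.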

    1. Cloud Security- Is my data safe? Justin Pirie, @justinpirie, blog.mimecast.com, jpirie@mimecast.com. Cloud Circle - London, November 29th 2010. (matthewbradley)
    2. Analyst Blogger
    3. Community Manager
    4. Social Media Influence
    5. Where I work
    6. Cloud Services for Microsoft Exchange (tipiro)
    7. Cloud Wrapper
    8. Email Security (matthewbradley)
    9. Email Continuity (neilalderney123)
    10. Email Archive (dolescum)
    11. How the problem used to be solved...
    12. Benefits of Google Apps
    13. For Microsoft Exchange
    14. What do users get? (minifig)
    15. Unlimited Storage (mescon)
    16. Fast Search (Ronan_C)
    17. Uptime (szeke)
    18. Over 600,000 users can’t be wrong!
    19. Cloud Security- Is my data safe? (matthewbradley)
    20. 2010 Hype Cycle
    21. 2010 Hype Cycle
    22. Grand Canyon between adopters (James Marvin Phelps (mandj98))
    23. Adopters: Cloud Improved Security: 57%
    24. Non Adopters: Cloud = Security Risk: 62%
    25. Unsure about Cloud Security? (jessicafm)
    26. Security Presented as Binary (MarkOMeara)
    27. Reality... (cdw9)
    28. Cloud = Outsourcing (stev.ie)
    29. BUT with Technical Detail Abstracted (Rev. XanatosSatanicosBombasticos (ClintJCL))
    30. Which makes Clouds Opaque (Andrew Coulter Enright)
    31. The reason Cloud is powerful (dok1)
    32. Is also its Achilles Heel (Moff)
    33. Need for Transparency (salmannas)
    34. While Protecting Vendor IP... (schoschie)
    35. AND Cloud is embryonic (viralbus)
    36. Standards just emerging (mayakamina)
    37. So.... Caveat Emptor (jeffc5000)
    38. And why it sometimes feels like this... (gxdoyle)
    39. Independent Audit? (ScottMJones)
    40. No Standards!!! (Leo Reynolds)
    41. Independent 3rd Parties: SAS70, CESG (wallyg)
    42. Missing Piece? (MyklRoventine)
    43. ISO 27001... (Leo Reynolds)
    44. Should you adopt ISO 27001? (massdistraction)
    45. Best Practice Policy: ENISA (TheTruthAbout)
    46. Investigate Availability Guarantees (Yukon White Light)
    47. Data Jurisdiction: clarify (IXQUICK)
    48. Who has control of your data? (DumindaJayasena)
    49. Baseline Current Risks (Chuck “Caveman” Coker)
    50. i.e. Where are we today? (Chris D 2006)
    51. Trusting Users.... (Thai Jasmine (Take good care :-)))
    52. And Sysadmins.... (leftcase)
    53. Others... (Tambako the Jaguar)
    54. Permissions Nightmare (marimoon)
    55. Managing those risks? (Patrick Q)
    56. Is expensive (jo'nas)
    57. Got the budget? (The Prime Minister's Office)
    58. “Quis custodiet ipsos custodes?”
    59. Cloud: Guards Guard
    60. Cloud Security? (matt.hintsa)
    61. #1. It’s their Business (Esthr)
    62. #2. Financially Responsible (wwarby)
    63. #3. Scale (laffy4k)
    64. #4. Specialised Skills (SarahMcDॐ)
    65. #5. Cumulative Effect of Multiple Customers (Leo Reynolds)
    66. #6. Best Practice: Embedded, Distributed (Lars Plougmann)
    67. #7. Focus (Chris Campbell)
    68. Want to be the Guards Guard?
    69. Remember: Caveat Emptor (jeffc5000)
    70. But proportional to Risk (gxdoyle)
    71. Over to Damien. Justin Pirie, @justinpirie, blog.mimecast.com, jpirie@mimecast.com (matthewbradley)
    72. Security, reliability, compliance and governance; the importance of aligning the Cloud with your existing security and governance policies. Damien Behan, IT Director, Brodies LLP
    73. “The internet is not for private things, do not put them there” – a twitterer. http://datavis.tumblr.com/post/1372863949/internet-vs-privacy-a-helpful-venn-diagram
    74. Perceptions of the cloud? SECURITY / THE CLOUD
    75. “The fact of the matter is that the cloud is just another boring make vs. buy decision, and the sooner those in IT management realize this, the less likely they are to build potentially career-ending plans based on clouds and rainbows.” Patrick Gray on zdnet.com
    76. Due diligence. Like any outsourcing service, ask…
          • Why?
          • Who?
          • What?
          • Where?
          • How?
          • … and don’t forget “what happens if it all goes wrong?”
        Then verify what you are told.
    77. The contract. Watch out for:
          • Jurisdiction
          • Data Protection
          • Confidentiality
          • IPR/Licensing
          • Service levels & limitations
          • Remedies
        …in other words, the same as any other services contract
    78. Risk Averse? Tell me about it… Even law firms with their low tolerance for risk are going into the cloud – gingerly. Understand the risks, mitigate and manage where you can, then take a view… Know the answers to the questions your clients will ask about your information security in the cloud
    79. How has it worked in practice?
          • Our story so far
          • Future plans?
    80. Questions? Email: damien.behan@brodies.com. Twitter: @damienbehan. Blog: techblog.brodies.com
