
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome security fears for cloud computing?


The benefits that cloud and virtual infrastructure bring are obvious. So are the additional risks. The seminar will discuss the following questions: what problems are involved in securing virtualization infrastructures; which outweighs the other, economics or security; what the limitations of protective measures for virtual infrastructures are; and hacking the cloud versus hacking from the cloud.

Published in: Business


Slide 1: Head in the Clouds…Can we overcome security fears for cloud computing?
19 May 2011

Slide 2: Cloud benefits are real
So much promise due to a buyer-centric approach to technology
  • Flexibility
  • Scalability
  • Demand driven
For the CFO it is attractive as a ‘pay as you go’ solution
  • Post financial crisis and tight budgets
  • Clearer link between costs and the service received
For the CIO it is a comprehensive virtualization model from infrastructure design through to testing and delivery
  • Enabling IT to cut costs and increase efficiencies
  • Increased agility and ability to ‘try new technologies’
  • Access to up-to-date technologies without investment
  • Less wastage through underutilized hardware (PCs and servers) and outdated software
  • ‘Built-in redundancy’
This is why it will happen

Slide 3: But there are concerns
There is a high fear factor
  • Availability and reliability
  • Data loss or leakage
  • Fraud
  • Regulatory constraints
  • Theft of confidential information or intellectual property
  • Data privacy
  • Financial and company stability of the service provider
The balance of risks against the efficiencies and value of cloud computing needs to be considered...
This still leaves many CISOs feeling it is safer to manage the data in house. Is that really the case?
  • Security budgets are already stretched in-house
  • We can’t protect everything
  • Is ‘our security’ that much better? Security is not our ‘core business’
It all comes down to ‘trust’

Slide 4: Cloud vendors are aware of the need for security
During recent years, cloud providers have developed a control infrastructure and implemented technologies to mitigate risks
  • Providing secure services is ‘core business’
  • Security is used as a key ‘differentiator’
  • Significant investments in security have been made by all the ‘top-tier’ vendors
  • Reputation is imperative for cloud vendors to survive
Security controls include both traditional and innovative measures
  • Identity and Access Management
  • Intrusion detection
  • Vulnerability assessments
  • Anti-DDoS
  • Web Application Firewalls and virtual firewalls
  • Splitting of encrypted data across various systems
Vendors have the budgets and the technology to do it

Slide 5: That doesn’t mean ‘secure enough’ for everything
Good for non-differentiating business functions
  • HR (perhaps)
  • Accounting
  • CRM
  • Email
  • Web conferencing
For other areas, a detailed risk assessment and analysis should be performed before migrating to the cloud
  • Governance
  • Mission-critical data
  • Medical data or highly regulated data (such as personal data)
  • Intellectual property
  • Card processing
But people will still want to leverage the technology

Slide 6: We need to assess our risks and the vendor’s capabilities
  • We need to understand our risks before we start to think about benefits
  • Due diligence on the vendor (ownership, financial health, legal status)
  • Full-scope review of access management, policies, patch management, incident management, etc.
  • Certification and third-party audits
    • ISO 27001
    • SAS 70
  • Contractual agreements
    • Data rights and ownership
    • Availability, reliability and resilience
    • Recourse for security and availability
    • Service levels and performance
    • Decommissioning and destruction of data
    • Incident response
    • Regulatory compliance requirements
We need to verify; we need a trust mechanism

Slide 7: And we need to have a comprehensive approach
  • Have strong DLP controls to prevent unwanted data leaking to the cloud
  • Update incident management to deal with the cloud
  • Understand where there are gaps with the cloud vendor and implement compensating controls
  • Clearly define requirements for encryption, data segregation and user access
  • Ensure the vendor can meet our internal risk management requirements
  • Consider scalability
  • Understand the cost structure and get comfort on the security and integrity of billing/cost systems
  • Obtain results of security and scalability tests (e.g. pentests, stress tests)
  • Above all, people will still pose the biggest threat!
We don’t absolve ourselves of our responsibilities

Slide 8: Summary
  • Moving certain applications to the cloud is inevitable due to the benefits offered
  • Risks need to be balanced with rewards (as they are today when services are managed in-house)
  • Cloud vendors have a vested interest in providing secure services – their entire business model hangs on their reputation
  • Not every application will go to the cloud
  • Due diligence and assessment of the vendor is vital
  • Get third-party reports/assessments for the vendor
  • We are still responsible for our information and need to maintain control of access to it
  • Use a trusted partner to help in initial vendor selection
  • Remember that assessment is an ongoing process
  • Moving non-core information and services to the cloud may allow the CISO to focus resources on protecting higher-value information within the organization
Right Service + Right Vendor + Due Diligence + Contracting + Ongoing Monitoring = Success

Slide 9: Focus on the risks and compliance will follow...
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2010 ZAO PricewaterhouseCoopers Audit. All rights reserved. In this document, “PwC” refers to ZAO PricewaterhouseCoopers Audit, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Christopher Gould
Director
+7 (495) 967 6000