Cloud Perspectives - Ottawa Seminar - Oct 6

Cloud Perspectives
Neil Bunn, P.Eng. - Chief Technology Officer
Theo van Wyk – Security Solution Architect Manager
October 6th
, 2016

© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Defining Cloud
“Cloud Computing” by the NIST Definition is:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This cloud model is composed of five
essential characteristics, three service models, and four deployment models.
Which really means…..
2

Pragmatic View of Industry Change
§ Cloud is just another delivery model, but largely predicated on:
§ Automation
§ Elasticity
§ Pay-as-you-go (public cloud)
§ Cloud creates challenges for clients in security, processes, automation, internal governance,
and controls.
§ Hyperscale IaaS providers will dominate the market
§ Hybrid-Cloud (multi-provider / hybridization) required for business success and security
§ Most clients forget about:
§ SLAs & Service
§ Governance and Financial controls - lead to accidently “breaking the bank”
§ Security
3

© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 4
Cloud Primer
Broad
Network Access
Automation Flexible Costing
On-Demand
Self-Service
Resource Pooling
Cloud
Characteristics
Software as a Service
(SaaS)
Platform as a Service
(PaaS)
Infrastructure as a
Service (IaaS)
Service Models
Deployment
Models
Public Cloud Hybrid Cloud Private Cloud

Primary reasons for adopting cloud
Source: Cloud Security Alliance, “HOW CLOUD IS BEING
USED IN THE FINANCIAL SECTOR” SURVEY REPORT –
March 2015

Top Cloud Applications Adopted
Source: Cloud Security Alliance, “HOW CLOUD IS BEING
USED IN THE FINANCIAL SECTOR” SURVEY REPORT –
March 2015

Successful Client Outcomes
Rapid Deployment &
Flexibility
Higher Return on
Technology Spend
Matching
CapEx/OpEx to the
Budget
Lower Cost of
Development
Measurable
Outcomes

“Multi-Cloud Platform approach…not all
workloads are the same…and not all clouds are
the same!”

Our approach and strategic cloud partnerships
§ Partner with Multiple Providers (multi-cloud)
§ Amazon Web Services (AWS)
§ Microsoft Azure
§ IBM Softlayer
§ Provide consistent-feel managed services across client deployment options
§ Scalar Owned/Operated
§ Client Owned/Operated
§ HyperScale Provider
§ Traditional Hosting Provider
Implement automation, policy and
governance consistent across
deployment option
10

Getting Started
Assess Perform a visibility
assessment
Classify applications &
data for public and
private approaches
Design Design architecture
& approach
Design for loose-coupling,
scaling & security with
spend management
Deploy Select a provider &
deploy an application
Manage & monitor the
environment like any
other infrastructure

Scalar Cloud Offerings
SELF-MANAGED
CLOUD
1
CONSULTING &
ADVISORY
2
MANAGED CLOUD
3

CONSULTING AND ADVISORY1
READINESS GOVERNANCEDESIGN TRANSFORMATION

Consulting and Advisory - Service Offerings
Scalar Consulting and Advisory services help customers plan, execute, and derive
maximum value from their cloud environment. Engagements are typically
project/deliverable-based, and include services such as:
• Cloud migration planning
• Cloud readiness assessments
• Workload analysis
• Architecture and design
• Deployment services
• Cloud optimization
• Training

SELF-MANAGED CLOUD
BILLING SUPPORT CONTROL
2

Self-managed Cloud - Service Offerings
• Itemized billing
• Customer Billing Portal with chargeback reporting
• Scalar-led support and escalation
Self-management appeals to customers who have the ability to manage their own
cloud-based environment, and for whom maintaining that level of control is preferred.
Customers select Scalar as their resell partner of choice, but otherwise access and
manage the cloud via the selected Cloud Provider’s portal. There are 3 distinct
values to purchasing your public cloud resources through Scalar:

MANAGED CLOUD3
MIGRATE SECURE MANAGE OPTIMIZE

Scalar Managed Cloud - Service Offerings
STANDARD - Includes basic deployment and monitoring services with SLO-backed response, and is generally
appropriate for non-mission critical workloads.
PREMIUM - Provides a complete monitoring and optimization suite, along with rapid, SLA-backed response suitable for
production workloads and other mission-critical environments.
Designed for customers who prefer to have Scalar provide management of their cloud
infrastructure. Scalar provisions and manages cloud resources on the customer’s behalf along
with providing access management, 24x7 monitoring and incident response, and continuous
optimization. Cloud Management comes in 2 tiers:

Today’s Security Landscape
Traditional
Countermeasures are
Proving Ineffective
Rapidly Changing Threat
Types
Regulatory Compliance &
Corporate Governance
Demands are Increasing
Security Budgets are
Often Insufficient
Many Organizations are
Blind to Security Threats
that are Already Known
Hackers are Increasingly
Motivated
!
!
0 1 0 0
1 0 0 0
0 0 1 0

Why Security Breaches Continue to be Prevalent
Every technology
eventually fails
Compliance programs
often ignore business risk
Trying to keep hackers
out is a losing battle
!

Cyber Incidents by Industry
Source: IBM Cyber Security Intelligence Index

Cloud Security Elements
Global Threat Intelligence &
Research
Advanced Analytics
Protect Critical Assets
Robust Incident
Handling
Understand Business
Impact
Continuous Validation of
Controls
!

Understand the Security Continuum
Integration & Middleware
Facilities
Hardware
APIs
Data Metadata Content
Applications
APIs
Presentation
Modality
Presentation
Platform
Abstraction
Core Connection & Delivery
Integration & Middleware
Facilities
Hardware
APIs
Abstraction
Facilities
Hardware
APIs
Abstraction
IaaS
INFRASTRUCTURE AS A SERVICE
PaaS
PLATFORM AS A SERVICE
SaaS
SOFTWARE AS A SERVICE
Service Provider Security
Your Security
24

Unmanaged Shared Responsibility Model
25

Cloud Provider
Responsibility
Your
Responsibility
Foundation Services
Global Infrastructure
Endpoints
Compute Storage Database Networking
Regions
Availability
Zones
Edge Locations
Operating System & Network Configuration at Rest
Platform & Application Management
Customer Data
Client-side Data Encryption & Data Integrity
Authentication
Server-side Encryption Provided by the Platform
/ Protection of Data at Rest
Network Traffic Protection Provided by the
Platform / Protection of Data in Transit
Optional –
Opaque
Data OS (in
transit / at
rest)
Identity&AccessManagement
Managed Shared Responsibility Model
26

SECURITY BY DESIGN
PREPARE DEFEND RESPOND

Getting Started
Prepare Perform a risk
assessment
Build an effective
security program
Defend Deploy security
infrastructure
Properly configure
and continuously tune
security elements
Respond Detect & respond to
incidents quickly
Continuously validate the
effectiveness of security
controls
28

Steps forward….
1. Ensure effective governance, risk, and compliance processes exist
2. Audit operational & business processes
3. Manage, people, roles and identities
4. Ensure proper protection of data
5. Enforce privacy policies
6. Assess security provisions for cloud applications
7. Ensure secure cloud networks and connections
8. Evaluate security of physical infrastructure and facilities
9. Manage security terms in the service agreement
10.Understand the security requirements of the exit process
29

Step 1 - Ensure effective Governance, Risk, and Compliance
Governance Risk Compliance
Ensure that you have a
data asset inventory and
it is classified based on its
CIA protection
requirements.
Established security and
compliance policies &
procedures.
Assess vendors,
applications, processes
and policies against a
formalized threat-risk-
assessment process.
Identify and map regulatory
and legislative requirements.
FedRAMP, ITAR
FFIEC,GLBA, OSFI, PIPEDA
30

Step 2 - Audit operational & business processes
Assurance Certification Audit
Review independent
auditor’s report on cloud
provider’s operations.
SSAE16 SOC2 Type 2
CSAE3416, ISAE3402
Beyond audit assurance
reports. Review current
security certifications.
ISO27001
ISO27018
Ensure access to the
corporate audit trail.
Shared Information Gathering
(SIG) Questionnaire
CSA Cloud Controls Matrix
3.0.1
31

Step 3 – Manage People, Roles, and Identities
Identity and
Access
Management
Authentication Role, Entitlement
and Policy
Management
Federated Identity
Management,
Provisioning and
delegation,
Single Sign-On, and
Identity & Access Audit.
Ensure support for strong,
multi-factor authentication.
Ensure provider is able to
describe and enforce security
policies, user roles, and
groups based on
requirements.
32

Step 4 – Ensure protection of data
Encryption /
Tokenization
Create a data
asset catalog
Consider all
forms of data
Encrypted for data privacy
with approved algorithms
and long, random keys;;
Encrypted before it passes
from the enterprise to the
cloud provider;;
Should remain encrypted in
transit, at rest, and in use;;
Provider should never have
access to decryption keys
Identify all data assets,
classify them in terms of
business criticality,
ownership. Identify
relationships between data
assets.
Unstructured vs Structured
data.
33

Step 5 – Enforce privacy policies
PIPEDA Security Privacy
Standards
Ensure privacy
requirements
within the SLA
June 2015 - new data
breach notification
provisions, with the
enactment of the Digital
Privacy Act.
ISO / IEC 27018 standard
addresses the controls
required for the protection
of PII.
Specific clauses around
privacy of information.
34

Step 6 – Assess security provisions for cloud applications
IaaS PaaS SaaS
Customer has responsibility
for the complete software
stack including security.
Focus on provider’s network,
physical environment, audit,
authorization, and
authentication
considerations.
Customer has responsibility
for application development
and securing application.
Focus on audit, authorization,
and authentication
considerations.
Provider is responsible for
application-tier security and are
dependent upon terms in the
SLA.
Understand the provider’s
patching schedule, controls
against malware, and release
cycle.
35

Step 7 – Ensure secure cloud networks and connections
External
Network
Internal Network
Traffic screening
DOS protection
Intrusion
Detection/Prevention
Logging and Notification
Client separation and
protection from one another
Monitoring for intrusion
attempts
36

Step 8 – Evaluate security of physical infrastructure and facilities
Facilities Continuity Plans Human
Resources
Security controls related to
facilities. Environmental,
Equipment,
telecommunications, etc.
Continuity of service in the
face of environmental threats
or equipment failures
Security controls on their staff.
Background checks / screening,
role changes, termination.
Security Awareness and Training
37

Step 9 – Manage security terms in the service agreement
Breach
Notification
Incident
Response
Measuring
Performance
Include pertinent information
with regards to notification
Containment of security
incidents
Restoration of secure access
Forensics in investigating
circumstances and causes of
breach.
Metrics and standards for
measuring performance and
effectiveness of information
security should be established in
the service agreement.
ISO27004:2009
ISO19086
NIST 800-55 Rev.1
38

Step 10 – Understand the security requirements of the exit process
Exit Process Data Destruction
Documented exit process as
part of the service
agreement.
Customer data is deleted from
the provider’s environment at
the end of the exit process.
39

Setting yourself up for success
Leveraging cloud providers can enable companies in being*more* secure and compliant
than before, in contrast to leveraging your own on premise systems.
Spend sufficient time to ensure:
§ Information Governance Policy/Programs are defined and in place
§ Services are Policy Compliant
§ Improved Security Awareness & Actions Plans documented
40

Cloud Perspectives - Ottawa Seminar - Oct 6

More Related Content

What's hot

Viewers also liked

Similar to Cloud Perspectives - Ottawa Seminar - Oct 6

More from Scalar Decisions

Recently uploaded

Cloud Perspectives - Ottawa Seminar - Oct 6