The document discusses the evolution of cloud services and highlights the challenges associated with cloud security, business continuity, and risk management. It addresses historical cybersecurity incidents, the need for reliable service level agreements (SLAs), and outlines the impact of complexity on security vulnerabilities. The text emphasizes the importance of proactive risk management, continuous monitoring, and collaboration among organizations to enhance cloud security and resilience.

1. Risks in the Cloud
and Business Continuity
BCP/DRP Summit
jorge.sebastiao@its.ws

2. What is the Cloud?

3. Evolution of Cloud
IaaS
Infrastructure as a Service
PaaS
Platform as a Service
SaaS
Software as a Service

4. Complexity of the Cloud

5. 5
Spread of Code Red Worm in the Cloud
July 19 01:05:00 2001

6. 6
Spread of Worm in the Cloud
July 19 20:15:00 2001
Financial Cost: CodeRED Worm: $2.6 billion

7. SQL Slammer Worm: 30min
- Infections doubled every 8.5 seconds
- Spread 100X faster than Code Red
-At peak, scanned 55 million hosts per second.
-COST: $1.2 billion

8. Cloud Challenges
8
Dynamic threats
Limited IT resources
Pressure to demonstrate risk
reduction and compliance
Process complexity
Reduce operating costs
Must show value
Proactive versus reactive

9. 9
Cloud Focus Challenges

10. Cloud Reliability
Enterprise are setting their SLAs uptimes at 99.99% or
higher, cloud providers are not fully ready
Amazon’s cloud outages receive a lot of exposure …
July 20, 2008 Failure due to stranded zombies, lasts 5 hours
Feb 15, 2008 Authentication overload leads to two-hour service outage
October 2007 Service failure lasts two days
October 2006 Security breach where users could see other users data
… and their current SLAs don’t match those of enterprises*
Amazon EC2 99.95% Amazon S3 99.9%
* SLAs expressed in Monthly Uptime Percentages; Source : McKinsey & Company
• Not clear that all applications require such high services
• IT shops do not always deliver on their SLAs but their
failures are less public and customers can’t switch easily

11. Source: Copyright © 2007 Boeing. All rights reserved.
Services
Application
Development
Platform
Storage
Hosting
Cloud Service Layers
Description
Services – Complete business services such as
PayPal, OpenID, OAuth, Google Maps, Alexa
Services
Application
Focused
Infrastructure
Focused
Application – Cloud based software that eliminates
the need for local installation such as Google Apps,
Microsoft Online
Storage – Data storage or cloud based NAS such as
CTERA, iDisk, CloudNAS
Development – Software development platforms used
to build custom cloud based applications (PAAS &
SAAS) such as SalesForce
Platform – Cloud based platforms, typically provided
using virtualization, such as Amazon ECC, Sun Grid
Hosting – Physical data centers such as those run by
IBM, HP, NaviSite, etc.

12. Services
Application
Development
Platform
Storage
Hosting
Cloud and Risk
Services
Information
Risk
Relative
effectiveness
of technical
controls
Inter-
operability
Risk
Difficulty of
enterprise
integration
Capability
Maturity
Source: Copyright © 2007 Boeing. All rights reserved.

13. Network
Policy
Applications
Inside and outside groups
default deny
Hundreds of groups
default allow
Tens of applications
Web, mail, domain name
server (DNS)
Hundreds of applications
custom protocols,
payroll, trading
Tens of targets
Megabits of traffic
Thousands of targets
Gigabits of traffic
Past Present +
Cloud more challenges

14. Reorganizing the roles in the cloud

15. Cloud Impact on your Business

16. Threats sources
Environmental
Natural
Disasters
Unexpected
(“OOPS” factor)
Cyber terrorism Viruses
Threats
Industrial
Espionage

17. Business Impacts and Risks
Employee &
customer
privacy
Legislative
violations
Financial
loss
Intellectual
capital
Litigation
Public
Image/Trust
Business
Risks

18. Importance of Critical Infrastructures

19. India
Pakistan
Egypt
Saudi Arabia
UAE
Kuwait
Qatar
Bahrain
60m
12m
6m
4.7m
1.7m
0.8m
0.3m
0.2m
Recent Middle East
 Dragging anchor cut two critical cables
 85+ million users impact across eight countries
 Incident highlights potential terrorist opportunities
Resiliency is ABSOLUTELY CRITICAL
Critical Infrastructure - cable cuts

20. 20
Complexity: Increased Risk
“The Future of digital systems is
complexity, and complexity is the
worst enemy of security.”
Bruce Schneier
Crypto-Gram Newsletter, March 2000

21. 21
More complexity more Security Flaws
Complexity & Reliability Risk
1 – 10 Simple procedure, little risk
11- 20 More Complex, moderate risk
21 – 50 Complex , high risk
>50 Untestable, VERY HIGH RISK
Complexity & Bad Fix Probability
Essential Complexity (Un-structuredness) &
Maintainability (future Reliability) Risk
1 – 4 Structured, little risk
> 4 Unstructured, High Risk
Structural Analysis … Providing Actionable Metrics
Complexity and Risk

22. Framework must address Risk
Threats Vulnerabilities
Controls Risks Assets
Security
Requirements
Business
Impact
exploit
exposeincreaseincrease
increase have
protect against
met by indicate
reduce

23. Risk Analysis provides focus
High
Medium
Low
Low Medium High
Area of
Major
Concern

24. Managing risk?

25. End User Phishing
http://www.antiphishing.org/
• Target customers of banks
and online payment services
• Obtain sensitive data from
U.S. taxpayers by pretended
IRS- emails
• Identity theft for social
network sites, e.g.
myspace.com
• Recently more non-financial
brands were attacked
including social networking,
VOIP, and numerous large
web-based email providers.
Phishing only started in 2004, but in 2006 it cost the UK
£35m and the USA perhaps $200m

26. End User is biggest problem
Farce of the Facebook spy: MI6 chief
faces probe after wife exposes their
life on Net
“ MI6 faced calls for an inquiry last night after an
extraordinary lapse of judgment led to the new
head of MI6's personal detailsbeing plastered
over Facebook.
Millions of people could have gained access to
compromising photographs of Sir John Sawers
and his family on the social networking website.
...“
http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-
faces-probe-wife-exposes-life-Facebook.html

27. When all fails….are you ready?
Everybody’s got a plan until they get
hit! -- Mike Tyson

28. Business Continuity Management
Business Impact Analysis
Risk Analysis
Recovery Strategy
Group Plans
and Procedures
Business Continuity Planning Initiation
Risk
Reduction
Implement
Standby Facilities
Create Planning Organization
Testing
PROCESS
Change Management Education Testing Review
Policy ScopeResourcesOrganization
BCM
Ongoing
Process
BCM
Project

29. Business Continuity timeline
Active
Business
A successful
recovery

30. Processes - Workflow

31. Risk Transfer
Elimination
Reduction/Controls
Transfer/Outsource
Insurance
Residual
Not all risk can be
eliminated via
controls

32. Strategy Optimization
Recovery strategy must be optimized to business requirements
Time
CostofStrategy
Mitigation
LostRevenue
Optimum Mitigation
Strategy

33. Response and Risk approach
Risk Management and Business Controls
Events
Incidents
Crises
Impact Monitor & resolve the
“critical few” with crisis
management team
Assess impact of events &
implement appropriate controls
Monitor & resolve at
appropriate level using
processesIncident Management
Process
Crisis Management
Process

34. Standardisation bodies
ISO/IEC - Wide scope of standardization. 27xxx and 13335
IETF – Focuses on Internet related technical Security requirements
NIST-CSRC (http://www.nist.gov/) – Wide scope of coverage for both
government and enterprise needs.
OASIS (http://www.oasis-open.org/) - Application Vulnerability
Description Language
OGSF (Open Group Security Forum,
http://www.opengroup.org/security/) - started Intrusion Attack and
Response Workshop
Best practices and recommendations
CERT/CC (http://www.cert.org/)
SANS (System Administration, Networking, and Security) Institute –
http://www.sans.org/
ISACA (http://www.isaca.org/) – Most noted for CoBIT framework fIT
Governance
ISSA (http://www.issa.org/) – GAISP (Generally Accepted Information
Security Principles)

35. Standards, Guidelines
ISMS family of standards (ISO/IEC 27xxx)
ISO/IEC 27001 – ISMS (BS 7799-2)
ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
ISO/IEC 27005 –Infosec risk management
ISO/IEC 27006 – Guide to ISMS certification process
ISO/IEC 27003 – ISMS implementation guide
ISO/IEC 27004 – Infosec Metrics
ISO/IEC 27007 - Guideline for ISMS auditing
ISO/IEC 27011 - ISMS implementation guideline for
the telecommunications industry
ISO/IEC 27034 - a guideline for application security

36. Standard provide Controls
So how do you implement security controls?
Technical controls:
Site implements a firewall to stop external attackers
but allow academic collaboration.
Education:
Explain to users why there is a firewall (to stop
attackers) and how to ask for exceptions (to allow
collaboration).
Administrative controls:
The Security Policy states that Internet services must
be used safely.

37. ISO 27004 : Metrics & Measurement
ISO/IEC has a new project to develop an
ISMS Metrics and Measurements Standard
This development is aimed at addressing
how to measure the effectiveness of ISMS
implementations (processes and controls)
Performance targets
What to measure
How to measure
When to measure

38. Security Metrics

39. Infrastructure-Centric Metrics
Infrastructure-centric metric – measure of efficiency,
speed, and/or capacity of technology
Throughput – amount of information that can pass
through a system in a given amount of time
Transaction speed – speed at which a system can
process a transaction
System availability – measured inversely as downtime,
or the average amount of time a system is down or
unavailable
Response time – average time to respond to a user-
generated event like a mouse click
Scalability – conceptual metric related to how well a
system can be adapted to increased demands
7-39

40. IT Metrics and SLAs
Service level agreement (SLA) – formal,
contractually obligated agreement
SLAs must include IT success metrics
SLAs are between you and outsourcer
SLAs define how you will measure KPI
Measures are in service level specifications (SLS)
or service level objectives (SLO)
7-40

41. Incident Handling Life Cycle
Email
Hotline/
Phone
Analyze
Coordinate
Information
and
Response
Obtain
Contact
Information
Provide
Technical
Assistance
Incident
Report
Triage
Vulnerability
Report
Information
Request
IDS
Other

42. Incident Response Components
(from RFC 2350)
CSIRT’s
Organisational form depends on
type of organisation and
required level of support to community
Security Policy
Define what is required/allowed/acceptable
Incident Response Policy
What is provided, who receives it and who provides support
Incident Response Plan
Which incidents will be responded and how

43. EU CERTS

44. Action Plan 1
Build resilience / Harden the infrastructure
Servers and links redundancy
Security of routing protocol / traffic exchange
Security of DNS service
Profiling attackers and understanding their objectives
(know your enemies)
Response preparedness
National contingency plan for the Internet
Cyber exercises on National/international level are crucial
Strengthen multinational cooperation for rapid response (formal
rather than informal)
Importance of CERTs/CSIRTs and their role for national and
international cooperation
Measurement - monitoring of traffic to understand what is
going on

45. Action Plan - 2
Technology will not be sufficient
Study the economics of security and cyber crime
Set-up Public Private Partnership (PPP)
Example www.antiphishing.org
Develop cross-sector and cross-organisational
cooperation on National, EU and international levels
Agree on responsibility’s allocation
Information and best practices sharing  importance
of trust
Raising awareness and education of individuals, public
bodies, corporate users and service providers

46. Questions