Cloud Security and Technology Adoption
By John Mathon
February 28, 2014
About the Author
o I am a 30+ year veteran of the computer industry, 10 patents, publish / subscribe, founder of TIBCO, also have started a company in the DLP space as well as worked at one of the most secure companies (Bridgewater).
o I am not a security expert.
o I have implemented SaaS solutions in a number of companies including a company I founded and a large multibillion dollar company.
Introduction
o The statement that is heard frequently: “Cloud security is the biggest factor inhibiting adoption of the cloud in most companies.”
o The premise of this statement is that cloud security is a black hole or is much more risky than traditional enterprise security.
History
o New technologies that were described as being too insecure to do business with:
  o Internet and credit cards
  o Internet and email
  o Internet and business transactions
  o Electronic Signatures
  o B2B
o I questioned the reality of these claims
o I believe I was right
o However, economic / business realities forced these things to happen
o So, are the following the same? Are they safe for personal or business use?
  o Cloud IaaS
  o Mobile Devices
  o Cloud SaaS applications
  o Cloud Data Storage
  o Cloud PaaS
  o Internet of Things
  o Personal Cloud
The Cloud is a large business today growing very fast considering its size
o Today
  o IaaS - $6 Billion 2013 business (8 yrs from start)
  o 136% annual growth rate today
  o SaaS companies - $130 Billion
  o Mobile – 1.5 Billion smartphones
  o Social – 1.2 Billion followers (22% of world population, 50% of US population)
o Future 2017 (4 years)
  o Total Cloud Services: $0.5 Trillion (4X)
  o IaaS - $100 Billion (16X)
  o PaaS - $14 Billion (40X)
  o SaaS - $0.4 Trillion (3X)
  o 2/3rds of all workloads will be processed in the cloud (*Cisco)
  o 3 Billion smartphones
Cloud Adoption
o 9/2013 According to a survey from Spiceworks, 70% of IT professionals are using cloud-based web hosting applications, with 60% using cloud-based security and 30% backup applications.
o Numbers climbing very fast with near universal adoption possible within a few years
o http://www.computerweekly.com/news/2240206038/70-of-IT-professionals-using-cloud-at-work
Why is the Cloud growing so fast?
o For Small Companies
  o Less capital needed
  o Grow as fast as your business
  o Self Service / DevOps
  o Cloud providers provide superior service to in-house
o For Large Companies
  o Less capital needed means faster to market
  o DevOps efficiencies to compete and be more nimble
  o Less excess hardware - a waste of energy, money, space, time…
  o SaaS apps can increase productivity
  o APIs, Social, Cloud Services enable new lines of revenue
The potential is almost incalculable in just the next 5-7 years
o Datacenters of 50% of companies in the world
o SaaS/PaaS and other services
  o Becoming the dominant and maybe only way most software is delivered
o Other impacts
  o Social, Behavioral
  o Life without the cloud will be essentially impossible for most people
Why is this overwhelmingly good?
o Most companies are not/should not be managing technology at the level they are
  o They are not competent at security, cost management, optimization or technology in general
  o Vast underutilization of what they acquire
  o Unnecessary duplicative work of many people doing the same technology over and over
  o Technology that is being used way beyond its productive life
o Universal Connectivity - People, Things, Applications
o Network Effect - Spurring massive cascading unpredictable innovation
  o Possibly not all positive
o Overall huge cost savings and improved efficiency
o Due to the first and second points the US/World economy will see massive gains in productivity and improvements in services and technology usage
Financial Firms have a higher standard
o Generally well endowed compared to many other businesses.
o Federal regulation, International regulation (Basel and individual country rules) and State regulation.
o Fines assessed regularly.
o Financial data among the most sensitive and private of all information of any corporation. Of great concern to customers.
o 37% of all breaches (2012*)
*http://www.verizonenterprise.com/DBIR/2013/
Other Industries with similar constraints:
o Health
o Aerospace
Ecosystem PaaS’s
o Boeing Ecosystem PaaS
  o Encourage airlines to buy Boeing Airplanes
  o Create a PaaS for all Airlines and service providers
  o Make it easier to buy Boeing, cheaper and easier to run an airline with Boeing airplanes
o Cars
  o Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX
o Entertainment
o Finance
Should you adopt a technology?
Technology                                           | Benefit or Cost
-----------------------------------------------------|------------------------------------------------------------------
Gives employees choice (BYOD, applications, …)       | Increased productivity (and morale, retention)
Is better than an internal technology                | Increased productivity (anything from slight to huge benefit)
Is necessary for business with customers or partners | Increased sales (unavoidable)
Saves money over internal service                    | Reduced costs (depends if productivity improvement or loss accompanies)
Faster time to market                                | Increased sales (potentially huge benefit)
Lack of cohesive common technology                   | Decreased productivity, increased support costs and difficult integration or sometimes collaboration
More expensive than internal service                 | Increasing costs (not very frequently true, especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost.
Increased security risk                              | Can be mitigated to some extent
These benefits can be substantial
o A new technology can easily give a 30% increase in productivity, reduced costs or increased income.
o In many cases it is not optional to use a certain technology, but how do we do it safely?
o Security must find ways to minimize risk of the new technology.
The point of this talk is perspective
o Security is part of a business decision
o The cloud will be made safe for business
o A strategy to minimize risk and maximize adoption by segregating information and applications in a fine grained way as they make sense to migrate is essential
o The safety of the cloud is not great but it is no worse than where we are in business, possibly better. This may be sad but it is expected in my opinion.
Agenda
o What is the cloud?
o Security in General
o Cloud vs Enterprise
o Best practices to adopt cloud services
o Enhanced Security Services for the Cloud
What is the cloud? Many things
o IaaS and Infrastructure Services (compute, data)
  o *$6B 2013, 136% annual YOY growth
o SaaS (Web Services and applications)
  o APIs (at least 20,000 today, doubling annually)
o PaaS and Platform Services (iPaaS, DaaS, APIMaaS, BPMaaS…)
  o *$14B by 2016
o Mobile Apps, Web and BaaS
o Personal Cloud
o Internet of Things
*Gartner, 2013
Not all information is the same
o Customer information
  o Extremely sensitive customer information
    o Passwords, pins, personal data, health data, SS#
o Company employee information
  o Extremely sensitive employee information
    o Passwords, SS#
o Company information
  o Extremely sensitive company information
    o Sales projections, roadmaps, customer interactions, information that you would be liable for releasing
    o Information that gives you significant market advantage
Risks you face:
o Loss of personal data of employees
o Loss of customer personal data
o Loss of corporate data that results in lost business (customers upset, competitors find advantage)
o Loss of service (caused by security lapse)
o Lawsuits (loss of data/service related)
o Fines (loss of data/service considered regulated)
o Reputation damage
o Transitive loss (you help someone compromise someone else)
o And more…
Sources of loss (irrespective of cloud or not cloud)
o Technology
  o External hacking
  o Infection / malware
  o Denial of service
o Processes
  o Physical penetration or data lost in transit
  o Poor IT practices
o People
  o Internal
  o Employee mistakes / phishing
The Enterprise “physical and electronic” 4 walls are being continuously eroded by new stuff:
o Employees taking home data or electronics that contain data on them (cell phones, USB, computers, …)
o SaaS (corporate data contained within)
o APIs and Web services, EDI or partner electronic interfaces
o Personal Cloud
o Internet of Things (coming)
o Cloud Services (IaaS)
o Higher level Cloud Services (PaaS and other)
o Social - discussion boards, Twitter
o Skunkworks/unauthorized use:
  o Personal Cloud (Dropbox, Google docs and apps, …)
  o POCs being done in PaaS or IaaS environments
  o Enterprise apps being used with corporate data
  o Interactions with partners through cloud
o The people who violate controls most: IT people and executives
2013 Examples of breaches
Cloud     | Severity | Attack               | Company                                 | Loss
----------|----------|----------------------|-----------------------------------------|----------------------------------------------------------------
Not Cloud | Major    | undisclosed          | Target, Adobe                           | 200+ million email, passwords, credit stolen, Adobe source code
Cloud     | Major    | Malware              | Facebook, Dropbox, LinkedIn             | 8 million emails and passwords lost
Not Cloud | Major    | Internal             | Federal Reserve, NSA, Dept Homeland Sec | Secrets disclosed, personal information
Not Cloud | Major    | Internal             | Goldman Sachs                           | Trading algorithms stolen
Cloud     | Minor    | Human Error          | NYTimes, Twitter, Cloudflare            | Google email reset policies allowed individuals to be hacked
Cloud     | Minor    | API Penetration      | LinkedIn                                | Thousands of profiles
Cloud     | Minor    | Outage               | Amazon                                  | Heroku didn’t have multiple regions
Not Cloud | Minor    | undisclosed          | Department of Energy                    | 53,000 employee records
Not Cloud | Major    | Physical Penetration | Advocate Medical Group                  | 4 million medical records lost
Cloud     | Major    | Human Error          | CorporateCarOnline                      | 850,000 credit cards, personal information
Cloud     | Minor    | Human Error          | MongoHQ                                 | Thousands of emails
http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
Cloud vs Enterprise
o Anything that can be accessed from the outside is under identical attack*
o However, on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8.*
o After looking at both, there is no proof that cloud computing is any more of a security risk than traditional internet usage. The research in this paper has shown that there is no significant difference that makes one better than the other.**
o It is not provable that the cloud is less secure than enterprise security
o *http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
o **http://www.cameron.edu/uploads/34/f4/34f4b845dca4fb2125ba03f0964efed1/3.pdf / Cloud Computing vs Traditional Internet Setting: Which One is More Secur
Security is a problem
o At least 200+ million emails disclosed with passwords. Credit cards of at least 40-80 million people, with social sec#’s in some cases.
o Medical records for 4 million people.
o Average of 60 attacks / year reported
o 37% of breaches affected financial organizations
o 14% insiders
o 19% China related breaches
o 35% involve physical compromise
o 76% exploited weak passwords
o Vulnerability discovered to patch: 25-60 days at enterprises!
A very high percentage of these losses are non-cloud, possibly as high as 80%
It is unclear what percentage of private companies disclose breaches
Cloud companies are required by law to disclose any loss*
*http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state
Cloud Companies are responding to threats
o Most cloud companies now enforce multi-factor authentication
o Most cloud companies employ encryption with salted passwords
o Google and others changing policies on password resets
o AWS wiping disks now as default
o The feeling is the cloud service companies are learning and becoming more and more astute
o What we really need is transparency!
Cloud is theoretically worse on security
o Ability to attack from anywhere and from anyone could lead to many more attacks
o Specific cloud-based attacks such as exploiting virtual machine vulnerability, building mobile apps to exploit APIs
o Ubiquitous connectivity seems to imply more chance for attacks –
  o yet so far not the case
I am not saying:
o Cloud companies are all safer generically
o All private companies’ enterprise security is rotten
o That cloud is better than enterprise for security if enterprise is done well
I am saying:
o Cloud is not blatantly more insecure than enterprises
o For whatever reason the attention of hackers has not become focused on cloud YET because the number of incidents and severity is still clearly more in the enterprise
o Some cloud companies are way better than many enterprises in security today
o For the vast majority of companies large and small the cloud is probably better
Cloud Companies use the same technology and approaches as private companies
o Antivirus / Malware detection / Scanning
o Patching regimes
o Audits / Penetration testing
o Personnel training
o DLP technology / hardware
o Multiple authentication schemes
o Automated Event Detection
o Multiple Region backups / DR
o Physical Security
Vast majority of non-cloud companies not competent in security*
*http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
This is NOT true in Finance Companies like Fidelity …hopefully
Actual Losses – some data
o 400 cases of fraudulent ACH transactions of $255 million with actual loss of $85 million
o July 2009, two U.S. stock exchanges were victims of a sustained DDoS attack
o Outages have real cost
o Adobe lost actual source code for Photoshop
o Reputation risk is an extreme concern
The cloud is not a black hole of security
o No evidence cloud computing IS riskier than enterprise based computing
o More attacks reported both anecdotally, statistically as well as admitted by private companies than companies using cloud services
o Full disclosure at private companies doubtful
o Over the last 4 years as incidents happen the strength of cloud security has increased. Most companies now support 2 factor authentication for instance. But problems clearly still exist.
Cloud vs NonCloud Security
Nine Top Threats
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
CLOUD SECURITY ALLIANCE, The Notorious Nine: Cloud Computing Top Threats in 2013. © 2013, Cloud Security Alliance. All rights reserved. http://bit.ly/1brlej6
Infoworld 2/2013 http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428
Cloud Specific Security Concerns
o Data from one company leaking to another (multi-tenancy isolation failure)
o Demand from one company leaking to another (poor service)
o Inability to control specific policies and personnel or change them at will
o Lack of transparency
o Inability to conduct effective investigations
o Naïveté in using the cloud*
o *http://blog.cloudpassage.com/2012/09/13/10-mom-didnt-warn-cloud/
Good Ideas
http://www.intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html
Cloud Services
o Let’s look at various types of Cloud Services and specific security concerns that don’t necessarily exist in the enterprise
aaS’es
o IaaS
  o Multi-tenancy isolation failures
  o Virtualization vulnerabilities
o SaaS
  o Multi-tenancy isolation failures
o PaaS - Poorly behaving apps can threaten other apps
  o One app taking down another
  o Multiplicative SLA weakening
  o Very dynamic demand can stress other tenants
New types of security/service concerns
o APIs
  o Conscious malicious rogue applications
  o Inadvertent usage of applications causing ability to access information inappropriately
  o Demand variations can be chaotic and result in wide SLAs
o Mobile
  o Loss of device
  o Containerization problems
  o Bad applications (like virus)
  o Employee termination issues
  o Hardware hijacking
New types of security/service concerns
o Personal Cloud (moving of my life to the cloud)
  o Type of information allowed may be inappropriate
  o Sharing less controlled by the enterprise
  o Termination – what happens to the information?
o Internet of things
  o Privacy
  o Potential damage to security depending on type of device (camera, GPS, activity tracking, cars, …)
o Social
  o Reputation risk
  o Lack of control of information shared by employees and others
I admit
o It’s tiring and scary to consider all the possibilities.
o So one has to take perspective.
  o You’re not 100% in control
  o You need to delegate but monitor
  o Being a good manager
Best Practices
o Segregate data and applications in a fine grained way and move to cloud incrementally as benefits promote adoption (see adoption slide)
o Establish Service Provider SLAs
  o Negotiate hard for transparency, not damages
  o Make demands
  o Ask questions, audit, stay involved
  o Do not settle for applications or vendors which don’t meet your security requirements. They will want your business and I bet many will adapt if asked with reasonable proposals
o Watch for changes in the risk profiles
  o As the cloud gains more and more adoption it is likely to start seeing more and more attacks, more sophisticated attacks
What is happening?
o SaaS
o API Management huge (mostly focused on external but internal growing)
o Reuse and Community collaboration
o BigData, data collection and intelligence
o PaaS Ecosystem and DevOps
o Mobile Apps
o iPaaS
o Personal Cloud / Internet of Things happening
Enterprise Reuse and Refactoring
o Most companies I see are doing this
o Reuse is hard
o It’s not just a registry
o Growing Mobile, API and Web service application storm presages new era in enterprise software
New Types of Security Available
o EMM (MDM, MAM)
  o Enterprise Mobility Management, provides control and monitoring of mobile devices
o API Management
  o App based security, fine grained authorization, SLA management
o Ecosystem Private PaaS
  o Control of information shared to partners as well as applications that use information
o Complex Event Processing
  o Detect complex events that indicate intrusion, theft, accidental behavior, suspicious behavior; alert, escalate
o 2 factor authentication, fine grained authorization
o New protocols and technologies support more control
o SDN
o Fingerprint scanners
WSO2 Commercial
o Completely Open Source – no enterprise versions
o The only complete composable API Centric Enterprise Application Platform
o Built entirely by WSO2
o Multi-tenant, Cloud Native, Componentized Integrated Platform
o Built to API Centric, BigData, Mobile, Social, Cloud, SOA Platform
WSO2 Commercial
o 200 customers worldwide
o In business 8 years
o Leading Enterprises in almost every vertical industry:
  o Retail, Aerospace, Health, Finance, Logistics, Telecommunications, Government, Travel, …
  o Ebay does 5 billion transactions/day on peak days on our servers
  o Boeing, Cisco and other industry leading companies are starting to build their future technology vision with WSO2
WSO2 Commercial
o Identity Management
  o WSO2 has a full suite of identity products supporting all new protocols and features
o EMM (Enterprise Mobility Management)
  o WSO2 has a full EMM suite with both device and application management
o Ecosystem PaaS
  o WSO2 is working with several industry leaders to create PaaS’s for their industry. This gives the leader control over the data and applications like Apple has for iOS Apps and also encourages development of communities with the first social enterprise store
o Hybrid Polyglot PaaS technology for sophisticated enterprise deployments
o API Management and Enterprise Store combining API, Mobile and Web services to promote API Centric Enterprises
o NSA for you – our bigdata and CEP technology gives you the ability to identify in real time and respond to security events
AND MORE. I have listed just the products relevant to security.
Conclusion
o We have seen the enemy and it is us.
o The issues for the cloud are the issues we deal with every day in the enterprise. It’s not a reason to not adopt the cloud.
o For more info on WSO2: wso2.com
o Services Oxygenated
o John Mathon: VP, Product Strategy
o john@wso2.com

 
How to fail in the IoT business
How to fail in the IoT businessHow to fail in the IoT business
How to fail in the IoT business
 
Navigating the Flood of BYOD
Navigating the Flood of BYODNavigating the Flood of BYOD
Navigating the Flood of BYOD
 
Facing the Future - Is the cloud right for you?
Facing the Future - Is the cloud right for you?Facing the Future - Is the cloud right for you?
Facing the Future - Is the cloud right for you?
 
Data Sovereignty, Security, and Performance Panacea: Why Mastercard Sets the ...
Data Sovereignty, Security, and Performance Panacea: Why Mastercard Sets the ...Data Sovereignty, Security, and Performance Panacea: Why Mastercard Sets the ...
Data Sovereignty, Security, and Performance Panacea: Why Mastercard Sets the ...
 
IEEE PHM Cloud Computing
IEEE PHM Cloud ComputingIEEE PHM Cloud Computing
IEEE PHM Cloud Computing
 
Overcoming The Biggest Barriers To Cloud Computing?
Overcoming The Biggest Barriers To Cloud Computing?Overcoming The Biggest Barriers To Cloud Computing?
Overcoming The Biggest Barriers To Cloud Computing?
 
Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a ...
Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a ...Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a ...
Cloud Industry Forum Report: Cloud for Business, Why Security is No Longer a ...
 
Top 10 Cloud Trends for 2017
Top 10 Cloud Trends for 2017Top 10 Cloud Trends for 2017
Top 10 Cloud Trends for 2017
 
2013 Technology Trends
2013 Technology Trends2013 Technology Trends
2013 Technology Trends
 
Identity and Access Management as a Service Gets Boost with SailPoint's Ident...
Identity and Access Management as a Service Gets Boost with SailPoint's Ident...Identity and Access Management as a Service Gets Boost with SailPoint's Ident...
Identity and Access Management as a Service Gets Boost with SailPoint's Ident...
 
1594884 - Pearson Education Limited ©Q7-8 2026 Within t.docx
1594884 - Pearson Education Limited ©Q7-8 2026 Within t.docx1594884 - Pearson Education Limited ©Q7-8 2026 Within t.docx
1594884 - Pearson Education Limited ©Q7-8 2026 Within t.docx
 

More from John Mathon

IOT Success depends on Integration
IOT Success depends on Integration IOT Success depends on Integration
IOT Success depends on Integration John Mathon
 
Enterprise platform 3.0v4 for webinar
Enterprise platform 3.0v4 for webinarEnterprise platform 3.0v4 for webinar
Enterprise platform 3.0v4 for webinarJohn Mathon
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns John Mathon
 
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...John Mathon
 
Iot my buy dont buy maybe
Iot my buy dont buy maybeIot my buy dont buy maybe
Iot my buy dont buy maybeJohn Mathon
 
Fraudless voting with blockchain
Fraudless voting with blockchainFraudless voting with blockchain
Fraudless voting with blockchainJohn Mathon
 
Wso2 con 2014 event driven architecture Publish/Subscribe Pubsub
Wso2 con 2014 event driven architecture Publish/Subscribe PubsubWso2 con 2014 event driven architecture Publish/Subscribe Pubsub
Wso2 con 2014 event driven architecture Publish/Subscribe PubsubJohn Mathon
 
Tesla iot case study
Tesla  iot case studyTesla  iot case study
Tesla iot case studyJohn Mathon
 
Choosing a dev ops paas platform svccd presentation v2 for slideshare
Choosing a dev ops paas platform svccd presentation v2 for slideshareChoosing a dev ops paas platform svccd presentation v2 for slideshare
Choosing a dev ops paas platform svccd presentation v2 for slideshareJohn Mathon
 
Choosing a dev ops paas platform
Choosing a dev ops paas platformChoosing a dev ops paas platform
Choosing a dev ops paas platformJohn Mathon
 
Wso2 con building the api centric enterprise - towards a connected business
Wso2 con   building the api centric enterprise - towards a connected businessWso2 con   building the api centric enterprise - towards a connected business
Wso2 con building the api centric enterprise - towards a connected businessJohn Mathon
 
Wso2 v ision api centric
Wso2 v ision api centricWso2 v ision api centric
Wso2 v ision api centricJohn Mathon
 

More from John Mathon (12)

IOT Success depends on Integration
IOT Success depends on Integration IOT Success depends on Integration
IOT Success depends on Integration
 
Enterprise platform 3.0v4 for webinar
Enterprise platform 3.0v4 for webinarEnterprise platform 3.0v4 for webinar
Enterprise platform 3.0v4 for webinar
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns
 
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...
Artificial Intelligence is back, Deep Learning Networks and Quantum possibili...
 
Iot my buy dont buy maybe
Iot my buy dont buy maybeIot my buy dont buy maybe
Iot my buy dont buy maybe
 
Fraudless voting with blockchain
Fraudless voting with blockchainFraudless voting with blockchain
Fraudless voting with blockchain
 
Wso2 con 2014 event driven architecture Publish/Subscribe Pubsub
Wso2 con 2014 event driven architecture Publish/Subscribe PubsubWso2 con 2014 event driven architecture Publish/Subscribe Pubsub
Wso2 con 2014 event driven architecture Publish/Subscribe Pubsub
 
Tesla iot case study
Tesla  iot case studyTesla  iot case study
Tesla iot case study
 
Choosing a dev ops paas platform svccd presentation v2 for slideshare
Choosing a dev ops paas platform svccd presentation v2 for slideshareChoosing a dev ops paas platform svccd presentation v2 for slideshare
Choosing a dev ops paas platform svccd presentation v2 for slideshare
 
Choosing a dev ops paas platform
Choosing a dev ops paas platformChoosing a dev ops paas platform
Choosing a dev ops paas platform
 
Wso2 con building the api centric enterprise - towards a connected business
Wso2 con   building the api centric enterprise - towards a connected businessWso2 con   building the api centric enterprise - towards a connected business
Wso2 con building the api centric enterprise - towards a connected business
 
Wso2 v ision api centric
Wso2 v ision api centricWso2 v ision api centric
Wso2 v ision api centric
 

Cloud security and cloud adoption public

1. Cloud Security and Technology Adoption
By John Mathon
February 28, 2014

2. About the Author
o I am a 30+ year veteran of the computer industry, 10 patents, publish / subscribe, founder of TIBCO, also have started a company in the DLP space as well as worked at one of the most secure companies (Bridgewater).
o I am not a security expert.
o I have implemented SaaS solutions in a number of companies including a company I founded and a large multibillion dollar company.

3. Introduction
o The statement that is heard frequently: “Cloud security is the biggest factor inhibiting adoption of the cloud in most companies.”
o The premise of this statement is that cloud security is a black hole or is much more risky than traditional enterprise security.

4. History
o New technologies that were described as being too insecure to do business with:
  o Internet and credit cards
  o Internet and email
  o Internet and business transactions
  o Electronic signatures
  o B2B
o I questioned the reality of these claims
o I believe I was right
o However, economic / business realities forced these things to happen
o So, are the following the same? Are they safe for personal or business use?
  o Cloud IaaS
  o Mobile devices
  o Cloud SaaS applications
  o Cloud data storage
  o Cloud PaaS
  o Internet of Things
  o Personal Cloud

5. The Cloud is a large business today, growing very fast considering its size
o Today
  o IaaS - $6 billion 2013 business (8 years from start)
  o 136% annual growth rate today
  o SaaS companies - $130 billion
  o Mobile – 1.5 billion smartphones
  o Social – 1.2 billion followers (22% of world population, 50% of US population)
o Future 2017 (4 years)
  o Total cloud services: $0.5 trillion (4X)
  o IaaS - $100 billion (16X)
  o PaaS - $14 billion (40X)
  o SaaS - $0.4 trillion (3X)
  o 2/3rds of all workloads will be processed in the cloud (*Cisco)
  o 3 billion smartphones

6. Cloud Adoption
o 9/2013: According to a survey from Spiceworks, 70% of IT professionals are using cloud-based web hosting applications, with 60% using cloud-based security and 30% backup applications.
o Numbers climbing very fast, with near universal adoption possible within a few years
o http://www.computerweekly.com/news/2240206038/70-of-IT-professionals-using-cloud-at-work

7. Why is the Cloud growing so fast?
o For small companies
  o Less capital needed
  o Grow as fast as your business
  o Self service / DevOps
  o Cloud providers provide superior service to in-house
o For large companies
  o Less capital needed means faster to market
  o DevOps efficiencies to compete and be more nimble
  o Less excess hardware - a waste of energy, money, space, time…
  o SaaS apps can increase productivity
  o APIs, Social, Cloud Services enable new lines of revenue

8. The potential is almost incalculable in just the next 5-7 years
o Datacenters of 50% of companies in the world
o SaaS/PaaS and other services
  o Becoming the dominant and maybe only way most software is delivered
o Other impacts
  o Social, behavioral
  o Life without the cloud will be essentially impossible for most people

9. Why is this overwhelmingly good?
o Most companies are not/should not be managing technology at the level they are
  o They are not competent at security, cost management, optimization or technology in general
  o Vast underutilization of what they acquire
  o Unnecessary duplicative work of many people doing the same technology over and over
  o Technology that is being used way beyond its productive life
o Universal connectivity - people, things, applications
o Network effect - spurring massive cascading unpredictable innovation
  o Possibly not all positive
o Overall huge cost savings and improved efficiency
o Due to the first and second points the US/world economy will see massive gains in productivity and improvements in services and technology usage

10. Financial Firms have a higher standard
o Generally well endowed compared to many other businesses.
o Federal regulation, international regulation (Basel and individual country rules) and state regulation.
o Fines assessed regularly.
o Financial data is among the most sensitive and private of all information of any corporation. Of great concern to customers.
o 37% of all breaches (2012*)
*http://www.verizonenterprise.com/DBIR/2013/

11. Other Industries with similar constraints:
o Health
o Aerospace

12. Ecosystem PaaS’s
o Boeing Ecosystem PaaS
  o Encourage airlines to buy Boeing airplanes
  o Create a PaaS for all airlines and service providers
  o Make it easier to buy Boeing, cheaper and easier to run an airline with Boeing airplanes
o Cars
  o Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX
o Entertainment
o Finance

13. Should you adopt a technology?
Technology | Benefit or Cost
Gives employees choice (BYOD, applications, …) | Increased productivity (and morale, retention)
Is better than an internal technology | Increased productivity (anything from slight to huge benefit)
Is necessary for business with customers or partners | Increased sales (unavoidable)
Saves money over internal service | Reduced costs (depends if productivity improvement or loss accompanies)
Faster time to market | Increased sales (potentially huge benefit)
Lack of cohesive common technology | Decreased productivity; increased support costs and difficult integration or sometimes collaboration
More expensive than internal service | Increasing costs (not very frequently true, especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost.
Increased security risk | Can be mitigated to some extent
14. These benefits can be substantial
o A new technology can easily give a 30% increase in productivity, reduced costs or increased income.
o In many cases it is not optional to use a certain technology, but how do we do it safely?
o Security must find ways to minimize the risk of the new technology.

15. The point of this talk is perspective
o Security is part of a business decision
o The cloud will be made safe for business
o A strategy to minimize risk and maximize adoption by segregating information and applications in a fine grained way, as they make sense to migrate, is essential
o The safety of the cloud is not great, but it is no worse than where we are in business, possibly better. This may be sad but it is expected in my opinion.

16. Agenda
o What is the cloud?
o Security in general
o Cloud vs Enterprise
o Best practices to adopt cloud services
o Enhanced security services for the cloud

17. What is the cloud? Many things
o IaaS and infrastructure services (compute, data)
  o *6B 2013, 136% annual YOY growth
o SaaS (web services and applications)
  o APIs (at least 20,000 today, doubling annually)
o PaaS and platform services (iPaaS, DaaS, APIMaaS, BPMaaS…)
  o *14B by 2016
o Mobile apps, web and BaaS
o Personal Cloud
o Internet of Things
*Gartner, 2013

18. Not all information is the same
o Customer information
  o Extremely sensitive customer information
    o Passwords, PINs, personal data, health data, SS#
o Company employee information
  o Extremely sensitive employee information
    o Passwords, SS#
o Company information
  o Extremely sensitive company information
    o Sales projections, roadmaps, customer interactions, information that you would be liable for releasing
  o Information that gives you significant market advantage

19. Risks you face:
o Loss of personal data of employees
o Loss of customer personal data
o Loss of corporate data that results in lost business (customers upset, competitors find advantage)
o Loss of service (caused by security lapse)
o Lawsuits (loss of data/service related)
o Fines (loss of data/service considered regulated)
o Reputation damage
o Transitive loss (you help someone compromise someone else)
o And more…

20. Sources of loss (irrespective of cloud or not cloud)
o Technology
  o External hacking
  o Infection / malware
  o Denial of service
o Processes
  o Physical penetration or data lost in transit
  o Poor IT practices
o People
  o Internal
  o Employee mistakes / phishing

21. The Enterprise “physical and electronic” 4 walls is being continuously eroded by new stuff:
o Employees taking home data, or electronics that contain data (cell phones, USB, computers, …)
o SaaS (corporate data contained within)
o APIs and web services, EDI or partner electronic interfaces
o Personal Cloud
o Internet of Things (coming)
o Cloud services (IaaS)
o Higher level cloud services (PaaS and other)
o Social - discussion boards, Twitter
o Skunkworks/unauthorized use:
  o Personal Cloud (Dropbox, Google Docs and Apps, …)
  o POCs being done in PaaS or IaaS environments
  o Enterprise apps being used with corporate data
  o Interactions with partners through the cloud
o The people who violate controls most: IT people and executives
22. 2013 Examples of breaches
Cloud | Severity | Attack | Company | Loss
Not Cloud | Major | Undisclosed | Target, Adobe | 200+ million email, passwords, credit stolen, Adobe source code
Cloud | Major | Malware | Facebook, Dropbox, Linkedin | 8 million emails and passwords lost
Not Cloud | Major | Internal | Federal Reserve, NSA, Dept Homeland Sec | Secrets disclosed, personal information
Not Cloud | Major | Internal | Goldman Sachs | Trading algorithms stolen
Cloud | Minor | Human error | NYTimes, Twitter, Cloudflare | Google email reset policies allowed individuals to be hacked
Cloud | Minor | API penetration | Linkedin | Thousands of profiles
http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#

23. 2013 Examples of breaches
Cloud | Severity | Attack | Company | Loss
Cloud | Minor | Outage | Amazon | Heroku didn’t have multiple regions
Not Cloud | Minor | Undisclosed | Department of Energy | 53,000 employee records
Not Cloud | Major | Physical penetration | Advocate Medical Group | 4 million medical records lost
Cloud | Major | Human error | CorporateCarOnline | 850,000 credit cards, personal information
Cloud | Minor | Human error | MongoHQ | Thousands of emails
http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
24. Cloud vs Enterprise
o Anything that can be accessed from the outside is under identical attack*
o However, on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8.*
o After looking at both, there is no proof that cloud computing is any more of a security risk than traditional internet usage. The research in this paper has shown that there is no significant difference that makes one better than the other.**
o It is not provable that the cloud is less secure than enterprise security
o *http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
o **http://www.cameron.edu/uploads/34/f4/34f4b845dca4fb2125ba03f0964efed1/3.pdf / Cloud Computing vs Traditional Internet Setting: Which One is More Secur

25. Security is a problem
o At least 200+ million emails disclosed with passwords. Credit cards of at least 40-80 million people, with social security numbers in some cases.
o Medical records for 4 million people.
o Average of 60 attacks / year reported
o 37% of breaches affected financial organizations
o 14% insiders
o 19% China related breaches
o 35% involve physical compromise
o 76% exploited weak passwords
o Vulnerability discovered to patch: 25-60 days at enterprises!
A very high percentage of these losses are non-cloud, possibly as high as 80%
It is unclear what percentage of private companies disclose breaches
Cloud companies are required by law to disclose any loss*
*http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state

26. Cloud Companies are responding to threats
o Most cloud companies now enforce multi-factor authentication
o Most cloud companies employ encryption with salted passwords
o Google and others changing policies on password resets
o AWS wiping disks now as default
o The feeling is the cloud service companies are learning and becoming more and more astute
o What we really need is transparency!

27. Cloud is theoretically worse on security
o Ability to attack from anywhere and by anyone could lead to many more attacks
o Specific cloud-based attacks such as exploiting virtual machine vulnerabilities, building mobile apps to exploit APIs
o Ubiquitous connectivity seems to imply more chance for attacks –
  o yet so far not the case

28. I am not saying:
o Cloud companies are all safer generically
o All private companies’ enterprise security is rotten
o That cloud is better than enterprise for security if enterprise is done well

29. I am saying:
o Cloud is not blatantly more insecure than enterprises
o For whatever reason the attention of hackers has not become focused on cloud YET, because the number of incidents and severity is still clearly more in the enterprise
o Some cloud companies are way better than many enterprises in security today
o For the vast majority of companies, large and small, the cloud is probably better

30. Cloud Companies use the same technology and approaches as private companies
o Antivirus / malware detection / scanning
o Patching regimes
o Audits / penetration testing
o Personnel training
o DLP technology / hardware
o Multiple authentication schemes
o Automated event detection
o Multiple region backups / DR
o Physical security

31. Vast majority of non-cloud companies not competent in security*
*http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
This is NOT true in finance companies like Fidelity …hopefully

32. Actual Losses – some data
o 400 cases of fraudulent ACH transactions of $255 million with actual loss of $85 million
o July 2009, two U.S. stock exchanges were victims of a sustained DDoS attack
o Outages have real cost
o Adobe lost actual source code for Photoshop
o Reputation risk is an extreme concern

33. The cloud is not a black hole of security
o No evidence cloud computing IS riskier than enterprise based computing
o More attacks reported, both anecdotally and statistically, as well as admitted by private companies than by companies using cloud services
o Full disclosure at private companies doubtful
o Over the last 4 years, as incidents happen, the strength of cloud security has increased. Most companies now support 2 factor authentication, for instance. But problems clearly still exist.

34. Cloud vs NonCloud Security

35. Nine Top Threats
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Source: Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013 (© 2013, Cloud Security Alliance. All rights reserved.) http://bit.ly/1brlej6
Infoworld 2/2013 http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428

36. Cloud Specific Security Concerns
o Data from one company leaking to another (multi-tenancy isolation failure)
o Demand from one company leaking to another (poor service)
o Inability to control specific policies and personnel or change them at will
o Lack of transparency
o Inability to conduct effective investigations
o Naïveté in using the cloud*
o *http://blog.cloudpassage.com/2012/09/13/10-mom-didnt-warn-cloud/

38. Cloud Services
o Let’s look at various types of cloud services and specific security concerns that don’t necessarily exist in the enterprise

39. aaS’es
o IaaS
  o Multi-tenancy isolation failures
  o Virtualization vulnerabilities
o SaaS
  o Multi-tenancy isolation failures
o PaaS - poorly behaving apps can threaten other apps
  o One app taking down another
  o Multiplicative SLA weakening
  o Very dynamic demand can stress other tenants

40. New types of security/service concerns
o APIs
  o Conscious malicious rogue applications
  o Inadvertent usage of applications causing ability to access information inappropriately
  o Demand variations can be chaotic and result in wide SLAs
o Mobile
  o Loss of device
  o Containerization problems
  o Bad applications (like a virus)
  o Employee termination issues
  o Hardware hijacking

41. New types of security/service concerns
o Personal Cloud (moving of my life to the cloud)
  o Type of information allowed may be inappropriate
  o Sharing less controlled by the enterprise
  o Termination – what happens to the information?
o Internet of Things
  o Privacy
  o Potential damage to security depending on type of device (camera, GPS, activity tracking, cars, …)
o Social
  o Reputation risk
  o Lack of control of information shared by employees and others

42. I admit
o It’s tiring and scary to consider all the possibilities.
o So one has to take perspective.
o You’re not 100% in control
o You need to delegate but monitor
o Being a good manager

43. Best Practices
o Segregate data and applications in a fine grained way and move to the cloud incrementally as benefits promote adoption (see adoption slide)
o Establish service provider SLAs
  o Negotiate hard for transparency, not damages
o Make demands
  o Ask questions, audit, stay involved
  o Do not settle for applications or vendors which don’t meet your security requirements. They will want your business and I bet many will adapt if asked with reasonable proposals
o Watch for changes in the risk profiles
  o As the cloud gains more and more adoption it is likely to start seeing more and more attacks, more sophisticated attacks

44. What is happening?
o SaaS
o API Management huge (mostly focused on external, but internal growing)
o Reuse and community collaboration
o BigData, data collection and intelligence
o PaaS ecosystem and DevOps
o Mobile apps
o iPaaS
o Personal Cloud / Internet of Things happening

45. Enterprise Reuse and Refactoring
o Most companies I see are doing this
o Reuse is hard
  o It’s not just a registry
o Growing mobile, API and web service application storm presages a new era in enterprise software

46. New Types of Security Available
o EMM (MDM, MAM) – Enterprise Mobility Management, provides control and monitoring of mobile devices
o API Management – app based security, fine grained authorization, SLA management
o Ecosystem private PaaS – control of information shared to partners as well as applications that use information
o Complex Event Processing – detect complex events that indicate intrusion, theft, accidental behavior, suspicious behavior; alert, escalate
o 2 factor authentication, fine grained authorization
o New protocols and technologies support more control
  o SDN
  o Fingerprint scanners
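Slide 46 lists complex event processing as a way to detect intrusion and suspicious behavior and then alert or escalate, and slide 35 names account hijacking as a top cloud threat. As an added example that is not from the deck or from any WSO2 product, the detector below correlates constructed authentication events per account: a burst of failed logins raises a warning, and a success from a previously unseen country right after that burst, or right after a password reset (the reset-policy weakness slide 22 mentions), escalates. The event schema, thresholds and rule names are all assumptions made for the example.

```python
"""Added example: a minimal complex-event-processing style detector that
correlates authentication events per account. Event schema, thresholds and
rule names are constructed for illustration (not from the slides or WSO2)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed timestamps below)
    user: str
    action: str      # "login_fail", "login_ok" or "pw_reset"
    country: str     # geolocation of the client, as the auth service saw it


@dataclass(frozen=True)
class Alert:
    ts: int
    user: str
    rule: str
    severity: str    # "warn" or "escalate"


class AuthDetector:
    """Stateful per-account correlation of login failures, resets and successes."""

    def __init__(self, fail_threshold=5, window=300):
        self.fail_threshold = fail_threshold   # failures that make a burst
        self.window = window                   # correlation window in seconds
        self._fails = defaultdict(deque)       # user -> timestamps of recent failures
        self._known = defaultdict(set)         # user -> countries seen on success
        self._reset_at = {}                    # user -> ts of last password reset
        self._burst_at = {}                    # user -> ts when a burst was flagged

    def process(self, ev):
        """Consume one event; return the (possibly empty) list of alerts it raises."""
        alerts = []
        if ev.action == "login_fail":
            q = self._fails[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) == self.fail_threshold:         # fire once when the burst forms
                self._burst_at[ev.user] = ev.ts
                alerts.append(Alert(ev.ts, ev.user, "failed_login_burst", "warn"))
        elif ev.action == "pw_reset":
            self._reset_at[ev.user] = ev.ts
        elif ev.action == "login_ok":
            known = self._known[ev.user]
            # A first-ever login has no baseline, so it never counts as "new".
            new_country = bool(known) and ev.country not in known
            burst = self._burst_at.get(ev.user)
            reset = self._reset_at.get(ev.user)
            if new_country and burst is not None and ev.ts - burst <= self.window:
                # success from an unseen location right after a burst of failures
                alerts.append(Alert(ev.ts, ev.user, "hijack_after_burst", "escalate"))
            elif new_country and reset is not None and ev.ts - reset <= self.window:
                # reset-flow abuse: unseen location logs in right after a password reset
                alerts.append(Alert(ev.ts, ev.user, "hijack_after_reset", "escalate"))
            elif new_country:
                alerts.append(Alert(ev.ts, ev.user, "new_country_login", "warn"))
            known.add(ev.country)
            self._fails[ev.user].clear()
            self._burst_at.pop(ev.user, None)
        return alerts


def run(events, **detector_kwargs):
    """Replay events in time order through a fresh detector; return all alerts."""
    det = AuthDetector(**detector_kwargs)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(det.process(ev))
    return out


# Constructed sample stream (not real log data).
SAMPLE_EVENTS = [
    AuthEvent(0, "alice", "login_ok", "US"),
    AuthEvent(1, "bob", "login_ok", "US"),
    AuthEvent(2, "carol", "login_ok", "US"),
    *[AuthEvent(100 + i, "alice", "login_fail", "RU") for i in range(5)],
    AuthEvent(110, "alice", "login_ok", "RU"),     # hijack after burst
    AuthEvent(200, "bob", "pw_reset", "US"),
    AuthEvent(250, "bob", "login_ok", "BR"),       # hijack after reset
    AuthEvent(300, "carol", "login_ok", "DE"),     # plain new-country warning
    *[AuthEvent(400 + i, "dave", "login_fail", "US") for i in range(3)],
    AuthEvent(410, "dave", "login_ok", "US"),      # below threshold, no baseline
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"t={a.ts:<4} {a.severity:<8} {a.user:<6} {a.rule}")
```

On the sample stream the detector emits four alerts (two warnings, two escalations); lowering fail_threshold to 3 adds a warning for dave but no escalation, because dave has no location baseline yet.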
47. WSO2 Commercial
o Completely open source – no enterprise versions
o The only complete composable API centric enterprise application platform
o Built entirely by WSO2
o Multi-tenant, cloud native, componentized integrated platform
o Built for API centric, BigData, mobile, social, cloud, SOA platform

48. WSO2 Commercial
o 200 customers worldwide
o In business 8 years
o Leading enterprises in almost every vertical industry:
  o Retail, aerospace, health, finance, logistics, telecommunications, government, travel, …
o eBay does 5 billion transactions/day on peak days on our servers
o Boeing, Cisco and other industry leading companies are starting to build their future technology vision with WSO2

49. WSO2 Commercial
o Identity Management
  o WSO2 has a full suite of identity products supporting all new protocols and features
o EMM (Enterprise Mobility Management)
  o WSO2 has a full EMM suite with both device and application management
o Ecosystem PaaS
  o WSO2 is working with several industry leaders to create PaaS’s for their industry. This gives the leader control over the data and applications, like Apple has for iOS apps, and also encourages development of communities with the first social enterprise store
  o Hybrid polyglot PaaS technology for sophisticated enterprise deployments
o API Management and Enterprise Store combining API, mobile and web services to promote API centric enterprises
o NSA for you – our BigData and CEP technology gives you the ability to identify in real time and respond to security events
AND MORE. I have listed just the products relevant to security.

50. Conclusion
o We have seen the enemy and it is us.
o The issues for the cloud are the issues we deal with every day in the enterprise. It’s not a reason to not adopt the cloud.
o For more info on WSO2: wso2.com
o Services Oxygenated
o John Mathon: VP, Product Strategy
o john@wso2.com