Cloud Security and Technology Adoption
By John Mathon
February 28, 2014
About the Author
o I am a 30+ year veteran of the computer
industry, 10 patents, publish / subscribe,
founder of TIBCO, also have started a
company in the DLP space as well as worked
at one of the most secure companies
(Bridgewater).
o I am not a security expert.
o I have implemented SaaS solutions in a
number of companies including a company I
founded and a large multibillion dollar
company.
Introduction
o The statement that is heard frequently:
“Cloud security is the biggest factor inhibiting
adoption of the cloud in most companies.”
o The premise of this statement is that cloud
security is a black hole or is much more risky
than traditional enterprise security.
History
o New Technologies that were described as being too insecure to do business with:
o Internet and credit cards
o Internet and email
o Internet and business transactions
o Electronic Signatures
o B2B
o I questioned the reality of these claims
o I believe I was right
o However, economic / business realities forced these things to happen
o So, are the following the same? Are they safe for personal or business use?
o Cloud IaaS
o Mobile Devices
o Cloud SaaS applications
o Cloud Data Storage
o Cloud PaaS
o Internet of Things
o Personal Cloud
The Cloud is a large business today growing
very fast considering its size
o Today
o IaaS - $6 billion business in 2013 (8 years from start)
o 136% annual growth rate today
o SaaS companies - $130 billion
o Mobile – 1.5 billion smartphones
o Social – 1.2 billion followers (22% of world population, 50% of US population)
o Future 2017 (4 years)
o Total Cloud Services: $0.5 trillion (4X)
o IaaS - $100 billion (16X)
o PaaS - $14 billion (40X)
o SaaS - $0.4 trillion (3X)
o 2/3rds of all workloads will be processed in the cloud (*Cisco)
o 3 billion smartphones
Cloud Adoption
o 9/2013: According to a survey from Spiceworks, 70% of IT professionals
are using cloud-based web hosting applications, 60% are using cloud-based
security applications and 30% cloud-based backup applications.
o Numbers climbing very fast with near universal
adoption possible within a few years
o http://www.computerweekly.com/news/2240206038/70-of-IT-professionals-using-cloud-at-work
Why is the Cloud growing so fast?
o For Small Companies
o Less capital needed
o Grow as fast as your business
o Self Service / DevOps
o Cloud providers provide superior service to in-house
o For Large Companies
o Less Capital needed means faster to market
o DevOps efficiencies to compete and be more nimble
o Less excess hardware - a waste of energy, money, space, time…
o SaaS apps can increase productivity
o APIs, Social, Cloud Services enable new lines of revenue
The potential is almost incalculable in just
the next 5-7 years
o Datacenters of 50% of companies in the world
o SaaS/PaaS and other services
o Becoming the dominant and maybe only way
most software is delivered
o Other impacts
o Social, Behavioral
o Life without the cloud will be essentially
impossible for most people
Why is this overwhelmingly good?
o Most companies are not/should not be managing
technology at the level they are
o They are not competent at security, cost management, optimization or technology in general
o Vast underutilization of what they acquire
o Unnecessary duplicative work, with many people doing the same technology over and over
o Technology that is being used way beyond its productive life
o Universal Connectivity - People, Things, Applications
o Network Effect - Spurring massive cascading unpredictable
innovation
o Possibly not all positive
o Overall huge cost savings and improved efficiency
o Due to the first and second points the US/World economy
will see massive gains in productivity and improvements in
services and technology usage
Financial Firms have a higher standard
o Generally well endowed compared to many
other businesses.
o Federal regulation, International regulation
(Basel and individual country rules) and State
regulation.
o Fines assessed regularly.
o Financial data among the most sensitive and
private of all information of any corporation.
Of great concern to customers.
o 37% of all breaches (2012*)
*http://www.verizonenterprise.com/DBIR/2013/
Other Industries with similar constraints:
o Health
o Aerospace
Ecosystem PaaS’s
o Boeing Ecosystem PaaS
o Encourage airlines to buy Boeing Airplanes
o Create a PaaS for all Airlines and service providers
o Make it easier to buy Boeing, cheaper easier to
run an airline with Boeing airplanes
o Cars
o Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX
o Entertainment
o Finance
Should you adopt a technology?
Technology                                       | Benefit or Cost
Gives employees choice (BYOD, applications, …)   | Increased productivity (and morale, retention)
Is better than an internal technology            | Increased productivity (anything from slight to huge benefit)
Is necessary for business with customers or partners | Increased sales (unavoidable)
Saves money over internal service                | Reduced costs (depends on whether a productivity improvement or loss accompanies it)
Faster time to market                            | Increased sales (potentially huge benefit)
Lack of cohesive common technology               | Decreased productivity; increased support costs and difficult integration or sometimes collaboration
More expensive than internal service             | Increasing costs (not very frequently true, especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost.
Increased security risk                          | Can be mitigated to some extent
These benefits can be substantial
o A new technology can easily give a 30%
increase in productivity, reduced costs or
increased income.
o In many cases it is not optional to use a
certain technology, but how do we do it
safely?
o Security must find ways to minimize risk of the
new technology.
The point of this talk is perspective
o Security is part of a business decision
o The cloud will be made safe for business
o A strategy to minimize risk and maximize adoption
by segregating information and applications in a
fine grained way as they make sense to migrate is
essential
o The safety of the cloud is not great but it is no
worse than where we are in business, possibly
better. This may be sad but it is expected in
my opinion.
Agenda
o What is the cloud?
o Security in General
o Cloud vs Enterprise
o Best practices to adopt cloud services
o Enhanced Security Services for the Cloud
What is the cloud? Many things
o IaaS and Infrastructure Services (compute, data)
o *6B 2013, 136% annual YOY growth
o SaaS (Web Services and applications)
o APIs (at least 20,000 today doubling annually)
o PaaS and Platform Services (iPaaS, DaaS,
APIMaaS, BPMaaS…)
o *14B by 2016
o Mobile Apps, Web and BaaS
o Personal Cloud
o Internet of Things
*Gartner, 2013
Not all information is the same
o Customer information
o Extremely sensitive customer information
o Passwords, pins, personal data, health data, SS#
o Company employee information
o Extremely sensitive employee information
o passwords, SS#
o Company information
o Extremely sensitive company information
o Sales projections, roadmaps, customer interactions,
information that you would be liable for releasing
o Information that gives you significant market
advantage
Risks you face:
o Loss of personal data of employees
o Loss of customer personal data
o Loss of Corporate data that results in lost business
(customers upset, competitors find advantage)
o Loss of Service (Caused by security lapse)
o Lawsuits (loss of data/service related)
o Fines (Loss of data/service considered regulated)
o Reputation Damage
o Transitive Loss (you help someone compromise
someone else)
o And more…
Sources of loss
(irrespective of cloud or not cloud)
o Technology
o External hacking
o Infection / malware
o Denial of service
o Processes
o Physical penetration or data lost in transit
o Poor IT Practices
o People
o Internal
o Employee mistakes / phishing
The Enterprise “physical and electronic” 4 walls is
being continuously eroded by new stuff:
o Employees taking home data or electronics that contain data on
them (cell phones, USB, computers, …)
o SaaS (corporate data contained within)
o APIs and Web services, EDI or partner electronic interfaces
o Personal Cloud
o Internet of Things (coming)
o Cloud Services (IaaS)
o Higher level Cloud Services (PaaS and other)
o Social - Discussion boards, twitter
o Skunkworks/Unauthorized use:
o Personal Cloud(Dropbox, Google docs and apps, …)
o POC’s being done in PaaS or IaaS environments
o Enterprise Apps being used with corporate data
o Interactions with partners through cloud
o The people who violate controls most : IT people and executives
2013 Examples of breaches
Cloud     | Severity | Attack          | Company                                  | Loss
Not Cloud | Major    | undisclosed     | Target, Adobe                            | 200+ million email, passwords, credit stolen, Adobe source code
Cloud     | Major    | Malware         | Facebook, Dropbox, Linkedin              | 8 million emails and passwords lost
Not Cloud | Major    | Internal        | Federal Reserve, NSA, Dept Homeland Sec  | Secrets disclosed, personal information
Not Cloud | Major    | Internal        | Goldman Sachs                            | Trading algorithms stolen
Cloud     | Minor    | Human Error     | NYTimes, Twitter, Cloudflare             | Google email reset policies allowed individuals to be hacked
Cloud     | Minor    | API Penetration | Linkedin                                 | Thousands of profiles
http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
2013 Examples of breaches
Cloud     | Severity | Attack               | Company                | Loss
Cloud     | Minor    | Outage               | Amazon                 | Heroku didn't have multiple regions
Not Cloud | Minor    | undisclosed          | Department of Energy   | 53,000 employee records
Not Cloud | Major    | Physical Penetration | Advocate Medical Group | 4 million medical records lost
Cloud     | Major    | Human Error          | CorporateCarOnline     | 850,000 credit cards, personal information
Cloud     | Minor    | Human Error          | MongoHQ                | Thousands of emails
http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
Cloud vs Enterprise
o Anything that can be accessed from the outside is under identical attack*
o However, on-premises environment users or customers actually suffer
more incidents than those of service provider environments. On-premises
environment users experience an average of 61.4 attacks, while service
provider environment customers averaged only 27.8.*
o After looking at both, there is no proof that cloud computing is any more
of a security risk than traditional internet usage. The research in this paper
has shown that there is no significant difference that makes one better
than the other.
o It is not provable that the cloud is less secure than enterprise security
o *http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
o **http://www.cameron.edu/uploads/34/f4/34f4b845dca4fb2125ba03f0964efed1/3.pdf / Cloud Computing vs Traditional Internet Setting: Which One is More Secur
Security is a problem
o At least 200+ million emails disclosed with passwords. Credit
cards of at least 40-80 million people, with social security numbers in
some cases.
o Medical records for 4 million people.
o Average of 60 attacks / year reported
o 37% of breaches affected financial organizations
o 14% insiders
o 19% china related breaches
o 35% involve physical compromise
o 76% exploited weak passwords
o vulnerability discovered to patch: 25-60 days at enterprises!
A Very High Percentage of these losses are non-cloud, possibly as
high as 80%
It is unclear what percentage of private companies disclose
breaches
Cloud Companies are required by law to disclose any loss*
*http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state
Cloud Companies are responding to
threats
o Most cloud companies now enforce multi-factor authentication
o Most cloud companies employ encryption with salted passwords
o Google and others changing policies on
password resets
o AWS wiping disks now as default
o The feeling is the cloud service companies are
learning and becoming more and more astute
o What we really need is transparency!
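The salted-password point above is worth seeing concretely. The following is an added example written for this page, not code from the deck, from WSO2 or from any cloud provider; it assumes PBKDF2-HMAC-SHA256 as the salted, iterated scheme, a constructed iteration count, and two constructed accounts that deliberately share a password. It shows why a plain unsalted hash lets one precomputed table crack every user with that password, while a per-user random salt plus a slow key-derivation function does not, and how verification recomputes the digest from the stored salt and compares it in constant time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts for the demonstration; not real credentials.
# alice and bob deliberately share a password to show what salting buys you.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Assumed work factor for the key-derivation function; raise it as hardware allows.
PBKDF2_ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash.
    Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the salt and
    work factor travel with the stored value."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s$%d$%s$%s" % (SCHEME, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations_str, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_credential_store(users: Dict[str, str]) -> Dict[str, str]:
    """What a provider would persist: username -> salted hash record."""
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    store = build_credential_store(SAMPLE_USERS)
    print("unsalted digests equal:",
          unsalted_hash(SAMPLE_USERS["alice"]) == unsalted_hash(SAMPLE_USERS["bob"]))
    print("salted records equal:  ", store["alice"] == store["bob"])
    print("alice login ok:        ", verify_password(SAMPLE_USERS["alice"], store["alice"]))
    print("alice wrong password:  ", verify_password("password1", store["alice"]))
```

The record format carries the scheme name and iteration count with each hash, so the work factor can be raised later for new or re-verified passwords without invalidating existing records.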
Cloud is theoretically worse on security
o Ability to attack from anywhere and from
anyone could lead to many more attacks
o Specific cloud-based attacks such as exploiting
virtual machine vulnerability, building mobile
apps to exploit APIs
o Ubiquitous connectivity seems to imply more
chance for attacks –
o yet so far not the case
I am not saying:
o Cloud companies are all safer generically
o All Private companies enterprise security is
rotten
o That cloud is better than enterprise for
security if enterprise is done well
I am saying:
o Cloud is not blatantly more insecure than
enterprises
o For whatever reason the attention of hackers
has not become focused on cloud YET because
the number of incidents and severity is still
clearly more in the enterprise
o Some cloud companies are way better than
many enterprises in security today
o For the vast majority of companies large and
small the cloud is probably better
Cloud Companies use the same technology and
approaches as private companies
o Antivirus / Malware detection / Scanning
o Patching regimes
o Audits / Penetration testing
o Personnel training
o DLP technology / hardware
o Multiple authentication schemes
o Automated Event Detection
o Multiple Region backups / DR
o Physical Security
Vast majority of non-cloud companies not
competent in security*
*http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
This is NOT true in Finance
Companies like Fidelity …hopefully
Actual Losses – some data
o 400 cases of fraudulent ACH transactions of
$255 million with actual loss of $85 million
o July 2009, two U.S. stock exchanges were
victims of a sustained DDoS attack
o Outages have real cost
o Adobe lost actual source code for photoshop
o Reputation risk is an extreme concern
The cloud is not a black hole of security
o No evidence cloud computing IS riskier than
enterprise based computing
o More attacks reported both anecdotally,
statistically as well as admitted by private
companies than companies using cloud services
o Full disclosure at private companies doubtful
o Over the last 4 years as incidents happen the
strength of cloud security has increased. Most
companies now support 2 factor authentication
for instance. But problems clearly still exist.
Cloud vs NonCloud Security
Nine Top Threats
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
CLOUD SECURITY ALLIANCE The Notorious Nine: Cloud Computing Top Threats in 2013
© 2013, Cloud Security Alliance. All rights reserved. http://bit.ly/1brlej6
Infoworld 2/2013 http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428
Cloud Specific Security Concerns
o Data from one company leaking to another
(multi-tenancy isolation failure)
o Demand from one company leaking to
another (poor service)
o Inability to control specific policies and
personnel or change them at will
o Lack of transparency
o Inability to conduct effective investigations
o Naïveté in using the cloud*
o *http://blog.cloudpassage.com/2012/09/13/10-mom-didnt-warn-cloud/
Good Ideas
http://www.intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html
Cloud Services
o Let’s look at various types of Cloud Services
and specific security concerns that don’t exist
necessarily in the enterprise
aaS’es
o IaaS
o Multi-tenancy isolation failures
o Virtualization vulnerabilities
o SaaS
o Multi-tenancy isolation failures
o PaaS - Poorly behaving apps can threaten other apps
o One app taking down another
o Multiplicative SLA weakening
o Very dynamic demand can stress other tenants
New types of security/service concerns
o APIs
o Conscious Malicious Rogue Applications
o Inadvertent use of applications that makes it possible to access
information inappropriately
o Demand variations can be chaotic and result in wide
SLAs
o Mobile
o Loss of device
o Containerization problems
o Bad Applications (like virus)
o Employee termination issues
o Hardware hijacking
New types of security/service concerns
o Personal Cloud (moving of my life to the cloud)
o Type of information allowed may be inappropriate
o Sharing less controlled by the enterprise
o Termination – what happens to the information?
o Internet of things
o Privacy
o Potential damage to security depending on type of
device (camera, gps, activity tracking, cars, …)
o Social
o Reputation risk
o Lack of control of information shared by employees
and others
I admit
o It’s tiring and scary to consider all the
possibilities.
o So one has to take perspective.
o You’re not 100% in control
o You need to delegate but monitor
o Being a good manager
Best Practices
o Segregate data and applications in a fine grained way and
move to cloud incrementally as benefits promote adoption
(see adoption slide)
o Establish Service Provider SLAs
o Negotiate hard for transparency not damages
o Make demands
o Ask questions, audit, stay involved
o Do not settle for applications or vendors which don’t meet your
security requirements. They will want your business and I bet
many will adapt if asked with reasonable proposals
o Watch for changes in the risk profiles
o As the cloud gains more and more adoption it is likely to start
seeing more attacks, and more sophisticated attacks
What is happening?
o SaaS
o API Management huge (mostly focused on
external but internal growing)
o Reuse and Community collaboration
o BigData, data collection and intelligence
o PaaS Ecosystem and DevOps
o Mobile Apps
o iPaaS
o Personal Cloud / Internet of Things happening
Enterprise Reuse and Refactoring
o Most companies I see are doing this
o Reuse is hard
o It’s not just a registry
o Growing Mobile, API and Web service
application storm presages new era in
enterprise software
New Types of Security Available
o EMM (MDM, MAM) –
o Enterprise Mobility Management, provides control and monitoring of mobile devices
o API Management –
o app based security, fine grained authorization, SLA management
o Ecosystem Private PaaS
o Control of information shared to partners as well as applications
that use information
o Complex Event Processing
o Detect complex events that indicate intrusion, theft, accidental
behavior, suspicious behavior, alert, escalate
o 2 factor authentication, fine grained authorization
o New protocols and technologies support more control
o SDN
o Fingerprint scanners
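The Complex Event Processing bullet above (detect a pattern of events that indicates intrusion or account theft, then alert or escalate) maps onto the "Account Hijacking" threat listed earlier. The following is an added example written for this page, not code from the deck or from WSO2's CEP product; it assumes a constructed authentication log in a simple `timestamp user=... ip=... result=...` format and constructed policy thresholds. The complex event it looks for is a burst of failed logins for one user inside a short window followed by a successful login; a success from an address that did not appear among the failures is escalated rather than merely alerted. A plain count of failures would not distinguish a mistyped password from a guessed one; the success that follows is what makes the pattern worth a human's time.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed sample authentication events (timestamp user ip result);
# not output from any real product or from the deck's own tooling.
SAMPLE_LOG = """\
2014-02-28T09:00:01Z user=alice ip=10.1.1.5 result=FAIL
2014-02-28T09:00:09Z user=alice ip=10.1.1.5 result=FAIL
2014-02-28T09:00:15Z user=alice ip=10.1.1.5 result=FAIL
2014-02-28T09:00:20Z user=alice ip=10.1.1.5 result=FAIL
2014-02-28T09:00:31Z user=alice ip=10.9.9.9 result=SUCCESS
2014-02-28T09:05:00Z user=bob ip=10.2.2.9 result=FAIL
2014-02-28T09:05:40Z user=bob ip=10.2.2.9 result=SUCCESS
2014-02-28T09:40:00Z user=carol ip=10.3.3.3 result=FAIL
2014-02-28T09:40:10Z user=carol ip=10.3.3.3 result=FAIL
2014-02-28T09:40:20Z user=carol ip=10.3.3.3 result=FAIL
2014-02-28T09:55:00Z user=carol ip=10.3.3.3 result=SUCCESS
"""

# Assumed policy knobs: failures inside the window that make a following
# success suspicious, and the count at which a plain alert becomes an escalation.
FAIL_THRESHOLD = 3
WINDOW_SECONDS = 120
ESCALATE_AT = 2 * FAIL_THRESHOLD


def parse_event(line: str) -> Dict[str, object]:
    """Turn one log line into an event dict with a real datetime."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "ip": kv["ip"],
        "result": kv["result"],
    }


def detect_hijack_pattern(lines: Iterable[str],
                          threshold: int = FAIL_THRESHOLD,
                          window_seconds: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """Complex event: at least `threshold` FAILs for one user within the
    window, followed by a SUCCESS. Returns one alert per matched episode."""
    window = timedelta(seconds=window_seconds)
    recent_fails: Dict[str, Deque[dict]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        q = recent_fails[ev["user"]]
        # Slide the window: drop failures older than `window` before this event.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev)
            continue
        if ev["result"] == "SUCCESS" and len(q) >= threshold:
            failing_ips = {f["ip"] for f in q}
            new_ip = ev["ip"] not in failing_ips
            alerts.append({
                "user": ev["user"],
                "at": ev["ts"],
                "failures": len(q),
                "success_ip": ev["ip"],
                "new_ip": new_ip,
                # Escalate on a long burst or when the success came from an
                # address that was not part of the failing attempts.
                "action": "escalate" if (len(q) >= ESCALATE_AT or new_ip) else "alert",
            })
        q.clear()  # any success, suspicious or not, ends the episode
    return alerts


if __name__ == "__main__":
    for alert in detect_hijack_pattern(SAMPLE_LOG.splitlines()):
        print("%(action)s: user=%(user)s failures=%(failures)d success_ip=%(success_ip)s "
              "new_ip=%(new_ip)s at=%(at)s" % alert)
```

With the default two-minute window only alice's episode fires (four failures, then a success from an address not seen among the failures, so it is escalated); bob's single mistake is ignored and carol's three failures have aged out of the window by the time her success arrives fifteen minutes later. Widening the window to an hour makes carol's episode match as well, which is the usual tuning trade-off between catching slow, patient attempts and drowning the team in alerts.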
WSO2 Commercial
o Completely Open Source – No enterprise
versions
o The only complete composable API Centric
Enterprise Application Platform
o Built entirely by WSO2
o Multi-tenant, Cloud Native, Componentized
Integrated Platform
o Built to API Centric, BigData, Mobile, Social,
Cloud, SOA Platform
WSO2 Commercial
o 200 customers worldwide
o In business 8 years
o Leading Enterprises in almost every vertical
industry:
o Retail, Aerospace, Health, Finance, Logistics,
Telecommunications, Government, Travel, …
o Ebay does 5 billion transactions/day on peak days on
our servers
o Boeing, Cisco and other industry leading companies
are starting to build their future technology vision
with WSO2
WSO2 Commercial
o Identity Management
o WSO2 has full suite of identity products supporting all new protocols and
features
o EMM (Enterprise Mobility Management)
o WSO2 has a full EMM suite with both device and application management
o Ecosystem PaaS
o WSO2 is working with several industry leaders to create PaaS’s for their
industry. This gives the leader control over the data and applications like
Apple has for iOS Apps and also encourages development of communities with
the first social enterprise store
o Hybrid Polyglot PaaS technology for sophisticated enterprise deployments
o API Management and Enterprise Store combining API, Mobile and Web
services to promote API Centric Enterprises
o NSA for you – our bigdata and CEP technology gives you the ability to
identify in real time and respond to security events
AND MORE. I have listed just the products relevant to security.
Conclusion
o We have seen the enemy and it is us.
o The issues for the cloud are the issues we deal
with everyday in the enterprise. It’s not a
reason to not adopt the cloud.
o For more info on WSO2: wso2.com
o Services Oxygenated
o John Mathon: VP, Product Strategy
o john@wso2.com

Cloud security and cloud adoption public

  • 1.
    Cloud Security andTechnology Adoption By John Mathon February 28, 2014
  • 2.
    About the Author oI am a 30+ year veteran of the computer industry, 10 patents, publish / subscribe, founder of TIBCO, also have started a company in the DLP space as well as worked at one of the most secure companies (Bridgewater). o I am not a security expert. o I have implemented SaaS solutions in a number of companies including a company I founded and a large multibillion dollar company.
  • 3.
    Introduction o The statementthat is heard frequently: “Cloud security is the biggest factor inhibiting adoption of the cloud in most companies.” o The premise of this statement is that cloud security is a black hole or is much more risky than traditional enterprise security.
  • 4.
    History o New Technologiesthat were described as being too insecure to do business with: o Internet and credit cards o Internet and email o Internet and business transactions o Electronic Signatures o B2B o I questioned the reality of these claims o I believe I was right o However, economic / business realities forced these things to happen o So, are the following the same? Are they safe for personal or business use? o Cloud IaaS o Mobile Devices o Cloud SaaS applications o Cloud Data Storage o Cloud PaaS o Internet of Things o Personal Cloud
  • 5.
    The Cloud isa large business today growing very fast considering it’s size o Today o IaaS - $6Billion 2013 business (8yrs from start) o 136% annual growth rate today o SaaS companies - $130Billion o Mobile – 1.5 Billion smartphones o Social – 1.2 Billion followers (22% of world population, 50% of US population) o Future 2017 (4 years) o Total Cloud Services: $0.5Trillion (4X) o IaaS - $100Billion (16X) o PaaS - $14Billion (40X) o SaaS - $0.4Trillion (3X) o 2/3rds of all workloads will be processed in the cloud (*Cisco) o 3 Billion smartphones
  • 6.
    Cloud Adoption o 9/2013According to a survey from Spiceworks, 70% of IT professionals are using cloud-based web hosting applications, with 60% using cloud-based security and 30% backup applications. o Numbers climbing very fast with near universal adoption possible within a few years o http://www.computerweekly.com/news/2240206038/70-of-IT-professionals-using-cloud-at-work
  • 7.
    Why is theCloud growing so fast? o For Small Companies o Less capital needed o Grow as fast as your business o Self Service / DevOps o Cloud providers provide superior service to in-house o For Large Companies o Less Capital needed means faster to market o DevOps efficiencies to compete be more nimble o Less Excess hardware - A waste of energy, money, space, time… o SaaS apps can increase productivity o APIs, Social, Cloud Services enable new lines of revenue
  • 8.
    The potential isalmost incalculable in just the next 5-7 years o Datacenters of 50% of companies in the world o SaaS/PaaS and other services o Becoming the dominant and maybe only way most software is delivered o Other impacts o Social, Behavioral o Life without the cloud will be essentially impossible for most people
  • 9.
    Why is thisoverwhelmingly good? o Most companies are not/should not be managing technology at the level they are o They are not competent at security, cost management, optimization or technology in general o vastly underutilization of what they acquire o unnecessary duplicative work of many people doing the same technology over and over o technology that is being used way beyond it’s productive life. o Universal Connectivity - People, Things, Applications o Network Effect - Spurring massive cascading unpredictable innovation o Possibly not all positive o Overall huge cost savings and improved efficiency o Due to the first and second points the US/World economy will see massive gains in productivity and improvements in services and technology usage
  • 10.
    Financial Firms havea higher standard o Generally well endowed compared to many other businesses. o Federal regulation, International regulation (Basel and individual country rules) and State regulation. o Fines assessed regularly. o Financial data among the most sensitive and private of all information of any corporation. Of great concern to customers. o 37% of all breaches (2012*) *http://www.verizonenterprise.com/DBIR/2013/
  • 11.
    Other Industries withsimilar constraints: o Health o Aerospace
  • 12.
    Ecosystem PaaS’s o BoeingEcosystem PaaS o Encourage airlines to buy Boeing Airplanes o Create a PaaS for all Airlines and service providers o Make it easier to buy Boeing, cheaper easier to run an airline with Boeing airplanes o Cars o Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX o Entertainment o Finance
  • 13.
    Should you adopta technology? Technology Benefit or Cost Gives Employees Choice (BYOD, applications, …) Increased productivity (and morale, retention) Is better than an internal technology Increased productivity (anything from slight to huge benefit) Is necessary for business with customers or partners Increased sales (unavoidable) saves money over internal service Reduced costs (depends if productivity improvement or loss accompanies) Faster time to market Increased sales (potentially huge benefit) Lack of cohesive common technology Decreased productivity Increased support costs and difficult integration or sometimes collaboration More expensive than internal service Increasing costs (not very frequently true especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost. Increased Security Risk Can be mitigated to some extent
  • 14.
    These benefits canbe substantial o A new technology can easily give a 30% increase in productivity, reduced costs or increased income. o In many cases it is not optional to use a certain technology, but how do we do it safely? o Security must find ways to minimize risk of the new technology.
  • 15.
    The point ofthis talk is perspective o Security is part of a business decision o The cloud will be made safe for business o A strategy to minimize risk and maximize adoption by segregating information and applications in a fine grained way as they make sense to migrate is essential o The safety of the cloud is not great but it is no worse than where we are in business, possibly better. This may be sad but it is expected in my opinion.
  • 16.
    Agenda o What isthe cloud? o Security in General o Cloud vs Enterprise o Best practices to adopt cloud services o Enhanced Security Services for the Cloud
  • 17.
    What is thecloud? Many things o IaaS and Infrastructure Services (compute, data) o *6B 2013, 136% annual YOY growth o SaaS (Web Services and applications) o APIs (at least 20,000 today doubling annually) o PaaS and Platform Services (iPaaS, DaaS, APIMaaS, BPMaaS…) o *14B by 2016 o Mobile Apps, Web and BaaS o Personal Cloud o Internet of Things *Gartner, 2013
  • 18.
    Not all informationis the same o Customer information o Extremely sensitive customer information o Passwords, pins, personal data, health data, SS# o Company employee information o Extremely sensitive employee information o passwords, SS# o Company information o Extremely sensitive company information o Sales projections, roadmaps, customer interactions, information that you would be liable for releasing o Information that gives you significant market advantage
  • 19.
    Risks you face: oLoss of personal data of employees o Loss of customer personal data o Loss of Corporate data that results in lost business (customers upset, competitors find advantage) o Loss of Service (Caused by security lapse) o Lawsuits (loss of data/service related) o Fines (Loss of data/service considered regulated) o Reputation Damage o Transitive Loss (you help someone compromise someone else) o And more…
  • 20.
    Sources of loss (irrespectiveof cloud or not cloud) o Technology o External hacking o Infection / malware o Denial of service o Processes o Physical penetration or data lost in transit o Poor IT Practices o People o Internal o Employee mistakes / phishing
  • 21.
    The Enterprise “physicaland electronic” 4 walls is being continuously eroded by new stuff: o Employees taking home data or electronics that contain data on them (cell phones, USB, computers, …) o SaaS (corporate data contained within) o APIs and Web services, EDI or partner electronic interfaces o Personal Cloud o Internet of Things (coming) o Cloud Services (IaaS) o Higher level Cloud Services (PaaS and other) o Social - Discussion boards, twitter o Skunkworks/Unauthorized use: o Personal Cloud(Dropbox, Google docs and apps, …) o POC’s being done in PaaS or IaaS environments o Enterprise Apps being used with corporate data o Interactions with partners through cloud o The people who violate controls most : IT people and executives
  • 22.
    2013 Examples ofbreaches Cloud Severity Attack Company Loss Not Cloud Major undisclosed Target, Adobe 200+ million email, passwords, credit stolen, Adobe source code Cloud Major Malware Facebook, Dropbox, Linkedin 8 Million emails and passwords lost Not Cloud Major Internal Federal Reserve, NSA, Dept Homeland Sec Secrets Disclosed , personal information Not Cloud Major Internal Goldman Sachs Trading Algorithms Stolen Cloud Minor Human Error NYTimes, Twitter, Cloudflare Google email reset policies allowed individuals to be hacked Cloud Minor API Penetration Linkedin Thousands of profiles http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
  • 23.
    2013 Examples ofbreaches Cloud Severity Attack Company Loss Cloud Minor Outage Amazon Heroku didn’t have multiple regions Not Cloud Minor undisclosed Department of Energy 53,000 employee records Not Cloud Major Physical Penetration Advocate Medical Group 4 million medical records lost Cloud Major Human Error CorporateCarOnline 850,000 credit cards, personal information Cloud Minor Human Error MongoHQ Thousands of emails http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#
  • 24.
    Cloud vs Enterprise oAnything that can be accessed from the outside is under identical attack* o However, on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8.* o After looking at both, there is no proof that cloud computing is any more of a security risk than traditional internet usage. The research in this paper has shown that there is no significant difference that makes one better than the other. o It is not provable that the cloud is less secure than enterprise security o *http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why o **http://www.cameron.edu/uploads/34/f4/34f4b845dca4fb2125ba03f0964efed1/3.pdf / Cloud Computing vs Traditional Internet Setting: Which One is More Secur
  • 25.
    Security is aproblem o At least 200+million emails disclosed with passwords. Credit cards of at least 40-80 million people with social sec#’s in some cases. o Medical records for 4 million people. o Average of 60 attacks / year reported o 37% of breaches affected financial organizations o 14% insiders o 19% china related breaches o 35% involve physical compromise o 76% exploited weak passwords o vulnerability discovered to patch: 25-60 days at enterprises! A Very High Percentage of these losses are non-cloud, possibly as high as 80% It is unclear what percentage of private companies disclose breaches Cloud Companies are required by law to disclose any loss* *http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state
  • 26.
    Cloud Companies are responding to threats
    o Most cloud companies now enforce multi-factor authentication
    o Most cloud companies employ encryption with salted passwords
    o Google and others changing policies on password resets
    o AWS wiping disks now as default
    o The feeling is the cloud service companies are learning and becoming more and more astute
    o What we really need is transparency!
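    The "salted passwords" bullet above refers, in practice, to salted password hashing: each account gets its own random salt before a slow hash is computed, so two users who chose the same password store different values and a single precomputed table cannot crack every account at once. The block below is an added example illustrating that point; it is not code from this presentation or from any of the cloud companies mentioned. It uses only the Python standard library, the iteration count is an assumed work factor, and the sample password and the two constructed users are made up for the demo.

```python
"""Salted password hashing versus an unsalted digest (added example)."""
import base64
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak scheme that salting replaces: identical passwords produce
    identical digests, so one lookup table breaks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user (os.urandom) is drawn when none is supplied;
    passing an explicit salt exists only so tests can be deterministic."""
    if not salt:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time (hmac.compare_digest), so a wrong
    guess takes the same time regardless of how many bytes matched."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate on garbage
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Two constructed users pick the same password; compare what gets stored."""
    shared_password = "correct horse battery staple"  # constructed sample
    record_user_a = hash_password(shared_password)
    record_user_b = hash_password(shared_password)
    return {
        # unsalted: same password, same digest for both users
        "unsalted_collide": unsalted_digest(shared_password) == unsalted_digest(shared_password),
        # salted: same password, different stored records
        "salted_collide": record_user_a == record_user_b,
        "verify_ok": verify_password(shared_password, record_user_a),
        "verify_wrong": verify_password("Tr0ub4dor&3", record_user_a),
    }


if __name__ == "__main__":
    print(demo())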
  • 27.
    Cloud is theoretically worse on security
    o Ability to attack from anywhere and from anyone could lead to many more attacks
    o Specific cloud-based attacks such as exploiting virtual machine vulnerability, building mobile apps to exploit APIs
    o Ubiquitous connectivity seems to imply more chance for attacks –
      o yet so far not the case
  • 28.
    I am not saying:
    o Cloud companies are all safer generically
    o All private companies’ enterprise security is rotten
    o That cloud is better than enterprise for security if enterprise is done well
  • 29.
    I am saying:
    o Cloud is not blatantly more insecure than enterprises
    o For whatever reason the attention of hackers has not become focused on cloud YET, because the number of incidents and severity is still clearly more in the enterprise
    o Some cloud companies are way better than many enterprises in security today
    o For the vast majority of companies, large and small, the cloud is probably better
  • 30.
    Cloud Companies use the same technology and approaches as private companies
    o Antivirus / Malware detection / Scanning
    o Patching regimes
    o Audits / Penetration testing
    o Personnel training
    o DLP technology / hardware
    o Multiple authentication schemes
    o Automated Event Detection
    o Multiple Region backups / DR
    o Physical Security
  • 31.
    Vast majority of non-cloud companies not competent in security*
    *http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
    This is NOT true in Finance Companies like Fidelity …hopefully
  • 32.
    Actual Losses – some data
    o 400 cases of fraudulent ACH transactions of $255 million with actual loss of $85 million
    o July 2009, two U.S. stock exchanges were victims of a sustained DDoS attack
    o Outages have real cost
    o Adobe lost actual source code for Photoshop
    o Reputation risk is an extreme concern
  • 33.
    The cloud is not a black hole of security
    o No evidence cloud computing IS riskier than enterprise based computing
    o More attacks reported, both anecdotally and statistically, as well as admitted by private companies, than by companies using cloud services
    o Full disclosure at private companies doubtful
    o Over the last 4 years, as incidents happen, the strength of cloud security has increased. Most companies now support 2 factor authentication for instance. But problems clearly still exist.
  • 34.
  • 35.
    Nine Top Threats
    1. Data Breaches
    2. Data Loss
    3. Account Hijacking
    4. Insecure APIs
    5. Denial of Service
    6. Malicious Insiders
    7. Abuse of Cloud Services
    8. Insufficient Due Diligence
    9. Shared Technology Issues
    Source: Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013, http://bit.ly/1brlej6
    Infoworld 2/2013 http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428
  • 36.
    Cloud Specific Security Concerns
    o Data from one company leaking to another (multi-tenancy isolation failure)
    o Demand from one company leaking to another (poor service)
    o Inability to control specific policies and personnel or change them at will
    o Lack of transparency
    o Inability to conduct effective investigations
    o Naïveté in using the cloud*
    *http://blog.cloudpassage.com/2012/09/13/10-mom-didnt-warn-cloud/
  • 37.
  • 38.
    Cloud Services
    o Let’s look at various types of Cloud Services and specific security concerns that don’t necessarily exist in the enterprise
  • 39.
    aaS’es
    o IaaS
      o Multi-tenancy isolation failures
      o Virtualization vulnerabilities
    o SaaS
      o Multi-tenancy isolation failures
    o PaaS - Poorly behaving apps can threaten other apps
      o One app taking down another
      o Multiplicative SLA weakening
      o Very dynamic demand can stress other tenants
  • 40.
    New types of security/service concerns
    o APIs
      o Conscious malicious rogue applications
      o Inadvertent usage of applications causing ability to access information inappropriately
      o Demand variations can be chaotic and result in wide SLAs
    o Mobile
      o Loss of device
      o Containerization problems
      o Bad applications (like a virus)
      o Employee termination issues
      o Hardware hijacking
  • 41.
    New types of security/service concerns
    o Personal Cloud (moving of my life to the cloud)
      o Type of information allowed may be inappropriate
      o Sharing less controlled by the enterprise
      o Termination – what happens to the information?
    o Internet of Things
      o Privacy
      o Potential damage to security depending on type of device (camera, GPS, activity tracking, cars, …)
    o Social
      o Reputation risk
      o Lack of control of information shared by employees and others
  • 42.
    I admit
    o It’s tiring and scary to consider all the possibilities.
    o So one has to take perspective.
    o You’re not 100% in control
    o You need to delegate but monitor
    o Being a good manager
  • 43.
    Best Practices
    o Segregate data and applications in a fine grained way and move to cloud incrementally as benefits promote adoption (see adoption slide)
    o Establish Service Provider SLAs
    o Negotiate hard for transparency, not damages
    o Make demands
    o Ask questions, audit, stay involved
    o Do not settle for applications or vendors which don’t meet your security requirements. They will want your business and I bet many will adapt if asked with reasonable proposals
    o Watch for changes in the risk profiles
    o As the cloud gains more and more adoption it is likely to start seeing more and more attacks, and more sophisticated attacks
  • 44.
    What is happening?
    o SaaS
    o API Management huge (mostly focused on external but internal growing)
    o Reuse and community collaboration
    o BigData, data collection and intelligence
    o PaaS Ecosystem and DevOps
    o Mobile Apps
    o iPaaS
    o Personal Cloud / Internet of Things happening
  • 45.
    Enterprise Reuse and Refactoring
    o Most companies I see are doing this
    o Reuse is hard
    o It’s not just a registry
    o Growing Mobile, API and Web service application storm presages new era in enterprise software
  • 46.
    New Types of Security Available
    o EMM (MDM, MAM) –
      o Enterprise Mobility Management, provides control and monitoring of mobile devices
    o API Management –
      o app based security, fine grained authorization, SLA management
    o Ecosystem Private PaaS
      o Control of information shared to partners as well as applications that use information
    o Complex Event Processing
      o Detect complex events that indicate intrusion, theft, accidental behavior, suspicious behavior; alert, escalate
    o 2 factor authentication, fine grained authorization
    o New protocols and technologies support more control
    o SDN
    o Fingerprint scanners
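    The Complex Event Processing bullet above, together with the "Automated Event Detection" item and the "Account Hijacking" threat listed earlier, describes correlating simple events over time into a higher-level security event that is then alerted on and escalated. The block below is an added example of that idea, written for this page and not taken from the presentation or from any vendor's CEP product: two small stateful rules run over a constructed authentication event stream, one for a burst of failed logins followed by a success from the same source (a credential-guessing pattern), one for the same account succeeding from two different addresses within a short window. The event format, thresholds, window lengths and severities are all assumptions chosen for the demo.

```python
"""Toy complex-event detection over an authentication event stream (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AuthEvent:
    ts: int        # seconds since epoch (constructed values below)
    user: str
    src_ip: str
    outcome: str   # "fail" or "success"


# Constructed sample stream (documentation-range addresses, made-up users):
# alice: five failures then a success from one address  -> hijack pattern
# bob:   one failure then a success long after            -> benign
# carol: success from two addresses thirty seconds apart -> concurrent pattern
SAMPLE_EVENTS = [
    AuthEvent(1000, "alice", "203.0.113.7", "fail"),
    AuthEvent(1005, "alice", "203.0.113.7", "fail"),
    AuthEvent(1010, "alice", "203.0.113.7", "fail"),
    AuthEvent(1015, "alice", "203.0.113.7", "fail"),
    AuthEvent(1020, "alice", "203.0.113.7", "fail"),
    AuthEvent(1030, "alice", "203.0.113.7", "success"),
    AuthEvent(1100, "bob", "198.51.100.4", "fail"),
    AuthEvent(1400, "bob", "198.51.100.4", "success"),
    AuthEvent(2000, "carol", "192.0.2.9", "success"),
    AuthEvent(2030, "carol", "203.0.113.50", "success"),
]


def detect_guess_then_success(events: List[AuthEvent], max_failures: int = 5,
                              window: int = 300) -> List[Dict]:
    """Rule 1: at least `max_failures` failed logins for one (user, ip) within
    `window` seconds, followed by a success from the same pair."""
    recent_failures = defaultdict(deque)   # (user, ip) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        q = recent_failures[key]
        while q and ev.ts - q[0] > window:   # expire the sliding window
            q.popleft()
        if ev.outcome == "fail":
            q.append(ev.ts)
        elif ev.outcome == "success":
            if len(q) >= max_failures:
                alerts.append({"rule": "guess_then_success", "severity": "high",
                               "user": ev.user, "src_ip": ev.src_ip,
                               "failures": len(q), "ts": ev.ts})
            q.clear()                         # success resets the counter
    return alerts


def detect_concurrent_sources(events: List[AuthEvent], window: int = 60) -> List[Dict]:
    """Rule 2: the same account logs in successfully from two different source
    addresses within `window` seconds (session sharing or stolen credentials)."""
    last_success = {}                         # user -> (ts, ip)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "success":
            continue
        prev = last_success.get(ev.user)
        if prev and prev[1] != ev.src_ip and ev.ts - prev[0] <= window:
            alerts.append({"rule": "concurrent_sources", "severity": "medium",
                           "user": ev.user, "src_ips": [prev[1], ev.src_ip], "ts": ev.ts})
        last_success[ev.user] = (ev.ts, ev.src_ip)
    return alerts


def run_detectors(events: List[AuthEvent]) -> List[Dict]:
    """Escalation step: merge rule output, highest severity first, then by time."""
    rank = {"high": 0, "medium": 1}
    found = detect_guess_then_success(events) + detect_concurrent_sources(events)
    return sorted(found, key=lambda a: (rank[a["severity"]], a["ts"]))


if __name__ == "__main__":
    for alert in run_detectors(SAMPLE_EVENTS):
        print(alert)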
  • 47.
    WSO2 Commercial
    o Completely Open Source – No enterprise versions
    o The only complete composable API Centric Enterprise Application Platform
    o Built entirely by WSO2
    o Multi-tenant, Cloud Native, Componentized Integrated Platform
    o Built to API Centric, BigData, Mobile, Social, Cloud, SOA Platform
  • 48.
    WSO2 Commercial
    o 200 customers worldwide
    o In business 8 years
    o Leading Enterprises in almost every vertical industry:
      o Retail, Aerospace, Health, Finance, Logistics, Telecommunications, Government, Travel, …
    o Ebay does 5 billion transactions/day on peak days on our servers
    o Boeing, Cisco and other industry leading companies are starting to build their future technology vision with WSO2
  • 49.
    WSO2 Commercial
    o Identity Management
      o WSO2 has full suite of identity products supporting all new protocols and features
    o EMM (Enterprise Mobility Management)
      o WSO2 has a full EMM suite with both device and application management
    o Ecosystem PaaS
      o WSO2 is working with several industry leaders to create PaaS’s for their industry. This gives the leader control over the data and applications, like Apple has for iOS apps, and also encourages development of communities with the first social enterprise store
    o Hybrid Polyglot PaaS technology for sophisticated enterprise deployments
    o API Management and Enterprise Store combining API, Mobile and Web services to promote API Centric Enterprises
    o NSA for you – our BigData and CEP technology gives you the ability to identify in real time and respond to security events
    AND MORE. I have listed just the products relevant to security.
  • 50.
    Conclusion
    o We have seen the enemy and it is us.
    o The issues for the cloud are the issues we deal with every day in the enterprise. It’s not a reason to not adopt the cloud.
    o For more info on WSO2: wso2.com
    o Services Oxygenated
    o John Mathon: VP, Product Strategy
    o john@wso2.com