Cloud security strategy: understanding and evaluating the real risks in the cloud
Lee Newcombe (lee.newcombe@capgemini.com)
Infrastructure Services
November 2012
Session Agenda

• Introduction (5 minutes)
• Presentation (15 minutes): “Securing Cloud Services”
• Facilitated Round Table Discussions (20 minutes)
    • What are the genuine security issues that hold back Cloud adoption?
    • Are services in the cloud less secure than those on-premise?
    • How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
    • What is the best way to manage security in a world of self‐service IT, mobile devices and social media?
• Sharing of outcomes from Discussions (20 minutes)

12th Cloud Circle Forum
Copyright © Capgemini 2012. All Rights Reserved
Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions
The questions you asked…

• What are the genuine security issues that hold back Cloud adoption?
• Where do the main security threats come from and where should you focus your attention?
• Are services in the cloud less secure than those on-premise?
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
• Eliminating the human security risk: educating your workforce
• What is the best way to manage security in a world of self‐service IT, mobile devices and social media?
• How do emerging social business technologies complicate security strategies?
The ones I will tackle!

• What are the genuine security issues that hold back Cloud adoption?
• Where do the main security threats come from and where should you focus your attention?
• Are services in the cloud less secure than those on-premise?
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
• Eliminating the human security risk: educating your workforce
• What is the best way to manage security in a world of self‐service IT, mobile devices and social media?
• How do emerging social business technologies complicate security strategies?
Cloud Computing – NIST

Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”

Essential Characteristics of Cloud Computing:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity; and
• Measured service.

Source: csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Service Models

(Diagram-only slide; no text on the slide.)
NIST Deployment Models and Jericho Cloud Cube

Model       Strengths                                      Weaknesses
Public      Agile, cost-effective, “illusion of            Multi-tenant; data residency; assurance;
            infinite resource”                             standard contracts
Private     Dedicated use; assurance; scope to             Expensive cf. Public; no “illusion of
            negotiate SLAs etc.                            infinite resource”
Community   Designed for a specific, shared set of         Difficult to govern; need to manage all
            security requirements                          stakeholders
Hybrid      “Best of breed” suppliers can be switched      “Weakest link”: must cater for security
            in and out                                     issues across ALL suppliers

The Jericho Forum® Cloud Model represents an alternative mechanism to represent deployment models: http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
“Where do the main security threats come from and where should you focus your attention?” -> Cloud Threats

(Diagram-only slide; no text on the slide.)
“What are the genuine security issues that hold back Cloud adoption?” -> Cloud Risks

• Compliance
• Multi-tenancy
• Assurance
• Supply chain – cloud, on cloud, on cloud, on…
• Lock-in
• Standard Terms and Conditions
“Are services in the cloud less secure than those on-premise?” -> Cloud Benefits?

• Cost-effective datacentre security
• Improved resilience
• More efficient security patching
• Improved security expertise, including application-specific expertise, at the centre
• Cloud data storage and sharing vs removable media
• Encourages adoption of Jericho principles
“What is the best way to manage security in a world of self‐service IT, mobile devices and social media?” -> Security Architecture

“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”
Adapted from: ISO/IEC 42010:2007
Security Reference Model

(Diagram-only slide; no text on the slide.)
Modelling Different Delivery Responsibilities

The delivery responsibilities for the security services shift from the consumer to the provider as you move from IaaS to SaaS.

Interfaces between consumer and provider present a risk of gaps in capability and of poor/no/mis-communication between provider and consumer.
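One way to make the responsibility shift and its interface risk checkable, as an added example that is not part of the presentation: a responsibility matrix per service model, with functions that list the gaps (services nobody delivers), the interfaces (services shared between consumer and provider) and any service that moves back towards the consumer as the model goes from IaaS to SaaS. The service names and the assignments in MATRIX are constructed for illustration; a real review would take them from the organisation's own security reference model and each provider's contract.

```python
"""Responsibility gap analysis across IaaS/PaaS/SaaS.

Added example. The services, the MATRIX assignments and the RANK ordering
are constructed to show the method, not taken from any provider.
"""
from enum import Enum


class Party(Enum):
    CONSUMER = "consumer"
    PROVIDER = "provider"
    SHARED = "shared"          # both deliver part of it: an interface to manage
    UNASSIGNED = "unassigned"  # nobody has been made responsible: a gap


# Ordered so that responsibility should move towards the provider left to right.
MODELS = ("IaaS", "PaaS", "SaaS")

# Constructed sample matrix: security service -> delivering party per model.
MATRIX = {
    "physical security":    {"IaaS": Party.PROVIDER, "PaaS": Party.PROVIDER,   "SaaS": Party.PROVIDER},
    "OS patching":          {"IaaS": Party.CONSUMER, "PaaS": Party.PROVIDER,   "SaaS": Party.PROVIDER},
    "application patching": {"IaaS": Party.CONSUMER, "PaaS": Party.CONSUMER,   "SaaS": Party.PROVIDER},
    "identity and access":  {"IaaS": Party.CONSUMER, "PaaS": Party.SHARED,     "SaaS": Party.SHARED},
    "data classification":  {"IaaS": Party.CONSUMER, "PaaS": Party.CONSUMER,   "SaaS": Party.CONSUMER},
    "security monitoring":  {"IaaS": Party.CONSUMER, "PaaS": Party.SHARED,     "SaaS": Party.UNASSIGNED},
    "secure data deletion": {"IaaS": Party.SHARED,   "PaaS": Party.UNASSIGNED, "SaaS": Party.UNASSIGNED},
    "backup and recovery":  {"IaaS": Party.CONSUMER, "PaaS": Party.PROVIDER,   "SaaS": Party.CONSUMER},
}

# Direction-of-travel rank; UNASSIGNED cells are reported by gaps(), not ranked.
RANK = {Party.CONSUMER: 0, Party.SHARED: 1, Party.PROVIDER: 2}


def gaps(matrix, model):
    """Services that nobody delivers under this model (the 'omission' case)."""
    return sorted(s for s, row in matrix.items() if row[model] is Party.UNASSIGNED)


def interfaces(matrix, model):
    """Services split between consumer and provider: where mis-communication bites."""
    return sorted(s for s, row in matrix.items() if row[model] is Party.SHARED)


def handbacks(matrix, models=MODELS):
    """Services whose delivery moves back towards the consumer as the model goes
    IaaS -> PaaS -> SaaS, against the expected direction. Returns (service, from, to)."""
    found = []
    for service, row in matrix.items():
        assigned = [(m, RANK[row[m]]) for m in models if row[m] is not Party.UNASSIGNED]
        for (m_prev, r_prev), (m_cur, r_cur) in zip(assigned, assigned[1:]):
            if r_cur < r_prev:
                found.append((service, m_prev, m_cur))
    return found


def procurement_checklist(matrix, model):
    """Everything to write into the provider's contract or SLA for this model:
    services the provider delivers, shares, or that are still unassigned."""
    return sorted(s for s, row in matrix.items() if row[model] is not Party.CONSUMER)


if __name__ == "__main__":
    for model in MODELS:
        print(f"{model}: gaps={gaps(MATRIX, model)} interfaces={interfaces(MATRIX, model)}")
    print("handbacks:", handbacks(MATRIX))
```

Run it per provider and per service model; every entry in gaps() or handbacks() is a question to raise before signing, and every entry in interfaces() needs a named owner on both sides.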
Procurement Usage

(Diagram-only slide; no text on the slide.)
Conclusions

• All delivery models are unique. Cloud computing models have unique security challenges. So do other delivery models, including on-premise and traditional outsourcing.
• Cloud is an evolution, not a revolution.
• The threat actors remain mostly the same, cloud or on-premise.
• The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud; however:
    • increased sharing of resources due to multi-tenancy introduces new attack surfaces;
    • assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc).
• A security architecture approach can help to enable cloud adoption:
    • Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.
    • Architecture methodologies help to identify the security services required from a Provider.
    • Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer.
    • Architecture helps to inform service procurement.
Conclusions

• What are the genuine security issues that hold back Cloud adoption?
    • Compliance
    • Assurance
• Where do the main security threats come from and where should you focus your attention?
    • The usual…
• Are services in the cloud less secure than those on-premise?
    • It depends!
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
    • Confidentiality? Human. Availability? Mixture.
• What is the best way to manage security in a world of self‐service IT, mobile devices and social media?
    • Adopt an architectural approach.
About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion.

Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.

www.capgemini.com

The information contained in this presentation is proprietary.
Rightshore® is a trademark belonging to Capgemini
© 2012 Capgemini. All rights reserved.
