The document discusses cloud security, outlining its definition as a sub-domain of computer security and reviewing its growing importance due to increasing cloud computing adoption and associated risks. It identifies key dimensions of cloud security, critical areas to focus on, and approaches to mitigating risks, including the necessity for standardized frameworks and transparency in services. Key takeaways emphasize the evolving nature of cloud security and the collaborative efforts required from government, industry, and academia to enhance protections.

1. Hector Del Castillo
AIPMM
linkd.in/hdelcastillo

2. What We Will Discuss
1. What is cloud security
2. Current situation
3. Dimensions of cloud security
4. Security risks
5. Critical areas
6. Approaches to reduce risk
7. Key takeaways

3. What is Cloud Security?
• An evolving sub-domain of computer security
• A broad set of policies, technologies, and
controls deployed to protect data,
applications, and the associated infrastructure
of cloud computing
• Should not be confused with ‘cloud-based’
security software offerings
• Many commercial software vendors have
cloud-based offerings such as anti-virus or
vulnerability management

4. Current Situation
• Analysts estimate that cloud computing
adoption will continue to rapidly increase
• A single, massive cloud data center contains
more computers than were on the entire
internet just a few years ago
• Security experts agree that the number of
attacks and their level of sophistication will
continue to grow

5. Source: NIST Special Publication 800-144, Jan 2011

6. Service Models
Software Platform Infrastructure
Deployment Models
as a Service as a Service as a Service
(SaaS) (PaaS) (IaaS)
Private X X
Hybrid X X X
Public X X X
Community X X X
Source: NIST Special Publication 800-144, Jan 2011

7. Cloud Solutions

8. “Cloud Services
market to grow to
$42B by 2012.”
- IDC
Source: ZDNet Blogs

9. Cloud Security Reference Model
Source: Cloud Security Alliance

10. Dimensions of Cloud Security
• Security and Privacy
– Data protection
– Identity management
– Physical and personnel security
– Availability
– Application security
– Privacy
Source: "Cloud Security Front and Center,” Forrester Research, 2009.

11. Dimensions of Cloud Security
• Compliance
– Business continuity and data recovery
– Logs and audit trails
– Unique compliance requirements
Source: "Cloud Security Front and Center,” Forrester Research, 2009.

12. Dimensions of Cloud Security
• Legal or Contractual Issues
– Public records
Source: "Cloud Security Front and Center,” Forrester Research, 2009.

13. Security Risks
1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data segregation
5. Recovery
6. Investigative support
7. Long-term viability
Source: “Assessing the Security Risks of Cloud Computing,” Gartner, 2008.

14. Critical Areas
• Cloud Architecture
– Cloud Computing Architectural Framework
Source: "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.

15. Critical Areas
• Governing in the Cloud
– Governance and Enterprise Risk Management
– Legal and Electronic Discovery
– Compliance and Audit
– Information Lifecycle Management
– Portability and Interoperability
Source: "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.

16. Critical Areas
• Operating in the Cloud
– Traditional Security, Business Continuity, and Disaster
Recovery
– Data Center Operations
– Incident Response, Notification, and Remediation
– Application Security
– Encryption and Key Management
– Identity and Access Management
– Virtualization
Source: "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.

17. Recommendations
 Trust (4)
 Transnational Data Flows (4)
 Transparency (2)
 Transformation (4)
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

18. Approaches to Reduce Risk
Trust
1. (Security & Assurance Frameworks): Industry
and government should support and participate
in the development and implementation of
international, standardized frameworks for
securing, assessing, certifying and accrediting
cloud solutions.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

19. Approaches to Reduce Risk
Trust
2. (Identity Management): Should accelerate the
development of a private sector-led identity
management ecosystem as envisioned by the
National Strategy for Trusted Identities in
Cyberspace (NSTIC) to facilitate the adoption of
strong authentication technologies and enable
users to gain secure access to cloud services and
websites.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

20. Approaches to Reduce Risk
Trust
3. (Responses to Data Breaches): Government
should enact a national data breach law to
clarify breach notification responsibilities and
commitments of companies to their customers,
and also update and strengthen criminal laws
against those who attack computer systems and
networks, including cloud computing services.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

21. Approaches to Reduce Risk
Trust
4. (Research): Government, industry, and
academia should develop and execute a joint
cloud computing research agenda.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

22. Approaches to Reduce Risk
Transnational Data Flows
5. (Privacy): The U.S. government and industry
should promote a comprehensive,
technology-neutral privacy framework,
consistent with commonly accepted privacy
and data protection principles-based
frameworks such as the OECD principles
and/or APEC privacy frameworks.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

23. Approaches to Reduce Risk
Transnational Data Flows
6. (Government/Law Enforcement Access to
Data): The U.S. government should
demonstrate leadership in identifying and
implementing mechanisms for lawful access
by law enforcement or government to data
stored in the cloud.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

24. Approaches to Reduce Risk
Transnational Data Flows
7. (E-Discovery and Forensics): Government
and industry should enable effective
practices for collecting information from the
cloud to meet forensic or e-discovery needs
in ways that fully support legal due process
while minimizing impact on cloud provider
operations.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

25. Approaches to Reduce Risk
Transnational Data Flows
8. (Lead by Example): The U.S. government
should demonstrate its willingness to trust
cloud computing environments in other
countries for appropriate government
workloads.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

26. Approaches to Reduce Risk
Transparency
9. (Transparency): Industry should publicly
disclose information about relevant
operational aspects of their cloud services,
including portability, interoperability,
security, certifications, performance and
reliability.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

27. Approaches to Reduce Risk
Transparency
10. (Data Portability): Cloud providers should
enable portability of user data through
documents, tools, and support for agreed-
upon industry standards and best practices.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

28. Approaches to Reduce Risk
Transformation
11. (Federal Acquisition and Budgeting):
Agencies should demonstrate flexibility in
adapting existing procurement models to
facilitate acquisition of cloud services and
solutions. Congress and OMB should
demonstrate flexibility in changing budget
models to help agencies acquire cloud
services and solutions.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

29. Approaches to Reduce Risk
Transformation
12. (Incentives): Government should establish
policies and processes for providing fiscal
incentives, rewards and support for agencies
as they take steps towards implementing
cloud deployments.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

30. Approaches to Reduce Risk
Transformation
13. (Improve Infrastructure): Government and
industry should embrace the modernization
of broadband infrastructure and the current
move to IPv6 to improve the bandwidth and
reliable connectivity necessary for the
growth of cloud services.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

31. Approaches to Reduce Risk
Transformation
14. (Education/Training): Government, industry,
and academia should develop and
disseminate resources for major stakeholder
communities to be educated on the
technical, business, and policy issues around
acquisition, deployment and operation of
cloud services.
Source: “CLOUD2 Summary Report,” TechAmerica, 2011.

32. Key Takeaways
1 • Cloud security continues to evolve
• Security issues are global and impact providers
2 and customers
• Cloud security requires action for government,
3 industry and academia
• Data owner must implement traditional layered
4 security approach
• Data owner must segregate data from
5 application

33. Recommended AFCOM Sessions
1. "DCM18: Securing the Virtualized Environment,”
Robert Klotz, Akibia, 2011.
2. "DCP10: How Social Media and the Cloud Impact
Data Center Security,” James Danburg, SA2, 2011.
3. "Cloud07: Managing the Transition Cloud,” Brent
Eubanks, Latisys, 2011.
4. "Cloud04: The Ins and Outs of Virtual Private
Clouds,” Sundar Raghavan, Skytap, 2011.

34. Recommended Reading
1. “Assessing the Security Risks of Cloud Computing,”
Gartner, 3 June 2008.
2. "Cloud Security Front and Center,” Forrester Research,
18 Nov 2009.
3. "Security Guidance for Critical Areas of Focus in Cloud
Computing V2.1,” Cloud Security Alliance, 2009.
4. “Guidelines on Security and Privacy in Public Cloud
Computing, NIST Special Publication 800-144, Jan 2011.
5. “Summary Report of the Commission on the Leadership
Opportunity in U.S. Deployment of the Cloud,”
TechAmerica Foundation, July 2011.

35. Join My Professional Network!
Hector Del Castillo, PMP, CPM, CPMM
linkd.in/hdelcastillo
hmdelcastillo@aipmm.com