Deadly Sins of Cloud Computing
   (and how to avoid them)

   Mike Small CEng, FBCS, CITP
          Senior Analyst
         KuppingerCole
Agenda

• The Seven Deadly sins
• Ten Key Questions for Cloud Computing
• Summary




Seven Cardinal Vices

The seven cardinal vices used by the Christian church to teach the origins of sin: Wrath, Greed, Pride, Lust, Envy, Gluttony and Sloth.
Cloud Computing Deadly Sins

• Sloth
  –   Not knowing you are using the Cloud
  –   Not assuring legal and regulatory compliance
  –   Not knowing what data is in the cloud
  –   Not managing identity and access to the cloud
  –   Not managing business continuity and the cloud
  –   Becoming Locked-in to one provider.
  –   Not managing your Cloud provider.



Ten Key Questions for Cloud Computing
#1 Do you know that you are using the Cloud?
Loss of Governance (Probability: Very High; Impact: High)

• Is your organization already using the Cloud? All it takes is a credit card.
   – Is there a process for getting the Cloud?
#2 How can you ensure governance of the Cloud?
Governance Frameworks Used

[Bar chart: Governance Frameworks and Security Standards Used. Categories: ISO 2700x, COBIT, ITIL, TOGAF, Other Custom Frameworks, None. Source: ENISA Survey of SLAs across EU Public Sector, Dec 2011]
Provider Standards

Are your IT service providers obliged to adhere to these standards too?

• Yes: 22%
• Yes, some: 46%
• No: 19%
• Don't know: 13%

Source: ENISA Survey of SLAs across EU Public Sector, Dec 2011
Cloud Governance

• Identify business requirements
• Specify the service to meet business needs
• Assess risk probability and impact, and the risk response
• Clarify who is responsible for what
• Assure and monitor delivery of the Cloud service
#3 Which is the right Cloud for my business needs?

Choose the Right Cloud

• Service model: IaaS, PaaS, SaaS
• Deployment model: Private, Community, Public, Hybrid
• Management considerations: Governance, Security, Integration, Orchestration
Cloud Service Models

                          In House                           ->                              Cloud
Application delivery      In House Developed Applications    Commercial Applications         Software as a Service
Platform                  In House IT Platform               Commercial Platform             Platform as a Service
Infrastructure delivery   In House IT Deployment             Managed IT Service              Infrastructure as a Service

Service characteristics: moving from In House towards Cloud, speed of deployment and elasticity of supply increase while functional flexibility decreases; in-house delivery is bespoke and highest cost, Cloud delivery is commodity and lowest cost.
Service Models - Strengths and Weaknesses

General
  Strengths: no capital investment; fast deployment; fast response to increasing demand.
  Weaknesses: compliance issues such as geographic location; confidentiality, integrity and availability; price may not go down when demand falls; you may pay more over time.

IaaS
  Strengths: runs existing workloads and applications.
  Weaknesses: your application must conform; you have to manage your own environment.

PaaS
  Strengths: once developed, the application is immediately ready for Cloud deployment.
  Weaknesses: locked into the PaaS APIs and environment.

SaaS
  Strengths: application ready to use.
  Weaknesses: functionality may not meet your precise needs; ownership and return of data.
Cloud Delivery Model

• Public Cloud: you are sharing with everyone and anyone
• Community Cloud: you are sharing with selected others
• Private Cloud: you are not sharing
• Hybrid Cloud: you may be sharing sometimes
Community/Private Cloud Example - NHSmail

•   Secure – approved for the transmission of patient data. Government accredited to 'RESTRICTED' status.
•   Resilient – based in two data centres; the disaster recovery design has been fully tested and proved.
•   Available – via secured encrypted devices, over the NHS N3 network and the internet.

          http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail
Delivery Models - Strengths and Weaknesses

Public
  Strengths: availability and reliability; tolerance and elasticity; physical security; patch and vulnerability management; intrusion prevention and detection.
  Weaknesses: legal and regulatory compliance; control over the supply chain; logging capabilities; auditing; accessing forensic data; data location.

Private
  Strengths: control over policies, logging, auditing, etc.; granular access control; control over legal compliance.
  Weaknesses: less economy of scale, less tolerance to attack, less flexibility to meet peak demand and less resilience.

Community
  Strengths: similar benefits of scale to the public cloud while retaining greater control over compliance and data privacy.
  Weaknesses: similar to the private Cloud.
#4 How can I assure compliance?

Compliance Example (Probability: High; Impact: High)

EU Data Protection Laws to include large fines
Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws.

The European Commission has put forward the suggestion as part of a new directive and regulation. These include:
      – A right to be forgotten
      – Explicit consent
      – Right of data portability
      – Breach notification – within 24 hours
      – Single set of rules across the EU
      – Companies governed by a single DPA
      – EU rules apply to non-EU organizations
      – Unnecessary administrative burdens removed
      – National Data Protection Authorities strengthened

             http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
Compliance Responsibilities – Data Privacy Example

ISO 27001 Control 15.1.4:

• Data protection and privacy should be ensured as
  required in relevant legislation, regulations, and, if
  applicable, contractual clauses.

    Customer responsibility: identify legal and regulatory requirements and ensure these are in the contract/SLAs.
    Provider responsibility: hold and process data in accordance with legal and regulatory requirements.
Compliance Checklist – Data Privacy Example

ISO 27001 Control 15.1.4 (control references are to the Cloud Security Alliance Cloud Controls Matrix, CCM):

• Metrics/SLA Checklist
    – CO-01 to CO-03: Cloud Provider provides evidence of meeting compliance requirements.
    – Geographic location of data and Cloud Provider infrastructure: EU, US Safe Harbor.
    – Cloud Provider does not use other companies whose infrastructure is located outside that of the Cloud Provider.
    – Cloud Provider's services are not subcontracted or outsourced.
#5 How can I assure information security?

Industrialized Cyber Threats (Probability: Medium; Impact: High)

RSA Offers to Replace SecurID Tokens
http://www.bbc.co.uk/news/technology-13681566
June 7th, 2011

Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks. It follows a hack against the company in March where information related to the tokens was stolen.

RSA has now revealed that some of that information was used during the hack attack on defence firm Lockheed Martin.

It is estimated that there are around 40 million SecurID tokens in circulation around the world.

In an open letter to customers, RSA executive chairman Art Coviello confirmed that "information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin".
Data Classification – The Essential Foundation

ISO 27001 Control 7.2:

• Information should be classified in terms of its value,
  legal requirements, sensitivity, and criticality to the
  organization.

   Customer responsibility: classify data being moved to the Cloud in terms of its value to the business and the impact of loss.
   Provider responsibility: ensure the confidentiality, integrity and availability of customer data.
Internet Security Responsibilities

ISO 27001 Control 10.6
• Networks should be adequately managed and
  controlled, in order to be protected from threats,
  and to maintain security for the systems and
  applications using the network.

    Customer responsibility: protect own systems and infrastructure; configure and patch the guest (IaaS) systems.
    Provider responsibility: protect the provider services and infrastructure against internet threats.
Internet Security Checklist

ISO 27001 Control 10.6
• Metrics
    –   SA-08 Network Security Architecture
    –   SA-14 Intrusion Detection Controls
    –   Controls to mitigate DDoS attacks
    –   Defences against internal as well as external threats
    –   Network architecture supports continuous operation
    –   Network infrastructure secured to best practice
• SLA Checklist
    – Metrics and reporting on vulnerability detection and management
    – Metrics and reporting on isolation (e.g. penetration testing)
#6 Who is responsible for Identity and Access?

Impersonating the User (Probability: Medium; Impact: High)

Carbon Thieves Force European Union to Improve Security, Close Spot Market
www.bloomberg.com
January 21st, 2011

The European Union, whose decision to suspend registries halted the region’s spot carbon-emissions market following the theft of permits, said it won’t lift restrictions until member states step up identification checks.

It suspended most operations at Europe’s 30 registries for greenhouse-gas emissions on Jan. 19 after a Czech trader reviewing his $9 million account found “nothing was there.” The EU estimates permits worth as many as 29 million Euros may be missing.

“At minimum they need to have second authorization in place, such as electronic certificates or ID cards,” said Simone Ruiz, European policy director of the Geneva-based IETA.
Impersonating the Service (Probability: Medium; Impact: High)

Google users targeted by forged security certificate
http://www.telegraph.co.uk/technology/google/8730785/Google-users-targeted-by-forged-security-certificate.html
August 30th, 2011

Security researchers have discovered a forged internet security certificate designed to allow hackers to spy on Google users’ private emails and other communications.

The forgery was first reported by an Iranian web user, which has raised fears it may be part of efforts by the government in Tehran to monitor dissidents....

The forgery was issued to the unknown attackers on 10 July by DigiNotar, a Dutch SSL certificate authority. For more than two months it would have allowed them to set up fake versions of Google websites that appeared genuine to users and their web browsers.

This would in turn have allowed the hackers to collect usernames and passwords for their targets’ genuine Google accounts. The forged certificate was valid for google.com and all its sub-domains, including mail.google.com.
Identity Management Responsibilities

ISO 27001 Control 11.2
• To ensure authorized user access and to prevent
  unauthorized access to information systems.

 Customer responsibility: vet, manage and control identity and access of users to their guest services and systems.
 Provider responsibility: vet, manage and control the systems administrators who manage the service, host systems and infrastructure.
#7 How can I avoid breaches of privilege?

Insider Abuse of Privilege (Probability: Medium; Impact: Very High)

Houston Computer Administrator Sentenced to 12 Months Prison
http://www.justice.gov/opa/pr/2010/July/10-crm-775.html
July 6, 2010

WASHINGTON – A former senior database administrator for GEXA Energy in Houston was sentenced today to 12 months in prison for hacking into his former employer’s computer network, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and U.S. Attorney Jose Angel Moreno for the Southern District of Texas….

According to court documents… In pleading guilty, Kim admitted that in the early hours of April 30, 2008, he used his home computer to connect to the GEXA Energy computer network and a database that contained information on approximately 150,000 GEXA Energy customers. While connected to the computer network, Kim recklessly caused damage to the computer network and the customer database by inputting various Oracle database commands. Kim also copied and saved to his home computer a database file containing personal information on the GEXA Energy customers, including names, billing addresses, social security numbers, dates of birth and drivers license numbers.

According to court documents, Kim’s actions caused a $100,000 loss to GEXA Energy.
Privilege Management Checklist (Privileged User Management)

ISO 27001 Control 11.2.2:

• Metrics/SLA Checklist
     – HR-01 Background checks on infrastructure administrators.
     – IS-08 Privileges are allocated to users only when required.
     – IS-07 Authorization process for privileges, and a record kept of privileges allocated.
     – IS-34 Steps taken to minimize the need for privileged access.
     – Tamper-proof log of privileged activities.
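The last checklist item is the one a privileged insider attacks first: a database administrator who can rewrite the audit table can also erase the query that exported the customer file. The block below is an added example (not from the slides or any vendor's product) of how "tamper-proof" is usually achieved in software: every log entry carries an HMAC over the previous entry's tag plus its own content, so editing, reordering or removing an earlier entry breaks every tag after it. The HMAC key is assumed to live only with the log collector, away from the administrators being logged; the three DBA entries are constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = "0" * 64  # tag assumed to precede the first entry


class PrivilegedActivityLog:
    """Append-only record of privileged actions chained with HMAC-SHA256.

    Assumption: the key is held by the log collector, not by the systems the
    administrators control; anyone who can read the key can forge a chain.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []
        self.tags: List[str] = []

    @staticmethod
    def _canonical(entry: Dict) -> bytes:
        # Stable serialisation so the same entry always yields the same tag.
        return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, prev_tag: str, entry: Dict) -> str:
        msg = prev_tag.encode() + b"\n" + self._canonical(entry)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, entry: Dict) -> str:
        prev = self.tags[-1] if self.tags else GENESIS
        tag = self._tag(prev, entry)
        self.entries.append(dict(entry))
        self.tags.append(tag)
        return tag

    def head(self) -> str:
        """Latest tag. Export it to a separate system regularly: the chain alone
        cannot reveal that entries were cut off the end."""
        return self.tags[-1] if self.tags else GENESIS

    def verify(self) -> int:
        """Return -1 if every tag checks out, else the index of the first entry whose tag does not."""
        prev = GENESIS
        for i, (entry, tag) in enumerate(zip(self.entries, self.tags)):
            if not hmac.compare_digest(self._tag(prev, entry), tag):
                return i
            prev = tag
        return -1


def build_sample_log(key: bytes = b"collector-only-key") -> PrivilegedActivityLog:
    """Constructed sample: three DBA actions of the kind the checklist wants recorded."""
    log = PrivilegedActivityLog(key)
    log.append({"ts": "2012-03-01T01:12:03Z", "user": "dba01", "src": "203.0.113.7",
                "action": "login", "target": "billing-db"})
    log.append({"ts": "2012-03-01T01:13:40Z", "user": "dba01", "src": "203.0.113.7",
                "action": "sql", "target": "billing-db",
                "statement": "SELECT * FROM customers"})
    log.append({"ts": "2012-03-01T01:15:09Z", "user": "dba01", "src": "203.0.113.7",
                "action": "export", "target": "billing-db", "rows": 150000})
    return log


def tamper_demo() -> Dict[str, int]:
    """What the chain catches: an edited entry and a deleted middle entry."""
    edited = build_sample_log()
    edited.entries[1]["statement"] = "SELECT 1"   # rewrite what was actually run
    deleted = build_sample_log()
    del deleted.entries[1]                         # drop the incriminating query...
    del deleted.tags[1]                            # ...and its tag
    return {"clean": build_sample_log().verify(),
            "edited": edited.verify(),
            "deleted": deleted.verify()}


if __name__ == "__main__":
    print(tamper_demo())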
#8 How can I ensure Business Continuity?

Business Continuity (Probability: Low; Impact: High)

Lightning Strike in Dublin Downs Amazon, Microsoft Clouds
http://www.pcworld.com/businesscenter/article/237476/lightning_strike_in_dublin_downs_amazon_microsoft_clouds.html/
August 8th, 2011

A lightning strike in Dublin on August 8th caused a power failure in data centers belonging to Amazon and Microsoft, causing the companies' cloud services to go offline.

Lightning struck a transformer, sparking an explosion and fire which caused the power outage at 10:41 AM PDT, according to preliminary information, Amazon wrote on its Service Health Dashboard. Under normal circumstances, backup generators would seamlessly kick in, but the explosion also managed to knock out some of those generators.

By 1:56 PM PDT, power to the majority of network devices had been restored, allowing Amazon to focus on bringing EC2 (Elastic Compute Cloud) instances and EBS (Elastic Block Storage) volumes back online. But progress was slower than expected, Amazon said a couple of hours later.
Business Continuity Responsibilities

ISO 27001 Control 14:
• A business continuity management process should be
  implemented to minimize the impact on the organization
  and recover from loss of information assets to an
  acceptable level.

   Customer responsibility: prepare and test a business continuity plan based on business need.
   Provider responsibility: prepare and test service continuity plans for hosted services.
#9 How can I avoid becoming “Locked-in” to one provider?

Lock-in (Probability: High; Impact: Medium)

• “…to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily. It must be as fast and easy as changing one’s internet or mobile phone provider has become in many places…”
   – Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, European Cloud Computing Strategy
Lock in Example – Data Return

ISO 27001 Control 8.3.2
• All employees, contractors and third party users
  should return all of the organization’s assets in their
  possession upon termination of their employment,
  contract or agreement.

   Customer responsibility: ensure that the service contract specifies data ownership and return.
   Provider responsibility: provide mechanisms for the customer to upload and download data to and from hosted systems.
#10 How can I manage the Cloud Service Provider?

Many Assurance Frameworks

• Which Assurance Framework is right for you?
   –   COBIT
   –   ISO/IEC 27001-27005
   –   AICPA Service Organization Control Reports
   –   AICPA/CICA Trust Services (SysTrust and WebTrust)
   –   Cloud Security Alliance Cloud Controls Matrix
   –   BITS Shared Assessment Program
   –   Jericho Forum® Self-Assessment Scheme (SAS)
   –   CSA Shared Assessments
   –   ENISA Procure Secure
   –   German BSI Security Recommendations for Cloud Computing Providers
   –   NIST Cloud Computing Synopsis and Recommendations
SSAE 16 Service Organization Control (SOC) Reports

• Type 1 Report – auditor's opinion on:
   – Whether the description is fairly presented (i.e. it describes what exists).
   – Whether the controls are suitably designed (i.e. the controls are able to achieve the described objectives).
• Type 2 Report – auditor's opinion on:
   – Everything in the Type 1 report, plus:
   – Whether the controls were operating effectively (i.e. they do achieve the control objectives).
   – A description of the auditor's tests and their results.

      Statement on Standards for Attestation Engagements No. 16
          http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
IaaS Example - Amazon Web Services

• SOC 1 Attestation:
  Control Objectives Attested:
   –   Security Organization
   –   Amazon Employee Lifecycle
   –   Logical Security
   –   Secure Data Handling
   –   Physical Security
   –   Environmental Safeguards
   –   Change Management
   –   Data Integrity, Availability and Redundancy
   –   Incident Handling
                      http://aws.amazon.com/security/


AICPA Trust Services (SysTrust/WebTrust)

• Criteria established by AICPA for use when providing
  attestation services on following areas of systems:
   – Security Principle and Criteria
   – Availability Principle and Criteria
   – Processing Integrity Principle and Criteria
   – Confidentiality Principle and Criteria
   – Privacy Principles and Criteria


       http://www.webtrust.org/principles-and-criteria/item27818.pdf



SaaS Example - SalesForce.com

• Example based on AICPA
  Trust Services principles and
  criteria for:
    – Confidentiality,
    – Availability and
    – Security.




https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf


ISO/IEC 27002

• Code of practice for information security management
• 133 controls in 11 clauses covering:
   –   Security Policy
   –   Organization of Information Security
   –   Asset Management
   –   Human Resources Security
   –   Physical and Environmental Security
   –   Communications and Operations Management
   –   Access Control
   –   Information Systems Acquisition, Development and Maintenance
   –   Information Security Incident Management
   –   Business Continuity Management
   –   Compliance
• The controls protect the confidentiality, integrity and availability of information.
                         http://www.iso.ch
PaaS Example - Microsoft Azure

• Confidentiality assured by:
   – Identity and access management
   – Isolation – logical and physical containers
   – Encryption of internal channels
   – User must encrypt own data
   – Destruction of storage media
• Integrity
   – Fabric protected from unauthorized change
   – Secure Development Lifecycle
• Availability
   – Worldwide data centres
   – Data triplication
• Compliance
   – ISO 27001 certification of parts of the infrastructure
   – Safe Harbor signatory
   – Choice of data being located within the EU
   – New contracts for Office 365 customers in Germany to end uncertainty about the Patriot Act
                  http://www.globalfoundationservices.com/security/
Summary

• To Avoid the Seven Deadly Sins of Cloud Computing
  follow the ten commandments:
   1.    Know that you are using the Cloud
   2.    Use Good Governance for the Cloud and other IT Services
   3.    Choose the right Cloud for your needs
   4.    Assure Compliance
   5.    Assure Information Security
   6.    Manage Identity and Access
   7.    Assure privilege management
   8.    Include the Cloud in your Business Continuity Plan
   9.    Avoid Lock-in
   10.   Manage the Cloud Service Provider


QUESTIONS?
Mike Small CEng, FBCS, CITP
Senior Analyst, KuppingerCole
www.kuppingercole.com

Email: Mike.Small@kuppingercole.com

Mobile: +44 7777 697 300





Deadly Sins Bcs Elite

  • 1.
    Deadly Sins ofCloud Computing (and how to avoid them) Mike Small CEng, FBCS, CITP Senior Analyst KuppingerCole
  • 2.
    Agenda • The SevenDeadly sins • Ten Key Questions for Cloud Computing • Summary 3
  • 3.
    Seven Cardinal Vicesused by the Christian church to teach the origins of sin: Wrath, Greed, Pride, Lust, Envy, Gluttony and Sloth SEVEN CARDINAL VICES 4
  • 4.
    Cloud Computing DeadlySins • Sloth – Not knowing you are using the Cloud – Not assuring legal and regulatory compliance – Not knowing what data is in the cloud – Not managing identity and access to the cloud – Not managing business continuity and the cloud – Becoming Locked-in to one provider. – Not managing your Cloud provider. 5
  • 5.
    TEN KEY QUESTIONS FORCLOUD COMPUTING 6
  • 6.
    #1 Do youknow that you are using the Cloud? 7
  • 7.
    Probability Very High Loss of Governance Impact High • Is your organization already using the Cloud? You only need a credit card – Is there a process for getting the Cloud? 8
  • 8.
    #2 How canyou ensure governance of the Cloud?
  • 9.
    Governance Frameworks Used Governance Frameworks and Security Standards Used 80 70 60 50 40 30 20 10 0 ISO 2700x COBIT ITIL TOGAF Other Custom None Frameworks ENISA Survey of SLAs across EU Public Sector, Dec 2011 10
  • 10.
    Provider Standards Are your IT service providers obliged to adhere to these standards too? Don't know, 13% Yes, 22% No, 19% Yes, some, 46% ENISA Survey of SLAs across EU Public Sector, Dec 2011 11
  • 11.
    Cloud Governance Identify Business Requirements Specify Service to meet business needs Assess Risk Probability and Impact and Risk Response Clarify who is responsible for what Assure and Monitor Delivery of Cloud Service 12
  • 12.
    #3 Which isthe right Cloud for my business needs?
  • 13.
    Choose the RightCloud Deployment Management Service Model Model Considerations IaaS Private Governance Community Security PaaS Public Integration SaaS Hybrid Orchestration 14
  • 14.
    Cloud Service Models Application Delivery In House Commercial Software as a Developed Applications Service Applications In House IT Commercial Platform as a Cloud In House Platform Platform Service In House IT Managed IT Infrastructure Deployment Service as a Service Speed of Deployment Functional Elasticity of Flexibility Infrastructure Delivery Supply Service Characteristics Bespoke Commodity Highest Cost Lowest Cost 15
  • 15.
    Service Models -Strengths and Weaknesses Strength Weakness General • No capital investment • Compliance issues like • Fast deployment geographic location • Fast response to increasing • Confidentiality, Integrity and demand Availability • Price may not go down when demand falls • You may pay more over time IaaS • Runs Existing Workload and • Your application must conform applications • You have to manage your own environment PaaS • When developed the • Locked into PaaS APIs and application is immediately environment ready for Cloud deployment SaaS • Application ready to use • Functionality may not meet your precise needs. • Ownership and return of data 16
  • 16.
    Cloud Delivery Model Public Cloud Community Private Cloud You are sharing with Cloud everyone and anyone You are not sharing You are sharing with selected others Hybrid Cloud You may be sharing sometimes 17
  • 17.
    Community/Private Cloud • Secure – approved for the transmission of patient data. Government accredited to 'RESTRICTED' status. • Resilient - based in two data centres - disaster recovery design has been fully tested and proved. • Available - via secured encrypted devices. It is available over the NHS N3 network and the internet. http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail 18
  • 18.
    Delivery Models -Strengths and Weaknesses Strength Weakness Public • Availability and reliability • Legal and regulatory compliance • Tolerance and Elasticity • Control over the supply chain • Physical security • Logging capabilities • Patch & vulnerability Mgt. • Auditing • Intrusion prevention and • Accessing forensic data detection • Data Location Private • Control over policies, • Less economy of scale, tolerance logging, auditing, etc. to attack, less flexibility to meet • Granular access control peak demand and resilience • Control over legal compliance Community • Similar benefits of scale of • Similar to private Cloud the public cloud while retaining greater control over compliance and data privacy 19
  • 19.
    #4 How canI assure compliance?
  • 20.
Compliance Example                         Probability: High   Impact: High

EU Data Protection Laws to include large fines

Firms face being fined up to 2% of their global annual turnover if they breach proposed EU data laws. The European Commission has put forward the suggestion as part of a new directive and regulation. These include:
  – A right to be forgotten
  – Explicit consent
  – Right of data portability
  – Breach notification – within 24 hours
  – Single set of rules across the EU
  – Companies governed by a single DPA
  – EU rules apply to non EU organizations
  – Unnecessary administrative burdens removed
  – National Data Protection Authorities strengthened

http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

                                                       21
Compliance Responsibilities – Data Privacy Example

ISO 27001 Control 15.1.4:
• Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

Customer Responsibility   Identify legal and regulatory requirements and ensure these are in contract/SLAs.
Provider Responsibility   Hold and process data in accordance with legal and regulatory requirements.

                                                       22
Compliance Checklist – Data Privacy Example

ISO 27001 Control 15.1.4 (CCM Control references CO-01 to CO-03):
• Metrics/SLA Checklist
  – Cloud Provider provides evidence of meeting compliance requirements.
  – Geographic Location of data and Cloud Provider Infrastructure: EU, US Safe Harbor.
  – Cloud provider does not use other companies whose infrastructure is located outside that of the cloud provider.
  – Cloud provider’s services are not subcontracted or outsourced.

                                                       23
#5 How can I assure information security?

                                                       24
Industrialized Cyber Threats               Probability: Medium   Impact: High

RSA Offers to Replace Secure ID Tokens
http://www.bbc.co.uk/news/technology-13681566 – June 7th, 2011

Security firm RSA has offered to replace the SecurID tokens used by its customers to log into company systems and banks. It follows a hack against the company in March where information related to the tokens was stolen. RSA has now revealed that some of that information was used during the hack attack on defence firm Lockheed Martin.

It is estimated that there are around 40 million SecurID tokens in circulation around the world. In an open letter to customers, RSA executive chairman Art Coviello confirmed that "information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin".

                                                       25
Data Classification – The Essential Foundation

ISO 27001 Control 7.2:
• Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

Customer Responsibility   Classify data being moved to the Cloud in terms of its value to the business and the impact of loss.
Provider Responsibility   To ensure the confidentiality, integrity and availability of customer data.

                                                       26
Internet Security Responsibilities

ISO27001 Control 10.6
• Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network.

Customer Responsibility   To protect own systems and infrastructure. To configure and patch the guest (IaaS) systems.
Provider Responsibility   To protect the provider services and infrastructure against internet threats.

                                                       27
Internet Security Checklist

ISO27001 Control 10.6
• Metrics
  – SA-08 Network Security Architecture
  – SA-14 Intrusion Detection Controls
  – Controls to mitigate DDoS attacks.
  – Defences against internal as well as external threats.
  – Network architecture supports continuous operation
  – Network infrastructure secured to best practice
• SLA Checklist
  – Metrics and reporting on vulnerability detection and management
  – Metrics and reporting on isolation (e.g. penetration testing)?

                                                       28
#6 Who is responsible for Identity and Access?

                                                       29
Impersonating the User                     Probability: Medium   Impact: High

Carbon Thieves Force European Union to Improve Security, Close Spot Market
www.bloomberg.com – January 21st, 2011

The European Union, whose decision to suspend registries halted the region’s spot carbon-emissions market following the theft of permits, said it won’t lift restrictions until member states step up identification checks. It suspended most operations at Europe’s 30 registries for greenhouse-gas emissions on Jan. 19 after a Czech trader reviewing his $9 million account found “nothing was there.” The EU estimates permits worth as many as 29 million Euros may be missing.

“At minimum they need to have second authorization in place, such as electronic certificates or ID cards,” said Simone Ruiz, European policy director of the Geneva-based IETA.

                                                       30
Impersonating the Service                  Probability: Medium   Impact: High

Google users targeted by forged security certificate
http://www.telegraph.co.uk/technology/google/8730785/Google-users-targeted-by-forged-security-certificate.html – August 30th, 2011

Security researchers have discovered a forged internet security certificate designed to allow hackers to spy on Google users’ private emails and other communications. The forgery was first reported by an Iranian web user, which has raised fears it may be part of efforts by the government in Tehran to monitor dissidents....

The forgery was issued to the unknown attackers on 10 July by DigiNotar, a Dutch SSL certificate authority. For more than two months it would have allowed them to set up fake versions of Google websites that appeared genuine to users and their web browsers. This would in turn have allowed the hackers to collect usernames and passwords for their targets’ genuine Google accounts. The forged certificate was valid for google.com and all its sub-domains, including mail.google.com.

                                                       31
Identity Management Responsibilities

ISO27001 Control 11.2
• To ensure authorized user access and to prevent unauthorized access to information systems.

Customer Responsibility   To vet, manage and control identity and access of users to their guest services and systems.
Provider Responsibility   To vet, manage and control the systems administrators who manage the service, host systems and infrastructure.

                                                       32
#7 How can I avoid breaches of privilege?

                                                       33
Insider Abuse of Privilege                 Probability: Medium   Impact: Very High

Houston Computer Administrator Sentenced to 12 Months Prison
http://www.justice.gov/opa/pr/2010/July/10-crm-775.html – July 6, 2010

WASHINGTON – A former senior database administrator for GEXA Energy in Houston was sentenced today to 12 months in prison for hacking into his former employer’s computer network, announced Assistant Attorney General Lanny A. Breuer of the Criminal Division and U.S. Attorney Jose Angel Moreno for the Southern District of Texas….

According to court documents.. In pleading guilty, Kim admitted that in the early hours of April 30, 2008, he used his home computer to connect to the GEXA Energy computer network and a database that contained information on approximately 150,000 GEXA Energy customers. While connected to the computer network, Kim recklessly caused damage to the computer network and the customer database by inputting various Oracle database commands. Kim also copied and saved to his home computer a database file containing personal information on the GEXA Energy customers, including names, billing addresses, social security numbers, dates of birth and drivers license numbers. According to court documents, Kim’s actions caused a $100,000 loss to GEXA Energy.

                                                       34
Privilege Management Checklist

ISO27001 Control 11.2.2 (Privileged User Mgt):
• Metrics/SLA Checklist
  – HR-01 Background checks on infrastructure administrators.
  – IS-08 Privileges are allocated to users only when required.
  – IS-07 Authorization process for privileges and record kept of privileges allocated.
  – IS-34 Steps taken to minimize the need for privileged access.
  – Tamper proof log of privileged activities.

                                                       35
#8 How can I ensure Business Continuity?

                                                       36
Business Continuity                        Probability: Low   Impact: High

Lightning Strike in Dublin Downs Amazon, Microsoft Clouds
http://www.pcworld.com/businesscenter/article/237476/lightning_strike_in_dublin_downs_amazon_microsoft_clouds.html/ – August 8th, 2011

A lightning strike in Dublin on August 8th caused a power failure in data centers belonging to Amazon and Microsoft, causing the companies' cloud services to go offline. Lightning struck a transformer, sparking an explosion and fire which caused the power outage at 10:41 AM PDT, according to preliminary information, Amazon wrote on its Service Health Dashboard. Under normal circumstances, backup generators would seamlessly kick in, but the explosion also managed to knock out some of those generators.

By 1:56 PM PDT, power to the majority of network devices had been restored, allowing Amazon to focus on bringing EC2 (Elastic Compute Cloud) instances and EBS (Elastic Block Storage) volumes back online. But progress was slower than expected, Amazon said a couple of hours later.

                                                       37
Business Continuity Responsibilities

ISO27001 Control 14:
• A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets to an acceptable level.

Customer Responsibility   Prepare and test business continuity plan based on business need.
Provider Responsibility   Prepare and test service continuity plans for hosted services.

                                                       38
#9 How can I avoid becoming “Locked-in” to one provider?

                                                       39
Lock in                                    Probability: High   Impact: Medium

• “…to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily. It must be as fast and easy as changing one’s internet or mobile phone provider has become in many places…”
  – Neelie Kroes, Vice-President of the European Commission responsible for Digital Agenda, European Cloud Computing Strategy

                                                       40
Lock in Example – Data Return

ISO 27001 Control 8.3.2
• All employees, contractors and third party users should return all of the organization’s assets in their possession upon termination of their employment, contract or agreement.

Customer Responsibility   Ensure that the service contract specifies data ownership and return.
Provider Responsibility   Provide mechanisms for customer to upload and download data to and from hosted systems.

                                                       41
#10 How can I Manage the Cloud Service Provider?

                                                       42
Many Assurance Frameworks

• Which Assurance Framework is right for you?
  – COBIT
  – ISO/IEC 27001-27005
  – AICPA Service Organization Control Reports
  – AICPA/CICA Trust Services (SysTrust and WebTrust)
  – Cloud Security Alliance Controls Matrix
  – BITS Shared Assessment Program
  – Jericho Forum® Self-Assessment Scheme (SAS)
  – CSA Shared Assessments
  – ENISA Procuresecure
  – German BSI Security Recommendations for Cloud Computing Providers.
  – NIST Cloud Computing Synopsis and recommendations

                                                       43
SSAE 16 Service Organizational Controls Reports

SOC Type 1 Report
• Auditor opinion:
  – Description is fairly presented. (i.e. Describes what exists)
  – Whether controls are suitably designed. (i.e. Controls are able to achieve described objectives)

SOC Type 2 Report
• Auditor opinion:
  – As type 1 plus:
  – Whether Controls were operating effectively. (i.e. do achieve control objectives)
  – Describes auditors tests and results

Statement on Standards for Attestation Engagements No. 16
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx

                                                       44
IaaS Example – Amazon Web Services

• SOC 1 Attestation: Control Objectives Attested:
  – Security Organization
  – Amazon Employee Lifecycle
  – Logical Security
  – Secure Data Handling
  – Physical Security
  – Environmental Safeguards
  – Change Management
  – Data Integrity, Availability and Redundancy
  – Incident Handling

http://aws.amazon.com/security/

                                                       45
AICPA Trust Services (SysTrust/WebTrust)

• Criteria established by AICPA for use when providing attestation services on the following areas of systems:
  – Security Principle and Criteria
  – Availability Principle and Criteria
  – Processing Integrity Principle and Criteria
  – Confidentiality Principle and Criteria
  – Privacy Principles and Criteria

http://www.webtrust.org/principles-and-criteria/item27818.pdf

                                                       46
SaaS Example – SalesForce.com

• Example based on AICPA Trust Services principles and criteria for:
  – Confidentiality,
  – Availability and
  – Security.

https://trust.salesforce.com/trust/assets/pdf/Misc_SysTrust.pdf

                                                       47
ISO/IEC 27002

• Code of practice for information security management
• 134 Controls covering:
  – Organization and Information Security
  – Asset Management
  – Human Resources Security
  – Physical and Environmental Security
  – Communications and Operations Management
  – Access Control
  – Information Systems Acquisition, Maintenance and Control
  – Information Security Incident Management
  – Business Continuity Management

[Figure: Information – Confidentiality, Integrity, Availability]

http://www.iso.ch

                                                       48
PaaS Example – Microsoft Azure

• Confidentiality assured by:
  – Identity and access management
  – Isolation – logical and physical containers
  – Encryption of internal channels
  – User must encrypt own data
  – Destruction of storage media
• Integrity
  – Fabric protected from unauthorized change
  – Secure Development Lifecycle
• Availability
  – Worldwide data centres
  – Data triplication
• Compliance
  – ISO 27001 certification of parts of infrastructure
  – Safe Harbor signatory
  – Choice of data being located within EU
  – New contracts for Office 365 customers in Germany to end uncertainty about the Patriot Act.

http://www.globalfoundationservices.com/security/

                                                       49
Summary

• To Avoid the Seven Deadly Sins of Cloud Computing follow the ten commandments:
  1. Know that you are using the Cloud
  2. Use Good Governance for the Cloud and other IT Services
  3. Choose the right Cloud for your needs
  4. Assure Compliance
  5. Assure Information Security
  6. Manage Identity and Access
  7. Assure privilege management
  8. Include the Cloud in your Business Continuity Plan
  9. Avoid Lock-in
  10. Manage the Cloud Service Provider

                                                       51
Mike Small CEng, FBCS, CITP
Senior Analyst, KuppingerCole
www.kuppingercole.com
Email: Mike.Small@kuppingercole.com
Mobile: +44 7777 697 300

                                                       53