1. Practical tips for securing your cloud
James Turner, IBRS Advisor
August 2012
2. Building a smarter planet
Warning
This presentation has a lot of pictures of clouds
3. Building a smarter planet
Practical tips to securing your cloud
Defining the cloud
What IBRS clients are asking &
What the experts say
Four interesting areas of risk
Summary
A glimpse of the future
Questions
4. Building a smarter planet
Defining cloud
The most widely accepted definition of cloud comes from the National Institute of Science and Technology (NIST):
1. On demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Pay-per-use measured service
I’m talking about SaaS
Morning Glory clouds – Gulf of Carpentaria. Source: NASA. Credit: Mick Petroff
5. Building a smarter planet
What IBRS clients are asking & what the experts say
“Review our SaaS contracts for technical risks”
– Defence Signals Directorate (DSD)
• availability of data and business functionality;
• protecting data from unauthorised access; and,
• handling security incidents.
– Australian Government Information Management Office (AGIMO)
•Liability
•Performance management
•Ending the arrangement
– National Archives of Australia
6. Building a smarter planet
Four SaaS vendor contract reviews
Findings – there are 4 core areas of risk in these vendor MSAs:
1. Light on specifics
2. Heavy on indemnity
3. Default customer referencing
4. Flimsy data portability
7. Building a smarter planet
Light on specifics
Will protect customer data “in a manner consistent with general industry standards reasonably applicable”
Will use “commercially reasonable efforts to make the purchased services available 24 hours a day, 7 days a week”.
Impact: nothing to hold them to!
Light and wispy cirrus clouds
8. Building a smarter planet
Heavy on indemnity
They will not be held liable for any loss of data, or revenue, or profits.
Service credits, if available, are like eating lettuce
– You expend more energy chewing than you get from the consumption
Impact: nothing to hold them to!
– (and look at how well that worked in the software industry!)
9. Building a smarter planet
Customer reference by default
“Customer agrees to work with <vendor’s> Marketing Department to produce a news release to Customer’s use of the Service”
Risks of being outed as a customer:
– “kick me”
– Collateral damage
– Target rich environment
– Economy of effort for attackers
Impact: what has this done to your risk profile?
10. Building a smarter planet
Flimsy data portability
Only 1 of the 4 mentioned a format
Proprietary data formats help create lock-in
One source of truth?
Migrating to another vendor?
– Who owns the metadata?
– Can you access security logs?
Impact: Vendor lock-in, paying for migration, rivals being sold your work
Storm front over Phillip Island, Nov 11, 2011. Source: ABC.net.au
11. Building a smarter planet
Conclusion: Practical tips to securing your cloud
Understand the risks
– Create a list of the technical risks
– War game different scenarios, attacks, or failures
– Walk these through with business stakeholders
Contract management
– involved vs. committed?
– Be biased toward vendors who commit to standards
– Note: Take-it-or-leave-it contracts are positively viewed by some
Asperatus Cloud, New Zealand, undated photo. Source: National Geographic
12. Building a smarter planet
An interconnected world...
... leads to exponential complexity and unforeseen interdependencies!
14. Building a smarter planet
References
“Cloud Computing Security Considerations”, Defence Signals Directorate (Australian Department of Defence), April 2011.
“Better Practice Guide: Negotiating the cloud – legal issues in cloud computing agreements”, Australian Government Information Management Office, February 2012.
“A Checklist for Records Management and the Cloud”, National Archives of Australia, 2011.
IBRS research:
– "The Next Perfect IT Storm: The Red Shift, Utility Computing", IBRS, April 2008.
– "Cloud computing, you may need a parachute", IBRS, April 2009.
– "Legal considerations that apply in cloud computing", IBRS, May 2009.
– "Cloud computing and the law - data considerations", IBRS, June 2009.
– "Cloud computing and the law - business implication", IBRS, July 2009.
– "A legal checklist before taking off into the cloud", IBRS, August 2009.
– "APRA offers timely advice against losing your head in the cloud", IBRS, November 2010.
– "Two tests to evaluate Cloud economics", IBRS, March 2011.
– "A matrix for cloud computing risk analysis", IBRS, October 2011.
– "Cloud security - the real risks", IBRS, January 2012.
– “How do you catch a cloud and pin it down? Part 1”, IBRS, May 2012
– “How do you catch a cloud and pin it down? Part 2”, IBRS, July 2012