1. Cloud Security
Duncan Unwin, Business Aspect
ISACA, Brisbane, 16th July 2013
Why Cloud will happen,
Why it changes how you need to manage security, and
How you can address it
2. A Fresh Perspective 2
Cloud Security
— The overwhelming economics of Cloud
– Why cloud is here and why you better get used to it
— Seven Reasons why Cloud is a new type of security challenge
– why every technique you have used to manage security needs to be
reconsidered
— How you can manage cloud security
– Introducing a total lifecycle approach to security management
3. A Fresh Perspective 3
The overwhelming economics of Cloud
— Supply-Side Saving
— Demand-side aggregation
— Multi-tenancy efficiency
— Telecommunications is becoming cheap
— Cloud is nearly a perfect commodity
4. A Fresh Perspective 4
Supply-Side Saving
— Cost of electricity
– 15-20% of TCO for server infrastructure
– Power Usage Effectiveness (PUE) significantly higher for large DCs
– Green electricity costs will drive Cloud DC location
— Infrastructure labour costs
– Large DCs operate at ratios of 1 engineer to 1000s of servers
— Security and Reliability Compliance
– Increasing requirements will make it less affordable to run IT in-house
– Market demand and scale favour large players (e.g. AWS is ISO 27001)
— Buying Power
– Hardware
– Software
– Telecommunications
– Electricity
5. A Fresh Perspective 5
Demand-side aggregation
— Demand is not stable
– Randomness
– Time-of-day patterns
– Industry-specific patterns
– Large clouds aggregate and smooth demand
— Uncertain growth pattern
– In-house capacity planning targets provisioning for peak load
– Chronic over-provisioning
– User demands for performance increasing
– Loads are moving from batch to real-time
– Demand when massively aggregated become predictable
6. A Fresh Perspective 6
Multi-tenancy Economies of Scale
— Fixed costs amortised over 1000s of customers
— Management Costs
— Implementation Costs
— Base processing overhead
8. A Fresh Perspective 8
Cloud is a near perfect commodity
— True Commodities
– No qualitative difference in the market
– Price set for the market as a whole
– Fungible
– Traded via commodity markets
— Existing barriers limit the total commoditisation of cloud
– Lack of interoperability
– Lack of consistency in governance standards
– Market immaturity
– Cultural
— We predict these will be substantively solved over the next
few years, resulting in commodity markets emerging
9. A Fresh Perspective 9
The overwhelming economics of Cloud
— Supply-Side Saving. Large scale data centres have lower cost per
CPU unit
— Demand-side aggregation. Aggregating demand for computing
smooths overall variability, allowing server utilization rates to
increase.
— Multi-tenancy efficiency. When changing to a multi-tenant
application model, increasing the number of tenants
(i.e., customers or users) lowers the application management and
server cost per tenant.
— Telecommunications is becoming cheap. Much of the reason for
in-house IT was driven by the historically high cost to ship data
— Cloud is nearly a perfect commodity. Supply will not be able to
extract price premiums from the market. They win by scale not
margin.
10. A Fresh Perspective 10
For now accept that cloud computing will happen..
Let us reset and consider security
11. 7 Reasons why Cloud
presents a Security
Challenge
A Fresh Perspective 11
12. A Fresh Perspective 12
1. Loss of network perimeter
— Current model of security based on ‘egg shell’ design
– Depends upon bad people being mainly outside the network
– Data inside the perimeter
– No real idea of where the ‘valuables’ are kept
— Cloud breaks this
– Data is outside the perimeter
– Systems are outside the perimeter
— Organisations that have been practicing good security such as
maintaining asset inventories and protection-in-depth are
well postured
– For the rest of us there is significant risk
13. A Fresh Perspective 13
2. Loss of directive control and audit
— Cloud means that you have limited control over Infrastructure
— You can’t fix emerging risks by direction
— You have very limited ability to audit (not a managed service)
– This includes engaging external auditors
– Developing but immature and inflexible assurance standards
—SAS 70 / SSAE 16
—Cloud Security Alliance
Application
Middleware
Guest OS
Hypervisor
Storage
Hardware
Network
L
N
N
N
N
N
N
M
F
F
F
F
F
F
Customer
Provider
Application
Middleware
Guest OS
Hypervisor
Storage
Hardware
Network
L
L
N
N
N
N
N
M
M
F
F
F
F
F
Customer
Provider
Application
Middleware
Guest OS
Hypervisor
Storage
Hardware
Network
F
F
F
N
N
N
N
N
N
N
F
F
F
F
Customer
Provider
SaaS PaaS IaaS
N=none M=mostly
L=limited F=full
Customer and provider
control
14. A Fresh Perspective 14
3. Risks from the physical location of servers
— Legal risks
– Where your data is stored determines the legal jurisdiction and data
and privacy protection laws
– Your obligations are not reduced
— Potential for not knowing where your data is
– This needs to be addressed in specification of the service
15. A Fresh Perspective 15
4. Risks from multi-tenancy
— Who are the neighbours?
— Virtualisation security is highly dependent on good
administration
— Neighbours pose risks because of malfeasance and negligence
— The driving idea behind ‘Community Clouds’ – a digital gated
community
16. A Fresh Perspective 16
5. Risks from Internet accessibility
— Why is the Internet a threat? Because that is where the bad
people are
— Access to User Interfaces
– Reliance solely based on application security
– Often supporting only single-factor authentication
— Access to APIs
– History of poor implementation of security
— Tools to help
– Virtual firewalls and VPNs
– Integration of federated identity and access management
17. A Fresh Perspective 17
6. Difficulty in implementing effective records
management protocols
— Cloud providers do not generally offer effective data archiving
and record management services – this problem is left to you
— Need to ensure backup and archive regimes meet the
organisation’s requirements
— Today this generally involves a bespoke solution
18. A Fresh Perspective 18
7. Risks to service availability
— Cloud creates perverse risks of Disaster
– Wild fires in the USA threaten Australian
SaaS services.
– Amazon EC2 affected by powerful
thunderstorms in Northern Virginia. Tools
to move processing to another data centre
did not function correctly.
– 2011 Brisbane floods: cloud services
enabled email and remote access to
remain available – an example of a positive
risk of a cloud service
19. A Fresh Perspective 19
Reasons why Cloud presents a Security Challenge
1. Loss of the network perimeter
2. Loss of directive control and audit
3. Risks from the physical location of servers
4. Risks from multi-tenancy
5. Risks from Internet accessibility
6. Difficulty in implementing effective records management
protocols
7. Risks to service availability
21. Business Aspect’s Lifecycle Approach to Cloud Security
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
22. Requirements Phase
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
• Risk Assessment - Harm if…
• asset widely public and widely distributed?
• a cloud provider employee accessed asset?
• the function was manipulated by outsider?
• the function failed to provide results?
• the information/data was unexpectedly changed?
• the asset was unavailable for a period of time?
• Control Requirements
• DSD’s advice on Cloud controls
• Traditional normative control frameworks need to be
adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO17799)
• Compliance with…
• Legislation
• Mandated standards
23. Procurement and Vendor Selection Phase
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
• Vendor Selection
• Capability
• Contract
• Fit
• The Contract is the mechanism of control
• The SLA
• Service Availability and Reliability requirements
• Minimum security levels that may be further defined in
separate specifications and / or policies and standards
• Processes for monitoring the performance of the
provider, specifically in relation to security and availability
• Business continuity and disaster recovery requirements and
arrangements
• Liability and indemnity, including zones of responsibility
• Termination and transition arrangements
• Auditing and reporting requirements
• Event and incident management processes
• Account management
24. Implementation and Transition In Phase
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
• Planning & Project Management
• De-risk by piloting and phasing
• Formal Project e.g. Prince2
• Design key processes with Vendor
• Service governance model
• Data conversion and assurance
• Information Management and Data
Custodianship
• Meeting recordkeeping requirements
• appointing key roles for information governance
• Establishing capacity planning and service
monitoring
• Setting up support processes
• Provisioning of initial services
• Establishing security incident management
25. Operations Phase
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
• You as client may have a limited role
• Depending on the type of cloud
• Understand limits
• But is essential you know what it is
• Who internally manages the Vendor
• Are we clear about the ‘governance gap’ – the
difference between what the vendor provides
and what our stakeholders expect
• Vendor management is vital
• Establish a performance measurement
framework and share with the vendor
• Keep touch points fresh
Just because you don’t operate the service does not mean you have no responsibilities
- Cloud may save money but it is no free lunch
27. Cease Operation & Transition Out Phase
Requirements
Procurement
ImplementationOperation
Transition Out
Cloud Service
Lifecycle
• Assume this will happen
• Manage as project not BAU
• Considerations
• Data ownership and retention
• Notice and transition arrangement
• Service transition
31. A Fresh Perspective 31
References
— Anon. (2012). About FedRAMP. Retrieved 10 July, 2013, from
http://www.gsa.gov/portal/category/102375
— Anon. (2012). CLOUD COMPUTING STRATEGIC DIRECTION PAPER: Opportunities and applicability
for use by the Australian Government. Retrieved 12 Jul 2013, 2013, from
http://agimo.gov.au/files/2012/04/final_cloud_computing_strategy_version_1.pdf
— Anon. (2012). Cloud Security Considerations. Retrieved 14 July, 2013, from
http://www.dsd.gov.au/infosec/cloudsecurity.htm
— Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging
IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation
Computer Systems, 25(6), 599-616. doi: http://dx.doi.org/10.1016/j.future.2008.12.001
— Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June, 2013, from
http://www.microsoft.com/en-us/news/presskits/cloud/docs/the-economics-of-the-cloud.pdf
— Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13
July, 2013, from http://m.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-
a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-
5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20
July%2012).pdf
— Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of Focus in Cloud Computing. Retrieved
13 July, 2013, from https://cloudsecurityalliance.org/research/security-guidance/
32. A Fresh Perspective 32
About Business Aspect
Business Aspect assists clients with the execution of their business strategy
through either large scale business transformation or through the
addressing of smaller challenges in specific areas of the business. We focus
on the business first, and then address technology needs as an enabler of
required business outcomes. We have skills, experience and expertise in;
business and technology
strategy, architecture, risk, control, planning, design and governance. In
delivering services, we address all layers of the business, including
people, organisational change, process change, information
management, information and communications technology (ICT)
applications and technology infrastructure.
We solve complex business problems through the collaborative efforts of
our team of highly experienced personnel, and through the application of
proven intellectual property. One of our key strengths is the diversity of the
background and skills our senior consultants bring to planning initiatives
involving people, process and systems.
Our ability to extend from business focused domains into architecture and
complex program management builds a bond of trust with our clients and
fosters more effective relationships. For our clients, we serve as the
interpreter between ICT and the demands of individual business
units, translating business needs into ICT outcomes. We complement this
with our ability to work with all parts of the organisation, therefore
maximising the benefits collectively gained from ICT.
We believe the use of senior consultants for the delivery of our clients’
projects is the cornerstone of our success. We also hand pick specialists
from our extensive network of associates and industry partners to
complement our consulting teams. We guarantee senior people with the
right balance of qualifications and real-world industry experience, and our
delivery capability extends across Australia.
Duncan Unwin
M: 0407 032 755
E: dunwin@businessaspect.com.au
Brisbane / Sydney / Canberra / Melbourne
www.businessaspect.com.au
T +61 7 3831 7600
F +61 7 3831 7900
Head Office - 588 Boundary St
Spring Hill Brisbane QLD 4000
Editor's Notes
e.g a well known SaaS vendor had the primary DC for their Australian service in country with common-law but generally suitable data protection provision but their DR (and backups) in a country that has legal provisions that provides for state access to data without warrant and restrictions on disclosure of said access.A Queensland business had their ERP service threatened by bush fires in North America.Of course there are positive risks as well for the same reason
Vendor selection consideration:Whether the service levels are formally documented and publishedWhether the service levels and performance penalties are negotiable or fixedThe financial penalties for failure to meet service levels and performanceAutomated monitoring and reporting of service levels and performanceAutomatic processing of financial penalties when accruedWhether SLA’s can be changed by the provider without approval or consultation with the client.