Cloud Security
Duncan Unwin, Business Aspect
ISACA, Brisbane, 16th July 2013
Why Cloud will happen,
Why it changes how you need to manage security, and
How you can address it
A Fresh Perspective 2
Cloud Security
— The overwhelming economics of Cloud
– Why cloud is here and why you better get used to it
— Seven Reasons why Cloud is a new type of security challenge
– why every technique you have used to manage security needs to be
reconsidered
— How you can manage cloud security
– Introducing a total lifecycle approach to security management
The overwhelming economics of Cloud
— Supply-Side Saving
— Demand-side aggregation
— Multi-tenancy efficiency
— Telecommunications is becoming cheap
— Cloud is nearly a perfect commodity
Supply-Side Saving
— Cost of electricity
– 15-20% of TCO for server infrastructure
– Power Usage Effectiveness (PUE) significantly higher for large DCs
– Green electricity costs will drive Cloud DC location
— Infrastructure labour costs
– Large DCs operate at ratios of 1 engineer to 1000s of servers
— Security and Reliability Compliance
– Increasing requirements will make it less affordable to run IT in-house
– Market demand and scale favour large players (e.g. AWS is ISO 27001)
— Buying Power
– Hardware
– Software
– Telecommunications
– Electricity
Demand-side aggregation
— Demand is not stable
– Randomness
– Time-of-day patterns
– Industry-specific patterns
– Large clouds aggregate and smooth demand
— Uncertain growth pattern
– In-house capacity planning targets provisioning for peak load
– Chronic over-provisioning
– User demands for performance increasing
– Loads are moving from batch to real-time
– Demand, when massively aggregated, becomes predictable
Multi-tenancy Economies of Scale
— Fixed costs amortised over 1000s of customers
— Management Costs
— Implementation Costs
— Base processing overhead
Telecommunications costs are becoming cheap
Cloud is a near perfect commodity
— True Commodities
– No qualitative difference in the market
– Price set for the market as a whole
– Fungible
– Traded via commodity markets
— Existing barriers limit the total commoditisation of cloud
– Lack of interoperability
– Lack of consistency in governance standards
– Market immaturity
– Cultural
— We predict these will be substantively solved over the next few years, resulting in commodity markets emerging
The overwhelming economics of Cloud
— Supply-Side Saving. Large scale data centres have lower cost per
CPU unit
— Demand-side aggregation. Aggregating demand for computing
smooths overall variability, allowing server utilization rates to
increase.
— Multi-tenancy efficiency. When changing to a multi-tenant
application model, increasing the number of tenants
(i.e., customers or users) lowers the application management and
server cost per tenant.
— Telecommunications is becoming cheap. Much of the reason for
in-house IT was driven by the historically high cost to ship data
— Cloud is nearly a perfect commodity. Supply will not be able to
extract price premiums from the market. They win by scale not
margin.
For now, accept that cloud computing will happen.
Let us reset and consider security.
7 Reasons why Cloud presents a Security Challenge
1. Loss of network perimeter
— Current model of security based on ‘egg shell’ design
– Depends upon bad people being mainly outside the network
– Data inside the perimeter
– No real idea of where the ‘valuables’ are kept
— Cloud breaks this
– Data is outside the perimeter
– Systems are outside the perimeter
— Organisations that have been practicing good security, such as maintaining asset inventories and protection-in-depth, are well postured
– For the rest of us there is significant risk
2. Loss of directive control and audit
— Cloud means that you have limited control over Infrastructure
— You can’t fix emerging risks by direction
— You have very limited ability to audit (not a managed service)
– This includes engaging external auditors
– Developing but immature and inflexible assurance standards
  — SAS 70 / SSAE 16
  — Cloud Security Alliance

Customer and provider control by service model (N = none, L = limited, M = mostly, F = full)

Layer          SaaS                PaaS                IaaS
               Customer Provider   Customer Provider   Customer Provider
Application       L        M          L        M          F        N
Middleware        N        F          L        M          F        N
Guest OS          N        F          N        F          F        N
Hypervisor        N        F          N        F          N        F
Storage           N        F          N        F          N        F
Hardware          N        F          N        F          N        F
Network           N        F          N        F          N        F
3. Risks from the physical location of servers
— Legal risks
– Where your data is stored determines the legal jurisdiction and the data and privacy protection laws that apply
– Your obligations are not reduced
— Potential for not knowing where your data is
– This needs to be addressed in specification of the service
4. Risks from multi-tenancy
— Who are the neighbours?
— Virtualisation security is highly dependent on good
administration
— Neighbours pose risks because of malfeasance and negligence
— The driving idea behind ‘Community Clouds’ – a digital gated
community
5. Risks from Internet accessibility
— Why is the Internet a threat? Because that is where the bad
people are
— Access to User Interfaces
– Reliance solely based on application security
– Often supporting only single-factor authentication
— Access to APIs
– History of poor implementation of security
— Tools to help
– Virtual firewalls and VPNs
– Integration of federated identity and access management
6. Difficulty in implementing effective records management protocols
— Cloud providers do not generally offer effective data archiving
and record management services – this problem is left to you
— Need to ensure backup and archive regimes meet the
organisation’s requirements
— Today this generally involves a bespoke solution
7. Risks to service availability
— Cloud creates perverse risks of Disaster
– Wild fires in the USA threaten Australian
SaaS services.
– Amazon EC2 affected by powerful
thunderstorms in Northern Virginia. Tools
to move processing to another data centre
did not function correctly.
– 2011 Brisbane floods: cloud services
enabled email and remote access to
remain available – an example of a positive
risk of a cloud service
Reasons why Cloud presents a Security Challenge
1. Loss of the network perimeter
2. Loss of directive control and audit
3. Risks from the physical location of servers
4. Risks from multi-tenancy
5. Risks from Internet accessibility
6. Difficulty in implementing effective records management protocols
7. Risks to service availability
Treatment Strategy
Business Aspect’s Lifecycle Approach to Cloud Security
[Diagram: Cloud Service Lifecycle – Requirements, Procurement, Implementation, Operation, Transition Out]
Requirements Phase
• Risk Assessment - harm if…
  • the asset were widely public and widely distributed?
  • a cloud provider employee accessed the asset?
  • the function was manipulated by an outsider?
  • the function failed to provide results?
  • the information/data was unexpectedly changed?
  • the asset was unavailable for a period of time?
• Control Requirements
  • DSD's advice on Cloud controls
  • Traditional normative control frameworks need to be adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO 17799)
• Compliance with…
  • Legislation
  • Mandated standards
Procurement and Vendor Selection Phase
• Vendor Selection
  • Capability
  • Contract
  • Fit
• The Contract is the mechanism of control
• The SLA
  • Service availability and reliability requirements
  • Minimum security levels that may be further defined in separate specifications and/or policies and standards
  • Processes for monitoring the performance of the provider, specifically in relation to security and availability
  • Business continuity and disaster recovery requirements and arrangements
  • Liability and indemnity, including zones of responsibility
  • Termination and transition arrangements
  • Auditing and reporting requirements
  • Event and incident management processes
• Account management
Implementation and Transition In Phase
• Planning & Project Management
  • De-risk by piloting and phasing
  • Formal project methodology, e.g. PRINCE2
• Design key processes with the Vendor
  • Service governance model
  • Data conversion and assurance
• Information Management and Data Custodianship
  • Meeting recordkeeping requirements
  • Appointing key roles for information governance
• Establishing capacity planning and service monitoring
• Setting up support processes
• Provisioning of initial services
• Establishing security incident management
Operations Phase
• You as client may have a limited role
  • Depending on the type of cloud
  • Understand the limits
  • But it is essential you know what your role is
• Who internally manages the Vendor?
  • Are we clear about the ‘governance gap’ – the difference between what the vendor provides and what our stakeholders expect?
• Vendor management is vital
  • Establish a performance measurement framework and share it with the vendor
  • Keep touch points fresh
Just because you don’t operate the service does not mean you have no responsibilities.
Cloud may save money, but it is no free lunch.
Operations processes - example
Cease Operation & Transition Out Phase
• Assume this will happen
• Manage as a project, not BAU
• Considerations
  • Data ownership and retention
  • Notice and transition arrangements
  • Service transition
Transition out process - example
Lifecycle Approach to Cloud Security – Key Points
Requirements
  • Risk Assessment
  • Control frameworks
  • Compliance with legislation & standards
Procurement
  • Vendor selection: capability, contract, fit
  • Contract / SLA
  • Account Management
Implementation
  • Project management
  • Design key processes with vendor
Operation
  • Understand roles & responsibilities
  • Manage the gap
  • Vendor management
Transition Out
  • Assume it will happen
  • Manage as a project
  • Consider: data retention, service transition, notice and contract
References
— Anon. (2012). About FedRAMP. Retrieved 10 July, 2013, from http://www.gsa.gov/portal/category/102375
— Anon. (2012). Cloud Computing Strategic Direction Paper: Opportunities and applicability for use by the Australian Government. Retrieved 12 July, 2013, from http://agimo.gov.au/files/2012/04/final_cloud_computing_strategy_version_1.pdf
— Anon. (2012). Cloud Security Considerations. Retrieved 14 July, 2013, from http://www.dsd.gov.au/infosec/cloudsecurity.htm
— Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616. doi: http://dx.doi.org/10.1016/j.future.2008.12.001
— Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June, 2013, from http://www.microsoft.com/en-us/news/presskits/cloud/docs/the-economics-of-the-cloud.pdf
— Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13 July, 2013, from http://m.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20July%2012).pdf
— Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of Focus in Cloud Computing. Retrieved 13 July, 2013, from https://cloudsecurityalliance.org/research/security-guidance/
About Business Aspect
Business Aspect assists clients with the execution of their business strategy
through either large scale business transformation or through the
addressing of smaller challenges in specific areas of the business. We focus
on the business first, and then address technology needs as an enabler of
required business outcomes. We have skills, experience and expertise in
business and technology strategy, architecture, risk, control, planning, design and governance. In
delivering services, we address all layers of the business, including
people, organisational change, process change, information
management, information and communications technology (ICT)
applications and technology infrastructure.
We solve complex business problems through the collaborative efforts of
our team of highly experienced personnel, and through the application of
proven intellectual property. One of our key strengths is the diversity of the
background and skills our senior consultants bring to planning initiatives
involving people, process and systems.
Our ability to extend from business focused domains into architecture and
complex program management builds a bond of trust with our clients and
fosters more effective relationships. For our clients, we serve as the
interpreter between ICT and the demands of individual business
units, translating business needs into ICT outcomes. We complement this
with our ability to work with all parts of the organisation, therefore
maximising the benefits collectively gained from ICT.
We believe the use of senior consultants for the delivery of our clients’
projects is the cornerstone of our success. We also hand pick specialists
from our extensive network of associates and industry partners to
complement our consulting teams. We guarantee senior people with the
right balance of qualifications and real-world industry experience, and our
delivery capability extends across Australia.
Duncan Unwin
M: 0407 032 755
E: dunwin@businessaspect.com.au
Brisbane / Sydney / Canberra / Melbourne
www.businessaspect.com.au
T +61 7 3831 7600
F +61 7 3831 7900
Head Office - 588 Boundary St
Spring Hill Brisbane QLD 4000

 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Isaca cloud security presentation duncan unwin 16 jul13

1. Cloud Security
Duncan Unwin, Business Aspect
ISACA, Brisbane, 16th July 2013
Why Cloud will happen, why it changes how you need to manage security, and how you can address it

2. Cloud Security
— The overwhelming economics of Cloud
– Why cloud is here and why you had better get used to it
— Seven reasons why Cloud is a new type of security challenge
– Why every technique you have used to manage security needs to be reconsidered
— How you can manage cloud security
– Introducing a total lifecycle approach to security management

3. The overwhelming economics of Cloud
— Supply-side saving
— Demand-side aggregation
— Multi-tenancy efficiency
— Telecommunications is becoming cheap
— Cloud is nearly a perfect commodity
4. Supply-Side Saving
— Cost of electricity
– 15-20% of TCO for server infrastructure
– Power Usage Effectiveness (PUE) is significantly better for large DCs
– Green electricity costs will drive Cloud DC location
— Infrastructure labour costs
– Large DCs operate at ratios of 1 engineer to 1000s of servers
— Security and reliability compliance
– Increasing requirements will make it less affordable to run IT in-house
– Market demand and scale favour large players (e.g. AWS is ISO 27001 certified)
— Buying power
– Hardware
– Software
– Telecommunications
– Electricity
5. Demand-side aggregation
— Demand is not stable
– Randomness
– Time-of-day patterns
– Industry-specific patterns
– Large clouds aggregate and smooth demand
— Uncertain growth pattern
– In-house capacity planning targets provisioning for peak load
– Chronic over-provisioning
– User demands for performance are increasing
– Loads are moving from batch to real-time
– Demand, when massively aggregated, becomes predictable

6. Multi-tenancy Economies of Scale
— Fixed costs amortised over 1000s of customers
— Management costs
— Implementation costs
— Base processing overhead

7. Telecommunications costs are becoming cheap

8. Cloud is a near perfect commodity
— True commodities
– No qualitative difference in the market
– Price set for the market as a whole
– Fungible
– Traded via commodity markets
— Existing barriers limit the total commoditisation of cloud
– Lack of interoperability
– Lack of consistency in governance standards
– Market immaturity
– Cultural
— We predict these will be substantively solved over the next few years, resulting in commodity markets emerging
9. The overwhelming economics of Cloud
— Supply-side saving. Large-scale data centres have a lower cost per CPU unit.
— Demand-side aggregation. Aggregating demand for computing smooths overall variability, allowing server utilisation rates to increase.
— Multi-tenancy efficiency. When changing to a multi-tenant application model, increasing the number of tenants (i.e., customers or users) lowers the application management and server cost per tenant.
— Telecommunications is becoming cheap. Much of the reason for in-house IT was driven by the historically high cost to ship data.
— Cloud is nearly a perfect commodity. Suppliers will not be able to extract price premiums from the market. They win by scale, not margin.
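Slides 5 and 9 argue that pooling many tenants' demand smooths variability and raises utilisation. The Python simulation below is an added example, not from the presentation: it assumes a constructed tenant demand model (a 24-hour curve with office tenants peaking at 14:00 and batch tenants at 02:00, plus a small random jitter) and compares the capacity each tenant would have to buy to cover its own peak against the capacity needed for the pooled peak.

```python
"""Demand-side aggregation, worked numerically.

Added example, not part of the presentation. The tenant model (a 24-hour
demand curve, office tenants peaking at 14:00 and batch tenants at 02:00,
plus a little random noise) is an assumption chosen to make the point.
"""
import math
import random
from statistics import mean

HOURS = 24 * 7   # one week, sampled hourly
NOISE = 0.1      # random jitter, as a fraction of a tenant's base load


def diurnal(hour_of_day, peak_hour):
    """Load multiplier between 0.3 (trough) and 1.8 (peak), peaking at peak_hour."""
    return 1.05 + 0.75 * math.cos(2 * math.pi * (hour_of_day - peak_hour) / 24)


def tenant_demand(rng, base, peak_hour):
    """Hourly demand (arbitrary CPU units) for one tenant over HOURS hours."""
    return [base * diurnal(h % 24, peak_hour) + rng.uniform(0, NOISE * base)
            for h in range(HOURS)]


def compare_provisioning(n_tenants, seed=2013):
    """Capacity each tenant must buy on its own (in-house, provisioned for its
    own peak) versus capacity a provider must buy for the pooled demand."""
    rng = random.Random(seed)   # fixed seed: constructed, repeatable data
    tenants = []
    for i in range(n_tenants):
        base = rng.uniform(5, 20)
        peak_hour = 14 if i % 2 == 0 else 2   # office vs batch workloads
        tenants.append(tenant_demand(rng, base, peak_hour))
    # In-house: every tenant provisions for its own peak, nothing is shared.
    in_house = sum(max(t) for t in tenants)
    # Cloud: provision once for the peak of the pooled demand.
    pooled = [sum(t[h] for t in tenants) for h in range(HOURS)]
    cloud = max(pooled)
    total_mean = mean(pooled)
    return {
        "in_house_capacity": in_house,
        "cloud_capacity": cloud,
        "in_house_utilisation": total_mean / in_house,
        "cloud_utilisation": total_mean / cloud,
        "capacity_saving": 1 - cloud / in_house,
    }


if __name__ == "__main__":
    for n in (1, 2, 10, 100):
        r = compare_provisioning(n)
        print(f"{n:4d} tenants: in-house utilisation {r['in_house_utilisation']:.0%}, "
              f"cloud utilisation {r['cloud_utilisation']:.0%}, "
              f"capacity saving {r['capacity_saving']:.0%}")
```

With one tenant there is nothing to pool and the saving is zero; as tenants with different peak hours are added, the pooled peak stays well below the sum of the individual peaks, which is the utilisation gain the slides describe.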
10. For now, accept that cloud computing will happen. Let us reset and consider security.

11. 7 Reasons why Cloud presents a Security Challenge

12. 1. Loss of network perimeter
— Current model of security is based on an ‘egg shell’ design
– Depends upon bad people being mainly outside the network
– Data inside the perimeter
– No real idea of where the ‘valuables’ are kept
— Cloud breaks this
– Data is outside the perimeter
– Systems are outside the perimeter
— Organisations that have been practising good security, such as maintaining asset inventories and protection-in-depth, are well postured
– For the rest of us there is significant risk
13. 2. Loss of directive control and audit
— Cloud means that you have limited control over infrastructure
— You can’t fix emerging risks by direction
— You have very limited ability to audit (not a managed service)
– This includes engaging external auditors
– Developing but immature and inflexible assurance standards
— SAS 70 / SSAE 16
— Cloud Security Alliance

Customer and provider control (N=none, M=mostly, L=limited, F=full)

Layer        SaaS               PaaS               IaaS
             Customer Provider  Customer Provider  Customer Provider
Application  L        M         L        M         F        N
Middleware   N        F         L        M         F        N
Guest OS     N        F         N        F         F        N
Hypervisor   N        F         N        F         N        F
Storage      N        F         N        F         N        F
Hardware     N        F         N        F         N        F
Network      N        F         N        F         N        F
14. 3. Risks from the physical location of servers
— Legal risks
– Where your data is stored determines the legal jurisdiction and the data and privacy protection laws
– Your obligations are not reduced
— Potential for not knowing where your data is
– This needs to be addressed in the specification of the service

15. 4. Risks from multi-tenancy
— Who are the neighbours?
— Virtualisation security is highly dependent on good administration
— Neighbours pose risks because of malfeasance and negligence
— The driving idea behind ‘Community Clouds’: a digital gated community

16. 5. Risks from Internet accessibility
— Why is the Internet a threat? Because that is where the bad people are
— Access to user interfaces
– Reliance solely on application security
– Often supporting only single-factor authentication
— Access to APIs
– History of poor implementation of security
— Tools to help
– Virtual firewalls and VPNs
– Integration of federated identity and access management

17. 6. Difficulty in implementing effective records management protocols
— Cloud providers do not generally offer effective data archiving and record management services; this problem is left to you
— Need to ensure backup and archive regimes meet the organisation’s requirements
— Today this generally involves a bespoke solution

18. 7. Risks to service availability
— Cloud creates perverse risks of disaster
– Wild fires in the USA threaten Australian SaaS services.
– Amazon EC2 affected by powerful thunderstorms in Northern Virginia. Tools to move processing to another data centre did not function correctly.
– 2011 Brisbane floods: cloud services enabled email and remote access to remain available, an example of a positive risk of a cloud service

19. Reasons why Cloud presents a Security Challenge
1. Loss of the network perimeter
2. Loss of directive control and audit
3. Risks from the physical location of servers
4. Risks from multi-tenancy
5. Risks from Internet accessibility
6. Difficulty in implementing effective records management protocols
7. Risks to service availability
20. Treatment Strategy

21. Business Aspect’s Lifecycle Approach to Cloud Security
Cloud Service Lifecycle: Requirements, Procurement, Implementation, Operation, Transition Out

22. Requirements Phase
• Risk assessment: harm if…
  • the asset became widely public and widely distributed?
  • a cloud provider employee accessed the asset?
  • the function was manipulated by an outsider?
  • the function failed to provide results?
  • the information/data was unexpectedly changed?
  • the asset was unavailable for a period of time?
• Control requirements
  • DSD’s advice on Cloud controls
  • Traditional normative control frameworks need to be adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO 17799)
• Compliance with…
  • Legislation
  • Mandated standards

23. Procurement and Vendor Selection Phase
• Vendor selection
  • Capability
  • Contract
  • Fit
• The contract is the mechanism of control
• The SLA
  • Service availability and reliability requirements
  • Minimum security levels that may be further defined in separate specifications and/or policies and standards
  • Processes for monitoring the performance of the provider, specifically in relation to security and availability
  • Business continuity and disaster recovery requirements and arrangements
  • Liability and indemnity, including zones of responsibility
  • Termination and transition arrangements
  • Auditing and reporting requirements
  • Event and incident management processes
  • Account management

24. Implementation and Transition In Phase
• Planning and project management
  • De-risk by piloting and phasing
  • Formal project, e.g. PRINCE2
• Design key processes with the vendor
  • Service governance model
  • Data conversion and assurance
  • Information management and data custodianship
  • Meeting recordkeeping requirements
  • Appointing key roles for information governance
  • Establishing capacity planning and service monitoring
  • Setting up support processes
  • Provisioning of initial services
  • Establishing security incident management
25. Operations Phase
• You as client may have a limited role
  • Depending on the type of cloud
  • Understand the limits
  • But it is essential you know what your role is
• Who internally manages the vendor?
• Are we clear about the ‘governance gap’: the difference between what the vendor provides and what our stakeholders expect?
• Vendor management is vital
  • Establish a performance measurement framework and share it with the vendor
  • Keep touch points fresh
Just because you don’t operate the service does not mean you have no responsibilities. Cloud may save money, but it is no free lunch.

26. Operations processes - example

27. Cease Operation and Transition Out Phase
• Assume this will happen
• Manage as a project, not BAU
• Considerations
  • Data ownership and retention
  • Notice and transition arrangements
  • Service transition

28. Transition out process - example

29. Lifecycle Approach to Cloud Security – Key Points
• Requirements
  • Risk assessment
  • Control frameworks
  • Compliance with legislation and standards
• Procurement
  • Vendor selection: capability, contract, fit
  • Contract / SLA
  • Account management
• Implementation
  • Project management
  • Design key processes with the vendor
• Operation
  • Understand roles and responsibilities
  • Manage the gap
  • Vendor management
• Transition Out
  • Assume it will happen
  • Manage as a project
  • Consider data retention, service transition, notice and contract
31. References
— Anon. (2012). About FedRAMP. Retrieved 10 July 2013, from http://www.gsa.gov/portal/category/102375
— Anon. (2012). Cloud Computing Strategic Direction Paper: Opportunities and applicability for use by the Australian Government. Retrieved 12 July 2013, from http://agimo.gov.au/files/2012/04/final_cloud_computing_strategy_version_1.pdf
— Anon. (2012). Cloud Security Considerations. Retrieved 14 July 2013, from http://www.dsd.gov.au/infosec/cloudsecurity.htm
— Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616. doi: http://dx.doi.org/10.1016/j.future.2008.12.001
— Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June 2013, from http://www.microsoft.com/en-us/news/presskits/cloud/docs/the-economics-of-the-cloud.pdf
— Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13 July 2013, from http://m.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20July%2012).pdf
— Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of Focus in Cloud Computing. Retrieved 13 July 2013, from https://cloudsecurityalliance.org/research/security-guidance/
32. About Business Aspect
Business Aspect assists clients with the execution of their business strategy through either large-scale business transformation or through addressing smaller challenges in specific areas of the business. We focus on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure.

We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems. Our ability to extend from business-focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT.

We believe the use of senior consultants for the delivery of our clients’ projects is the cornerstone of our success. We also hand-pick specialists from our extensive network of associates and industry partners to complement our consulting teams. We guarantee senior people with the right balance of qualifications and real-world industry experience, and our delivery capability extends across Australia.

Duncan Unwin
M: 0407 032 755
E: dunwin@businessaspect.com.au
Brisbane / Sydney / Canberra / Melbourne
www.businessaspect.com.au
T +61 7 3831 7600
F +61 7 3831 7900
Head Office - 588 Boundary St, Spring Hill, Brisbane QLD 4000

Editor's Notes

  1. e.g. a well-known SaaS vendor had the primary DC for their Australian service in a country with common law and generally suitable data protection provisions, but their DR (and backups) in a country whose legal provisions provide for state access to data without a warrant and restrict disclosure of that access. A Queensland business had their ERP service threatened by bush fires in North America. Of course there are positive risks as well, for the same reason.
  2. Vendor selection considerations:
    • Whether the service levels are formally documented and published
    • Whether the service levels and performance penalties are negotiable or fixed
    • The financial penalties for failure to meet service levels and performance
    • Automated monitoring and reporting of service levels and performance
    • Automatic processing of financial penalties when accrued
    • Whether SLAs can be changed by the provider without approval or consultation with the client