IT Series: Cloud Computing Done Right CISOA 2011
•Download as PPTX, PDF•
1 like•661 views
Coverage of the risks and rewards of Cloud computing. Including proper management and risk assessment considerations.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (18)
Similar to IT Series: Cloud Computing Done Right CISOA 2011
Similar to IT Series: Cloud Computing Done Right CISOA 2011 (20)
More from Donald E. Hester
More from Donald E. Hester (20)
Recently uploaded
Recently uploaded (20)
IT Series: Cloud Computing Done Right CISOA 2011
- 1. Donald Hester IT Series: Cloud Computing Done Right
- 2. Image: NASA
- 3. Cloud Computing? The “Cloud” • Buzz word • Overused cliché • Ill defined • Many different definitions • Marketing term • All hype • The “unknown path” • Service provider 3 Nebulous
- 4. What is it? 4 “..[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” NIST & Cloud Security Alliance A utility model of technology delivery.
- 5. Cloud Flavors 5 • Private Cloud • Operated solely for one organization • In-sourcing • Community Cloud • Operated for a group of similar organizations • Public Cloud • Outsourced • Multi-tenant • Hybrid Cloud • Combination of the above
- 6. …as-a-service 6 • Communication-as-a-Service (CaaS) • Infrastructure-as-a-Service (IaaS) • Monitoring-as-a-Service (MaaS) • Platform-as-a-Service (PaaS) • Software-as-a-Service (SaaS) • Security-as-a-Service (SECaaS) • Everything-as-a-Service (EaaS) • Anything-as-a-Service (XaaS)
- 8. Potential Spending on Cloud Computing 8 Based on agency estimates as reported to the Office of Management and Budget (OMB) Federal Cloud Computing Strategy
- 9. Federal Cloud Computing Strategy 9 “Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” “…to be more efficient, agile, and innovative through more effective use of IT investments…” Federal Cloud Computing Strategy, February 2011
- 10. Benefits of Cloud Computing 10 • Save time and money on provisioning new services • Less time spent on deployment • Move capital investment to operational expenses • Instant test bed • Enables IT systems to be scalable and elastic • Provision computing resources as required, on-demand • No need to own data center infrastructure (for public cloud service)
- 11. Benefits of Cloud Computing 11 • Energy saving (green) • Increased utilization, less idle time • Cost based on usage • More effective use of capital resources ($) • Better service • Allows IT staff to focus on core competencies • Repurpose IT staff for more customer service • Outsource to esoteric experts • 24/7 service and support • Economies of scale
- 12. Federal Cloud Computing Benefits 12 Federal Cloud Computing Strategy, February 2011
- 13. Cost Benefit Analysis 13 Traditional Costs Hardware (initial) Software (initial) Hardware repair/upgrades Software upgrades Staff costs Energy costs Training Traditional Limits Maximum load Maximum up-time Maximum users MTTR Dependencies Cloud Costs Cost per user Cost by bandwidth/storage Cost increase over time Cost of additional services Legal consultation costs Staff costs Training Cloud limitations Users Bandwidth Storage Service Support Dependencies
- 14. Cost Benefit Analysis Example 14 Traditional Costs TCO $21,000 Cloud Costs TCO $22,850 0 2000 4000 6000 8000 10000 12000 14000 1 2 3 4 5 6 7 8 9 10 Year Traditional Cloud
- 15. Cost Benefit Analysis Example 15 TCO over 10 years: MS Office Retail $1,220 MS Office Academic $346 MS Office 360 $295 0 50 100 150 200 250 300 350 1 2 3 4 5 6 7 8 9 10 Retail Academic Cloud
- 16. Cloud Risks 16 Where’s My Data? The Bad Divorce Trust but Verify “I thought you knew” I didn’t think of that Clarify Consider Expectations, Put it in Writing
- 17. Where’s My Data? 17 • In the information age your key asset is information. • Some information requires protection • (Credit Card Data, Student Records, SSN, etc…) • Your information could be anywhere in the world • You may loss access to your data • ISP failure • Service provider failure • Failure to pay (service provider stops access)
- 18. The Bad Divorce 18 “Vendor Lock” • All relationships come to an end • Let you down, had a breach, SLA performance etc… • The company fails/gets sold • Introductory pricing or it goes up over time • Transition to new vendor or in-source • How will you get your data back? • Get a prenup – get it in the contract up front
- 19. Trust but Verify 19 Assurance • How do you know they are protecting your data? • Not everyone is treated the same by service providers • Disclosure concerning security posture • 3rd party independent verification (audit/assessment) • SAS 70 / SSAE 16 • SysTrust / WebTrust • ISO 27001 Certification • Audit / Assessment
- 20. “I thought you knew” 20 Breach Notification • When do you want to know about a data breach? • (Data that you are legal obligated to protect) • Typical contracts give wide latitude for service providers • Actual verses possible breach • Timeliness of notification
- 21. I didn’t think of that 21 Dependencies • Infrastructure – Internet • Authentication management (SSO) • Operational budget • Greater dependency on 3rd parties Other considerations • Complex legal issues • Multi-tenancy • Transborder data flow
- 22. Clarify 22 • What do they mean by “Cloud” • Establish clear responsibilities and accountability • Your expectations • Cost of compensating controls • What will happen with billing disputes
- 23. Consider 23 • The reputation of the service provider • Track record of issues • Large or small, likelihood of change • Vendor ‘supply chain management’ issues • The reliability of the service or technology • Is the technology time tested • Typically you have no control over upgrades and changes • Training for staff
- 24. Expectations, Put it in Writing 24 • Anything they guarantee get in writing • Typical agreements are in favor of the service provider • Protect your interests in writing (have legal look at it) • Get specific SLA • Document specific security requirements • Non-performance clause • Disposition and transition clauses • Notification requirements
- 25. Resources Cloud Security Alliance • cloudsecurityalliance.org ISACA: Cloud Computing Management Audit/Assurance Program, 2010 NIST Special Publication 800-145 (draft) Federal Cloud Computing Strategy, February 2011 Above the Clouds managing Risk in the World of Cloud Computing by McDonald (978-1-84928-031-0) Cloud Computing, Implementation, Management, and Security by Rittinghouse and Ransome (978-1-4398- 0680-7) 25
- 26. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca | DonaldH@MazeAssociates.com Q&A
- 27. Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/ IT Series: Cloud Computing Done Right