The document discusses various risks and security considerations related to cloud computing. It covers assessing risks from real world, corporate, and technical perspectives. Key risks include user access, data location, recovery risks, and ensuring regulatory compliance. The document also provides an overview of security standards like PCI compliance and approaches to securing confidential data and applications in the cloud.

1. Securing the Cloud (Don’t get lost in the fog) Chris Munt M/Gateway Developments Ltd

2. Topics Real World View Assessing risk Corporate/Lawyers View Analysis of commercial risk Technical View Using technology to mitigate risk

3. Real world view

4. Assessing risk What risks are you exposed to?

5. Assessing risk

6. Assessing risk Indentify weaknesses

7. Assessing risk Can technology help?

8. Assessing risk Source: XKCD web comic: http://xkcd.com/

9. Assessing risk Lost in the fog of fanciful terms used to describe technology?

10. Assessing risk Cyberspace Virtualization Cloud computing Private Cloud Public Cloud Hybrid Cloud Cloudware IaaS, PaaS, SaaS

11. Assessing risk Cloud Computing Real computers

12. Real databases

13. Real networks Who’s watching you?

14. Assessing risk What about human factors?

15. Assessing risk

16. Assessing risk

17. Assessing risk “ You must change your password every few weeks and it must be constructed from no less than twelve characters which will include a mixture of upper and lower case letters, digits and punctuation characters”

18. Assessing risk Security versus Convenience?

19. Assessing risk

20. Assessing risk Why would anyone want to break your security?

21. Assessing risk

22. Assessing risk What’s your data worth to you? What’s it worth to someone else?

23. Assessing risk Lindisfarne Castle, Holy Island ~1797 by Thomas Girtin (1775–1802)

24. Assessing risk Best security is data locked in a secure room Not practical Sensible compromise required Must be practical with safeguards against all likely risks

25. Corporate/Lawyers view

26. Cloud Computing: Risks to an organization Focus on Security and Accountability

27. Gartner report June 2008 Identify seven areas of risk

28. Suggest questions to be directed at service provider

29. Reference: http://www.infoworld.com/article/08/07/02/Gartner_Seven_cloudcomputing_security_risks_1.html

30. User Access Risk Privileged user access Who has access to your data?

31. Who administers the systems?

32. Governance

33. Regulatory Compliance Risk You are ultimately responsible for the security and integrity of your own data What is in your data?

34. Do you store sensitive information about others?

35. Is the supplier subject to external audit in the same way as conventional suppliers of outsourcing solutions?

36. Data Location Risk You probably have no control of where your data is physically held Can you insist that it be held within a certain jurisdiction?

37. Can the Cloud provider sign up to local privacy requirements on behalf of their customers?

38. Data Segregation Risk Your data is usually stored in shared environments along with the data of other customers. Ask about encryption schemes used and how they are verified

39. Assess risk of encryption accidents Possibility of rendering data unreadable

40. Risks Associated With Recovery Even with modern equipment disasters can (and do) still happen Can the supplier do a complete recovery?

41. How long will a full recovery take?

42. Granularity of recovery?

43. Risks inherent in investigating security breaches and illegal activity Inherent difficulty in investigating illegal activity in shared environments To what extent can the supplier support investigative work?

44. To what extent do you have to account for illegal activity involving your application and/or data?

45. Risks associated with sustainability Long term viability of supplier What happens if the supplier goes bust?

46. What happens if the supplier is taken over by another company?

47. How would you get your data back (and port it to another platform) if you needed to?

48. Technical view

49. Cloud Computing: Security Standards compliance Credit Card transactions Payment Card Industry – PCI compliance 4 Levels Confidential data Medical records