The Cloud Security Landscape

An Ethical Hacker’s View

Peter Wood
Chief Executive Officer
First•Base Technologies
Who am I?

Worked in computers and electronics since 1969
Founded First•Base in 1989 (one of the first ethical hacking firms)

- Social engineer & penetration tester
- Conference speaker and security ‘expert’
- Chair of Advisory board at CSA UK & Ireland
- Vice Chair of BCS Information Risk Management and Audit Group
- ISACA Security Advisory Group and Conference Task Force
- Corporate Executive Programme Expert
- IISP Interviewer

- FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
- Registered BCS Security Consultant
- Member of ACM, ISACA, ISSA, Mensa

© First Base Technologies 2011
Agenda

• Cloud Computing: Define
• Is Cloud Computing Insecure?
• Cloud Security Guidance
• Q&A
Cloud Service Models

• Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings)
• Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage)
• Infrastructure (IaaS) - consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)
Cloud Deployment Models

• Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services
• Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on-premises or off-premises
• Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises
• Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds)
Not the best approach to cloud
Typical cloud security questions

• Your data is … where?
• Which country?
• Who has access?
• Have staff been vetted?
• How well is it segregated from other users?
• Is it encrypted? Who holds the keys?
• How is it backed up (encrypted? where is it?)
• How is it transmitted (encrypted? authenticated?)
• Have the providers been tested by a reputable third party?
Amrit Williams Blog
Observations of a Digitally Enlightened Mind

• When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control.

• The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail.

Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc.

http://techbuddha.wordpress.com/
Just a little brainstorm
Security Guidance for Critical Areas of Focus in Cloud Computing
V2.1 -> V3.0

Cloud Security Alliance

http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page
Risk Assessment

Evaluate your tolerance for moving an asset to various cloud computing models

• Identify the asset for the cloud deployment
• Evaluate the asset
• Map the asset to potential cloud deployment models
• Evaluate potential cloud service models and providers
• Sketch the potential data flow
Identify the asset

• Determine exactly what data or function is being considered for the cloud
  - This should include potential uses of the asset once it moves to the cloud to account for scope creep
  - Data and transaction volumes are often higher than expected

• Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud
  - For example, host application and data in own data centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service
Evaluate the asset

How would we be harmed if:
• the asset became widely public and widely distributed?
• an employee of our cloud provider accessed the asset?
• the process or function were manipulated by an outsider?
• the process or function failed to provide expected results?
• the information/data were unexpectedly changed?
• the asset were unavailable for a period of time?
Map the asset to potential models

• Public
• Private, internal/on-premises
• Private, external (including dedicated or shared infrastructure)
• Community; taking into account the hosting location, potential service provider, and identification of other community members
• Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside
Evaluate models and providers

• In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management
• If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment
• Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers
• If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation
Sketch the potential data flow

• If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes
• While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud
• If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to ensure that as you make final decisions, you’ll be able to identify risk exposure points.
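The five steps above (identify the asset, rate the six harm questions, map to deployment models, weigh the degree of control at each SPI tier, sketch the data flow) carried through as one worked example. This is illustrative Python added to this page, not code from the talk or from the CSA Guidance; the control ranks, the harm-to-control thresholds, the asset names, trust zones and flows are all constructed assumptions for the sake of the example.

```python
# Added worked example for the CSA-style risk assessment steps on this page.
# Not code from the talk or the CSA Guidance; ranks, thresholds and sample
# assets/flows below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Step 2 ("Evaluate the asset"): the six harm questions, each rated by the
# asset owner from 0 (no harm) to 3 (severe harm).
HARM_QUESTIONS = (
    "widely_public",            # asset became widely public and distributed
    "provider_staff_access",    # a provider employee accessed the asset
    "manipulated_by_outsider",  # process/function manipulated by an outsider
    "failed_expected_results",  # process/function failed to deliver
    "unexpectedly_changed",     # data unexpectedly changed
    "unavailable",              # asset unavailable for a period of time
)

# Steps 3 and 4: how much control the consumer keeps per deployment model and
# per SPI tier (SaaS least, IaaS most). Ranks are assumptions, not a CSA scale.
DEPLOYMENT_CONTROL = {
    "public": 1,
    "community": 2,
    "private_external_shared": 3,
    "private_external_dedicated": 4,
    "private_internal": 5,
}
SERVICE_CONTROL = {"SaaS": 1, "PaaS": 2, "IaaS": 3}

# Constructed policy: the worse the worst-case harm, the more combined control
# the consumer must retain to implement its own risk management.
CONTROL_THRESHOLD = {0: 2, 1: 3, 2: 5, 3: 7}
REGULATED_MIN_THRESHOLD = 5  # regulated data never goes to the lowest-control tiers


@dataclass
class Asset:
    name: str
    harm: Dict[str, int]  # answers to HARM_QUESTIONS; missing keys count as 0
    regulated: bool = False


def worst_case_harm(asset: Asset) -> int:
    """Highest harm rating across the six questions (0..3)."""
    return max(asset.harm.get(q, 0) for q in HARM_QUESTIONS)


def control_threshold(asset: Asset) -> int:
    need = CONTROL_THRESHOLD[worst_case_harm(asset)]
    if asset.regulated:
        need = max(need, REGULATED_MIN_THRESHOLD)
    return need


def acceptable_models(asset: Asset) -> List[Tuple[str, str]]:
    """Deployment/service combinations whose combined control rank meets the
    asset's threshold, least-control (cheapest) options first."""
    need = control_threshold(asset)
    combos = [
        (dep, svc)
        for dep, d_rank in DEPLOYMENT_CONTROL.items()
        for svc, s_rank in SERVICE_CONTROL.items()
        if d_rank + s_rank >= need
    ]
    return sorted(combos, key=lambda c: (DEPLOYMENT_CONTROL[c[0]], SERVICE_CONTROL[c[1]]))


# Step 5 ("Sketch the potential data flow"): every node sits in a trust zone;
# a flow that crosses zones is an exposure point unless it is both encrypted
# and authenticated in transit (the "how is it transmitted?" question).
@dataclass
class Flow:
    src: str
    dst: str
    encrypted: bool
    authenticated: bool


def exposure_points(zones: Dict[str, str], flows: List[Flow]) -> List[Tuple[str, str, List[str]]]:
    findings = []
    for f in flows:
        if zones[f.src] == zones[f.dst]:
            continue  # never leaves one trust zone
        issues = []
        if not f.encrypted:
            issues.append("unencrypted")
        if not f.authenticated:
            issues.append("unauthenticated")
        if issues:
            findings.append((f.src, f.dst, issues))
    return findings


# Constructed sample input: a payroll function being considered for the cloud.
PAYROLL = Asset("payroll", {"widely_public": 3, "unavailable": 2}, regulated=True)
BROCHURE = Asset("marketing-site", {"unavailable": 1})
ZONES = {"hr-system": "org", "payroll-saas": "cloud", "bank-gateway": "third-party"}
FLOWS = [
    Flow("hr-system", "payroll-saas", encrypted=True, authenticated=True),
    Flow("payroll-saas", "bank-gateway", encrypted=True, authenticated=False),
]

if __name__ == "__main__":
    for asset in (PAYROLL, BROCHURE):
        print(asset.name, "->", acceptable_models(asset))
    print("exposure points:", exposure_points(ZONES, FLOWS))
```

Run as-is, the payroll asset is pushed to dedicated or internal hosting at PaaS/IaaS (where the consumer can implement its own controls), the brochure site is acceptable almost anywhere, and the only exposure point flagged is the unauthenticated hop from the SaaS provider to the bank gateway. The point of the sketch is that the numbers are an input from the asset owner, while the data-flow check is mechanical once zones are assigned.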
Conclusions

• Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable
• Have a rough idea of potential exposure points for sensitive information and operations
• These together should give you sufficient context to evaluate any other security controls in the Guidance
Need more information?

Peter Wood
Chief Executive Officer
First•Base Technologies LLP

peterw@firstbase.co.uk
Twitter: peterwoodx
Blog: fpws.blogspot.com

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 

Recently uploaded (20)

Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 

The Cloud Security Landscape

  • 1. The Cloud Security Landscape
    An Ethical Hacker’s View
    Peter Wood, Chief Executive Officer, First•Base Technologies
  • 2. Who am I?
    Worked in computers and electronics since 1969
    Founded First•Base in 1989 (one of the first ethical hacking firms)
    - Social engineer & penetration tester
    - Conference speaker and security ‘expert’
    - Chair of Advisory board at CSA UK & Ireland
    - Vice Chair of BCS Information Risk Management and Audit Group
    - ISACA Security Advisory Group and Conference Task Force
    - Corporate Executive Programme Expert
    - IISP Interviewer
    - FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
    - Registered BCS Security Consultant
    - Member of ACM, ISACA, ISSA, Mensa
    © First Base Technologies 2011
  • 3. Agenda
    • Cloud Computing: Define
    • Is Cloud Computing Insecure?
    • Cloud Security Guidance
    • Q&A
  • 4. Agenda
    • Cloud Computing: Define
    • Is Cloud Computing Secure?
    • Cloud Security Guidance
    • Q&A
  • 5. Cloud Service Models
    • Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings)
    • Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage)
    • Infrastructure (IaaS) - consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)
  • 6. Cloud Deployment Models
    • Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services
    • Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on-premises or off-premises
    • Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises
    • Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds)
  • 7. (slide without text)
  • 8. (slide without text)
  • 9. Agenda
    • Cloud Computing: Define
    • Is Cloud Computing Secure?
    • Cloud Security Guidance
    • Q&A
  • 10. Not the best approach to cloud
  • 11. Typical cloud security questions
    • Your data is … where?
    • Which country?
    • Who has access?
    • Have staff been vetted?
    • How well is it segregated from other users?
    • Is it encrypted? Who holds the keys?
    • How is it backed up (encrypted? where is it?)
    • How is it transmitted (encrypted? authenticated?)
    • Have the providers been tested by a reputable third party?
  • 12. Amrit Williams Blog - Observations of a Digitally Enlightened Mind
    • When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control.
    • The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail.
    Amrit Williams is CTO at BigFix and was previously a research director in the Information Security and Risk Research Practice at Gartner, Inc.
    http://techbuddha.wordpress.com/
  • 13. Just a little brainstorm
  • 14. Agenda
    • Cloud Computing: Define
    • Is Cloud Computing Secure?
    • Cloud Security Guidance
    • Q&A
  • 15. Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 -> V3.0
    Cloud Security Alliance
    http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
    https://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page
  • 16. Risk Assessment
    Evaluate your tolerance for moving an asset to various cloud computing models
    • Identify the asset for the cloud deployment
    • Evaluate the asset
    • Map the asset to potential cloud deployment models
    • Evaluate potential cloud service models and providers
    • Sketch the potential data flow
  • 17. Identify the asset
    • Determine exactly what data or function is being considered for the cloud
    - This should include potential uses of the asset once it moves to the cloud, to account for scope creep
    - Data and transaction volumes are often higher than expected
    • Data and applications don’t need to reside in the same location; you can shift only parts of a function to the cloud
    - For example, host the application and its data in your own data centre while outsourcing a portion of the application’s functionality to the cloud through a Platform as a Service
  • 18. Evaluate the asset
    How would we be harmed if:
    • the asset became widely public and widely distributed?
    • an employee of our cloud provider accessed the asset?
    • the process or function were manipulated by an outsider?
    • the process or function failed to provide expected results?
    • the information/data were unexpectedly changed?
    • the asset were unavailable for a period of time?
  • 19. Map the asset to potential models
    • Public
    • Private, internal/on-premises
    • Private, external (including dedicated or shared infrastructure)
    • Community; taking into account the hosting location, potential service provider, and identification of other community members
    • Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside
  • 20. Evaluate models and providers
    • In this step, focus on the degree of control you’ll have at each SPI tier (SaaS, PaaS, IaaS) to implement the risk mitigation you require; the less of the stack you control, the more you depend on the provider’s controls
    • If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment
    • If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation
  • 21. Sketch the potential data flow
    • If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes
    • While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud
    • If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to ensure that as you make final decisions, you’ll be able to identify risk exposure points.
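The five steps above (identify, evaluate harm, map to deployment models, check control per SPI tier, sketch the data flow) are easy to state and easy to skip. The following Python is an added worked example, not code from the deck or from the Cloud Security Alliance: it encodes the slide 18 harm questions, the slide 5 control-per-tier split and the slide 19 deployment options as data, rejects (deployment, service) pairs the asset cannot tolerate, and walks a slide 21 data-flow sketch flagging hops that are not encrypted and authenticated (the slide 11 questions). The 0..3 harm scale, the rejection thresholds, the sample asset and the sample flows are all constructed for this example; a real assessment would replace them with the organisation's own tolerance.

```python
"""Added example: a small model of the CSA risk-assessment walk-through.
The harm scale, thresholds, sample asset and sample flows are constructed
for this example; they are not from the deck or the CSA guidance."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Slide 18 harm questions, answered on a constructed 0..3 scale (3 = severe).
HARM_QUESTIONS = (
    "widely_public",             # asset became widely public and distributed
    "provider_employee_access",  # a provider employee accessed the asset
    "outsider_manipulation",     # process/function manipulated by an outsider
    "failed_results",            # function failed to provide expected results
    "unexpected_change",         # data unexpectedly changed
    "unavailable",               # asset unavailable for a period of time
)

# Slide 5: the layers the consumer can control at each SPI tier.
CONSUMER_CONTROL: Dict[str, Set[str]] = {
    "SaaS": {"app-config"},
    "PaaS": {"app-config", "application"},
    "IaaS": {"app-config", "application", "os", "storage", "host-firewall"},
}

# Slide 19 deployment options as (run off-premises by a third party?, shared infrastructure?).
DEPLOYMENTS: Dict[str, Tuple[bool, bool]] = {
    "public": (True, True),
    "community": (True, True),
    "private-external-shared": (True, True),
    "private-external-dedicated": (True, False),
    "private-internal": (False, False),
}

@dataclass
class Asset:
    name: str
    harm: Dict[str, int]                    # answers to HARM_QUESTIONS
    regulated: bool = False                 # slide 20: specific handling requirements
    required_layers: Set[str] = field(default_factory=set)  # layers we must control ourselves

@dataclass
class Flow:
    """One edge of the slide 21 data-flow sketch."""
    src: str
    dst: str
    encrypted: bool
    authenticated: bool

def evaluate(asset: Asset, deployment: str, service: str) -> Tuple[bool, List[str]]:
    """Return (acceptable, reasons). The thresholds are this example's assumptions."""
    external, shared = DEPLOYMENTS[deployment]
    reasons: List[str] = []
    missing = asset.required_layers - CONSUMER_CONTROL[service]
    if missing:  # slide 20: this tier gives no control over a layer we must mitigate on
        reasons.append(f"{service} gives no control over {sorted(missing)}")
    if shared and asset.harm.get("widely_public", 0) >= 3:
        reasons.append("severe disclosure harm on shared infrastructure")
    if external and asset.harm.get("provider_employee_access", 0) >= 3:
        reasons.append("severe insider harm with third-party staff access")
    if asset.regulated and deployment == "public":
        reasons.append("regulated data needs specific handling; public cloud not pre-approved")
    return (not reasons, reasons)

def acceptable_models(asset: Asset) -> List[Tuple[str, str]]:
    """Slides 19/20: every (deployment, service) pair the asset may move to."""
    return [(d, s) for d in DEPLOYMENTS for s in CONSUMER_CONTROL if evaluate(asset, d, s)[0]]

def exposure_points(flows: List[Flow], cloud: str = "cloud") -> List[str]:
    """Slides 21 and 11: every hop into or out of the cloud is an exposure point;
    report the ones that are not both encrypted and authenticated."""
    findings: List[str] = []
    for f in flows:
        if cloud not in (f.src, f.dst):
            continue
        issues = [w for w, ok in (("unencrypted", f.encrypted),
                                  ("unauthenticated", f.authenticated)) if not ok]
        if issues:
            findings.append(f"{f.src} -> {f.dst}: {', '.join(issues)}")
    return findings

# Constructed sample: a regulated customer-records store whose storage encryption we must own.
CUSTOMER_RECORDS = Asset(
    name="customer-records",
    harm={"widely_public": 3, "provider_employee_access": 2, "outsider_manipulation": 2,
          "failed_results": 1, "unexpected_change": 2, "unavailable": 1},
    regulated=True,
    required_layers={"storage"},
)

# Constructed data-flow sketch for the same asset.
SAMPLE_FLOWS = [
    Flow("org", "cloud", encrypted=True, authenticated=True),
    Flow("cloud", "customer-portal", encrypted=True, authenticated=False),
    Flow("cloud", "backup-site", encrypted=False, authenticated=True),
]

if __name__ == "__main__":
    for d, s in acceptable_models(CUSTOMER_RECORDS):
        print(f"acceptable: {d} / {s}")
    for finding in exposure_points(SAMPLE_FLOWS):
        print(f"exposure: {finding}")
```

For the sample asset only the two dedicated IaaS options survive: SaaS and PaaS fall out because the consumer cannot control the storage layer, and every shared-infrastructure option falls out because of the severe disclosure harm. The data-flow pass then points at the two hops a pentester would go after first: the unauthenticated link to the customer portal and the unencrypted link to the backup site. The point of encoding it this way is that the thresholds are visible and arguable, which is what a risk-tolerance discussion needs.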
  • 22. Conclusions
    • Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable
    • Have a rough idea of potential exposure points for sensitive information and operations
    • These together should give you sufficient context to evaluate any other security controls in the Guidance
  • 23. Agenda
    • Cloud Computing: Define
    • Is Cloud Computing Secure?
    • Cloud Security Guidance
    • Q&A
  • 24. Need more information?
    Peter Wood, Chief Executive Officer, First•Base Technologies LLP
    peterw@firstbase.co.uk
    Twitter: peterwoodx
    Blog: fpws.blogspot.com
    http://firstbase.co.uk
    http://white-hats.co.uk
    http://peterwood.com