Cloud Cuckoo Land to Corporate Acceptance

1. Cloud Computing XaaS Moving from Cloud Cuckoo Land to Corporate Acceptance London e-Crime Cloud Forum, June 2010 Mark Henshaw FBCS CITP CISM CGEIT CISSP [email protected] [Speaker notes included]

2. Proprietas The presentation and the views and opinions expressed represent those of the author and should not be ascribed to General Motors or Vauxhall Opel Any subsequent debate or discussion in relation to this material should be conducted with the author [email protected]

3. Cloud XaaS, friend or foe? [speaker notes slide #21] How do you see it? Risk taker Risk averse Cloud provider CISO Security Business unit Legal Governance Start-up CIO Mature business (E.g., Cost dominated) (E.g., Risk dominated) [email protected]

4. First thoughts Have you engaged, Legal Counsel? Privacy Counsel? Human Resources Management? Business Process Leadership? Risk Management (Enterprise)? Business Partners? All impacted IT players? Third Parties and Suppliers? Why not? - you are establishing a major strategic direction for the business using Cloud Computing and they are all key stakeholders and Subject Matter Experts Build and execute a Cloud delivered Security Strategy with partnership across the organisation NOT just IT [email protected]

5. Ash Cloud, Icelandic Volcano [speaker notes slide #22] Sixty-three thousand flights cancelled in four days; a total of 313 airports paralysed by restrictions and a global backlog affecting more than 6.8 million travellers$B5 Bigger issues came into play, which may potentially put organisations out of business, such as reduced or non existent service to customers; supply chains failing; and even vital - life-saving equipment and medication - unable to reach it's destination In the context of business continuity, many unprepared organisations may simply say that they couldn't possibly plan for an eventuality such as this and excuse themselves for their misgivings in the hope that everything will get back to normal sooner or later and their customers will understand Is this a familiar attitude? And who is liable anyway? [email protected]

6. Agenda When adopting service offerings from the cloud, what are the security, compliance and liability issues that need to be understood at board level beyond the sales pitch of cost reductions and operational benefits? What measures can be taken to surmount the challenges of implementing access controls for enterprises that move to cloud based services, and why is this a critical step in approaching corporate acceptance of cloud computing? What aspects of security in the cloud should remain under the control of corporate custodians, which are likely to necessitate outsourcing control to the cloud provider, and what steps must be taken to ensure a comprehensive understanding of where the business is accountable and liable for defending against vulnerability as opposed to the cloud supplier? How can organisations that utilise multiple elasticated storage solutions across different jurisdictions abide by regional data privacy laws while meeting regulatory compliance requirements? [email protected]

7. Agenda Or to put it another way: What should it take to convince the CEO and board that cloud computing services are a realistic choice for their business and not some cloud cuckoo land fantasy? [email protected]

8. To the Board: Cloud, silver lining? [speaker notes slide #23] Price: not always cheaper than in house Applications: not all fit the XaaS model Security: should be rock solid, will be a bigger target Governance/Compliance: maze of data handling rules Legal maturity: Cloud models complex hard to define, poor or non existent legal structures and precedents Liability: significant work to define and document who is liable for what at each XaaS layer Cost: driving utilisation of possible high-risk providers Risk: distinguish risk from commercial risk Outsourcing: a better first step [email protected]

9. To the Board: Cloud, silver lining? Any provider who claims to have fixed all the risks and issues may be offering FaaS [email protected]

10. Enterprise Access Controls [speaker notes slide #24] Cloud computing must provide security on par with what exists inside the firewall - compliance is impossible without controls Control over access, authentication, auditing and administration (IAM) Infrastructure resides across the Internet, collectively operated by the enterprise, its partners, and service providers Firewalls can't manage access to cloud applications because by definition these applications are accessed over the Internet outside the corporate firewall Access management for the cloud must be controlled without agents and without tightly coupling infrastructure components together [email protected]

11. Enterprise Access Controls [speaker notes slide #25] Federation, this provides an inter- organisational authentication solution Federation uses the Security Assertion Markup Language (SAML) standard Each organization will manage its own users and through trust relationships share authentication between sites Administration supporting the complex structures and business relationships between cloud networks and organisations [email protected]

12. Enterprise Access Controls [speaker notes slide #26] Auditing and compliance for the cloud must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems Perimeter controls ineffective for compliance Confidentiality of data must be protected both in motion and while at rest Requires intelligent cloud strategy from very beginning [email protected]

13. Liability and Responsibility Division of liabilities between customer and provider Division of responsibilities for security incidents, SaaS and IaaS vary greatly Establish table and clearly define who is responsible for what Where no negotiation is possible providers must verify what lies within their responsibility IaaS providers treat customer applications as a black-box so vitally important for customer to take full responsibility for securing cloud- deployed applications Follow best practice and perform assessment [email protected]

14. Liability and Responsibility Businesses signing up for standard (read economic) cloud services should not expect the provider to accept liability for data breaches and other security incidents Attrib. Microsoft [email protected]

15. Liability [speaker notes slide #27] Customer Provider Lawfulness of Full liability Intermediary liability with content liability exemptions under the terms of the E-commerce directive (1) and its interpretations Security incidents Responsibility for due Responsible for due diligence (including data diligence for what is for what is under its control leakage, use of under its control account to launch according to contractual attack) conditions European Data Data controller Data processor (external) Protection Law status Incident management and resolution - will vary greatly if SaaS, PaaS or IaaS From enisa, Cloud Computing - Benefits, risks and recommendations for information security, Nov 2009 [email protected]

16. Privacy with Elasticated Storage [speaker notes slide #28] Geography can lose all meaning, location seems irrelevant not able to tell where data is at any given point in time Multiple data copies being stored in different locations also true for private cloud Data transferred across multiple borders with significant legal implications Gets more complicatedpublic cloud, hybrid cloud Public cloud economics is about trading available processing and storage capacitydata is fungible, and able to be moved like trading electricity [email protected]

17. Privacy with Elasticated Storage [speaker notes slide #29] There is no universally adopted privacy standard - perception may be different from the law Essential for well defined Security and Privacy SLAs to be part of the Statement of Work Strong data governance should be performed by Cloud provider through full Information Lifecycle Management (ILM) - protection of personal information should consider the impact of the cloud on each of the ILM phases [email protected]

18. Privacy with Elasticated Storage Adopt a systematic approach to addressing privacy in the cloud Perform due diligence and risk assessments Seek country based legal advice (legal counsel) and develop process framework and internal controls Attempt to control cross-border data flows through selection of countries used by the Cloud provider Ensure data is deleted on virtual storage devices Ensure consent from data owner before transfer to 3rd parties [email protected]

19. Final thought In IT sustaining competitive advantage is not possible because everyone can copy what you do so from the context of the cloud provider operating in a panoply, survival is about taking out costs fasterbringing down IT costsand increasing sales Cost reductions in this space seem to fixate around increasing use of cloud aggregatorsperhaps in China or India The consequences of this are legal, governance and security plays catch up and while this vacuum exists there will be many risks across many facets of cloud sourcing, particularly with low- cost highly aggregated cloud sourcing implementations We are definitely chasing the tail, and its way too early for any of us to be complacent [email protected]

20. Speaker notes Speaker notes provided here to assist with reader understanding [email protected]

21. Cloud XaaS, friend or foe? Speaker notes use with slide # 3 (+ Side) Emerging not yet core Very attractive sales pitch; cost saving, efficiency, elastic storage Low cost path for start-up Business unit making the most of their limited budget Cloud provider sells the dream (- Side) Its just not mature yet Too much to lose Let someone else catch a cold Only a few applications, very low risk We carry sensitive customer informationno way.. US PATRIOT Act (= Balancing) The CIO pulling in both directions Limit the travel and accelerate the acceptability (how?) Legal have been saying they are slow in this space for quite some time but they believe our issues will be fixed by contracts (right?) (= Balancing) Clearly an emerging technology that has everyone excited for one reason or another [email protected]

22. Ash Cloud, Icelandic Volcano Speaker notes use with slide # 5 Major airlines, major losses during disaster. Share price for all was impacted. Hotels, supply industry, perishable goods. Some winners, Brittany Ferries carried 5 X more passengers during this period. Channel tunnel operators actually made a profit. Do cloud providers run their businesses in the same way in that there are just some elements in the equation that are just not manageable? Will the economics involved create the same outcome (in cloud)? Is it really just a fad and a FaaS (FARCE)? [email protected]

23. To the Board: Cloud, Silver Lining? Speaker notes use with slide # 8 (- side) MS Office $1.5 per seat in house, $3 cloud Graphics intensive, Latency sensitive (E.g., financial and transactional applications) You are a target or will become a target where your data is held alongside valuable information EU DP rules, US Patriot Act, non existent or emerging DPA/DPO E-discovery subject data in cloud, where? SaaS, PaaS, DaaS, etc cloud providers and sub providers who?, where?, what? = due diligence is near impossible for customer Commercial risk can be transferred, but ultimate risk always remains with the end customer (+ side) Outsourcing allows customer to test the water examine the portability of their operation and how to bring back in house if required. Cloud is NOT another way to outsource, they are in fact very different. [email protected]

24. Enterprise Access Controls Speaker notes use with slide # 10 Cloud infrastructures are different - impossible to run a web server plug-in on a multi-tenant architecture where multiple organizations share common infrastructure Poor authentication, authorisation and accounting (AAA) Unauthorised access to resources, privileges escalation, impossibility of tracking the misuse of resources and security incidents in general Cloud makes password based authentication attacks Much more impactful Corporate applications are now exposed to the internet Password based authentication is now insufficient Need for stronger two-factor authentication [email protected]

25. Enterprise Access Controls Speaker notes use with slide # 11 Authentication for the cloud - the cloud works differently than for an enterprise network. The enterprise can rely on multiple layers of authentication Doesn't scale to the cloud Users aren't necessarily connected to a corporate LAN Users, like customers, aren't part of the enterprise Active Directory Administration - not only manage access by employees, but also customers and partners Data can reside in remote repositories across the Internet User management must also be federated between clouds and the partner enterprises [email protected]

26. Enterprise Access Controls Speaker notes use with slide # 12 Auditing and Compliance - the infrastructure for managing compliance must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems. Manage cloud access paths through a consistent control point Using an Internet-scale proxy utility. Task of auditing becomes centralised. Proxies do not require software agents Loosely coupling security with cloud applications is massively scalable. Consistency is essential for compliance, cannot be achieved using ad-hoc and siloed approaches to access control and reporting. Confidentiality of data - users' credentials are scattered across multiple systems not under their direct control. If proper encryption is not in place, user passwords are vulnerable to theft and can be used to gain access to other applications. Simply extending existing security systems will fail. [email protected]

27. Liability Speaker notes use with slide #15 if required: definitions E-Commerce Directive ensure free movement of information society services across the European Community (enhancing the internal market) establishment of service providers, commercial communications, electronic contracts, the liability of intermediaries, codes of conduct etc Data Controller - is the individual or the legal persons (such as companies) who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Carries serious legal responsibilities. Must comply with certain important rules on how they collect and use personal information. Some controllers must register annually with the Data Protection Commissioner in order to make transparent their data handling practices. Data Processor holds or processes personal data BUT do not exercise responsibility for control over the personal data, then you are a data processor. Have a very limited set of responsibilities under the Data Protection Act. Concern the necessity to keep personal data secure form unauthorised access, disclosure, destruction or accidental loss. [email protected]

28. Privacy with Elasticated Storage Speaker notes use with slide # 16 Existing legal structure cant cope with the reality of existing technology Current Privacy rules want to compartmentalise our cloud- space Significant legal compliance risk Who are you dealing with? Who is processing your data? No transparency due to architecture No direct relationship, and no direct contractual legal rights or remedies [email protected]

29. Privacy with Elasticated Storage Speaker notes use with slide # 17 There are conflicting laws, regulations and views on what privacy is and what it requires from organisations to protect it - perception may be different from the law Important Principles - Collection and User Limitation, Security, Retention and Destruction,Transfer, Accountability ILM phases from cradle to grave - Generation, Use, Transfer, Transformation, Storage, Archival, and Destruction [email protected]

30. Bibliography Llrx.com, Cloud Computing, Navetta September 2009, Forsheit October 2009 InformIT, Cloud Security and Privacy parts 1 and 2, McHale May 2010 Info Law Group, Legal Implications of Cloud Computing part 3, Navetta October 2009 Enisa, Cloud Computing - Benefits, risks and recommendations for information security, Nov 2009 Cloud Security and Privacy, An Enterprise Perspective on Risks and Compliance, Tim Mather, Subra Kumaraswamy, Shahed Latif, O Reilly September 2009 Cloud Security Alliance, csaguide.pdf v2.1 [email protected]

Cloud Cuckoo Land to Corporate Acceptance

Documents

enterprise

mhenshawisaca

speaker notes

cloud xaas

personal information

elasticated

patriot act

security incidents