1. Cloud Computing XaaS: Moving from Cloud Cuckoo Land to Corporate Acceptance
London e-Crime Cloud Forum, June 2010
Mark Henshaw FBCS CITP CISM CGEIT CISSP [email protected]
[Speaker notes included]
2. Proprietas
The presentation and the views and opinions expressed represent those of the author and should not be ascribed to General Motors or Vauxhall Opel. Any subsequent debate or discussion in relation to this material should be conducted with the author.
3. Cloud XaaS, friend or foe? [speaker notes slide #21]
How do you see it?
- Risk taker (e.g., cost dominated): Cloud provider, Business unit, Start-up
- Risk averse (e.g., risk dominated): CISO, Security, Legal, Governance, Mature business
- In between: CIO
4. First thoughts
Have you engaged:
- Legal Counsel?
- Privacy Counsel?
- Human Resources Management?
- Business Process Leadership?
- Risk Management (Enterprise)?
- Business Partners?
- All impacted IT players?
- Third Parties and Suppliers?
Why not? You are establishing a major strategic direction for the business using Cloud Computing, and they are all key stakeholders and Subject Matter Experts.
Build and execute a Cloud-delivered Security Strategy in partnership across the organisation, NOT just IT.
5. Ash Cloud, Icelandic Volcano [speaker notes slide #22]
Sixty-three thousand flights cancelled in four days; a total of 313 airports paralysed by restrictions and a global backlog affecting more than 6.8 million travellers.
Bigger issues came into play which may potentially put organisations out of business, such as reduced or non-existent service to customers; supply chains failing; and even vital, life-saving equipment and medication unable to reach its destination.
In the context of business continuity, many unprepared organisations may simply say that they couldn't possibly plan for an eventuality such as this and excuse themselves for their misgivings in the hope that everything will get back to normal sooner or later and their customers will understand.
Is this a familiar attitude? And who is liable anyway?
6. Agenda
- When adopting service offerings from the cloud, what are the security, compliance and liability issues that need to be understood at board level beyond the sales pitch of cost reductions and operational benefits?
- What measures can be taken to surmount the challenges of implementing access controls for enterprises that move to cloud-based services, and why is this a critical step in approaching corporate acceptance of cloud computing?
- What aspects of security in the cloud should remain under the control of corporate custodians, which are likely to necessitate outsourcing control to the cloud provider, and what steps must be taken to ensure a comprehensive understanding of where the business is accountable and liable for defending against vulnerability as opposed to the cloud supplier?
- How can organisations that utilise multiple elasticated storage solutions across different jurisdictions abide by regional data privacy laws while meeting regulatory compliance requirements?
7. Agenda
Or to put it another way: what should it take to convince the CEO and board that cloud computing services are a realistic choice for their business and not some cloud cuckoo land fantasy?
8. To the Board: Cloud, silver lining? [speaker notes slide #23]
- Price: not always cheaper than in house
- Applications: not all fit the XaaS model
- Security: should be rock solid, will be a bigger target
- Governance/Compliance: maze of data handling rules
- Legal maturity: Cloud models are complex and hard to define; poor or non-existent legal structures and precedents
- Liability: significant work to define and document who is liable for what at each XaaS layer
- Cost: driving utilisation of potentially high-risk providers
- Risk: distinguish risk from commercial risk
- Outsourcing: a better first step
9. To the Board: Cloud, silver lining?
Any provider who claims to have fixed all the risks and issues may be offering FaaS.
10. Enterprise Access Controls [speaker notes slide #24]
- Cloud computing must provide security on par with what exists inside the firewall: compliance is impossible without controls
- Control over access, authentication, auditing and administration (IAM)
- Infrastructure resides across the Internet, collectively operated by the enterprise, its partners, and service providers
- Firewalls can't manage access to cloud applications because by definition these applications are accessed over the Internet, outside the corporate firewall
- Access management for the cloud must be controlled without agents and without tightly coupling infrastructure components together
11. Enterprise Access Controls [speaker notes slide #25]
- Federation provides an inter-organisational authentication solution
- Federation uses the Security Assertion Markup Language (SAML) standard
- Each organisation manages its own users and, through trust relationships, shares authentication between sites
- Administration must support the complex structures and business relationships between cloud networks and organisations
12. Enterprise Access Controls [speaker notes slide #26]
- Auditing and compliance for the cloud must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems
- Perimeter controls are ineffective for compliance
- Confidentiality of data must be protected both in motion and at rest
- Requires an intelligent cloud strategy from the very beginning
13. Liability and Responsibility
- Division of liabilities between customer and provider
- Division of responsibilities for security incidents: SaaS and IaaS vary greatly
- Establish a table and clearly define who is responsible for what
- Where no negotiation is possible, providers must verify what lies within their responsibility
- IaaS providers treat customer applications as a black box, so it is vitally important for the customer to take full responsibility for securing cloud-deployed applications
- Follow best practice and perform assessment
14. Liability and Responsibility
"Businesses signing up for standard (read economic) cloud services should not expect the provider to accept liability for data breaches and other security incidents." Attrib. Microsoft
15. Liability [speaker notes slide #27]
Lawfulness of content
  Customer: Full liability
  Provider: Intermediary liability with liability exemptions under the terms of the E-commerce directive (1) and its interpretations
Security incidents
  Customer: Responsibility for due diligence for what is under its control (including data leakage, use of account to launch attack)
  Provider: Responsible for due diligence for what is under its control according to contractual conditions
European Data Protection Law status
  Customer: Data controller
  Provider: Data processor (external)
Incident management and resolution: will vary greatly if SaaS, PaaS or IaaS
From ENISA, Cloud Computing: Benefits, risks and recommendations for information security, Nov 2009
16. Privacy with Elasticated Storage [speaker notes slide #28]
- Geography can lose all meaning and location seems irrelevant: not able to tell where data is at any given point in time
- Multiple data copies being stored in different locations (also true for private cloud)
- Data transferred across multiple borders with significant legal implications
- Gets more complicated with public cloud and hybrid cloud
- Public cloud economics is about trading available processing and storage capacity; data is fungible and able to be moved, like trading electricity
17. Privacy with Elasticated Storage [speaker notes slide #29]
- There is no universally adopted privacy standard; perception may be different from the law
- Essential for well-defined Security and Privacy SLAs to be part of the Statement of Work
- Strong data governance should be performed by the Cloud provider through full Information Lifecycle Management (ILM); protection of personal information should consider the impact of the cloud on each of the ILM phases
18. Privacy with Elasticated Storage
Adopt a systematic approach to addressing privacy in the cloud:
- Perform due diligence and risk assessments
- Seek country-based legal advice (legal counsel) and develop a process framework and internal controls
- Attempt to control cross-border data flows through selection of the countries used by the Cloud provider
- Ensure data is deleted on virtual storage devices
- Ensure consent from the data owner before transfer to 3rd parties
19. Final thought
In IT, sustaining competitive advantage is not possible because everyone can copy what you do, so from the context of the cloud provider operating in a panoply, survival is about taking out costs faster, bringing down IT costs, and increasing sales. Cost reductions in this space seem to fixate around increasing use of cloud aggregators, perhaps in China or India. The consequence is that legal, governance and security play catch-up, and while this vacuum exists there will be many risks across many facets of cloud sourcing, particularly with low-cost, highly aggregated cloud sourcing implementations. We are definitely chasing the tail, and it's way too early for any of us to be complacent.
20. Speaker notes
Speaker notes are provided here to assist with reader understanding.
21. Cloud XaaS, friend or foe? Speaker notes, use with slide #3
(+ Side)
- Emerging, not yet core
- Very attractive sales pitch: cost saving, efficiency, elastic storage
- Low-cost path for a start-up
- Business unit making the most of their limited budget
- Cloud provider sells the dream
(- Side)
- It's just not mature yet
- Too much to lose
- Let someone else catch a cold
- Only a few applications, very low risk
- We carry sensitive customer information, no way...
- US PATRIOT Act
(= Balancing)
- The CIO pulling in both directions
- Limit the travel and accelerate the acceptability (how?)
- Legal have been saying they are slow in this space for quite some time, but they believe our issues will be fixed by contracts (right?)
- Clearly an emerging technology that has everyone excited for one reason or another
22. Ash Cloud, Icelandic Volcano Speaker notes, use with slide #5
- Major airlines, major losses during the disaster. Share price for all was impacted. Hotels, supply industry, perishable goods.
- Some winners: Brittany Ferries carried 5x more passengers during this period. Channel tunnel operators actually made a profit.
- Do cloud providers run their businesses in the same way, in that there are just some elements in the equation that are just not manageable? Will the economics involved create the same outcome (in cloud)? Is it really just a fad and a FaaS (FARCE)?
23. To the Board: Cloud, Silver Lining? Speaker notes, use with slide #8
(- side)
- MS Office: $1.5 per seat in house, $3 cloud
- Graphics-intensive, latency-sensitive applications (e.g., financial and transactional applications)
- You are a target, or will become a target, where your data is held alongside valuable information
- EU DP rules, US Patriot Act, non-existent or emerging DPA/DPO
- E-discovery: subject data in the cloud, where?
- SaaS, PaaS, DaaS, etc.: cloud providers and sub-providers, who?, where?, what? = due diligence is near impossible for the customer
- Commercial risk can be transferred, but ultimate risk always remains with the end customer
(+ side)
- Outsourcing allows the customer to test the water, examine the portability of their operation and how to bring it back in house if required. Cloud is NOT another way to outsource; they are in fact very different.
24. Enterprise Access Controls Speaker notes, use with slide #10
- Cloud infrastructures are different: impossible to run a web server plug-in on a multi-tenant architecture where multiple organisations share common infrastructure
- Poor authentication, authorisation and accounting (AAA): unauthorised access to resources, privilege escalation, impossibility of tracking the misuse of resources and security incidents in general
- Cloud makes password-based authentication attacks much more impactful: corporate applications are now exposed to the internet
- Password-based authentication is now insufficient: need for stronger two-factor authentication
25. Enterprise Access Controls Speaker notes, use with slide #11
- Authentication for the cloud: the cloud works differently than an enterprise network. The enterprise can rely on multiple layers of authentication; this doesn't scale to the cloud
- Users aren't necessarily connected to a corporate LAN
- Users, like customers, aren't part of the enterprise Active Directory
- Administration: not only manage access by employees, but also by customers and partners
- Data can reside in remote repositories across the Internet
- User management must also be federated between clouds and the partner enterprises
26. Enterprise Access Controls Speaker notes, use with slide #12
- Auditing and Compliance: the infrastructure for managing compliance must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems.
- Manage cloud access paths through a consistent control point using an Internet-scale proxy utility. The task of auditing becomes centralised. Proxies do not require software agents; loosely coupling security with cloud applications is massively scalable.
- Consistency is essential for compliance; it cannot be achieved using ad-hoc and siloed approaches to access control and reporting.
- Confidentiality of data: users' credentials are scattered across multiple systems not under their direct control. If proper encryption is not in place, user passwords are vulnerable to theft and can be used to gain access to other applications. Simply extending existing security systems will fail.
27. Liability Speaker notes, use with slide #15 if required: definitions
- E-Commerce Directive: ensures free movement of information society services across the European Community (enhancing the internal market); covers establishment of service providers, commercial communications, electronic contracts, the liability of intermediaries, codes of conduct, etc.
- Data Controller: the individual or legal person (such as a company) who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Carries serious legal responsibilities. Must comply with certain important rules on how they collect and use personal information. Some controllers must register annually with the Data Protection Commissioner in order to make transparent their data handling practices.
- Data Processor: if you hold or process personal data BUT do not exercise responsibility for or control over the personal data, then you are a data processor. Data processors have a very limited set of responsibilities under the Data Protection Act, concerning the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss.
28. Privacy with Elasticated Storage Speaker notes, use with slide #16
- Existing legal structure can't cope with the reality of existing technology
- Current Privacy rules want to compartmentalise our cloud-space
- Significant legal compliance risk
- Who are you dealing with? Who is processing your data? No transparency due to architecture
- No direct relationship, and no direct contractual legal rights or remedies
29. Privacy with Elasticated Storage Speaker notes, use with slide #17
- There are conflicting laws, regulations and views on what privacy is and what it requires from organisations to protect it; perception may be different from the law
- Important Principles: Collection and Use Limitation, Security, Retention and Destruction, Transfer, Accountability
- ILM phases from cradle to grave: Generation, Use, Transfer, Transformation, Storage, Archival, and Destruction
30. Bibliography
- Llrx.com, Cloud Computing, Navetta, September 2009; Forsheit, October 2009
- InformIT, Cloud Security and Privacy, parts 1 and 2, McHale, May 2010
- Info Law Group, Legal Implications of Cloud Computing, part 3, Navetta, October 2009
- ENISA, Cloud Computing: Benefits, risks and recommendations for information security, Nov 2009
- Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, Tim Mather, Subra Kumaraswamy, Shahed Latif, O'Reilly, September 2009
- Cloud Security Alliance, csaguide.pdf v2.1