Cloud Computing Primer for Municipal Records Management
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC; Adjunct Professor
• Presentation Overview
  – Cloud Overview
    • General
    • Business Case for Cloud Computing
    • Security Guidance
    • Selecting a Cloud Service Provider (CSP)
    • Records & Info Management (RIM) in the Cloud
    • Municipal Government in the Cloud
  – Case Studies
    • IlliniCloud
    • Washington D.C.
Cloud Computing
• General Overview
  – Why should you care about the “cloud”?
• What is Cloud Computing?
  – Re-Branded IT Business Model
    • Application Service Provider (ASP)
    • IT Outsourcing (ITO)
  – Formal Characteristics
    • Resource Pooling
    • Rapid Elasticity
  – Confusion
    • Hosting
    • Virtualization
    • Service Provider
Service Delivery Models
(Figure: service delivery models. Source: Swain Techs)
(Figure: responsibility by service delivery model, comparing SaaS providers, PaaS providers and IaaS providers. Source: Matthew Gardiner, Computer Associates)
Private Cloud
• Dedicated Clouds
  – Usually Hosted Internally
    • Use Chargeback/Shared Services Model
  – External Private Clouds Exist
    • Hosting Providers
    • Third Parties
• Business Case for Cloud Computing
  – Time-to-Market
  – Global Presence
  – Focus on Core Competency
  – Elasticity
  – Cost-Benefit Analysis (CBA)
(Image source: Flickr)
• Partly Cloudy with a Chance of Risk!
  – The Cloud is Perceived as Risky Business
    • Lack of Control
    • Regulatory Compliance
    • Hacks, Outages, Disasters… Oh My!
(Video source: YouTube)
• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
    – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
    – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/
• Security Guidance
  – Existing Certifications/Attestations
    • SAS 70 Type II/SSAE 16/ISAE 3402
    • ISO 27001/2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA/HITECH
  – Guidance Specifically for the Cloud
    • Cloud Security Alliance (CSA) Guide v3.0
    • ENISA Cloud Computing Risk Assessment
    • NIST SP 800-144 Guidelines on Security/Privacy for a Public Cloud
• Selecting a CSP
  – Service Provider/Consumer Process Alignment
  – Portability/Interoperability
  – Contractual/Legal Agreements
  – Industry Tools
• Service Provider/Consumer Process Alignment
  – Change/Configuration Management
  – Loading/Offloading
  – Disaster Recovery
  – Incident Response
  – Legal Hold/Litigation Response/e-Discovery
    • Electronic Discovery Reference Model (EDRM)
  – Records and Information Management (RIM)
    • Generally Accepted Recordkeeping Principles (GARP)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)
• Portability/Interoperability
  – Software
  – Data
  – Third Parties
• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Up-Time
    • Jurisdiction
    • Data Ownership
      – Escrow Data
      – Include Metadata
    • Exit Clause
    • Testing
      – Disaster Recovery
      – Incident Response
      – Legal Hold/Litigation Response/e-Discovery
    • Right to Audit
      – Vendor & Vendor’s Vendors
      – Public Sector Specific
• Industry Tools
  – Selection
    • Gravitant CloudWiz
    • VMware Cloud Readiness Self-Assessment Tool
  – Brokerage/Management
    • RightScale
    • CloudFloor
    • Skydera
    • enStratus
  – Migration
    • Bit Titan MigrationWiz
    • Layer 2 SharePoint Cloud Connector
    • Metalogix StoragePoint
    • AvePoint DocAve Migrator
• RIM in the Cloud
  – Process
    • Self-Service Provisioning
    • CSP Brokerage, Monitoring & Metering
    • CSP Information Governance
    • CSP Adherence to Standards
      – NIST
        » SP 800-92: Log Management
      – ISO
        » 15489: Records Management
        » 23081: Records Metadata
        » 15386: Digital Archive
        » 30300/30301: RIM Management System
        » 17024: Conformity Assessment
  – People
    • More Empowered: Shadow IT, Consumerized IT
      – Millennials Expect Autonomy
      – Bring Your Own Device (BYOD)
      – Less Office Time, But Always On
    • Increased Roles & Responsibilities
    • Additional Tech/Analytical Skill-Sets Required
  – Technology
    • Commoditized
    • CSP Metadata
    • New Technologies: Non-Relational Database Architectures
    • New Paradigms: Big Data (Data Lakes & Cloud)
• Municipal Government in the Cloud
(Image source: Cisco)
• Municipal Government in the Cloud
  – Budget/Size
  – Technical Strategy
  – Risk Appetite/Tolerance
  – Constituents
• Municipal Government in the Cloud
  – Budget/Size
    – Not all municipalities are the same
    – Economy of scale with vendors
    – Bigger does not mean better
    – Smaller = Nimble
    – Community clouds
  – Technical Strategy
    – Internal Staff
    – Outsourcing/In-Sourcing
    – Vendors/Partners
    – Best-of-Breed/Lowest Bidder
  – Risk Appetite/Tolerance
    – Not all risks are the same
    – 911 & Operational Risk
  – Constituents
    – Not all constituents are technical
• Case Study: IlliniCloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps
• Case Study: IlliniCloud
  – Background
    • Community Cloud
    • Illinois School Districts
  – Drivers
    • Budget
  – Technologies
    • Virtualization: VMware
    • Networking: Cisco
  – Limitations
    • Budget
    • Skill-Set
  – Risks
    • Security
    • Privacy
    • System Interoperability
• Case Study: IlliniCloud
  – Lessons Learned
    • One’s smallest client may be its largest consumer.
    • A particular service (e.g., video conferencing) may be a surprise hit.
    • The delivery of a blended hardware/software solution set may be appropriate in order to receive the maximum return on investment (ROI).
    • A service that may have been cost prohibitive before may be cost effective in a cloud environment.
    • Collaboration (with stakeholders) is key to enhanced participation.
    • Community cloud consumers should not underestimate the economies of scale/cost efficiencies that can be reached by deploying a community cloud.
    • An organization should focus on its core competency/technical skill set, thus enabling the use of these different skill sets throughout the conglomerate.
    • An organization can leverage a community cloud for necessities, such as disaster recovery (DR).
    • Community clouds leverage a grassroots approach for stakeholder buy-in.
  – Next Steps
    • Master Data Management (MDM)
    • Using Hypervisor Neutral Technologies
    • Packaging Software/System Solutions
    • Expanding User-base
    • Federated Identities
• Case Study: D.C. IN the Cloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps
• Case Study: D.C. IN the Cloud
  – Background
    • 38,000 Employees/Contractors
  – Drivers
    • Cost
  – Technologies
    • Cloud: Google Apps (Docs), Drive (Storage) & Gmail
  – Limitations
    • Budget
  – Risks
    • Software/System Interoperability
    • Data Privacy
    • Intuitive Use
    • Administration
  – (Hypothetical) Lessons Learned
    • Limited Cost Savings
    • Vendor Lock-In
  – (Hypothetical) Next Steps
    • Test Gmail/Postini Message Discovery
    • Use CloudLock Data Discovery
    • Use Google AppEngine (PaaS) to Develop New Apps
    • Federated Identities
• Presentation Takeaways
  – Cloud = Re-Branded Business Model
    – With New Bells & Whistles (Big Data, etc.)
  – Paradigm Shift Towards Empowerment
  – Strategy & Due Diligence Are VERY Important
    – Must Consider the Business Ecosystem
• References
  – CSA Guide: https://cloudsecurityalliance.org/research/security-guidance/
  – BITS Enterprise Cloud Self-Assessment: http://sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf
  – ENISA Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  – NIST SP 800-144: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  – VMware CRSA: http://getcloudready.vmware.com/crsa/
  – Bit Titan MigrationWiz: https://www.migrationwiz.com/Secure/Default.aspx
  – Gravitant cloudWiz: http://www.gravitant.com/cloudwiz-home.html
  – RightScale: http://www.rightscale.com/
  – CloudFloor: http://www.cloudfloor.com/
  – Skydera: http://www.skydera.com/
  – enStratus: http://enstratus.com/
  – Layer 2: http://www.layer2.de/en/products/Pages/Cloud-Connector-for-SharePoint-2010-Office365.aspx
  – Metalogix StoragePoint: http://www.metalogix.com/Products/StoragePoint.aspx
  – AvePoint DocAve: http://www.avepoint.com/sharepoint-to-sharepoint-migration-docave/
  – GovTech: http://www.itnewsafrica.com/2011/09/govtech-cloud-allows-gov-citizen-connection/
• Personal References
  – PenTest Magazine, "Scanning Your Cloud Environment": http://pentestmag.com/client-side-exploits-pentest-082011/
  – ISACA Journal, "Testing Your Incident Response Plan": http://www.isaca.org/Journal/Current-Issue/Pages/default.aspx
  – e-Discovery 2.0: In the Cloud: https://s3.amazonaws.com/nControl-Docs/CSA11_Session-SMarkey.ppt
  – Security in the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Security.ppt
  – System Architecture & Engineering for the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Architecture_Engineering.ppt
  – Cloud Computing Primer: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Basic.ppt
  – Cloud Computing - Authentication & Encryption: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_II.ppt
  – Cloud Computing - Application & Virtualization Security: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_III.ppt
  – Securing Your ESI: https://s3.amazonaws.com/nControl-Docs/Securing_Your_ESI_v2.ppt
• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey