Page 1: Cloud_Computing_IIMC_v1

Cloud Computing Primer for Municipal Records Management

Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK

Principal, nControl, LLC; Adjunct Professor

Page 2: Cloud_Computing_IIMC_v1

• Presentation Overview
  – Cloud Overview
    • General
    • Business Case for Cloud Computing
    • Security Guidance
    • Selecting a Cloud Service Provider (CSP)
    • Records & Info Management (RIM) in the Cloud
    • Municipal Government in the Cloud
  – Case Studies
    • IlliniCloud
    • Washington D.C.

Cloud Computing

Page 3: Cloud_Computing_IIMC_v1

• General Overview
  – Why should you care about the “cloud”?

Cloud Computing

Page 4: Cloud_Computing_IIMC_v1
Page 5: Cloud_Computing_IIMC_v1
Page 6: Cloud_Computing_IIMC_v1

• What is Cloud Computing?
  – Re-Branded IT Business Model
    • Application Service Provider (ASP)
    • IT Outsourcing (ITO)
  – Formal Characteristics
    • Resource Pooling
    • Rapid Elasticity
  – Confusion
    • Hosting
    • Virtualization
    • Service Provider

Cloud Computing

Page 7: Cloud_Computing_IIMC_v1
Page 8: Cloud_Computing_IIMC_v1

Service Delivery Models

Source: Swain Techs

Page 9: Cloud_Computing_IIMC_v1

Source: Matthew Gardiner, Computer Associates

Responsibility

Page 10: Cloud_Computing_IIMC_v1

SaaS Providers

Page 11: Cloud_Computing_IIMC_v1

PaaS Providers

Page 12: Cloud_Computing_IIMC_v1

IaaS Providers

Page 13: Cloud_Computing_IIMC_v1

Private Cloud

• Dedicated Clouds
  – Usually Hosted Internally
    • Use Chargeback/Shared Services Model
  – External Private Clouds Exist

Page 14: Cloud_Computing_IIMC_v1

Hosting Providers

Page 15: Cloud_Computing_IIMC_v1

Third Parties

Page 16: Cloud_Computing_IIMC_v1

• Business Case for Cloud Computing
  – Time-to-Market
  – Global Presence
  – Focus on Core Competency
  – Elasticity
  – Cost-Benefit Analysis (CBA)

Cloud Computing

Page 17: Cloud_Computing_IIMC_v1

Source: Flickr

Page 18: Cloud_Computing_IIMC_v1

• Partly Cloudy with a Chance of Risk!
  – The Cloud is Perceived as Risky Business
    • Lack of Control
    • Regulatory Compliance
    • Hacks, Outages, Disasters… Oh My!

Source: Youtube

Cloud Computing

Page 19: Cloud_Computing_IIMC_v1

Cloud Computing

• Data Breaches & Security Incidents
  – Average Cost: $7.2 million
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Leading Cause: Negligence, 41%; Hacks, 31%
    – http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
  – Responsible Party: Vendors, 39%
    – http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
  – Increased Frequency: 2010-2011, 58%
    – http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/

Page 20: Cloud_Computing_IIMC_v1

• Security Guidance
  – Existing Certifications/Attestations
    • SAS 70 Type II/SSAE 16/ISAE 3402
    • ISO 27001/2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA/HITECH
  – Guidance Specifically for the Cloud
    • Cloud Security Alliance (CSA) Guide v3.0
    • ENISA Cloud Computing Risk Assessment
    • NIST SP 800-144 Guidelines on Security/Privacy for a Public Cloud

Cloud Computing

Page 21: Cloud_Computing_IIMC_v1

Cloud Computing

Page 22: Cloud_Computing_IIMC_v1

• Selecting a CSP
  – Service Provider/Consumer Process Alignment
  – Portability/Interoperability
  – Contractual/Legal Agreements
  – Industry Tools

Cloud Computing

Page 23: Cloud_Computing_IIMC_v1

• Service Provider/Consumer Process Alignment
  – Change/Configuration Management
  – Loading/Offloading
  – Disaster Recovery
  – Incident Response
  – Legal Hold/Litigation Response/e-Discovery
    • Electronic Discovery Reference Model (EDRM)
  – Records and Information Management (RIM)
    • Generally Accepted Recordkeeping Principles (GARP)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)

Cloud Computing

Page 24: Cloud_Computing_IIMC_v1

• Portability/Interoperability
  – Software
  – Data
  – Third Parties

Cloud Computing

Page 25: Cloud_Computing_IIMC_v1

• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Up-Time
    • Jurisdiction
    • Data Ownership
      – Escrow Data
      – Include Metadata
    • Exit Clause
    • Testing
      – Disaster Recovery
      – Incident Response
      – Legal Hold/Litigation Response/e-Discovery

Cloud Computing

Page 26: Cloud_Computing_IIMC_v1

• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Right to Audit
      – Vendor & Vendor’s Vendors
      – Public Sector Specific

Cloud Computing

Page 27: Cloud_Computing_IIMC_v1

• Industry Tools
  – Selection
    • Gravitant CloudWiz
    • VMware Cloud Readiness Self-Assessment Tool
  – Brokerage/Management
    • RightScale
    • CloudFloor
    • Skydera
    • enStratus

Cloud Computing

Page 28: Cloud_Computing_IIMC_v1

• Industry Tools
  – Migration
    • Bit Titan MigrationWiz
    • Layer 2 SharePoint Cloud Connector
    • Metalogix StoragePoint
    • AvePoint DocAve Migrator

Cloud Computing

Page 29: Cloud_Computing_IIMC_v1
Page 30: Cloud_Computing_IIMC_v1
Page 31: Cloud_Computing_IIMC_v1

Cloud Computing

• RIM in the Cloud
  – Process
    • Self-Service Provisioning
    • CSP Brokerage, Monitoring & Metering
    • CSP Information Governance
    • CSP Adherence to Standards
      – NIST
        » SP 800-92: Log Management
      – ISO
        » 15489: Records Management
        » 23081: Records Metadata
        » 15386: Digital Archive
        » 30300/30301: RIM Management System
        » 17024: Conformity Assessment

Page 32: Cloud_Computing_IIMC_v1

Cloud Computing

• RIM in the Cloud
  – People
    • More Empowered: Shadow IT, Consumerized IT
      – Millennials Expect Autonomy
      – Bring Your Own Device (BYOD)
      – Less Office Time, But Always On
    • Increased Roles & Responsibilities
    • Additional Tech/Analytical Skill-Sets Required
  – Technology
    • Commoditized
    • CSP Metadata
    • New Technologies: Non-Relational Database Architectures
    • New Paradigms: Big Data (Data Lakes & Cloud)

Page 33: Cloud_Computing_IIMC_v1
Page 34: Cloud_Computing_IIMC_v1

Cloud Computing

• Municipal Government in the Cloud

Source: Cisco

Page 35: Cloud_Computing_IIMC_v1

• Municipal Government in the Cloud
  – Budget/Size
  – Technical Strategy
  – Risk Appetite/Tolerance
  – Constituents

Cloud Computing

Page 36: Cloud_Computing_IIMC_v1

• Municipal Government in the Cloud
  – Budget/Size
    – Not all municipalities are the same
    – Economy of scale with vendors
    – Bigger does not mean better
    – Smaller = Nimble
    – Community clouds

Cloud Computing

Page 37: Cloud_Computing_IIMC_v1

• Municipal Government in the Cloud
  – Technical Strategy
    – Internal Staff
    – Outsourcing/In-Sourcing
    – Vendors/Partners
    – Best-of-Breed/Lowest Bidder

Cloud Computing

Page 38: Cloud_Computing_IIMC_v1

• Municipal Government in the Cloud
  – Risk Appetite/Tolerance
    – Not all risks are the same
    – 911 & Operational Risk
  – Constituents
    – Not all constituents are technical

Cloud Computing

Page 39: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps

Cloud Computing

Page 40: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Background
    • Community Cloud
    • Illinois School Districts
  – Drivers
    • Budget
  – Technologies
    • Virtualization: VMware
    • Networking: Cisco

Cloud Computing

Page 41: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Limitations
    • Budget
    • Skill-Set
  – Risks
    • Security
    • Privacy
    • System Interoperability

Cloud Computing

Page 42: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Lessons Learned
    • One’s smallest client may be its largest consumer.
    • A particular service (e.g., video conferencing) may be a surprise hit.
    • The delivery of a blended hardware/software solution set may be appropriate in order to receive the maximum return on investment (ROI).
    • A service that may have been cost prohibitive before may be cost effective in a cloud environment.
    • Collaboration (with stakeholders) is key to enhanced participation.

Cloud Computing

Page 43: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Lessons Learned
    • One’s smallest client may be its largest consumer.
    • Community cloud consumers should not underestimate the economies of scale/cost efficiencies that can be reached by deploying a community cloud.
    • An organization should focus on its core competency/technical skill set, thus enabling the use of these different skill sets throughout the conglomerate.
    • An organization can leverage a community cloud for necessities, such as disaster recovery (DR).
    • Community clouds leverage a grassroots approach for stakeholder buy-in.

Cloud Computing

Page 44: Cloud_Computing_IIMC_v1

• Case Study: IlliniCloud
  – Next Steps
    • Master Data Management (MDM)
    • Using Hypervisor Neutral Technologies
    • Packaging Software/System Solutions
    • Expanding User-base
    • Federated Identities

Cloud Computing

Page 45: Cloud_Computing_IIMC_v1

Cloud Computing

• Case Study: D.C. IN the Cloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps

Page 46: Cloud_Computing_IIMC_v1

Cloud Computing

• Case Study: D.C. IN the Cloud
  – Background
    • 38,000 Employees/Contractors
  – Drivers
    • Cost
  – Technologies
    • Cloud: Google Apps (Docs), Drive (Storage) & Gmail

Page 47: Cloud_Computing_IIMC_v1

Cloud Computing

• Case Study: D.C. IN the Cloud
  – Limitations
    • Budget
  – Risks
    • Software/System Interoperability
    • Data Privacy
    • Intuitive Use
    • Administration

Page 48: Cloud_Computing_IIMC_v1

Cloud Computing

• Case Study: D.C. IN the Cloud
  – (Hypothetical) Lessons Learned
    • Limited Cost Savings
    • Vendor Lock-In

Page 49: Cloud_Computing_IIMC_v1

Cloud Computing

• Case Study: D.C. IN the Cloud
  – (Hypothetical) Next Steps
    • Test Gmail/Postini Message Discovery
    • Use CloudLock Data Discovery
    • Use Google AppEngine (PaaS) to Develop New Apps
    • Federated Identities

Page 50: Cloud_Computing_IIMC_v1

Cloud Computing

• Presentation Takeaways
  – Cloud = Re-Branded Business Model
    – With New Bells & Whistles (Big Data, etc.)
  – Paradigm Shift Towards Empowerment
  – Strategy & Due Diligence Are VERY Important
    – Must Consider the Business Ecosystem

Page 51: Cloud_Computing_IIMC_v1

Cloud Computing

• References
  – CSA Guide: https://cloudsecurityalliance.org/research/security-guidance/
  – BITS Enterprise Cloud Self-Assessment: http://sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf
  – ENISA Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  – NIST SP 800-144: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  – VMware CRSA: http://getcloudready.vmware.com/crsa/
  – Bit Titan MigrationWiz: https://www.migrationwiz.com/Secure/Default.aspx
  – Gravitant cloudWiz: http://www.gravitant.com/cloudwiz-home.html
  – RightScale: http://www.rightscale.com/
  – CloudFloor: http://www.cloudfloor.com/
  – Skydera: http://www.skydera.com/
  – enStratus: http://enstratus.com/
  – Layer 2: http://www.layer2.de/en/products/Pages/Cloud-Connector-for-SharePoint-2010-Office365.aspx
  – Metalogix StoragePoint: http://www.metalogix.com/Products/StoragePoint.aspx
  – AvePoint DocAve: http://www.avepoint.com/sharepoint-to-sharepoint-migration-docave/
  – GovTech: http://www.itnewsafrica.com/2011/09/govtech-cloud-allows-gov-citizen-connection/

Page 52: Cloud_Computing_IIMC_v1

Cloud Computing

• Personal References
  – PenTest Magazine, "Scanning Your Cloud Environment": http://pentestmag.com/client-side-exploits-pentest-082011/
  – ISACA Journal, "Testing Your Incident Response Plan": http://www.isaca.org/Journal/Current-Issue/Pages/default.aspx
  – e-Discovery 2.0: In the Cloud: https://s3.amazonaws.com/nControl-Docs/CSA11_Session-SMarkey.ppt
  – Security in the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Security.ppt
  – System Architecture & Engineering for the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Architecture_Engineering.ppt
  – Cloud Computing Primer: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Basic.ppt
  – Cloud Computing - Authentication & Encryption: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_II.ppt
  – Cloud Computing - Application & Virtualization Security: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_III.ppt
  – Securing Your ESI: https://s3.amazonaws.com/nControl-Docs/Securing_Your_ESI_v2.ppt

Page 53: Cloud_Computing_IIMC_v1

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey