cloud and challenges isacakenya

Cloud & Security challenges Dr. Tonny K. Omwansa School of computing and Informatics University of Nairobi [email protected] @tomwansa ISACA Kenya conference May 2014

Upload: tonny-omwansa

Post on 05-Jun-2015


TRANSCRIPT

Page 1: Cloud and challenges   isacakenya

Cloud & Security challenges

Dr. Tonny K. Omwansa
School of computing and Informatics
University of Nairobi
[email protected]
@tomwansa

ISACA Kenya conference
May 2014

Page 2: Cloud and challenges   isacakenya

Overview

Presentation format
1. Cloud Overview
2. Cloud Penetration in Kenya – Study
3. Security Challenges and some solutions

Page 3: Cloud and challenges   isacakenya

Not ISACA Member: ICT Resources provided on demand...

ISACA member + CISA: ‘an elastic execution environment of resources involving multiple stakeholders and providing a metered service at multiple granularities for a specified level of quality of service’

ISACA Chapter President: ‘A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’

Cloud

Page 4: Cloud and challenges   isacakenya

Cloud Overview: Here to stay…

Jeffrey, K. & Neidecker-Lutz, B. (2009)

Page 5: Cloud and challenges   isacakenya

Cloud Benefits

Non-Functional aspects | Economic considerations | Technological benefits
Elasticity | Cost Reduction | Flexibility
Reliability | Pay per use | Multi-tenancy
Quality of Service | Improved time to market | Virtualization
Agility | Return on investment | Location independence
Adaptability | Turning CAPEX into OPEX | Infrastructure independency
Availability | Going Green | Adaptability

Page 6: Cloud and challenges   isacakenya

Cloud terms

• Infrastructure as a Service (IaaS): Computing resources used by others to deliver business solutions.

• Platform as a Service (PaaS): Black-box services developers can use to build applications

• Software as a Service (SaaS): Provider hosts software to be hired

• Public Cloud: Shared infrastructure with pay-as-you-go economics. Provider makes resources available on demand, over public Internet

• Private Cloud: Delivers services entirely within a firewall of an organization

• Hybrid and Community Clouds: Elements of public and private

Page 7: Cloud and challenges   isacakenya

Cloud In Kenya - Study

• Objectives
– Investigate current status of CC adoption in Kenya
– Establish gaps/challenges in adoption and impact of cloud computing
– Make recommendations to better grow the sub-sector

• Justification
– Hardly any research has been done in this area
– Need to understand gaps/challenges
– We need policies informed more by solid research

Medium & large businesses using cloud services [top three in Africa - 2013 Cisco survey]
• 50% in South Africa
• 48% in Kenya
• 36% in Nigeria

Page 8: Cloud and challenges   isacakenya

Approach

Scope:
– Institutions that have a physical presence in Nairobi
  • Most HQs are in Nairobi
  • Budget limits
  • Not nationally representative
– Respondents
  • Providers
    – Infrastructure as a Service (IaaS)
    – Software as a Service (SaaS)
    – Platform as a Service (PaaS)
  • Consumers
    – Public cloud
    – Private clouds
  • Policy makers

Page 9: Cloud and challenges   isacakenya

Conceptual Framework

DETERMINANTS: Affect cloud performance & its outcomes/impacts

> Deployed Technologies: Investment cost, Reliability, Agility, Usability, Technology availability & Sustainability

> Local firms technology capabilities

> Policy and legal frameworks: Availability, Flexibility, Comprehensiveness, Effectiveness

> Market: Certain actors dominating, Availability, Readiness

> Institutional legitimacy to the cloud: Government support, Institutional innovation culture

Page 10: Cloud and challenges   isacakenya

Conceptual Framework

STRATEGIES/ACTIONS OF CC ACTORS: Instrumental in delivering cloud outcomes/impact
• Costing
• Promotion
• Training and capacity development
• Adoption
• Usage
• Cloud-related entrepreneurship
• Deployment decisions (e.g. open source or proprietary solutions)

Page 11: Cloud and challenges   isacakenya

Conceptual Framework

OUTCOMES/IMPACTS OF CC: The ‘value’ created by the cloud
• Improved operational efficiency
• New products and services
• Extended/enhanced market reach
• Export of cloud related services
• Job creation
• Enhanced security

Page 12: Cloud and challenges   isacakenya

Sampling

Quantitative
– 207 organisations identified
– 60 sampled
– 54 participated

Qualitative
– 12 in-depth interviews planned with industry leaders
– 7 were available

Cloud computing stakeholders’ taxonomy

Page 13: Cloud and challenges   isacakenya

Data collection
• Extensive desktop research & literature review
• Conceptual framework transformed to 5 point Likert scale questionnaire
• Collection between October 10th, 2013 and November 10th, 2013
• ICT Managers, Information Security Managers, Network Administrators or Chief Information Officers were interviewed

Category | Population | Sample
Government entities | 14 | 8
Banks | 10 | 4
Consulting firms | 5 | 4
Insurance firms | 10 | 4
Hospitals | 9 | 4
Universities | 10 | 4
Business & Industries | 24 | 8
Tech companies | 25 | 8
SaaS Companies | 11 | 8
PaaS Companies | 3 | 0
IaaS Companies | 18 | 8
Total | 207 | 60

Page 14: Cloud and challenges   isacakenya

Findings
• Cloud computing has been around since 2000
– most organizations adopted between 2010 & 2011
– 69% use some form of cloud.
• Private cloud is more pronounced than public.
• IaaS option is the most prominent

[Chart: Cloud Deployment, by year: Year 2000 (2), Year 2006 (2), Year 2009 (4), Year 2010 (9), Year 2011 (12), Year 2012 (4), Year 2013 (4)]

Page 15: Cloud and challenges   isacakenya

Findings

Skills gap

Three skills lacking in the Kenyan market:
• Security (networks, data etc) skills [highest]
• Cloud architecture and design skills
• Storage and virtualization skills

Cloud reliability

What determines cloud reliability offered?
• reliable connectivity and infrastructure
• dependable technical support
• systems uptime [power?]

Cloud value is appreciated

[Chart, scale 0% to 100%: Providing/utilising cloud services is sustainable; More agile than traditional solutions; Cloud technologies received are reliable]

Page 16: Cloud and challenges   isacakenya

Findings

Policy, Legal frameworks & Standards

• 80% did not know of any policy framework
• 80% did not know of any legal framework
• The few who knew about policy framework, also knew about legal
• 75% not aware of any standards

Those who know a framework | Agree
Policy framework gives you flexibility to exploit CC as you wish? | 27%
Existing policy framework is comprehensive | 27%
Policy framework is effective enough to facilitate growth in the sub-sector | 45%
Legal framework gives you flexibility to exploit CC as you wish? | 33%
Legal framework is comprehensive | 33%
Legal framework is effective enough to facilitate growth in the sub-sector | 16%

Page 17: Cloud and challenges   isacakenya

Findings

Policy, Legal frameworks recommendations by respondents

Policy | Legal
Increased awareness of availability & power of CC | Mechanisms for controlling cyber crime & offenders
Guidelines for enforcing security, privacy and standards | Mechanisms for guaranteeing privacy
Guidelines for service level agreements | Mechanisms to enforce service level agreements
Appropriate licensing and certification of providers | Mechanisms for conflict resolutions and addressing liability

Mostly suggest that ordinary consumers are anxious and sensitive about their data.

Page 18: Cloud and challenges   isacakenya

Findings

Markets

• Market is ready for cloud: 90% say YES
• Largest consumers:
– Financial and telecommunication sectors
– Education and government are moderate users
• Majority of Kenyans are unaware of CC and its benefits
• There are many misconceptions about cloud technology
• Safaricom, Dimension Data and KDN are market leaders

Support received

• Government support has been generic, e.g. development of infrastructure like fibre connectivity
• Some financial support has been received
• Many not aware of government initiatives towards CC development

Page 19: Cloud and challenges   isacakenya

Conclusions & Recommendations

• Assessment of Kenya’s cloud readiness:
– clearly understand the national status through an elaborate national study.

• Develop national cloud strategy:
– focus on capacity building, architectures and implementation.

• Government to champion cloud services:
– set pace for better uptake by private sector.

• Enhance relevant legal & regulatory frameworks:
– protection of users, address cyber security challenges,
– guarantee secure online payments, privacy, data security

• Develop human resource capacity:
– technical skills, legal skills, management skills

• Enhance awareness of cloud technologies:
– through a multi-stakeholder approach,
– demystify the technology

Page 20: Cloud and challenges   isacakenya

Security concerns

• Each benefit of cloud comes with several potential risks!
– Infrastructure independency
– Flexibility and Adaptability
– Location independence
– Multi-tenancy
– Virtualization
– etc

• Traditional security mechanisms (identity, authentication, authorization) are no longer enough for clouds

Page 21: Cloud and challenges   isacakenya

Security concerns: 3 Classes

1. Traditional security concerns:

• Computer and network intrusions made possible or easier by moving to cloud

• Huge array of attacks
– from authentication to phishing of the cloud provider

• Conducting forensics in the cloud can be complicated
– E.g. data gets overwritten easily and fast.

Page 22: Cloud and challenges   isacakenya

Security concerns

2. Availability concerns:

• Will critical applications and data be available?
– Gmail’s one-day outage in mid-October 2008

• Maintaining the uptime

• Denial of service attacks

• Ensuring robustness of computational integrity

Page 23: Cloud and challenges   isacakenya

Security concerns

3. Third Party Data Control

• Legal implications of 3rd party holding data & applications
– complex and not well understood.

• Potential lack of control & transparency when a third party holds the data
– Can provider guarantee that data has been deleted?
– Can provider guarantee response time?
– Is there sufficient transparency in the operations of cloud provider for auditing purposes?
– On-site audit in distributed & dynamic multi-tenant computing environment spread all over the globe is a major challenge.
– Regulations can require data & operations remain in certain geographic locations.
– Can theft of company information by the cloud provider happen?
– etc

Page 24: Cloud and challenges   isacakenya

Security Concerns: Solutions

• Role of Providers:

– ensure that customers will continue to have the same security and privacy controls

– provide evidence to customers that organizations are secure

– guarantee to meet their service-level agreements

– prove compliance to auditors and regulations

Page 25: Cloud and challenges   isacakenya

Security Concerns: Solutions

• Role of Consumers:

Stage 1:
– think about data security from content instead of location
  • security regulations become consistent no matter where data resides.
– a three-step process:
  1. Establish high-level information security policies to protect data
  2. Establish more granular compliance-related policies for specific departments, e.g. finance and human resources
  3. Establish processes for auditing & improving policy effectiveness

Page 26: Cloud and challenges   isacakenya

Security Concerns: Solutions

• Role of Consumers:

Stage 2:
– Look at what third-party service providers can contribute.
– Similar to outsourcing procurement plans.
– Involves:
  • conduct cost/benefit analysis
  • ensure third-party service aligns with business objectives
  • identify regulatory and privacy requirements
  • develop a contingency plan/exit strategy

Page 27: Cloud and challenges   isacakenya

Keep critical data local, otherwise take to public cloud

Bottom line: Develop a Cloud Strategy

Thank You!
@tomwansa

END