cloud security - what you should be concerned about
TRANSCRIPT
Jim ReavisCo-founder and Chief Executive OfficerCloud Security Alliance
Raj SamaniEMEA CTOIntel Security
Speakers
2
• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification – CSA STAR
• User Certification - CCSK
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all
other forms of computing.”
About the Cloud Security Alliance
3
A Cloud for Everyone?
5
The ubiquitous computing platform
There is no such thing as “the cloud.” It’s just someone else’s computer.
So Where Are We Today?
6Source: Intel Security
1200 IT decision makers with a responsibility for cloud security in their organizations were interviewed in 2015, categorized in the following ways …
… respondent country … organization size … job role
350
100
150150
150
100
100
100
US Canada
UK France
Germany Spain
Brazil Australia
335
316246
195
108
251 - 500 employees
501 - 1000 employees
1001 - 3000 employees
3001 - 5000 employees
More than 5000 employees
210
100
207
218
96
59
24
149
25
44
39
29
CIO/CTO
CISO/CSO
IT Security Director/…
IT Manager
Security Analyst
Security Operations
Security Architect
Network Operations/…
Cloud Computing Architect
Cloud Service Manager
Cloud Computing Systems Engineer
Other
Financial Investment in the Cloud• On average, respondents expect 80% of their organization’s IT
budget to be comprised of cloud computing in 16 months’ time
• For those in Brazil and Australia, they expect this within a year
• Ultimately, investment in cloud is going to happen to a large extent and very quickly
• Almost all (91%) expect their organization to invest further in cloud, with 63% expecting to do so in the next 12 months
• A higher percentage (81%) in Brazil say they plan to do this within the next 12 months
63%
28%
9%
Yes, within the
next 12 months
Yes, but beyond
12 months' time
No
1614 14
28
1618
1412 11
Total US Canada UK France Germany Spain Brazil Australia
7Source: Intel Security
• Right Figure: Analysis showing average number of months until 80% of the organization's IT budget will be comprised of cloud computing services, split by country, asked to all respondents (1200 respondents)
Where Is the Future Investment?
8Source: Intel Security
• The majority of respondents are planning to invest in all cloud service models
• The highest percentage (81%) are planning to invest in IaaS, whereas only 60% are planning to invest in SaaS
• However, as SaaS is historically the more widespread of the two service models, the lower intended investment may be because organizations already have the SaaS they need in place
69%81%
60%79%
31%19%
40%22%
PaaS IaaS (e.g. AWS) SaaS (e.g. Salesforce) Security-as-a-Service (e.g.
email security in the cloud)
Those planning on investing
Those who are not planning on
investing or don't know
Cloud Driving New Security Models
• Assurance
• Harmonized, Inherited, Community-driven, Transparent & Automated
• Software Defined Perimeter
• End 2 End, Dynamic, Automated, VPC
• Sharing
• Anonymized, P2P, Analytics
• DevOps inspired Cloud Security
• Drive visibility, Leverage APIs, CASB, Provider-owned vs Enterprise-owned
9
Concerns Abound• Data breaches (28%) are the most common concern when using private cloud,
as with SaaS and IaaS
• For the third time, the most common concern in Australia is different; the time and effort for implementation and maintenance (12%) is the top concern, with 15% concerned about data breaches
10
8%
11%
12%
12%
14%
28%
Orchestration and management of software defined infrastructure
Cost/poor value for money
The time/effort for implementation and maintenance
Legacy IT integration
Having consistent security controls that are integrating traditional
with virtualized infrastructure
Breach of sensitive data
Source: Intel Security
Where Are We Today?• Almost all (87%) respondents have experienced issues with their cloud service providers
• Despite data breaches being the biggest concern for use of SaaS, IaaS, and private cloud only 23% have experienced data loss or breaches with their cloud service providers, and only 20% have had someone achieve unauthorized access to their data/services
• Perhaps the fear around data breaches is exaggerated in relation to real-world experience
11
13%
13%
13%
17%
17%
18%
19%
19%
20%
21%
23%
23%
25%
25%
27%
We have seen no issues from our cloud service providers
Adversary traversal from cloud to internal systems
Account takeovers
Discontinuation of service and retrieving data
Poor availability and uptime
Coordinated incident response
Difficulty obtaining security event log files
Contractual issues (e.g. issues with SLA or data sharing…
Unauthorized access to our data/services
Poor customer service
Visibility into security incidents
Data loss or breaches
Lack of visibility into cloud provider operations
High costs and fees/poor value
Difficulty migrating services or data
Source: Intel Security
Trust?
12
• Respondents completely trust public cloud
the least (only 13%, compared to 47%
completely trust on-premises systems)
• However, under half completely trust on-
premises systems
• Despite this relatively low level of trust, it has increased over the past year; 77% of respondents agree that their organization trusts cloud computing more now than it did 12 months ago
47%
37%
13%
Completely trust on-
premise/internally
hosted
Completely trust
private cloud
Completely trust
public cloud77%
20%
3%
Agree
Neither agree nor disagree
Disagree
Source: Intel Security
CSA Top Threats for 2016
7. APT’s
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
The Treacherous 12
13
Cloud for All Seasons
14
Domain
Information Network
Actor
Domain Gateway Actor
Comms Path
Comms Path Access Owner/Domain
Customer
Billing
CIS
Billing
Service Provider
Utility Provider Third-Party Provider
Asset Mgmt
MDMS
DMS
Demand Responses
Operations
Distribution OpsDistribution OpsRTO/ISO Ops
EMS
Markets
DistributionTransmission
Bulk Generation
CIS
Internet/ e-Business
EnterpriseBus
Metering System
Distribution SCADA
Home Building Manager
Retail Energy Provider
Aggregator
Others
Energy Services Interface
Meter
Customer Equipment
Customer EMS
Premise Networks
Electric Vehicle Distributed
Generation
Electric Storage
Appliance
Thermostat
Field Area Networks
Field Device
Distributed GenerationElectric
Storage
Substation Controller
Data Collector
Wide Area Networks
Substation LANs
Substation Device
RTO SCADA
EnterpriseBus
Retailer/Wholesaler
Aggregator
Home Building Manager
ISO/RTO Participant
Internet/ e-Business
Plant Control System
Market Services Interface
Generators
EMSWAMS
EnterpriseBus
Transmission SCADA
Data Overload
15
Peak = 7.18 kwMean = 0.49 kwDaily load factor = 0.07Energy consumption = 11.8 kwh
Refrigerator
Kettle
Toaster
Washing Machine
Kettle
Hob heaters
Oven preheating
Oven cycling
8 –
7 –
6 –
5 –
4 –
3 –
2 –
1 –
0 –
Time of day, hour
Power, kw
– – – – – – – – – – – –
0 2 4 6 8 10 12 14 16 18 20 22 0
Source: NIST 7628
Where We Are TodaySecurity. Unlike PC-based Supervisory Control and Data Acquisitions (SCADA) systems that are vulnerable to virus and malware attacks, our system is housed on cloud-based servers. These servers are overseen by highly skilled technicians, negating the need for antivirus updates and continuous security vulnerability patches required by PC-based solutions.
Questions ?
17
www.cloudsecurityalliance.org
www.mcafee.com/cloudsecurity
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa
Twitter: @Raj_Samani @CyberGridBook