Cloud Security. Duncan Unwin, Business Aspect. ISACA, Brisbane, 16th July 2013. Why Cloud will happen, why it changes how you need to manage security, and how you can address it.

Upload: duncan-unwin

Post on 14-Jun-2015


TRANSCRIPT

Page 1: Isaca cloud security presentation   duncan unwin 16 jul13

Cloud Security

Duncan Unwin, Business Aspect. ISACA, Brisbane, 16th July 2013

Why Cloud will happen, Why it changes how you need to manage security, and How you can address it

Page 2

A Fresh Perspective 2

Cloud Security

— The overwhelming economics of Cloud
  – Why cloud is here and why you better get used to it
— Seven Reasons why Cloud is a new type of security challenge
  – why every technique you have used to manage security needs to be reconsidered
— How you can manage cloud security
  – Introducing a total lifecycle approach to security management

Page 3

The overwhelming economics of Cloud

— Supply-Side Saving
— Demand-side aggregation
— Multi-tenancy efficiency
— Telecommunications is becoming cheap
— Cloud is nearly a perfect commodity

Page 4

Supply-Side Saving

— Cost of electricity
  – 15-20% of TCO for server infrastructure
  – Power Usage Effectiveness (PUE) significantly higher for large DCs
  – Green electricity costs will drive Cloud DC location
— Infrastructure labour costs
  – Large DCs operate at ratios of 1 engineer to 1000s of servers
— Security and Reliability Compliance
  – Increasing requirements will make it less affordable to run IT in-house
  – Market demand and scale favour large players (e.g. AWS is ISO 27001)
— Buying Power
  – Hardware
  – Software
  – Telecommunications
  – Electricity

Page 5

Demand-side aggregation

— Demand is not stable
  – Randomness
  – Time-of-day patterns
  – Industry-specific patterns
  – Large clouds aggregate and smooth demand
— Uncertain growth pattern
  – In-house capacity planning targets provisioning for peak load
  – Chronic over-provisioning
  – User demands for performance increasing
  – Loads are moving from batch to real-time
  – Demand, when massively aggregated, becomes predictable

Page 6

Multi-tenancy Economies of Scale

— Fixed costs amortised over 1000s of customers
— Management Costs
— Implementation Costs
— Base processing overhead

Page 7

Telecommunications costs are becoming cheap

Page 8

Cloud is a near perfect commodity

— True Commodities
  – No qualitative difference in the market
  – Price set for the market as a whole
  – Fungible
  – Traded via commodity markets
— Existing barriers limit the total commoditisation of cloud
  – Lack of interoperability
  – Lack of consistency in governance standards
  – Market immaturity
  – Cultural
— We predict these will be substantively solved over the next few years, resulting in commodity markets emerging

Page 9

The overwhelming economics of Cloud

— Supply-Side Saving. Large scale data centres have lower cost per CPU unit.

— Demand-side aggregation. Aggregating demand for computing smooths overall variability, allowing server utilization rates to increase.

— Multi-tenancy efficiency. When changing to a multi-tenant application model, increasing the number of tenants (i.e., customers or users) lowers the application management and server cost per tenant.

— Telecommunications is becoming cheap. Much of the reason for in-house IT was driven by the historically high cost to ship data.

— Cloud is nearly a perfect commodity. Suppliers will not be able to extract price premiums from the market. They win by scale, not margin.

Page 10

For now, accept that cloud computing will happen.

Let us reset and consider security

Page 11

7 Reasons why Cloud presents a Security Challenge

Page 12

1. Loss of network perimeter

— Current model of security based on ‘egg shell’ design
  – Depends upon bad people being mainly outside the network
  – Data inside the perimeter
  – No real idea of where the ‘valuables’ are kept
— Cloud breaks this
  – Data is outside the perimeter
  – Systems are outside the perimeter
— Organisations that have been practicing good security, such as maintaining asset inventories and protection-in-depth, are well postured
  – For the rest of us there is significant risk

Page 13

2. Loss of directive control and audit

— Cloud means that you have limited control over Infrastructure

— You can’t fix emerging risks by direction
— You have very limited ability to audit (not a managed service)
  – This includes engaging external auditors
  – Developing but immature and inflexible assurance standards
    — SAS 70 / SSAE 16
    — Cloud Security Alliance

Customer and provider control by service model (N = none, L = limited, M = mostly, F = full; each cell is Customer / Provider)

Layer         SaaS     PaaS     IaaS
Application   L / M    L / M    F / N
Middleware    N / F    L / M    F / N
Guest OS      N / F    N / F    F / N
Hypervisor    N / F    N / F    N / F
Storage       N / F    N / F    N / F
Hardware      N / F    N / F    N / F
Network       N / F    N / F    N / F

Page 14

3. Risks from the physical location of servers

— Legal risks
  – Where your data is stored determines the legal jurisdiction and data and privacy protection laws
  – Your obligations are not reduced
— Potential for not knowing where your data is
  – This needs to be addressed in specification of the service

Page 15

4. Risks from multi-tenancy

— Who are the neighbours?
— Virtualisation security is highly dependent on good administration
— Neighbours pose risks because of malfeasance and negligence
— The driving idea behind ‘Community Clouds’ – a digital gated community

Page 16

5. Risks from Internet accessibility

— Why is the Internet a threat? Because that is where the bad people are
— Access to User Interfaces
  – Reliance solely based on application security
  – Often supporting only single-factor authentication
— Access to APIs
  – History of poor implementation of security
— Tools to help
  – Virtual firewalls and VPNs
  – Integration of federated identity and access management

Page 17

6. Difficulty in implementing effective records management protocols

— Cloud providers do not generally offer effective data archiving and record management services – this problem is left to you

— Need to ensure backup and archive regimes meet the organisation’s requirements

— Today this generally involves a bespoke solution

Page 18

7. Risks to service availability

— Cloud creates perverse risks of Disaster
  – Wild fires in the USA threaten Australian SaaS services.
  – Amazon EC2 affected by powerful thunderstorms in Northern Virginia. Tools to move processing to another data centre did not function correctly.
  – 2011 Brisbane floods: cloud services enabled email and remote access to remain available – an example of a positive risk of a cloud service

Page 19

Reasons why Cloud presents a Security Challenge

1. Loss of the network perimeter
2. Loss of directive control and audit
3. Risks from the physical location of servers
4. Risks from multi-tenancy
5. Risks from Internet accessibility
6. Difficulty in implementing effective records management protocols
7. Risks to service availability

Page 20

Treatment Strategy

Page 21

Business Aspect’s Lifecycle Approach to Cloud Security

Cloud Service Lifecycle: Requirements → Procurement → Implementation → Operation → Transition Out

Page 22

Requirements Phase


• Risk Assessment - Harm if…
  • asset widely public and widely distributed?
  • a cloud provider employee accessed asset?
  • the function was manipulated by outsider?
  • the function failed to provide results?
  • the information/data was unexpectedly changed?
  • the asset was unavailable for a period of time?
• Control Requirements
  • DSD’s advice on Cloud controls
  • Traditional normative control frameworks need to be adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO17799)
  • Compliance with…
    • Legislation
    • Mandated standards

Page 23

Procurement and Vendor Selection Phase


• Vendor Selection
  • Capability
  • Contract
  • Fit
• The Contract is the mechanism of control
  • The SLA
    • Service Availability and Reliability requirements
    • Minimum security levels that may be further defined in separate specifications and / or policies and standards
    • Processes for monitoring the performance of the provider, specifically in relation to security and availability
    • Business continuity and disaster recovery requirements and arrangements
    • Liability and indemnity, including zones of responsibility
    • Termination and transition arrangements
    • Auditing and reporting requirements
    • Event and incident management processes
  • Account management

Page 24

Implementation and Transition In Phase


• Planning & Project Management
  • De-risk by piloting and phasing
  • Formal Project e.g. Prince2
• Design key processes with Vendor
  • Service governance model
  • Data conversion and assurance
  • Information Management and Data Custodianship
  • Meeting recordkeeping requirements
  • Appointing key roles for information governance
  • Establishing capacity planning and service monitoring
  • Setting up support processes
  • Provisioning of initial services
  • Establishing security incident management

Page 25

Operations Phase


• You as client may have a limited role
  • Depending on the type of cloud
  • Understand limits
• But it is essential you know what it is
  • Who internally manages the Vendor
  • Are we clear about the ‘governance gap’ – the difference between what the vendor provides and what our stakeholders expect
• Vendor management is vital
  • Establish a performance measurement framework and share with the vendor
  • Keep touch points fresh

Just because you don’t operate the service does not mean you have no responsibilities

- Cloud may save money but it is no free lunch

Page 26

Operations processes - example

Page 27

Cease Operation & Transition Out Phase


• Assume this will happen
• Manage as project not BAU
• Considerations
  • Data ownership and retention
  • Notice and transition arrangement
  • Service transition

Page 28

Transition out process - example

Page 29

Lifecycle Approach to Cloud Security – Key Points


Requirements
  • Risk Assessment
  • Control frameworks
  • Compliance with legislation & standards

Procurement
  • Vendor selection
    • Capability
    • Contract
    • Fit
  • Contract / SLA
  • Account Management

Implementation
  • Project management
  • Design key processes with vendor

Operation
  • Understand roles & responsibilities
  • Manage the gap
  • Vendor management

Transition Out
  • Assume it will happen
  • Manage as a project
  • Consider
    • Data retention
    • Service transition
    • Notice and contract

Page 30

Page 31

References

— Anon. (2012). About FedRAMP. Retrieved 10 July, 2013, from http://www.gsa.gov/portal/category/102375

— Anon. (2012). Cloud Computing Strategic Direction Paper: Opportunities and applicability for use by the Australian Government. Retrieved 12 July, 2013, from http://agimo.gov.au/files/2012/04/final_cloud_computing_strategy_version_1.pdf

— Anon. (2012). Cloud Security Considerations. Retrieved 14 July, 2013, from http://www.dsd.gov.au/infosec/cloudsecurity.htm

— Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616. doi: http://dx.doi.org/10.1016/j.future.2008.12.001

— Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June, 2013, from http://www.microsoft.com/en-us/news/presskits/cloud/docs/the-economics-of-the-cloud.pdf

— Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13 July, 2013, from http://m.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20July%2012).pdf

— Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of Focus in Cloud Computing. Retrieved 13 July, 2013, from https://cloudsecurityalliance.org/research/security-guidance/

Page 32

About Business Aspect

Business Aspect assists clients with the execution of their business strategy through either large scale business transformation or through the addressing of smaller challenges in specific areas of the business. We focus on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in: business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure.

We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems.

Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT.

We believe the use of senior consultants for the delivery of our clients’ projects is the cornerstone of our success. We also hand pick specialists from our extensive network of associates and industry partners to complement our consulting teams. We guarantee senior people with the right balance of qualifications and real-world industry experience, and our delivery capability extends across Australia.

Duncan Unwin
M: 0407 032 755
E: [email protected]

Brisbane / Sydney / Canberra / Melbourne
www.businessaspect.com.au
T +61 7 3831 7600
F +61 7 3831 7900
Head Office - 588 Boundary St, Spring Hill, Brisbane QLD 4000