IT Series: Cloud Computing Done Right @One 2011


DESCRIPTION

Coverage of the risks and rewards of Cloud computing. Including proper management and risk assessment considerations.

TRANSCRIPT

Page 1: IT Series: Cloud Computing Done Right @One 2011

Donald Hester, March 22, 2011

For audio call Toll Free 1-888-886-3951

and use PIN/code 202789

IT Series:

Cloud Computing Done Right

Page 2

Housekeeping

• Maximize your CCC Confer window.

• Phone audio will be in presenter-only mode.

• Ask questions and make comments using the chat window.

Page 3

Adjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Page 4

Saving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Page 5

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options

Page 6

Donald Hester

IT Series:

Cloud Computing Done Right

Page 7

Image: NASA

Page 8

Cloud Computing?

The “Cloud”

• Buzz word

• Overused cliché

• Ill defined

• Many different definitions

• Marketing term

• All hype

• The “unknown path”

• Service provider

Nebulous

Page 9

What is it?

“…[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.”

NIST & Cloud Security Alliance

A utility model of technology delivery.

Page 10

Cloud Flavors

• Private Cloud

  • Operated solely for one organization

  • In-sourcing

• Community Cloud

  • Operated for a group of similar organizations

• Public Cloud

  • Outsourced

  • Multi-tenant

• Hybrid Cloud

  • Combination of the above

Page 11

…as-a-service

• Communication-as-a-Service (CaaS)

• Infrastructure-as-a-Service (IaaS)

• Monitoring-as-a-Service (MaaS)

• Platform-as-a-Service (PaaS)

• Software-as-a-Service (SaaS)

• Security-as-a-Service (SECaaS)

• Everything-as-a-Service (EaaS)

• Anything-as-a-Service (XaaS)

Page 12

…as-a-service

Page 13

Potential Spending on Cloud Computing

Based on agency estimates as reported to the Office of Management and Budget (OMB)

Source: Federal Cloud Computing Strategy

Page 14

Federal Cloud Computing Strategy

“Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.”

“…to be more efficient, agile, and innovative through more effective use of IT investments…”

Federal Cloud Computing Strategy, February 2011

Page 15

Benefits of Cloud Computing

• Save time and money on provisioning new services

• Less time spent on deployment

• Move capital investment to operational expenses

• Instant test bed

• Enables IT systems to be scalable and elastic

• Provision computing resources as required, on-demand

• No need to own data center infrastructure (for public cloud service)

Page 16

Benefits of Cloud Computing

• Energy saving (green)

• Increased utilization, less idle time

• Cost based on usage

• More effective use of capital resources ($)

• Better service

• Allows IT staff to focus on core competencies

• Repurpose IT staff for more customer service

• Outsource to esoteric experts

• 24/7 service and support

• Economies of scale

Page 17

Federal Cloud Computing Benefits

Source: Federal Cloud Computing Strategy, February 2011

Page 18

Cost Benefit Analysis

Traditional Costs

• Hardware (initial)

• Software (initial)

• Hardware repair/upgrades

• Software upgrades

• Staff costs

• Energy costs

• Training

Traditional Limits

• Maximum load

• Maximum up-time

• Maximum users

• MTTR

• Dependencies

Cloud Costs

• Cost per user

• Cost by bandwidth/storage

• Cost increase over time

• Cost of additional services

• Legal consultation costs

• Staff costs

• Training

Cloud Limitations

• Users

• Bandwidth

• Storage

• Service support

• Dependencies

Page 19

Cost Benefit Analysis Example

• Traditional Costs: TCO $21,000

• Cloud Costs: TCO $22,850

[Chart: annual cost (USD, 0 to 14,000) by year (1 to 10), Traditional vs. Cloud]

Page 20

Cost Benefit Analysis Example

TCO over 10 years:

• MS Office Retail: $1,220

• MS Office Academic: $346

• MS Office 360: $2,950

[Chart: annual cost (USD, 50 to 350) by year (1 to 10), Retail vs. Academic vs. Cloud]

Page 21

Cloud Risks

• Where’s My Data?

• The Bad Divorce

• Trust but Verify

• “I thought you knew”

• I didn’t think of that

• Clarify

• Consider

• Expectations, Put it in Writing

Page 22

Where’s My Data?

• In the information age your key asset is information.

• Some information requires protection

  • (Credit Card Data, Student Records, SSN, etc…)

• Your information could be anywhere in the world

• You may lose access to your data

  • ISP failure

  • Service provider failure

  • Failure to pay (service provider stops access)

Page 23

The Bad Divorce

“Vendor Lock”

• All relationships come to an end

  • Let you down, had a breach, SLA performance etc…

  • The company fails/gets sold

  • Introductory pricing, or it goes up over time

• Transition to new vendor or in-source

  • How will you get your data back?

• Get a prenup – get it in the contract up front

Page 24

Trust but Verify

Assurance

• How do you know they are protecting your data?

• Not everyone is treated the same by service providers

• Disclosure concerning security posture

• 3rd party independent verification (audit/assessment)

  • SAS 70 / SSAE 16

  • SysTrust / WebTrust

  • ISO 27001 Certification

  • Audit / Assessment

Page 25

“I thought you knew”

Breach Notification

• When do you want to know about a data breach?

  • (Data that you are legally obligated to protect)

• Typical contracts give wide latitude to service providers

  • Actual versus possible breach

  • Timeliness of notification

Page 26

I didn’t think of that

Dependencies

• Infrastructure – Internet

• Authentication management (SSO)

• Operational budget

• Greater dependency on 3rd parties

Other considerations

• Complex legal issues

• Multi-tenancy

• Transborder data flow

Page 27

Clarify

• What do they mean by “Cloud”?

• Establish clear responsibilities and accountability

• Your expectations

• Cost of compensating controls

• What will happen with billing disputes

Page 28

Consider

• The reputation of the service provider

  • Track record of issues

  • Large or small, likelihood of change

  • Vendor ‘supply chain management’ issues

• The reliability of the service or technology

  • Is the technology time tested?

  • Typically you have no control over upgrades and changes

• Training for staff

Page 29

Expectations, Put it in Writing

• Anything they guarantee, get in writing

• Typical agreements are in favor of the service provider

• Protect your interests in writing (have legal look at it)

  • Get a specific SLA

  • Document specific security requirements

  • Non-performance clause

  • Disposition and transition clauses

  • Notification requirements

Page 30

Resources

• Cloud Security Alliance: cloudsecurityalliance.org

• ISACA: Cloud Computing Management Audit/Assurance Program, 2010

• NIST Special Publication 800-145 (draft)

• Federal Cloud Computing Strategy, February 2011

• Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald (978-1-84928-031-0)

• Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome (978-1-4398-0680-7)

Page 31

Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Las Positas College

www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca | [email protected]

Q&A

Page 32

Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/CloudComput

Page 33

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/

IT Series:

Cloud Computing Done Right