IT Series: Cloud Computing Done Right

Donald Hester March 22, 2011 For audio call Toll Free 1-888-886-3951 and use PIN/code 202789


Page 1: IT Series: Cloud Computing Done Right

Donald Hester, March 22, 2011

For audio call Toll Free 1-888-886-3951

and use PIN/code 202789

Page 2: IT Series: Cloud Computing Done Right

Housekeeping

• Maximize your CCC Confer window.

• Phone audio will be in presenter-only mode.

• Ask questions and make comments using the chat window.

Page 3: IT Series: Cloud Computing Done Right

Adjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Page 4: IT Series: Cloud Computing Done Right

Saving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Page 5: IT Series: Cloud Computing Done Right

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options

Page 6: IT Series: Cloud Computing Done Right

Donald Hester

Page 7: IT Series: Cloud Computing Done Right

Image: NASA

Page 8: IT Series: Cloud Computing Done Right

The “Cloud”

• Buzz word

• Overused cliché

• Ill defined

• Many different definitions

• Marketing term

• All hype

• The “unknown path”

• Service provider

Nebulous

Page 9: IT Series: Cloud Computing Done Right

“…[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.”

(NIST & Cloud Security Alliance)

A utility model of technology delivery.

Page 10: IT Series: Cloud Computing Done Right

• Private Cloud

  • Operated solely for one organization

  • In-sourcing

• Community Cloud

  • Operated for a group of similar organizations

• Public Cloud

  • Outsourced

  • Multi-tenant

• Hybrid Cloud

  • Combination of the above

Page 11: IT Series: Cloud Computing Done Right

• Communication-as-a-Service (CaaS)

• Infrastructure-as-a-Service (IaaS)

• Monitoring-as-a-Service (MaaS)

• Platform-as-a-Service (PaaS)

• Software-as-a-Service (SaaS)

• Security-as-a-Service (SECaaS)

• Everything-as-a-Service (EaaS)

• Anything-as-a-Service (XaaS)

Page 12: IT Series: Cloud Computing Done Right


Page 13: IT Series: Cloud Computing Done Right


Based on agency estimates as reported to the Office of Management and Budget (OMB)

Federal Cloud Computing Strategy

Page 14: IT Series: Cloud Computing Done Right


“Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.”

“…to be more efficient, agile, and innovative through more effective use of IT investments…”

Federal Cloud Computing Strategy, February 2011

Page 15: IT Series: Cloud Computing Done Right

• Save time and money on provisioning new services

• Less time spent on deployment

• Move capital investment to operational expenses

• Instant test bed

• Enables IT systems to be scalable and elastic

• Provision computing resources as required, on-demand

• No need to own data center infrastructure (for public cloud service)

Page 16: IT Series: Cloud Computing Done Right

• Energy saving (green)

• Increased utilization, less idle time

• Cost based on usage

• More effective use of capital resources ($)

• Better service

• Allows IT staff to focus on core competencies

• Repurpose IT staff for more customer service

• Outsource to esoteric experts

• 24/7 service and support

• Economies of scale

Page 17: IT Series: Cloud Computing Done Right

Federal Cloud Computing Strategy, February 2011

Page 18: IT Series: Cloud Computing Done Right

Traditional Costs

• Hardware (initial)

• Software (initial)

• Hardware repair/upgrades

• Software upgrades

• Staff costs

• Energy costs

• Training

Traditional Limits

• Maximum load

• Maximum up-time

• Maximum users

• MTTR

• Dependencies

Cloud Costs

• Cost per user

• Cost by bandwidth/storage

• Cost increase over time

• Cost of additional services

• Legal consultation costs

• Staff costs

• Training

Cloud Limitations

• Users

• Bandwidth

• Storage

• Service support

• Dependencies

Page 19: IT Series: Cloud Computing Done Right

Traditional Costs: TCO $21,000

Cloud Costs: TCO $22,850

Page 20: IT Series: Cloud Computing Done Right

TCO over 10 years:

• MS Office Retail: $1,220

• MS Office Academic: $346

• MS Office 360: $295

Page 21: IT Series: Cloud Computing Done Right

• Where’s My Data?

• The Bad Divorce

• Trust but Verify

• “I thought you knew”

• I didn’t think of that

• Clarify, Consider Expectations, Put it in Writing

Page 22: IT Series: Cloud Computing Done Right

• In the information age your key asset is information.

• Some information requires protection (Credit Card Data, Student Records, SSN, etc…)

• Your information could be anywhere in the world

• You may lose access to your data

  • ISP failure

  • Service provider failure

  • Failure to pay (service provider stops access)

Page 23: IT Series: Cloud Computing Done Right

“Vendor Lock”

• All relationships come to an end

  • Let you down, had a breach, SLA performance etc…

  • The company fails/gets sold

  • Introductory pricing or it goes up over time

• Transition to new vendor or in-source

  • How will you get your data back?

• Get a prenup – get it in the contract up front

Page 24: IT Series: Cloud Computing Done Right

Assurance

• How do you know they are protecting your data?

  • Not everyone is treated the same by service providers

• Disclosure concerning security posture

• 3rd party independent verification (audit/assessment)

  • SAS 70 / SSAE 16

  • SysTrust / WebTrust

  • ISO 27001 Certification

  • Audit / Assessment

Page 25: IT Series: Cloud Computing Done Right

Breach Notification

• When do you want to know about a data breach?

  • (Data that you are legally obligated to protect)

• Typical contracts give wide latitude to service providers

  • Actual versus possible breach

  • Timeliness of notification

Page 26: IT Series: Cloud Computing Done Right

Dependencies

• Infrastructure – Internet

• Authentication management (SSO)

• Operational budget

• Greater dependency on 3rd parties

Other considerations

• Complex legal issues

• Multi-tenancy

• Transborder data flow

Page 27: IT Series: Cloud Computing Done Right

• What do they mean by “Cloud”?

• Establish clear responsibilities and accountability

• Your expectations

• Cost of compensating controls

• What will happen with billing disputes

Page 28: IT Series: Cloud Computing Done Right

• The reputation of the service provider

  • Track record of issues

  • Large or small, likelihood of change

  • Vendor ‘supply chain management’ issues

• The reliability of the service or technology

  • Is the technology time tested?

• Typically you have no control over upgrades and changes

  • Training for staff

Page 29: IT Series: Cloud Computing Done Right

• Anything they guarantee, get in writing

• Typical agreements are in favor of the service provider

• Protect your interests in writing (have legal look at it)

• Get specific SLA

• Document specific security requirements

• Non-performance clause

• Disposition and transition clauses

• Notification requirements

Page 30: IT Series: Cloud Computing Done Right

• Cloud Security Alliance: cloudsecurityalliance.org

• ISACA: Cloud Computing Management Audit/Assurance Program, 2010

• NIST Special Publication 800-145 (draft)

• Federal Cloud Computing Strategy, February 2011

• Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald (ISBN 978-1-84928-031-0)

• Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome (ISBN 978-1-4398-0680-7)

Page 31: IT Series: Cloud Computing Done Right

Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Los Positas College

www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec |

www.twitter.com/sobca | [email protected]

Q&A

Page 32: IT Series: Cloud Computing Done Right

Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/CloudComput

Page 33: IT Series: Cloud Computing Done Right

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/