The Notorious 9: Is Your Data Secure in the Cloud?
DESCRIPTION
The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.
TRANSCRIPT
The Notorious Nine (Is Your Data Secure in the Cloud?)
http://www.bcsprosoft.com
Agenda
• Cloud Recap
• What’s keeping you up at night (aka “The Notorious Nine”)
• How Cloud publishers are securing your data
• With security in mind, why would you move to the cloud?
• Questions to ask Cloud publishers
• Q&A
About BCS ProSoft
• 27+ Years Experience
• 1,500 Clients across all 50 States, Canada, and Mexico
• Offices in San Antonio, Houston, Denver, Honolulu
• Award-winning partners with
Definitions
• Cloud computing…
– The word "cloud" is used as a metaphor for "the Internet".
– Cloud computing is the process of outsourcing IT services, such as servers, storage and applications, to a shared platform accessed via the Internet.
– End users access cloud-based applications through a web browser or a lightweight desktop or mobile app, while the business software and data are stored on servers at a remote location.
– Services are provided as a utility, most often on a subscription basis.
– Saves money and energy, as the vendor, rather than the organization, maintains the infrastructure and applications that run in the cloud environment.
Cloud Computing Taxonomy
Who manages each layer of the stack under each delivery model ("You" = your organization manages it; "Vendor" = managed by the cloud vendor):

Layer            On Premise   IaaS     PaaS     SaaS
Applications     You          You      You      Vendor
Data             You          You      You      Vendor
Runtime          You          You      Vendor   Vendor
Middleware       You          You      Vendor   Vendor
O/S              You          You      Vendor   Vendor
Virtualization   You          Vendor   Vendor   Vendor
Servers          You          Vendor   Vendor   Vendor
Storage          You          Vendor   Vendor   Vendor
Networking       You          Vendor   Vendor   Vendor
On-Premise
• All resources managed by the end-user organization.
• Everything is private and controlled.
• You manage every layer: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
IaaS - Infrastructure as a Service
• You manage: Applications, Data, Runtime, Middleware, O/S
• Managed by vendor: Virtualization, Servers, Storage, Networking
• Typical offerings:
– Virtual infrastructure
– Virtual desktop
– Backup and recovery
– Managed cloud security
PaaS - Platform as a Service
• You manage: Applications, Data
• Managed by vendor: Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking
SaaS - Software as a Service
• Managed by vendor: every layer (Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking)
Tenancy
• Multi-Tenant – Single instance of software runs on a server, serving multiple client organizations (tenants).
• Single Tenant – A physical or virtual machine is exclusively dedicated to a single client, i.e. the software is not shared with multiple customers. This is more expensive for a vendor to set up and maintain.
What’s Keeping You Up at Night?

The Notorious Nine
Source: Cloud Security Alliance, "Cloud Computing Top Threats in 2013"
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
1. Data Breaches: An organization's sensitive internal data falls into the hands of competitors.
2. Data Loss: Permanent loss of data due to a malicious attack or accidental deletion.
3. Account or Service Traffic Hijacking: Unauthorized access gained through phishing, fraud, and exploitation of software vulnerabilities.
4. Insecure Interfaces and APIs: Cloud computing providers expose a set of software interfaces (APIs) that customers use to manage and interact with cloud services. Lack of (or inadequate) security on these interfaces opens the possibility of unauthorized access.
5. Denial of Service: Denial-of-Service attacks are meant to prevent users of a cloud service from being able to access their data and/or applications by forcing the victim cloud service to consume inordinate amounts of finite system resources.
6. Malicious Insiders: A current or former employee, contractor, etc. with authorized access misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of company data.
7. Abuse of Cloud Services: Use of the power of distributed cloud services to perform compute-intensive tasks that were formerly not feasible from a single computer.
8. Insufficient Due Diligence: Organizations adopt cloud applications without understanding the risks and/or the readiness of the cloud vendor to provide adequate security.
9. Shared Technology Vulnerabilities: Poorly designed cloud applications can introduce cross-entity vulnerabilities, where a flaw in the shared platform exposes one tenant to another.
Is Your Data Safer on Premise?
• Perhaps not!
– Is your staff properly trained?
– Are your servers really secure?
– Do you have adequate backups?
– What about natural disasters?
• Your data security is only as good as your system manager and your weakest user!
How Cloud Vendors Secure Your Data

Comprehensive Security Certifications
• American Institute of Certified Public Accountants (AICPA)
– SSAE 16 (supersedes SAS 70)
• International Federation of Accountants (IFAC)
– ISAE 3402 (Type 1 or Type 2)
• PCI Security Standards Council
– PCI DSS
• US Department of Commerce
– US-EU Safe Harbor
Requirements Include
• 24/7-365 Monitoring
• Continuous Monitoring with Intrusion Detection Systems (IDS)
• Separation of Duties
• Strong Management of Physical Access
• Fully Guarded Premises
• Continuous Data Center Performance Audits
Tiered Data Centers
Each tier includes the capabilities of the tiers below it:
• Tier 1: Non-redundant capacity components
• Tier 2: Tier 1 + redundant capacity components
• Tier 3: Tier 2 + dual-powered equipment and multiple uplinks
• Tier 4: Tier 3 + all components are fully fault-tolerant, including uplinks, storage, chillers, HVAC systems, servers, etc. Everything is dual-powered.
Data Center Availability According to Tiers
• Tier 1: Guaranteeing 99.671% availability
• Tier 2: Guaranteeing 99.741% availability
• Tier 3: Guaranteeing 99.982% availability
• Tier 4: Guaranteeing 99.995% availability
Why Cloud?

Why Cloud Computing?
• Reduced internal IT infrastructure
• Backup & redundancy in the Cloud
• Predictable monthly costs
• Low/no cost upgrades – always running the latest version
• Anywhere, anytime access, on ANY device, i.e. everything through a browser
• No/limited install of local files & programs
The Iceberg Analogy

On-Premises Software – Ongoing Costs
• Apply fixes, patches, upgrades
• Downtime
• Performance tuning
• Rewrite customizations
• Rewrite integrations
• Upgrade dependent applications
• Ongoing burden on IT
• Maintain/upgrade hardware
• Maintain/upgrade network
• Maintain/upgrade security
• Maintain/upgrade database
• Training

Cloud Computing – Ongoing Costs
• Subscription fee
• Training
• Configuration
On-Premise Holds the Business Back
Typical IT Budget Allocation:
• 91% Maintenance (currently 66% on old versions)
• 9% Innovation
The Result? VERSION-LOCK
Top 5 Reasons Business Owners are Turning to the Cloud
1. Improved Business Agility
2. Generate an Attractive ROI
3. Accelerate Time to Value
4. Jump Start Innovation Programs
5. Elasticity and Scale
Choosing a Cloud Provider

Security Questions for Potential Cloud Service Providers
• What encryption mechanisms do you use for customers’ data?
• In how many locations do you store customer data?
• What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
• How is your data center physically protected?
• Which of your employees have access to customers’ data?
• How do you authenticate users?
• How precisely can you specify the degree of access that individual users have to data?
Security Questions for Potential Cloud Service Providers
• How many and what types of security breaches have you experienced in the last 12 months? If you had any, what were they? What new protections have you put into place?
• What disaster recovery protections do you have in place?
• What are your security scenarios? Why should I trust you?
• What tracking, reporting, and auditing capabilities do you offer?
• Do you comply with all relevant government and industry laws and regulations?
Security Questions for Potential Cloud Service Providers
• What Security Certifications do you hold? Can you provide me with copies?
• What happens to data when you “delete” it? Is it actually wiped out?
• What happens if we decide we want to discontinue using your services?
• Who owns the rights to the data?
Next Steps?
• Complete the Questionnaire
• I’ll send you more detail:
– The Notorious Nine from the Cloud Security Alliance
– What to Look for in a Service Level Agreement (SLA)
Clark Haley, CEO BCS/ProSoft, Inc.
Contact Information
Email: [email protected]
Phone: (800) 882-6705
LinkedIn: www.linkedin.com/in/clarkhaley