The Notorious Nine (Is Your Data Secure in the Cloud?)

Upload: bcs-prosoft

Post on 23-Jan-2015

Category: Technology


DESCRIPTION

The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.

TRANSCRIPT

Page 1: The Notorious 9: Is Your Data Secure in the Cloud?

The Notorious Nine (Is Your Data Secure in the Cloud?)

Page 2: The Notorious 9: Is Your Data Secure in the Cloud?

http://www.bcsprosoft.com

Agenda

• Cloud Recap
• What’s keeping you up at night (aka “The Notorious Nine”)
• How Cloud publishers are securing your data
• With security in mind, why would you move to the cloud?
• Questions to ask Cloud publishers
• Q&A

Page 3: The Notorious 9: Is Your Data Secure in the Cloud?

About BCS ProSoft

• 27+ Years Experience
• 1,500 Clients across all 50 States, Canada, and Mexico
• Offices in San Antonio, Houston, Denver, Honolulu
• Award winning partners with

Page 4: The Notorious 9: Is Your Data Secure in the Cloud?

Definitions

• Cloud computing…
– The word "cloud" is used as a metaphor for "the Internet"
– Cloud computing is the process of outsourcing IT services – such as servers, storage and applications – to a shared platform accessed via the Internet.
– End users access cloud-based applications through a web browser or a lightweight desktop or mobile app, while business software and data are stored on servers at a remote location.
– Services are provided as a utility, most often on a subscription basis
– Saves money and energy, as a vendor maintains the infrastructure and applications that run in the cloud environment instead of the organization.

Page 6: The Notorious 9: Is Your Data Secure in the Cloud?

Cloud Computing Taxonomy

[Figure: stack diagram with four columns (On Premise, IaaS, PaaS, SaaS). Each column lists the layers Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, with layers labelled "You manage" or "Managed by vendor".]

Page 7: The Notorious 9: Is Your Data Secure in the Cloud?

On-Premise

• All resources managed by the end-user organization.
• Everything is private and controlled.

[Figure: On Premise stack (Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking), labelled "You manage".]

Page 8: The Notorious 9: Is Your Data Secure in the Cloud?

IaaS - Infrastructure as a Service

• Virtual infrastructure
• Virtual desktop
• Backup and recovery
• Managed cloud security

[Figure: On Premise and IaaS stacks side by side, each listing Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, with layers labelled "You manage" or "Managed by vendor".]

Page 9: The Notorious 9: Is Your Data Secure in the Cloud?

PaaS - Platform as a Service

[Figure: On Premise, IaaS and PaaS stacks side by side, each listing Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, with layers labelled "You manage" or "Managed by vendor".]

Page 10: The Notorious 9: Is Your Data Secure in the Cloud?

SaaS - Software as a Service

[Figure: On Premise, IaaS, PaaS and SaaS stacks side by side, each listing Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, with layers labelled "You manage" or "Managed by vendor".]

Page 11: The Notorious 9: Is Your Data Secure in the Cloud?

Tenancy

• Multi-Tenant – Single instance of software runs on a server, serving multiple client organizations (tenants).

• Single Tenant – Physical or virtual machine is exclusively dedicated to a single client, i.e. software is not shared with multiple customers. This is more expensive for a vendor to set up and maintain.

Page 12: The Notorious 9: Is Your Data Secure in the Cloud?

What’s Keeping You Up at Night?

Page 13: The Notorious 9: Is Your Data Secure in the Cloud?

Cloud Computing Threats in 2013

The Notorious Nine

Cloud Security Alliance: Cloud Computing Top Threats in 2013

Page 14: The Notorious 9: Is Your Data Secure in the Cloud?

The Notorious Nine

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Page 15: The Notorious 9: Is Your Data Secure in the Cloud?

Data Breaches

1. An organization's sensitive internal data falls into the hands of competitors

Page 16: The Notorious 9: Is Your Data Secure in the Cloud?

Data Loss

2. The Problem: Permanent loss of data due to malicious attack or accidental deletion

Page 17: The Notorious 9: Is Your Data Secure in the Cloud?

Account or Service Traffic Hijacking

3. Unauthorized access gained through phishing, fraud, and exploitation of software vulnerabilities

Page 18: The Notorious 9: Is Your Data Secure in the Cloud?

Insecure Interfaces and APIs

4. Cloud computing providers expose a set of software interfaces (APIs) that customers use to manage and interact with cloud services. Lack of (or inadequate) security opens the possibility of unauthorized access.

Page 19: The Notorious 9: Is Your Data Secure in the Cloud?

Denial of Service

5. Denial-of-Service attacks are meant to prevent users of a cloud service from being able to access their data and/or applications by forcing the victim cloud service to consume inordinate amounts of finite system resources.

Page 20: The Notorious 9: Is Your Data Secure in the Cloud?

Malicious Insiders

6. A current or former employee, contractor, etc. with authorized access misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of company data.

Page 21: The Notorious 9: Is Your Data Secure in the Cloud?

Abuse of Cloud Services

7. Use of the power of distributed cloud services to perform power intensive tasks, formerly not feasible/possible from a single computer

Page 22: The Notorious 9: Is Your Data Secure in the Cloud?

Insufficient Due Diligence

8. Organizations are adopting cloud applications without understanding the risks and/or readiness of the cloud vendor to provide adequate security.

Page 23: The Notorious 9: Is Your Data Secure in the Cloud?

Shared Technology Vulnerabilities

9. Poorly designed cloud applications can introduce cross entity vulnerabilities.

Page 24: The Notorious 9: Is Your Data Secure in the Cloud?

Is Your Data Safer on Premise?

• Perhaps not!
– Is your staff properly trained?
– Are your servers really secure?
– Do you have adequate backups?
– What about natural disasters?
• Your data security is only as good as your system manager and your weakest user!

Page 25: The Notorious 9: Is Your Data Secure in the Cloud?

How Cloud Vendors Secure Your Data

Page 26: The Notorious 9: Is Your Data Secure in the Cloud?

Comprehensive Security Certifications

• American Institute of Certified Public Accountants (AICPA)
– SSAE 16 (supersedes SAS 70)
• International Federation of Accountants (IFAC)
– ISAE 3402 (Type 1 or Type 2)
• PCI Security Standards Council
– PCI DSS
• US Department of Commerce
– US-EU Safe Harbor

Page 27: The Notorious 9: Is Your Data Secure in the Cloud?

Requirements Include

• 24/7-365 Monitoring
• Continuous Monitoring with Intrusion Detection Systems (IDS)
• Separation of Duties
• Strong Management of Physical Access
• Fully Guarded Premises
• Continuous Data Center Performance Audits

Page 28: The Notorious 9: Is Your Data Secure in the Cloud?

Tiered Data Centers

| Tier 1 | Tier 2 | Tier 3 | Tier 4 |
| Non-redundant capacity components | X | X | X |
| | Redundant capacity components | X | X |
| | | Dual-powered equipment and multiple uplinks | X |
| | | | All components are fully fault-tolerant including uplinks, storage, chillers, HVAC systems, servers, etc. Everything is dual-powered |

Page 29: The Notorious 9: Is Your Data Secure in the Cloud?

Data Center Availability According to Tiers

• Tier 1: Guaranteeing 99.671% availability
• Tier 2: Guaranteeing 99.741% availability
• Tier 3: Guaranteeing 99.982% availability
• Tier 4: Guaranteeing 99.995% availability

Page 30: The Notorious 9: Is Your Data Secure in the Cloud?

Why Cloud?

Page 31: The Notorious 9: Is Your Data Secure in the Cloud?

Why Cloud Computing?

• Reduced internal IT infrastructure
• Backup & redundancy in the Cloud
• Predictable monthly costs
• Low/no cost upgrades – always running the latest version
• Anywhere, anytime access, on ANY device, i.e. everything through a browser
• No/limited install of local files & programs

Page 32: The Notorious 9: Is Your Data Secure in the Cloud?

The Iceberg Analogy

[Figure: iceberg diagram of Ongoing Costs for On-Premises Software and Cloud Computing.]

• Apply Fixes, Patches, Upgrade
• Downtime
• Performance tuning
• Rewrite customizations
• Rewrite integrations
• Upgrade dependent applications

• Subscription fee
• Training
• Configuration

• Ongoing burden on IT
• Maintain/upgrade hardware
• Maintain/upgrade network
• Maintain/upgrade security
• Maintain/upgrade database
• Training

Page 33: The Notorious 9: Is Your Data Secure in the Cloud?

On-Premise Holds the Business Back

Typical IT Budget Allocation

91% Maintenance

9% Innovation

Current 66% on old versions

The Result? VERSION-LOCK

Page 34: The Notorious 9: Is Your Data Secure in the Cloud?

Top 5 Reasons Business Owners are Turning to the Cloud

1. Improved Business Agility
2. Generate an Attractive ROI
3. Accelerate Time to Value
4. Jump Start Innovation Programs
5. Elasticity and Scale

Page 35: The Notorious 9: Is Your Data Secure in the Cloud?

Choosing a Cloud Provider

Page 36: The Notorious 9: Is Your Data Secure in the Cloud?

Security Questions for Potential Cloud Service Providers

• What encryption mechanisms do you use for customers’ data?
• In how many locations do you store customer data?
• What safeguards do you employ to ensure that different customers’ data in a multitenant cloud is kept separate?
• How is your data center physically protected?
• Which of your employees have access to customers’ data?
• How do you authenticate users?
• How precisely can you specify the degree of access that individual users have to data?

Page 37: The Notorious 9: Is Your Data Secure in the Cloud?

Security Questions for Potential Cloud Service Providers

• How many and what types of security breaches have you experienced in the last 12 months? If you had any, what were they? What new protections have you put into place?
• What disaster recovery protections do you have in place?
• What are your security scenarios? Why should I trust you?
• What tracking, reporting, and auditing capabilities do you offer?
• Do you comply with all relevant government and industry laws and regulations?

Page 38: The Notorious 9: Is Your Data Secure in the Cloud?

Security Questions for Potential Cloud Service Providers

• What Security Certifications do you hold? Can you provide me with copies?

• What happens to data when you “delete” it? Is it actually wiped out?

• What happens if we decide we want to discontinue using your services?

• Who owns the rights to the data?

Page 39: The Notorious 9: Is Your Data Secure in the Cloud?

Next Steps?

• Complete the Questionnaire
• I’ll send you more detail:
– The Notorious Nine from the Cloud Security Alliance
– What to Look for in a Service Level Agreement (SLA)

Page 40: The Notorious 9: Is Your Data Secure in the Cloud?

Contact Information

Clark Haley, CEO BCS/ProSoft, Inc.

Email: [email protected]

Phone: (800) 882-6705

LinkedIn: www.linkedin.com/in/clarkhaley