Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Computing
Uploaded by donald-e-hester, posted 09-Feb-2017 (category: Government & Nonprofit)

Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Computing
Presentation notes: © 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2
Slide: Categorize, Select, Implement, Assess, Authorize, Monitor
Presentation notes: Beyond the six steps in the RMF
Page 3
Presentation notes: Cloud Computing. Federal Cloud Computing Strategy: the "Cloud First Policy" (Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011). Photo by Donald E. Hester, all rights reserved.
Page 4
Presentation notes: What is Cloud Computing? The "Cloud" is a buzz word: overused cliché, ill defined, many different definitions, a marketing term, all hype, the "unknown path", service provider, "____-as-a-service", nebulous. Image: NASA.
Page 5
Slide: utility model
Presentation notes: Definition: "..[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions." (NIST & Cloud Security Alliance; NIST SP 800-145.) A utility model of technology delivery. Photo by Donald E. Hester, all rights reserved.
Page 6
Presentation notes: Definition: According to NIST, the cloud model is composed of five essential characteristics, three service models, and four deployment models (NIST SP 800-145). Photo by Donald E. Hester, all rights reserved.
Page 7
Presentation notes: Essential Characteristics
- On-demand self-service: customer-driven utility
- Broad network access: using standard networking
- Resource pooling: economies of scale
- Rapid elasticity: dynamic provisioning and releasing
- Measured service: the ability to measure usage
Essential characteristics as defined in NIST SP 800-145:
- On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Page 8
Presentation notes: "____-as-a-service" (Service Models)
- Software-as-a-Service (SaaS) **
- Platform-as-a-Service (PaaS) **
- Infrastructure-as-a-Service (IaaS) **
- Communication-as-a-Service (CaaS)
- Monitoring-as-a-Service (MaaS)
- Security-as-a-Service (SECaaS)
- Everything-as-a-Service (EaaS)
- Anything-as-a-Service (XaaS)
** Defined by NIST. Image: Microsoft Clip Art.
Service models as defined in NIST SP 800-145:
- Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
- Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Page 9
Presentation notes: Graphic courtesy of Microsoft
Page 10
Presentation notes: Cloud Flavors (Deployment Models)
- Private Cloud: operated solely for one organization; in-sourcing
- Community Cloud: operated for a group of similar organizations
- Public Cloud: outsourced; multi-tenant
- Hybrid Cloud: combination of the above
Image: Microsoft Clip Art
Deployment models as defined by NIST (SP 800-145):
- Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
- Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
- Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Page 11
Presentation notes: Image: Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011
Page 12
Presentation notes: DoDI 8510.01
Page 13
Presentation notes: Potential Spending on Cloud Computing. Image: Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011. "Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments." - Federal Cloud Computing Strategy, February 2011
Page 14
Slide: Efficiency, Agility, Innovation
Presentation notes: Reasons. "Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments." "...to be more efficient, agile, and innovative through more effective use of IT investments..." - Federal Cloud Computing Strategy, February 2011
Page 15
Presentation notes: Benefits
- Save time and money on provisioning new services
- Less time spent on deployment
- Move capital investment to operational expenses
- Instant test bed
- Enables IT systems to be scalable and elastic
- Provision computing resources as required, on-demand
- No need to own data center infrastructure (for public cloud service)
Page 16
Presentation notes: Benefits
- Energy saving (green)
- Increased utilization, less idle time
- Cost based on usage
- More effective use of capital resources ($)
- Better service
- Allows IT staff to focus on core competencies
- Repurpose IT staff for more customer service
- Outsource to esoteric experts
- 24/7 service and support
- Economies of scale
Page 17
Presentation notes: Cloud Provider Benefits (NIST SP 800-144)
Page 18
Presentation notes: Benefits. Image: Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011
Page 19
Presentation notes: Cost Considerations
- Traditional costs (capital expenses): hardware (initial), software (initial), hardware repair/upgrades, software upgrades, staff costs, energy costs, training
- Traditional limits: maximum load, maximum up-time, maximum users, MTTR, dependencies
- Cloud costs (operational expenses): cost per user, cost by bandwidth/storage, cost increase over time, cost of additional services, legal consultation costs, staff costs, training
- Cloud limitations: users, bandwidth, storage, service support, dependencies, MTTR
MTTR: Mean-Time-To-Recover
Page 20
Chart: annual cost by year (years 1 to 10, y-axis 0 to 14,000) for Traditional versus Cloud. Traditional costs TCO $21,000; Cloud costs TCO $22,850.
Presentation notes: Cost Benefit Analysis Example. This is somewhat similar to the ownership versus leasing calculation. Cloud costs do not include the cost of Internet service or the cost of additional bandwidth if needed. Savings in up-front costs.
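A worked version of the cost-benefit comparison described in these notes, added here as an example (not code from the slides). It models the deck's cost categories (capital expenses with periodic hardware refreshes versus usage-based subscription pricing that rises over time) and reports per-year cost, ten-year TCO and the year in which cumulative cloud spend overtakes traditional spend; all dollar figures are constructed and hypothetical, not the data behind the $21,000 / $22,850 chart.

```python
"""Added example (not from the slides): the deck's Traditional vs Cloud TCO
comparison as a small model. Cost categories are the deck's; every dollar
figure below is a constructed illustration, not the data behind its chart."""
from dataclasses import dataclass

@dataclass
class Traditional:
    """On-premises: up-front capital, periodic hardware refresh, annual opex."""
    hardware_initial: float   # capital expense, year 1
    software_initial: float   # capital expense, year 1
    hardware_refresh: float   # repair/upgrade spend every `refresh_every` years
    refresh_every: int
    annual_opex: float        # staff, energy, software upgrades, training

    def cost_in_year(self, year: int) -> float:
        cost = self.annual_opex
        if year == 1:
            cost += self.hardware_initial + self.software_initial
        elif year % self.refresh_every == 0:
            cost += self.hardware_refresh
        return cost

@dataclass
class Cloud:
    """Subscription: usage-based pricing that rises each year (as in the deck,
    Internet service and extra bandwidth are not included)."""
    users: int
    cost_per_user: float      # per year, at year-1 prices
    storage_gb: float
    cost_per_gb: float        # per year, at year-1 prices
    annual_increase: float    # 0.05 means prices rise 5 % each year
    fixed_opex: float         # staff, training, legal consultation
    one_time: float = 0.0     # contract/legal review charged in year 1

    def cost_in_year(self, year: int) -> float:
        growth = (1 + self.annual_increase) ** (year - 1)
        usage = (self.users * self.cost_per_user
                 + self.storage_gb * self.cost_per_gb) * growth
        return usage + self.fixed_opex + (self.one_time if year == 1 else 0.0)

def compare(trad: Traditional, cloud: Cloud, years: int = 10) -> dict:
    """Per-year costs, TCO of each option, and the first year in which
    cumulative cloud spend overtakes cumulative traditional spend (or None)."""
    t = [trad.cost_in_year(y) for y in range(1, years + 1)]
    c = [cloud.cost_in_year(y) for y in range(1, years + 1)]
    cum_t = cum_c = 0.0
    crossover = None
    for year, (ty, cy) in enumerate(zip(t, c), start=1):
        cum_t, cum_c = cum_t + ty, cum_c + cy
        if crossover is None and cum_c > cum_t:
            crossover = year
    return {"traditional": t, "cloud": c, "tco_traditional": sum(t),
            "tco_cloud": sum(c), "crossover_year": crossover}

def example() -> dict:
    """Constructed (hypothetical) inputs showing the deck's pattern: a large
    up-front saving, but a slightly higher ten-year TCO for the cloud option."""
    trad = Traditional(6000, 2000, 3000, refresh_every=5, annual_opex=1000)
    cloud = Cloud(users=10, cost_per_user=120, storage_gb=100, cost_per_gb=2,
                  annual_increase=0.05, fixed_opex=600, one_time=1000)
    return compare(trad, cloud)
```

With the constructed inputs, year-1 spend is 9,000 traditional versus 3,000 cloud, but cumulative cloud spend overtakes traditional in year 8 and ends the decade slightly higher, which is the shape the deck's chart shows.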
Page 21
Presentation notes: Cloud Risks
- Where's My Data?
- The Bad Divorce
- Trust but Verify
- "I thought you knew"
- I didn't think of that
- Clarify
- Consider
- Expectations: put it in writing
- Compatibility
Can you think of some risks not mentioned?
Page 22
Presentation notes: Where's My Data?
- In the information age your key asset is information.
- Some information requires protection (credit card data, student records, SSN, etc.)
- Your information could be anywhere in the world
- You may lose access to your data (availability): ISP failure; service provider failure; failure to pay (service provider stops access)
Image: Microsoft Clip Art
Page 23
Presentation notes: The Bad Divorce ("Vendor Lock")
- All relationships come to an end: let you down, had a breach, SLA performance, etc.
- The company fails/gets sold
- Introductory pricing, or it goes up over time
- Transition to new vendor or in-source: how will you get your data back?
- Lack of portability between PaaS clouds. Example: something built for Google won't work for SharePoint or Amazon
- Get a prenup: get it in the contract up front
Image: Microsoft Clip Art
Page 24
Presentation notes: Trust but Verify (Assurance)
- How do you know they are protecting your data?
- Not everyone is treated the same by service providers
- Disclosure concerning security posture
- 3rd party independent verification (audit/assessment): SAS 70 / SSAE 16; SysTrust / WebTrust; ISO 27001 certification; audit / assessment
- MOU/MOA & ISA
Image: Microsoft Clip Art
Page 25
Presentation notes: "I thought you knew"
- Cloud systems are typically more complex; this may create a larger attack surface
- Breach notification: when do you want to know about a data breach? (Data that you are legally obligated to protect)
- Typical contracts give wide latitude to service providers: actual versus possible breach; timeliness of notification
Image: Microsoft Clip Art
Page 26
Presentation notes: I didn't think of that
- Dependencies: infrastructure (Internet); authentication management (SSO); operational budget; greater dependency on 3rd parties
- Other considerations: complex legal issues; multi-tenancy; transborder data flow; jurisdiction and regulation; support for forensics
Image: Microsoft Clip Art
Page 27
Presentation notes: Clarify
- What do they mean by "Cloud"?
- Establish clear responsibilities and accountability
- Your expectations
- Cost of compensating controls
- What will happen with billing disputes?
- Will your data be in a multi-tenant environment?
- What controls will you have?
Image: Microsoft Clip Art
Page 28
Presentation notes: Consider
- The reputation of the service provider: track record of issues; large or small, likelihood of change; vendor 'supply chain management' issues
- The reliability of the service or technology: is the technology time tested?
- Competency of cloud provider
- Typically you have no control over upgrades and changes
- Training for staff
Image: Microsoft Clip Art
Page 29
Presentation notes: Compatibility
- When will they upgrade their service?
- Will they be ready when you are ready for an upgrade of dependent software?
- Will you be ready when they are ready to upgrade?
- Browser-based risks and risk remediation
- What software will be required on the client side? Java, Flash, ActiveX, Silverlight, HTML 5
Page 30
Presentation notes: New attack vectors
- Hypervisor complexity
- Data leakage (multi-tenant environment)
- Man in the middle
- Browser vulnerabilities
- Mobile device vulnerabilities
Page 31
Presentation notes: Service Agreements
- Service Level Agreement (SLA): some are predefined and non-negotiable; some are negotiable (typically cost more)
- Terms of Service may cover: privacy; breach notification; licensing; acceptable use (what you can and can't do); limitations on liability (typically in the favor of the service provider); modifications of the terms of service (do you want this?); data ownership
Page 32
Presentation notes: Traditional risks, no matter where you go
- Insider threat: instead of your staff it is their staff
- Access control: how can you control and monitor?
- Authentication: another logon, or SSO
- Data sanitization: is your data really deleted?
- Others?
Page 33
Presentation notes: What to do?
- Careful planning before engagement
- Understand the technical aspects of the solution
- Make sure it will meet your needs (security and privacy)
- Maintain accountability
- Define data location restrictions
- Ensure laws and regulations are met
- Make sure they can support electronic discovery and forensics
- Follow NIST and Cloud Security Alliance guidance
Page 34
Presentation notes: Remember to specify
- Personnel (clear backgrounds)
- Access control, account and resource management
- Availability, including SLA and dependencies
- Problem & incident reporting, notification and resolution
- Disclosure agreements
- Physical controls
- Network boundary protection
- Continuity, backup and recovery
- Assurance levels
- Independent audit or assessment
Page 35
Presentation notes: FedRAMP. "The Federal Risk and Authorization Management Program or FedRAMP has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products. FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to 'approve once, and use often' by ensuring multiple agencies gain the benefit and insight of the FedRAMP's Authorization and access to service provider's authorization packages." - http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP
Page 36
Page 37
Page 38
Page 39
Presentation notes: Resources
- Cloud Security Alliance, cloudsecurityalliance.org
- ISACA: Cloud Computing Management Audit/Assurance Program, 2010
- NIST SP 800-144 (draft)
- NIST SP 800-145
- NIST SP 800-146 (draft)
- Federal Cloud Computing Strategy, February 2011, CIO.gov
- Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald (ISBN 978-1-84928-031-0)
- Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome (ISBN 978-1-4398-0680-7)
Image: Microsoft Clip Art