Why Cloud will happen, Why it changes how you need to manage security, and How you can address it
Size: px
Start display at page:

Download "Why Cloud will happen, Why it changes how you need to manage security, and How you can address it"

Transcription

1 Cloud Security Why Cloud will happen, Why it changes how you need to manage security, and How you can address it Duncan Unwin, Business Aspect ISACA, Brisbane, 16 th July 2013

2 Cloud Security The overwhelming economics of Cloud Why cloud is here and why you better get used to it Seven Reasons why Cloud is a new type of security challenge why every technique you have used to manage security needs to be reconsidered How you can manage cloud security Introducing a total lifecycle approach to security management A resh Perspective 2

3 The overwhelming economics of Cloud Supply-Side Saving Demand-side aggregation Multi-tenancy efficiency Telecommunications is becoming cheap Cloud is nearly a perfect commodity A resh Perspective 3

4 Supply-Side Saving Cost of electricity 15-20% of TCO for server infrastructure Power Usage Effectiveness (PUE) significantly higher for large DCs Green electricity costs will drive Cloud DC location Infrastructure labour costs Large DCs operate at ratios of 1 engineer to 1000s of servers Security and Reliability Compliance Increasing requirements will make it less affordable to run IT in-house Market demand and scale favour large players (e.g. AWS is ISO 27001) Buying Power Hardware Software Telecommunications Electricity A resh Perspective 4

5 Demand-side aggregation Demand is not stable Randomness Time-of-day patterns Industry-specific patterns Large clouds aggregate and smooth demand Uncertain growth pattern In-house capacity planning targets provisioning for peak load Chronic over-provisioning User demands for performance increasing Loads are moving from batch to real-time Demand when massively aggregated become predictable A resh Perspective 5

6 Multi-tenancy Economies of Scale ixed costs amortised over 1000s of customers Management Costs Implementation Costs Base processing overhead A resh Perspective 6

7 Telecommunications costs are becoming cheap A resh Perspective 7

8 Cloud is a near perfect commodity True Commodities o qualitative difference in the market Price set for the market as a whole ungible Traded via commodity markets Existing barriers limit the total commoditisation of cloud Lack of interoperability Lack of consistency in governance standards Market immaturity Cultural We predict these will be substantively solved over the next few years, resulting in commodity markets emerging A resh Perspective 8

9 The overwhelming economics of Cloud Supply-Side Saving. Large scale data centres have lower cost per CPU unit Demand-side aggregation. Aggregating demand for computing smooths overall variability, allowing server utilization rates to increase. Multi-tenancy efficiency. When changing to a multi-tenant application model, increasing the number of tenants (i.e., customers or users) lowers the application management and server cost per tenant. Telecommunications is becoming cheap. Much of the reason for in-house IT was driven by the historically high cost to ship data Cloud is nearly a perfect commodity. Supply will not be able to extract price premiums from the market. They win by scale not margin. A resh Perspective 9

10 or now accept that cloud computing will happen.. Let us reset and consider security A resh Perspective 10

11 7 Reasons why Cloud presents a Security Challenge A resh Perspective 11

12 1. Loss of network perimeter Current model of security based on egg shell design Depends upon bad people being mainly outside the network Data inside the perimeter o real idea of where the valuables are kept Cloud breaks this Data is outside the perimeter Systems are outside the perimeter Organisations that have been practicing good security such as maintaining asset inventories and protection-in-depth are well postured or the rest of us there is significant risk A resh Perspective 12

13 2. Loss of directive control and audit Cloud means that you have limited control over Infrastructure SaaS PaaS IaaS M L Application M L Application Application Middleware M L Middleware Middleware Guest OS Guest OS Guest OS Hypervisor Hypervisor Hypervisor Storage Storage Storage Hardware Hardware Hardware etwork etwork etwork Provider Customer You can t fix emerging risks by direction You have very limited ability to audit (not a managed service) This includes engaging external auditors Developing but immature and inflexible assurance standards SAS 70 / SSAE 16 Cloud Security Alliance Provider Customer A resh Perspective 13 Provider Customer Customer and provider control =none M=mostly L=limited =full

14 3. Risks from the physical location of servers Legal risks Where your data is stored determines the legal jurisdiction and data and privacy protection laws Your obligations are not reduced Potential for not knowing where your data is This needs to be addressed in specification of the service A resh Perspective 14

15 4. Risks from multi-tenancy Who are the neighbours? Virtualisation security is highly dependent on good administration eighbours pose risks because of malfeasance and negligence The driving idea behind Community Clouds a digital gated community A resh Perspective 15

16 5. Risks from Internet accessibility Why is the Internet a threat? Because that is where the bad people are Access to User Interfaces Reliance solely based on application security Often supporting only single-factor authentication Access to APIs History of poor implementation of security Tools to help Virtual firewalls and VPs Integration of federated identity and access management A resh Perspective 16

17 6. Difficulty in implementing effective records management protocols Cloud providers do not generally offer effective data archiving and record management services this problem is left to you eed to ensure backup and archive regimes meet the organisation s requirements Today this generally involves a bespoke solution A resh Perspective 17

18 7. Risks to service availability Cloud creates perverse risks of Disaster Wild fires in the USA threaten Australian SaaS services. Amazon EC2 affected by powerful thunderstorms in orthern Virginia. Tools to move processing to another data centre did not function correctly Brisbane floods: cloud services enabled and remote access to remain available an example of a positive risk of a cloud service A resh Perspective 18

19 Reasons why Cloud presents a Security Challenge 1. Loss of the network perimeter 2. Loss of directive control and audit 3. Risks from the physical location of servers 4. Risks from multi-tenancy 5. Risks from Internet accessibility 6. Difficulty in implementing effective records management protocols 7. Risks to service availability A resh Perspective 19

20 Treatment Strategy A resh Perspective 20

21 Business Aspect s Lifecycle Approach to Cloud Security Requirements Transition Out Procurement Cloud Service Lifecycle Operation Implementation

22 Requirements Phase Transition Out Operation Requirements Cloud Service Lifecycle Implementation Procurement Risk Assessment - Harm if asset widely public and widely distributed? a cloud provider employee accessed asset? the function was manipulated by outsider? the function failed to provide results? the information/data was unexpectedly changed? the asset was unavailable for a period of time? Control Requirements DSD s advice on Cloud controls Traditional normative control frameworks need to be adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO17799) Compliance with Legislation Mandated standards

23 Procurement and Vendor Selection Phase Transition Out Operation Requirements Cloud Service Lifecycle Implementation Procurement Vendor Selection Capability Contract it The Contract is the mechanism of control The SLA Service Availability and Reliability requirements Minimum security levels that may be further defined in separate specifications and / or policies and standards Processes for monitoring the performance of the provider, specifically in relation to security and availability Business continuity and disaster recovery requirements and arrangements Liability and indemnity, including zones of responsibility Termination and transition arrangements Auditing and reporting requirements Event and incident management processes Account management

24 Implementation and Transition In Phase Transition Out Operation Requirements Cloud Service Lifecycle Implementation Procurement Planning & Project Management De-risk by piloting and phasing ormal Project e.g. Prince2 Design key processes with Vendor Service governance model Data conversion and assurance Information Management and Data Custodianship Meeting recordkeeping requirements appointing key roles for information governance Establishing capacity planning and service monitoring Setting up support processes Provisioning of initial services Establishing security incident management

25 Operations Phase Transition Out Operation Requirements Cloud Service Lifecycle Implementation Procurement You as client may have a limited role Depending on the type of cloud Understand limits But is essential you know what it is Who internally manages the Vendor Are we clear about the governance gap the difference between what the vendor provides and what our stakeholders expect Vendor management is vital Establish a performance measurement framework and share with the vendor Keep touch points fresh Just because you don t operate the service does not mean you have no responsibilities - Cloud may save money but it is no free lunch

26 Operations processes - example A resh Perspective 26

27 Cease Operation & Transition Out Phase Transition Out Operation Requirements Cloud Service Lifecycle Implementation Procurement Assume this will happen Manage as project not BAU Considerations Data ownership and retention otice and transition arrangement Service transition

28 Transition out process - example A resh Perspective 28

29 Lifecycle Approach to Cloud Security Key Points Requirements Risk Assessment Control frameworks Compliance with legislation & standards Assume it will happen Manage as a project Consider Data retention Service transition otice and contract Transition Out Cloud Service Lifecycle Procurement Vendor selection Capability Contract it Contract / SLA Account Management Understand roles & responsibilities Manage the gap Vendor management Operation Implementation Project management Design key processes with vendor

30 A resh Perspective 30

31 References Anon. (2012). About edramp. Retrieved 10 July, 2013, from Anon. (2012). CLOUD COMPUTIG STRATEGIC DIRECTIO PAPER: Opportunities and applicability for use by the Australian Government. Retrieved 12 Jul 2013, 2013, from Anon. (2012). Cloud Security Considerations. Retrieved 14 July, 2013, from Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. uture Generation Computer Systems, 25(6), doi: Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June, 2013, from Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13 July, 2013, from a7be4e004c59/presentation/ewsattachment/a17af284-7d b b292d/revised%20government%20access%20to%20cloud%20data%20paper%20(18%20 July%2012).pdf Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of ocus in Cloud Computing. Retrieved 13 July, 2013, from A resh Perspective 31

32 Duncan Unwin M: E: Brisbane / Sydney / Canberra / Melbourne T Head Office Boundary St Spring Hill Brisbane QLD 4000 About Business Aspect Business Aspect assists clients with the execution of their business strategy through either large scale business transformation or through the addressing of smaller challenges in specific areas of the business. We focus on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in; business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure. We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems. Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. or our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT. We believe the use of senior consultants for the delivery of our clients projects is the cornerstone of our success. We also hand pick specialists from our extensive network of associates and industry partners to complement our consulting teams. We guarantee senior people with the right balance of qualifications and real-world industry experience, and our delivery capability extends across Australia. A resh Perspective 32

Similar documents
2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information