Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Transcription

1

2 Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director Statewide Office Information Security/Chief Information Security Officer NJOIT Operational Considerations for Cloud Computing Bernadette Kucharczuk CGCIO, Director of Information Technology, City of Atlantic City

3 Justin Heyman, CGCIO Information Technology Specialist Township of Franklin

4

5

6 Who currently uses the cloud? Application Services? Platform Services? Infrastructure Services?

7 Wikipedia Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet). Cloud computing is a marketing term for technologies that provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services.

8 Gartner Defines cloud computing as "a style of computing in which massively scalable IT-related capabilities are provided 'as a service' using Internet technologies to multiple external customers. Network World The cloud is not really a technology by itself. Rather, it is an approach to building IT services that harnesses the rapidly increasing horsepower of servers as well as virtualization technologies that combine many servers into large computing pools and divide single servers into multiple virtual machines that can be spun up and powered down at will.

9 Any Computing/Network resource that physically resides somewhere off of the users network but is utilized locally.

10 This isn t anything new hosted systems have been around for many, many, many years!

11

12

13

14

15 Public Cloud Resources are provided to the general public over the internet. Self service basis via web applications or web services. Examples - Google Maps, Google Docs, Office 365

16 Private Cloud Infrastructure operated solely for a single organization. Managed and/or hosed internally or externally. Tend to lend themselves to larger organizations

17 Community Cloud Resources of one or more organizations are shared between several organizations. Organizations have common concerns (security, compliance, jurisdiction, etc.) Shared Services Anyone?

18 Hybrid cloud Composition of two or more clouds (private, community, public) Allows programs and data to be shared across cloud

19 Application Services or Software as a Service (SaaS) Platform Service or Platform as a Service (PaaS) Cloud Infrastructure or Infrastructure as a Service (IaaS)

20 Software and data are hosed centrally by a provider. Software is usually accessed via a web browser Other Methods of Delivery may include Remote Desktop or Native application Minimize or eliminate need to locally manage software or hardware.

21 Examples: Permits NJ (Web based, Community cloud) Some ADP Payroll services (thin client or web based) Vital Communications/MicroSystems MOD4/CAMA (Thin client, Private cloud or Web based, community cloud)

22 Examples (cont.): Electronic Death Registration System, EDRS (Web based, Community cloud) Google apps , Documents, Sites (Web based, Public Cloud or Community Cloud) Online Recreation Programs (Web based, Community cloud)

23

24

25

26 Is the delivery of a computing platform Developers to sustain cloud applications (internal & client services) Database integration Sharing data across multiple environment. Scalability Allowing for server, network & process expansion

27 Examples: Somerset County Interoperability System Share pertinent crime statistics across multiple Municipal systems GIS, Tax Collection, Tax Assessment Share parcel information between system Data Storage Offsite storage normal operation or disaster recovery Mobile apps for Android or Apple Develop and host applications

28 Network Essentials fully outsourced beyond the current physical network boundaries

29 Examples: system Microsoft Exchange environment DNS & Active Directory services IP and host name resolution How your systems are visible on your network Firewall or Security services Implement and/or management of security policies across your infrastructure Monitor and filter in/out-bound network traffic

30

31 Pro Access anytime, anywhere Low upfront cost of ownership Provider managed application & hardware Fast & simple implementation Con Increased internet bandwidth Monthly recurring service fees Provider managed updates (browser support) Data accessibility and management (Security & DR)

32 Pro No capital expenditures for hardware or licensing No additional facilities required (building, power, cooling) Provider managed hardware platform Shared resource across state/county/local agencies Con Increased internet bandwidth Monthly recurring licensing costs Data accessibility and management (Security & DR) Application performance

33 Pro No capital expenditures for hardware or licensing No additional facilities required (building, power, cooling) Provider managed hardware & applications platform Shared resource across state/county/local agencies Con Increased internet bandwidth Monthly recurring service fees Data accessibility and management (Security & DR) Application performance

34 Who currently uses the cloud? Application Services? Platform Services? Infrastructure Services?

35 John Essner, CISO Office of Information Technology State of New Jersey

36

37 Governance Compliance Trust Architecture Identity and Access Management Software Isolation Data Protection Availability Incident Response Recommendations

38 Governance implies control and oversight. Policies, procedures, and standards. Asset Classification. Application development and information technology service acquisition. Design, implementation, testing, use, and monitoring of deployed or engaged services. Audit mechanisms and tools to ensure organizational practices.

39 Compliance refers to an organization s responsibility. Operate in agreement with established laws, regulations, standards, and specifications. Security Requirements ISO HIPAA FISMA Payment Card Industry (PCI) State of NJ - Service Contract Requirements for the Performance of Service Contracts within the United States

40 Data Location - when information crosses borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns. Electronic Discovery - involves the identification, collection, processing, analysis, and production of Electronically Stored Information (ESI) in the discovery phase of litigation.

41 Relinquishes direct control over many aspects of security and privacy. High level of trust onto the cloud provider. Responsibility to protect information and information systems. The risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction. Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes.

42 Data Ownership - the organization s ownership rights over the data must be firmly established in the service contract to enable a basis for trust and privacy of data. Third Party - cloud services that use thirdparty cloud providers to outsource or subcontract some of their services should raise concerns, including the scope of control over the third party. Visibility - continuous monitoring of information security requires maintaining ongoing awareness of security controls, vulnerabilities, and threats to support risk management decisions.

43 Ancillary Data - while the focus of attention in cloud computing is mainly on protecting application data, cloud providers also hold significant details about the accounts of cloud consumers that could be compromised and used in subsequent attacks. Risk Management - is the process of identifying and assessing risk to organizational operations, organizational assets, or individuals resulting from the operation of an information system, and taking the necessary steps to reduce it to an acceptable level

44 The software and hardware used to deliver cloud services can vary significantly among cloud providers for any specific service model. The physical location of the infrastructure is determined by the cloud provider. The design and implementation of the reliability, resource pooling, scalability, and other logic needed in the support framework.

45 Attack Surface - the hypervisor or virtual machine monitor is an additional layer of software between an operating system and hardware platform that is used to operate multi-tenant virtual machines and is common to IaaS clouds. Virtual Network Protection. Most virtualization platforms have the ability to create softwarebased switches and network configurations as part of the virtual environment.

46 Virtual Machine Images - IaaS cloud providers and manufacturers of virtual machine products maintain repositories of virtual machine images. Client-Side Protection - a successful defense against attacks requires securing both the client and server side of cloud computing.

47 Safeguards are in place to secure authentication, authorization, and other identity and access management functions. An organizational identification and authentication may not naturally extend into a public cloud. Identity federation allows the organization and cloud provider to trust and share digital identities and attributes across both domains.

48 Authentication - is the process of establishing confidence in user identities. Assurance levels should be appropriate for the sensitivity of the application and information assets accessed and the risk involved. Authorization is the process to control role definition, user authorization, and other administrative tasks related to security. Access controls - are one means to keep data away from unauthorized users; encryption is another. Access controls are typically identitybased, which makes authentication of the user s identity an important issue in cloud computing.

49 Multi-tenancy - High degrees of multitenancy over large numbers of platforms are needed for cloud computing to achieve the envisioned flexibility of on-demand provisioning of reliable services and the cost benefits and efficiencies due to economies of scale. Attack Vectors - multi-tenancy in virtual machine-based cloud infrastructures, together with the subtleties in the way physical resources are shared between guest virtual machines, can give rise to new sources of threat

50 Shared environment - Data stored in a public cloud typically resides in a shared environment collocated with data from other customers. Sensitive and regulated Organizations must account for the means by which access to the data is controlled and the data is kept secure. Data controls - Data must be secured while at rest, in transit, and in use, and access to the data must be controlled.

51 Data Sanitization - the data sanitization practices that a cloud provider implements have obvious implications for security. Sanitization involves the expunging of data from storage media by overwriting, degaussing, or other means, or the destruction of the media itself, to prevent unauthorized disclosure of information.

52 In simple terms, availability is the extent to which an organization s full set of computational resources is accessible and usable. Availability can be affected temporarily or permanently, and a loss can be partial or complete. Data Backup and Recovery - the organization s contingency and continuity planning should address the recovery and restoration of disrupted cloud services and operations, using alternate services, equipment, and locations.

53 Involves an organized method for dealing with the consequences of an attack against the security of a computer system. Incident Response Plan the cloud provider s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration.

54 Trust requires a carefully execute service agreement. It should include everything that has been covered this morning. Have it reviewed by your Information Technology Department and legal counsel. Have these discussions with IT at the table. If you don t have an IT department? Hire a Technology Consultant to ensure all areas are covered and that you are protecting your agency.

55 Identify security, privacy, and other requirements for cloud services. Common security requirements include coverage for the following areas: Personnel requirements, including clearances, roles, and responsibilities Regulatory requirements Service availability Problem reporting, review, and resolution Information handling and disclosure agreements and procedures

56 Physical and logical access controls Network access control, connectivity, and filtering Data protection System configuration and patch management Backup and recovery Data retention and sanitization Security and vulnerability scanning Risk management Incident reporting, handling, and response Continuity of operations Resource management Certification and accreditation Assurance levels Independent auditing of services

57 NIST SP Guidelines on Security and Privacy in Public Cloud Computing Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Alliance NJINFOSECURE