Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting

Transcription

1 Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting

2 I wandered lonely as a cloud... The academic, globe-trotting years: : Parallel software for PET scanner images in Geneva Hospital : Particle Physics PhD research at CERN for Lancaster University 1998: Senior Software Developer at SLAC, Stanford, USA : RA for QMUL and webmaster for BaBar experiment at SLAC The stepping stone: : Business idea development as RSE/PPARC Enterprise Fellow And down to business: : Web developer and accessibility consultant as CEO of Surfability : Managed Extrasys cloud computing business for NG Bailey 2009 Present: Cloud consultant, author and CEO of Muon Consulting

3 Benefits of cloud computing Pay-as-you-go IT, online and on-demand Operational versus capital expenditure Less time spent administering non-core commodity IT systems internally Faster development and deployment of business applications Data storage and compute resources scale seamlessly with your business Faster entry to new markets using cloud-based software delivery and content distribution services, and online application marketplaces Fewer hardware assets and software licenses to track Always use latest version of cloud-based software with no upgrade costs Mobile services, online collaboration and remote access out of the box

4 Cloud computing concerns Public clouds are multi-tenanted and therefore open to your competitors Common business concerns include: The inherent dependency upon internet access The potential for vendor lock-in Unexpected cloud service charges and internal costs Contractual liability for services if SLAs are missed But surveys consistently reveal that data security and data privacy in public clouds are the primary concerns for businesses And data protection and data privacy are your organisation s responsibility not your cloud provider s

5 Horror stories like this don t help... High profile cloud security breaches in 2011: Sony: over a dozen data breaches affecting 100 million user records Epsilon, a cloud-based provider: estimated 60 million customer s addresses breached EMC s RSA two-factor authentication system breached and SecurID data stolen, putting tens of thousands of their customers at risk Source : But internal (non-cloud) networks can be breached too: In a survey of USA-based SMBs 40% claim to have suffered a security breach due to unsafe web surfing Source:

6 Security attack techniques Public and/or private clouds create more targets for security attacks like this, and your employees hold the keys to your data: Physical theft of unencrypted laptops that may have copies of data or have browsers with saved passwords for accessing web applications Hacking servers to access unencrypted passwords (e.g. SONY) Spear-phishing targeted spoofing fraud (e.g. Epsilon and RSA) Social engineering attacks via social media and personal webmail to gain access to web-based systems Exploits of web browser vulnerabilities and apps on mobile devices Downloads of backdoor Trojans, keystroke loggers and other malware

7 Risk mitigation in and out of clouds Minimise internal security breaches through education, user account management processes and security technologies such as two-factor authentication and identity federation (e.g. single sign-on) Involve your IT and legal departments throughout your cloud adoption programme, and consult and engage other stakeholders too Institute a strict device management regime and/or educate your employees how to use their devices securely Avoid data protection litigation by storing only non-sensitive data in public clouds unless the cloud/s are a safer place for all your data Reduce the risk of cloud security breaches by ensuring your providers have adequate controls verified by a reputable third party

8 Questioning cloud providers Cartoon by Dave Blazek -

9 Questions on systems and processes Do the cloud provider s systems satisfy your internal requirements for governance and compliance? Do they follow any industry best practices for IT service management, such as the Information Technology Infrastructure Library (ITIL)? Do they have independently audited internal controls of IT systems and processes to ISAE 3402 (successor to SAS 70) specifications? Do they have ISO certification for their information security management system? Do they have favourable independent and verifiable online reviews and client endorsements?

10 Questions on data security Do your cloud providers support federated identity? How are your data stored, backed-up, encrypted and kept separate from other organisations data in the cloud? How and when are security tests performed, especially during service updates? How are the data centres secured physically? Who, including system administrators, has access to your data, and how are they vetted? How is data access controlled and logged? What happens to your data if a service agreement is terminated or if the provider s business fails?

11 Related data questions Who owns the data you store on the provider s servers? Where are your data and backups stored geographically? Where is the provider based? Do they have controlled facilities for making automated and authorised backups to other clouds, including private clouds? Do they have flexible data retention facilities for regulatory purposes? What are their standard procedures for responding to government inquiries and legal investigations of their customers data, and the costs to be incurred by individual customers being investigated? What assurances that your data will not be compromised or seized if another customer of theirs is being investigated? What is the provider s disaster recovery plan?

12 Cloud control

13 Top tips for cloud control Classify your data in terms of sensitivity and business criticality and define roles and responsibilities for data protection Document your security and privacy requirements with clouds in mind before entering public clouds Extend your governance practices to cloud environments Configure your cloud systems to meet your requirements Consider compensating controls to work around any cloud security defects Revisit security and privacy issues throughout the system lifecycle Formulate an identity management system

14 More top tips for cloud control Choose cloud providers with transparent and adequate security processes and request evidence that they have effectively provisioned your systems in line with your controls Continually monitor and maintain your information systems, test their security and document your findings Review your existing security measures to take into account the client side of cloud services e.g. web browser vulnerabilities and applications on mobile devices

15 The future of cloud security Further development and wider adoption of cloud security standards More use of hybrid clouds, which combine public and private clouds More use of virtual private clouds for sensitive data Independent and standardised security audits so similar providers can be compared like for like

16 Who do you trust? Renowned cloud providers? The clouds of Amazon, Google, Microsoft and others have been hardened through surviving continual hacking attempts Attract and employ the best security people Have the best and most up-todate security hardware and software Your inhouse IT? Is your internal network a secure hosting environment for a private cloud exposed to multiple devices etc? Do your people have the necessary competencies? Is your hardware and software fit for purpose?

17 Further information Online resources: NIST: Guidelines on Security and Privacy in Public Cloud Computing Cloud Security Alliance guidance document ICAEW IT faculty guides: Cloud computing: A guide for business managers, by Barnaby Page Making the move to cloud computing, by yours truly

18 Conclusion Cloud computing is a matter of trust But trust can be earned by cloud providers and you can manage and mitigate internal and external security risks Many public cloud providers know what they are doing and some will have the right answers to your questions There is a balance between the potential cost and productivity benefits of using public clouds versus the data security and privacy risks Could your business create a more trustworthy private cloud? Plan carefully with security in mind, and be vigilant, but don t let the clouds pass by your window without taking a good look

19 Any questions? Cartoon by Dave Blazek - Contact me at miw@muon.co.uk