CLOUD MIGRATION. Celina Alexandre M6807

Contents (06/05/15)

1. Introduction
2. Methodology
3. Requirements Definition Phase
   3.1. Strategy
   3.2. Knowledge
4. Analysis Phase
   4.1. Applications and Systems
   4.2. Deployment Model
   4.3. Service Model
        4.3.1. SaaS Migration Considerations
        4.3.2. PaaS Migration Considerations
        4.3.3. IaaS Migration Considerations
   4.4. Provider Evaluation
5. Security Phase
   5.1. Migration Tests
   5.2. Security Policies
   5.3. Security Controls
6. Operation Phase
7. SaaS Example: Normal Process
8. SaaS Example: Automated Process
9. References

1. Introduction

- The term "cloud" is present in our daily life more and more;
- Looking at the advantages, companies have started to consider it an appealing option;
- However, for some companies, using cloud services can present threats;
- Every company should plan and analyze the change carefully;
- When using cloud services becomes an option, security issues should always be taken into account: analyzed, and solutions found to mitigate them;
- A good organizational plan should be present in every project if it is to succeed;
- That being said, one should always have at hand a good methodology that helps to build a good task plan;
- Four-phase methodology (Walter Andrew Shewhart, 1930s):
  - Plan;
  - Do;
  - Check;
  - Act.

2. Methodology

- Building on the methodology presented above, in the 1950s W. Edwards Deming proposed that business processes, as well as systems, should be monitored, measured and analyzed continuously, making it easier to identify faults and the measures needed to correct them;
- Deming's Plan-Do-Check-Act cycle:
  - Plan: identification of what can be improved and of all the necessary changes;
  - Do: implementation of the changes;
  - Check: analysis of the results obtained;
  - Act: correction of everything that did not work.

3. Requirements Definition Phase

- One of the most important phases in any project;
- Well-defined and clarified objectives;
- Identification of the organization's level of expertise;
- Definition of requirements (including the need for training);
- Or, alternatively, the decision to use external services.

3.1. Strategy

- The plan should include:
  - Risks and threats;
  - Applications and systems;
  - Well-defined objectives;
  - Infrastructure and technologies of the new service;
  - Expected benefits;
- Clear and sufficient information to answer questions such as:
  - Should the migration project be abandoned? Reduced? Delayed?
  - Are cloud services the most suitable option for the business?
  - Should a more careful analysis be made?

3.2. Knowledge

- The plan described above should make it possible to fully assess the technical knowledge needed;
- With these plans there is assurance that the project can be accomplished and that everyone involved shares a common definition of the topic at hand: cloud computing.

4. Analysis Phase

- In the analysis phase, the applications and systems ready to migrate are identified;
- The deployment models should be analyzed on the basis of efficiency, economic benefit, agility and innovation.

4.1. Applications and Systems

- A careful analysis should be made to evaluate what is best;
- The outcome varies from organization to organization, depending on needs, the information to migrate, laws, regulations, etc.
- The analysis should be based on the following classification:
  - Availability: identify the minimum requirements;
  - Latency: identify the latency requirements of each application (the maximum delay it tolerates);
  - Integration: level of integration; integrated applications complicate the process, unlike stand-alone ones;
  - Portability: evaluate the capacity to migrate the data.
- In terms of security it is necessary to evaluate:
  - Security: data security requirements and the encryption options the system offers;
  - Privacy and confidentiality: security requirements that allow privacy and confidentiality to be controlled;
  - Integrity: assure the integrity of the information, using redundancy, etc.;
  - Compliance: specific laws and regulations regarding sensitive information.

4.2. Deployment Model

- There are several factors to consider, for example economic and security issues;
- Organizations may choose a private or a public cloud, depending on their needs and the available budget.
- The following table gives a brief comparison of the two models:

Factor       | Public cloud                                              | Private cloud
-------------|-----------------------------------------------------------|-----------------------------------------------------
Costs        | Low cost; pay only for the services needed; the provider  | High cost: installation, configuration and
             | is in charge of the infrastructure.                       | maintenance. Direct access to the available hardware.
Security     | Suitable for information or services that are not         | Suitable for information or services that are
             | critical for the organization.                            | critical for the organization.
Threats      | Limited control of the infrastructure, since it is in the | Controls to protect the private cloud can be
             | hands of the provider; requires good security policies,   | implemented by the organization itself.
             | which should be assured in the contract.                  |
Scalability  | High, virtually unlimited, bounded only by the contract   | Low, limited to the infrastructure and financial
             | between client and provider.                              | resources available.

4.3. Service Model

- When choosing among the service models, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), the organization's business requirements must be taken into consideration;
- Know the requirements of the type of system or information involved.

4.3.1. SaaS Migration Considerations

- Security options are restricted to the application level;
- Model used for collaboration applications, e.g. e-mail, productivity, Customer Relationship Management (CRM), or for specific sectors, such as logistics;
- Since communication is done over the Internet, the use of an encryption system (proprietary or from a third party) should be considered;
- For critical information, the organization should not only use its own encryption for the data it sends, but also encrypt the data stored on the provider's infrastructure, so that the provider never holds the plaintext.
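The last point above, encrypting critical records before they reach the provider, is shown here as an added example; it is not code from the original slides or from any provider. It assumes the customer generates and keeps an AES-256 key, encrypts each record with AES-GCM before upload, and binds the record identifier to the ciphertext as associated data, so the provider stores only ciphertext and any corruption or swapping of stored records is detected on read. Transport encryption (TLS) is a separate layer and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptForProvider encrypts one record under a key that stays with the
// customer. The provider stores only nonce||ciphertext||tag, so it can neither
// read the record nor alter it without detection. aad (here the record's
// identifier) is authenticated but not encrypted, which stops a stored blob
// from being silently moved to another record.
func EncryptForProvider(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob can be stored.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptFromProvider reverses EncryptForProvider. Any change to the blob, or
// a mismatching aad, fails authentication and returns an error instead of
// plaintext.
func DecryptFromProvider(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed example: a 256-bit key generated and held by the customer.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("Alice Smith, NL, account 12345") // constructed record
	blob, err := EncryptForProvider(key, record, []byte("customer-1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %d bytes of ciphertext\n", len(blob))

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered blob
	if _, err := DecryptFromProvider(key, blob, []byte("customer-1")); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

The key never leaves the customer, so losing it means losing the data: key backup and rotation have to be part of the migration plan, not an afterthought.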

4.3.2. PaaS Migration Considerations

- The PaaS offer consists mostly of a complete development environment;
- It is the indicated model for in-house or custom applications, security services, database services, etc.
- Security considerations cover access control and authorization, operation in shared environments, and information and data;
- This model operates in a shared environment, so a strong authentication framework is essential to ensure that information is accessed only by those with permission.
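An added example of the access-control side of a shared PaaS environment; it is not code from the original slides or from any platform. It assumes a constructed token format (tenant, subject, role and expiry, signed with HMAC-SHA256 under a server-side secret) and an authorization check in which the tenant comparison is the isolation boundary: a valid token from one tenant is rejected for another tenant's resources regardless of role, and forged or expired tokens are rejected before any field is trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Claims carried by a token. Tenant is the isolation boundary of the shared
// environment; Role decides what the holder may do inside that tenant.
type Claims struct {
	Tenant  string
	Subject string
	Role    string
	Expiry  time.Time
}

// Token layout (constructed for this example, not a standard format):
//   tenant|subject|role|expiry-unix|hex(HMAC-SHA256(secret, first four fields))
// Field values containing '|' are rejected at issuance so the layout stays unambiguous.

func sign(secret []byte, payload string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// MintToken is what the platform's authentication service would do after it
// has verified the user's credentials (that step is out of scope here).
func MintToken(secret []byte, c Claims) (string, error) {
	for _, f := range []string{c.Tenant, c.Subject, c.Role} {
		if f == "" || strings.Contains(f, "|") {
			return "", errors.New("invalid claim value")
		}
	}
	payload := strings.Join([]string{c.Tenant, c.Subject, c.Role, strconv.FormatInt(c.Expiry.Unix(), 10)}, "|")
	return payload + "|" + sign(secret, payload), nil
}

// VerifyToken checks the signature before trusting any field, then the expiry.
func VerifyToken(secret []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 5 {
		return Claims{}, errors.New("malformed token")
	}
	payload := strings.Join(parts[:4], "|")
	// hmac.Equal is constant-time; a plain string compare would leak how many
	// leading bytes of a forged signature were correct.
	if !hmac.Equal([]byte(sign(secret, payload)), []byte(parts[4])) {
		return Claims{}, errors.New("bad signature")
	}
	exp, err := strconv.ParseInt(parts[3], 10, 64)
	if err != nil {
		return Claims{}, errors.New("malformed expiry")
	}
	expiry := time.Unix(exp, 0)
	if !now.Before(expiry) {
		return Claims{}, errors.New("token expired")
	}
	return Claims{Tenant: parts[0], Subject: parts[1], Role: parts[2], Expiry: expiry}, nil
}

// Authorize decides whether the token holder may perform action on a resource
// owned by resourceTenant. The tenant comparison comes first and is absolute:
// a valid token from one tenant never reaches another tenant's data, whatever
// the role says.
func Authorize(secret []byte, token, resourceTenant, action string, now time.Time) error {
	c, err := VerifyToken(secret, token, now)
	if err != nil {
		return err
	}
	if c.Tenant != resourceTenant {
		return fmt.Errorf("cross-tenant access denied: token for %q, resource of %q", c.Tenant, resourceTenant)
	}
	switch action {
	case "read":
		return nil // every authenticated member of the tenant may read
	case "write":
		if c.Role == "admin" || c.Role == "editor" {
			return nil
		}
	}
	return fmt.Errorf("role %q may not %s", c.Role, action)
}

func main() {
	secret := []byte("constructed-server-side-secret") // would come from a secret store
	now := time.Now()
	tok, _ := MintToken(secret, Claims{Tenant: "acme", Subject: "alice", Role: "editor", Expiry: now.Add(time.Hour)})
	fmt.Println("same tenant, write:", Authorize(secret, tok, "acme", "write", now))
	fmt.Println("other tenant, read:", Authorize(secret, tok, "globex", "read", now))
}
```

The order of checks matters: signature, then expiry, then tenant, then role. Checking the role before the tenant is the classic shared-environment mistake, because an "admin" of one tenant is still a stranger to every other tenant.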

4.3.3. IaaS Migration Considerations

- The vendor provides a complete infrastructure to its customers;
- Customers can install and provide services and resources to internal and external users;
- It applies primarily to disk space, computing, storage, web publishing, and backup and disaster-recovery systems.
- The customer must ensure that the implemented security controls effectively separate and secure the virtual machines and the memory, network and storage resources they use;
- As in the previous models, encryption must be considered both for data in transit and for data at rest.

4.4. Provider Evaluation

- This is a complex process which should rely on comparable criteria, so that a real comparison between the different potential service providers is possible;
- The analysis should focus on the following:
  - Integration of services, data and applications: analyze how the organization's existing infrastructure integrates with the services offered by the cloud provider;
  - Data and information protection: analyze which encryption systems the provider makes available;
  - Performance: run acceptance tests to make sure the service is not too slow;
  - Contract negotiation: confirm the key terms, such as portability of information and systems, the ease of switching provider, changes to the contractual terms of service, etc.;
  - Physical security: check the security standards of the facilities and what evidence of them can be provided;
  - Product support: confirm that technical support is included in the contract and what this service costs in addition. Also check the hours in which it is available and what training and certification the support team has;
  - References: request a list of customers, preferably up to date, and look for information about the organization.

5. Security Phase

- At this stage, controls are defined to attest that security is effective and observed;
- Migration tests should be planned, tested and performed to support a good decision on when and how the migration of applications, data and information should be conducted;
- These tests determine whether the migration is done in stages or all at once, and establish whether services or applications need to be kept running in parallel, and for how long.

5.1. Migration Tests

- Migration tests are one of the final steps;
- The planning and execution of the migration may vary depending on the classification of the application: whether it is essential, or whether stopping it implies losses for the company;
- If the application is classified as such, the migration should be achieved in phases, with both infrastructures coexisting;
- The information collected in all previous steps should be used to create the tests;
- A well-made and well-applied test plan is what assures the success of a cloud migration project.
- In these tests, the following should be addressed:
  - Confirm the integrity of the data;
  - Set up recovery and disaster-response plans;
  - Check whether the workers who answer users' questions and problems need training;
  - Set a rollback plan in case unexpected problems arise.
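The first test item, confirming data integrity, is shown here as an added example; it is not code from the original slides. It assumes records are identified by a string key and that a manifest of per-record SHA-256 digests is computed on the source before migration and carried to the target separately from the data, so that a verification run after migration can report records that went missing, changed in transit, or appeared on the target without a source counterpart. The sample records are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a record identifier to the SHA-256 of its content, computed on
// the source system before migration and transported independently of the
// data itself (otherwise a corrupted copy could carry a matching corrupted manifest).
type Manifest map[string]string

// BuildManifest hashes every record; it is run on the source before migration
// and again on the target afterwards.
func BuildManifest(records map[string][]byte) Manifest {
	m := make(Manifest, len(records))
	for id, content := range records {
		sum := sha256.Sum256(content)
		m[id] = hex.EncodeToString(sum[:])
	}
	return m
}

// Report lists every discrepancy between the source manifest and the records
// found on the target after migration.
type Report struct {
	Missing  []string // present at source, absent at target
	Modified []string // present on both sides, content differs
	Extra    []string // present at target only
}

// OK is true when the target is an exact copy of the source.
func (r Report) OK() bool { return len(r.Missing)+len(r.Modified)+len(r.Extra) == 0 }

// VerifyMigration compares the source manifest with the target's records and
// returns sorted lists so the report is stable across runs.
func VerifyMigration(source Manifest, target map[string][]byte) Report {
	var r Report
	targetManifest := BuildManifest(target)
	for id, want := range source {
		got, ok := targetManifest[id]
		switch {
		case !ok:
			r.Missing = append(r.Missing, id)
		case got != want:
			r.Modified = append(r.Modified, id)
		}
	}
	for id := range targetManifest {
		if _, ok := source[id]; !ok {
			r.Extra = append(r.Extra, id)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Modified)
	sort.Strings(r.Extra)
	return r
}

func main() {
	// Constructed sample data: three customer records on the source system.
	source := map[string][]byte{
		"cust-1": []byte("Alice,NL"),
		"cust-2": []byte("Bob,PT"),
		"cust-3": []byte("Carol,DE"),
	}
	manifest := BuildManifest(source)

	// What the target holds after a flawed migration: one record altered,
	// one missing, one that should not be there.
	target := map[string][]byte{
		"cust-1": []byte("Alice,NL"),
		"cust-2": []byte("Bob,ES"),
		"cust-4": []byte("Dan,FR"),
	}
	r := VerifyMigration(manifest, target)
	fmt.Printf("ok=%v missing=%v modified=%v extra=%v\n", r.OK(), r.Missing, r.Modified, r.Extra)
}
```

A non-empty report is the trigger for the rollback plan in the last list item: the phased migration keeps the source infrastructure alive precisely so that a failed verification can be answered by re-running the batch rather than by restoring from backup.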

5.2. Security Policies

- Approved by the organization's management;
- A security policy should contain (Winkler, 2011):
  - Identification of all the resources and systems to be protected;
  - Identification of vulnerabilities, threats and exposure to threats;
  - Measures to protect the resources, evaluation of the security controls, and an estimate of the implementation costs.

5.3. Security Controls

- Administrative, technical and physical measures that attest that the security policies are observed and followed;
- They guard against, and minimize, the loss or unauthorized alteration of information, unavailability of systems, service degradation, and loss of access to systems.
- Physical controls: security controls that prevent unauthorized access to facilities, equipment or systems;
- Technical controls: access-control technology for the information stored in IT systems;
- Administrative controls: administrative security measures that prevent unauthorized access to information, whether intentional or accidental.

6. Operation Phase

- The last step, which takes place after the migration;
- A strategic assessment at regular intervals to ensure that the contracted services stay within the defined objectives;
- A process for analyzing metrics should be established, so that the contract with the supplier can be enforced on the agreed terms;
- These processes should:
  - Promote internal information collection to support a qualitative and quantitative analysis of the problems and weaknesses to solve;
  - Attest to security and privacy against the rules in force;
  - Monitor the performance of the contract with the supplier, guaranteeing that it is being complied with;
  - Analyze similar services from other providers, so that the service, conditions, etc. can be compared;
  - Ask the supplier for certificates, inspections and audits that guarantee that the processes are maintained and that the security checks laid down in the contract are performed;
  - Establish monitoring of billing, comparing the contracted services with the services actually consumed.
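Two of the operation-phase checks, measuring availability against the contract and reconciling the bill against consumption, are shown here as an added example; it is not code from the original slides. It assumes the customer runs its own availability probes rather than relying on the provider's figures, that the SLA is expressed as a monthly availability target, and that invoiced units can be matched to units metered by the customer per service; the probe data and invoice figures are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Probe is one synthetic availability check of the contracted service, as the
// customer's own monitoring would record it (constructed data in main).
type Probe struct {
	At time.Time
	Up bool
}

// AvailabilityByMonth returns the fraction of successful probes per calendar
// month, keyed "YYYY-MM" in UTC, which is the usual SLA measurement window.
func AvailabilityByMonth(probes []Probe) map[string]float64 {
	up := map[string]int{}
	total := map[string]int{}
	for _, p := range probes {
		k := p.At.UTC().Format("2006-01")
		total[k]++
		if p.Up {
			up[k]++
		}
	}
	out := make(map[string]float64, len(total))
	for k, n := range total {
		out[k] = float64(up[k]) / float64(n)
	}
	return out
}

// SLABreaches lists the months whose measured availability fell below the
// contractual target (e.g. 0.999), sorted, so they can be raised with the provider.
func SLABreaches(avail map[string]float64, target float64) []string {
	var months []string
	for m, a := range avail {
		if a < target {
			months = append(months, m)
		}
	}
	sort.Strings(months)
	return months
}

// ReconcileBilling compares units invoiced by the provider with units metered
// by the customer and returns the services billed above metered usage by more
// than tolerance (a fraction, e.g. 0.05). A service that was invoiced but never
// metered is always flagged, since nothing on the customer's side explains it.
func ReconcileBilling(invoiced, metered map[string]float64, tolerance float64) []string {
	var flagged []string
	for svc, billed := range invoiced {
		used, ok := metered[svc]
		if !ok || billed > used*(1+tolerance) {
			flagged = append(flagged, svc)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	// Constructed monitoring data: a real deployment would probe every few
	// minutes; a handful of daily probes per month is enough to show the calculation.
	var probes []Probe
	may := time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 10; i++ {
		probes = append(probes, Probe{At: may.Add(time.Duration(i) * 24 * time.Hour), Up: i != 3})
	}
	june := time.Date(2015, time.June, 1, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 10; i++ {
		probes = append(probes, Probe{At: june.Add(time.Duration(i) * 24 * time.Hour), Up: true})
	}
	avail := AvailabilityByMonth(probes)
	fmt.Println("availability by month:", avail)
	fmt.Println("months below 99.5%:", SLABreaches(avail, 0.995))

	// Constructed invoice versus the customer's own metering.
	invoiced := map[string]float64{"storage-GB": 1200, "compute-hours": 730, "support": 1}
	metered := map[string]float64{"storage-GB": 1000, "compute-hours": 720}
	fmt.Println("billing discrepancies:", ReconcileBilling(invoiced, metered, 0.05))
}
```

The point of independent probes is evidential: an SLA credit claim backed only by the provider's own dashboard is a weak negotiating position, whereas a month of timestamped failed probes from the customer's side is hard to dispute.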

7. SaaS Example: Normal Process

1. New worker;
2. Notification from the access manager to the helpdesk (e-mail);
3. Access is granted;
4. Worker notified;
5. Worker has access.

Problems: manual process; slow; low volume.

8. SaaS Example: Automated Process

1. Worker makes a request on the sign-up page;
2. The Access Management Service is invoked automatically;
3. User registered;
4. Automatic welcome e-mail;
5. Worker uses the application.

Benefits: automatic; fast; high volume.
Problem: access restrictions.

9. References

- http://repositorio.ucp.pt/bitstream/10400.14/16110/1/Dissertação-Migração%20e%20segurança%20em%20plataformas%20cloud%20computing%20-%20Roberto%20Silva.pdf
- https://www.usenix.org/legacy/event/lisa11/tech/full_papers/Zhang.pdf
- http://ieeexplore.ieee.org/xplore/login.jsp?url=http%3a%2f%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6008753&authDecision=-203
- http://regions.cmg.org/regions/stlcmg/files/download/Presentations_2012-02/CMG%20App%20Migration%20PPT.pptx
