Software Journey to the Cloud - CATUG Discussion Document




Cloud Arena Technical Users Group (CATUG)

ABSTRACT

The CloudArena Technical Users Group (CATUG) developed this discussion document, which could act as a checklist for companies considering building software in the Cloud securely.

Table of Contents

Acknowledgment
Background
Disclaimer
Software journey to the Cloud
1.0 Starting point
2.0 Technology
3.0 Development frameworks
4.0 Security module & controls
5.0 Platforms
6.0 Development lifecycle
7.0 Data protection, storage and extraction
8.0 Encryption (Part of security)
9.0 Auditing and logging
10.0 Security review
11.0 Ongoing security
Key contributors to this document

Acknowledgment

The CloudArena Technical Users Group (CATUG) developed this discussion document. The group is made up of a number of IT professionals with a broad range of IT experience and skills. The group's purpose is to share and exchange knowledge with a particular focus on Cloud Computing.

Background

Based on the group's discussion around shared experiences of working in the Cloud, the group wanted to produce a document in support of CloudArena's security event for companies who were looking to build bespoke software in the Cloud, whether internal or external facing, software as a service or not. It is a very high level guide, which could act as a checklist for companies considering building software in the Cloud securely. There are a number of questions and pointers to consider, which are captured in the document.

Disclaimer

This document is intended to support businesses of all types who are considering building software in the Cloud. It is a general guide and cannot reflect all of the particular requirements of every organisation. Ultimately, any decisions on the development and adoption of business technology should be made by users based on their own judgment, supported by professional advice where required. Neither the authors nor the publishers of this document can accept liability for any loss incurred by any person acting or refraining from acting as a result of material in this document.

The content of this document was compiled from the input of many individuals working in a personal capacity. Their input does not necessarily reflect the opinions of the organisations that they are employed by and no such validation should be assumed.

Copyright Cloud Arena 2012 www.cloud-arena.com

Software journey to the Cloud

1.0 Starting point

So what's the business case? The standard rules still apply when it comes to the Cloud and the proper justification needs to be sought. Do you have business or organisational buy-in at this stage? You need to fully understand the cost benefit of moving to the Cloud and clearly research the potential costs of such a move. Based on the CATUG's experience, pricing services in the Cloud was not always easy or as expected.

At this starting point, do you know what service you are looking to provide?
- Is it an internal service or an external service?
- Are there legacy constraints or is it a clean slate?
- Will it be a managed service or self-service?
- Are there any integration requirements, e.g. to third party software or services?
- Is it already available and how mission critical is the service?
- What is the level of support requirements, e.g. for bandwidth, spikes and uptime?

- What level of security do you require? It would be the group's recommendation to involve a security specialist at the start of your project as well as at the end for verification.

2.0 Technology

So you've got support and you now need to select the right technology, so there are a number of considerations at this point. Do you go with an open source technology such as PHP, JEE, Ruby or Python, or a closed technology such as Microsoft's .NET? Do you understand the benefits or potential challenges of this decision, such as:
- Do you understand the licensing implications of the technology?
- What community support is available for the technology? Paid support versus free.
- What is the maturity and quality of the technology?
- What is your experience and understanding of using that technology? It needs to be a clear fit now and also in the future. You don't want to cul-de-sac yourself, so be sure! Consider maintenance and future proofing yourself.
- Security concerns: some technologies can be less error prone than others. Known vulnerabilities and misconfigurations need to be considered and understood.
- How well documented is the technology?
- Access to resources: accessibility to the skill base you require for that technology now and in the future is a very important issue.
- Interoperability: enterprise integration with third parties and services.
- What environments and devices do you intend to run your system on?

3.0 Development frameworks

Development frameworks are like the scaffolding for your application. The benefit of using a framework is that you are typically using proven components, which should improve the overall quality of the system, so you're not reinventing the wheel. There are risks with some development frameworks because of the possibility of introducing rogue or malicious code that is perhaps unchecked by the framework or community.
- What is your or your development team's understanding of the framework?
- What is the quality of the implementation of the framework?
- And again, it's critical to have the right skills and experience to leverage the chosen framework.

4.0 Security module & controls

When you are developing, where are the security controls within the application and what do they do?
- Authorisation (privileges to invoke a function)
- Authentication (proving who the user is)
- Input validation (accepting appropriate, non-malicious data)
For more information on security controls check out OWASP's Top Ten.
- What security components does your framework offer or contain? Do they meet your requirements? Are they sufficiently proven and future proofed?
- Can you change or enhance these if required to maintain a level of compliance?
- Do you need to integrate with other services or third parties with different security controls? For example, integrating a Microsoft technology with OpenID, or an enterprise environment connecting to a legacy system or mainframe. How effective are the security controls you are connecting to?

5.0 Platforms

Do you know what types of platforms exist? There are public, private, hybrid and community cloud platforms, and each provides its own type of service. For example, there is a significant difference in the services supplied between Cloud providers, e.g. Amazon versus Google Apps versus Force.com versus Microsoft. So what are the differences between cloud platforms and data centres? Get your own server versus a managed service?
- What are the risks and security issues? It depends on the platform you've selected and the service provided! The key is to understand the security module being provided by the platform and then complement that with your own requirements.
- Do you understand the service level agreements (SLA)? What are the terms of the service? Do you need legal advice to review them?
- How do you deploy to these platforms? Make sure you understand what the process is and how you intend to deploy following best practice. Make sure you document and test! Make sure you restrict and control access!
- Pricing and cost models: based on the group's experience it is critical you understand how your Cloud provider charges for its services. Costs for bandwidth, transactions, storage and content delivery can quickly accumulate if your service doesn't take these into consideration or is not architected for the Cloud.
- Ease of integration with other Cloud services, for example Amazon plugins, IBM integration services, Azure AppFabric and Azure Accelerators.
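Section 4.0 names three controls (authentication, authorisation, input validation) and asks where they sit in the application. The following is an added example, not code from the CATUG document, showing the three controls as explicit, ordered layers in front of one business function, with each decision recorded in an audit trail of the kind section 9.0 asks for; the session store, privilege table, invoice-id format and function names are all constructed for illustration.

```python
# Added example (not from the CATUG document): the three controls section 4.0
# names, authentication (who the user is), authorisation (privilege to invoke a
# function) and input validation (accepting only appropriate data), as explicit
# layers in front of a business function, each decision written to the audit
# trail section 9.0 asks for. Sessions, privileges and inputs are constructed.
import functools
import re

# Constructed sample data: session token -> user, user -> privileges held.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
PRIVILEGES = {"alice": {"invoice:read", "invoice:approve"}, "bob": {"invoice:read"}}
INVOICE_ID = re.compile(r"^INV-\d{6}$")  # allowlist: the only input shape accepted
AUDIT = []  # in-memory audit trail; a real service ships this off the host

class AccessDenied(Exception):
    pass

def audit(user, function, outcome, reason=""):
    """Record who tried what and the outcome. Deliberately NOT logged: the token."""
    AUDIT.append({"user": user, "function": function,
                  "outcome": outcome, "reason": reason})

def secured(privilege, validator):
    """Gate a function behind authentication, then authorisation, then validation."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(token, arg):
            user = SESSIONS.get(token)
            if user is None:                                  # authentication
                audit(None, fn.__name__, "denied", "not authenticated")
                raise AccessDenied("not authenticated")
            if privilege not in PRIVILEGES.get(user, set()):  # authorisation
                audit(user, fn.__name__, "denied", "missing " + privilege)
                raise AccessDenied("not authorised")
            if not validator(arg):                            # input validation
                audit(user, fn.__name__, "rejected", "invalid input")
                raise ValueError("invalid input")
            audit(user, fn.__name__, "allowed")
            return fn(user, arg)
        return wrapper
    return deco

@secured("invoice:approve", lambda s: bool(INVOICE_ID.match(s)))
def approve_invoice(user, invoice_id):
    return invoice_id + " approved by " + user

def outcome(token, invoice_id):
    """Helper: 'ok:<result>', 'denied' (authn or authz) or 'rejected' (input)."""
    try:
        return "ok:" + approve_invoice(token, invoice_id)
    except AccessDenied:
        return "denied"
    except ValueError:
        return "rejected"
```

The ordering matters: an unauthenticated caller never reaches the privilege check or the validator, and the validator never sees input from a caller who lacks the privilege to invoke the function.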

6.0 Development lifecycle

What are the differences between traditional methods and developing in the Cloud?
- The behaviour of a Cloud application, depending on the Cloud service, could be quite different to a traditional architecture.
- The lifecycle of a Cloud application may be different, as you could run several instances and versions of the same application concurrently. This in turn could impact maintenance, code versioning and management, as well as administration of the system itself.
- Deployment may be different depending on the Cloud service.
- The benefits of spinning up and ramping services: switching it off when you don't need it! Testing potential scenarios before deciding the appropriate path. The speed at which you can deploy environments.

7.0 Data protection, storage and extraction

It is critical you understand jurisdiction requirements and adhere to them.
- How are you going to secure your data in storage, and is data size a potential issue for backup or extraction?
- How are you managing storage and backups? Will you use a different Cloud provider or back up in-house?
- Are there any standards you need to consider in relation to extraction? Closed versus open standards, and code versus data extraction.
- You also need to consider who has access to the system and, more importantly, the data that is held within the system. What levels of access and visibility are appropriate, and what internal governance and policies do you need to have in place to make sure those levels are adhered to?

8.0 Encryption

What is the appropriate level of encryption required for your application?
- What type of data are you encrypting?
- Are there any legal or compliance obligations that you need to adhere to?
- What is the industry standard for the level of encryption required?
- Do you have to encrypt data all the way to the client? Is encryption required in transit and in storage? What levels of encryption do you require?
- Performance of data once encrypted: decrypting data will create an overhead on the performance of the application.
- If you are using encryption, how will you manage your encryption keys?
- Supporting policies and procedures: how are you going to manage and administer the encryption? Again, consider independent third party advice!

9.0 Auditing and logging

You need to ask yourself what you are looking to capture. Do you understand the key system events and steps you need to log? And what are you NOT going to log? Auditing and logging of customers as well as your own employees need to be considered.
- Are there quality or compliance requirements you need to adhere to?
- What alerts do you need or expect?
- How does auditing / logging impact your backups?
- What level of analysis is required from the logs?
- What supporting procedures are required?
- How do you rate or describe a breach? How will you deal with a breach?

10.0 Security review

So what are the benefits of a security review? It's key that you understand the importance of this stage and budget appropriately at the start of your project. A proper security review can ensure the continuity of the service and the privacy of data held within the system. It enhances the quality and compliance of the service if you need to adhere to compliance requirements. Based on the CATUG's experience, third party evidence that you take security seriously means you'll be taken seriously.
- Penetration testing: external and internal testing of your system, seeking application vulnerabilities; authenticated and unauthenticated access testing; network and / or application layer.
- Code review: independent review that code is securely developed and following industry best practice.
- Availability of the code: ensure ongoing maintenance is managed in a secure manner.

11.0 Ongoing security

Good ongoing security is about taking each of the items outlined and making sure you've considered and understood your options. You've adhered to best practice with your approach and implementation, and you understand the risks and are managing them appropriately. You have a proactive approach to security and continuously review and monitor. You have independently verified that what you've set out to achieve has actually been achieved.

Hopefully this discussion document has provided some helpful tips and considerations with your move to building your software in the Cloud. You're more than welcome to join CATUG and share your experiences.

Key contributors to this document

- Trevor Dagg: Chairman of CATUG & Managing Director, Talentevo
- Eoin Keary: OWASP Global Vice Chair / Director of BCC Risk Advisory
- Mike O'Brien: Founder & CEO at Eastpoint Enterprise Information Solutions Ltd
- Terry Jack: Tech Project Manager at Citi
- Michael Bradford: Lecturer, NCI School of Computing
- Derek Hardiman: Chief Technology Officer at Abbey Capital
- Dave Feenan: Business Development Manager, Swiss Post Solutions Ireland
- Richie Bowden: Chief Operations Officer, Cloud Consulting Ltd
- Freddie Graham: Senior Account Manager at Commidea Ltd
- Vikas Sahni: Independent consultant
- Chad Gilmore: Managing Director, iplanit
- Joe Haugh: Managing Director of ProductFul.com

And other members of the CATUG Group. You can view their profiles and also join our LinkedIn group at: http://www.linkedin.com/groups?gid=3913283&trk=myg_ugrp_ovr