Cloud Computing. Benefits and Risks. Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT bill.wells@transamerica.com


Title slide. Presented 10/3/2012.

Let's make sure we're all talking about the same thing. WHAT IS CLOUD COMPUTING?

Legacy definition (diagram): hosting. Internet hosting, hosted apps, hosted storage.

Today's definition (diagram): virtual servers, app servers, DB servers, web hosting, web services.

Private cloud, public cloud and hybrid cloud (three diagrams): the same stack of virtual servers, app servers, DB servers, web hosting and web services, deployed under each model.

Textbook Definitions (à la Wikipedia)

Public cloud. Public cloud applications, storage, and other resources are made available to the general public by a service provider. These services are free or offered on a pay-per-use model. Generally, public cloud service providers like Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access only via Internet (direct connectivity is not offered). [28]

Community cloud. Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost savings potential of cloud computing are realized. [4]

Hybrid cloud. Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. [4] By utilizing "hybrid cloud" architecture, companies and individuals are able to obtain degrees of fault tolerance combined with locally immediate usability without dependency on Internet connectivity. Hybrid cloud architecture requires both on-premises resources and off-site (remote) server-based cloud infrastructure. Hybrid clouds lack the flexibility, security and certainty of in-house applications. [51] Hybrid cloud provides the flexibility of in-house applications with the fault tolerance and scalability of cloud-based services.

Private cloud. Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally. [4] Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and it will require the organization to reevaluate decisions about existing resources. When it is done right, it can have a positive impact on a business, but every one of the steps in the project raises security issues that must be addressed in order to avoid serious vulnerabilities. [52] They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, [53] essentially "[lacking] the economic model that makes cloud computing such an intriguing concept". [54][55]

Cha-ching! Show me the money! BENEFITS OF CLOUD COMPUTING

Benefits: reduced cost
  Lower cap-ex
  Less hardware
  Less headcount
  Less operational overhead
Benefits: scalability
  More computing resources
  Faster implementation cycles
  Pay as you grow

Benefits: flexibility
  Ability to use services previously too costly
  Ability to set up and tear down as needed
  Use in-house or external providers
Benefits: greater mobility
  Data and apps available anywhere the users are
  Administrative functions available anywhere the admins are
  Typically a higher degree of mobile technology

Benefits: skilled practitioners
  Microsoft, Google, Amazon, IBM, Yahoo!
  Free up internal resources
  Increased innovation
  Increased workload bandwidth

Benefits: quality of service
  24/7 support
  Rapid response to emergencies
  Skilled IT staff always on hand
Benefits: resiliency and redundancy
  Backup and recovery services
  Hot failover
  Fault tolerance

Business loves the cloud. What's not to love?
  Reduced operational costs and lower capital spending
  Capability to repurpose skilled staff from business support to business innovation and growth
  Ability to use a pay-as-you-grow model for IT spend
  Greater agility to rapidly adjust to changing market conditions
  Expanded access to business systems and data for employees and business partners
  Enhanced business resiliency in the face of natural and man-made disasters

Wait a minute, did you say it could put us out of business?! RISKS

Risk areas
  Compliance
  Provider resiliency
  Vulnerability management
  Cloud management
  VM environment operations
  Encryption management
  Identity management

Compliance risks
  SOX, HIPAA, PCI, the Basel Accords and others require demonstrated compliance
  Do not assume the provider is required to comply, or will be liable if it does not
  Read the provider's privacy and security policies
  The customer remains the sole owner of responsibility for compliance
  Encryption is not necessarily on by default for data at rest or data in flight; verify rather than assume
  Understand the provider's position on its own third-party relationships (subcontractors, sub-processors)

Provider resiliency risks: the provider's position in the market
  Major player or small operation?
  Is cloud the core business, or one item on the menu?
  Subject to acquisition or liquidation?
  Financial statements
  Media buzz
Provider resiliency risks: service level monitoring
  Is a service level agreement in place?
  How are service levels monitored?

Provider resiliency risks: backup and recoverability
  Included in the contract?
  Tape restore or hot site?
  Maximum allowable downtime: Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  Are BC/DR plans up to date?
Provider resiliency risks: logging and monitoring capability in co-located facilities shared with other providers' customers
  Are audit log files available upon request?
  Are they provided in a usable electronic format?

Vulnerability management risks
  Unauthorized access to the management interface
    Shared interface, multiple admins
    Management interface is typically web-based, so it is subject to common web application attacks
  Internet protocol vulnerabilities
    Well-known ports and protocols
    Well-known technologies (e.g., web-based)
  Vulnerability scanning of the provider's infrastructure is often prohibited by contract, so you may not be able to verify exposure yourself

Cloud management risks
  Metering and billing evasion
    Manipulation of billing data
    Billing evasion
  Security metrics not adapted to cloud
    Standardized cloud-specific metrics do not exist
    Difficult to assess, audit and determine accountability

VM environment operational risks: customer technical staff
  Inadequate skills to manage specifications
  Inadequate skills to assess and identify risks
VM environment operational risks: virtualized networks have insufficient controls
  IP-based zoning is typically not available
  VMs share hardware
  VMs are typically built from a template; an attacker may be able to analyze it, or may simply rent the same service and study the same image

VM environment operational risks: VM replication
  May lead to data leakage via cloning
  Keys may be inadvertently cloned along with the image
VM environment operational risks: data recovery vulnerability
  Resources are subject to reassignment
  The next user of reassigned storage might be able to retrieve the prior user's data

Encryption management risks: cryptographic vulnerability
  Weak random number generation (insufficient entropy, so "unique" numbers are not unique)
Encryption management risks: poor key management
  Many keys are typically required
  Lack of fixed hardware infrastructure may limit key management methods, such as a hardware security module (HSM)
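The two preceding slides (cloned keys via VM replication, and weak random number generation) are really one failure mode: a clone inherits every byte of the image it came from, including whatever entropy pool or PRNG state the guest had accumulated, so two clones booted from the same snapshot derive the same "random" keys. The following is an added example, not part of the talk and not any provider's code; it simulates the snapshot with a deep copy of a Python PRNG (random.Random is deliberately non-cryptographic here, to make the shared state visible) and shows that reseeding from the OS entropy source on first boot is what makes the clones diverge. The VmImage class, the seed value and derive_key are hypothetical.

```python
"""Cloned-image key reuse: identical PRNG state gives identical keys.

Added illustration. The 'VM' is a plain object whose PRNG state is captured
in a golden image; cloning is copy.deepcopy. Nothing here talks to a real
hypervisor or cloud API.
"""
import copy
import hashlib
import os
import random


class VmImage:
    """Stand-in for a guest whose user-space PRNG state lives in the image."""

    def __init__(self, seed: int) -> None:
        # A template image is typically seeded once, at build time.
        # random.Random is NOT a CSPRNG; it is used only so the shared
        # state is easy to observe.
        self.prng = random.Random(seed)

    def snapshot(self) -> "VmImage":
        # Cloning copies the whole guest, PRNG state included.
        return copy.deepcopy(self)

    def derive_key(self, nbytes: int = 32) -> bytes:
        # Toy key generation from the in-guest PRNG. Real keys must come
        # from the OS CSPRNG (os.urandom / secrets), never from a PRNG
        # whose state can be baked into an image.
        raw = self.prng.getrandbits(256).to_bytes(32, "big")
        return hashlib.sha256(raw).digest()[:nbytes]

    def reseed_from_os(self) -> None:
        # First-boot fix: throw away inherited state and reseed from the
        # OS entropy source so each clone goes its own way.
        self.prng = random.Random(int.from_bytes(os.urandom(32), "big"))


def keys_after_clone(reseed: bool) -> tuple[bytes, bytes]:
    """Build a golden image, clone it twice, optionally reseed each clone on
    first boot, and return the key each clone generates."""
    golden = VmImage(seed=0xC10D)  # constructed template seed
    clone_a, clone_b = golden.snapshot(), golden.snapshot()
    if reseed:
        clone_a.reseed_from_os()
        clone_b.reseed_from_os()
    return clone_a.derive_key(), clone_b.derive_key()


if __name__ == "__main__":
    a, b = keys_after_clone(reseed=False)
    print("cloned, no reseed -> keys identical:", a == b)       # True
    a, b = keys_after_clone(reseed=True)
    print("reseeded on first boot -> keys identical:", a == b)  # False
```

The same reasoning applies to anything else the image carries: SSH host keys, TLS private keys, API tokens and the kernel's entropy pool at snapshot time. Generate them on first boot of each instance, not in the template, and check that the provider's image-build pipeline does the same for its base images.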

Identity management risks: insecure user behavior
  Weak passwords
  Indiscriminate data sharing
Identity management risks: one-factor authentication
  Typical cloud offerings are limited to username and password
  Account lockout can be turned into a denial of service against the lockout feature itself (anyone who knows a username can lock it)
Identity management risks: weak credential-reset mechanism
  The reset method needs to be understood before you rely on it
  Password recovery, reuse and reset
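The "DOS against that feature" point deserves a concrete look, because a naive lockout policy hands an attacker a button that locks any named user out. Below is an added example, not from the talk and not any provider's code: a hard per-account lockout beside a per-(source, account) throttle with exponential backoff, run through the same constructed scenario (an attacker hammering alice's account from one address, then alice logging in correctly from another). The AuthStore, policies, FakeClock, usernames, password and IP addresses are all hypothetical.

```python
"""Account lockout as a DoS vector, beside a throttling policy.

Added illustration. Two login policies over the same credential store:
HardLockout locks the account after N failures regardless of where they
came from; SourceThrottle slows down only the (source, account) pair that
is failing. A fake clock keeps the run deterministic.
"""
import hashlib
import hmac
import os

VICTIM_PW = "correct horse battery staple"  # constructed


class AuthStore:
    """Salted PBKDF2 credential store (minimal, for the demo)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def add(self, user: str, pw: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(pw, salt))

    def check(self, user: str, pw: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._hash(pw, salt), digest)


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class HardLockout:
    """Naive policy: N failures lock the account for everyone, owner included."""

    def __init__(self, store: AuthStore, clock: FakeClock, max_failures: int = 5) -> None:
        self.store, self.max_failures = store, max_failures
        self.failures: dict[str, int] = {}

    def login(self, user: str, pw: str, source_ip: str) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if self.store.check(user, pw):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


class SourceThrottle:
    """Exponential backoff keyed on (source, account): the attacker's own
    source gets slower and slower; the owner from another source is untouched."""

    def __init__(self, store: AuthStore, clock: FakeClock,
                 base_delay: float = 1.0, cap: float = 300.0) -> None:
        self.store, self.clock = store, clock
        self.base_delay, self.cap = base_delay, cap
        self.state: dict[tuple[str, str], tuple[int, float]] = {}

    def login(self, user: str, pw: str, source_ip: str) -> str:
        now = self.clock()
        failures, blocked_until = self.state.get((source_ip, user), (0, 0.0))
        if now < blocked_until:
            return "throttled"  # no credential check, no new failure counted
        if self.store.check(user, pw):
            self.state.pop((source_ip, user), None)
            return "ok"
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.cap)
        self.state[(source_ip, user)] = (failures, now + delay)
        return "denied"


def build(policy_cls):
    store = AuthStore()
    store.add("alice", VICTIM_PW)
    clock = FakeClock()
    return policy_cls(store, clock), clock


def run_scenario(policy, clock: FakeClock) -> dict:
    """Attacker at 203.0.113.9 makes 20 bad guesses 0.1 s apart against alice;
    then alice logs in correctly from 198.51.100.7."""
    attacker = []
    for _ in range(20):
        attacker.append(policy.login("alice", "wrong-guess", "203.0.113.9"))
        clock.advance(0.1)
    victim = policy.login("alice", VICTIM_PW, "198.51.100.7")
    return {"attacker_last": attacker[-1],
            "attacker_blocked": sum(r in ("locked", "throttled") for r in attacker),
            "victim": victim}


if __name__ == "__main__":
    for cls in (HardLockout, SourceThrottle):
        print(cls.__name__, run_scenario(*build(cls)))
```

With HardLockout the owner's correct login comes back "locked"; with SourceThrottle it comes back "ok" while the attacker spends most attempts "throttled". Two caveats a practitioner should keep in mind: an attacker with many source addresses (or sharing a NAT with the victim) blunts a per-source throttle, and none of this substitutes for the second factor the slide notes is usually missing.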

Identity management risks: insufficient or faulty authorization checks
  HTTP is stateless, so every request has to re-establish who the caller is and what they may touch
  Transaction integrity and security may be weak
  URL obfuscation may not be used (and obfuscation is not authorization)
Identity management risks: coarse authorization control
  Separation of duties may not be possible
  May not be able to honor "business need to know"
Identity management risks: insufficient logging and monitoring
  Shared audit log files
  May not be able to filter or prune sufficiently
  May lead to an inability to monitor system activity
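The "insufficient or faulty authorization checks" bullet is the most common application-level bug in hosted services: the handler authenticates the session but never checks that the caller owns the object named in the URL (an insecure direct object reference). Here is an added example, not from the talk and not any provider's code, with the vulnerable handler beside a hardened one that re-derives the caller from the session token on every request, checks ownership, returns the same response for missing and foreign objects, and writes a tenant-tagged audit record so a shared log can still be filtered per customer. The DOCS, SESSIONS and AUDIT tables, the tokens, document ids and helper names are all constructed for the demo.

```python
"""Object-level authorization: vulnerable handler vs. hardened handler.

Added illustration. A tiny GET /docs/<id> handler over in-memory tables;
no web framework, so it runs offline.
"""
from urllib.parse import urlparse

# Constructed fixtures: doc_id -> (owner, tenant, body); session token -> user.
DOCS = {
    "1001": ("alice", "acme", "Q3 forecast"),
    "1002": ("bob", "globex", "payroll export"),
}
SESSIONS = {"tok-alice": ("alice", "acme"), "tok-bob": ("bob", "globex")}
AUDIT: list[dict] = []  # stands in for a shared, multi-tenant audit log


def _doc_id_from(path: str) -> str:
    return urlparse(path).path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_get(path: str, cookie_token: str) -> tuple[int, str]:
    """Authenticates the session, then trusts the id in the URL. Any logged-in
    user can read any document by guessing or enumerating ids."""
    session = SESSIONS.get(cookie_token)
    if session is None:
        return 401, ""
    rec = DOCS.get(_doc_id_from(path))
    if rec is None:
        return 404, ""
    _owner, _tenant, body = rec  # owner is never compared to the caller
    return 200, body


def hardened_get(path: str, cookie_token: str) -> tuple[int, str]:
    """Re-derives the caller from the token on every request (HTTP is
    stateless), checks ownership, and logs the decision with the tenant."""
    session = SESSIONS.get(cookie_token)
    if session is None:
        return 401, ""
    user, tenant = session
    doc_id = _doc_id_from(path)
    rec = DOCS.get(doc_id)
    allowed = rec is not None and rec[0] == user
    AUDIT.append({"tenant": tenant, "user": user, "doc": doc_id,
                  "outcome": "allow" if allowed else "deny"})
    if not allowed:
        # Same answer for "does not exist" and "not yours": no oracle for
        # enumerating other tenants' ids. Random ids would make guessing
        # harder, but this check is what actually enforces need-to-know.
        return 404, ""
    return 200, rec[2]


def denied_for_tenant(tenant: str) -> list[dict]:
    """What a customer can pull from a shared log once entries carry a tenant tag."""
    return [e for e in AUDIT if e["tenant"] == tenant and e["outcome"] == "deny"]


if __name__ == "__main__":
    print(vulnerable_get("/docs/1002", "tok-alice"))  # (200, 'payroll export')
    print(hardened_get("/docs/1002", "tok-alice"))    # (404, '')
    print(hardened_get("/docs/1001", "tok-alice"))    # (200, 'Q3 forecast')
    print(denied_for_tenant("acme"))
```

When reviewing a provider's or your own application, the question to ask for every object-returning endpoint is the one hardened_get answers: where is the line that compares the authenticated principal to the object's owner or tenant? If the answer is "the id is unguessable", that is the URL obfuscation the slide warns is no substitute.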

Assessing the risks: who should review what
  Compliance: Legal, Compliance and Security should jointly review contracts with the business owner
  Provider resiliency: BCP/DR staff should review the provider's ability to recover
  Vulnerability management: network and application staff should review the vulnerability management processes
  Cloud management: IT cost management and information security staff should review the means of tracking value and monitoring security

Assessing the risks (continued)
  VM environment operations: infrastructure architects, engineering and support staff should review the architecture and integration design
  Encryption management: information security staff should review for appropriateness
  Identity management: identity management, entitlement review, segregation of duties and information security teams should review

Put down the fire hose. WRAP UP & QUESTIONS

Risks: maybe next time you'll do the risk assessment BEFORE you start using it.

Questions