Agenda
What is cloud?
Cloud based services
The good, bad and ugly
Anatomy of a cloud
Guidelines for you
What is Cloud Computing?
Compute as a utility: the third major era of computing
Cloud enabled by: Moore's Law, hyperconnectivity, SOA, provider scale
Key characteristics: elastic and on-demand, multi-tenancy, metered service
Cloud Computing: the landscape
NIST definition, plus extended concepts: Security as a Service, Storage as a Service, Unified Comms as a Service
What's up in the clouds?
SaaS (Software as a Service): Xero, SalesForce.com, WorkflowMax
PaaS (Platform as a Service): Azure, MobileMe, Google Apps (Mail/Docs)
IaaS (Infrastructure as a Service): Amazon EC2, Rackspace, Fronde, OneNet
Andy Prow - Cloud Services and Security Summit - 23/24 May 2011
Security as a Service
Web filtering, social network security, virus control, antivirus, Web policy and management, DLP
Anti-spam and anti-virus services, including its SecureTide Spam and Virus Protection, Archiving and Compliance, and CipherPost Email Encryption
Security as a Service
Acquisition of Purewire, a SaaS-based secure Web gateway provider
MailMarshal SMTP 6.7 protects against both malware and blended threat attacks
The Finjan acquisition: real-time content inspection and code analysis technology, along with malware detection
Security as a Service
Cloud-based e-mail, e-mail archiving and e-mail continuity services
Website security
Single sign-on service that "exponentially improves customers' security posture by eliminating passwords for virtually every major SaaS application"
Security as a Service
SaaS security risk and compliance management company: vulnerability management, policy compliance, PCI compliance and Web application scanning
Cloud based application penetration testing: consultant quality with on demand experience
Other Cloud Services
400 CPU cluster, 135m in 20 mins, WPA and Zip files
http://www.wpacracker.com
Who is using the cloud? Examples of major cloud adopters:
NZ Post: Google Apps hosted by Fronde NZ
Microsoft: uses Azure services
Intergen: they have a cloud Exchange box
Viber: uses Amazon cloud servers
eBay: first Azure platform customer
NASA: major Azure platform user
Xero: Rackspace
Other Cloud Users
14 May 2011, forhacsec.com: Amazon cloud used to mount Sony PSN attack
"The hackers who breached the security of Sony's PlayStation network and gained access to sensitive data for 77 million subscribers used Amazon's web services cloud to launch the attack, Bloomberg News reported."
http://www.forhacsec.com/2011/05/14/amazon-cloud-used-to-mount-sony-psn-attack-what-a-surprise/
Anatomy of a cloud based solution
Enterprise Architecture Model: Top Level Logical View (diagram; components as labelled)
Collaboration Platform; Partner Portal; Customer Portal; Partner B2B GW <<Consumer GW>>; Customer B2B GW <<Consumer GW>>; Service Provider's Portal
Common Data Model; Common Framework; Service Management; Orchestration; Service Fulfillment System; SEP Core Logic; Service Delivery Platform; Ticketing System; Order Management System; SEP Orchestration; SEP Data Services; Tool Interface Layer; Product Management; Tester's Workbench
Partner and Customer Management Platform; Billing and Payment Platform; Service Execution Platform; iviz; Crypto Service; I & AM; Data Warehouse; Reporting; Living Data Repository; Analytics; Business Intelligence; Security; Enterprise Service Bus; OA & M; Collaboration Platform; Supplier Gateway
Tools: Verimo, NetSparker, AppScan, Nessus, NTO
How it Works (diagram; components as labelled)
Service Provider's Portal; Service Provider's Service Portal; Provider's Other Supporting Portal Platform; Service Delivery Platform; Service Execution Platform; Tester's Workbench; Partner Portal
iviz Scanner; 3rd Party Tools; BI + Analytics + Reporting Platform; Task Mgmt; Tools Interface; Automated Workflow; Knowledge Management; Queue Mgmt; SEP Interface; Visual Tool; BI & Report Interface
Cloud: the good, the bad and the ugly!
The Good: benefits
You don't have to manage the infrastructure
Economies of scale and skills
Patching
Monitoring
Instant scaling
Failover, HA and DR
Better cost management/forecasting
Cloud Security Advantages
Dedicated security team
Greater investment in security infrastructure
Fault tolerance and reliability
Greater resiliency
Simplification of compliance analysis
Low-cost disaster recovery/storage solutions
On-demand security controls
The Bad: issues and risks
Someone else has the keys
Reliant on their backup
Reliant on their patching
Reliant on their monitoring
Access to backups
Ownership of data
Accessing backups
Intellectual property rights
Uptime and scheduled outages
Main concerns of cloud computing customers
Questionnaire in 2009 in Europe by ENISA (the EU's Network and Information Security Agency)
Chart: main concerns in approaching the cloud, each rated Not Important / Medium Importance / Very Important / Showstopper (scale 0% to 100%)
Concerns surveyed: Confidentiality of corporate data; Privacy; Integrity of services and/or data; Availability of services and/or data; Lack of liability of providers in case of security incidents; Loss of control of services and/or data; Intra-cloud (vendor lock-in) migration; Inconsistency between transnational laws and regulations; Unclear scheme in the pay-per-use approach; Uncontrolled variable cost; Cost and difficulty of migration to the cloud (legacy software); Repudiation
Security is the Major Issue
Security Challenges
Trusting the vendor's security model
Customer inability to respond to audit findings
Possibility of massive outages
Proprietary implementations can't be examined
Loss of physical control
Data ownership issues
Multi-tenancy
Attraction to hackers (high value target)
The Ugly
21 April 2011, PCMag: Amazon Cloud Outage Takes Down Reddit, Quora, More
"While many North American consumers slept through a large part of the outage, which started early on Thursday, Web users on other continents experienced the downtime during peak business hours"
http://www.pcmag.com/article2/0,2817,2383910,00.asp
The Ugly
15 September 2010, CNN: Google Engineer Fired for Violating Internal Privacy Policies
"Google has acknowledged that it fired an employee in July for allegedly accessing user accounts without authorization. David Barksdale, a Site Reliability Engineer, allegedly accessed Gmail and Google Voice accounts. Google is 'significantly increasing' log auditing to make sure privacy policies are being followed. Law enforcement authorities were not contacted about the incidents because one of the families has asked to remain anonymous. Barksdale is not the first Google engineer who was fired for privacy policy violations."
http://www.cnn.com/2010/tech/web/09/15/google.privacy.firing/index.html
How to choose a cloud provider?
Checklist for Provider
Are they compliant with any standards?
Where are they physically located?
Do they have to inform you of data relocation?
Do they have back-end admin access?
What's their HR and staff management policy?
Can you review their policies?
What's their authentication mechanism? SSO? 2FA?
Checklist for Provider
When was their last security audit? Can you see confirmation?
When was their last pen-test? Can you perform one of your own?
Do they have ongoing monitoring in place? SIEM, vulnerability scanning, hosted malware detection
Road Ahead
Cloud computing is an evolution and here to stay
Use a phased approach for moving to the cloud
Rethink your risk assessment process
Most important words: terms of service, location, provider
Virtualisation and cloud services: security risks but also security enablers
Thank You