Information Security: Cloud Computing



Similar documents
Cloud Computing Overview & Security Issues

Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham

Assessing the Security Risks of Cloud Computing

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5

GETTING YOUR HEAD IN THE CLOUD A PRIMER TO THE TYPES OF CLOUD COMPUTING SOLUTIONS

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security and Managing Use Risks

Cloud Computing and Records Management

Risks of Hosting Practice Data on the Cloud Vs. Locally

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

The Data Melting Pot Computing in the Cloud. Becky Pinkard Manager, Security Operations Centres Research In Motion

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Customer Security Issues in Cloud Computing

Cloud Security Who do you trust?

Orchestrating the New Paradigm Cloud Assurance

Embrace the G-Cloud. Ultra Secure Colocation Services for the Public Sector. thebunker.net Phone: Fax:

Information Security Policies. Version 6.1

CLOUD COMPUTING SECURITY ISSUES

Data Protection Act Guidance on the use of cloud computing

John Essner, CISO Office of Information Technology State of New Jersey

IT Audit in the Cloud

Security & Trust in the Cloud

Managing Cloud Computing Risk

Cloud Services Overview

Services Providers. Ivan Soto

Cloud Computing in a Regulated Environment

Cloud Security Who do you trust?

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

White paper. How cloud computing can transform the fortunes of small and mid-sized businesses

How to ensure control and security when moving to SaaS/cloud applications

Governance and Control in the Cloud. Infrastructure as a Service

Service Definition Document

Cloud Computing. Benefits and Risks. Bill Wells, CISSP, CISM, CISA, CRISC, CIPP/IT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud computing: benefits, risks and recommendations for information security

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Auditing Cloud Computing and Outsourced Operations

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

On-boarding the Cloud in Your Workforce

The Keys to the Cloud: The Essentials of Cloud Contracting

Cloud s Illusions: Jericho Forum future direction

Cloud Computing An Auditor s Perspective

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

AskAvanade: Answering the Burning Questions around Cloud Computing

The HIPAA Security Rule: Cloudy Skies Ahead?

The Magazine for IT Security. May issue 3. sör alex / photocase.com

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

How To Protect Your Cloud Computing Resources From Attack

Cloud Computing: Compliance and Client Expectations

Cloud Courses Description

Understanding Financial Cloud Services

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

INFORMATION TECHNOLOGY SECURITY STANDARDS

Information Technology: This Year s Hot Issue - Cloud Computing

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

Cloud Computing. What is Cloud Computing?

Top 10 Cloud Risks That Will Keep You Awake at Night

20 th Year of Publication. A monthly publication from South Indian Bank.

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Office of the Government Chief Information Officer The Government of the Hong Kong Special Administrative Region

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Validating Enterprise Systems: A Practical Guide

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014

Clinical Trials in the Cloud: A New Paradigm?

LEGAL ISSUES IN CLOUD COMPUTING

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Computing; What is it, How long has it been here, and Where is it going?

security in the cloud White Paper Series

Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen

Cloud Computing and Data Protection Compliance - Experiences from Norway

Electronic Records Storage Options and Overview

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Seven Key Issues to Consider Before Selecting a Cloud Hosting Provider

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Compliance and the Cloud: What You Can and What You Can t Outsource

Buyer s Guide. Buyer s Guide to Secure Cloud. thebunker.net Phone: Fax: info@thebunker.net

Assessing Risks in the Cloud

Cloud Infrastructure Security

Choosing a Cloud Hosting Provider with Confidence

Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015


ISO Controls and Objectives

Technology & Business Overview of Cloud Computing

Cloud Computing for SCADA

While cloud computing may have many benefits, it comes with a financial and a business cost in terms of:

Transcription:

Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration No. 07272922 Registered Office Southgate House 88 Town Square Basildon SS14 1BN.

Cloud Computing 2 Cloud computing is relatively new as a business concept but already organisations are converting to cloud computing architecture. As with any new concept, business or technological risks arise that must be considered. So what is cloud computing? Client-server model using web browser protocols The Cloud provides server-based applications The cloud provides all data services to the user Output is provided to the user client device via web browser. For example: User wants to create a word-processing document User starts a browser session and logs into the cloud service and selects wordprocessing Cloud service application server starts word-processing session Users machine is only used for input and output via the browser All computations, changes and data storage are done in The Cloud Service provider may pool resources of many computers in the cloud to achieve resource intensive tasks

Cloud Computing Layers 3 There are three layers of cloud computing that are commonly referred to which are: Infrastructure as a Service (IaaS) Delivers computer infrastructure Typically a platform virtualisation environment Organisation purchases a fully outsourced service Platform as a Service (Paas) Typically delivers a platform and solution stack Offers deployment of applications without hardware cost & complexity of management May include application design and implementation Software as a Service (SaaS) Provides on-demand software Application & data hosted centrally Accessed by browser (often on thin-client device)

Cloud Computing Models 4 In addition to layers of cloud computing there are different models: Public Cloud Community Cloud Hybrid Cloud Private Cloud Resources dynamically provided, self-service basis over the internet Delivered from an offsite third party provider Billed on a utilitycomputing basis Established when several organisations have similar computing requirements & seek to share infrastructure May offer better levels of security (C & I) than public cloud (e.g. Google s Gov.Cloud) Use part public and part private clouds Often used for archiving and backup solutions Organisation still ahs to build & manage the private cloud A simple extension of existing client-server architecture managed by a single organisation Typically uses a shared services model (see earlier section)

Cloud Computing Definitions 5 "Cloud Computing" - Internet based computing whereby shared infrastructure, resources, software and information are provided to computers on demand [source: Wikipedia] "Provider" - The organisation(s) providing cloud computing services. "Organisation" - The organisation receiving and utilising cloud computing services from a "provider". "Infrastructure as a Service (IaaS)" - Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer organisation the ability to deploy and run arbitrary software including operating systems and applications. IaaS puts these IT operations into the hands of a third party. [source: ISACA Across Cloud Computing Governance & Risks - May 2010] "Platform as a Service (PaaS)" - Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider. [source: ISACA Across Cloud Computing Governance & Risks - May 2010] "Software as a Service (SaaS)" - Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser (e.g. web-based e-mail). [source: ISACA Across Cloud Computing Governance & Risks - May 2010]

Cloud Computing Security Issues 6 There are a number of issues relating to cloud computing: Privacy - Infrastructure, platform, applications & data controlled and managed by third party service providers who can monitor (lawfully or unlawfully) the communications and data. Compliance In order to comply with legislation & regulation, community or hybrid models may need to be used that are typically more expensive and may offer restricted benefits. US FISMA, HIPAA, SOX EU DPD UK DPA, OSA Global PCI DSS Legal Increase in trademarking of cloud computing terminology, use of proprietary platforms & restrictive business practices (e.g. Google Vs US Dept Interior relating to public sector procurement). Also issues exist around intellectual property rights (IPR) modelling within the cloud. Security Traditional protection mechanisms need to be reconsidered. Unease around letting go of control of security to a third party. These Concerns are delaying its wider adoption as organisations seek to understand all the implications

Cloud Computing Provider Selection 7 In 2008 Gartner identified the following 7 risks organisations should consider when selecting a cloud computing provider: 1. Privileged user access. Outsourced services bypass the "physical, logical and personnel controls" IT departments exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," 2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," Source: Gartner: Seven cloud-computing security risks (July 2008)

Cloud Computing Provider Selection 8 3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted (even which country) In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers. 4. Data segregation Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. Find out what is done to segregate data at rest. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. Source: Gartner: Seven cloud-computing security risks (July 2008)

Cloud Computing Provider Selection 9 5. Recovery. A cloud provider should tell you what will happen to your data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. Ask your provider if it has "the ability to do a complete restoration, and how long it will take." 6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible Source: Gartner: Seven cloud-computing security risks (July 2008)

Cloud Computing Provider Selection 10 7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company but you must be sure your data will remain available even after such an event. Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application. Gartner Says: Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing Demand transparency avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms and about the level of testing that's been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities. Source: Gartner: Seven cloud-computing security risks (July 2008)

Cloud Computing Risk Comparison 5-11 Many of the risks that exist around a classical organisational IT infrastructure and service provision exist in a cloud computing environment They are just out there instead of in here Confidentiality The same issues around confidentiality exist with the added concern as above that there is some degree of loss of control. Data stored and/or processed in the cloud still needs to be classified, segregated and handled according to it protection requirements. Controlling this relies on the security processes of the cloud provider and access to and audit of these processes is vital in maintaining a degree of control and assurance. Confidentiality issues are generally considered the number one concern for organisations when considering using cloud services. Integrity Integrity within the cloud is generally perceived to be on a par, if not better, than most classical organisational architectures. Cloud providers tend to be large, experienced, IT providers with

Cloud Computing Risk Comparison 12 Integrity Integrity within the cloud is generally perceived to be on a par, if not better, than most classical organisational architectures. Cloud providers tend to be large, experienced, IT providers with experience in resilient IT technologies that protect integrity. However, due to the ubiquitous nature of access to the cloud, there is always the potential for attackers, posing as legitimate service users, to try to affect the integrity of your organisation s data. Availability Availability is at the same time one of the strengths and one of the weaknesses of cloud computing. The size and scalability of cloud computing environments reduces risk of availability issues due to capacity management problems The resilient architectures of cloud providers also help to provide assurance around issues such as DDOS attacks and others. However, cloud computing is entirely dependent on the user connection into the cloud if this is compromised then the organisation may be powerless to effect recovery.

Provider / Customer Risk 13 It is important to differentiating between the commercial risk of the provider and the risk to the customer. Whilst the cloud services supplier will naturally want to provide a quality (and hopefully) secure service to your organisation as a customer there are some important considerations to be made: The provider is a business looking to make money They will perceive the risks differently to your organisation and make decisions based on the risks to their organisation as a priority over yours Depending on the size and nature of your organisation, they may prioritise your concerns and issues higher or lower than other customers Realised risks to the cloud provider may only be low impact to them, but it could shut down your organisation completely. Service providers are not usually held up as the main culprit if an incident becomes news: HMRC data loss suspected that discs were lost in transit by a courier company but the headlines were all around the poor security practices of HMRC not the courier company. Remember under DPA, the data controller is ultimately responsible for the security of data, not the data processor

Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration No. 07272922 Registered Office Southgate House 88 Town Square Basildon SS14 1BN.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information