Why Cloud will happen, Why it changes how you need to manage security, and How you can address it

Cloud Security

Duncan Unwin, Business Aspect

ISACA, Brisbane, 16th July 2013

Why Cloud will happen,

Why it changes how you need to manage security, and

How you can address it

Cloud Security

— The overwhelming economics of Cloud: why cloud is here and why you had better get used to it

— Seven reasons why Cloud is a new type of security challenge: why every technique you have used to manage security needs to be reconsidered

— How you can manage cloud security


The overwhelming economics of Cloud

— Supply-Side Saving

— Demand-side aggregation

— Multi-tenancy efficiency

— Telecommunications is becoming cheap

— Cloud is nearly a perfect commodity

Supply-Side Saving

— Cost of electricity

Electricity is 15-20% of TCO for server infrastructure

Power Usage Effectiveness (PUE) is significantly better (i.e. lower) in large DCs

The cost of green electricity will drive Cloud DC location

— Infrastructure labour costs

Large DCs operate at ratios of 1 engineer to 1000s of servers

— Security and reliability compliance

Increasing requirements will make it less affordable to run IT in-house

Market demand and scale favour large players (e.g. AWS is ISO 27001 certified)

— Buying power

Hardware

Software

Demand-side aggregation

— Demand is not stable

Randomness

Time-of-day patterns

Industry-specific patterns

Large clouds aggregate and smooth demand

— Uncertain growth pattern

In-house capacity planning provisions for peak load

Chronic over-provisioning

User demands for performance are increasing

Loads are moving from batch to real-time


Multi-tenancy Economies of Scale

— Fixed costs amortised over 1000s of customers

— Management Costs

— Implementation Costs

Cloud is a near perfect commodity

— True commodities

No qualitative difference in the market

Price set for the market as a whole

Fungible

Traded via commodity markets

— Existing barriers limit the total commoditisation of cloud

Lack of interoperability

Lack of consistency in governance standards

Market immaturity

Cultural

— We predict these will be substantively solved over the next few years, resulting in commodity markets emerging

The overwhelming economics of Cloud

— Supply-side saving: large scale data centres have a lower cost per CPU unit

— Demand-side aggregation: aggregating demand for computing smooths overall variability, allowing server utilisation rates to increase

— Multi-tenancy efficiency: when changing to a multi-tenant application model, increasing the number of tenants (i.e. customers or users) lowers the application management and server cost per tenant

— Telecommunications is becoming cheap: much of the reason for in-house IT was the historically high cost to ship data

— Cloud is nearly a perfect commodity: suppliers will not be able to extract price premiums from the market; they win by scale, not margin
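The smoothing claim in the second point can be made concrete. The following is an added example, not part of the original slides or of Business Aspect's material: it constructs a handful of tenants whose daily load peaks at different hours (the time-of-day and industry patterns the earlier slide mentions; the curves are constructed for illustration, not measured data), then compares the capacity needed when every tenant provisions for its own peak against the capacity a single provider needs when it pools them. The base load, amplitude and number of tenants are assumptions chosen for the example.

```python
"""Added example (not from the slides): pooling tenants' demand raises
utilisation because their peaks do not coincide.

In-house, each tenant provisions for its own peak. A provider only has
to provision for the peak of the pooled demand. The demand curves are
constructed for illustration, not measured data.
"""
from __future__ import annotations

import math

HOURS = 24


def tenant_demand(peak_hour: int, base: float = 10.0, amplitude: float = 40.0) -> list[float]:
    """Constructed hourly load for one tenant: a daily cycle with a single
    peak at `peak_hour`, sitting at `base` for the half-day around the trough."""
    return [
        base + amplitude * max(0.0, math.cos(2 * math.pi * (h - peak_hour) / HOURS))
        for h in range(HOURS)
    ]


def peak_to_mean(series: list[float]) -> float:
    """How many times larger the peak is than the average load."""
    return max(series) / (sum(series) / len(series))


def pooled_demand(tenants: list[list[float]]) -> list[float]:
    """Hour-by-hour sum of all tenants' load, as one shared platform sees it."""
    return [sum(t[h] for t in tenants) for h in range(HOURS)]


def compare_provisioning(tenants: list[list[float]]) -> dict[str, float]:
    """Capacity and average utilisation under the two provisioning models."""
    pooled = pooled_demand(tenants)
    total_mean = sum(pooled) / HOURS
    separate_capacity = sum(max(t) for t in tenants)  # everyone builds for own peak
    pooled_capacity = max(pooled)                      # provider builds for joint peak
    return {
        "separate_capacity": separate_capacity,
        "pooled_capacity": pooled_capacity,
        "separate_utilisation": total_mean / separate_capacity,
        "pooled_utilisation": total_mean / pooled_capacity,
    }


def demo_tenants() -> list[list[float]]:
    """Eight constructed tenants (different industries / time zones) whose
    peaks are spread three hours apart around the clock."""
    return [tenant_demand(peak_hour) for peak_hour in range(0, HOURS, 3)]


if __name__ == "__main__":
    result = compare_provisioning(demo_tenants())
    for key, value in result.items():
        print(f"{key:>22}: {value:8.2f}")
```

With the constructed tenants each one runs at roughly 45% utilisation when built for its own peak, while the pooled platform runs above 95% with less than half the total capacity. Real tenants' peaks overlap more than this, so the gain is smaller in practice, but the direction of the effect is what the slide is relying on.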

For now, accept that cloud computing will happen.

7 Reasons why Cloud presents a Security Challenge

1. Loss of network perimeter

— The current model of security is based on an 'egg shell' design

Depends upon bad people being mainly outside the network

Data inside the perimeter

No real idea of where the 'valuables' are kept

— Cloud breaks this

Data is outside the perimeter

Systems are outside the perimeter

— Organisations that have been practising good security, such as maintaining asset inventories and protection-in-depth, are

2. Loss of directive control and audit

— Cloud means that you have limited control over infrastructure

— You can't fix emerging risks by direction

— You have very limited ability to audit (unlike a managed service)

This includes engaging external auditors

Assurance standards are developing but still immature and inflexible

Degree of control over each layer, customer versus provider, by service model:

Layer        SaaS (customer / provider)   PaaS (customer / provider)   IaaS (customer / provider)
Application  L / M                        L / M                        F / N
Middleware   N / F                        L / M                        F / N
Guest OS     N / F                        N / F                        F / N
Hypervisor   N / F                        N / F                        N / F
Storage      N / F                        N / F                        N / F
Hardware     N / F                        N / F                        N / F
Network      N / F                        N / F                        N / F

N = none, L = limited, M = mostly, F = full

3. Risks from the physical location of servers

— Legal risks

Where your data is stored determines the legal jurisdiction and the data protection and privacy laws that apply

Your obligations are not reduced

— Potential for not knowing where your data is

4. Risks from multi-tenancy

— Who are the neighbours?

— Virtualisation security is highly dependent on good administration

— Neighbours pose risks because of malfeasance and negligence

— The driving idea behind 'Community Clouds' – a digital gated

5. Risks from Internet accessibility

— Why is the Internet a threat? Because that is where the bad people are

— Access to user interfaces

Security relies solely on the application layer

Often supporting only single-factor authentication

— Access to APIs

History of poor implementation of security

— Tools to help

Virtual firewalls and VPNs
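Added example, not from the slides or from Business Aspect: a check a customer can run against its own 'virtual firewall' rules to catch the exposure this slide describes, i.e. management or database ports reachable from the whole Internet rather than only over the VPN. The rules are a constructed sample in the shape of the IpPermissions entries returned by AWS describe-security-groups; the group names, the trusted VPN and internal ranges, and the list of sensitive ports are assumptions made for this example. A weak group sits beside a hardened version of the same service so that what the check reports, and what it stays quiet about, is visible.

```python
"""Added example (not from the slides): auditing a cloud 'virtual firewall'
for management and database ports reachable from anywhere on the Internet.

The rules are a constructed sample in the shape of the IpPermissions
entries that AWS `describe-security-groups` returns; the group names,
the trusted VPN/internal ranges and the sensitive-port list are
assumptions made for this example.
"""
from __future__ import annotations

import ipaddress

# Ports that should only be reachable over the VPN or from internal ranges.
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
}

# Assumed trusted sources: the organisation's VPN pool and its internal range.
TRUSTED_SOURCES = ["10.8.0.0/16", "10.0.0.0/16"]


def rule_sources(rule: dict):
    """Yield every source network a rule permits (IPv4 and IPv6)."""
    for r in rule.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def sensitive_ports_in(rule: dict) -> set[int]:
    """Sensitive ports covered by a rule's port range ("-1" means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    return {p for p in SENSITIVE_PORTS if rule["FromPort"] <= p <= rule["ToPort"]}


def is_trusted(src, trusted) -> bool:
    """True when `src` lies entirely inside one of the trusted networks."""
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_group(group: dict, trusted_sources=TRUSTED_SOURCES) -> list[tuple]:
    """Return (group, port, service, source) for each sensitive port that a
    rule exposes to a source outside the trusted ranges. 0.0.0.0/0 and ::/0
    are never inside a trusted range, so world-open rules always appear."""
    trusted = [ipaddress.ip_network(c) for c in trusted_sources]
    findings = []
    for rule in group["IpPermissions"]:
        ports = sensitive_ports_in(rule)
        if not ports:
            continue
        for src in rule_sources(rule):
            if is_trusted(src, trusted):
                continue
            for port in sorted(ports):
                findings.append((group["GroupName"], port, SENSITIVE_PORTS[port], str(src)))
    return findings


# Constructed weak group: HTTPS to the world is expected; SSH to the world and
# MySQL to an arbitrary external /24 are the exposure the slide warns about.
WEAK_GROUP = {
    "GroupName": "app-servers-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

# Same service, hardened: management and database access only via VPN/internal ranges.
HARDENED_GROUP = {
    "GroupName": "app-servers-hardened",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.8.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
}


if __name__ == "__main__":
    for grp in (WEAK_GROUP, HARDENED_GROUP):
        hits = audit_group(grp)
        print(f"{grp['GroupName']}: {len(hits)} finding(s)")
        for name, port, service, src in hits:
            print(f"  {service} ({port}) reachable from {src}")
```

The check deliberately treats "not inside a trusted range" as the condition rather than "equals 0.0.0.0/0", so a rule opened to a partner's or a contractor's public range is reported too; the IPv6 catch-all is handled separately because an IPv4-only allow-list would otherwise let ::/0 through unnoticed.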

6. Difficulty in implementing effective records management protocols

— Cloud providers do not generally offer effective data archiving and records management services; this problem is left to you

— Need to ensure backup and archive regimes meet the organisation's requirements

7. Risks to service availability

— Cloud creates perverse risks of disaster

Wild fires in the USA threaten Australian SaaS services.

Amazon EC2 affected by powerful thunderstorms in Northern Virginia; tools to move processing to another data centre did not function correctly.

2011 Brisbane floods: cloud services enabled email and remote access to remain available, an example of a positive risk of a cloud service.

Reasons why Cloud presents a Security Challenge

1. Loss of the network perimeter

2. Loss of directive control and audit

3. Risks from the physical location of servers

4. Risks from multi-tenancy

5. Risks from Internet accessibility

6. Difficulty in implementing effective records management protocols

7. Risks to service availability

Business Aspect's Lifecycle Approach to Cloud Security

Cloud Service Lifecycle: Requirements -> Procurement -> Implementation -> Operation -> Transition Out

Requirements Phase

Risk assessment: what is the harm if…

the asset became widely public and widely distributed?

a cloud provider employee accessed the asset?

the function was manipulated by an outsider?

the function failed to provide results?

the information/data was unexpectedly changed?

the asset was unavailable for a period of time?

Control requirements

DSD's advice on Cloud controls

Traditional normative control frameworks need to be adapted (e.g. ISM, IS18, ISO/IEC 27002, ISO 17799)

Compliance with…

Legislation

Procurement and Vendor Selection Phase

Vendor selection: capability, contract, fit

The contract is the mechanism of control

The SLA should cover:

• Service Availability and Reliability requirements

• Minimum security levels that may be further defined in separate specifications and / or policies and standards

• Processes for monitoring the performance of the provider, specifically in relation to security and availability

• Business continuity and disaster recovery requirements and arrangements

• Liability and indemnity, including zones of responsibility

• Termination and transition arrangements

• Auditing and reporting requirements

• Event and incident management processes

Implementation and Transition In Phase

Planning and project management

De-risk by piloting and phasing

Formal project methodology (e.g. PRINCE2)

Design key processes with the vendor

Service governance model

Data conversion and assurance

Information management and data custodianship

Meeting recordkeeping requirements

Appointing key roles for information governance

Establishing capacity planning and service monitoring

Setting up support processes

Provisioning of initial services

Operations Phase

You as client may have a limited role

Depending on the type of cloud

Understand the limits of that role; it is essential that you know what it is

Who internally manages the vendor?

Are we clear about the 'governance gap': the difference between what the vendor provides and what our stakeholders expect?

Vendor management is vital

Establish a performance measurement framework and share it with the vendor

Keep touch points fresh

Cease Operation and Transition Out Phase

Assume this will happen

Manage as a project, not BAU

Considerations

Data ownership and retention

Notice and transition arrangements

Lifecycle Approach to Cloud Security – Key Points

Requirements: risk assessment; control frameworks; compliance with legislation and standards

Procurement: vendor selection (capability, contract, fit); contract / SLA; account management

Implementation: project management; design key processes with the vendor

Operation: understand roles and responsibilities; manage the gap

Transition Out: assume it will happen; manage as a project; consider data retention, service transition, notice and contract

References

— Anon. (2012). About FedRAMP. Retrieved 10 July 2013, from http://www.gsa.gov/portal/category/102375

— Anon. (2012). Cloud Computing Strategic Direction Paper: Opportunities and applicability for use by the Australian Government. Retrieved 12 July 2013, from http://agimo.gov.au/files/2012/04/final_cloud_computing_strategy_version_1.pdf

— Anon. (2012). Cloud Security Considerations. Retrieved 14 July 2013, from http://www.dsd.gov.au/infosec/cloudsecurity.htm

— Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., & Brandic, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616. doi:10.1016/j.future.2008.12.001

— Harms, R., & Yamartino, M. (2010). The economics of the cloud. Retrieved 13 June 2013, from http://www.microsoft.com/en-us/news/presskits/cloud/docs/the-economics-of-the-cloud.pdf

— Maxwell, W. (2012). A Global Reality: Governmental Access to Data in the Cloud. Retrieved 13 July 2013, from http://m.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20(18%20July%2012).pdf

— Reed, A., Rezek, C., & Simmonds, P. (2011). Critical Areas of Focus in Cloud Computing. Retrieved 13 July 2013, from https://cloudsecurityalliance.org/research/security-guidance/

About Business Aspect

Business Aspect assists clients with the execution of their business strategy, through either large scale business transformation or through addressing smaller challenges in specific areas of the business. We focus on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure.

We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems.

Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT.

We believe the use of senior consultants for the delivery of our clients' projects is the cornerstone of our success. We also hand pick specialists from our extensive network of associates and industry partners to complement our consulting teams. We guarantee senior people with the

Duncan Unwin

M: 0407 032 755

Brisbane / Sydney / Canberra / Melbourne

www.businessaspect.com.au   T +61 7 3831 7600
