Cloud: Should I Stay or Should I Go? Marcelo Martins exploitedbunker.com

Agenda §  Advantages of the Cloud §  What could go wrong? §  Balancing Benefits and Risk §  Business Risk §  Information Classification §  Legal §  Geographic Location §  IT Operations §  Interoperability §  Continuity §  Conclusion §  References

§  Freedom to innovate §  Cloud-based solutions enable business areas to innovate §  Cost reduction §  Does not require Capex §  Opex as needed §  No unused resources §  Ramp-up speed §  It takes only a few days to have a number of servers set up §  All done over the Internet §  Administrative tasks performed by the provider §  Provider manages physical environment, handles the supply chain and delivers virtual machines or web services Advantages of the Cloud

§  Loss of control §  A complex supply chain of providers and interconnected solutions, security incident management, flow of information §  New threats §  Shared environment §  Perimeterless security §  Third-party management §  Incompatibilities and service level issues §  Is the provider trustworthy? §  Is there a lock-in risk? §  Does the provider comply with the same business or legal requirements? Is there enough transparency? What could go wrong?

Balancing Benefits and Risks Freedom to innovate Cost reduction Implementation speed Ease of management Third-party management New threats Legal and fiscal issues Physical location Compliance and audit Benefits Risks

Balancing Benefits and Risks •  Multi-tenancy •  Provider supplies app SaaS •  Provider supplies app / own app •  Interface with internal systems PaaS •  Basic Infrastructure •  Fully isolated IaaS Any number of combinations More control

§  The business may be impacted §  If confidentiality is violated §  If the information is unavailable or inaccessible when needed §  In case of unauthorized changes §  There may be also legal and fiscal issues §  Laws to avoid the information from being physically copied to another country §  Laws that establish that the information may be accessed by third parties on that country §  Laws that specify how information should be kept and for how long Business Risk

§  Has your information already gone through an information classification process? §  Information sensitivity is one of the most important factors to help decide if a business process fits in the cloud §  Do you know the inputs and outputs of your business processes? §  Business processes must be mapped out before information classification §  It is necessary to know the flow of information inside and outside the enterprise to understand its security requirements Information Classification

§  Are there any legal restrictions against moving the business processes or information to the cloud? §  Legal restrictions may enforce that the information must physically reside in the country §  Does the contract or agreement contain clauses regarding availability, protection and recovery of the information? §  Does the provider allow tenants to specify to which of their geographic locations the data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)? Legal

§  Geographic restrictions §  The provider should not process or store information in countries restricted by the Enterprise §  The provider should ensure that data does not migrate beyond a defined geographical residency §  Third parties §  Outsourced providers should be selected and monitored in compliance with laws in the country where the data originates §  Flow of information §  The provider should allow tenants to define acceptable geographical locations for data routing Geographic Location

§  User Management §  In a perimeterless world like the cloud, Identity and Access Management (IAM) is a priority §  Creation, removal and access grating processes should run in compliance with internal policies §  The provider must keep track of all users, including their own §  Provider Compliance §  The providers must be assessed regarding their capacity to comply with the needs of your Information Security IT Operations

§  Connectivity to the Enterprise §  Internal resources may have to be accessed from the outside §  Data Retrieval §  The provider should use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability §  Customer data should be available upon request in an industry-standard format Interoperability

§  Framework §  Business continuity plans should address priorities for testing, maintenance, and information security requirements §  Testing §  Business continuity and security incident response plans should be subject to testing at planned intervals or upon significant organizational or environmental changes §  Impact Analysis §  The analysis of any disruption to the organization must include §  Identify critical products and services §  Identify all dependencies, including processes, applications, business partners, and third party service providers §  Understand threats to critical products and services Continuity

Conclusion Start small •  Migrate only low risk business processes and servers (information) Collect evidence •  Evaluate SLA and compliance level •  Evaluate transparency level •  Are you better off in the cloud? Build trust •  Only then you should think about migrating medium/ high risk business processes •  Critical processes may have to be kept close to the heart

References §  Security Assessment §  Cloud Security Alliance §  CAIQ: Consensus Assessments Initiative Questionnaire ¨  “…launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.” §  NIST §  Special Publication 800-144 ¨  Guidelines on Security and Privacy in Public Cloud Computing §  Special Publication 800-146 ¨  Cloud Computing Synopsis and Recommendations §  The icons? §  You can find them at http://www.flaticon.com/packs/cloud-computing-2