The cloud provides freedom to innovate, cost reduction and ramp-up speed, but it introduces new threats that must be analyzed and balanced in order to make the most of it in a secure manner.
Advantages of the Cloud
§ Freedom to innovate
§ Cost reduction
  § Does not require Capex
  § Opex as needed
  § No unused resources
§ Ramp-up speed
  § It takes only a few days to have a number of servers set up
  § All done over the Internet
§ Administrative tasks performed by the provider
  § The provider manages the physical environment, handles the supply chain and delivers virtual machines or web services
What could go wrong?
§ … providers and interconnected solutions, security incident management, flow of information
§ New threats
  § Shared environment
  § Perimeterless security
  § Third-party management
  § Incompatibilities and service level issues
§ Is the provider trustworthy?
§ Is there a lock-in risk?
§ Does the provider comply with the same business or legal requirements? Is there enough transparency?
SaaS
• Provider supplies the app / own app
• Interface with internal systems
PaaS
• Basic infrastructure
• Fully isolated
IaaS
Any number of combinations
More control
Business Risk
§ If confidentiality is violated
§ If the information is unavailable or inaccessible when needed
§ In case of unauthorized changes
§ There may also be legal and fiscal issues
  § Laws that prevent the information from being physically copied to another country
  § Laws that establish that the information may be accessed by third parties in that country
  § Laws that specify how information should be kept and for how long
Information Classification
§ … process?
§ Information sensitivity is one of the most important factors in deciding whether a business process fits in the cloud
§ Do you know the inputs and outputs of your business processes?
§ Business processes must be mapped out before information classification
§ It is necessary to know the flow of information inside and outside the enterprise to understand its security requirements
Legal
§ … processes or information to the cloud?
§ Legal restrictions may require that the information physically reside in the country
§ Does the contract or agreement contain clauses regarding availability, protection and recovery of the information?
§ Does the provider allow tenants to specify which of its geographic locations the data is allowed to move into or out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Geographic Location
§ … store information in countries restricted by the Enterprise
§ The provider should ensure that data does not migrate beyond a defined geographical residency
§ Third parties
  § Outsourced providers should be selected and monitored in compliance with the laws of the country where the data originates
§ Flow of information
  § The provider should allow tenants to define acceptable geographical locations for data routing
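The residency requirement above is only verifiable if the tenant keeps its own inventory of where each classified data set lives and replicates to. The following Python check is an added example, not part of the original slides: it assumes a constructed inventory (name, classification, primary region, replica regions), a constructed region-to-jurisdiction map, and a policy mapping each classification to the jurisdictions the enterprise allows. It flags every primary or replica location outside the allowed jurisdictions, and also flags stores with no known classification, since unclassified data cannot be assessed at all.

```python
"""Data-residency check over a constructed cloud storage inventory.

Added example, not from the original slides. The region names, the
jurisdiction map and the policy below are all assumptions made for the
example; a real deployment would take them from the provider's published
region list and the enterprise's own classification policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical mapping from provider region names to jurisdictions.
REGION_JURISDICTION: Dict[str, str] = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

# Residency policy: jurisdictions in which each classification may be stored
# or routed. None means unrestricted.
RESIDENCY_POLICY: Dict[str, Optional[Set[str]]] = {
    "public": None,
    "internal": {"EU", "US"},
    "personal-data": {"EU"},
}


@dataclass
class DataStore:
    name: str
    classification: str
    primary_region: str
    replica_regions: List[str] = field(default_factory=list)


def check_residency(
    stores: List[DataStore],
    policy: Dict[str, Optional[Set[str]]] = RESIDENCY_POLICY,
    regions: Dict[str, str] = REGION_JURISDICTION,
) -> List[Tuple[str, Optional[str], str]]:
    """Return (store name, region, reason) for every location that violates
    the residency policy. Replicas count as locations: data routed to a
    replica outside the allowed jurisdictions is as much a violation as the
    primary copy being there."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for store in stores:
        if store.classification not in policy:
            findings.append((store.name, None,
                             f"unknown classification {store.classification!r}"))
            continue
        allowed = policy[store.classification]
        if allowed is None:
            continue  # public data: no residency constraint
        locations = [("primary", store.primary_region)]
        locations += [("replica", r) for r in store.replica_regions]
        for role, region in locations:
            jurisdiction = regions.get(region)
            if jurisdiction is None:
                findings.append((store.name, region, f"{role} in unmapped region"))
            elif jurisdiction not in allowed:
                findings.append((store.name, region,
                                 f"{role} in {jurisdiction}, allowed {sorted(allowed)}"))
    return findings


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = [
    DataStore("hr-records", "personal-data", "eu-west-1", ["us-east-1"]),
    DataStore("marketing-site", "public", "us-east-1", ["ap-southeast-1"]),
    DataStore("build-artifacts", "internal", "eu-central-1", ["us-east-1"]),
    DataStore("analytics-export", "personal-data", "ap-southeast-1"),
    DataStore("legacy-dump", "confidential", "eu-west-1"),
]

if __name__ == "__main__":
    for name, region, reason in check_residency(SAMPLE_INVENTORY):
        print(f"{name}: {region}: {reason}")
```

Run against the sample inventory, the check reports the personal-data replica that was routed to the US, the personal-data export stored in Singapore, and the store whose classification the policy does not know; the public site and the internal artifacts pass.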
IT Operations
§ … cloud, Identity and Access Management (IAM) is a priority
§ Creation, removal and access-granting processes should run in compliance with internal policies
§ The provider must keep track of all users, including its own
§ Provider compliance
  § Providers must be assessed regarding their capacity to comply with the needs of your information security
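The IAM points above (joiner/leaver processes, roles granted in line with policy, and provider-side accounts being tracked) can be checked by reconciling the provider's account export against the enterprise's own roster. The Python below is an added example, not part of the original slides: it assumes two constructed inputs, a list of accounts as a provider's IAM might export them (username, roles, whether the account belongs to the tenant or to provider staff, last login) and the internal roster of people with the roles each is entitled to. It reports orphan accounts, leavers still provisioned, roles beyond entitlement, stale accounts, and provider-staff accounts so that they are inventoried.

```python
"""Reconcile a cloud provider's account list with the internal roster.

Added example, not from the original slides. Both inputs are constructed
for the example; the field names are assumptions about what an IAM export
and an HR/identity roster would contain.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class CloudAccount:
    username: str
    roles: FrozenSet[str]
    owner: str                      # "tenant" or "provider" (provider staff)
    last_login: Optional[date]      # None if the account never logged in


@dataclass(frozen=True)
class Person:
    username: str
    active: bool                    # False once the person has left
    entitled_roles: FrozenSet[str]  # roles policy allows for this person


def reconcile(accounts: List[CloudAccount], roster: List[Person],
              today: date, stale_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per policy deviation, in account order."""
    by_user = {p.username: p for p in roster}
    findings: List[Dict[str, str]] = []

    def add(acct: CloudAccount, issue: str, detail: str) -> None:
        findings.append({"account": acct.username, "issue": issue, "detail": detail})

    for acct in accounts:
        # Provider-staff accounts are not in the tenant roster; they must be
        # listed and justified by the provider, so surface them explicitly.
        if acct.owner == "provider":
            add(acct, "provider-staff account", "must be inventoried and justified by the provider")
            continue
        person = by_user.get(acct.username)
        if person is None:
            add(acct, "orphan account", "no matching person in roster")
            continue
        if not person.active:
            add(acct, "leaver still provisioned", "removal process did not run")
            continue
        excess = acct.roles - person.entitled_roles
        if excess:
            add(acct, "excess roles", ", ".join(sorted(excess)))
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            add(acct, "stale account", f"no login in the last {stale_days} days")
    return findings


# Constructed sample data for the example.
SAMPLE_ACCOUNTS = [
    CloudAccount("alice", frozenset({"reader"}), "tenant", date(2024, 5, 1)),
    CloudAccount("bob", frozenset({"admin"}), "tenant", date(2024, 5, 20)),
    CloudAccount("carol", frozenset({"reader"}), "tenant", date(2024, 1, 10)),
    CloudAccount("dave", frozenset({"reader"}), "tenant", date(2024, 5, 30)),
    CloudAccount("svc-backup", frozenset({"writer"}), "tenant", None),
    CloudAccount("csp-support-7", frozenset({"support"}), "provider", date(2024, 5, 28)),
]
SAMPLE_ROSTER = [
    Person("alice", True, frozenset({"reader", "writer"})),
    Person("bob", True, frozenset({"reader"})),
    Person("carol", True, frozenset({"reader"})),
    Person("dave", False, frozenset({"reader"})),
]
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for f in reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_TODAY):
        print(f"{f['account']}: {f['issue']} ({f['detail']})")
```

The sample yields five findings: bob holds an admin role he is not entitled to, carol has not logged in for over 90 days, dave has left but is still provisioned, svc-backup matches nobody in the roster, and csp-support-7 is a provider-staff account that has to appear in the provider's own inventory. Alice, whose roles are within entitlement and who logged in recently, produces nothing.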
Interoperability
§ … to be accessed from the outside
§ Data retrieval
  § The provider should use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability
  § Customer data should be available upon request in an industry-standard format
Continuity
§ … testing, maintenance, and information security requirements
§ Testing
  § Business continuity and security incident response plans should be tested at planned intervals or upon significant organizational or environmental changes
§ Impact analysis
  § The analysis of any disruption to the organization must:
    § Identify critical products and services
    § Identify all dependencies, including processes, applications, business partners, and third-party service providers
    § Understand threats to critical products and services
… and servers (information)
Collect evidence
• Evaluate SLA and compliance level
• Evaluate transparency level
• Are you better off in the cloud?
Build trust
• Only then should you think about migrating medium/high-risk business processes
• Critical processes may have to be kept close to the heart
… Consensus Assessments Initiative Questionnaire
  ¨ “…launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.”
§ NIST
  § Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
  § Special Publication 800-146: Cloud Computing Synopsis and Recommendations
§ The icons?
  § You can find them at http://www.flaticon.com/packs/cloud-computing-2