Slide 1

Slide 1 text

Cloud: Should I Stay or Should I Go? Marcelo Martins

Slide 2

Slide 2 text

Agenda §  Advantages of the Cloud §  What could go wrong? §  Balancing Benefits and Risk §  Business Risk §  Information Classification §  Legal §  Geographic Location §  IT Operations §  Interoperability §  Continuity §  Conclusion §  References

Slide 3

Slide 3 text

§  Freedom to innovate §  Cloud-based solutions enable business areas to innovate §  Cost reduction §  Does not require Capex §  Opex as needed §  No unused resources §  Ramp-up speed §  It takes only a few days to have a number of servers set up §  All done over the Internet §  Administrative tasks performed by the provider §  Provider manages physical environment, handles the supply chain and delivers virtual machines or web services Advantages of the Cloud

Slide 4

Slide 4 text

§  Loss of control §  A complex supply chain of providers and interconnected solutions, security incident management, flow of information §  New threats §  Shared environment §  Perimeterless security §  Third-party management §  Incompatibilities and service level issues §  Is the provider trustworthy? §  Is there a lock-in risk? §  Does the provider comply with the same business or legal requirements? Is there enough transparency? What could go wrong?

Slide 5

Slide 5 text

Balancing Benefits and Risks Freedom to innovate Cost reduction Implementation speed Ease of management Third-party management New threats Legal and fiscal issues Physical location Compliance and audit Benefits Risks

Slide 6

Slide 6 text

Balancing Benefits and Risks •  Multi-tenancy •  Provider supplies app SaaS •  Provider supplies app / own app •  Interface with internal systems PaaS •  Basic Infrastructure •  Fully isolated IaaS Any number of combinations More control

Slide 7

Slide 7 text

§  The business may be impacted §  If confidentiality is violated §  If the information is unavailable or inaccessible when needed §  In case of unauthorized changes §  There may be also legal and fiscal issues §  Laws to avoid the information from being physically copied to another country §  Laws that establish that the information may be accessed by third parties on that country §  Laws that specify how information should be kept and for how long Business Risk

Slide 8

Slide 8 text

§  Has your information already gone through an information classification process? §  Information sensitivity is one of the most important factors to help decide if a business process fits in the cloud §  Do you know the inputs and outputs of your business processes? §  Business processes must be mapped out before information classification §  It is necessary to know the flow of information inside and outside the enterprise to understand its security requirements Information Classification

Slide 9

Slide 9 text

§  Are there any legal restrictions against moving the business processes or information to the cloud? §  Legal restrictions may enforce that the information must physically reside in the country §  Does the contract or agreement contain clauses regarding availability, protection and recovery of the information? §  Does the provider allow tenants to specify to which of their geographic locations the data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)? Legal

Slide 10

Slide 10 text

§  Geographic restrictions §  The provider should not process or store information in countries restricted by the Enterprise §  The provider should ensure that data does not migrate beyond a defined geographical residency §  Third parties §  Outsourced providers should be selected and monitored in compliance with laws in the country where the data originates §  Flow of information §  The provider should allow tenants to define acceptable geographical locations for data routing Geographic Location

Slide 11

Slide 11 text

§  User Management §  In a perimeterless world like the cloud, Identity and Access Management (IAM) is a priority §  Creation, removal and access grating processes should run in compliance with internal policies §  The provider must keep track of all users, including their own §  Provider Compliance §  The providers must be assessed regarding their capacity to comply with the needs of your Information Security IT Operations

Slide 12

Slide 12 text

§  Connectivity to the Enterprise §  Internal resources may have to be accessed from the outside §  Data Retrieval §  The provider should use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability §  Customer data should be available upon request in an industry-standard format Interoperability

Slide 13

Slide 13 text

§  Framework §  Business continuity plans should address priorities for testing, maintenance, and information security requirements §  Testing §  Business continuity and security incident response plans should be subject to testing at planned intervals or upon significant organizational or environmental changes §  Impact Analysis §  The analysis of any disruption to the organization must include §  Identify critical products and services §  Identify all dependencies, including processes, applications, business partners, and third party service providers §  Understand threats to critical products and services Continuity

Slide 14

Slide 14 text

Conclusion Start small •  Migrate only low risk business processes and servers (information) Collect evidence •  Evaluate SLA and compliance level •  Evaluate transparency level •  Are you better off in the cloud? Build trust •  Only then you should think about migrating medium/ high risk business processes •  Critical processes may have to be kept close to the heart

Slide 15

Slide 15 text

References §  Security Assessment §  Cloud Security Alliance §  CAIQ: Consensus Assessments Initiative Questionnaire ¨  “…launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.” §  NIST §  Special Publication 800-144 ¨  Guidelines on Security and Privacy in Public Cloud Computing §  Special Publication 800-146 ¨  Cloud Computing Synopsis and Recommendations §  The icons? §  You can find them at