Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake



               Security B-Sides London: Cloud Computing - WTF?

Wednesday, 20 April 2011
Jimmy Who?


• CSO for one of the UK’s largest SaaS providers
• Talking mainly from a SaaS perspective
• Dozens of client risk assessments a month
• ISO 27001 Lead Auditor
• These are my opinions, not necessarily those of my employer


Cloud Computing

Don’t make me APT your cyber-defences

http://csrc.nist.gov/groups/SNS/cloud-computing/

Essential Characteristics
Service Model
Deployment Model
...blah blah blah


Businesses Are Moving to the Cloud


Well governed organisations make decisions after consideration of risk




Businesses Are Moving to the Cloud


Well governed organisations make decisions after consideration of risk

...and we all know how many well governed organisations there are out there.



Who Does the Due Diligence??

• Understands security, not risk
• Knows on-premise, not cloud
• Still thinks he has a secure perimeter
• Likes to be able to hug servers
• He, and his toys, may be displaced by the solution


The Cost of Due Diligence: Do The Math

Average Due Diligence Questionnaire = 2 hours
Average Audit = 6 man hours

4,000 customers = 3,000 working days per annum

...and you want cost savings???



Certification: ISO/IEC 27001:2005

• Scope?
      • Very few scopes include production platforms

• Is your acceptable risk < or > than the provider’s?




ISO 27001: What They Really Mean




Our On-Premise 27002 controls   vs.   Cloud Provider’s 27002 controls
Certification: SAS-70 (soon SSAE16)




• Control Statements
• Great for auditing against SOX 404 controls




Getting Real

How do you ensure physical access to your data centres is restricted to those who need it for a job function?

By not having 100 customers a day walking through on audits...




Getting Real

“So I hope that answers your question on how we handle key rotation on our distributed filing system utilising AES 256-bit encryption? Can I ask how you do it at the moment?”

“The IT Manager backs up to tape and leaves the tapes in the back of his car overnight.”

“The tapes are encrypted of course?”

....

“Please tell me the car isn’t left on his driveway overnight?”

....


Turning the Tables
RFP responses contain a lot of sensitive information

• How do you classify completed RFP responses?
• How many people have access to completed RFP responses?
• How do you ensure access control and prevent leakage of completed RFP responses?
• How do you dispose of printed copies of RFP responses?


Industry Representation or Prospects?




What We Need
Software-as-a-Service is often about replacing specific on-premise solutions within the business




What We Need
Software-as-a-Service is often about replacing specific on-premise solutions within the business

[Diagram: On-premise risk and Cloud Provider risk, each plotted against a baseline]




What We Need


[Diagram: On-premise risk and Cloud Provider risk, each plotted against a baseline]


What We’re Getting




Great, now I’ve got 6 lots of audit and certification....


A Final Plea
Customers:
Baseline on your current risk exposure
Do your due diligence, but make it proportionate
If you want champagne, expect to pay for it

Industry Bodies:
Come together for a unified standard of audit and assessment
Represent cloud customers and the service provider, not infrastructure vendors

Cloud Providers:
Embrace transparency




Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake
http://jimmyblake.com





More Related Content

Similar to Cloud computing due diligence WTF?

Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1CloudExpoEurope
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...Shah Sheikh
 
Build a network to thrive in the Digital age
Build a network to thrive in the Digital ageBuild a network to thrive in the Digital age
Build a network to thrive in the Digital ageFiona Sexton
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleJAXLondon_Conference
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
 
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014Exponential_e
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsAngelo Agatino Nicolosi
 
Cloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesCloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesMariano Cunietti
 
AWS per il settore pubblico in Italia
AWS per il settore pubblico in ItaliaAWS per il settore pubblico in Italia
AWS per il settore pubblico in ItaliaAmazon Web Services
 
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...Amazon Web Services
 
Structure 2014 - Launchpad Competition
Structure 2014 - Launchpad CompetitionStructure 2014 - Launchpad Competition
Structure 2014 - Launchpad CompetitionGigaom
 
2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference Highlights2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference HighlightsJulie_Vasquez
 
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...Henning Jacobs
 
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015   radical agility with autonomous teams and microservices in...Dev ops con 2015   radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...Jan Löffler
 
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudRadical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudZalando Technology
 
E Crime Symposium June 10
E Crime Symposium June 10E Crime Symposium June 10
E Crime Symposium June 10Simon Wardley
 
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...Shawn Wells
 
Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7CA API Management
 
CIO Summit Berlin 2011
CIO Summit Berlin 2011CIO Summit Berlin 2011
CIO Summit Berlin 2011Jitscale
 

Similar to Cloud computing due diligence WTF? (20)

Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1Cloud security and cyber security v 3.1
Cloud security and cyber security v 3.1
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
 
Build a network to thrive in the Digital age
Build a network to thrive in the Digital ageBuild a network to thrive in the Digital age
Build a network to thrive in the Digital age
 
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleDevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve Poole
 
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"
 
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
Exponential-e | Cloud Revolution Seminar at the Ritz, 20th November 2014
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial Institutions
 
Cloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesCloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU Buxelles
 
AWS per il settore pubblico in Italia
AWS per il settore pubblico in ItaliaAWS per il settore pubblico in Italia
AWS per il settore pubblico in Italia
 
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...
AWS re:Invent 2016: IoT and Beyond: Building IoT Solutions for Exploring the ...
 
Structure 2014 - Launchpad Competition
Structure 2014 - Launchpad CompetitionStructure 2014 - Launchpad Competition
Structure 2014 - Launchpad Competition
 
2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference Highlights2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference Highlights
 
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
DevOps Con 2015: Radical Agility with Autonomous Teams and Microservices in t...
 
Dev ops con 2015 radical agility with autonomous teams and microservices in...
Dev ops con 2015   radical agility with autonomous teams and microservices in...Dev ops con 2015   radical agility with autonomous teams and microservices in...
Dev ops con 2015 radical agility with autonomous teams and microservices in...
 
Radical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the CloudRadical Agility with Autonomous Teams and Microservices in the Cloud
Radical Agility with Autonomous Teams and Microservices in the Cloud
 
E Crime Symposium June 10
E Crime Symposium June 10E Crime Symposium June 10
E Crime Symposium June 10
 
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...
 
Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7Bridging the Enterprise and the Cloud from Layer 7
Bridging the Enterprise and the Cloud from Layer 7
 
CIO Summit Berlin 2011
CIO Summit Berlin 2011CIO Summit Berlin 2011
CIO Summit Berlin 2011
 

More from Security BSides London

Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information SecuritySecurity BSides London
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Security BSides London
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programsSecurity BSides London
 

More from Security BSides London (8)

Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
The Funny Thing About Information Security
The Funny Thing About Information SecurityThe Funny Thing About Information Security
The Funny Thing About Information Security
 
Breaking out of restricted RDP
Breaking out of restricted RDPBreaking out of restricted RDP
Breaking out of restricted RDP
 
Breaking, Entering and Pentesting
Breaking, Entering and Pentesting Breaking, Entering and Pentesting
Breaking, Entering and Pentesting
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications Practical Crypto Attacks Against Web Applications
Practical Crypto Attacks Against Web Applications
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 

Recently uploaded

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Recently uploaded (20)

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Cloud computing due diligence WTF?

  • 1. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake. Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 2. Jimmy Who?
    • CSO for one of the UK’s largest SaaS providers
    • Talking mainly from a SaaS perspective
    • Dozens of client risk assessments a month
    • ISO 27001 Lead Auditor
    • These are my opinions, not necessarily those of my employer
  • 3. Cloud Computing. “Don’t make me APT your cyber-defences.” http://csrc.nist.gov/groups/SNS/cloud-computing/ : Essential Characteristics, Service Model, Deployment Model ...blah blah blah
  • 4. Businesses Are Moving to the Cloud. Well governed organisations make decisions after consideration of risk.
  • 5. Businesses Are Moving to the Cloud. Well governed organisations make decisions after consideration of risk ...and we all know how many well governed organisations there are out there.
  • 6. Who Does the Due Diligence??
    • Understands security, not risk
    • Knows on-premise, not cloud
    • Still thinks he has a secure perimeter
    • Likes to be able to hug servers
    • He, and his toys, may be displaced by the solution
  • 7. The Cost of Due Diligence: Do The Math. Average Due Diligence Questionnaire = 2 hours. Average Audit = 6 man hours. 4,000 customers = 3,000 working days per annum ...and you want cost savings???
  • 8. Certification: ISO/IEC 27001:2005
    • Scope?
    • Very few scopes include production platforms
    • Is your acceptable risk less than or greater than the provider’s?
  • 9. ISO 27001: What They Really Mean. [Diagram: the Cloud Provider’s 27002 controls set against Our On-Premise 27002 controls]
  • 10. Certification: SAS-70 (soon SSAE16)
    • Control Statements
    • Great for auditing against SOX 404 controls
  • 11. Getting Real. Q: How do you ensure physical access to your data centres is restricted to those who need it for a job function? A: By not having 100 customers a day walking through on audits...
  • 12. Getting Real.
    Provider: So I hope that answers your question on how we handle key rotation on our distributed filing system utilising AES 256-bit encryption? Can I ask how you do it at the moment?
    Customer: The IT Manager backs up to tape and leaves the tapes in the back of his car overnight.
    Provider: The tapes are encrypted of course?
    Customer: ....
    Provider: Please tell me the car isn’t left on his driveway overnight?
    Customer: ....
  • 13. Turning the Tables. RFP responses contain a lot of sensitive information.
    • How do you classify completed RFP responses?
    • How many people have access to completed RFP responses?
    • How do you ensure access control and prevent leakage of completed RFP responses?
    • How do you dispose of printed copies of RFP responses?
  • 14. Industry Representation or Prospects?
  • 15. What We Need. Software-as-a-Service is often about replacing specific on-premise solutions within the business.
  • 16. What We Need. Software-as-a-Service is often about replacing specific on-premise solutions within the business. [Diagram: baseline; On-premise risk; Cloud Provider risk]
  • 17. What We Need. [Diagram: baseline; On-premise risk; Cloud Provider risk]
  • 18. What We’re Getting. Great, now I’ve got 6 lots of audit and certification....
  • 19. A Final Plea
    Customers:
    • Baseline on your current risk exposure
    • Do your due diligence, but make it proportionate
    • If you want champagne, expect to pay for it
    Industry Bodies:
    • Come together for a unified standard of audit and assessment
    • Represent cloud customers and the service provider, not infrastructure vendors
    Cloud Providers:
    • Embrace transparency
  • 20. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake http://jimmyblake.com