2. Disclaimer: The scope of this paper is limited to the challenges that migration of Information Technology resources to the cloud computing environment poses for management. Technical issues have been intentionally avoided, and only emerging corporate governance issues are highlighted, especially those which are less discussed but likely to have a major impact on decision making by non-technocrat management.
3. Cloud Computing Market Size Estimates
US Federal Government: $26.1 billion (CAGR 40%) by 2015
Worldwide: $148.8 billion by 2012
China has recently announced the launch of the project “Sea of Cloud”; the Chinese cloud computing market is estimated at 1 trillion Yuan ($154 billion) in the next few years.
4. Cloud Computing
Migration to cloud will not be an option but a necessity
Emerging challenges for managers
International efforts
Planning migration to cloud
Evolving assurance framework
6. Ubiquitous Connectivity
Virtualization
Broadband Networking
Web 2.0
Multi Tenancy
Outsourcing
Utility Computing
Service Oriented Architecture
Clustering
7. “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
11. Massive Scale
Resilient Computing
Geographic Distribution
Homogeneity
Virtualization
Service Orientation
Low Cost Software
Advanced Security
16. Cloud Efficiencies and Improvements
Benefit categories: cost efficiencies; time efficiencies; power efficiencies; unlimited capacity; improved security; improved process control.
Items listed under these headings include: standardized, updated base image; top-quality security; burst capacity; procurement to production; centrally auditable log server; dynamic use of capacity; short-duration projects; top-quality security professionals; centralized authentication; system utilization; reduced overhead; any-place connectivity; power consumption; cancelled or failed missions; top-quality forensics; improved security processes.
17. CAPEX to OPEX
Capital expenditure on IT: sunk cost, depreciation cost, obsolescence cost, data centre running and maintenance costs, IT professionals.
Operational expenditure: actual usage cost.
19. Source: Federal Cloud Computing Strategy, by Vivek Kundra, US Chief Information Officer
27. Unlike money, when data gets stolen the owner may not even know, because data can simply be copied and taken away while the original data stays unperturbed.
Solution
• Strong identity management
• Rigid access control mechanisms
• Log management
28. The organisation's own IT department may feel threatened and thus take actions causing aversion to migration to cloud.
Decommissioning / mothballing released IT assets and retrenchment of IT staff.
Solution
• A third party should undertake the migration analysis
• Strong and firm management
• Cost reduction mechanisms must be identified at the initial stage itself
29. The global nature of the Internet can make life easy for fly-by-night operators.
A CSP may have entered the business to capture the opportunity but lack seriousness.
Solution
• Due diligence in selection of CSP
• Industry confederations have a role to play
• International ombudsman required
30. Organisational data may be kept in several countries, causing jurisdictional and law enforcement challenges.
Solution
• International cooperation
• Bilateral/multilateral treaties
• Coordination amongst LEAs across the globe
31. Law enforcement orders against one co-tenant can cause seizure of other co-tenants' data also.
Law enforcement will face serious challenges. Too strict a regime can hurt the industry and CSPs may simply move out of the country, affecting revenue and security; while too comfortable a zone may provide a free playground to cyber criminals.
Solution
• Policies, procedures and rules by government
• Training and capacity building in the police force / cyber forensic specialists / legal fraternity
32. Co-tenancy poses new challenges such as data overflow, side-channel attacks, remnant data recovery, and other technical and social engineering attacks.
Solution
• Continuous R&D
• Log analysis by the CSP as well as the user (possibly by a third party)
• Assurance framework and audit
33. CSPs are far more powerful than cloud users, which may cause a skew in the drafting and implementation of contracts.
Solution
• Policy, procedures and rules to protect comparatively weak users (SMEs)
• Formation of a cloud users confederation / group
• National and international ombudsman
34. Competent and expert auditor
The auditor must understand cloud technology.
The auditor must understand the complex governance and legal issues affecting migration to cloud.
Solution
• Second party audit / expert representing the cloud user
• Should be included in the SLA
40. 1. Short title, extent, commencement and application.
Subsection (2) – It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person.
41. 75. Act to apply for offence or contravention committed outside India.
(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
43. Published Standards
• ISO/IEC 27000 — Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information security management systems — Requirements
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
• ISO/IEC 27033-1 — Network security overview and concepts
• ISO/IEC 27035 — Security incident management
• ISO 27799 — Information security management in health using ISO/IEC 27002
44. First serious attempt to harmonise international laws on cyberspace.
Opened for signature – 23 Nov 2001
Entry into force – 1 Jul 2004
Ratified/Accession – 32 countries
Signed but not yet ratified – 15 countries
Major missing – Russia.
Even the USA has recorded reservations.
45. IT Security — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence (DRAFT - new title)
Provides detailed guidance that describes the process for recognition and identification, collection and/or acquisition and preservation of digital data which may contain information of potential evidential value. This document includes physical and documentary activities deemed necessary in supporting inter-jurisdictional recognition of collected and/or acquired potential digital evidence.
46. Helping the European Commission, the Member States and the business community to address, respond to and especially to prevent Network and Information Security problems.
ENISA is a body of expertise, set up by the EU to carry out very specific technical and scientific tasks in the field of Information Security, working as a "European Community Agency".
On Nov 20, 2009 it published the Cloud Computing Risk Assessment.
47. CSA is a not-for-profit organization led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
Mission Statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
Issued Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 in Dec 2010.
52. Contact Details
Web : www.xcyss.in
E-mail : cmd@xcyss.com
Tele : +91-11-25128910
Mobile : +91- 9953286928
Blogs: http://cyber-crime-in-india.blogspot.com/
http://security-of-cyberspace.blogspot.com/
53. Reference List
Alcatel-Lucent 2010, Presentation at SecureCloud 2010, Barcelona, viewed 18 October 2010, <https://cloudsecurityalliance.org/sc2010.html>
Cloud Security Alliance 2009, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, viewed 18 October 2010, <https://cloudsecurityalliance.org/csaguide.pdf>
Saini, Commander Mukesh (Retd.) 2011, Next Challenge for Governance - the Cloud Computing, Thinking Aloud, June 2011, pp. 28-30
Courtney, Martin 2011, Interview: Brian Gammage, Gartner, viewed 18 October 2010, <http://www.computing.co.uk/ctg/interview/1930935/interview-brian-gammage-gartner>
Data Security Council of India 2010, Data Protection Challenges in Cloud Computing - an Indian Perspective, viewed 18 October 2010, <http://www.dsci.in/sites/default/files/Data%20Protection%20Challenges%20in%20Cloud%20Computing.pdf>
European Network and Information Security Agency 2009, Cloud Computing Risk Assessment, viewed 18 October 2010, <http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment>
Grance, Tim 2010, Cloud Computing Paradigm, presentation at NIST, 16 March 2010
ISO 27001 Security 2011, ISO/IEC 27037, viewed 18 October 2010, <http://www.iso27001security.com/html/27037.html>
Williams, James F. 2011, NASA's Nebula Cloud Computing Initiative, viewed 18 October 2010, <http://fms.treas.gov/sfc/NASA%20Cloud%20Computing%20Agency%20Case%20Study%20Presentation.pdf>
Vance, Jeff 2010, 5 Cloud Computing Predictions for 2011, Datamation, viewed 18 October 2010, <www.itmanagement.earthweb.com/feature/5-Cloud-Computing-Predictions-for-2011-3919196.htm>
Market Research Media 2009, U.S. Federal Cloud Computing Market Forecast 2010-2015, viewed 18 October 2010, <www.marketresearchmedia.com/2009/05/20/us-fedral-cloud-computing-market-forecast-2010-2015/>
National Institute of Standards and Technology 2011, The NIST Definition of Cloud Computing (Draft), SP 800-145, viewed 18 October 2010, <http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf>
Shanghai Security News 2011, The virtualization of a nation: cloud computing in China takes hold, Xinhuanet, viewed 18 October 2010, <www.news.xinhuanet.com/english2010/china/2011-06/29/c_13956822.htm>
Khera, Vishal 2010, Planning for Cloud Implementation, presentation at SecureCloud 2010, Barcelona, viewed 18 October 2010, <https://cloudsecurityalliance.org/sc2010.html>
Editor's Notes
Cloud computing ('cloud') is an evolving term that describes the development of many existing technologies and approaches to computing into something different. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
Essential Characteristics of Cloud Computing
Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches:
• On-demand self-service. A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider.
• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.
• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.
• Rapid elasticity. Capabilities can be rapidly and elastically provisioned — in some cases automatically — to quickly scale out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
• Measured service. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported — providing transparency for both the provider and consumer of the service.
It is important to recognize that cloud services are often but not always utilized in conjunction with, and enabled by, virtualization technologies. There is no requirement, however, that ties the abstraction of resources to virtualization technologies, and in many offerings virtualization by hypervisor or operating system container is not utilized. Further, it should be noted that multi-tenancy is not called out as an essential cloud characteristic by NIST but is often discussed as such. Please refer to the section on multi-tenancy featured after the cloud deployment model description below for further details.