Sharing the Cloud by Glen Roberts, CISSP
Presented at CUISPA 2012 Conference in Austin, TX on 2/21/2012.
CUISPA (Credit Union Information Security Professionals Association) is a national association of credit union information technology professionals focused on improving security and risk management through cooperation.
2. About the Presenter
* Glen Roberts, CISSP
* IT Infrastructure Manager at UFCU
* President at Cloud Security Alliance, Austin Chapter
3. Agenda
* Cloud Computing Overview
* Cloud Benefits and Risks
* Community Cloud Deployment Model
* Case Study: 2nd Node
* Foundational Issues
* Abbreviated Risk Framework
* Addressing Common Security Concerns
4. Cloud Computing Definition
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (NIST: September, 2011)
6. Interactive Slide
What are some of the benefits cloud computing can offer credit unions?
7. Top 10 Cloud Benefits
1. Faster implementation, ready to use, automation
2. Access anywhere, on any device
3. Reduced cost, pay for use
4. Scalability, right-sized, flex up and down
5. Collective benefits, GRC alignment, new functionality
6. Improved productivity, shift focus to further innovate
7. Integrated security and patching
8. Leverage vendor expertise, economy of scale
9. High performance, reliability, uptime
10. Environment-friendly, computing efficiency
8. Interactive Slide
What risks might cloud computing expose a credit union to?
9. Top 10 Cloud Risks
1. Data loss, alteration, disclosure
2. Unable to prove security of provider or solution
3. Provider insider threat, insecure APIs, hypervisor flaws
4. Multi-tenancy trust issues
5. Account hijacking
6. Regulatory problems, lack of forensics support
7. Blurred responsibilities
8. Internet/external network dependency
9. Poor support, scalability issues
10. Complexity, hidden costs
10. Enter Community Clouds
* Shared by several organizations
* Supports a community with common interests
  * Business purpose
  * Standardization
  * GRC requirements: GLBA, NCUA
* Many of the benefits of public cloud with less risk
* Better cost savings than private cloud or traditional infrastructure
11. What Community Offers
* Transparency
* Dependable SLAs
* Clear roles & responsibilities
* Shared improvements
* Data sharing
12. Cloud Service Brokerage
* Cooperatively select vendors
* Improved bargaining power as a collective
* Shared cost of vendor solutions
* Leverage shared integration with vendors
13. Do More with Less
* Reduce maintenance & operations costs
* Share the expense of implementations
* Free up staff to innovate for members
14. Case Study: 2nd Node
* Formed by UFCU and AFCU in 2009
* CUSO
* Second data center
* Business Continuity/Disaster Recovery
15. 2nd Node: Facility
* Facility
  * SAS 70 Type II Facility
  * Working on SSAE 16 Type II
  * Generator, UPS, HVAC
  * Environmental security
16. 2nd Node: Infrastructure
* Utility pricing per cabinet:
  * Telecom
  * Internet connectivity – 100 Mbps
  * SAN
    * Separate LUNs, partitions
    * EqualLogic, Compellent
  * IDS/IPS
  * Individual consoles/customer
* 2nd Node as the oracle
18. Some Community Clouds
* NYSE Capital Markets Community Platform
* IBM Federal Community Cloud
* G-Cloud
* News Corporation NC3
19. Foundational Issues
* Many have tried and failed
* Control issues vs. cooperation
* Visibility of operations
* Differing visions
* Undefined SLAs
20. Addressing Common Security Concerns
* Security
  * Not necessarily more or less secure
  * Enormous potential to be more secure
  * Collaborate to implement controls
* Standards gaps
  * Traditional standards still apply
  * NIST and CSA are helping accelerate catch-up
21. Data Protection
* What data needs to be protected?
* Common options:
  * Encryption of data at rest and in motion
  * Tokenization
  * Sanitization, anonymization
  * Object security (SQL)
  * Hashing
22. Abbreviated Risk Framework: Identify Assets
* Identify potential assets to be moved to a community cloud
  * Infrastructure
  * Data
  * Applications
  * Functions/Processes
23. Abbreviated Risk Framework: Community Cloud Risks
* Assess DAD (disclosure, alteration, destruction) risks of moving assets to the community cloud
  * What is the impact if the provider accesses the asset or if data goes public?
  * What is the impact if processes are manipulated or fail to function?
24. Abbreviated Risk Framework: Community Cloud Requirements
* Location
* Identification of other tenants
* Degree of control
  * Who manages assets and how
* Security and compliance controls