1. Cloud Computing XaaS
Moving from Cloud Cuckoo Land to Corporate
Acceptance
London e-Crime Cloud Forum, June 2010
Mark Henshaw
FBCS CITP CISM CGEIT CISSP
mhenshaw@isaca-london.org
[Speaker notes included]
2. Proprietas
The presentation and the views and opinions
expressed represent those of the author and
should not be ascribed to General Motors or
Vauxhall Opel
Any subsequent debate or discussion in relation
to this material should be conducted with the
author
mhenshaw@isaca-london.org
3. Cloud XaaS, friend or foe? [speaker notes slide #21]
How do you see it?
Risk taker (e.g., cost dominated)                 Risk averse (e.g., risk dominated)
Cloud provider                                     CISO, Security
Business unit                                      Legal, Governance
Start-up                        CIO                Mature business
4. First thoughts
Have you engaged,
◦ Legal Counsel?
◦ Privacy Counsel?
◦ Human Resources Management?
◦ Business Process Leadership?
◦ Risk Management (Enterprise)?
◦ Business Partners?
◦ All impacted IT players?
◦ Third Parties and Suppliers?
Why not? You are establishing a major strategic direction for the
business using Cloud Computing, and they are all key stakeholders
and Subject Matter Experts
Build and execute a Cloud delivered Security Strategy with
partnership across the organisation NOT just IT
5. Ash Cloud, Icelandic Volcano
[speaker notes slide #22]
Sixty-three thousand flights cancelled in four days; a total of
313 airports paralysed by restrictions and a global backlog
affecting more than 6.8 million travellers…$B5
Bigger issues came into play which may potentially put
organisations out of business, such as reduced or non-existent
service to customers; supply chains failing; and even
vital, life-saving equipment and medication unable to reach
its destination
In the context of business continuity, many unprepared
organisations may simply say that they couldn't possibly have
planned for an eventuality such as this, and excuse
themselves for their shortcomings in the hope that everything
will get back to normal sooner or later and their
customers will understand
Is this a familiar attitude? And who is liable anyway?
6. Agenda
When adopting service offerings from the cloud, what are the
security, compliance and liability issues that need to be understood
at board level beyond the sales pitch of cost reductions and
operational benefits?
What measures can be taken to surmount the challenges of
implementing access controls for enterprises that move to cloud
based services, and why is this a critical step in approaching
corporate acceptance of cloud computing?
What aspects of security in the cloud should remain under the
control of corporate custodians, which are likely to necessitate
outsourcing control to the cloud provider, and what steps must be
taken to ensure a comprehensive understanding of where the
business is accountable and liable for defending against vulnerability
as opposed to the cloud supplier?
How can organisations that utilise multiple elasticated storage
solutions across different jurisdictions abide by regional data
privacy laws while meeting regulatory compliance requirements?
7. Agenda
Or to put it another way:
What should it take to
convince the CEO and
board that cloud computing
services are a realistic
choice for their business and
not some cloud cuckoo land
fantasy?
8. To the Board: Cloud, silver lining? [speaker notes slide #23]
Price: not always cheaper than in house
Applications: not all fit the XaaS model
Security: should be rock solid, will be a bigger target
Governance/Compliance: maze of data handling rules
Legal maturity: Cloud models are complex and hard to define;
legal structures and precedents are poor or non-existent
Liability: significant work to define and document who is
liable for what at each XaaS layer
Cost: cost pressure drives the use of potentially high-risk providers
Risk: distinguish risk from commercial risk
Outsourcing: a better first step
9. To the Board: Cloud, silver lining?
Any provider who claims to
have fixed all the risks and
issues may be offering FaaS
10. Enterprise Access Controls [speaker notes slide #24]
Cloud computing must provide security on par with
what exists inside the firewall; compliance is
impossible without controls
Control over access, authentication, auditing and
administration (IAM)
Infrastructure resides across the Internet, collectively
operated by the enterprise, its partners, and service
providers
Firewalls can't manage access to cloud applications
because by definition these applications are accessed
over the Internet outside the corporate firewall
Access management for the cloud must be controlled
without agents and without tightly coupling
infrastructure components together
11. Enterprise Access Controls [speaker notes slide #25]
Federation provides an inter-organisational
authentication solution
Federation uses the Security Assertion
Markup Language (SAML) standard
Each organization will manage its own users
and through trust relationships share
authentication between sites
Administration must support the complex
structures and business relationships
between cloud networks and organisations
12. Enterprise Access Controls [speaker notes slide #26]
Auditing and compliance for the cloud must
extend across the Internet and encompass
the applications, users, and activities on
remote as well as enterprise systems
Perimeter controls are ineffective for
compliance
Confidentiality of data must be protected
both in motion and while at rest
Requires an intelligent cloud strategy from the very
beginning
13. Liability and Responsibility
Division of liabilities between customer and
provider
Division of responsibilities for security incidents;
SaaS and IaaS vary greatly
Establish a table and clearly define who is
responsible for what
Where no negotiation is possible, providers must
verify what lies within their responsibility
IaaS providers treat customer applications as a
black box, so it is vitally important for the customer to
take full responsibility for securing cloud-deployed
applications
Follow best practice and perform an assessment
14. Liability and Responsibility
Businesses signing up for
standard (read economic)
cloud services should not
expect the provider to
accept liability for data
breaches and other security
incidents
Attrib. Microsoft
15. Liability [speaker notes slide #27]
Lawfulness of content
  Customer: Full liability
  Provider: Intermediary liability with liability exemptions under the
  terms of the E-commerce directive (1) and its interpretations
Security incidents (including data leakage, use of account to launch attack)
  Customer: Responsibility for due diligence for what is under its control
  Provider: Responsible for due diligence for what is under its control
  according to contractual conditions
European Data Protection Law status
  Customer: Data controller
  Provider: Data processor (external)
Incident management and resolution - will vary greatly if SaaS, PaaS or IaaS
From ENISA, “Cloud Computing - Benefits, risks and recommendations for information security”, Nov 2009
16. Privacy with Elasticated Storage
[speaker notes slide #28]
Geography can lose all meaning and location seems
irrelevant – you may not be able to tell where data is at any
given point in time
Multiple data copies being stored in different
locations – also true for private cloud
Data transferred across multiple borders with
significant legal implications
Gets more complicated…public cloud, hybrid
cloud
Public cloud economics is about trading available
processing and storage capacity…data is fungible,
and able to be moved …like trading electricity
17. Privacy with Elasticated Storage
[speaker notes slide #29]
There is no universally adopted privacy
standard - perception may be different from the
law
Essential for well defined Security and Privacy
SLAs to be part of the Statement of Work
Strong data governance should be performed by the
Cloud provider through full Information
Lifecycle Management (ILM); protection of
personal information should consider the
impact of the cloud on each of the ILM phases
18. Privacy with Elasticated Storage
Adopt a systematic approach to addressing
privacy in the cloud
Perform due diligence and risk assessments
Seek country based legal advice (legal counsel)
and develop process framework and internal
controls
Attempt to control cross-border data flows
through selection of countries used by the Cloud
provider
Ensure data is deleted on virtual storage devices
Ensure consent from data owner before transfer
to 3rd parties
19. Final thought…
In IT sustaining competitive advantage is not possible
because everyone can copy what you do so…
…from the context of the cloud provider operating in a
panoply, survival is about taking out costs faster…bringing
down IT costs…and increasing sales
Cost reductions in this space seem to fixate around
increasing use of cloud aggregators…perhaps in China or
India
The consequences of this are…
…legal, governance and security plays catch up
…and while this vacuum exists there will be many risks
across many facets of cloud sourcing, particularly with low-cost,
highly aggregated cloud sourcing implementations
We are definitely chasing the tail, and it’s way too early for
any of us to be complacent
20. Speaker notes
Speaker notes provided here to assist
with reader understanding
21. Cloud XaaS, friend or foe?
Speaker notes use with slide # 3
◦ (+ Side)
Emerging not yet core
Very attractive sales pitch; cost saving, efficiency, elastic storage
Low cost path for start-up
Business unit making the most of their limited budget
Cloud provider sells the dream
◦ (- Side)
It's just not mature yet
Too much to lose
Let someone else catch a cold
Only a few applications, very low risk
We carry sensitive customer information…no way.. US PATRIOT Act
◦ (= Balancing)
The CIO pulling in both directions
Limit the travel and accelerate the acceptability (how?)
Legal have been saying they are slow in this space for quite some time – but they believe our issues will be fixed by
contracts (right?)
◦ (= Balancing)
Clearly an emerging technology that has everyone excited for one reason or another
22. Ash Cloud, Icelandic Volcano
Speaker notes use with slide # 5
◦ Major airlines, major losses during disaster.
◦ Share price for all was impacted.
◦ Hotels, supply industry, perishable goods.
◦ Some winners, Brittany Ferries carried 5 X more passengers during this
period.
◦ Channel tunnel operators actually made a profit.
◦ Do cloud providers run their businesses in the same way – in that there
are just some elements in the equation that are just not manageable?
◦ Will the economics involved create the same outcome (in cloud)?
◦ Is it really just a fad and a FaaS (FARCE)?
23. To the Board: Cloud, Silver Lining?
Speaker notes use with slide # 8
◦ (- side)
◦ MS Office $1.5 per seat in house, $3 cloud
◦ Graphics intensive, Latency sensitive (E.g., financial and transactional applications)
◦ You are a target or will become a target where your data is held alongside
valuable information
◦ EU DP rules, US Patriot Act, non-existent or emerging DPA/DPO
◦ E-discovery subject data in cloud, where?
◦ SaaS, PaaS, DaaS, etc cloud providers and sub providers who?, where?, what? =
due diligence is near impossible for customer
◦ Commercial risk can be transferred, but ultimate risk always remains with the
end customer
◦ (+ side)
◦ Outsourcing allows customer to test the water – examine the portability of
their operation and how to bring back in house if required.
◦ Cloud is NOT another way to outsource; they are in fact very different.
24. Enterprise Access Controls
Speaker notes use with slide # 10
◦ Cloud infrastructures are different - impossible to run a web server
plug-in on a multi-tenant architecture where multiple organizations
share common infrastructure
◦ Poor authentication, authorisation and accounting (AAA)
◦ Unauthorised access to resources, privileges escalation, impossibility of
tracking the misuse of resources and security incidents in general
◦ Cloud makes password-based authentication attacks much more impactful
◦ Corporate applications are now exposed to the internet
◦ Password based authentication is now insufficient
◦ Need for stronger two-factor authentication
25. Enterprise Access Controls
Speaker notes use with slide # 11
◦ Authentication for the cloud works differently than for an
enterprise network. The enterprise can rely on multiple layers of
authentication
◦ This doesn't scale to the cloud
◦ Users aren't necessarily connected to a corporate LAN
◦ Users, like customers, aren't part of the enterprise Active Directory
◦ Administration - not only manage access by employees, but also
customers and partners
◦ Data can reside in remote repositories across the Internet
◦ User management must also be federated between clouds and the
partner enterprises
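The trust relationship described on the federation slide (slide 11) and in these speaker notes is easier to see in code. The following is an added Python example, not material from the presentation or from any SAML implementation: an identity provider in one organisation issues a signed assertion about a user, and a service provider in another organisation accepts it only because the issuer is in its trust store and every condition (signature, audience, validity window, single use) holds. The SP never sees the user's password, which is the point the slide 12 notes make about credentials scattered across systems. An HMAC over the assertion fields stands in for the XML-DSig signature a real IdP certificate would produce; all entity names, the key, and the assertion fields are constructed for illustration.

```python
"""Toy model of SAML-style federation between two organisations.
Constructed example: HMAC stands in for SAML's XML signature, and the
entity names and key below are placeholders, not real identifiers."""
import hashlib
import hmac
import json
import secrets
import time


def _canonical(assertion: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier sign identical bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def _sign(assertion: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, key: bytes, subject: str, audience: str,
                    now: float, lifetime_s: int = 300) -> dict:
    """IdP side: state that `subject` authenticated at `issuer`, for `audience`
    only, inside a short validity window. The user's password stays at the
    IdP; only this statement about the user travels to the SP."""
    assertion = {
        "id": secrets.token_hex(8),          # unique per assertion, for replay checks
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + lifetime_s,
    }
    return {"assertion": assertion, "signature": _sign(assertion, key)}


class ServiceProvider:
    """SP side: accepts assertions only from IdPs it has a trust relationship
    with (issuer name -> verification key) and only when every condition holds."""

    def __init__(self, entity_id: str, trusted_idps: dict):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps     # the configured trust relationships
        self.seen_ids = set()                # assertion ids already consumed

    def validate(self, token: dict, now: float):
        """Return (True, subject) on success, otherwise (False, reason)."""
        a = token.get("assertion") or {}
        key = self.trusted_idps.get(a.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        # Check the signature before relying on any other field of the assertion
        if not hmac.compare_digest(_sign(a, key), token.get("signature", "")):
            return False, "bad signature"
        if a.get("audience") != self.entity_id:
            return False, "wrong audience"         # issued for some other SP
        if not (a.get("not_before", 0) <= now < a.get("not_on_or_after", 0)):
            return False, "outside validity window"
        if a.get("id") in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(a["id"])
        return True, a["subject"]


def run_demo(now: float = 1_000_000.0) -> dict:
    """Exercise the happy path and each rejection case; returns the outcomes."""
    idp_key = b"constructed-shared-key-for-org-a"   # placeholder trust anchor
    idp, sp_id = "https://idp.org-a.example", "https://sp.org-b.example"
    sp = ServiceProvider(sp_id, {idp: idp_key})
    good = issue_assertion(idp, idp_key, "alice", sp_id, now)
    tampered = {"assertion": dict(good["assertion"], subject="mallory"),
                "signature": good["signature"]}
    for_other_sp = issue_assertion(idp, idp_key, "alice", "https://sp.org-c.example", now)
    unknown_idp = issue_assertion("https://idp.unknown.example", b"other-key",
                                  "alice", sp_id, now)
    stale = issue_assertion(idp, idp_key, "bob", sp_id, now)
    return {
        "valid": sp.validate(good, now + 10),
        "replay": sp.validate(good, now + 20),       # same assertion presented twice
        "tampered": sp.validate(tampered, now + 10),
        "wrong_audience": sp.validate(for_other_sp, now + 10),
        "untrusted": sp.validate(unknown_idp, now + 10),
        "expired": sp.validate(stale, now + 600),    # past the 300 s lifetime
    }


if __name__ == "__main__":
    for case, result in run_demo(time.time()).items():
        print(f"{case:15} -> {result}")
```

The order of checks matters: the issuer lookup and signature check come first, so no other field is trusted until the assertion is known to come from a federated partner. The per-issuer key table is the whole trust relationship; adding or removing a partner organisation is a change to that table, not to any user database, which is what lets each organisation keep managing its own users.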
26. Enterprise Access Controls
Speaker notes use with slide # 12
◦ Auditing and Compliance - the infrastructure for managing compliance must
extend across the Internet and encompass the applications, users, and activities
on remote as well as enterprise systems.
◦ Manage cloud access paths through a consistent control point
◦ Using an Internet-scale proxy utility.
◦ Task of auditing becomes centralised.
◦ Proxies do not require software agents
◦ Loosely coupling security with cloud applications is massively scalable.
◦ Consistency is essential for compliance, cannot be achieved using ad-hoc and
siloed approaches to access control and reporting.
◦ Confidentiality of data - users' credentials are scattered across multiple systems
not under their direct control. If proper encryption is not in place, user
passwords are vulnerable to theft and can be used to gain access to other
applications.
◦ Simply extending existing security systems will fail.
27. Liability
Speaker notes use with slide #15 if required: definitions
E-Commerce Directive – ensure free movement of “information society services”
across the European Community (enhancing the internal market) – establishment of
service providers, commercial communications, electronic contracts, the liability of
intermediaries, codes of conduct etc
Data Controller - the individual or legal person (such as a company) who
controls and is responsible for the keeping and use of personal information on
computer or in structured manual files. Carries serious legal responsibilities and must
comply with certain important rules on how they collect and use personal
information. Some controllers must register annually with the Data Protection
Commissioner in order to make their data handling practices transparent.
Data Processor – anyone who holds or processes personal data BUT does not exercise
responsibility for or control over that personal data. Has a very limited set of
responsibilities under the Data Protection Act, concerning the necessity to keep
personal data secure from unauthorised access, disclosure, destruction or accidental
loss.
28. Privacy with Elasticated Storage
Speaker notes use with slide # 16
◦ Existing legal structure can’t cope with the reality of existing
technology
◦ Current privacy rules want to compartmentalise our cloud-space
◦ Significant legal compliance risk
◦ Who are you dealing with?
◦ Who is processing your data?
◦ No transparency due to architecture
◦ No direct relationship, and no direct contractual legal rights or
remedies
29. Privacy with Elasticated Storage
Speaker notes use with slide # 17
◦ There are conflicting laws, regulations and views on what privacy
is and what it requires from organisations to protect it -
perception may be different from the law
◦ Important Principles - Collection and Use Limitation, Security,
Retention and Destruction, Transfer, Accountability
◦ ILM phases from cradle to grave - Generation, Use, Transfer,
Transformation, Storage, Archival, and Destruction
30. Bibliography
Llrx.com, Cloud Computing, Navetta, September 2009; Forsheit, October 2009
InformIT, Cloud Security and Privacy, parts 1 and 2, McHale, May 2010
Info Law Group, Legal Implications of Cloud Computing, part 3, Navetta, October 2009
ENISA, Cloud Computing - Benefits, risks and recommendations for information security, Nov 2009
Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, Tim Mather, Subra Kumaraswamy, Shahed Latif, O'Reilly, September 2009
Cloud Security Alliance, csaguide.pdf v2.1