Cloud Computing XaaS
Moving from Cloud Cuckoo Land to Corporate
Acceptance

London e-Crime Cloud Forum, June 2010

Mark Henshaw
FBCS CITP CISM CGEIT CISSP
mhenshaw@isaca-london.org




                       [Speaker notes included]
Proprietas
   The presentation and the views and opinions
    expressed represent those of the author and
    should not be ascribed to General Motors or
    Vauxhall Opel

   Any subsequent debate or discussion in relation
    to this material should be conducted with the
    author




Cloud XaaS, friend or foe?                                  [speaker notes slide #21]


 How do you see it? The slide shows a spectrum from risk taker (e.g., cost dominated: cloud provider, business unit, start-up) through the CIO in the middle to risk averse (e.g., risk dominated: CISO, security, legal, governance, mature business)
First thoughts
   Have you engaged,
    ◦ Legal Counsel?
    ◦ Privacy Counsel?
    ◦ Human Resources Management?
    ◦ Business Process Leadership?
    ◦ Risk Management (Enterprise)?
    ◦ Business Partners?
    ◦ All impacted IT players?
    ◦ Third Parties and Suppliers?
   Why not? - you are establishing a major strategic direction for the
    business using Cloud Computing and they are all key stakeholders
    and Subject Matter Experts
   Build and execute a Cloud delivered Security Strategy with
    partnership across the organisation NOT just IT

Ash Cloud, Icelandic Volcano
                                                        [speaker notes slide #22]
   Sixty-three thousand flights cancelled in four days; a total of
    313 airports paralysed by restrictions and a global backlog
    affecting more than 6.8 million travellers…$B5

   Bigger issues came into play, which may potentially put
    organisations out of business, such as reduced or non-existent
    service to customers; supply chains failing; and even
    vital life-saving equipment and medication unable to reach
    its destination

   In the context of business continuity, many unprepared
    organisations may simply say that they couldn't possibly
    plan for an eventuality such as this and excuse
    themselves for their misgivings in the hope that everything
    will get back to normal sooner or later and their
    customers will understand
    Is this a familiar attitude? And who is liable anyway?
Agenda
   When adopting service offerings from the cloud, what are the
    security, compliance and liability issues that need to be understood
    at board level beyond the sales pitch of cost reductions and
    operational benefits?
   What measures can be taken to surmount the challenges of
    implementing access controls for enterprises that move to cloud
    based services, and why is this a critical step in approaching
    corporate acceptance of cloud computing?
   What aspects of security in the cloud should remain under the
    control of corporate custodians, which are likely to necessitate
    outsourcing control to the cloud provider, and what steps must be
    taken to ensure a comprehensive understanding of where the
    business is accountable and liable for defending against vulnerability
    as opposed to the cloud supplier?
   How can organisations that utilise multiple elasticated storage
    solutions across different jurisdictions abide by regional data
    privacy laws while meeting regulatory compliance requirements?


Agenda

   Or to put it another way: what should it take to convince the CEO
    and board that cloud computing services are a realistic choice for
    their business and not some cloud cuckoo land fantasy?


To the Board: Cloud, silver lining?             [speaker notes slide #23]



   Price: not always cheaper than in house
   Applications: not all fit the XaaS model
   Security: should be rock solid, will be a bigger target
   Governance/Compliance: maze of data handling rules
   Legal maturity: Cloud models are complex and hard to define;
    poor or non-existent legal structures and precedents
   Liability: significant work to define and document who is
    liable for what at each XaaS layer
   Cost: driving utilisation of possible high-risk providers
   Risk: distinguish risk from commercial risk
   Outsourcing: a better first step

To the Board: Cloud, silver lining?

   Any provider who claims to have fixed all the risks and issues
    may be offering FaaS




Enterprise Access Controls                      [speaker notes slide #24]


   Cloud computing must provide security on par with
    what exists inside the firewall - compliance is
    impossible without controls
   Control over access, authentication, auditing and
    administration (IAM)
   Infrastructure resides across the Internet, collectively
    operated by the enterprise, its partners, and service
    providers
   Firewalls can't manage access to cloud applications
    because by definition these applications are accessed
    over the Internet outside the corporate firewall
   Access management for the cloud must be controlled
    without agents and without tightly coupling
    infrastructure components together

Enterprise Access Controls                [speaker notes slide #25]



 Federation provides an inter-organisational
  authentication solution
 Federation uses the Security Assertion
  Markup Language (SAML) standard
 Each organization will manage its own users
  and through trust relationships share
  authentication between sites
 Administration supporting the complex
  structures and business relationships
  between cloud networks and organisations

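The trust relationship the slide describes, as an added example that is not part of the presentation or of any product it cites: the checks a service provider (SP) runs on a federated authentication assertion before it trusts a partner organisation's user. The assertion format is a constructed, simplified SAML-like document; real SAML carries an XML-DSig signature, which this demo replaces with an HMAC under a key assumed to have been exchanged when the trust relationship was set up. Issuer URLs, keys, users and the fixed clock are all constructed sample values.

```python
# Added example (not part of the presentation): SP-side validation of a
# federated authentication assertion. Simplified SAML-like format; the
# XML-DSig signature of real SAML is stood in for by an HMAC under a key
# assumed to have been exchanged at federation set-up (demo assumption).
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Trust relationships: each partner organisation manages its own users;
# the SP accepts assertions only from issuers registered here.
# Issuer URLs and keys are constructed sample values.
TRUSTED_ISSUERS = {
    "https://idp.partner-a.example": b"partner-a-shared-secret",
    "https://idp.partner-b.example": b"partner-b-shared-secret",
}
SP_AUDIENCE = "https://app.enterprise.example"   # this SP's own entity ID (constructed)


def _canonical(assertion_id, issuer, subject, audience, not_before, not_on_or_after):
    # A fixed field order stands in for XML canonicalisation.
    return "|".join([assertion_id, issuer, subject, audience, not_before, not_on_or_after])


def _mac(key, canonical):
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def build_assertion(issuer, key, subject, assertion_id, audience, not_before, not_on_or_after):
    """What the partner's identity provider emits after authenticating its own user."""
    nb, noa = not_before.isoformat(), not_on_or_after.isoformat()
    mac = _mac(key, _canonical(assertion_id, issuer, subject, audience, nb, noa))
    return (f'<Envelope><Assertion ID="{assertion_id}"><Issuer>{issuer}</Issuer>'
            f'<Subject>{subject}</Subject>'
            f'<Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<Audience>{audience}</Audience></Conditions></Assertion>'
            f'<MAC>{mac}</MAC></Envelope>')


def validate_assertion(xml_text, now, seen_ids):
    """SP-side checks. Returns (accepted, reason, subject); each rejection
    carries a distinct reason so it can be logged and alerted on."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed", None
    a = root.find("Assertion")
    cond = a.find("Conditions") if a is not None else None
    if a is None or cond is None:
        return False, "malformed", None
    issuer, subject = a.findtext("Issuer", ""), a.findtext("Subject", "")
    audience = cond.findtext("Audience", "")
    nb, noa = cond.get("NotBefore", ""), cond.get("NotOnOrAfter", "")
    assertion_id = a.get("ID", "")
    # 1. Only issuers with an established trust relationship are considered.
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return False, "untrusted-issuer", None
    # 2. Integrity: nothing below is trusted until the MAC verifies.
    expected = _mac(key, _canonical(assertion_id, issuer, subject, audience, nb, noa))
    if not hmac.compare_digest(expected, root.findtext("MAC", "")):
        return False, "bad-mac", None
    # 3. Validity window, evaluated against the SP's own clock.
    if not (datetime.fromisoformat(nb) <= now < datetime.fromisoformat(noa)):
        return False, "outside-validity-window", None
    # 4. Audience restriction: an assertion minted for another SP is not ours.
    if audience != SP_AUDIENCE:
        return False, "wrong-audience", None
    # 5. One-time use: the same assertion must not authenticate twice.
    if assertion_id in seen_ids:
        return False, "replay", None
    seen_ids.add(assertion_id)
    return True, "ok", subject


def demo():
    """Run the checks over a constructed valid assertion and five variants."""
    now = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
    seen = set()                                             # replay cache
    issuer = "https://idp.partner-a.example"
    key, user = TRUSTED_ISSUERS[issuer], "alice@partner-a.example"
    fresh = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    good = build_assertion(issuer, key, user, "_id-1", SP_AUDIENCE, *fresh)
    return {
        "valid": validate_assertion(good, now, seen),
        "replay": validate_assertion(good, now, seen),
        "tampered": validate_assertion(good.replace("alice@", "admin@"), now, seen),
        "untrusted": validate_assertion(
            build_assertion("https://idp.unregistered.example", b"k", user, "_id-2", SP_AUDIENCE, *fresh), now, seen),
        "expired": validate_assertion(
            build_assertion(issuer, key, user, "_id-3", SP_AUDIENCE,
                            now - timedelta(hours=2), now - timedelta(hours=1)), now, seen),
        "wrong_audience": validate_assertion(
            build_assertion(issuer, key, user, "_id-4", "https://other-sp.example", *fresh), now, seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The ordering of the checks is the point: the issuer must already be in the trust list before its key is even looked up, integrity is verified before any of the conditions are read, and the replay cache is keyed on the assertion ID so a captured assertion cannot be presented a second time. A production SP adds XML-DSig verification against the partner's published signing certificate and a small clock-skew allowance on the validity window.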
Enterprise Access Controls                 [speaker notes slide #26]



 Auditing and compliance for the cloud must
  extend across the Internet and encompass
  the applications, users, and activities on
  remote as well as enterprise systems
 Perimeter controls ineffective for
  compliance
 Confidentiality of data must be protected
  both in motion and while at rest
 Requires intelligent cloud strategy from very
  beginning

Liability and Responsibility
   Division of liabilities between customer and
    provider
   Division of responsibilities for security incidents,
    SaaS and IaaS vary greatly
   Establish table and clearly define who is
    responsible for what
   Where no negotiation is possible, providers must
    verify what lies within their responsibility
   IaaS providers treat customer applications as a
    black-box so vitally important for customer to
    take full responsibility for securing cloud-
    deployed applications
   Follow best practice and perform assessment

Liability and Responsibility

   Businesses signing up for standard (read economic) cloud services
    should not expect the provider to accept liability for data
    breaches and other security incidents
    Attrib. Microsoft




Liability                                                                           [speaker notes slide #27]


   Lawfulness of content
    ◦ Customer: Full liability
    ◦ Provider: Intermediary liability with liability exemptions under the
      terms of the E-commerce directive (1) and its interpretations
   Security incidents (including data leakage, use of account to launch attack)
    ◦ Customer: Responsibility for due diligence for what is under its
      control according to contractual conditions
    ◦ Provider: Responsible for due diligence for what is under its control
   European Data Protection Law status
    ◦ Customer: Data controller
    ◦ Provider: Data processor (external)


 Incident management and resolution - will vary greatly if SaaS, PaaS or IaaS
 From ENISA, “Cloud Computing - Benefits, risks and recommendations for information security”, Nov 2009
Privacy with Elasticated Storage
                                               [speaker notes slide #28]


   Geography can lose all meaning, location seems
    irrelevant – not able to tell where data is at any
    given point in time
   Multiple data copies being stored in different
    locations – also true for private cloud
   Data transferred across multiple borders with
    significant legal implications
   Gets more complicated…public cloud, hybrid
    cloud
   Public cloud economics is about trading available
    processing and storage capacity…data is fungible,
    and able to be moved …like trading electricity


Privacy with Elasticated Storage
                                           [speaker notes slide #29]


 There is no universally adopted privacy
  standard - perception may be different from the
  law
 Essential for well defined Security and Privacy
  SLAs to be part of the Statement of Work
 Strong data governance should be performed by
  Cloud provider through full Information
  Lifecycle Management (ILM) - protection of
  personal information should consider the
  impact of the cloud on each of the ILM phases

Privacy with Elasticated Storage
   Adopt a systematic approach to addressing
    privacy in the cloud
   Perform due diligence and risk assessments
   Seek country based legal advice (legal counsel)
    and develop process framework and internal
    controls
   Attempt to control cross-border data flows
    through selection of countries used by the Cloud
    provider
   Ensure data is deleted on virtual storage devices
   Ensure consent from data owner before transfer
    to 3rd parties


Final thought…
   In IT sustaining competitive advantage is not possible
    because everyone can copy what you do so…
   …from the context of the cloud provider operating in a
    panoply, survival is about taking out costs faster…bringing
    down IT costs…and increasing sales
   Cost reductions in this space seem to fixate around
    increasing use of cloud aggregators…perhaps in China or
    India
   The consequences of this are…
   …legal, governance and security plays catch up
   …and while this vacuum exists there will be many risks
    across many facets of cloud sourcing, particularly with low-
    cost highly aggregated cloud sourcing implementations
   We are definitely chasing the tail, and it’s way too early for
    any of us to be complacent


Speaker notes
   Speaker notes provided here to assist
    with reader understanding




Cloud XaaS, friend or foe?
<back to slide>


   Speaker notes use with slide # 3
    ◦ (+ Side)
            Emerging not yet core
            Very attractive sales pitch; cost saving, efficiency, elastic storage
            Low cost path for start-up
            Business unit making the most of their limited budget
            Cloud provider sells the dream

    ◦ (- Side)
             It's just not mature yet
            Too much to lose
            Let someone else catch a cold
            Only a few applications, very low risk
            We carry sensitive customer information…no way.. US PATRIOT Act

    ◦ (= Balancing)
            The CIO pulling in both directions
            Limit the travel and accelerate the acceptability (how?)
            Legal have been saying they are slow in this space for quite some time – but they believe our issues will be fixed by
             contracts (right?)

    ◦ (= Balancing)
            Clearly an emerging technology that has everyone excited for one reason or another




Ash Cloud, Icelandic Volcano
   Speaker notes use with slide # 5
    ◦ Major airlines, major losses during disaster.
    ◦ Share price for all was impacted.
    ◦ Hotels, supply industry, perishable goods.
    ◦ Some winners, Brittany Ferries carried 5 X more passengers during this
      period.
    ◦ Channel tunnel operators actually made a profit.
    ◦ Do cloud providers run their businesses in the same way – in that there
      are just some elements in the equation that are just not manageable?
    ◦ Will the economics involved create the same outcome (in cloud)?
    ◦ Is it really just a fad and a FaaS (FARCE)?




To the Board: Cloud, Silver Lining?
   Speaker notes use with slide # 8
    ◦ (- side)
    ◦ MS Office $1.5 per seat in house, $3 cloud
    ◦ Graphics intensive, Latency sensitive (E.g., financial and transactional applications)
    ◦ You are a target or will become a target where your data is held alongside
      valuable information
    ◦ EU DP rules, US Patriot Act, non existent or emerging DPA/DPO
    ◦ E-discovery subject data in cloud, where?
    ◦ SaaS, PaaS, DaaS, etc cloud providers and sub providers who?, where?, what? =
      due diligence is near impossible for customer
    ◦ Commercial risk can be transferred, but ultimate risk always remains with the
      end customer
    ◦ (+ side)
    ◦ Outsourcing allows customer to test the water – examine the portability of
      their operation and how to bring back in house if required.
    ◦ Cloud is NOT another way to outsource, they are in fact very different.

Enterprise Access Controls
   Speaker notes use with slide # 10
    ◦ Cloud infrastructures are different - impossible to run a web server
      plug-in on a multi-tenant architecture where multiple organizations
      share common infrastructure
    ◦ Poor authentication, authorisation and accounting (AAA)
    ◦ Unauthorised access to resources, privileges escalation, impossibility of
      tracking the misuse of resources and security incidents in general
    ◦ Cloud makes password based authentication attacks much more impactful
    ◦ Corporate applications are now exposed to the internet
    ◦ Password based authentication is now insufficient
    ◦ Need for stronger two-factor authentication




Enterprise Access Controls
   Speaker notes use with slide # 11
    ◦ Authentication for the cloud - the cloud works differently than for an
      enterprise network. The enterprise can rely on multiple layers of
      authentication
    ◦ Doesn't scale to the cloud
    ◦ Users aren't necessarily connected to a corporate LAN
    ◦ Users, like customers, aren't part of the enterprise Active Directory
    ◦ Administration - not only manage access by employees, but also
      customers and partners
    ◦ Data can reside in remote repositories across the Internet
    ◦ User management must also be federated between clouds and the
      partner enterprises




Enterprise Access Controls
   Speaker notes use with slide # 12
    ◦ Auditing and Compliance - the infrastructure for managing compliance must
      extend across the Internet and encompass the applications, users, and activities
      on remote as well as enterprise systems.
    ◦ Manage cloud access paths through a consistent control point
    ◦ Using an Internet-scale proxy utility.
    ◦ Task of auditing becomes centralised.
    ◦ Proxies do not require software agents
    ◦ Loosely coupling security with cloud applications is massively scalable.
    ◦ Consistency is essential for compliance, cannot be achieved using ad-hoc and
      siloed approaches to access control and reporting.
    ◦ Confidentiality of data - users' credentials are scattered across multiple systems
      not under their direct control. If proper encryption is not in place, user
      passwords are vulnerable to theft and can be used to gain access to other
      applications.
    ◦ Simply extending existing security systems will fail.


Liability
   Speaker notes use with slide #15 if required: definitions
   E-Commerce Directive – ensure free movement of “information society services”
    across the European Community (enhancing the internal market) – establishment of
    service providers, commercial communications, electronic contracts, the liability of
    intermediaries, codes of conduct etc


   Data Controller - is the individual or the legal persons (such as companies) who
    controls and is responsible for the keeping and use of personal information on
    computer or in structured manual files. Carries serious legal responsibilities. Must
    comply with certain important rules on how they collect and use personal
    information. Some controllers must register annually with the Data Protection
    Commissioner in order to make transparent their data handling practices.


   Data Processor – holds or processes personal data BUT does not exercise
    responsibility for control over the personal data. Has a very limited set of
    responsibilities under the Data Protection Act, concerning the necessity to keep
    personal data secure from unauthorised access, disclosure, destruction or
    accidental loss.

Privacy with Elasticated Storage
   Speaker notes use with slide # 16
    ◦ Existing legal structure can’t cope with the reality of existing
      technology
    ◦ Current Privacy rules want to compartmentalise our cloud-
      space
    ◦ Significant legal compliance risk
    ◦ Who are you dealing with?
    ◦ Who is processing your data?
    ◦ No transparency due to architecture
    ◦ No direct relationship, and no direct contractual legal rights or
      remedies




Privacy with Elasticated Storage
   Speaker notes use with slide # 17
    ◦ There are conflicting laws, regulations and views on what privacy
      is and what it requires from organisations to protect it -
      perception may be different from the law
    ◦ Important Principles - Collection and Use Limitation, Security,
      Retention and Destruction, Transfer, Accountability
    ◦ ILM phases from cradle to grave - Generation, Use, Transfer,
      Transformation, Storage, Archival, and Destruction




Bibliography
   Llrx.com, Cloud Computing, Navetta September 2009, Forsheit October 2009
   InformIT, Cloud Security and Privacy parts 1 and 2, McHale May 2010
   Info Law Group, Legal Implications of Cloud Computing part 3, Navetta October 2009
   ENISA, Cloud Computing - Benefits, risks and recommendations for information security, Nov 2009
   Cloud Security and Privacy, An Enterprise Perspective on Risks and Compliance, Tim Mather, Subra Kumaraswamy, Shahed Latif, O’Reilly September 2009
   Cloud Security Alliance, csaguide.pdf v2.1




 
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11   CLOUD COMPUTING (IN)SECURITY .docxC11-1 CASE STUDY 11   CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
 
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11   CLOUD COMPUTING (IN)SECURITY .docxC11-1 CASE STUDY 11   CLOUD COMPUTING (IN)SECURITY .docx
C11-1 CASE STUDY 11 CLOUD COMPUTING (IN)SECURITY .docx
 
Security threat issues and countermeasures in cloud computing
Security threat issues and countermeasures in cloud computingSecurity threat issues and countermeasures in cloud computing
Security threat issues and countermeasures in cloud computing
 
Challenges of IP protection in era of cloud computing
Challenges of IP protection in era of cloud computingChallenges of IP protection in era of cloud computing
Challenges of IP protection in era of cloud computing
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
 
Statewide Insurance - Cloud Computing with ACE Insurance
Statewide Insurance - Cloud Computing with ACE InsuranceStatewide Insurance - Cloud Computing with ACE Insurance
Statewide Insurance - Cloud Computing with ACE Insurance
 
Cloud Computing Insurance
Cloud Computing InsuranceCloud Computing Insurance
Cloud Computing Insurance
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture Review on Security Aspects for Cloud Architecture
Review on Security Aspects for Cloud Architecture
 
2010 Cloud Computing
2010 Cloud Computing2010 Cloud Computing
2010 Cloud Computing
 
Presentation copy
Presentation   copyPresentation   copy
Presentation copy
 

Cloud Cuckoo Land to Corporate Acceptance

  • 1. Cloud Computing XaaS: Moving from Cloud Cuckoo Land to Corporate Acceptance. London e-Crime Cloud Forum, June 2010. Mark Henshaw FBCS CITP CISM CGEIT CISSP, mhenshaw@isaca-london.org [Speaker notes included]
  • 2. Proprietas
     The presentation and the views and opinions expressed represent those of the author and should not be ascribed to General Motors or Vauxhall Opel
     Any subsequent debate or discussion in relation to this material should be conducted with the author
  • 3. Cloud XaaS, friend or foe? [speaker notes slide #21]
    How do you see it? The slide shows a spectrum from risk taker to risk averse:
    ◦ Risk taker (e.g., cost dominated): Cloud provider, Business unit, Start-up
    ◦ In between: CIO
    ◦ Risk averse (e.g., risk dominated): CISO, Security, Legal, Governance, Mature business
  • 4. First thoughts
     Have you engaged:
    ◦ Legal Counsel?
    ◦ Privacy Counsel?
    ◦ Human Resources Management?
    ◦ Business Process Leadership?
    ◦ Risk Management (Enterprise)?
    ◦ Business Partners?
    ◦ All impacted IT players?
    ◦ Third Parties and Suppliers?
     Why not? You are establishing a major strategic direction for the business using Cloud Computing, and they are all key stakeholders and Subject Matter Experts
     Build and execute a Cloud-delivered Security Strategy in partnership across the organisation, NOT just IT
  • 5. Ash Cloud, Icelandic Volcano [speaker notes slide #22]
     Sixty-three thousand flights cancelled in four days; a total of 313 airports paralysed by restrictions and a global backlog affecting more than 6.8 million travellers
     Bigger issues came into play which may potentially put organisations out of business, such as reduced or non-existent service to customers; supply chains failing; and even vital life-saving equipment and medication unable to reach its destination
     In the context of business continuity, many unprepared organisations may simply say that they couldn't possibly plan for an eventuality such as this and excuse themselves for their misgivings, in the hope that everything will get back to normal sooner or later and their customers will understand
    Is this a familiar attitude? And who is liable anyway?
  • 6. Agenda
     When adopting service offerings from the cloud, what are the security, compliance and liability issues that need to be understood at board level, beyond the sales pitch of cost reductions and operational benefits?
     What measures can be taken to surmount the challenges of implementing access controls for enterprises that move to cloud-based services, and why is this a critical step in approaching corporate acceptance of cloud computing?
     What aspects of security in the cloud should remain under the control of corporate custodians, which are likely to necessitate outsourcing control to the cloud provider, and what steps must be taken to ensure a comprehensive understanding of where the business, as opposed to the cloud supplier, is accountable and liable for defending against vulnerability?
     How can organisations that utilise multiple elasticated storage solutions across different jurisdictions abide by regional data privacy laws while meeting regulatory compliance requirements?
  • 7. Agenda
    Or to put it another way: what should it take to convince the CEO and board that cloud computing services are a realistic choice for their business and not some cloud cuckoo land fantasy?
  • 8. To the Board: Cloud, silver lining? [speaker notes slide #23]
     Price: not always cheaper than in house
     Applications: not all fit the XaaS model
     Security: should be rock solid; will be a bigger target
     Governance/Compliance: maze of data handling rules
     Legal maturity: Cloud models complex and hard to define; poor or non-existent legal structures and precedents
     Liability: significant work to define and document who is liable for what at each XaaS layer
     Cost: driving utilisation of possibly high-risk providers
     Risk: distinguish risk from commercial risk
     Outsourcing: a better first step
  • 9. To the Board: Cloud, silver lining?
    Any provider who claims to have fixed all the risks and issues may be offering FaaS
  • 10. Enterprise Access Controls [speaker notes slide #24]
     Cloud computing must provide security on a par with what exists inside the firewall; compliance is impossible without controls
     Control over access, authentication, auditing and administration (IAM)
     Infrastructure resides across the Internet, collectively operated by the enterprise, its partners, and service providers
     Firewalls can't manage access to cloud applications because, by definition, these applications are accessed over the Internet outside the corporate firewall
     Access management for the cloud must be controlled without agents and without tightly coupling infrastructure components together
  • 11. Enterprise Access Controls [speaker notes slide #25]
     Federation provides an inter-organisational authentication solution
     Federation uses the Security Assertion Markup Language (SAML) standard
     Each organisation manages its own users and, through trust relationships, shares authentication between sites
     Administration supporting the complex structures and business relationships between cloud networks and organisations
  • 12. Enterprise Access Controls [speaker notes slide #26]
     Auditing and compliance for the cloud must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems
     Perimeter controls are ineffective for compliance
     Confidentiality of data must be protected both in motion and at rest
     Requires an intelligent cloud strategy from the very beginning
  • 13. Liability and Responsibility
     Division of liabilities between customer and provider
     Division of responsibilities for security incidents; SaaS and IaaS vary greatly
     Establish a table and clearly define who is responsible for what
     Where no negotiation is possible, providers must verify what lies within their responsibility
     IaaS providers treat customer applications as a black box, so it is vitally important for the customer to take full responsibility for securing cloud-deployed applications
     Follow best practice and perform an assessment
  • 14. Liability and Responsibility
    Businesses signing up for standard (read: economic) cloud services should not expect the provider to accept liability for data breaches and other security incidents (Attrib. Microsoft)
  • 15. Liability [speaker notes slide #27]
    Customer versus provider, by area:
    ◦ Lawfulness of content. Customer: full liability. Provider: intermediary liability, with liability exemptions under the terms of the E-commerce directive (1) and its interpretations
    ◦ Security incidents (including data leakage, use of account to launch attack). Customer: responsibility for due diligence for what is under its control. Provider: responsible for due diligence for what is under its control according to contractual conditions
    ◦ European Data Protection Law status. Customer: data controller. Provider: data processor (external)
    Incident management and resolution will vary greatly between SaaS, PaaS and IaaS
    From ENISA, "Cloud Computing - Benefits, risks and recommendations for information security", Nov 2009
  • 16. Privacy with Elasticated Storage [speaker notes slide #28]
     Geography can lose all meaning and location seems irrelevant: not able to tell where data is at any given point in time
     Multiple data copies being stored in different locations (also true for private cloud)
     Data transferred across multiple borders with significant legal implications
     Gets more complicated with public cloud and hybrid cloud
     Public cloud economics is about trading available processing and storage capacity: data is fungible and able to be moved, like trading electricity
  • 17. Privacy with Elasticated Storage [speaker notes slide #29]
     There is no universally adopted privacy standard; perception may be different from the law
     Essential for well-defined Security and Privacy SLAs to be part of the Statement of Work
     Strong data governance should be performed by the Cloud provider through full Information Lifecycle Management (ILM); protection of personal information should consider the impact of the cloud on each of the ILM phases
  • 18. Privacy with Elasticated Storage
     Adopt a systematic approach to addressing privacy in the cloud
     Perform due diligence and risk assessments
     Seek country-based legal advice (legal counsel) and develop a process framework and internal controls
     Attempt to control cross-border data flows through selection of the countries used by the Cloud provider
     Ensure data is deleted on virtual storage devices
     Ensure consent from the data owner before transfer to 3rd parties
  • 19. Final thought…
     In IT, sustaining competitive advantage is not possible because everyone can copy what you do, so…
     …from the context of the cloud provider operating in a panoply, survival is about taking out costs faster, bringing down IT costs, and increasing sales
     Cost reductions in this space seem to fixate around increasing use of cloud aggregators, perhaps in China or India
     The consequences of this are…
     …legal, governance and security play catch-up
     …and while this vacuum exists there will be many risks across many facets of cloud sourcing, particularly with low-cost, highly aggregated cloud sourcing implementations
     We are definitely chasing the tail, and it's way too early for any of us to be complacent
  • 20. Speaker notes
     Speaker notes are provided here to assist with reader understanding
  • 21. Cloud XaaS, friend or foe? <back to slide>
     Speaker notes, use with slide #3
    ◦ (+ Side)
       Emerging, not yet core
       Very attractive sales pitch: cost saving, efficiency, elastic storage
       Low-cost path for a start-up
       Business unit making the most of their limited budget
       Cloud provider sells the dream
    ◦ (- Side)
       It's just not mature yet
       Too much to lose
       Let someone else catch a cold
       Only a few applications, very low risk
       We carry sensitive customer information… no way… US PATRIOT Act
    ◦ (= Balancing)
       The CIO pulling in both directions
       Limit the travel and accelerate the acceptability (how?)
       Legal have been saying they are slow in this space for quite some time, but they believe our issues will be fixed by contracts (right?)
    ◦ (= Balancing)
       Clearly an emerging technology that has everyone excited for one reason or another
  • 22. Ash Cloud, Icelandic Volcano
     Speaker notes, use with slide #5
    ◦ Major airlines, major losses during the disaster
    ◦ Share price for all was impacted
    ◦ Hotels, supply industry, perishable goods
    ◦ Some winners: Brittany Ferries carried 5 times more passengers during this period
    ◦ Channel tunnel operators actually made a profit
    ◦ Do cloud providers run their businesses in the same way, in that there are just some elements in the equation that are just not manageable?
    ◦ Will the economics involved create the same outcome (in cloud)?
    ◦ Is it really just a fad and a FaaS (FARCE)?
  • 23. To the Board: Cloud, Silver Lining?
     Speaker notes, use with slide #8
    ◦ (- side)
       MS Office $1.5 per seat in house, $3 cloud
       Graphics intensive, latency sensitive (e.g., financial and transactional applications)
       You are a target, or will become a target where your data is held alongside valuable information
       EU DP rules, US Patriot Act, non-existent or emerging DPA/DPO
       E-discovery: subject data in the cloud, where?
       SaaS, PaaS, DaaS, etc. cloud providers and sub-providers: who?, where?, what? Due diligence is near impossible for the customer
       Commercial risk can be transferred, but ultimate risk always remains with the end customer
    ◦ (+ side)
       Outsourcing allows the customer to test the water: examine the portability of their operation and how to bring it back in house if required
       Cloud is NOT another way to outsource; they are in fact very different
  • 24. Enterprise Access Controls
     Speaker notes, use with slide #10
    ◦ Cloud infrastructures are different: impossible to run a web server plug-in on a multi-tenant architecture where multiple organisations share common infrastructure
    ◦ Poor authentication, authorisation and accounting (AAA)
    ◦ Unauthorised access to resources, privilege escalation, impossibility of tracking the misuse of resources and security incidents in general
    ◦ Cloud makes password-based authentication attacks much more impactful
    ◦ Corporate applications are now exposed to the Internet
    ◦ Password-based authentication is now insufficient
    ◦ Need for stronger two-factor authentication
  • 25. Enterprise Access Controls
     Speaker notes, use with slide #11
    ◦ Authentication for the cloud: the cloud works differently than an enterprise network. The enterprise can rely on multiple layers of authentication
    ◦ This doesn't scale to the cloud
    ◦ Users aren't necessarily connected to a corporate LAN
    ◦ Users, like customers, aren't part of the enterprise Active Directory
    ◦ Administration: not only manage access by employees, but also customers and partners
    ◦ Data can reside in remote repositories across the Internet
    ◦ User management must also be federated between clouds and the partner enterprises
  • 26. Enterprise Access Controls
     Speaker notes, use with slide #12
    ◦ Auditing and compliance: the infrastructure for managing compliance must extend across the Internet and encompass the applications, users, and activities on remote as well as enterprise systems
    ◦ Manage cloud access paths through a consistent control point, using an Internet-scale proxy utility
    ◦ The task of auditing becomes centralised
    ◦ Proxies do not require software agents
    ◦ Loosely coupling security with cloud applications is massively scalable
    ◦ Consistency is essential for compliance and cannot be achieved using ad-hoc and siloed approaches to access control and reporting
    ◦ Confidentiality of data: users' credentials are scattered across multiple systems not under their direct control. If proper encryption is not in place, user passwords are vulnerable to theft and can be used to gain access to other applications
    ◦ Simply extending existing security systems will fail
  • 27. Liability
     Speaker notes, use with slide #15 if required: definitions
     E-Commerce Directive: ensures free movement of "information society services" across the European Community (enhancing the internal market); covers establishment of service providers, commercial communications, electronic contracts, the liability of intermediaries, codes of conduct, etc.
     Data Controller: the individual or legal person (such as a company) who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Carries serious legal responsibilities and must comply with certain important rules on how they collect and use personal information. Some controllers must register annually with the Data Protection Commissioner in order to make their data handling practices transparent.
     Data Processor: if you hold or process personal data BUT do not exercise responsibility for control over the personal data, then you are a data processor. Data processors have a very limited set of responsibilities under the Data Protection Act, concerning the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss.
  • 28. Privacy with Elasticated Storage
     Speaker notes, use with slide #16
    ◦ The existing legal structure can't cope with the reality of existing technology
    ◦ Current privacy rules want to compartmentalise our cloud space
    ◦ Significant legal compliance risk
    ◦ Who are you dealing with?
    ◦ Who is processing your data?
    ◦ No transparency due to architecture
    ◦ No direct relationship, and no direct contractual legal rights or remedies
  • 29. Privacy with Elasticated Storage
     Speaker notes, use with slide #17
    ◦ There are conflicting laws, regulations and views on what privacy is and what it requires from organisations to protect it; perception may be different from the law
    ◦ Important principles: Collection and Use Limitation, Security, Retention and Destruction, Transfer, Accountability
    ◦ ILM phases from cradle to grave: Generation, Use, Transfer, Transformation, Storage, Archival, and Destruction
  • 30. Bibliography
     Llrx.com, Cloud Computing, Navetta, September 2009; Forsheit, October 2009
     InformIT, Cloud Security and Privacy, parts 1 and 2, McHale, May 2010
     Info Law Group, Legal Implications of Cloud Computing, part 3, Navetta, October 2009
     ENISA, Cloud Computing - Benefits, risks and recommendations for information security, Nov 2009
     Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, Tim Mather, Subra Kumaraswamy, Shahed Latif, O'Reilly, September 2009
     Cloud Security Alliance, csaguide.pdf v2.1