The world of computing is moving to the cloud — shared infrastructure, shared systems, instant provisioning, and pay-as-you-go services. Users can enjoy anytime, anywhere access to services and their data, on any device. But are we secure within the new cloud environments? Are information assets adequately protected as they move around in the cloud? The answer to both is yes — as long as your underlying security architecture has been designed for the cloud. In this session, Rob Livingstone will examine key security considerations surrounding the convergence of hybrid clouds, mobile devices and BYOD, and provide practical guidance on how to identify and mitigate the key technical and systemic risks in your Cloud journey.
Cloud Security Keynote: Cloud-Mobile Convergence: IT's Next Horizon, CISO's Next Challenge
1. Cloud Security Keynote: Cloud-Mobile
Convergence: IT's Next Horizon, CISO's
Next Challenge
Presented by:
Rob Livingstone
Principal – Rob Livingstone Advisory Pty Ltd
Fellow – University of Technology, Sydney
2. What I will be covering
1. Exploring the real definition of Cloud
2. Scope of this presentation
3. Systemic vs. Technical risks
4. Hybrid Cloud is the reality
5. Adding in mobility
6. BYOD, or Bring your own Disaster?
7. Hybrid Cloud + Mobility + BYOD Systemic Risk?
8. Standards? Which standards?
9. Orchestrating the transition
3. 1. Exploring the real definition of Cloud
The most sensible definition of Cloud:
“Forget your technical definition of the Cloud, ask
your mom what the Cloud is…
…And what your mother will tell you about the Cloud
is that it means it’s not on my computer.”
Dave Asprey – Global VP, Cloud Security, Trend Micro
‘Navigating through the Cloud’ – Podcast Episode, 23rd May 2012
5. 2. Scope of this presentation
• Mission critical, non-commodity, enterprise systems
• Multi-year investment in a cloud solution
• Shifting existing enterprise capability to Cloud, (or integrating)
• Mid to large enterprise
• High security, privacy and confidentiality needs
• High governance loads and compliance environments
• Low risk appetite / high failure penalty environments
6. 3. Systemic vs. Technical Risk
Systemic Risks
• Taking a systemic view of risk will give you a better perspective of the actual
risk, rather than what you think the risk might be
• Systemic risks are those with the greatest potential impact as they affect the
entire system (ie: Organisation, government, country, world…)
• Case in point: How is it that the finance industry, which is one of the more
regulated, and invests heavily in risk identification, mitigation and transference,
could be the cause of the current global financial problems?
• Systemic risk for the enterprise is the silent killer and is often the hardest to
identify as only a few have a complete, transparent and objective overview of
the overall enterprise in sufficient detail.
• Mitigation through approaches such as Enterprise Risk Management (ERM),
with origins in fraud, organisational governance, insurance, etc.
7. 3. Systemic vs. Technical Risk
Technical (or functional) Risk
• Identifying, categorising and ranking technical and functional risks is core
to conventional IT risk assessment approaches:
o Risk of a specific event = (Impact × Probability of that event occurring) + Risk Adjustment
• Underpins conventional risk certification frameworks e.g. ISO 2700X
• Certification does not necessarily equal security or effectiveness of your
risk management model
• Focusing only on the diverse range of individual technical risks does not account
for the interaction between risks.
• Systemic risks are often more significant than the sum of the individual,
technical risks
8. 4. Hybrid Cloud is the reality
Hybrid will be the dominant form in the enterprise
“Within five years, it will be primarily deployed by enterprises
working in a hybrid mode.” – Gartner
Gartner, “Predicts 2012: Cloud Computing Is Becoming a Reality”
(Published: 8 December 2011, ID: G00226103)
9. 4. Hybrid Cloud is the reality
…. And with the Hybrid Cloud comes complexity….
Managing this ecosystem is not simple
10. 4. Hybrid Cloud is the reality …. As is the complexity….!
• Orchestrating versioning,
change control and rollback
• Life expectancy alignments
• Business Continuity
• Identity Management
• Due diligence
• Forensics
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
….. To name but a few
11. 4. Hybrid Cloud is the reality
…. And what about availability in the Hybrid Cloud?
Availability will be lower in a hybrid model due
to the 'weakest link' effect in the cloud ecosystem
12. 4. Hybrid Cloud is the reality
Hybrid cloud can contribute to….
• Increased vulnerability due to its fragmented architecture and larger
attack surface…
• However, if it is properly architected, risks are largely eliminated by
implementing measures such as…
o Deploying effective policy-based key management processes
o Properly segmenting your public and private clouds
o Encrypting each part of the hybrid Cloud with separate keys
o … amongst other measures
13. 5. Adding in Mobility
Mobile Devices
• Are powerful cloud access devices
• Extend the perimeter of your cloud
• Disperse the perimeter of your cloud
Have the potential to increase the vulnerability
• The compromising of one of these mobile devices could
be significant and compromise your entire cloud.
• Use policy-based key management regimes for your data.
14. 6. BYOD or Bring Your Own Disaster?
BYOD stands for Bring Your Own Device.
• Reflects the increasing demands of users and organisations on their
own IT departments to be increasingly agile and responsive to their
needs when it comes to iPads, tablets and other mobile devices.
• Read the NIST Draft Guidelines:
http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
15. 6. BYOD or Bring Your Own Disaster?
BYOD requires management:
• Deploy Mobile Device Management systems (remote wipe, policy
enforcement)
• Introduce a non-porous Virtual Desktop environment – no data can
flow between the Cloud system and the mobile device itself
• Containerisation:
o Segregates corporate from personal data and applications
o Enforces encryption and prevention of data leakage
between containers
o Application / device specific, therefore can be a challenge to
expand across the entire mobile environment for all
applications.
16. 7. Hybrid Cloud + Mobility + BYOD Systemic Risk?
Is the Systemic risk increased by the combination of:
– Hybrid Cloud
– Mobility
– BYOD?
I would suggest that the answer is ‘Yes’
17. 8. Standards? Which standards?
Plethora of forums, industry groups and associations
– Cloud Security Alliance
– Cloud Standards Customer Council
– Distributed Management Task Force (DMTF)
– Cloud Management Working Group (CMWG)
– The European Telecommunications Standards Institute (ETSI)
– National Institute of Standards and Technology (NIST)
– Open Grid Forum (OGF)
– Object Management Group (OMG)
– Open Cloud Consortium (OCC)
– Organization for the Advancement of Structured Information Standards (OASIS)
– Storage Networking Industry Association (SNIA)
– The Open Group
– Association for Retail Technology Standards (ARTS)
– TM Forum’s Cloud Services Initiative
Source: cloud-standards.org
18. 8. Standards? Which standards?
• Compliance standards were originally designed for on-premise
IT systems and infrastructure that were relatively static
• Auditing institutions are averse to cutting edge technologies
• Is your organisation standards driven?
– Compliance to Standards vs. Unimpeded Innovation based on principle
of caveat emptor?
• Regulators not providing much specific and concrete guidance
on Cloud
20. 9. Orchestrating the Transition
#1: Adopt an integrated approach to function specific
methodologies and technologies
• Standardised, traditional methodologies within specific
disciplines such as IT security, project management, audit, and
information security, in and of themselves, are self limiting.
• Each discipline and/or technology is only really effective when
applied in a coordinated orchestration with the other key moving
parts of the organisation
Harmonization of functionally specific methodologies and
technologies unleashes value and eliminates waste
21. 9. Orchestrating the Transition
#2: Manage the conflicting messages
• 24% of CEOs surveyed in the 2012 PWC CEO Survey expect
‘major change’.
• The eighth annual KPMG 2012 Audit Institute Report identified
“IT Risk and Emerging Technologies” as the second-highest
concern for audit committees, which is unprecedented in the
history of the report.
• Cloud evangelists see cloud as imperative, others not
Develop an effective mechanism for interpreting these messages
in the context of your business
22. 9. Orchestrating the Transition
#3: Actively identify, embrace and manage shadow IT
“Shadow IT can create risks of data loss, corruption or misuse, and
risks of inefficient and disconnected processes and information”
– Gartner*
Embrace shadow IT, and define what is and what is not eligible to
be considered enterprise IT
*Gartner, “CIO New Year's Resolutions, 2012” (ID: G00227785)
23. 9. Orchestrating the Transition
#4: Identify systemic risks across the organisation
• Systemic risks can kill your business
Ensure your executives and key decision makers are aware of
long term, systemic risks
Consider implementing Enterprise Risk Management (ERM)
24. 9. Orchestrating the Transition
#5: Don’t gloss over complexity
• Senior managers with functional responsibility over specific
vertical silos of the organisation may underestimate the overall
complexity of their own business as a whole.
• From a functional perspective, specific methodologies exist to
support specific activities.
Don’t believe that simple IT solutions can paper over underlying
business complexity. Test assumptions if critical.
25. Thank You
Rob Livingstone
Principal – Rob Livingstone Advisory Pty Ltd
Fellow – University of Technology, Sydney
www.rob-livingstone.com
www.navigatingthroughthecloud.com