5. CLOUD SECURITY AN EXECUTIVE LEVEL CONCERN
Source: Cloud Security Alliance “Cloud Adoptions Practices & Priorities Survey Report” (2015)
82% of IT professionals in Asia
Pacific continue to regard cloud
data security as an executive-
level concern
11. A simple definition
“In simple words, the Cloud refers to the
process of sharing resources (such as
hardware, development platforms and/or
software) over the internet. It enables On-
Demand network access to a shared pool of
dynamically configurable computing
resources. These resources are accessed mostly
on a pay-per-use or subscription basis.”
The Cloud Changing the Business Ecosystem, KPMG, 2011
14. Public, Private, Hybrid
Off premises/third-party
Public/
external
Private/
internal
On premises/internal
Hybrid
Image reproduced from Cloud security and privacy, 2009, Mather et al.
15. Private and hybrid clouds
• Rise in hybrid and private
cloud for sensitive data
• Private cloud cost can be
prohibitive
• Hybrid cloud ranks 4 on
Gartner top 10 strategic
technology trends, 2014
KPMG's The Cloud: Changing the Business Ecosystem, 2011
Models companies use/intend to use*
(Larger companies prefer private)
17. CUSTOMER’S BIGGEST
CONCERN?
A survey commissioned by Microsoft on ‘Cloud computing
among business leaders and the general population’ states that:
58% of the general population and 86% of senior business leaders
are excited about the potential of cloud computing.
But, more than 90% of these same people are concerned about the
security, access and privacy of their own data in the cloud.
Source: Microsoft
20. CONTROL, LIABILITY AND
ACCOUNTABILITY
On premise
App
VM
Server
Storage
Network
On premise
(hosted)
App
VM
Server
Storage
Network
IaaS
App
VM
Server
Storage
Network
PaaS
App
Services
Server
Storage
Network
SaaS
App
Services
Server
Storage
Network
Organization has
control
Organization shares
control with vendor
Vendor
has control
Image reproduced from Cloud security and privacy, 2009, Mather et al.
21. Cloud security
• What’s not new?
• Phishing, password, malware, downtime etc.
• What’s new? Understand…
• Change in trust boundaries
• Impact of using
• Public vs. private cloud
• IaaS vs. PaaS vs. SaaS
• Division of responsibilities between customer and
Cloud Service Provider (CSP)
23. CLOUD SECURITY IS NO DIFFERENT
Familiar Security
Model
Validated and driven by
customers’ security experts
Benefits all customers
Physical
Network
System
People & Process
CLOUD SECURITY IS NO DIFFERENT
24. There are undoubtedly risks associated with the use of
Cloud-based services, just as there are risks associated
other delivery models.
Source: Capgemini
26. SECURITY & COMPLIANCE IS A SHARED RESPONSIBILITY
Foundation Services
Compute Storage Database Networking
Global
Infrastructure
Edge Locations
Availability Zones
Regions
Responsible for
the security
OF the cloud
Customers have
their choice of
Security IN the
Cloud
Client-side Data
Encryption
Sever-side Data
Encryption
Network Traffic
Protection
Operating System, Network & Firewall Configuration
Platform, Application, Identity & Access Management
Customer Application & ContentC
U
S
T
O
M
E
R
27. WHY ITS DIFFERENT?
Most cloud security problems stem from:
Loss of control
Lack of trust
Multi-tenancy
28. CLOUD DATA AND STORAGE SECURITY
Data-in-transit
Data-at-rest
Processing of Data
(including Multi-tenancy)
29. When users use the cloud, user probably won’t know exactly where your data is
hosted, what country it will be stored in?
Data should be stored and processed by only specific jurisdictions as define by
user.
Provider should also make contractual commitment to obey privacy
requirement on behalf of their customers,
Data-centered policies that are generated when a user provides personal or
sensitive information, that travels with that information throughout its lifetime
to ensure that the information is used only in accordance with the policy
DATA LOCATION
Data
Policies
30. Sanitization is a process of removing sensitive information from a storage
device .
What happens to data stored in a cloud computing environment once it has
passed Its user’s “use by date”
What data sanitization practices does the cloud computing service provider
propose to implement for redundant and retiring data storage devices as and
when these devices are retired or taken out of service.
DATA SANITIZATION
36. AWS CLOUDTRAIL
You are making
API calls
On a growing set
of services around
the world…
CloudTrail is
continuously
recording API calls
And delivering log
files to you
37. SECURITY IS VISIBLE
Who is accessing the resources?
Who took what action
When?
From Where?
What did they do?
Logs Logs Logs
Physical
44. What steps are you [CSP] taking to improve data security and privacy
in your cloud offerings? (top 3)*
CSPs improving security
Tighter
restrictions
on user
access
Greater use
of data
encryption
Improving
real-time
threat
detection
45. Top SLA parameters
System Availability Regulatory compliance
Data security
Functional capabilities
Response time
Other performance levels
*KPMG International’s 2012 Global Cloud Provider Survey (n=179)
47. HYPERVISOR BASED FIREWALL
We do have some options available if we need a higher level of risk
mitigation than what is provided by a virtual firewall appliance i.e.
hypervisor based firewall.
Example: VMware’s vShield
A hypervisor based firewall moves the firewall to the other side of the
virtual switch, thus mitigating any risks within the switch itself.
The problem with hypervisor based firewalls is that they are vendor
specific.
49. FIRERACK VIRTUAL FIREWALL
The Netservers FireRack firewall is an Internet security appliance
designed to provide highly compartmentalized security with
devolved management.
Security Zones
It is hence ideally suited for environments such as co-location
hosting or college networks where badly maintained or
untrustworthy computers on the same network as yours could
otherwise pose it a threat.
54. MTCS MODEL
Level 3
Level 2
Level 1
Security
Controls
in place
Most
Stringent
Stringent
Baseline
Addresses
Security Risks
& Threats to
High impact IT
systems
Moderate impact
IT systems
Low impact IT
systems
Designed for
companies
with
Regulatory
compliance
requirements
Business critical
data and
systems
Business non-
critical data and
system
Examples
Hosting of highly
confidential
business data,
financial records,
medical records
Hosting of
confidential
business data,
email, CRM
Web site hosting
public
information
58. NUMBERS AND VOLUME
DOT
12 agencies
60,000 employees
100’s of business and
government services managed
CARS
18,000+ car dealers enrolled
680,000 older vehicles traded
in for new, fuel-efficient cars
61. THE RESULTS
CARS is considered one of the biggest successes of
the Obama administration.
CARS had a large impact on the economic recovery
by saving or creating tens of thousands of jobs, as
well as by increasing GDP by an estimated $3.8 to
$6.8 billion.
Going forward, the program will also result in a
reduction of fuel consumption (~33M gallons
annually) and CO2 emissions (~360K metric tons
annually) over the lifetime of the newly purchased
vehicles.
62. • Change in trust boundaries
• Mostly no new security or privacy
issues per se
63. CLOUD SECURITY IS FAMILIAR!
“Based on our experience, I believe that we can be even more secure in
the AWS cloud than in our own data centres.”
Tom Soderstrom, CTO, NASA
Nearly 60% of organizations agreed that CSPs[cloud service
providers] provide better security than their own IT
organizations.
Source: IDC 2013 U.S. Cloud Security Survey,
doc#242836,September 2013