Marketing, Uncertainty & Doubt:
Information Security and Cloud Computing

Javed Ikbal
zSquad LLC

© 2009 Javed Ikbal
About zSquad
•   Information Security Consulting Practice
•   Focus areas are:
      – Policy review/development
      – IT Governance
      – Security Architecture
      – Application Security
      – PCI, SAS 70 and ISO 27001 audit prep
      – 3rd party due diligence audits
•   Customers are financial services firms, insurers and
    state / city agencies
•   We also founded The Layoff Support Network
    (www.layoffsupportnetwork.com)
                                                       2
Agenda
•   Too many “cloud” offerings = confused market
•   Pay-as-you-go vs. always on
•   Cloud (in)security
•   Hype: Security vendors
•   Hype: Cloud providers
•   Enterprise Cloud Computing
•   Know your information
•   Minimum due diligence
     – questions to ask your cloud provider
•   If you are a cloud (or related service) provider
     – questions you better have answers for
•   If you develop, things to do
•   Q&A
                                                        3
“Cloud:” Buzzword 2.0
•   Gmail and Hotmail are clouds, too
•   So are SalesForce.com and Google Apps
•   What about timesharing mainframes of old?
•   Or the $5/month shared web-hosting?


       So is the cloud concept decades old?




                                                4
So what exactly is a “cloud”?



      … Massively scalable IT-enabled
      capabilities delivered 'as a service' to
      external customers using Internet
      technologies.
                          -- Gartner



                                                 5
Cumulus, Stratus, Nimbus…
•   SaaS: SalesForce, GoogleMail, Google
    Apps…
•   Utility Computing: Amazon EC2, IBM,
    Unisys…
•   Web Services (API): Google Maps, ADP
    Payroll processing…
•   Platform As A Service: Force.com, Google
    App Engine, Azure
•   Managed Service Providers: Hosted anti-spam
    services
•   Infrastructure as a Service: Amazon, 3Tera
                                                 6
Characteristics:

•   Elasticity: provisioning and deprovisioning
    resources in real time to meet workload
    demands
•   Utility: providing resources on a 'pay-as-you-go'
    basis
•   Ubiquity: providing services available from
    anywhere to anywhere



                                                  7
Cloud (in)Security Characteristics
•    Outside customers’ physical security
     perimeter
•    Unknown (untrusted?) personnel
•    Unenforceable regulatory compliance
•    Unpredictable jurisdiction over data
•    Unknown disaster recovery
•    You may very well be locked-in
•    Zero support for forensics / investigations

                       But:
    Trust us, we are doing the right things
                                                   8
Every RSA Conference has a buzzword
This year it was "the cloud."

     In one way or another, vendors were pushing their answer
     to handling security in the cloud. Cisco unveiled a number
     of tools and services in the cloud April 21, even though a
     day later Cisco CEO John Chambers described the idea of
     securing a virtual cloud network as “a security nightmare.”

     IBM pulled the covers off a new arsenal of products
     designed to protect cloud computing environments as well,
     while McAfee CEO Dave DeWalt used his keynote to talk
     about using the cloud in the context of what he called
     “predictive security,” his vision of how McAfee will share
     threat intelligence in the cloud to better protect end users.

                                        eWeek.com - 4/24/2009
                                                                     9
Customers Worry
•   90% of cloud application users say they would be very
    concerned if the company at which their data were
    stored sold it to another party.
•   80% say they would be very concerned if companies
    used their photos or other data in marketing
    campaigns.
•   68% of users of at least one of the six cloud
    applications say they would be very concerned if
    companies who provided these services analyzed their
    information and then displayed ads to them based on
    their actions.
                           Cloud Computing Gains in Currency
                              Pew Internet and American Life Project
                                                               10
Vendors Respond:
•   Since 2007, Amazon has been telling us they are: "..
    working with a public accounting firm to ... attain
    certifications such as SAS70 Type II" but these have
    not happened in 2+ years.




                                                       11
Vendors Respond




     http://googleenterprise.blogspot.com/2008/11/sas-70-type-ii-for-google-apps.html
                                                                                        12
Reality
•   March 7, 2009 from the WSJ:
     Google disclosed Saturday that it shared a very small number
      of online documents with users who weren’t authorized to
      see them.
     The privacy glitch, caused by a software bug, affected just a
      tiny fraction of documents — an estimated less than .05%
                                          http://blogs.wsj.com/digits/2009/03/08/1214/
•   September 18, 2009 from the NY Times:
     A recent bug in Google Apps allowed students at several
      colleges to read each other's email messages and some
      were even able to see another student's entire inbox. The
      issue occurred at a small handful of colleges…
     http://www.nytimes.com/external/readwriteweb/2009/09/18/18readwriteweb-whoops-students-going-google-get-to-read-ea-12995.html
                                                                                 13
Want To Complain?




            http://www.google.com/accounts/TOS?hl=en
                                                       14
Amazon EC2/S3




 http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960



   We are not responsible for any unauthorized access to,
   alteration of, or the deletion, destruction, damage, loss or failure
   to store any of, Your Content (as defined in Section 10.2), your
   Applications, or other data which you submit or use in
   connection with your account or the Services.
                                   http://aws.amazon.com/agreement/
                                                                      15
No Customer Audit Allowed




                        http://www.v3.co.uk/v3/analysis/2246616/q-google-apps-director-security

…It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2
and S3, but you cannot achieve level 1 compliance. And you have to provide the
appropriate encryption mechanisms and key management processes. If you have a data
breach, you automatically need to become level 1 compliant which requires on-site
auditing; that is something we cannot extend to our customers. … I recommend
businesses always plan for level 1 compliance. So, from a compliance and risk
management perspective, we recommend that you do not store sensitive credit card
payment information in our EC2/S3 system because it is not inherently PCI level 1
compliant. It is quite feasible for you to run your entire app in our cloud but keep the
credit card data stored on your own local servers which are available for auditing,
scanning, and on-site review at any time.
                                                                                         16

    http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960
Detour: SAS 70 type II
•       Concept: ISO 9000 certified Concrete Life Jackets
    •     manufactured according to the documented procedures
    •     instructions on how to complain about defects
•       SAS 70: Company management defines controls to be
        evaluated
         Management: We have a guard at the front door. That
            is the sole control we want evaluated
        Auditor: And he checked my ID. The control works as
            claimed. Here is your SAS 70 type II certification

        Unless you can see which controls were evaluated,
            SAS 70 type II reports are not meaningful

                                                                17
Can you move your enterprise
        to the cloud?

             Or,

If you are a cloud vendor, how
     do you convince your
     customers to move?


                                 18
Case Study
•   Business: Automatic discount at retail stores
•   Customer identified by Credit Card used
•   Currently 1 million transactions/day
•   PCI-certified stores have demanded PCI
    certification
•   Client stress test: 1 million transactions/hour
•   Amazon Extra-Large Instance
  •    Cost: ~ $200
•   They cannot get PCI certified on Amazon
•   Any other platform is unaffordable



                                                      19
Solution

[Solution diagram not captured in extraction]
           Source: Kavis Technology Consulting
                                                 20
Customer: Data Classification
•   Some parts of the enterprise can go to the cloud
•   The trick is in understanding that:
  •     Not all data is created equal
  •     Some of it is entirely fit to be in a cloud
  •     But if data is valuable enough that someone
        might bring out a gun, cloud is not the right
        place to be.
•   If you need PCI certification, excellent advice from
    AWS rep:
    … keep the credit card data stored on your own
    local servers which are available for auditing,
    scanning, and on-site review at any time

                                                           21
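The AWS rep's advice above (run the application in the cloud, keep card data on your own auditable servers) can be realised for the discount case study by having an on-premise component hold the card numbers and a secret key, and hand the cloud only a keyed token. This is an added illustration, not code from the presentation or from Kavis Technology Consulting; the CardVault and DiscountService names, the key and the card numbers are constructed.

```python
"""Keyed-token pattern: the discount app runs in the cloud, but card numbers
never leave the customer's own PCI-scoped servers.  Added illustration; every
name, the key and the card numbers below are constructed."""
import hashlib
import hmac


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so obvious typos are rejected before tokenisation."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """On-premise component: the only place that sees the PAN or holds the key.

    The token is HMAC-SHA256(key, PAN).  A plain hash would not do: with the
    issuer prefix known, the remaining PAN space is small enough to enumerate,
    so an unkeyed digest could be reversed by whoever obtains the cloud
    database.  The key stays on the local servers that are open to audit.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key

    @staticmethod
    def normalise(pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        return digits

    def token_for(self, pan: str) -> str:
        digits = self.normalise(pan)
        return hmac.new(self._key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class DiscountService:
    """Cloud-side component (e.g. on EC2): stores tokens and discount rules only."""

    def __init__(self) -> None:
        self._discount_pct = {}          # token -> discount percentage

    def enroll(self, token: str, discount_pct: int) -> None:
        if not 0 <= discount_pct <= 100:
            raise ValueError("discount must be a percentage")
        self._discount_pct[token] = discount_pct

    def discount_for(self, token: str) -> int:
        return self._discount_pct.get(token, 0)   # unknown card: no discount


def build_cloud_request(vault: CardVault, pan: str, store_id: str,
                        amount_cents: int) -> dict:
    """What the store sends to the cloud: a token, never the card number."""
    return {"store": store_id, "token": vault.token_for(pan),
            "amount_cents": amount_cents}


def checkout(vault: CardVault, cloud: DiscountService, pan: str,
             store_id: str, amount_cents: int) -> int:
    """Amount to charge after the automatic discount, in cents."""
    request = build_cloud_request(vault, pan, store_id, amount_cents)
    pct = cloud.discount_for(request["token"])
    return amount_cents - amount_cents * pct // 100


if __name__ == "__main__":
    # Constructed demo key and an industry test card number.
    vault = CardVault(b"constructed-demo-key-do-not-reuse-0123456789")
    cloud = DiscountService()
    cloud.enroll(vault.token_for("4111 1111 1111 1111"), 10)
    print(build_cloud_request(vault, "4111-1111-1111-1111", "store-42", 5000))
    print(checkout(vault, cloud, "4111111111111111", "store-42", 5000))  # 4500
```

The cloud database can be dumped, subpoenaed or misconfigured without exposing a single card number, which is what keeps EC2/S3 out of the on-site audit scope the quote describes.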
Off-premise has different security
   problems and requirements

 Understand them, and you can
         secure them
              or
 Make an informed decision to
          Stay Away
                                 22
Customer Due Diligence
•   Centralization of data makes insider threats from
    within the cloud provider a bigger risk
•   Customers should perform onsite inspections of cloud
    provider facilities whenever possible
•   Customers should inspect cloud provider disaster
    recovery and business continuity plans.
•   Customers should identify physical interdependencies
    in provider infrastructure.
•   For IaaS, deploy applications in runtime in a way that
    is abstracted from the machine image. Backups
    should also be machine independent.
•   Understand who your provider’s competitors are. Plan
    for a migration
                     http://www.cloudsecurityalliance.org/
                                                        23
Considering a SaaS provider?
•     If you have the resources, do an audit yourself
    •     If your data requires that level of assurance
    •     If the provider allows
•     Ask the vendor for 3rd party audit reports
•     SAS 70 audit reports: better than nothing
    •     Barely
•     Ask them about:
    •     Employee background check
    •     Secure development process
•     Trust, but verify



                                                          24
Multi-tenant SaaS Security Issues
•   Not net-new vulnerabilities
•   But suddenly you are hosting data on servers
    managed by people who don't work for you
•   And you are not the only user of the server
    •    Can someone do an off-by-one attack?
      •    By mistake?
    •    Denial of service attack against another
         customer?




                                                    25
Providers:
•       Know what you will host
•       Spell out policies and procedures
    •     Employees are background-checked?
    •     Are they bonded?
    •     How would you stop someone from backing up a
          VM and taking it home?
•       Be clear about what you will NOT support
    •     It took Amazon AWS 2 years to provide an
          answer
    •     Some things are still unclear
•       The Google / AWS disclaimers are excellent models
•       Unisys has ISO 27001-certified data centers.
    •     Think before investing that much time, effort and
          money
                                                               26
Providers (cont.)
•   Cloud providers should adopt as a security baseline
    the most stringent requirements of any customer.
  •    Or make clear to the customer where they stand
•   Providers should have robust compartmentalization
    of job duties and limit knowledge of customers to
    that which is absolutely needed to perform job
    duties.
•   Understand that you may be subject to a legal /
    regulatory discovery because of a customer




                                                          27
Creating Secure Software
•   Developers care about deadlines and meeting the
    requirements
•   If security is not in the requirements, it will not get
    done
•   If developers don't know how to code securely, it
    will not get done right
     •    If at all




                                                              28
Building a SaaS offering?
•   Train your developers and architects
     •   A single-day training will probably eliminate
         90% of future security issues
•   Build Security into your life-cycle
•   Let security people, not developers, write the
    security requirements
•   Security Code review sounds nice, but is expensive
     •   Do an application audit before going live
          •    Allow time for it in the project plan




                                                         29
Final Thoughts

[Diagram not captured in extraction: IaaS, PaaS and SaaS plotted against
Customer Extensibility (vertical axis) and Provider Security Responsibility
(horizontal axis), with IaaS at the top left and SaaS at the bottom right]

          Where are you?
     What are you doing about it?
                                                                     30
Questions?




         javed@zsquad.com
    http://10domains.blogspot.com
       http://www.zsquad.com


                                    31

Más contenido relacionado

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 

Destacado

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destacado (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Marketing, Uncertainty and Doubt: Information Security and Cloud Computing

1. Marketing, Uncertainty & Doubt: Information Security and Cloud Computing
Javed Ikbal, zSquad LLC
© 2009 Javed Ikbal

2. About zSquad
• Information Security Consulting Practice
• Focus areas are:
  – Policy review/development
  – IT Governance
  – Security Architecture
  – Application Security
  – PCI, SAS 70 and ISO 27001 audit prep
  – 3rd party due diligence audits
• Customers are financial services, insurances and state / city agencies
• We also founded The Layoff Support Network (www.layoffsupportnetwork.com)

3. Agenda
• Too many “cloud” offerings = confused market
• Pay-as-you-go vs. always on
• Cloud (in)security
• Hype: Security vendors
• Hype: Cloud providers
• Enterprise Cloud Computing
• Know your information
• Minimum due diligence
  – questions to ask your cloud provider
• If you are a cloud (or related service) provider
  – questions you better have answers for
• If you develop, things to do
• QA

4. “Cloud:” Buzzword 2.0
• Gmail and Hotmail are clouds, too
• So are SalesForce.com and Google Apps
• What about timesharing mainframes of old?
• Or the $5/month shared web-hosting?
So is the cloud concept decades old?

5. So what exactly is a “cloud”?
… Massively scalable IT-enabled capabilities delivered 'as a service' to external customers using Internet technologies.
-- Gartner

6. Cumulus, Stratus, Nimbus…
• SaaS: SalesForce, GoogleMail, Google Apps…
• Utility Computing: Amazon EC2, IBM, Unisys…
• Web Services (API): Google Maps, ADP Payroll processing…
• Platform As A Service: Force.com, Google App Engine, Azure
• Managed Service Providers: Hosted anti-spam services
• Infrastructure as a Service: Amazon, 3Tera

7. Characteristics:
• Elasticity: provisioning and deprovisioning resources in real time to meet workload demands
• Utility: providing resources on a 'pay-as-you-go' basis
• Ubiquity: providing services available from anywhere to anywhere
8. Cloud (in)Security Characteristics
• Outside customers’ physical security perimeter
• Unknown (untrusted?) personnel
• Unenforceable regulatory compliance
• Unpredictable jurisdiction over data
• Unknown disaster recovery
• You may very well be locked in
• Zero support for forensics / investigations
But: Trust us, we are doing the right things

9. Every RSA Conference has a buzzword
This year it was "the cloud." In one way or another, vendors were pushing their answer to handling security in the cloud. Cisco unveiled a number of tools and services in the cloud April 21, even though a day later Cisco CEO John Chambers described the idea of securing a virtual cloud network as “a security nightmare.” IBM pulled the covers off a new arsenal of products designed to protect cloud computing environments as well, while McAfee CEO Dave DeWalt used his keynote to talk about using the cloud in the context of what he called “predictive security,” his vision of how McAfee will share threat intelligence in the cloud to better protect end users.
-- eWeek.com, 4/24/2009

10. Customers Worry
• 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party.
• 80% say they would be very concerned if companies used their photos or other data in marketing campaigns.
• 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions.
-- Cloud Computing Gains in Currency, Pew Internet and American Life Project

11. Vendors Respond:
• Since 2007, Amazon has been telling us they are: ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II" but these have not happened in 2+ years.

12. Vendors Respond
http://googleenterprise.blogspot.com/2008/11/sas-70-type-ii-for-google-apps.html

13. Reality
• March 7, 2009 from the WSJ: Google disclosed Saturday that it shared a very small number of online documents with users who weren’t authorized to see them. The privacy glitch, caused by a software bug, affected just a tiny fraction of documents — an estimated less than .05%
  http://blogs.wsj.com/digits/2009/03/08/1214/
• September 18, 2009 from the NY Times: A recent bug in Google Apps allowed students at several colleges to read each other's email messages and some were even able to see another student's entire inbox. The issue occurred at a small handful of colleges…
  http://www.nytimes.com/external/readwriteweb/2009/09/18/18readwriteweb-whoops-students-going-google-get-to-read-ea-12995.html
14. Want To Complain?
http://www.google.com/accounts/TOS?hl=en

15. Amazon EC2/S3
http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960
We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services.
http://aws.amazon.com/agreement/

16. No Customer Audit Allowed
http://www.v3.co.uk/v3/analysis/2246616/q-google-apps-director-security
…It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. … I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.
http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960

17. Detour: SAS 70 type II
• Concept: ISO 9000 certified Concrete Life Jackets
  – manufactured according to the documented procedures
  – instructions on how to complain about defects
• SAS 70: Company management defines controls to be evaluated
  Management: We have a guard at the front door. That is the sole control we want evaluated.
  Auditor: And he checked my ID. The control works as claimed. Here is your SAS 70 type II certification.
Unless you can see which controls were evaluated, SAS 70 type II reports are not meaningful

18. Can you move your enterprise to the cloud?
Or, if you are a cloud vendor, how do you convince your customers to move?
19. Case Study
• Business: Automatic discount at retail stores
• Customer identified by Credit Card used
• Currently 1 million transactions/day
• PCI-certified stores have demanded PCI certification
• Client stress test: 1 million transactions/hour
  – Amazon Extra-Large Instance
  – Cost: ~ $200
• They cannot get PCI certified on Amazon
• Any other platform is unaffordable

20. Solution
(architecture diagram; source: Kavis Technology Consulting)

21. Customer: Data Classification
• Some parts of the enterprise can go to the cloud
• The trick is in understanding that:
  – All data is not created equal
  – Some is entirely fit to be in/on a cloud
  – But if data is valuable enough that someone might bring out a gun, the cloud is not the right place to be.
• If you need PCI certification, excellent advice from the AWS rep: … keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time

22. Off-premise has different security problems and requirements
Understand them, and you can secure them
or
Make an informed decision to Stay Away

23. Customer Due Diligence
• Centralization of data makes insider threats from within the cloud provider a bigger risk
• Customers should perform onsite inspections of cloud provider facilities whenever possible
• Customers should inspect cloud provider disaster recovery and business continuity plans.
• Customers should identify physical interdependencies in provider infrastructure.
• For IaaS, deploy applications in runtime in a way that is abstracted from the machine image. Backups should also be machine independent.
• Understand who your provider’s competitors are. Plan for a migration
http://www.cloudsecurityalliance.org/

24. Considering a SaaS provider?
• If you have the resources, do an audit yourself
  – If your data requires that level of assurance
  – If the provider allows
• Ask the vendor for 3rd party audit reports
  – SAS 70 audit reports: better than nothing
  – Barely
• Ask them about:
  – Employee background check
  – Secure development process
• Trust, but verify

25. Multi-tenant SaaS Security Issues
• Not net-new vulnerabilities
• But suddenly you are hosting data on servers managed by people who don't work for you
• And you are not the only user of the server
• Can someone do an off-by-one attack?
  – By mistake?
• Denial of service attack against another customer?
26. Providers:
• Know what you will host
• Spell out policies and procedures
  – Employees are background-checked?
  – Are they bonded?
  – How would you stop someone from backing up a VM and taking it home?
• Be clear about what you will NOT support
  – It took Amazon AWS 2 years to provide an answer
  – Some things are still unclear
  – The Google / AWS disclaimers are excellent models
• Unisys has ISO 27001-certified data centers.
  – Think before investing that much time, effort and money

27. Providers (cont.)
• Cloud providers should adopt as a security baseline the most stringent requirements of any customer.
  – Or make clear to the customer where they stand
• Providers should have robust compartmentalization of job duties and limit knowledge of customers to that which is absolutely needed to perform job duties.
• Understand that you may be subject to a legal / regulatory discovery because of a customer

28. Creating Secure Software
• Developers care about deadlines and meeting the requirements
• If security is not in the requirements, it will not get done
• If developers don't know how to code securely, it will not get done right
  – If at all

29. Building a SaaS offering?
• Train your developers and architects
  – A single-day training will probably eliminate 90% of future security issues
• Build Security into your life-cycle
  – Let security people, not developers, write the security requirements
• Security Code review sounds nice, but is expensive
• Do an application audit before going live
  – Allow time for it in the project plan

30. Final Thoughts
(diagram: IaaS, PaaS and SaaS placed along two axes, customer extensibility versus provider security responsibility)
Where are you? What are you doing about it?

31. Questions?
javed@zsquad.com
http://10domains.blogspot.com
http://www.zsquad.com
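The multi-tenant isolation concern on slide 25 (a bug or an off-by-one in the caller landing on a neighbouring customer's record, the same failure class as the Google Docs and Google Apps incidents on slide 13) comes down to one design decision in the data layer: is the tenant part of every lookup, or only the record id? The Python below is an added example, not code from the presentation or from any provider it names. The document store, tenant names ("acme", "globex") and sequential document ids are constructed for illustration; the unscoped lookup is the vulnerable pattern, the scoped lookup is the hardened one, and the denial log is what a provider would feed to monitoring.

```python
"""Tenant-scoped data access for a multi-tenant SaaS store.

Added example (not from the slides): contrasts a lookup keyed only on the
document id with one that makes the calling tenant part of every query,
and records cross-tenant denials so that they can be alerted on.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int       # sequential ids: an off-by-one in a caller lands on a neighbour
    tenant_id: str    # owning customer (constructed names)
    body: str


@dataclass
class DocumentStore:
    docs: Dict[int, Document] = field(default_factory=dict)
    # constructed audit trail of denied cross-tenant reads: (requesting tenant, doc_id)
    denials: List[Tuple[str, int]] = field(default_factory=list)

    def add(self, doc: Document) -> None:
        self.docs[doc.doc_id] = doc

    # --- vulnerable pattern: lookup keyed on the document id alone ---
    def get_unscoped(self, doc_id: int) -> Optional[Document]:
        """Returns whatever document has this id, regardless of who asks.
        A caller that computes the wrong id (off by one) reads another
        tenant's data, and nothing in the data layer stops it."""
        return self.docs.get(doc_id)

    # --- hardened pattern: the tenant is part of every lookup ---
    def get(self, tenant_id: str, doc_id: int) -> Optional[Document]:
        """Returns the document only if it belongs to tenant_id.
        A miss and a cross-tenant hit look identical to the caller (None),
        so the response does not reveal whether a foreign id exists."""
        doc = self.docs.get(doc_id)
        if doc is None:
            return None
        if doc.tenant_id != tenant_id:
            self.denials.append((tenant_id, doc_id))   # signal for monitoring
            return None
        return doc

    def list_for(self, tenant_id: str) -> List[Document]:
        """Listing is scoped the same way: never enumerate across tenants."""
        return [d for d in self.docs.values() if d.tenant_id == tenant_id]


def build_sample_store() -> DocumentStore:
    """Constructed sample data: two tenants with interleaved sequential ids."""
    store = DocumentStore()
    for doc in (
        Document(100, "acme", "acme Q3 forecast"),
        Document(101, "globex", "globex payroll export"),
        Document(102, "acme", "acme board minutes"),
    ):
        store.add(doc)
    return store


def isolation_check(store: DocumentStore) -> bool:
    """Property every scoped read must satisfy: for every tenant and every
    document id, the scoped read returns either a document owned by that
    tenant or None. Run this in the provider's build as a unit test."""
    tenants = {d.tenant_id for d in store.docs.values()}
    for tenant in tenants:
        for doc_id in store.docs:
            doc = store.get(tenant, doc_id)
            if doc is not None and doc.tenant_id != tenant:
                return False
    return True


if __name__ == "__main__":
    s = build_sample_store()
    print("unscoped read of id 101 by anyone:", s.get_unscoped(101).tenant_id)
    print("scoped read of id 101 as acme:", s.get("acme", 101))
    print("isolation holds:", isolation_check(s))
    print("denials recorded:", s.denials)
```

The scoped read returns None for both a missing id and a foreign one, so a caller cannot tell from the response whether a neighbouring id exists. The `denials` list is the detection hook: a single cross-tenant denial is usually the "by mistake" case from slide 25 (a caller bug), while a burst of them from one tenant is worth an alert either way. `isolation_check` is the kind of test a provider should keep in the build so that a later refactor cannot quietly reintroduce the unscoped path.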