cloud computing services overview arizona state capital chapter of nigp 2014 regional conference...

Upload: lynette-harper

Post on 17-Dec-2015

TRANSCRIPT

  • Slide 1
  • Cloud Computing Services Overview Arizona State Capital Chapter of NIGP 2014 Regional Conference October 16, 2014 Presented by: Brian Walsh and Michael Echols, Maricopa County
  • Slide 2
  • CLOUD COMPUTING AGENDA
      • What is Cloud Computing?
      • Cloud Computing Architecture
      • Types of Cloud Computing
      • What is a Data Center?
      • Is Cloud Computing for you?
      • Cloud Computing Case studies
      • Cyber Security and Breaches
      • Cyber Security Insurance
      • What is the role of Procurement?
      • Questions
  • Slide 3
  • CLOUD COMPUTING? Source: www.evolven.com
  • Slide 4
  • What is Cloud Computing? Cloud computing is typically defined as a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications. In cloud computing, the word cloud (also phrased as "the cloud") is used as a metaphor for "the Internet," so the phrase cloud computing means "a type of Internet-based computing," where different services such as servers, storage and applications are delivered to an organization's computers and devices through the Internet. Cloud computing is comparable to grid computing, a type of computing where unused processing cycles of all computers in a network are harnessed to solve problems too intensive for any stand-alone machine. Source: www.webopedia.com
  • Slide 5
  • Cloud Computing Architecture Source: www.wikipedia.com
  • Slide 6
  • Types of Cloud Computing
      • Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Desktop as a Service (DaaS), Backend as a Service (BaaS), and Information Technology Management as a Service (ITMaaS)
      • Private Cloud
      • Public Cloud
      • Hybrid Cloud
  • Slide 7
  • Data Centers
      • What is a Data Center? Data centers are physical or virtual infrastructure used by enterprises to house computer, server and networking systems and components for the company's information technology (IT) needs, which typically involve storing, processing and serving large amounts of mission-critical data to clients in a client/server architecture. A data center often requires extensive redundant or backup power supply systems, cooling systems, redundant networking connections and policy-based security systems for running the enterprise's core applications. A data center is classified as a Tier I-IV based on established industry infrastructure design and function standards by the National Institute of Standards and Technology (NIST) or the Uptime Institute. Source: www.webopedia.com
      • Data Center Types
          • Corporate Data Center: Owned and operated by the entity
          • Web Hosting Data Center: Data Center that provides IaaS for the entity
          • Colocated Data Center: Leases Data Center space to the entity
          • Service Data Center: Provides hardware/software and services to the entity
  • Slide 8
  • The Future of the Cloud
      • Cloud Vision - Access to any service, anytime, anywhere, from any device with limited overhead.
      • Direction
          • By 2015, end-user spending on cloud services could be more than $180 billion
          • Global market for cloud equipment will reach $79.1 billion by 2018
          • By 2014, US Businesses will spend more than $13 billion on cloud computing and managed hosting services
      • Statistics
          • 44% annual growth in workloads for the public cloud versus an 8.9% growth for on-premise in the next 5 years
          • 82% of companies reportedly saved money by moving to the cloud
          • More than 60% of businesses utilize cloud for performing IT-related operations
          • 14% of companies downsized their IT after cloud adoption
          • 80% of cloud adopters saw improvements within 6 months of moving to the cloud
          • 32% of Americans believe cloud computing is a thing of the future
      • Source: Silicon ANGLE, "20 cloud computing statistics every CIO should know"
  • Slide 9
  • Advantages of the Cloud
      • Achieve economies of scale: Increase Productivity
      • Reduce spending on technology infrastructure: Pay as you go
      • Globalize your workforce on the cheap: Serve more disparate areas of your organization
      • Streamline processes: Reduced resource requirements
      • Reduce capital costs: Limit infrastructure procurement needs
      • Improve accessibility: Increase Access
      • Less personnel training is needed: Limit resource costs
      • Minimize licensing new software: Pay for what you really need
      • Improve flexibility: Change direction with limited costs
      • 60% of Cloud Users reported Capital Cost Reductions
  • Slide 10
  • Disadvantages of the Cloud
      • Possible Downtime: The Cloud System can fail and the cloud subscriber is not in control of correcting the issue.
      • Security Issues: The Cloud System can be breached and the cloud subscriber may not have control over the circumstances that allowed it to happen.
      • Increasing Cost: The Cloud System costs can exceed the cost of managing an internal infrastructure, if safeguards are not identified.
      • Inflexibility: The Cloud System provider may not be flexible in allowing your organization to have what it wants, when it wants it.
      • Lack of Support: The Cloud System may not have good support, which may result in a lack of desired service.
      • Source: www.sbinfocanada.about.com
  • Slide 11
  • US Department of the Army
      • Challenge: The U.S. Army Experience Center needed a flexible, extendable and customizable recruitment tracking platform to track prospective recruits.
      • Solution: Move to a cloud environment that permits a 360 degree community outreach and relationship management approach.
      • Result
          • Costs down to $8M for full licensing from $83M
          • 33% productivity gain
          • 30 times higher response rates
          • Twitter, Facebook integration
          • Geo-location and contact data in the field via iPhone and Blackberry
          • Visitor and user surveys for instant information
          • Massive email campaign capabilities
      • Source: cloud.cio.gov
  • Slide 12
  • US Department of Labor Relations Authority
      • Challenge: The Federal Labor Relations Authority's decade-old, off the shelf case management system no longer met the agency's needs and was financially unsupportable.
      • Solution: The agency migrated to a cloud-based Software-as-a-Service case management system that allows users the flexibility to monitor case activity anytime, anywhere.
      • Results
          • 88% reduction in total cost of ownership over a five year period
          • Eliminated up-front licensing cost of $273,000
          • Reduced annual maintenance from $77,000 to $16,800
          • Eliminated all hardware acquisition costs
          • Secure access from any Internet connection
          • Ability to operate and access case information from any location in the world, supporting the virtual enterprise
      • Source: cloud.cio.gov
  • Slide 13
  • US Department of Treasury
      • Challenge: Replace the hosting service used to run the Bureau of Engraving and Printing's public-facing website and eCommerce store with one that has equivalent capabilities and can improve service metrics.
      • Solution: Used SaaS cloud-based services to replace both the public-facing webpage and the eCommerce storefront.
      • Results
          • Reduced infrastructure costs from $800,000 to $1,550
          • Eliminated transaction fees
          • Improved wait time and accessibility
          • Eliminated coding requirements
          • Faster deployment
      • Source: cloud.cio.gov
  • Slide 14
  • Security Implications of the Cloud
      • Data Breach: 1 breach exposes everyone
      • Data Loss: Data loss can be wide ranging
      • Service Traffic Hijacking: Unauthorized access could expose everyone
      • Insecure Interfaces: Information theft could be massive
      • Denial of Service: Denial of Service could affect everyone
      • Malicious Insiders: One bad apple can impact all
      • Insufficient Due Diligence: Not understanding the risk can make you liable to it
      • Technology Vulnerabilities: Vulnerabilities will only increase
  • Slide 15
  • Apple iCloud Breach
      • What Happened? Apple iCloud Celebrity User Accounts were allegedly accessed by unauthorized personnel, which resulted in the loss and exposure of personal photos.
      • Why did this occur? Hackers exploited a vulnerability that allowed them to brute-force account passwords.
      • How did Apple respond? Corrected the vulnerability and took other measures to mitigate future risk.
      • Source: InformationWeek, "Apple iCloud Hacks Other Victim: Cloud Trust"
  • Slide 16
  • Sony PlayStation Breach
      • An "illegal and unauthorized person" obtained people's names, addresses, email addresses, birth dates, usernames, passwords, logins, security questions and possibly credit card numbers of more than 77 million users.
      • Why did this occur? Sony did not pay enough attention to security during the development of this platform.
      • How did Sony respond?
          • Shut down online PlayStation services for an extended period of time.
          • Hired an outside recognized firm to investigate and correct the issues that led to the breach.
      • Source: Reuters, "Sony PlayStation suffers massive data breach"
  • Slide 17
  • How might a breach occur? Typical malware will do the following:
      • Gains Access: Gains access by exploiting vulnerabilities in the systems that it infects.
      • Requests Instructions: Automatically requests instructions from the hacker's command and control software.
      • Looks for Data: Looks for information to steal, for example nine digit numbers (or social security numbers).
      • Exfiltrates Data: Sends information that it steals back to the command and control software.
      • Identifies New Targets: Scans other adjacent computers for additional vectors in which it can spread.
      • Evades Detection: Deletes and recreates itself with new patterns to evade detection by Antivirus platforms.
  • Slide 18
  • Cloud Risk Mitigation
      • Cloud Subscriber
          • You MUST have well adopted security standards
          • You MUST maintain a team of security professionals dedicated to analyzing Cloud Provider Security Risk
          • You MUST conduct a measurable security audit of your Cloud Service Provider
          • You MUST have the ability to conduct routine Penetration Tests and Vulnerability Assessments
          • You MUST have adequate Cyber Security Insurance
      • Cloud Provider
          • Cloud Service Providers MUST maintain great threat management and situational awareness
          • Cloud Service Providers MUST have strong vulnerability remediation processes and procedures
          • Cloud Service Security Maturity MUST be measured
          • Cloud Service Providers MUST segment services
          • Cloud Service Provider access restriction MUST be granular and well understood
      • Source: Verizon 2014 Data Breach Investigations Report
  • Slide 19
  • Cyber Security Insurance
      • Cyber security insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion
      • Market-driven way of increasing cyber security posture
      • Helps to reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures
      • Encourages the implementation of best practices by basing premiums on an insured's level of self-protection
      • Limits the level of losses that companies face following a cyber attack
      • Many companies nevertheless forgo cyber security insurance; these are just some of the reasons for their decision:
          • Perception of high cost
          • Lack of awareness about what it covers
          • Uncertainty that they'll suffer a cyber attack
  • Slide 20
  • Contract Review Checklist
      • Service model
      • Risk factors
      • Pricing
      • Security controls and reports
      • Data assurances
      • Data conversion
      • Governing law
      • Service level agreement (SLA)
      • Contact information (24x7)
  • Slide 21
  • Contract Review Checklist Cont'd
      • Outsourced services
      • Disaster recovery
      • Mergers and acquisitions
      • Site inspections
      • Warranty
      • Liability
      • Compliance with laws: PCI, HIPAA, CJIS, etc.
      • Professional services
      • Contract renewal and termination
  • Slide 22
  • Questions
      • Brian Walsh, Senior Procurement Officer, Office of Procurement Services, 602-506-3243, [email protected]
      • Michael Echols, Chief Information Security Officer, Office of Enterprise Technology, 602-506-5798, [email protected]