Cloud security and cloud adoption


Upload: john-mathon

Post on 10-May-2015


TRANSCRIPT

1. Cloud Security and Technology Adoption
By John Mathon, February 28, 2014

2. About the Author
o I am a 30+ year veteran of the computer industry with 10 patents; I worked on publish/subscribe, founded TIBCO, started a company in the DLP space, and worked at one of the most secure companies (Bridgewater).
o I am not a security expert.
o I have implemented SaaS solutions in a number of companies, including a company I founded and a large multibillion-dollar company.

3. Introduction
o The statement heard frequently: cloud security is the biggest factor inhibiting adoption of the cloud in most companies.
o The premise of this statement is that cloud security is a black hole, or is much riskier than traditional enterprise security.

4. History
o New technologies that were described as being too insecure to do business with:
  o Internet and credit cards
  o Internet and email
  o Internet and business transactions
  o Electronic signatures
  o B2B
o I questioned the reality of these claims.
o I believe I was right.
o However, economic and business realities forced these things to happen.
o So, are the following the same? Are they safe for personal or business use?
  o Cloud IaaS
  o Mobile devices
  o Cloud SaaS applications
  o Cloud data storage
  o Cloud PaaS
  o Internet of Things
  o Personal cloud

5. The Cloud is a large business today, growing very fast considering its size
o Today
  o IaaS: a $6 billion business in 2013 (8 years from start)
  o 136% annual growth rate today
  o SaaS companies: $130 billion
  o Mobile: 1.5 billion smartphones
  o Social: 1.2 billion followers (22% of world population, 50% of US population)
o Future, 2017 (4 years out)
  o Total cloud services: $0.5 trillion (4X)
  o IaaS: $100 billion (16X)
  o PaaS: $14 billion (40X)
  o SaaS: $0.4 trillion (3X)
  o 2/3 of all workloads will be processed in the cloud (*Cisco)
  o 3 billion smartphones

6. Cloud Adoption
o 9/2013: According to a survey from Spiceworks, 70% of IT professionals are using cloud-based web hosting applications, with 60% using cloud-based security and 30% using backup applications.
o Numbers climbing very fast, with near-universal adoption possible within a few years.
o http://www.computerweekly.com/news/2240206038/70-of-IT-professionals-using-cloud-at-work

7. Why is the Cloud growing so fast?
o For small companies
  o Less capital needed
  o Grow as fast as your business
  o Self service / DevOps
  o Cloud providers provide superior service to in-house
o For large companies
  o Less capital needed means faster to market
  o DevOps efficiencies to compete and be more nimble
  o Less excess hardware, which is a waste of energy, money, space and time
  o SaaS apps can increase productivity
  o APIs, social and cloud services enable new lines of revenue

8. The potential is almost incalculable in just the next 5-7 years
o Datacenters of 50% of companies in the world
o SaaS/PaaS and other services
  o Becoming the dominant, and maybe the only, way most software is delivered
o Other impacts
  o Social, behavioral
  o Life without the cloud will be essentially impossible for most people

9. Why is this overwhelmingly good?
o Most companies are not, and should not be, managing technology at the level they are
  o They are not competent at security, cost management, optimization or technology in general
  o Vast underutilization of what they acquire
  o Unnecessary duplicative work: many people doing the same technology over and over
  o Technology being used way beyond its productive life
o Universal connectivity: people, things, applications
o Network effect, spurring massive cascading unpredictable innovation
  o Possibly not all positive
o Overall huge cost savings and improved efficiency
o Due to the first and second points, the US and world economy will see massive gains in productivity and improvements in services and technology usage

10. Financial Firms have a higher standard
o Generally well endowed compared to many other businesses.
o Federal regulation, international regulation (Basel and individual country rules) and state regulation.
o Fines assessed regularly.
o Financial data is among the most sensitive and private information of any corporation, and of great concern to customers.
o 37% of all breaches (2012*)
  *http://www.verizonenterprise.com/DBIR/2013/

11. Other Industries with similar constraints
o Health
o Aerospace

12. Ecosystem PaaSs
o Boeing ecosystem PaaS
  o Encourage airlines to buy Boeing airplanes
  o Create a PaaS for all airlines and service providers
  o Make it easier to buy Boeing; cheaper and easier to run an airline with Boeing airplanes
o Cars: Google Android, OpenCar, OpenXC, Webinos, Apple, Blackberry / QNX
o Entertainment
o Finance

13. Should you adopt a technology?

Technology | Benefit or cost
--- | ---
Gives employees choice (BYOD, applications, ...) | Increased productivity (and morale, retention)
Is better than an internal technology | Increased productivity (anything from slight to huge benefit)
Is necessary for business with customers or partners | Increased sales (unavoidable)
Saves money over internal service | Reduced costs (depends on whether a productivity improvement or loss accompanies it)
Faster time to market | Increased sales (potentially huge benefit)
Lack of cohesive common technology | Decreased productivity; increased support costs and difficult integration or sometimes collaboration
More expensive than internal service | Increasing costs (not very frequently true, especially when one considers all lifecycle costs). There can be variable costs that are uncontrolled. Productivity gains may offset higher cost.
Increased security risk | Can be mitigated to some extent

14. These benefits can be substantial
o A new technology can easily give a 30% increase in productivity, reduced costs or increased income.
o In many cases it is not optional to use a certain technology, but how do we do it safely?
o Security must find ways to minimize the risk of the new technology.

15. The point of this talk is perspective
o Security is part of a business decision.
o The cloud will be made safe for business.
o A strategy to minimize risk and maximize adoption, by segregating information and applications in a fine-grained way as they make sense to migrate, is essential.
o The safety of the cloud is not great, but it is no worse than where we are in business, possibly better. This may be sad, but it is expected in my opinion.

16. Agenda
o What is the cloud?
o Security in general
o Cloud vs enterprise
o Best practices to adopt cloud services
o Enhanced security services for the cloud

17. What is the cloud? Many things
o IaaS and infrastructure services (compute, data)
  o *$6B in 2013, 136% annual YOY growth
o SaaS (web services and applications)
  o APIs (at least 20,000 today, doubling annually)
o PaaS and platform services (iPaaS, DaaS, APIMaaS, BPMaaS)
  o *$14B by 2016
o Mobile apps, web and BaaS
o Personal cloud
o Internet of Things
*Gartner, 2013

18. Not all information is the same
o Customer information
  o Extremely sensitive customer information: passwords, PINs, personal data, health data, SS#
o Company employee information
  o Extremely sensitive employee information: passwords, SS#
o Company information
  o Extremely sensitive company information: sales projections, roadmaps, customer interactions, information that you would be liable for releasing
  o Information that gives you significant market advantage

19. Risks you face
o Loss of personal data of employees
o Loss of customer personal data
o Loss of corporate data that results in lost business (customers upset, competitors find advantage)
o Loss of service (caused by a security lapse)
o Lawsuits (related to loss of data or service)
o Fines (where the lost data or service is regulated)
o Reputation damage
o Transitive loss (you help someone compromise someone else)
o And more

20. Sources of loss (irrespective of cloud or not cloud)
o Technology
  o External hacking
  o Infection / malware
  o Denial of service
o Processes
  o Physical penetration or data lost in transit
  o Poor IT practices
o People
  o Internal
  o Employee mistakes / phishing

21. The Enterprise physical and electronic 4 walls are being continuously eroded by new stuff
o Employees taking home data, or electronics that contain data (cell phones, USB, computers, ...)
o SaaS (corporate data contained within)
o APIs and web services, EDI or partner electronic interfaces
o Personal cloud
o Internet of Things (coming)
o Cloud services (IaaS)
o Higher-level cloud services (PaaS and other)
o Social: discussion boards, Twitter
o Skunkworks / unauthorized use:
  o Personal cloud (Dropbox, Google Docs and apps, ...)
  o POCs being done in PaaS or IaaS environments
  o Enterprise apps being used with corporate data
  o Interactions with partners through the cloud
o The people who violate controls most: IT people and executives

22. 2013 Examples of breaches

Cloud? | Severity | Attack | Company | Loss
--- | --- | --- | --- | ---
Not cloud | Major | Undisclosed | Target, Adobe | 200+ million emails, passwords and credit cards stolen; Adobe source code
Cloud | Major | Malware | Facebook, Dropbox, LinkedIn | 8 million emails and passwords lost
Not cloud | Major | Internal | Federal Reserve, NSA, Dept. of Homeland Security | Secrets disclosed, personal information
Not cloud | Major | Internal | Goldman Sachs | Trading algorithms stolen
Cloud | Minor | Human error | NYTimes, Twitter, Cloudflare | Google email reset policies allowed individuals to be hacked
Cloud | Minor | API penetration | LinkedIn | Thousands of profiles

Source: http://thinkprogress.org/security/2013/12/31/3108661/10-biggest-privacy-security-breaches-rocked-2013/#

23. 2013 Examples of breaches (continued)

Cloud? | Severity | Attack | Company | Loss
--- | --- | --- | --- | ---
Cloud | Minor | Outage | Amazon | Heroku didn't have multiple regions
Not cloud | Minor | Undisclosed | Department of Energy | 53,000 employee records
Not cloud | Major | Physical penetration | Advocate Medical Group | 4 million medical records lost
Cloud | Major | Human error | CorporateCarOnline | 850,000 credit cards, personal information
Cloud | Minor | Human error | MongoHQ | Thousands of emails

24. Cloud vs Enterprise
o Anything that can be accessed from the outside is under identical attack.*
o However, "on-premises environment users or customers actually suffer more incidents than those of service provider environments. On-premises environment users experience an average of 61.4 attacks, while service provider environment customers averaged only 27.8."*
o "After looking at both, there is no proof that cloud computing is any more of a security risk than traditional internet usage. The research in this paper has shown that there is no significant difference that makes one better than the other."**
o It is not provable that the cloud is less secure than enterprise security.
*http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why
**http://www.cameron.edu/uploads/34/f4/34f4b845dca4fb2125ba03f0964efed1/3.pdf, "Cloud Computing vs Traditional Internet Setting: Which One is More Secure?"

25. Security is a problem
o At least 200+ million emails disclosed with passwords. Credit cards of at least 40-80 million people, with social security numbers in some cases.
o Medical records for 4 million people.
o Average of 60 attacks per year reported
o 37% of breaches affected financial organizations
o 14% insiders
o 19% China-related breaches
o 35% involve physical compromise
o 76% exploited weak or stolen credentials
o Vulnerability discovered to patch: 25-60 days at enterprises!
o A very high percentage of these losses are non-cloud, possibly as high as 80%.
o It is unclear what percentage of private companies disclose breaches.
o Cloud companies are required by state breach notification laws to disclose losses of personal data.*
*http://www.csoonline.com/article/221322/cso-disclosure-series-data-breach-notification-laws-state-by-state

26. Cloud Companies are responding to threats
o Most cloud companies now enforce multi-factor authentication
o Most cloud companies now store passwords salted and hashed
o Google and others are changing policies on password resets
o AWS now wipes disks by default
o The feeling is that the cloud service companies are learning and becoming more and more astute
o What we really need is transparency!

27. Cloud is theoretically worse on security
o The ability to attack from anywhere, by anyone, could lead to many more attacks
o Specific cloud-based attacks, such as exploiting virtual machine vulnerabilities or building mobile apps to exploit APIs
o Ubiquitous connectivity seems to imply more chance for attacks
o Yet so far this is not the case

28. I am not saying
o Cloud companies are all safer generically
o All private companies' enterprise security is rotten
o That cloud is better than enterprise for security if enterprise is done well

29. I am saying
o Cloud is not blatantly more insecure than enterprises
o For whatever reason the attention of hackers has not become focused on cloud YET, because the number and severity of incidents is still clearly greater in the enterprise
o Some cloud companies are way better than many enterprises in security today
o For the vast majority of companies, large and small, the cloud is probably better

30. Cloud Companies use the same technology and approaches as private companies
o Antivirus / malware detection / scanning
o Patching regimes
o Audits / penetration testing
o Personnel training
o DLP technology / hardware
o Multiple authentication schemes
o Automated event detection
o Multiple-region backups / DR
o Physical security

31. Vast majority of non-cloud companies are not competent in security*
o This is hopefully NOT true of finance companies like Fidelity.
*http://searchcloudcomputing.techtarget.com/opinion/Clouds-are-more-secure-than-traditional-IT-systems-and-heres-why

32. Actual Losses: some data
o 400 cases of fraudulent ACH transactions totaling $255 million, with an actual loss of $85 million
o July 2009: two U.S. stock exchanges were victims of a sustained DDoS attack
o Outages have real cost
o Adobe lost actual source code for Photoshop
o Reputation risk is an extreme concern

33. The cloud is not a black hole of security
o No evidence cloud computing IS riskier than enterprise-based computing
o More attacks reported, both anecdotally and statistically, and more admitted by private companies than by companies using cloud services
o Full disclosure at private companies is doubtful
o Over the last 4 years, as incidents have happened, the strength of cloud security has increased. Most companies now support 2-factor authentication, for instance. But problems clearly still exist.

34. Cloud vs NonCloud Security

35. Nine Top Threats
  1. Data Breaches
  2. Data Loss
  3. Account Hijacking
  4. Insecure APIs
  5. Denial of Service
  6. Malicious Insiders
  7. Abuse of Cloud Services
  8. Insufficient Due Diligence
  9. Shared Technology Issues
Source: Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013 (2013), http://bit.ly/1brlej6; InfoWorld, 2/2013, http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428

36. Cloud Specific Security Concerns
o Data from one company leaking to another (multi-tenancy isolation failure)
o Demand from one company leaking to another (poor service)
o Inability to control specific policies and personnel, or to change them at will
o Lack of transparency
o Inability to conduct effective investigations
o Naivety in using the cloud*
*http://blog.cloudpassage.com/2012/09/13/10-mom-didnt-warn-cloud/

37. Good Ideas
http://www.intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html

38. Cloud Services
o Let's look at various types of cloud services and the specific security concerns that don't necessarily exist in the enterprise.

39. aaSes
o IaaS
  o Multi-tenancy isolation failures
  o Virtualization vulnerabilities
o SaaS
  o Multi-tenancy isolation failures
o PaaS: poorly behaving apps can threaten other apps
  o One app taking down another
  o Multiplicative SLA weakening
  o Very dynamic demand can stress other tenants

40. New types of security/service concerns
o APIs
  o Conscious, malicious rogue applications
  o Inadvertent usage of applications creating the ability to access information inappropriately
  o Demand variations can be chaotic and result in wide SLAs
o Mobile
  o Loss of device
  o Containerization problems
  o Bad applications (like viruses)
  o Employee termination issues
  o Hardware hijacking

41. New types of security/service concerns
o Personal cloud (moving my life to the cloud)
  o The type of information allowed may be inappropriate
  o Sharing less controlled by the enterprise
  o Termination: what happens to the information?
o Internet of Things
  o Privacy
  o Potential damage to security depending on the type of device (camera, GPS, activity tracking, cars, ...)
o Social
  o Reputation risk
  o Lack of control of information shared by employees and others

42. I admit
o It's tiring and scary to consider all the possibilities.
o So one has to take perspective.
o You're not 100% in control.
o You need to delegate but monitor.
o Being a good manager.

43. Best Practices
o Segregate data and applications in a fine-grained way and move to the cloud incrementally as benefits promote adoption (see adoption slide)
o Establish service provider SLAs
o Negotiate hard for transparency, not damages
o Make demands
o Ask questions, audit, stay involved
o Do not settle for applications or vendors which don't meet your security requirements.
  o They will want your business, and I bet many will adapt if asked with reasonable proposals
o Watch for changes in the risk profiles
o As the cloud gains more and more adoption it is likely to start seeing more attacks, and more sophisticated attacks

44. What is happening?
o SaaS
o API management is huge (mostly focused on external APIs, but internal growing)
o Reuse and community collaboration
o BigData, data collection and intelligence
o PaaS ecosystem and DevOps
o Mobile apps
o iPaaS
o Personal cloud / Internet of Things happening

45. Enterprise Reuse and Refactoring
o Most companies I see are doing this
o Reuse is hard
o It's not just a registry
o The growing mobile, API and web service application storm presages a new era in enterprise software

46. New Types of Security Available
o EMM (MDM, MAM): Enterprise Mobility Management provides control and monitoring of mobile devices
o API management: app-based security, fine-grained authorization, SLA management
o Ecosystem private PaaS: control of the information shared with partners, as well as of the applications that use that information
o Complex event processing: detect complex events that indicate intrusion, theft, accidental behavior or suspicious behavior; alert and escalate
o 2-factor authentication, fine-grained authorization
o New protocols and technologies support more control
o SDN
o Fingerprint scanners

47. WSO2 Commercial
o Completely open source; no enterprise versions
o The only complete composable API-centric enterprise application platform
o Built entirely by WSO2
o Multi-tenant, cloud-native, componentized integrated platform
o Built as an API-centric, BigData, mobile, social, cloud, SOA platform

48. WSO2 Commercial
o 200 customers worldwide
o In business 8 years
o Leading enterprises in almost every vertical industry: retail, aerospace, health, finance, logistics, telecommunications, government, travel, ...
o eBay does 5 billion transactions/day on peak days on our servers
o Boeing, Cisco and other industry-leading companies are starting to build their future technology vision with WSO2

49. WSO2 Commercial
o Identity management: WSO2 has a full suite of identity products supporting all new protocols and features
o EMM (Enterprise Mobility Management): WSO2 has a full EMM suite with both device and application management
o Ecosystem PaaS: WSO2 is working with several industry leaders to create PaaSs for their industry. This gives the leader control over the data and applications, like Apple has for iOS apps, and also encourages development of communities with the first social enterprise store
o Hybrid polyglot PaaS technology for sophisticated enterprise deployments
o API management and enterprise store, combining API, mobile and web services to promote API-centric enterprises
o "NSA for you": our BigData and CEP technology gives you the ability to identify and respond to security events in real time
o AND MORE. I have listed just the products relevant to security.

50. Conclusion
o We have seen the enemy and it is us.
o The issues for the cloud are the issues we deal with every day in the enterprise. It's not a reason to not adopt the cloud.
o For more info on WSO2: wso2.com
o Services Oxygenated
o John Mathon: VP, Product Strategy
o [email protected]