Collaborative Contingency in the Cloud Glen Roberts, CISSP

DESCRIPTION

Presented by Glen Roberts to the NCUA (National Credit Union Administration) and the OCCU (Office of Corporate Credit Unions) in Alexandria, VA on April 10, 2012.

TRANSCRIPT

Page 1: Collaborative Contingency in the Cloud

Collaborative Contingency in the Cloud

Glen Roberts, CISSP

Page 2: Collaborative Contingency in the Cloud

About the Presenter

* Glen Roberts, CISSP
* IT Infrastructure Manager at UFCU
* President at Cloud Security Alliance, Austin Chapter

Page 3: Collaborative Contingency in the Cloud

Agenda

* Cloud Computing Overview
* Cloud Benefits and Risks
* Myths and Reality of the Cloud
* Community Clouds
* What a CUSO Model Offers
* CUSO Model Benefits
* Case Study: 2nd Node
* Foundational Issues
* Abbreviated Risk Framework
* Addressing Common Security Concerns

Page 4: Collaborative Contingency in the Cloud

Cloud Computing Definition

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (NIST: September, 2011)

Page 5: Collaborative Contingency in the Cloud

Cloud Computing Model

Page 6: Collaborative Contingency in the Cloud

What are some of the benefits cloud computing can offer credit unions?

Interactive Slide

Page 7: Collaborative Contingency in the Cloud

Top 10 Cloud Benefits

1. Faster implementation, ready to use, automation
2. Access anywhere, on any device
3. Reduced cost, pay for use
4. Scalability, right-sized, flex up and down
5. Collective benefits, GRC alignment, new functionality
6. Improved productivity, shift focus to further innovate
7. Integrated security and patching
8. Leverage vendor expertise, economy of scale
9. High performance, reliability, uptime
10. Environment-friendly, computing efficiency

Page 8: Collaborative Contingency in the Cloud

What risks might cloud computing expose a credit union to?

Interactive Slide

Page 9: Collaborative Contingency in the Cloud

Top 10 Cloud Risks

1. Data loss, alteration, disclosure
2. Unable to prove security of provider or solution
3. Provider insider threat, insecure APIs, hypervisor flaws
4. Multi-tenancy trust issues
5. Account hijacking
6. Regulatory problems, lack of forensics support
7. Blurred responsibilities
8. Internet/external network dependency
9. Poor support, scalability issues
10. Complexity, hidden costs

Page 10: Collaborative Contingency in the Cloud

Myths and Reality of the Cloud

* The cloud is just a fad
* The cloud is less secure
* The cloud is not compliant
* Moving to the cloud is too challenging
* Moving to the cloud is too costly

Page 11: Collaborative Contingency in the Cloud

Community Clouds

* Shared by several organizations
* Supports a community with common interests
* Business purpose
* Standardization
* GRC requirements: GLBA, NCUA

* Many of the benefits of public cloud with less risk
* Better cost savings than private cloud or traditional infrastructure

Page 12: Collaborative Contingency in the Cloud

What a CUSO Model Offers

* Trust
* Transparency
* Dependable SLAs
* Clear roles & responsibilities
* Shared improvements
* Data sharing

Page 13: Collaborative Contingency in the Cloud

CUSO Model Benefits

* Do more with less
* Reduce maintenance & operations costs
* Sharing of assets
* Share the expense of implementations
* Free up staff to innovate for members

Page 14: Collaborative Contingency in the Cloud

More CUSO Model Benefits

* Cloud service brokerage
* Cooperatively select vendors
* Improved bargaining power as a collective
* Shared cost of vendor solutions
* Leverage shared integration with vendors

Page 15: Collaborative Contingency in the Cloud

Case Study: 2nd Node

* Formed by UFCU and AFCU in 2009
* CUSO
* Second data center
* Business Continuity/Disaster Recovery

Page 16: Collaborative Contingency in the Cloud

2nd Node: Facility

* Facility
* SAS 70 Type II Facility
* Working on SSAE 16 Type II
* Generator, UPS, HVAC
* Environmental security

Page 17: Collaborative Contingency in the Cloud

2nd Node: Infrastructure

* Utility pricing per cabinet:
* Telecom
* Internet connectivity – 100 mbps

* SAN
* Separate LUNS, partitions
* EqualLogic, Compellent

* IDS/IPS
* Individual consoles/customer
* 2nd Node as the oracle

Page 18: Collaborative Contingency in the Cloud

2nd Node: Cloud Services

* Private clouds
* SAN replication
* System backups
* Silver Peak network concentrators
* Hosted failover (Symitar)

Page 19: Collaborative Contingency in the Cloud

Foundational Issues

* Many have tried and failed
* Control issues vs. cooperation
* Visibility of operations
* Differing visions
* Undefined SLAs
* Security concerns

Page 20: Collaborative Contingency in the Cloud

Addressing Common Security Concerns

* Security
* Not necessarily more or less secure
* Enormous potential to be more secure
* Collaborate to implement controls
* Standards gaps
* Traditional standards still apply
* NIST and CSA are helping accelerate catch-up

Page 21: Collaborative Contingency in the Cloud

Data Protection

* What data needs to be protected?
* Common options:
  * Encryption of data
  * Tokenization
  * Sanitization, anonymization
  * Object security
  * Hashing

Page 22: Collaborative Contingency in the Cloud

Abbreviated Risk Framework: Identify Assets

* Identify potential assets to be moved to a community cloud
* Infrastructure
* Data
* Applications
* Functions/Processes

Page 23: Collaborative Contingency in the Cloud

Abbreviated Risk Framework: Community Cloud Risks

* Assess DAD risks of moving assets to community cloud
* What is the impact if the provider accesses the asset or if data goes public?
* What is the impact if processes are manipulated or fail to function?

Page 24: Collaborative Contingency in the Cloud

Abbreviated Risk Framework: Community Cloud Requirements

* Location
* Identification of other tenants
* Degree of control
* Who manages assets and how
* Security and compliance controls

Page 25: Collaborative Contingency in the Cloud

Abbreviated Risk Framework: Community Cloud Evaluation

* Providers
* Partners
* Solutions

Page 26: Collaborative Contingency in the Cloud

Thanks!

Glen Roberts [email protected] (512) 966-3425