Peering Through the Cloud (Forrester EMEA 2010)
DESCRIPTION
A detailed conversation on the cloud, including risks, benefits and recommendations for enterprise use.
TRANSCRIPT
Peering Through the Cloud
Presented to Forrester's Security Forum EMEA 2010
By Gray Williams
• Gray Williams ‐ Biography
– TATA Communications (GM & Sr Dir PLM; 06 to present)
– KillPhish (Founder)
– Cybertrust (Dir Prod Mngmnt)
– SafeNet (VP/Dir Prod Mngmnt & Marketing)
– INS/Lucent Technologies (Sales & Biz Dev)
– AT&T (Sales NAM)
Introduction
The soothing light at the end of the tunnel…
…is it just a freight train comin’ your way? - Metallica
Diagram labels: Anti-Cloud HW/SW crowd; Assorted CSO’s; The Business; Pro-Cloud Crowd
Framing the Debate
Slide diagram labels: CLOUD, RISK, SECURITY, CONTROL?, The Business, Technical, Legal, IT/DC, Economics, Efficiency, Effectiveness, Cost, Agility, Confidentiality, Integrity, Availability, Compliance, *aaS, SOA, VM, CNA, APT, Public, Private, What it is, Why it is, Today, Tomorrow?, NIST, ENISA, Jericho Forum, CloudAudit/A6, Cloud Security Alliance
Billions $$ at stake in a tech land-grab
“A model for enabling convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - NIST Oct 09
“Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building” - Tim O'Reilly
1. Illusion of infinite, on-demand resources
2. No upfront capex commit
3. Pay for what you need, as you go
- Above the Clouds: A Berkeley View of Cloud Computing, Feb 2009
Enterprise: Slow Adoption
Source: BT's Enterprise Intelligence survey
– Want ROI on existing investment & time invested making IT a trusted resource
– 53% fail to see how cloud can save them money
– 57% surveyed said they were not happy to run applications and store data on servers outside their country for security reasons
– 21% think that doing business in the cloud is not a security concern.
– 53% are concerned about IP being stored in a public cloud because of potential security breaches
– 44% believe they deal with information that is so sensitive it could never be stored in the cloud.
• Single tenancy / Multi-tenancy
• Isolated data / co-mingled data
• Dedicated security / socialist security
• On-premise / Off-premise
The overall risk profile for cloud compute has not yet come into full view
“Cloud Computing is great™… …until it isn’t.”
Source: Me
Traditional Security Issues:
1. Shared Tech - VM Attacks
2. Provider Vulnerabilities
3. Phishing Provider
4. Expanded Network Attack Surface
5. Authentication & Authorization
6. Forensics
Availability:
1. Uptime
2. Single Point of Failure
3. Integrity assurance
3rd party Control:
1. Due Diligence
2. Audit (Geo-Regulated Data)
3. Contractual Obligations
4. Espionage
5. Data Lock-In
6. Transitive (Subcontractors)
New Challenges:
1. Privacy
2. Nefarious Use (DDoS, Malware)
3. Effective Authentication
4. Authorization (mashup)
- Controlling Data in the Cloud, Nov 2009
CLOUD SECURITY ISSUES ARE REAL
% of 62 real‐world UK breaches in various levels of PCI‐DSS compliance
Source: 7Safe Breach Report Jan 2010
120 of 600 surveyed had been victimized by attacks similar to Google
66% said the attacks had harmed company operations
54% said their company had been the subject of infiltration in the last 2 yrs
24% expect a major cybersecurity incident in the next year
INTERNAL IT SECURITY IS CRASHING & BURNING
ISSUES ARE REAL.
- McAfee Critical Infrastructure in the age of Cyberwar Feb 2010
Public vs Private: Top 3 Objections:
1. Security
2. Availability
3. Performance
4. CONTROL
Source: IDC
Public cloud providers can’t have their cake and eat it too…
Must Have:
• Sufficient Security Defenses
• Sufficient Monitoring
• Adequate Support
• Transparency
Private Cloud Top 3 Objectives:
1. Preserving confidentiality, integrity and availability
2. Maintaining appropriate levels of identity and access Control
3. Ensuring appropriate audit and compliance capability
Recommendations
GENERAL: Create policy on acceptable use
SPECIFIC:
• Identify candidate data/processes/functions
• Perform risk assessment on each asset
– Explore legal, regulatory and audit issues 1st
– Conduct 3rd party internal/external VA and audit
– Explore geo-location specific offerings
– Demand full subcontracting disclosures, detailed security framework and DR procedures for the whole ecosystem (partner chain)
• Map findings to potential deployment models & vendors
• Standard risk and governance controls apply (ISO 27001/2 and BS25999; NIST SP 800-70/60/53/37/30/18; FIPS 199/200)
What if…
• the asset became widely public and widely distributed?
• the process or function were manipulated by an outsider?
• the process or function failed to provide expected results?
• the information/data were unexpectedly changed?
• the asset were unavailable for a period of time?
• we could not satisfy regulatory/compliance requirements?
Source: Cloud Security Alliance
Recommended Reading
• Chris Hoff, rationalsurvivability.com
• PARC: Richard Chow, Philippe Golle, Markus Jakobsson, Ryusuke Masuoka, Jesus Molina; Fujitsu: Elaine Shi, Jessica Staddon
• Lisa J. Sotto, Bridget C. Treacy, Melinda L. McLellan, Hunton & Williams
• Andrew Becherer, Alex Stamos, Nathan Wilcox, iSEC Partners
• David Linthicum, infoworld.com/d/cloud-computing
• Paul Murphy, blogs.zdnet.com/Murphy
• Peter Mell, Tim Grance, NIST
• Prof Carsten Maple, Univ Bedfordshire
• Alan Phillips, Ben Morris, 7Safe
• Gunnar Peterson, 1raindrop.typepad.com
• Joel Dubin, CISSP
• Richard Bejtlich, TaoSecurity.com
• ENISA
• Cloud Security Forum
Special Thanks
Source: Chris Hoff
Thank you.
Contact: Gray Williams
Back‐up Slides & other DVD extras
TCO to Public Cloud
Server: 2.4 Xeon Dual Core, 16Gb RAM, 140Gb HD, Windows Pro plus Install/Support

                                                  CAPEX    Finance   Public Cloud
Capex                                            $3,589
Cost of capital                                             12%
Term in months                                       48         48
Cost MRC                                            $98        $98
Management ($100k per admin, 100 servers)           $83        $83
Power ((Watts x hrs used / 1000) x cost per kWh)    $18        $18
TOTAL Monthly Cost                                 $200       $199           $54
100% Utilization during Biz Hrs                     160        160           160
Hourly Recurring Charge                           $1.25      $1.25         $0.34
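The slide's TCO arithmetic as a small cost model, added here as an example and not part of the deck. The $98 and $54 monthly charges are taken from the slide as given (it does not show how the capex is amortised); the 250 W, 720 h/month and $0.10/kWh power inputs are assumptions chosen to reproduce the slide's $18 power line from its own formula.

```python
# Added example: the deck's "TCO to Public Cloud" slide as a reproducible cost model.
# Hardware MRC figures come from the slide; wattage, hours and $/kWh are assumed.
from dataclasses import dataclass


@dataclass
class ServerCosts:
    """Monthly cost inputs for one column of the TCO slide."""
    hardware_mrc: float          # monthly charge for the box: amortised capex or cloud fee
    admin_salary: float = 0.0    # yearly cost of one admin ($100k on the slide)
    servers_per_admin: int = 0   # servers one admin looks after (100 on the slide)
    watts: float = 0.0           # average draw of the server (assumed 250 W)
    hours_powered: float = 0.0   # hours powered per month (assumed 24x7 = 720 h)
    cost_per_kwh: float = 0.0    # electricity price (assumed $0.10/kWh)


def management_cost(c: ServerCosts) -> float:
    """Admin cost per server per month: yearly salary / servers per admin / 12."""
    if c.servers_per_admin <= 0:
        return 0.0  # no in-house admins (the provider's problem in the cloud column)
    return c.admin_salary / c.servers_per_admin / 12


def power_cost(c: ServerCosts) -> float:
    """Slide formula: (Watts * hrs used / 1000) x cost per kWh."""
    return (c.watts * c.hours_powered / 1000) * c.cost_per_kwh


def total_monthly(c: ServerCosts) -> float:
    """Hardware MRC plus the two in-house overheads the slide adds."""
    return c.hardware_mrc + management_cost(c) + power_cost(c)


def hourly_charge(c: ServerCosts, biz_hours: float = 160) -> float:
    """Effective hourly rate when the server is only 'used' during business hours."""
    return total_monthly(c) / biz_hours


# Slide figures: the financed in-house server vs. the public cloud instance.
IN_HOUSE = ServerCosts(hardware_mrc=98, admin_salary=100_000, servers_per_admin=100,
                       watts=250, hours_powered=720, cost_per_kwh=0.10)
PUBLIC_CLOUD = ServerCosts(hardware_mrc=54)  # management and power sit with the provider

if __name__ == "__main__":
    for name, col in (("In-house", IN_HOUSE), ("Public cloud", PUBLIC_CLOUD)):
        print(f"{name:13s} monthly ${total_monthly(col):7.2f}  hourly ${hourly_charge(col):.2f}")
```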
In Conclusion
• This is actually something to be really happy about; people who would not ordinarily think about security are doing so
• While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices
• Sure, Bad Things™ will happen
• But, Really Smart People™ are engaging in meaningful dialog & starting to work on solutions
• You’ll find that much of what you have works...perhaps just differently; setting expectations is critical
• Adopt a risk assessment methodology. Classify assets and data and segment.
• Interrogate providers; use the same diligence for outsourced services and focus on resilience/recovery, SLA’s, confidentiality, privacy and segmentation
• Match both business and security requirements against the various delivery models and define the gaps
Who has Control?
1. Lack of standards. All clouds are different. Each one must be investigated and analyzed to understand its capabilities and weaknesses. The technical basis for digital trust must be created for each cloud.
2. Lack of portability. Every cloud creates its own processing climate. Any digital trust obtained by one cloud environment does not transfer to any other.
3. Lack of transparency. All clouds are opaque. Neither technology nor process is easily visible. It is almost impossible to generate digital trust when transparency is absent.
Services likely to be outsourced
Source: ENISA
Business Drivers
Source: ENISA
Issues
Source: ENISA
SMB vs Enterprise
Case Studies
NASDAQ and the New York Times
• New York Times
– Didn’t coordinate with Amazon, used a credit card!
– Used EC2 and S3 to convert 15M scanned news articles to PDF (4TB data)
– Took 100 Linux computers 24 hours (would have taken months on NYT computers)
– “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, Nasdaq
• Nasdaq
– Uses S3 to deliver historic stock and fund information
– Millions of files showing price changes over 10 minute segments
– “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP
– Created lightweight Adobe AIR application to let users view data
Government Use of Public Cloud
• 5,000+ Public Sector and Nonprofit Customers use Salesforce
• President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application
– Concept to Live in Three Weeks
– 134,077 Registered Users
– 1.4 M Votes
– 52,015 Ideas
– Peak traffic of 149 hits per second
• US Census Bureau Uses Salesforce.com Cloud Application
– Project implemented in under 12 weeks
– 2,500+ partnership agents use Salesforce.com for 2010 decennial census
– Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure
“Cyber crime isn’t conducted by 15-year-olds experimenting with viruses”
“Well-funded…..pursued by professionals with deep financial and technical resources, often with government toleration if not outright support.”
Source: Eugene Spafford, Purdue; “CyberWarriors”, the Atlantic, March 2010
“Responsible for billions of dollars in losses…it is growing and becoming more capable.”
…and this…
“More than 40 states have developed IO doctrines or capabilities…”
- CSIS, America’s failure to protect cyberspace, 2008
“Militaries now have the capability to launch damaging cyber attacks against critical infrastructure, but serious cyber attack independent of a larger military conflict is unlikely.”
“…but the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business‐versus‐business spying.”
- CyberWarriors, The Atlantic, March 2010
“A shortcut on the ‘D’ of R&D”
New Issues, Same Governance
Environment
Source: 7Safe Breach Report Jan 2010
Attack Sophistication
Government Use of Public Cloud
• New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project
– Use Salesforce.com to run their call center, incident management, complaint tracking, and service portal
– 600% More Inquiries Handled
– 0 New Agents Required
– 36% Improved Response Time
• U.S. Army uses Salesforce CRM for Cloud‐based Recruiting
– U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center.
– Use Salesforce.com to track all core recruitment functions and allows the Army to save time and resources.
PCI DSS Dirty Dozen
- Symantec 2009
SMB:
– Minimize complexity & cost
– Eliminate the need to own
– Value outweighs risk, Outsource everything
What businesses were breached:
Source: 7Safe Breach Report Jan 2010
What information was targeted:
Source: 7Safe Breach Report Jan 2010
Not an inside job…
Source: 7Safe Breach Report Jan 2010
Targeted Asset
Source: 7Safe Breach Report Jan 2010
Exploit
Origin
SaaS Division of Responsibilities
Source: ENISA
Customer
• Compliance with data protection law in respect of customer data collected and processed
• Maintenance of identity management system
• Management of identity management system
• Management of authentication platform (including enforcing password policy)
Provider
• Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc)
• Physical infrastructure security and availability (servers, storage, network bandwidth, etc)
• OS patch management and hardening procedures (check also any conflict between customer hardening procedure and provider security policy)
• Security platform configuration (Firewall rules, IDS/IPS tuning, etc)
• Systems monitoring
• Security platform maintenance (Firewall, Host IDS/IPS, antivirus, packet filtering)
• Log collection and security monitoring
Reducing Risk
• Identify what’s most important
• Identify where vulnerabilities exist
• Isolate the probable
• Quantify
• Identify the most effective & efficient prevention
• Have a pre‐approved incident response plan
• Test, Evaluate and Improve
Examples
One Proposal for the Here and Now…
The best defense is a good offense?
“We spend more time on the computer network attack business than we do on computer network defense because so many people at very high levels are interested”
- Former CNA commander, Air Force Maj. Gen. John Bradley
“…but Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and intelligence agencies have been spending billions.”