Presented by Glen Roberts to the NCUA (National Credit Union Administration) and the OCCU (Office of Corporate Credit Unions) in Alexandria, VA on April 10, 2012.
2. About the Presenter
* Glen Roberts, CISSP
* IT Infrastructure Manager at UFCU
* President at Cloud Security Alliance, Austin Chapter
3. Agenda
* Cloud Computing Overview
* Cloud Benefits and Risks
* Myths and Reality of the Cloud
* Community Clouds
* What a CUSO Model Offers
* CUSO Model Benefits
* Case Study: 2nd Node
* Foundational Issues
* Abbreviated Risk Framework
* Addressing Common Security Concerns
4. Cloud Computing Definition
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (NIST SP 800-145, September 2011).
6. Interactive Slide
What are some of the benefits cloud computing can offer credit unions?
7. Top 10 Cloud Benefits
1. Faster implementation, ready to use, automation
2. Access anywhere, on any device
3. Reduced cost, pay for use
4. Scalability, right-sized, flex up and down
5. Collective benefits, GRC alignment, new functionality
6. Improved productivity, shift focus to further innovate
7. Integrated security and patching
8. Leverage vendor expertise, economy of scale
9. High performance, reliability, uptime
10. Environment-friendly, computing efficiency
8. Interactive Slide
What risks might cloud computing expose a credit union to?
9. Top 10 Cloud Risks
1. Data loss, alteration, disclosure
2. Unable to prove security of provider or solution
3. Provider insider threat, insecure APIs, hypervisor flaws
4. Multi-tenancy trust issues
5. Account hijacking
6. Regulatory problems, lack of forensics support
7. Blurred responsibilities
8. Internet/external network dependency
9. Poor support, scalability issues
10. Complexity, hidden costs
10. Myths and Reality of the Cloud
* The cloud is just a fad
* The cloud is less secure
* The cloud is not compliant
* Moving to the cloud is too challenging
* Moving to the cloud is too costly
11. Community Clouds
* Shared by several organizations
* Supports a community with common interests
  * Business purpose
  * Standardization
  * GRC (governance, risk and compliance) requirements: GLBA, NCUA
* Many of the benefits of public cloud with less risk
* Better cost savings than private cloud or traditional infrastructure
12. What a CUSO (Credit Union Service Organization) Model Offers
* Trust
* Transparency
* Dependable SLAs
* Clear roles & responsibilities
* Shared improvements
* Data sharing
13. CUSO Model Benefits
* Do more with less
* Reduce maintenance & operations costs
* Sharing of assets
* Share the expense of implementations
* Free up staff to innovate for members
14. More CUSO Model Benefits
* Cloud service brokerage
* Cooperatively select vendors
* Improved bargaining power as a collective
* Shared cost of vendor solutions
* Leverage shared integration with vendors
15. Case Study: 2nd Node
* Formed by UFCU and AFCU in 2009
* CUSO
* Second data center
* Business Continuity/Disaster Recovery
16. 2nd Node: Facility
* Facility
  * SAS 70 Type II facility
  * Working on SSAE 16 Type II (the successor to SAS 70)
  * Generator, UPS, HVAC
  * Environmental security
17. 2nd Node: Infrastructure
* Utility pricing per cabinet:
  * Telecom
  * Internet connectivity: 100 Mbps
  * SAN
    * Separate LUNs, partitions
    * EqualLogic, Compellent
  * IDS/IPS
  * Individual consoles per customer
  * 2nd Node as the oracle
19. Foundational Issues
* Many have tried and failed
* Control issues vs. cooperation
* Visibility of operations
* Differing visions
* Undefined SLAs
* Security concerns
20. Addressing Common Security Concerns
* Security
  * Not necessarily more or less secure
  * Enormous potential to be more secure
  * Collaborate to implement controls
* Standards gaps
  * Traditional standards still apply
  * NIST and CSA are helping accelerate catch-up
21. Data Protection
* What data needs to be protected?
* Common options:
  * Encryption of data
  * Tokenization
  * Sanitization, anonymization
  * Object security
  * Hashing
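The options above differ mainly in whether the original value can be recovered, and by whom. The Python block below is an added example, not code from the presentation, UFCU or 2nd Node; the member record, the field names, the per-field policy and the HMAC key are constructed assumptions for illustration. It applies tokenization (with the token vault kept on premises, so only the credit union can reverse it), keyed hashing (reversible by no one, but stable enough to join records in the cloud) and masking (irreversible sanitization that leaves a recognizable hint) to a record before it leaves for a community cloud. Encryption is left out because the Python standard library ships no authenticated cipher; in practice an AEAD such as AES-GCM from a vetted library fills that slot.

```python
"""Protecting member data before it leaves the credit union for a shared cloud.

Added example, not part of the presentation. Field names, the policy and the
sample values are assumptions made for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; not real member data.
SAMPLE_MEMBER = {
    "member_id": 10001,
    "name": "Jane Q. Member",
    "ssn": "123-45-6789",
    "account_number": "4000123456781234",
    "email": "jane@example.com",
    "balance": 2500.75,
}


class TokenVault:
    """Tokenization: replace a value with a random surrogate and keep the
    mapping here, on premises. The vault itself never moves to the cloud, so
    a tenant or provider who sees the token learns nothing about the value."""

    def __init__(self):
        self._forward = {}   # original value -> token
        self._reverse = {}   # token -> original value

    def tokenize(self, value):
        if value in self._forward:          # same value, same token
            return self._forward[value]
        token = "tok_" + secrets.token_hex(16)   # random; not derived from value
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        return self._reverse[token]


def mask_account(number, keep_last=4):
    """Sanitization: irreversible masking that keeps only the trailing digits
    staff need to recognise an account on a screen or report."""
    if len(number) <= keep_last:
        return "*" * len(number)
    return "*" * (len(number) - keep_last) + number[-keep_last:]


def pseudonymize(key, value):
    """Keyed hashing (HMAC-SHA256): a stable identifier for joins and analytics.
    An unkeyed hash of low-entropy data such as e-mail addresses or SSNs is
    trivially reversed by enumeration, so the key stays with the credit union."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()


def protect_record(record, vault, hmac_key):
    """Per-field policy: which option fits depends on what the cloud-side
    process needs back: the original later (tokenize), a stable join key
    (keyed hash), only a hint (mask) or nothing at all (drop the field)."""
    return {
        "member_id": record["member_id"],
        "ssn": vault.tokenize(record["ssn"]),
        "account_number": mask_account(record["account_number"]),
        "email": pseudonymize(hmac_key, record["email"]),
        # "name" is dropped: anonymization for data the cloud process never needs
        "balance": record["balance"],
    }


if __name__ == "__main__":
    vault = TokenVault()
    key = b"assumed-on-premises-hmac-key"    # assumption: held in the CU's KMS
    protected = protect_record(SAMPLE_MEMBER, vault, key)
    print(protected)
    print("recovered SSN:", vault.detokenize(protected["ssn"]))
```

The point the slide's question ("what data needs to be protected?") drives at is visible in `protect_record`: the decision is per field and per consumer, and the reversible options (tokenization, encryption) only reduce risk if the vault or key stays outside the shared environment.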
22. Abbreviated Risk Framework: Identify Assets
* Identify potential assets to be moved to a community cloud
  * Infrastructure
  * Data
  * Applications
  * Functions/Processes
23. Abbreviated Risk Framework: Community Cloud Risks
* Assess DAD (disclosure, alteration, destruction) risks of moving assets to the community cloud
  * What is the impact if the provider accesses the asset or if data goes public?
  * What is the impact if processes are manipulated or fail to function?
24. Abbreviated Risk Framework: Community Cloud Requirements
* Location
* Identification of other tenants
* Degree of control
* Who manages assets and how
* Security and compliance controls