The Cloud Beckons, But is it Safe?

  1. The Cloud Beckons, But is it Safe? April 2012
  2. The Cloud Beckons, But is it Safe? #12NTCCSec. Laura Quinn, Michael Enos
  3. Evaluate This Session! Each entry is a chance to win an NTEN engraved iPad! or Online at www.nten.org/ntc/eval
  4. Introductions: Laura Quinn, Executive Director, Idealware. Michael Enos, Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties. What are you hoping to get out of this session?
  5. What is The Cloud?
  6. The Lure of the Cloud: Low cost of entry. Easy remote access. No complex infrastructure. But what about security?
  7. How Do YOU Feel About Cloud Security?
  8. Why the Concern?
  9. Cloud Security in the News
  10. Under Siege: To be on the Internet is to be vulnerable to attack. If you’re on the Internet, you’re in The Cloud.
  11. But We Do Lots of Things on the Internet: We shop online. We bank online. We post crazy things on Facebook. Why is the cloud different? It’s not.
  12. How Secure is Your On-Site Data? Do any of these sound familiar? • No one patches computers or is responsible for network security • You haven’t really thought about passwords or permissions • No disaster recovery plans • Staff hasn’t had any security training
  13. Myth: “We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”
  14. Fact: Many data security breaches are crimes of opportunity. Organizations don’t always consider the sensitivity of their data until it’s exposed.
  15. Myth: “Our data is safer not in the cloud”
  16. A Cloud Data Center
  17. Is This Your Server Closet?
  18. What Does Security Mean?
  19. The Three Pillars of Information Security
  20. Confidentiality: Information is available only to authorized parties.
  21. Integrity: Information isn’t modified inappropriately, and you can track who made what change.
  22. Availability: Assurance that data is accessible when needed by authorized parties.
  23. Also: Physical Possession. Whoever has the data could, for instance, turn it over to the government.
  24. How Does This Apply to the Cloud?
  25. Cloud Security: The use of the term “Cloud” is cloudy! Three general types of clouds: Software-as-a-Service, Hosted Private Cloud, Co-located Private Cloud. All three have different security models.
  26. Software as a Service: The vendor owns and manages all aspects of the environment. For instance:
  27. Hosted Private Cloud: The vendor owns and manages the equipment only, but all software is managed by the client. The equipment is on the vendor’s network. For instance:
  28. Co-located Private Cloud: The vendor provides only the physical environment in a data center; the client maintains the hardware and the software. For instance:
  29. What Does Security Mean For You?
  30. Rules for Absolute Safety: Turn off your Internet connection. Allow no one access to your data and systems. But let’s be realistic…
  31. Know What You’re Protecting: What kinds of data are you storing, and how sensitive are they? Think about its value on the open market.
  32. Red Flags: You need extremely tight security to store: • Donors’ credit card numbers • Scanned images of checks • Donors’ bank account information
  33. What’s Your Exposure? Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
  34. What’s The Impact of an Outage? How much staff time could you lose from a short-term or prolonged outage?
  35. Testing Your On-Site Security: Have you recently performed a: • Check on whether your systems have been recently patched? • Systems penetration test? • Employee training on security procedures? • Backup/recovery test? If not, you’d likely increase your security by moving to the cloud.
  36. A Multi-Level Security Model
  37. Multi-Level Security is the Ideal
  38. Physical Security: • Guarded facilities • Protection of your hardware and devices • Power redundancy • Co-location (redundant facilities)
  39. Network Security: • Intrusion prevention • Intrusion detection • Firewalled systems • Network proactive anti-virus protection
  40. Transmission Security: Is data encrypted in transit? Is the network secure?
  41. Access Controls: • Ensuring the right people have access to the right data • Physical access to the server • Training on appropriate passwords and security measures
  42. Data Protection: • Data encryption • Solid backup and restore policies • Ability to purge deleted data • Ability to prevent government entities from getting your data with a subpoena
  43. What to Look For in a Vendor
  44. Description of Security Mechanisms: Documentation of all the facets of security, and the staff can talk about it intelligently. Proves information security is on the “front burner”.
  45. Uptime: Do they provide any guarantee of uptime? Any historic uptime figures? Uptime figures are typically in 9s: 99%, 99.9% or 99.99%. Your connection to the internet may well be the weakest link.
  46. Regulatory Compliance: HIPAA. Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
  47. Regulatory Compliance: SAS70 and SSAE16. Audit for security standards, hardware, and processes. Statement on Accounting Standards 70 (SAS70). Statement of Standards for Attestation Engagements 16 (SSAE16).
  48. Regulatory Compliance: PCI DSS Compliance. If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard).
  49. In Summary
  50. Understand the Value of Your Data: What is it worth to you? To others? What measures are appropriate to protect it?
  51. Your Data Is No Safer Than You Make It: Any computer attached to the internet is vulnerable unless you protect it. The cloud isn’t, in and of itself, more or less secure.
  52. But Many Vendors Make Your Data Really Safe: Choose vendors who show they’re serious about data protection (not all vendors are created equal). Consider a vendor’s regulatory compliance.
  53. Questions?