This document summarizes the key security risks of cloud computing. It discusses how privileged user access poses risks if sensitive data is processed outside an organization without proper controls. Regulatory compliance responsibilities still fall on the customer. Data location and legal jurisdiction need to be clearly understood. Data segregation and investigative access are also security concerns, as most cloud data is commingled. Disaster recovery and long-term provider viability require thorough due diligence. Proper planning, flexible agreements, and well-defined roles are emphasized as part of a roadmap for successful cloud adoption.
2. Agenda What is the cloud? Why Cloud Computing? Decomposing the Cloud Understanding Implementations Top Security Risks Privileged User Access Regulatory Compliance Data Location Data Segregation Recovery Investigations Long Term Viability Myths and Truths Roadmap to Success
5. What is the Cloud? Cloud computing: Private Cloud: Virtual Private Cloud: is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. utilisestechnologies of the public cloud but are operated solely for an organisation. It could be managed by the organisation itself or by a third party on, or off site….. a cloud deployed solely for use of an organisation. This cloud utilisesstandardised technology, and processes of a service provider, which leverages shared resources with dedicated resource pools and tailored Service Model (determined by each provider).
18. Understanding Implementations? Cloud Computing Service Categories On Premises Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) You manage Applications Applications Applications Applications Data Data Data Data You manage Runtime Runtime Runtime Runtime Managed by vendor Middleware Middleware Middleware Middleware You manage Managed by vendor O/S O/S O/S O/S Virtualization Virtualization Virtualization Virtualization Managed by vendor Servers Servers Servers Servers Storage Storage Storage Storage Networking Networking Networking Networking
19. Top Security Risks Privileged User Access Sensitive Data processed outside the organisation / enterprise brings with it an inherent level risk, as the outsourced services tend to bypass the “physical, logical and personnel controls”. Know your provider! Get as much information as you can about the people who will manage your data! Best practice – what standards do they follow or are they certified to? How often are they assessed and controls tested and verified? You wouldn’t give someone all your data without asking what they are going to do with it would you?
20. Regulatory Compliance It remains YOUR responsibility! Customers are ultimately responsible for the security and integrity of the data they collect, even when held by a service provider. You cannot “surrender or transfer” your responsibilities under the Data Protection Act (Irish and UK). If you collect the information, you need to ensure the information is held in accordance with the 8 key principles of the Data Protection Act. International Data Transfer
21. Data Location Where is It? What laws is it governed by? When organisations use the cloud – most probably don’t even know where their data is held or hosted? What country is it in? What laws govern it? Who has access to it? “smaller cloud providers are not carrying cyber insurance, and have no plans to do so until the larger customers push back” -Hartford Financial Services Group (New York)
22. Data Segregation Data Segregation In the vast majority of cases, data in the cloud is stored and hosted in a shared environment alongside data from other customers. How is this controlled? What accountability is there? How is CIA enforced? What happens in the case of an investigation? Can I get my data back if I need it?
23. Data Recovery Disaster Recovery / Business Continuity Data Backup and replication are NOT a given when utilising cloud computing. There is often little to no continuity around data backup and replication in standard agreements. Most of these agreements tend to ensure availability around the service provided by the provider and not the contents or data. Always check to ensure your provider can tell you what will happen to your data in the event of a disaster! Service Level Agreements should be thoroughly checked and reviewed to ensure they align with the business requirements before proceeding.
24. Investigations & Support Illegal / Inappropriate activity The investigation of inappropriate or illegal activities may be impossible in cloud computing for a number of reasons. What technology / systems are being utilised by the provider? Is there an intelligent system being used to detect anomalies or attacks? What processes / procedures are in place to ensure any breaches can be detected? Will your provider notify you of any breaches (most don’t)? What happens if my information is taken as part of an investigation?
25. Long Term Viability How viable is my provider long term? In an ideal world, your cloud computing provider will never go broke, get acquired or swallowed up by a larger company. Recent stories: SAP acquire Coghead (Cloud Computing) HP acquires ArcSight (from RSA) IBM acquires CastIron (Cloud Computing) Dell acquires Perot Systems “The most mature cloud services are only 3 years old”