Marc Vael, International Vice-President and Chair of the Cloud Computing Task Force, presented on cloud computing risks. The document discussed the definition of cloud computing, its characteristics and service models. It outlined lessons learned from cloud computing implementations including never outsourcing what cannot be properly managed internally, and that risk always exists regardless of detection. Specific technical, legal and organizational risks were also reviewed.
6. When was the term used for the first time? 26th of October 1997
7. Who hyped all this?
“What's interesting [now] is that there is an emergent new model, and you all are here because you are part of that new model. I don't think people have really understood how big this opportunity really is. It starts with the premise that the data services and architecture should be on servers. We call it cloud computing – they should be in a "cloud" somewhere. And that if you have the right kind of browser or the right kind of access, it doesn't matter whether you have a PC or a Mac or a mobile phone or a BlackBerry or what have you – or new devices still to be developed – you can get access to the cloud.”
Mr. Eric Schmidt, Chairman & CEO Google
Search Engine Strategies Conference
9th of August 2006
http://www.google.com/press/podium/ses2006.html
14. Definition
Cloud computing = model for enabling convenient, on-demand broad network access to a shared pool of configurable computing resources that can be rapidly provisioned & released with minimal management effort or service provider interaction and with automatic measuring, controlling & optimization.
5 characteristics, 3 service models, 4 deployment models
NIST, Definition of Cloud Computing, October 2009
16. Definition : 5 essential characteristics
2. Broad network access: accessible via different platforms.
17. Definition : 5 essential characteristics
3. Resource pooling: multi-tenant model. Location independence: the consumer has no control / knowledge over the location of resources but may be able to specify location at a higher level of abstraction.
18. Definition : 5 essential characteristics
4. Rapid & elastic provisioning (add & withdraw): capabilities appear to be unlimited + can be purchased in any quantity at any time.
21. ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010
Considerations in 3 Cloud Computing Service Models
22. Considerations in 3 Cloud Computing Service Models
• Marketing packaging is becoming important…
24. Considerations in 4 Cloud Computing Deployment Models
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2010
29. TANGIBLE BENEFITS
• Cost Reduction (OPEX)
• Enhanced productivity
• Optimized resource utilization
• Improved security
• Improved compliance
• Access to skills & capabilities
• On-demand scalability
• Agility (time to market)
• Improved customer satisfaction
• Higher reliability (DRP)
• Better performance and uptime
INTANGIBLE BENEFITS
• Avoiding missed business opportunities
• Focus on core business
• Higher employee satisfaction (mobile)
• Boosting innovation
• Real-time collaboration
• Risk transfer to CSP
30. UPFRONT COSTS
• Technical readiness (bandwidth)
• Implementation / Transition
• Integration inhouse-cloud
• Configuration/Customization
• Training
• Organisational change
RECURRING COSTS
• Subscription fees
• Change management
• Vendor management (SLA)
• Cloud coordination
• End-user support & administration
• Risk mitigation
• Downsize/Upsize costs
TERMINATION COSTS
• Revert to on-premises or transfer to other CSP
• Penalties, Data export, Knowledge, Documents
32. CLOUD ROI suggestions
• Focus quickly on the optimal cloud solution: start with an initial/baseline model and iteratively identify the one best suited to the enterprise’s needs.
• Make an “apples to apples” comparison: evaluate a comparable set of costs for the as-is & to-be alternatives, i.e. make a fair comparison between 2 solutions that are potentially very different. Measuring monetary values in a consistent manner increases ROI accuracy and reliability.
• Stay within the enterprise’s risk tolerance: perform a risk assessment of the as-is & to-be options to ensure that the solutions being compared are within the enterprise’s risk tolerance and that the costs of mitigating unacceptable risk are factored into the calculations. Knowing the enterprise’s risk appetite before calculations begin is a must.
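The three ROI suggestions above, worked through as a small comparison model. This is an added example, not from the presentation: the cost categories (upfront, recurring, termination) follow the cost slides, the rule that mitigation cost is added for any risk whose annual expected loss exceeds the enterprise's risk appetite is an assumed interpretation of the third suggestion, and every figure is a constructed sample value.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    likelihood: float       # probability of occurring per year (0..1)
    impact: float           # monetary loss if it occurs
    mitigation_cost: float  # yearly cost of the control that brings it within tolerance


@dataclass
class Option:
    name: str
    upfront: dict[str, float]      # one-off: implementation, training, bandwidth readiness
    recurring: dict[str, float]    # per year: subscription, vendor management, support...
    termination: dict[str, float]  # exit: penalties, data export, knowledge transfer
    risks: list[Risk] = field(default_factory=list)


def total_cost(opt: Option, years: int, risk_appetite: float) -> dict:
    """Cost of one option over `years`. A risk whose annual expected loss
    (likelihood * impact) exceeds the risk appetite is unacceptable, so the
    cost of mitigating it is added to the calculation (assumed rule)."""
    mitigated, mitigation = [], 0.0
    for r in opt.risks:
        if r.likelihood * r.impact > risk_appetite:
            mitigated.append(r.name)
            mitigation += r.mitigation_cost * years
    total = (sum(opt.upfront.values()) + sum(opt.recurring.values()) * years
             + sum(opt.termination.values()) + mitigation)
    return {"option": opt.name, "total": total, "mitigated_risks": mitigated}


def compare(as_is: Option, to_be: Option, years: int, risk_appetite: float) -> dict:
    """Apples to apples: same horizon, same cost categories, same risk appetite."""
    a, b = total_cost(as_is, years, risk_appetite), total_cost(to_be, years, risk_appetite)
    return {"as_is": a, "to_be": b, "savings": a["total"] - b["total"]}


# Constructed sample figures, not taken from the slides.
ON_PREM = Option("as-is on-premises", {"hardware refresh": 120_000},
                 {"operations": 80_000, "licences": 30_000}, {},
                 [Risk("single data centre outage", 0.05, 500_000, 15_000)])
CLOUD = Option("to-be SaaS", {"transition": 40_000, "training": 10_000, "bandwidth": 5_000},
               {"subscription": 60_000, "vendor management": 10_000, "end-user support": 8_000},
               {"data export": 5_000, "penalties": 10_000},
               [Risk("provider lock-in", 0.2, 150_000, 5_000),
                Risk("data location / jurisdiction", 0.1, 50_000, 12_000)])

if __name__ == "__main__":
    print(compare(ON_PREM, CLOUD, years=3, risk_appetite=10_000))
```

With a risk appetite of 10,000 per year the jurisdiction risk stays within tolerance and adds no cost, while lock-in and the outage risk do not and their mitigation is charged to the respective option.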
64. Policy & Organizational risks
1. Provider Lock in*
2. Loss of Governance*
3. Compliance challenges*
4. Loss of business reputation due to co-tenant activities
5. Cloud service termination/failure
6. Cloud provider acquisition
7. Supply Chain failure
8. SLA challenges
72. • Transparency : providers must prove effective & robust security controls, assuring consumers all info is properly secured (C-I-A).
- How much transparency is enough/too much?
- Which employees (of the provider) have access to consumer information?
- Is Segregation of Duties (SoD) between provider employees maintained?
- How are different consumers’ information segregated?
- What controls are in place to prevent, detect and react to security breaches?
- What investigations, examinations and audits (physical & virtual) are allowed by the provider?
73. • Privacy : providers must prove privacy controls are in place + demonstrate ability to prevent, detect, react to security breaches in a timely manner.
- Information & reporting lines of communication need to be in place & agreed on.
- Communication channels should be tested periodically.
74. • Trans-border information flow : physical location of the information:
- Physical location dictates jurisdiction and legal obligation.
- National laws governing personally identifiable information (PII).
• What is allowed in one country can be a violation in another.
99. Marc Vael
International Vice-President
Chairman of the Cloud Computing Task Force
http://www.isaca.org/cloud
Contact information
marc@vael.net
http://www.linkedin.com/in/marcvael
@marcvael
101. 14 General Cloud Computing Security Advantages
1. Data Fragmentation & Dispersal
2. Dedicated Security Team
3. Greater Investment in Security Infrastructure
4. Fault Tolerance & Reliability
5. Greater Resiliency
6. Hypervisor Protection against Network Attacks
7. Access to Pre-Accredited Clouds
8. Simplification of Compliance Analysis
9. Data held by unbiased party (cloud vendor assertion)
10. Low-Cost Disaster Recovery & Data Storage Solutions
11. On-Demand Security Controls
12. Real-Time Detection of System Tampering
13. Rapid Re-constitution of Services
14. Advanced Honeynet Capabilities
102. 14 Specific Cloud Computing Security Challenges
1. Migrating PII & sensitive data to the cloud
– EU Data Protection Directive & U.S. Safe Harbor program
– Exposure of data to foreign government & data subpoenas
– Data retention & records management issues
– Privacy Impact Assessments (PIA)
2. Identity & Access Management
3. Multi-tenancy
4. Logging & Monitoring
5. Data ownership / custodianship
6. Quality of Service guarantees
103. 14 Specific Cloud Computing Security Challenges
8. Attracting hackers (high value target)
9. Security of virtual OS in the cloud
10. BCP / DRP
11. Data encryption & key management
– Encrypting access to cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
12. Public cloud vs. Internal cloud security
13. Lack of public SaaS version control
14. Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs