2015 - the cloud for managers @ riga business school - dss - cloud risks and some thoughts

Some thoughts about cloud computing risks Andris Soroka 28 th of January, 2015 Riga, Latvia

Upload: andris-soroka

Post on 16-Jul-2015


Some thoughts about cloud computing risks

Andris Soroka, 28th of January, 2015, Riga, Latvia

Role of DSS in Cyber-security Development in the Baltics

Cyber-Security Awareness Raising

Technology and knowledge transfer

Cyber Security Portfolio Only

Trusted Advisor to its Customers

Game changer

DSS ITSEC 2014

Today’s realities in the world

Escalating Attacks

• Increasingly sophisticated attack methods

• Disappearing perimeters

• Accelerating security breaches

Increasing Complexity

• Constantly changing infrastructure

• Too many products from multiple vendors; costly to configure and manage

• Inadequate and ineffective tools

Resource Constraints

• Struggling security teams

• Too much data with limited manpower and skills to manage it all

• Managing and monitoring increasing compliance demands

Spear Phishing

Persistence

Backdoors

Designer Malware

Business has to worry...

In 2014 to date, roughly 1 in 7 people on the entire planet have been impacted by a data leak.

Some key facts and statistics globally

83% of enterprises have difficulty finding the security skills they need (2012 ESG Research)

85 security tools from 45 vendors (IBM client example)

...and traditional security practices are unsustainable

70% of security executives have cloud and mobile concerns (2013 IBM CISO Survey)

614% mobile malware growth in just one year, 2012-2013 (Juniper Mobile Threat Report)

Cyber security in the Baltic States

Challenges of «C» Level executives (business, IT etc.)

Political (external and internal)

Technological (risks, threats, fraud, attacks, leaks)

Economical (budget reality, competition, costs…)

Legal (compliances, regulations etc.)

Professional (HR, information quantity)

Psychological ( traditions / knowledge / trust)

Shift to Cloud security – good or bad?

Shift to Cloud security

Cloud primary has the same ITSEC areas

IT Security controls - «to do» list

Business part

Business processes analysis from tech perspective

Assessment and management of cyber security risks

Related technological part

Inventory of devices and software

Secure configuration of everything (end-users, devices)

Vulnerability assessment and management

Malware defenses, application security, pen tests

Wifi security

Mobile security

Data security

Continuous skills training and learning

Access control and visibility

Audit, monitoring, analysis, incident response and more

But now – everything connected to the cloud

Shift to Cloud security – concerns...

Psychology factor: Trust – we don’t want to give our data away. Latvia is small...

Level of maturity of cloud computing: Any new technology needs time to prove itself. Who wants to be a «testing sheep» and risk..and.. (50/50)

Cyber-criminals: Clouds are at risk because cybercriminals choose the best ROI – they attack «watering holes» and...clouds

Legislation, responsibility, control: International cooperation at a world-wide level is still a huge challenge, but how otherwise can you catch bad guys and solve problems...

Cloud of course has challenges...

ENISA «Cloud Computing Risk Assessment» recent research describes at least 25 big, known cloud computing major risks and issues..

Shift to Cloud security – the Good

Economy of scale – security perspective..

• More security for the same money..

• Better security experts for the same money

• Reduced costs of IT..

• Near instant provisioning

• Service on demand

• Availability from any location

• Redundancy

• No down-time, 24x7x365

• And so on...

Shift to Cloud security – the Risk perspective

• Insiders!!!

• Data risks – location, transit

• Loss of control & governance

• Limited data available from the cloud service provider (logs, location of data, responsibilities, 3rd parties..)

• External penetration tests not allowed

• Usually no forensics tools are available

• Outsourcing is not known or visible

• Audit not allowed, sometimes important to meet compliance criteria

• Lack of compliance with international regulations (EU data protection regulation, ENISA cloud certification, intellectual property rights etc.)

• 3rd party solutions (f.i. encryption software)

• Overbooking or isolation (DDoS attacks, not especially on you)

• Lock-in! It is sometimes not so easy to change cloud provider

Some final slides about risks...

Figure: Deployment Model Risk Profile – likelihood of data security, privacy and control breach, from higher (Public) through Community to lower (Private).

Some final slides about risks...

Figure: Service Model Risk Profile – impact of loss of control and security breach, higher for IaaS, lower for PaaS and SaaS.

Some final slides...cont.

Cloud Risk Ranking Example

Attribute              High (5)           Med (3)          Low (1)
Deployment Model       Public             Community        Private
Service Model          IaaS               PaaS             SaaS
Data Security Level    Secret             Restricted       Unclassified
Physical Hosting Site  Undefined          Int'l Location   Domestic Location
SOX Critical           Yes                                 No
Dependent Apps         Greater than 10    4 to 10          0 to 3
Recovery Time          4 Hours            7 Days           31 Days
Region Supported       Europe or Global   US               All other

Some final slides...cont.

Deployment Model Considerations

Deploy Model: Public (High), Community (Medium), Private (Low)

Public:

- Security and privacy are not a priority

- Service level agreements may not exist

Private:

- Private environments provide adequate security and privacy

- Service level agreements should exist

Some final slides...cont.

Service Model Considerations

Service Model: IaaS (High), PaaS (Medium), SaaS (Low)

IaaS:

- Issues may impact all hosted applications and data

- No control over foundational general controls

PaaS / SaaS:

- PaaS - Impact limited to outsourced platform

- SaaS - Impact limited to applications and data

Some final slides...cont.

Data Security Considerations

Security Level: Secret (High), Restricted (Medium), Unclassified (Low)

Secret:

- Difficult to enforce security standards when outsourcing

- Difficult to demonstrate compliance with regulations like GLBA

Unclassified:

- Security and privacy is not a concern (good candidate for cloud computing)

Shift to Cloud security

Dependent Applications

Number of Apps: Greater than 10 (High), 4 to 9 (Medium), Less than 3 (Low)

> 10:

- Implies complexity and greater organizational significance

< 3:

- Implies simplicity and less organizational significance
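The ranking table and the considerations slides above describe a scoring scheme but never carry it through; the following calculator is an added illustration, not code from the presentation. It uses the table's High (5) / Med (3) / Low (1) scores per attribute; the band edges for recovery time and the thresholds applied to the total score are assumptions of this example.

```python
# Added illustration of the deck's cloud risk ranking scheme; not from the presentation.
HIGH, MED, LOW = 5, 3, 1
# Categorical attributes, value -> score, exactly as in the ranking table.
CATEGORICAL = {
    "deployment_model": {"public": HIGH, "community": MED, "private": LOW},
    "service_model": {"iaas": HIGH, "paas": MED, "saas": LOW},
    "data_security_level": {"secret": HIGH, "restricted": MED, "unclassified": LOW},
    "physical_hosting_site": {"undefined": HIGH, "international": MED, "domestic": LOW},
    "sox_critical": {True: HIGH, False: LOW},
    "region_supported": {"europe": HIGH, "global": HIGH, "us": MED, "other": LOW},
}

def score_dependent_apps(count: int) -> int:
    """Greater than 10 -> High, 4 to 10 -> Med, 0 to 3 -> Low (from the table)."""
    if count < 0:
        raise ValueError("dependent app count cannot be negative")
    return HIGH if count > 10 else MED if count >= 4 else LOW

def score_recovery_time(hours: float) -> int:
    """Required recovery time: the tighter the objective, the higher the risk.
    Band edges (<= 4 h High, <= 7 days Med, otherwise Low) are an assumption
    drawn from the table's 4 Hours / 7 Days / 31 Days columns."""
    if hours <= 0:
        raise ValueError("recovery time must be positive")
    return HIGH if hours <= 4 else MED if hours <= 7 * 24 else LOW

def rank_workload(workload: dict) -> dict:
    """Score each attribute, sum the scores and classify the total.
    The High/Medium/Low thresholds on the total (70 % / 40 % of the maximum)
    are an assumption of this example; the deck only gives per-attribute scores."""
    scores = {}
    for attr, table in CATEGORICAL.items():
        value = workload[attr]
        key = value.lower() if isinstance(value, str) else value
        if key not in table:
            raise ValueError(f"{attr}: unknown value {value!r}")
        scores[attr] = table[key]
    scores["dependent_apps"] = score_dependent_apps(workload["dependent_apps"])
    scores["recovery_time"] = score_recovery_time(workload["recovery_time_hours"])
    total, maximum = sum(scores.values()), HIGH * len(scores)
    level = "High" if total >= 0.7 * maximum else "Medium" if total >= 0.4 * maximum else "Low"
    return {"scores": scores, "total": total, "maximum": maximum, "level": level}

# Constructed sample: a public IaaS workload holding secret data, hosting site unknown.
SAMPLE = {"deployment_model": "Public", "service_model": "IaaS",
          "data_security_level": "Secret", "physical_hosting_site": "Undefined",
          "sox_critical": True, "region_supported": "Europe",
          "dependent_apps": 12, "recovery_time_hours": 4}
if __name__ == "__main__":
    print(rank_workload(SAMPLE))  # total 40 of 40 -> level "High"
```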

Conclusion...

Cloud computing is not a new technology. Cloud computing is a new business model. It is a way of delivering computing resources, and it is here to stay. Adopt it as soon as you can and build an even more successful business.

Before moving to the cloud – involve professionals to help you understand what part, how, when, where, by whom and why it would be reasonable (by costs, risks, investment measures) to be moved to the cloud. And to which cloud.

As a famous Latvian poet once said – «One who’d be able to change would also be able to continue to exist!»

Think security first

www.dss.lv


+371 29162784


Credits to ENISA, ISACA papers and presentations, Dr Giles Hogben, Dr Evangelos Ouzounis, Kiran Kumar, Matt McMillon, Donald Gallien and many others