Cloud Security CISO club - April 2011 v2

Shahar Geiger Maor, Senior Analyst (www.shaharmaor.blogspot.com, http://www.facebook.com/shahar.maor, http://twitter.com/shaharmaor)
Cloud Security: Risks and Awareness

Upload: shahar-geiger-maor

Post on 25-May-2015


Category: Technology



DESCRIPTION

Cloud Security: Risks and Awareness. CISO club - April 2011

TRANSCRIPT

Page 1: Cloud Security CISO club -April 2011 v2

Shahar Geiger Maor, Senior Analyst

www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor

Cloud Security: Risks and Awareness

Page 2

Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2

We Should Know, by now, What Cloud Means

http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

Page 3

Game Changer #7

• Hybrid Clouds
• Private Clouds
• Public Clouds
– BPaaS
– PaaS
– SaaS
– IaaS

Page 4

4 types: Enterprise Clouds

http://www.readwriteweb.com/cloud/2011/04/the-cloud-stratosphere-infogra.php

Page 5

Cloudy IT: the hybrid world

• By 2014: 80% of Israeli companies will run hybrid clouds
• Developers are now doing most of their development work for public cloud versions, but will also have private cloud versions by 2015
• ISPs will become strategic

Page 6

What does a private “cloud” look like?

Page 7

Enterprise Benefits from Cloud Computing

Capability                   From (Legacy environments)   To (Cloud enabled enterprise)
Server/Storage Utilization   10-20%                       70-90%
Self service                 None                         Unlimited
Test Provisioning            Weeks                        Minutes
Change Management            Months                       Days/Hours
Release Management           Weeks                        Minutes
Time to market               Bad                          Better
Metering/Billing             Fixed cost model             Granular
Focus on the Core            Not really                   Much better

Cloud accelerates business value across a wide variety of domains.

Source: IBM, STKI modifications

Page 8

Technologies Categorization 2010\2011

[Figure: STKI technology categorization chart. Axis labels: Using / Implementing / Looking, and Market Curiosity / Major Changes / IT Project (market maturity). Size of figure = complexity/cost of project. Technologies plotted: Cyber Warfare, Mobile Sec, DLP\IRM, “Social” Security, Cloud Security, Network Security, Application Security, Endpoint Security, Security Management.]

Source: STKI

Page 9

Cloud Security

http://securosis.com/research

Page 10

Top Threats To Cloud Computing (CSA, v1.0)

http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

• Abuse and Nefarious Use of Cloud Computing
• Insecure Interfaces and APIs
• Malicious Insiders
• Shared Technology Issues
• Data Loss or Leakage
• Account or Service Hijacking
• Unknown Risk Profile
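Worked example, added here and not part of the original deck or of any CSA material: detection rules for three of the seven threat categories above (Account or Service Hijacking, Insecure Interfaces and APIs, Abuse and Nefarious Use), run over constructed cloud-API audit records. The record fields, the per-principal source-address baseline, the action names and the burst threshold are all assumptions chosen for illustration, not any provider's real log schema.

```python
"""Detection logic for three CSA 'Top Threats' categories, run over
constructed cloud-API audit records.  Added example; the record format,
baselines, action names and thresholds are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not from the original page). One dict per API call.
AUDIT_LOG = [
    {"ts": "2011-04-01T08:00:00", "principal": "alice", "src_ip": "192.0.2.10",
     "action": "ListBuckets", "scheme": "https", "signed": True},
    {"ts": "2011-04-01T08:05:00", "principal": "alice", "src_ip": "192.0.2.10",
     "action": "GetObject", "scheme": "https", "signed": True},
    # same credential, never-before-seen source, minutes later: hijacking signal
    {"ts": "2011-04-01T08:09:00", "principal": "alice", "src_ip": "203.0.113.77",
     "action": "CreateAccessKey", "scheme": "https", "signed": True},
    # management call over plaintext and without a request signature
    {"ts": "2011-04-01T09:00:00", "principal": "svc-backup", "src_ip": "198.51.100.5",
     "action": "DeleteObject", "scheme": "http", "signed": False},
] + [
    # fresh trial account launching twelve instances in twelve minutes
    {"ts": f"2011-04-01T10:{i:02d}:00", "principal": "trial-4711",
     "src_ip": "198.51.100.9", "action": "RunInstances", "scheme": "https",
     "signed": True}
    for i in range(12)
]

# Assumed baseline of source addresses each principal normally uses.
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "svc-backup": {"198.51.100.5"}}
# Assumed set of actions that change who can do what (privilege-affecting).
HIGH_VALUE_ACTIONS = {"CreateAccessKey", "CreateUser", "PutBucketPolicy", "DeleteObject"}
BURST_THRESHOLD = 10                 # RunInstances calls per window (assumed)
BURST_WINDOW = timedelta(minutes=15)


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")


def detect_hijacking(log, known=KNOWN_SOURCES):
    """'Account or Service Hijacking': a known credential used from an address
    outside its baseline; rated high when the action is privilege-affecting."""
    findings = []
    for rec in log:
        baseline = known.get(rec["principal"])
        if baseline is not None and rec["src_ip"] not in baseline:
            sev = "high" if rec["action"] in HIGH_VALUE_ACTIONS else "medium"
            findings.append((rec["ts"], rec["principal"], rec["src_ip"],
                             rec["action"], sev))
    return findings


def detect_insecure_api(log):
    """'Insecure Interfaces and APIs': management calls that are unsigned
    or not carried over TLS, i.e. replayable or sniffable."""
    return [(r["ts"], r["principal"], r["action"]) for r in log
            if r["scheme"] != "https" or not r["signed"]]


def detect_abuse(log, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """'Abuse and Nefarious Use': a principal launching >= threshold instances
    inside one sliding window (compute rented for spam, cracking or DDoS)."""
    launches = defaultdict(list)
    for rec in log:
        if rec["action"] == "RunInstances":
            launches[rec["principal"]].append(_ts(rec))
    findings = []
    for principal, times in launches.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                findings.append((principal, start.isoformat(), j - i))
                break                       # one finding per principal
    return findings


def run_all(log=AUDIT_LOG):
    """Run every rule and return findings keyed by CSA threat category."""
    return {"hijacking": detect_hijacking(log),
            "insecure_api": detect_insecure_api(log),
            "abuse": detect_abuse(log)}


if __name__ == "__main__":
    for threat, hits in run_all().items():
        print(threat, hits)
```

The three rules only work if the provider actually exposes a per-call audit trail with caller identity, source address, transport and signature status; whether that trail exists, and who can read it, is a question to settle with the provider before the contract is signed, not after the first incident.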

Page 11

Cloud Provider Vs. Organization

Security and privacy areas covered by the NIST draft (SP 800-144):

• Governance
• Compliance
• Trust
• Architecture
• Identity and Access Management
• Software Isolation
• Data Protection
• Availability
• Incident Response

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

Page 12

Division of Liabilities in the Cloud

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/

Page 13

How to Secure the Cloud? - Provider’s Side

http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Technologies believed to be most important in securing the cloud computing environment

Page 14

Cloud Services Concerns - Client’s Side

Security (especially access issues) is still considered a top concern

Source: InformationWeek, State of Cloud, Jan 2011

Page 15

Cloud Services Concerns - Client’s Side

Source: InformationWeek, State of Cloud, Jan 2011

“We won’t be involving our security team in this project until the last possible moment, because the answer will be ‘no.’” - VP at one of the largest retailers in the world

Page 16

Lack of Confidence in IT?

http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf

Who is responsible for ensuring a secure cloud computing environment?

Isn’t cloud security an IT responsibility??? So why does IT rank only 3rd?

Don’t let responsibility scatter

Page 17

Regulations, Standards and Certifications

Regulations????? - Nothing (so far…)

Looking for regulations? …Please wait for the next disaster

Page 18

Regulations, Standards and Certifications

• Standards:
– AICPA: SAS 70: there is no published list of SAS 70 controls; each provider defines the controls its auditor tests (Recommendation: ask to review your cloud provider’s SAS 70 Type I/II report, and check which controls are actually in scope!!!). SAS 70 is an auditing standard, not a set of security requirements, and it was being superseded by SSAE 16 (SOC 1) for reporting periods ending on or after June 15, 2011.
• Certifications:
– NIST (National Institute of Standards and Technology): Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53)* ===> FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
– CSA: CCSK - Certificate of Cloud Security Knowledge

* Not related directly to cloud security

Page 19

Regulations, Standards and Certifications

• Guidelines:
– CSA (Cloud Security Alliance): CCM - Cloud Controls Matrix
– NIST (National Institute of Standards and Technology): DRAFT Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
– ENISA (European Network and Information Security Agency): Cloud Computing Information Assurance Framework

Page 20

Addressing Cloud Issues in the Israeli Government

?

http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf

From a position paper on: Principles for the protection of privacy in personal data in outsourcing in Israel, 10/2010

Page 21

In Short

• The cloud is here to stay
• Security is an EASY showstopper
• Look for standards
• Find yourself a solid partner
• …“We put our money in the cloud”? No rush!

Page 22

Thank you!