Cloud computing arma_nnj


Page 1: Cloud computing arma_nnj

Cloud Computing

Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK

Principal, nControl, LLC
Adjunct Professor

President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

Page 2: Cloud computing arma_nnj

• Presentation Overview
  – Cloud Overview
    • General
    • Business Case for Cloud Computing
    • Security Guidance
    • Selecting a Cloud Service Provider (CSP)
    • Records & Info Management (RIM) in the Cloud
  – Case Studies
    • e-Discovery IN the Cloud

Page 3: Cloud computing arma_nnj

• General Overview
  – Why should you care about the “cloud”?

Page 4: Cloud computing arma_nnj

Cloud Computing Trends

Numbers around cloud computing (CC) are always impressive:

• 80% of Fortune 1000 companies will pay to use cloud computing services and 30% will pay for infrastructure (Gartner)
• 33% of IT business will be in cloud computing (Gartner)
• Market: 42 billion (IDC); 95 billion (Merrill Lynch)
• At this moment, the 5 major search engines together have 2,000,000 computers
• Microsoft data centre in Chicago: 610,000 servers

Source: Open Group

Page 5: Cloud computing arma_nnj

• What is Cloud Computing?
  – Re-Branded IT Business Model
    • Application Service Provider (ASP)
    • IT Outsourcing (ITO)
  – Formal Characteristics
    • Resource Pooling
    • Rapid Elasticity
  – Confusion
    • Hosting
    • Virtualization
    • Service Provider

Page 6: Cloud computing arma_nnj
Page 7: Cloud computing arma_nnj

Service Delivery Models

Source: Swain Techs

Page 8: Cloud computing arma_nnj

Source: Matthew Gardiner, Computer Associates

Responsibility

Page 9: Cloud computing arma_nnj

SaaS Providers

Page 10: Cloud computing arma_nnj

PaaS Providers

Page 11: Cloud computing arma_nnj

IaaS Providers

Page 12: Cloud computing arma_nnj

Private Cloud

• Dedicated Clouds
  – Usually Hosted Internally
    • Use Chargeback/Shared Services Model
  – External Private Clouds Exist

Page 13: Cloud computing arma_nnj

Hosting Providers

Page 14: Cloud computing arma_nnj

Third Parties

Page 15: Cloud computing arma_nnj

• Business Case for Cloud Computing
  – Time-to-Market
  – Global Presence
  – Focus on Core Competency
  – Elasticity
  – Cost-Benefit Analysis (CBA)

Page 16: Cloud computing arma_nnj

• Partly Cloudy with a Chance of Risk!
  – The Cloud is Perceived as Risky Business
    • Lack of Control
    • Regulatory Compliance
    • Hacks, Outages, Disasters….Oh My!

Source: YouTube

Page 17: Cloud computing arma_nnj

• Security Guidance
  – Existing Certifications/Attestations
    • SAS 70 Type II/SSAE 16/ISAE 3402
    • ISO 27001/2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA/HITECH
  – Guidance Specifically for the Cloud
    • CSA Guide v3.0
    • ENISA Cloud Computing Risk Assessment
    • NIST SP 800-144: Guidelines on Security/Privacy for a Public Cloud

Page 18: Cloud computing arma_nnj

• Selecting a CSP
  – Service Provider/Consumer Process Alignment
  – Portability/Interoperability
  – Contractual/Legal Agreements
  – Industry Tools

Page 19: Cloud computing arma_nnj

• Service Provider/Consumer Process Alignment
  – Change/Configuration Management
  – Loading/Offloading
  – Disaster Recovery
  – Incident Response
  – Legal Hold/Litigation Response/e-Discovery
    • Electronic Discovery Reference Model (EDRM)
  – Records and Information Management (RIM)
    • Generally Accepted Recordkeeping Principles (GARP)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)

Page 20: Cloud computing arma_nnj

• Portability/Interoperability
  – Software
  – Data
  – Third Parties

Page 21: Cloud computing arma_nnj

• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Up-Time
    • Jurisdiction
    • Data Ownership
      – Escrow Data
      – Include Metadata
    • Exit Clause
    • Testing
      – Disaster Recovery
      – Incident Response
      – Legal Hold/Litigation Response/e-Discovery

Page 22: Cloud computing arma_nnj

• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Right to Audit
      – Vendor & Vendor’s Vendors
      – GARP-Specific

Page 23: Cloud computing arma_nnj

• Industry Tools
  – Selection
    • Gravitant CloudWiz
    • VMware Cloud Readiness Self-Assessment Tool
  – Brokerage/Management
    • RightScale
    • CloudFloor
    • Skydera
    • enStratus

Page 24: Cloud computing arma_nnj

• Industry Tools
  – Migration
    • Bit Titan MigrationWiz
    • Layer 2 SharePoint Cloud Connector
    • Metalogix StoragePoint
    • AvePoint DocAve Migrator

Page 25: Cloud computing arma_nnj
Page 26: Cloud computing arma_nnj
Page 27: Cloud computing arma_nnj

Source: Metalogix StoragePoint

Page 28: Cloud computing arma_nnj

Source: Metalogix StoragePoint

Page 29: Cloud computing arma_nnj

Source: AvePoint DocAve Migrator

Page 30: Cloud computing arma_nnj

• RIM in the Cloud
  – Process
    • Self-Service Provisioning
    • CSP Brokerage, Monitoring & Metering
    • CSP Information Governance
    • CSP Adherence to Standards
      – NIST
        » SP 800-92: Log Management
      – ISO
        » 15489: Records Management
        » 23081: Records Metadata
        » 15386: Digital Archive
        » 30300/303001: RIM Management System
        » 17024: Conformity Assessment

Page 31: Cloud computing arma_nnj

Source: Flickr

Page 32: Cloud computing arma_nnj

• RIM in the Cloud
  – People
    • More Empowered: Shadow IT, Consumerized IT
      – Millennials Expect Autonomy
      – Bring Your Own Device (BYOD)
      – Less Office Time, But Always On
    • Increased Roles & Responsibilities
    • Additional Tech/Analytical Skill-Sets Required
  – Technology
    • Commoditized
    • CSP Metadata
    • New Technologies: Non-Relational Database Architectures
    • New Paradigms: Big Data (Data Lakes & Cloud)

Page 33: Cloud computing arma_nnj
Page 34: Cloud computing arma_nnj

• Case Study: e-Discovery FROM the Cloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps

Page 35: Cloud computing arma_nnj

• Case Study: e-Discovery FROM the Cloud
  – Background
    • Financial Services SMB
      – Capital Management (PA)
    • Recent Project: 2010
    • IT: Managed Service Provider/Operations, Director
  – Drivers
    • Cost
    • Compliance
  – Technologies
    • Email: Exchange Server 2007, 2010/Office 365
    • Discovery: Symantec Enterprise Vault (EV) v8.0/v9.0

Page 36: Cloud computing arma_nnj

• Case Study: e-Discovery FROM the Cloud
  – Limitations
    • Budget
    • Skill-Sets
    • Resources
  – Risks
    • Software/System Interoperability
    • Vendor Management: Contractual/SLA Omissions
    • Disaster Recovery: Datacom
    • Legacy Email Availability, No More Archiving
    • Scope Creep

Page 37: Cloud computing arma_nnj

• Case Study: e-Discovery FROM the Cloud
  – Lessons Learned
    • Limited Cost Savings
      – On-Site Exchange Box for Journaling
      – Upgrade to EV v9.0 to Support Exchange 2010
      – Exchange Hosted Encryption (EHE)
      – Forefront Online Protection for Exchange (FOPE)
    • Exchange Journaling From the Cloud, Complicated
      – Microsoft Federation Gateway (MFG)
    • Leverage Interim Solution for BlackBerry Services
      – Shutdown BlackBerry Enterprise Server (BES)
      – Leverage AstraSync (Exchange ActiveSync)

Page 38: Cloud computing arma_nnj

• Case Study: e-Discovery FROM the Cloud
  – Next Steps
    • Upgrade to EV v10.0
      – Incorporate Social Media
    • Test BCP/DR e-Discovery Functionality
    • BlackBerry Office 365
      – Looking at BES Balance (“Data Boxing”)
    • Leverage Office 365 for SharePoint, iOS & Android
      – Nix AstraSync, Reviewing Hosted AirWatch & MobileIron for MDM
    • Reviewing Cloud e-Discovery SaaS Solutions
      – Symantec Enterprise Vault.cloud
      – Microsoft Exchange Online Archiving (EOA)

Page 39: Cloud computing arma_nnj

• Presentation Take Aways
  – Cloud = Re-Branded Business Model
    – With New Bells & Whistles (Big Data, etc.)
  – Paradigm Shift Towards Empowerment
  – Strategy & Due Diligence Are VERY Important
  – Must Consider the Business Ecosystem

Page 40: Cloud computing arma_nnj

• References
  – CSA Guide: https://cloudsecurityalliance.org/research/security-guidance/
  – BITS Enterprise Cloud Self-Assessment: http://sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf
  – ENISA Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  – NIST SP 800-144: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  – IGRM: http://www.edrm.net/projects/igrm
  – EDRM: http://www.edrm.net/
  – MIKE2.0: http://mike2.openmethodology.org/
  – VMware CRSA: http://getcloudready.vmware.com/crsa/
  – Bit Titan MigrationWiz: https://www.migrationwiz.com/Secure/Default.aspx
  – Gravitant cloudWiz: http://www.gravitant.com/cloudwiz-home.html
  – RightScale: http://www.rightscale.com/
  – CloudFloor: http://www.cloudfloor.com/
  – Skydera: http://www.skydera.com/
  – enStratus: http://enstratus.com/
  – Layer 2: http://www.layer2.de/en/products/Pages/Cloud-Connector-for-SharePoint-2010-Office365.aspx
  – Metalogix StoragePoint: http://www.metalogix.com/Products/StoragePoint.aspx
  – AvePoint DocAve: http://www.avepoint.com/sharepoint-to-sharepoint-migration-docave/

Page 41: Cloud computing arma_nnj

• Personal References
  – PenTest Magazine, "Scanning Your Cloud Environment": http://pentestmag.com/client-side-exploits-pentest-082011/
  – ISACA Journal, "Testing Your Incident Response Plan": http://www.isaca.org/Journal/Current-Issue/Pages/default.aspx
  – e-Discovery 2.0: In the Cloud: https://s3.amazonaws.com/nControl-Docs/CSA11_Session-SMarkey.ppt
  – Security in the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Security.ppt
  – System Architecture & Engineering for the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Architecture_Engineering.ppt
  – Cloud Computing Primer: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Basic.ppt
  – Cloud Computing - Authentication & Encryption: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_II.ppt
  – Cloud Computing - Application & Virtualization Security: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_III.ppt
  – Securing Your ESI: https://s3.amazonaws.com/nControl-Docs/Securing_Your_ESI_v2.ppt

Page 42: Cloud computing arma_nnj

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1, @csdadelval2011
  – LI: http://www.linkedin.com/in/smarkey
  – CSA-DelVal: http://www.csadelval.org/