Cloud Computing Services Overview

Arizona State Capital Chapter of NIGP2014 Regional ConferenceOctober 16, 2014

Presented by: Brian Walsh and Michael Echols, Maricopa County

CLOUD COMPUTINGAGENDA

• What is Cloud Computing?• Cloud Computing Architecture• Types of Cloud Computing • What is a Data Center?• Is Cloud Computing for you?• Cloud Computing Case studies• Cyber Security and Breaches• Cyber Security Insurance• What is the role of Procurement?• Questions

CLOUD COMPUTING?

Source: www.evolven.com

What is Cloud Computing?

• Cloud computing is typically defined as a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications.• In cloud computing, the word cloud (also phrased as "the cloud") is

used as a metaphor for "the Internet," so the phrase cloud computing means "a type of Internet-based computing," where different services — such as servers, storage and applications — are delivered to an organization's computers and devices through the Internet.• Cloud computing is comparable to grid computing, a type of

computing where unused processing cycles of all computers in a network are harnessed to solve problems too intensive for any stand-alone machine.

Source: www.webopedia.com

Cloud Computing Architecture

Source: www.wikipedia.com

Types of Cloud Computing

Software as a Service (SaaS),

Infrastructure as a Service (IaaS),

Platform as a Service (PaaS),

Desktop as a Service (DaaS),

Backend as a Service (BaaS), and

Information Technology

Management as a Service (ITMaaS)

Private Cloud

Public Cloud

Hybrid Cloud

Data Centers

What is a Data Center?• Data centers are physical or virtual infrastructure

used by enterprises to house computer, server and networking systems and components for the company's information technology (IT) needs, which typically involve storing, processing and serving large amounts of mission-critical data to clients in a client/server architecture.

• A data center often requires extensive redundant or backup power supply systems, cooling systems, redundant networking connections and policy-based security systems for running the enterprise's core applications.

• A data center is classified as a Tier I-IV based on established industry infrastructure design and function standards by the National Institute of Standards and Technology (NIST) or the “Uptime Institute”.

Source: www.webopedia.com

Corporate Data

Center

• Owned and operated by the entity

Web Hosting

Data Center

• Data Center that provides IaaS for the entity

Colocated Data

Center

• Leases Data Center space to the entity

Service Data

Center

• Provides hardware/software and services to the entity

Data Center Types

The Future of the Cloud

Cloud Vision - Access to any service, anytime, anywhere, from any device with limited overhead.

Direction

• By 2015, end-user spending on cloud services could be more than $180 billion

• Global market for cloud equipment will reach $79.1 billion by 2018

• By 2014, US Businesses will spend more than $13 billion on cloud computing and managed hosting services

Statistics

• 44% annual growth in workloads for the public cloud versus an 8.9% growth for “on-premise” in the next 5 years

• 82% of companies reportedly saved money by moving to the cloud

• More than 60% of businesses utilize cloud for performing IT-related operations

• 14% of companies downsized their IT after cloud adoption

• 80% of cloud adopters saw improvements within 6 months of moving to the cloud

• 32% of Americans believe cloud computing is a thing of the future

Source: Silicon ANGLE “20 cloud computing statistics every CIO should know”

Advantages of the Cloud

• Increase ProductivityAchieve economies of scale

• Pay as you goReduce spending on technology infrastructure

• Serve more disparate areas of your organizationGlobalize your workforce on the cheap

• Reduced resource requirementsStreamline processes

• Limit infrastructure procurement needsReduce capital costs

• Increase AccessImprove accessibility

• Limit resource costsLess personnel training is needed

• Pay for what you really needMinimize licensing new software

• Change direction with limited costsImprove flexibility

60% of Cloud Users

reported Capital Cost Reductions

Disadvantages of the Cloud

• The Cloud System can fail and the cloud subscriber is not in control of correcting the issue.

Possible Downtime

• The Cloud System can be breached and the cloud subscriber may not have control over the circumstances that allowed it to happen.

Security Issues

• The Cloud System costs can exceed the cost of managing an internal infrastructure, if safeguards are not identified.

Increasing Cost

• The Cloud System provider may not be flexible in allowing your organization to have what it wants, when it wants it.

Inflexibility

• The Cloud System may not have good support, which may result in a lack of desired service.

Lack of Support

Source: www.sbinfocanada.about.com

US Department of the Army

• Challenge• The U.S. Army Experience Center needed a flexible, extendable and

customizable recruitment tracking platform to track prospective recruits.

• Solution• Move to a cloud environment that permits a 360 degree community

outreach and relationship management approach.

• Result• Costs down to $8M for full licensing from $83M• 33% productivity gain• 30 times higher response rates• Twitter, Facebook integration• Geo-location and contact data in the field via iPhone and Blackberry• Visitor and user surveys for instant information• Massive email campaign capabilities

Source: cloud.cio.gov

US Department of Labor Relations Authority

• Challenge• The Federal Labor Relation Authority’s decade-old, off the shelf

case management system no longer met the agency’s needs and was financially unsupportable.

• Solution• The agency migrated to a cloud-based Software-as-a-Service case

management system that allows users the flexibility to monitor case activity anytime, anywhere.

• Results• 88% reduction in total cost of ownership over a five year period• Eliminated up-front licensing cost of $273,000• Reduced annual maintenance from $77,000 to $16,800• Eliminated all hardware acquisition costs• Secure access from any Internet connection• Ability to operate and access case information from any location in

the world, supporting the virtual enterprise

Source: cloud.cio.gov

US Department of Treasury

Source: cloud.cio.gov

• Challenge• Replace the hosting service used to run the Bureau of

Engraving and Printing’s public-facing website and eCommerce store with one that has equivalent capabilities and can improve service metrics.

• Solution• Used SaaS cloud-based services to replace both the public-

facing webpage and the eCommerce storefront.

• Results• Reduced infrastructure costs from $800,000 to $1,550• Eliminated transaction fees• Improved wait time and accessibility• Eliminated coding requirements• Faster deployment

Security Implications of the Cloud

•1 breach exposes everyoneData Breach•Data loss can be wide rangingData Loss•Unauthorized access could expose everyoneService Traffic Hijacking

•Information theft could be massiveInsecure Interfaces•Denial of Service could affect everyoneDenial of Service•One bad apple can impact allMalicious Insiders•Not understanding the risk can make you liable to itInsufficient Due Diligence

•Vulnerabilities will only increaseTechnology Vulnerabilities

Security mistakes by Cloud Providers will have an Catastrophic Impact

Apple iCloud Breach

• What Happened?• Apple iCloud Celebrity User Accounts were allegedly accessed by

unauthorized personnel, which resulted in the loss and exposure of personal photos.

• Why did this occur?• Hackers exploited a vulnerability that allowed them to “Brute Force Attack,”

accounts’ passwords

• How did Apple respond?• Corrected the vulnerability and took other measures to mitigate future risk.

Source: InformationWeek “Apple iCloud Hack’s Other Victim: Cloud Trust”

Sony PlayStation Breach

• An "illegal and unauthorized person" obtained people's names, addresses, email address, birth dates, usernames, passwords, logins, security questions and possibly credit card numbers of more than 77 million users.• Why did this occur?

• Sony did not pay enough attention to security during the development of this platform.

• How did Sony Respond?• Shutdown online PlayStation services for an extended period of time. • Hired an outside recognized firm to investigate and correct the issues that led

to the breach.

Source: Reuters “Sony PlayStation suffers massive data breach”

How might a breach occur?

Gains Access

•Gains access by exploiting vulnerabilities in the systems that it infects.

Requests

instructions

•Automatically requests instructions from the hackers command and control software.

Looks

for Data

•Looks for information to steal, for example nine digit numbers (or social security numbers).

Ex-filtrates Data

•Sends information that it steals back to the command and control software.

Identifies new

Targets

•Scans other adjacent computers for additional vectors in which it can spread.

Evades Detection

•Deletes and recreates itself with new patters to evade detection by Antivirus platforms.

Typical Malware will do the following:

1,367 Confirmed

and Reported Data

Breaches in 2013

63,437 Confirmed

Cyber Security

Incidents in 2013

Cloud Risk Mitigation

Cloud Subscriber

•You MUST have well adopted security standards•You MUST maintain a team of security professionals dedicated to analyzing Cloud Provider Security Risk•You MUST conduct a measurable security audit of your Cloud Service Provider•You MUST have the ability to conduct routine Penetration Tests and Vulnerability Assessments•You MUST have adequate Cyber Security Insurance

Cloud Provider

•Cloud Service Providers MUST maintain great threat management and situational awareness•Cloud Service Providers MUST have strong vulnerability remediation processes and procedures•Cloud Service Security Maturity MUST be measured•Cloud Service Providers MUST segment services•Cloud Service Provider access restriction MUST be granular and well understood

Source: Verizon 2014 Data Breach Investigations Report

Cyber Security Insurance

• Cyber security insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion• Market-driven way of increasing cyber security posture

• Helps to reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; • Encourages the implementation of best practices by basing premiums on an

insured’s level of self-protection• Limits the level of losses that companies face following a cyber attack.

• Many companies nevertheless forego cyber security insurance for the following reasons;• Perception of high cost• Lack of awareness about what it covers• Uncertainty that they’ll suffer a cyber attack as just some reasons for their

decision

Contract Review Checklist

Service modelRisk factorsPricingSecurity controls and reportsData assurancesData conversionGoverning lawService level agreement (SLA)Contact information (24x7)

Contract Review Checklist Cont’d

Outsourced servicesDisaster recoveryMergers and acquisitionsSite inspectionsWarrantyLiabilityCompliance with laws-PCI, HIPPAA, CJIS, etc.Professional servicesContract renewal and termination

Questions

• Brian Walsh, Senior Procurement Officer, 602-506-3243• Office of Procurement Services• walshb@mail.maricopa.gov

• Michael Echols, Chief Information Security Officer, 602-506-5798• Office of Enterprise Technology• echolsm@mail.maricopa.gov