Cloud Security Strategy


Page 1: Cloud Security Strategy

Cloud security strategy: understanding and evaluating the real risks in the cloud Lee Newcombe ([email protected]) Infrastructure Services November 2012

Page 2: Cloud Security Strategy

2 Copyright © Capgemini 2012. All Rights Reserved

12th Cloud Circle Forum

Session Agenda

• Introduction (5 minutes)
• Presentation (15 minutes): “Securing Cloud Services”
• Facilitated Round Table Discussions (20 minutes):
  – What are the genuine security issues that hold back Cloud adoption?
  – Are services in the cloud less secure than those on-premise?
  – How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
  – What is the best way to manage security in a world of self-service IT, mobile devices and social media?
• Sharing of outcomes from Discussions (20 minutes)

Page 3: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 4: Cloud Security Strategy


The questions you asked…

• What are the genuine security issues that hold back Cloud adoption?
• Where do the main security threats come from and where should you focus your attention?
• Are services in the cloud less secure than those on-premise?
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
• Eliminating the human security risk: educating your workforce
• What is the best way to manage security in a world of self-service IT, mobile devices and social media?
• How do emerging social business technologies complicate security strategies?

Page 5: Cloud Security Strategy


The ones I will tackle!

• What are the genuine security issues that hold back Cloud adoption?
• Where do the main security threats come from and where should you focus your attention?
• Are services in the cloud less secure than those on-premise?
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
• Eliminating the human security risk: educating your workforce
• What is the best way to manage security in a world of self-service IT, mobile devices and social media?
• How do emerging social business technologies complicate security strategies?

Page 6: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 7: Cloud Security Strategy


Cloud Computing – NIST

Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”

Essential Characteristics of Cloud Computing

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity; and
• Measured service.

csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Page 8: Cloud Security Strategy


Service Models

Page 9: Cloud Security Strategy


NIST Deployment Models and Jericho Cloud Cube

Model     | Strengths                                                      | Weaknesses
----------|----------------------------------------------------------------|----------------------------------------------------------------------
Public    | Agile, cost-effective, “illusion of infinite resource”         | Multi-tenant; data residency; assurance; standard contracts
Private   | Dedicated use; assurance; scope to negotiate SLAs etc.         | Expensive cf. Public; no “illusion of infinite resource”
Community | Designed for a specific, shared set of security requirements   | Difficult to govern; need to manage all stakeholders
Hybrid    | “Best of breed”: suppliers can be switched in and out          | “Weakest link”: must cater for security issues across ALL suppliers

The Jericho Forum® Cloud Cube Model is an alternative way to represent deployment models.

http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

Page 10: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 11: Cloud Security Strategy


“Where do the main security threats come from and where should you focus your attention?” -> Cloud Threats

Page 12: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 13: Cloud Security Strategy


“What are the genuine security issues that hold back Cloud adoption?” -> Cloud Risks

• Multi-tenancy
• Compliance
• Lock-in
• Standard Terms and Conditions
• Supply chain – cloud, on cloud, on cloud, on… ?
• Assurance

Page 14: Cloud Security Strategy


“Are services in the cloud less secure than those on-premise?” -> Cloud Benefits?

• Improved resilience
• Cost-effective datacentre security
• Cloud data storage and sharing vs removable media
• Encourages adoption of Jericho principles
• Improved security expertise, including application-specific expertise, at the centre ?
• More efficient security patching

Page 15: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 16: Cloud Security Strategy


“What is the best way to manage security in a world of self-service IT, mobile devices and social media?” -> Security Architecture

“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”

Adapted from: ISO/IEC 42010:2007

Page 17: Cloud Security Strategy


Security Reference Model

Page 18: Cloud Security Strategy


Modelling Different Delivery Responsibilities

The delivery responsibility for each security service shifts from the consumer to the provider as you move from IaaS through PaaS to SaaS.

The interfaces between consumer and provider are where gaps in capability arise, and where communication between the two is poor, absent or misunderstood; each security service should be explicitly assigned to one party at each interface.

Page 19: Cloud Security Strategy


Procurement Usage

Page 20: Cloud Security Strategy


Agenda

• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions

Page 21: Cloud Security Strategy


Conclusions

• All delivery models are unique. Cloud computing models have unique security challenges; so do other delivery models, including on-premise and traditional outsourcing.
• Cloud is an evolution, not a revolution.
• The threat actors remain mostly the same, cloud or on-premise.
• The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud; however:
  – increased sharing of resources due to multi-tenancy introduces new attack surfaces;
  – assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc.).
• A security architecture approach can help to enable cloud adoption:
  – architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model;
  – architecture methodologies help to identify the security services required from a Provider;
  – architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer;
  – architecture helps to inform service procurement.

Page 22: Cloud Security Strategy


Conclusions

• What are the genuine security issues that hold back Cloud adoption?
  – Compliance
  – Assurance
• Where do the main security threats come from and where should you focus your attention?
  – The usual…
• Are services in the cloud less secure than those on-premise?
  – It depends!
• How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
  – Confidentiality? Human. Availability? Mixture.
• What is the best way to manage security in a world of self-service IT, mobile devices and social media?
  – Adopt an architectural approach.

Page 23: Cloud Security Strategy


Session Agenda

• Introduction (5 minutes)
• Presentation (15 minutes): “Securing Cloud Services”
• Facilitated Round Table Discussions (20 minutes):
  – What are the genuine security issues that hold back Cloud adoption?
  – Are services in the cloud less secure than those on-premise?
  – How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
  – What is the best way to manage security in a world of self-service IT, mobile devices and social media?
• Sharing of outcomes from Discussions (20 minutes)

Page 24: Cloud Security Strategy

The information contained in this presentation is proprietary.

Rightshore® is a trademark belonging to Capgemini

© 2012 Capgemini. All rights reserved.

www.capgemini.com

About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion.

Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.