No Such Agency in the Cloud… Amanda Goodger 11 Sept 2011.


Page 2:

Tomorrow’s World is here…

NOW!!!!!!

Page 3:

Today’s Session Content:

My Background
My MSc Experience – Dissertation
Today’s World… that thing called CLOUD!
Social and Business Assurance…
Tomorrow’s World – New concept…
Have we answered the exam statement?

Page 4:

INFORMATION JOURNEY…… CONTINUATION OF PREVIOUS DISCUSSIONS EG DIETER, KERRY…

Page 5:

My Background

Hybrid Background…
◦ Maths & Education
◦ MBA
◦ MSc – Information Security

Work Experience…
◦ Private Sector
◦ Public Sector

Social Experience – why add this?????

Page 6:

My MSc Experience – Dissertation Tips & Tricks

Structure
‘V’ Model Approach
Research Methodology
Critical Analysis
My topic ….
◦ Assurance Cases – New Approach for Critical National Infrastructure Assessments

Page 7:

Dissertation Overview

Background – Interconnected Environment…
Rationale for CLAIMS-ARGUMENT-EVIDENCE (CAE) notation – Legal Analogy
Vulnerability Assessment Lifecycle – Assurance Cases
Recommendations:
◦ Patterns – ‘Mesh’ Case
◦ Resilience Framework using Hypercompetition Model
◦ Future Thinking…

Page 8:

Today’s World…

Move from Fortress to Data Centric World…

Page 9:

Cloud Computing Phenomenon…

[Figure: cloud computing types (public cloud, private cloud, virtual public cloud, virtual private cloud, community cloud, hybrid) set against customer base, environment and platform. Labels include 3rd party provider(s), private cloud provider(s), independent application provider, Customer 1 to Customer n versus one customer, dedicated versus shared provisioning, and SaaS.]

Page 10:

Why is this a problem – complexity? Or is it wicked?

[Figure: stand-alone models. Two chains (Provider A, Focal Org/Serv, Consumer X; Provider B, Focal Org/Serv, Consumer Y), each with SaaS, PaaS and IaaS layers, with the ISC thread (baseline) marked.]

Page 11:

Example of how an information supply chain can change over time… this is only the beginning!

[Figure: two timelines showing the ISC thread (baseline) and the changed ISC thread across Provider A, Provider B, Focal Org/Serv and Consumers X, Y and Z, each with SaaS, PaaS and IaaS layers. Nodes in red have altered over the timeline.]

The CAS/SoS is composed of a cellular structure that changes (e.g. IT systems being patched, businesses being merged etc) over timelines or (as part of temporal planes) at differing rates. This example shows that the ISC thread is baselined (in blue), and then alters for two of the nodes (in the focal org/serv and Consumer Z) at the IaaS and SaaS layers respectively.

Page 12:

First Walkthrough (if not understood, no matter)… this is where we are now & will be from now on…

[Figure: Walkthrough No. 1. Two timelines showing the ISC thread (baseline) and the changed ISC thread across Provider A, Provider B, Focal Org/Serv and Consumers X, Y and Z, each with SaaS, PaaS and IaaS layers. Nodes in red have altered over the timeline.]

The Walkthrough No. 1 example shows the one-way flow of an ISC thread. It is baselined (in blue) and is focussed on a node in the PaaS layer. Over time, an additional node in the IaaS layer of the Focal Org/Serv and the new Consumer Z’s node in the SaaS layer change. These alterations show that, when considering the ISC, these dependencies impact the Focal Org/Serv’s node risk profile. Consequently, the changes to this node impact this single thread in varying ways.

Page 13:

Second Walkthrough (if not understood, no matter, just to show how complexity grows!)… this is where we are now & will be from now on…

[Figure: Walkthrough No. 2. Two timelines showing the ISC thread (baseline) plus alterations and the changed ISC thread across Provider A, Provider B, Focal Org/Serv 1, Focal Org/Serv 2 and Consumers X, Y and Z, each with SaaS, PaaS and IaaS layers. Nodes in red have altered over this timeline. Nodes in blue previously changed.]

The Walkthrough No. 2 example shows the ISC thread development from being baselined, to including changes from Walkthrough No. 1 (in blue). For the evolving Focal Org/Serv 2 requirement, Provider A provides an extra IaaS layer node and expands with an additional Consumer Y’s node in the SaaS layer. In this example, these alterations show the increasing complexity of this ISC, which impacts Focal Org/Serv 2’s node risk profile. In addition, Provider A’s node inputs into Focal Org/Serv 1’s ISC, and that inputs to Consumer X. Consequently, this leads to further ISC complexities, with extra threads added or the same dependencies impacting the single thread in varying ways.

Page 14:

Social and Business Assurance…

Harmonisation of the Information Standards…
Common Assurance Maturity Model…
Issues across the ISG weekend…
◦ HDF
◦ Trust
◦ Assurance
◦ Critical Information Infrastructure
◦ ……………………….

Page 15:

Tomorrow’s World… New Concept

Information Lodestone…
◦ Why is this relevant to information security?

Concept…
◦ Understanding
◦ Protecting
◦ Sustaining
◦ Nurturing

Tomorrow’s World = Information World!!!!

Page 16:

Information World – ‘bridge and beyond…’

Why this?
Why think differently?
What is the relevance for you?
Does it mean anything to you?

So what…

Page 17:

TOMORROW’S WORLD… NOW!!!!!!!!

Hybrid thinking…
Integrated Information / Knowledge World…
Cyber-surete not = command and control…
NOW = TRUST + ASSURANCE + INFLUENCE

DATA CENTRIC WORLD – INFORMATION LODESTONE….

Integrated Information Society Hub…

Page 18:

CONCEPT LAUNCH… RSA EUROPE… 10-13 OCTOBER 2011 via CSA EUROPE… Exact date to be confirmed…

Page 19:

Exam question answered!

Thanks for listening…