The Cloud Beckons, But is it Safe?

The Cloud Beckons, But is it Safe? April 2012

Page 1: The Cloud Beckons, But is it Safe?

The Cloud Beckons, But is it Safe?

April 2012

Page 2: The Cloud Beckons, But is it Safe?

The Cloud Beckons, But is it Safe?

#12NTCCSec

Laura Quinn, Michael Enos

Page 4: The Cloud Beckons, But is it Safe?

Introductions

Laura Quinn, Executive Director, Idealware

Michael Enos, Chief Technology Officer, Second Harvest Food Bank of Santa Clara and San Mateo Counties

What are you hoping to get out of this session?

Page 5: The Cloud Beckons, But is it Safe?

What We’ll Cover Today

• Thinking About Cloud Security

• What Does Security Mean?

• What Does it Mean for You?

• A Multi-level Security Model

• What to Look for in a Vendor

Page 6: The Cloud Beckons, But is it Safe?

What is The Cloud?

Internet or Someone Else’s Network

Page 7: The Cloud Beckons, But is it Safe?

The Lure of the Cloud

Low cost of entry

Easy remote access

No complex infrastructure

But what about security?

Page 8: The Cloud Beckons, But is it Safe?

How Do YOU Feel About Cloud Security?

Page 9: The Cloud Beckons, But is it Safe?

Why the Concern?

<Cue video>

Page 10: The Cloud Beckons, But is it Safe?

Cloud Security in the News

Page 11: The Cloud Beckons, But is it Safe?

Under Siege

To be on the Internet is to be vulnerable to attack.

If you’re on the Internet, you’re in The Cloud

Page 12: The Cloud Beckons, But is it Safe?

But We Do Lots of Things on the Internet

We shop online

We bank online

We post crazy things on Facebook

Why is the cloud different? It’s not.

Page 13: The Cloud Beckons, But is it Safe?

How Secure is Your On-Site Data?

Do any of these sound familiar?

• No one patches computers or is responsible for network security

• You haven’t really thought about passwords or permissions

• No disaster recovery plans

• Staff hasn’t had any security training

Page 14: The Cloud Beckons, But is it Safe?

Myth

“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”

Page 15: The Cloud Beckons, But is it Safe?

Fact

Many data security breaches are crimes of opportunity.

Organizations don’t always consider the sensitivity of their data until it’s exposed.

Page 16: The Cloud Beckons, But is it Safe?

Myth

“Our data is safer not in the cloud”

Page 17: The Cloud Beckons, But is it Safe?

A Cloud Data Center

Page 18: The Cloud Beckons, But is it Safe?

Is This Your Server Closet?

Page 19: The Cloud Beckons, But is it Safe?

What Does Security Mean?

Page 20: The Cloud Beckons, But is it Safe?

The Three Pillars of Information Security

Page 21: The Cloud Beckons, But is it Safe?

Confidentiality

Information is available only to authorized parties.

Page 22: The Cloud Beckons, But is it Safe?

Integrity

Information isn’t modified inappropriately, and you can track who made what change.

Page 23: The Cloud Beckons, But is it Safe?

Availability

Assurance that data is accessible when needed by authorized parties.

Page 24: The Cloud Beckons, But is it Safe?

Also: Physical Possession

Whoever has the data could, for instance, turn it over to the government.

Page 25: The Cloud Beckons, But is it Safe?

How Does This Apply to the Cloud?

Page 26: The Cloud Beckons, But is it Safe?

Cloud Security

The use of the term “Cloud” is cloudy!

Three general types of clouds:

– Software-as-a-Service

– Hosted Private Cloud

– Co-located Private Cloud

All three have different security models

Page 27: The Cloud Beckons, But is it Safe?

Software as a Service

The vendor owns and manages all aspects of the environment.

For instance:

Page 28: The Cloud Beckons, But is it Safe?

Hosted Private Cloud

The vendor owns and manages the equipment only, but all software is managed by the client. The equipment is on the vendor’s network. For instance:

Page 29: The Cloud Beckons, But is it Safe?

Co-located Private Cloud

The vendor provides only the physical environment in a data center; the client maintains the hardware and the software. For instance:

Page 30: The Cloud Beckons, But is it Safe?

What Does Security Mean For You?

Page 31: The Cloud Beckons, But is it Safe?

Rules for Absolute Safety

Turn off your Internet connection.

Allow no one access to your data and systems.

But let’s be realistic…

Page 32: The Cloud Beckons, But is it Safe?

Know What You’re Protecting

What kinds of data are you storing, and how sensitive are they?

Think about its value on the open market.

Page 33: The Cloud Beckons, But is it Safe?

Red Flags

You need extremely tight security to store:

• Donors’ credit card numbers.

• Scanned images of checks.

• Donors’ bank account information.

Page 34: The Cloud Beckons, But is it Safe?

What’s Your Exposure?

Consider the impact of exposure of your confidential information, both in monetary terms and reputation.

Page 35: The Cloud Beckons, But is it Safe?

What’s The Impact of an Outage?

How much staff time could you lose from a short-term or prolonged outage?

Page 36: The Cloud Beckons, But is it Safe?

Testing Your On-Site Security

Have you recently performed a:

• Check on whether your systems have been recently patched?

• Systems penetration test?

• Employee training on security procedures?

• Backup/recovery test?

If not, you’d likely increase your security by moving to the cloud.

Page 37: The Cloud Beckons, But is it Safe?

A Multi-Level Security Model

Page 38: The Cloud Beckons, But is it Safe?

Multi-Level Security is the Ideal

Physical Security

Network Security

Transmission Security

Access Controls

Protected Data Storage

Page 39: The Cloud Beckons, But is it Safe?

Physical Security

• Guarded facilities

• Protection of your hardware and devices

• Power redundancy

• Co-location (redundant facilities)

Page 40: The Cloud Beckons, But is it Safe?

Network Security

• Intrusion prevention

• Intrusion detection

• Firewalled systems

• Network proactive anti-virus protection

Page 41: The Cloud Beckons, But is it Safe?

Transmission Security

Is data encrypted in transit?

Is the network secure?

Page 42: The Cloud Beckons, But is it Safe?

Access Controls

• Ensuring the right people have access to the right data

• Physical access to the server

• Training on appropriate passwords and security measures

Page 43: The Cloud Beckons, But is it Safe?

Data Protection

• Data encryption

• Solid backup and restore policies

• Ability to purge deleted data

• Ability to prevent government entities from getting your data with a subpoena

Page 44: The Cloud Beckons, But is it Safe?

What to Look For in a Vendor

Page 45: The Cloud Beckons, But is it Safe?

Description of Security Mechanisms

The vendor documents all the facets of its security, and its staff can talk about it intelligently.

This proves information security is on the “front burner.”

Page 46: The Cloud Beckons, But is it Safe?

Uptime

Your connection to the internet may well be the weakest link.

Do they provide any guarantee of uptime? Any historic uptime figures?

Uptime figures are typically expressed in 9s: 99%, 99.9% or 99.99%.

Page 47: The Cloud Beckons, But is it Safe?

Regulatory Compliance: HIPAA

Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?

Page 48: The Cloud Beckons, But is it Safe?

Regulatory Compliance: SAS70 and SSAE16

Audit for security standards, hardware, and processes.

Statement on Accounting Standards 70 (SAS70)

Statement of Standards for Attestation Engagements 16 (SSAE16)

Page 49: The Cloud Beckons, But is it Safe?

Regulatory Compliance: PCI DSS Compliance

If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard).

Page 50: The Cloud Beckons, But is it Safe?

In Summary

Page 51: The Cloud Beckons, But is it Safe?

Understand the Value of Your Data

What is it worth to you?

To others?

What measures are appropriate to protect it?

Page 52: The Cloud Beckons, But is it Safe?

Your Data Is No Safer Than You Make It

Any computer attached to the internet is vulnerable unless you protect it.

The cloud isn’t, in and of itself, more or less secure.

Page 53: The Cloud Beckons, But is it Safe?

But Many Vendors Make Your Data Really Safe

Choose vendors who show they’re serious about data protection (not all vendors are created equal).

Consider a vendor’s regulatory compliance.

Page 54: The Cloud Beckons, But is it Safe?

Questions?