Cloud & Security challenges
Dr. Tonny K. Omwansa
School of Computing and Informatics
University of [email protected]
@tomwansa
ISACA Kenya conference, May 2014
Overview
Presentation format
1. Cloud Overview
2. Cloud Penetration in Kenya – Study
3. Security Challenges and some solutions
Not ISACA member: ICT resources provided on demand...
ISACA member + CISA: ‘an elastic execution environment of resources involving multiple stakeholders and providing a metered service at multiple granularities for a specified level of quality of service’
ISACA Chapter President: ‘A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’ (the NIST definition)
Cloud Overview: Here to stay…
[Figure] Source: Jeffery, K. & Neidecker-Lutz, B. (2009)
Cloud Benefits

Non-functional aspects | Economic considerations  | Technological benefits
Elasticity             | Cost reduction           | Flexibility
Reliability            | Pay per use              | Multi-tenancy
Quality of service     | Improved time to market  | Virtualization
Agility                | Return on investment     | Location independence
Adaptability           | Turning CAPEX into OPEX  | Infrastructure independence
Availability           | Going green              | Adaptability
Cloud terms
• Infrastructure as a Service (IaaS): computing resources (compute, storage, network) used by others to deliver business solutions
• Platform as a Service (PaaS): black-box services developers can use to build applications
• Software as a Service (SaaS): provider hosts software that is rented rather than bought
• Public Cloud: shared infrastructure with pay-as-you-go economics; the provider makes resources available on demand, over the public Internet
• Private Cloud: delivers services entirely within an organization's own firewall
• Hybrid and Community Clouds: elements of both public and private
Cloud In Kenya - Study
• Objectives
– Investigate the current status of cloud computing (CC) adoption in Kenya
– Establish gaps/challenges in adoption and the impact of cloud computing
– Make recommendations to better grow the sub-sector
• Justification
– Hardly any research has been done in this area
– Need to understand gaps/challenges
– Policies need to be informed by solid research
Medium & large businesses using cloud services (top three in Africa, 2013 Cisco survey):
– 50% in South Africa
– 48% in Kenya
– 36% in Nigeria
Approach
• Scope: institutions that have a physical presence in Nairobi
– Most HQs are in Nairobi
– Budget limits
– Not nationally representative
• Respondents
– Providers: Infrastructure as a Service (IaaS), Software as a Service (SaaS), Platform as a Service (PaaS)
– Consumers: public cloud, private clouds
– Policy makers
Conceptual Framework
DETERMINANTS: affect cloud performance & its outcomes/impacts
> Deployed technologies: investment cost, reliability, agility, usability, technology availability & sustainability
> Local firms' technology capabilities
> Policy and legal frameworks: availability, flexibility, comprehensiveness, effectiveness
> Market: certain actors dominating, availability, readiness
> Institutional legitimacy of the cloud: government support, institutional innovation culture

Conceptual Framework
STRATEGIES/ACTIONS OF CC ACTORS: instrumental in delivering cloud outcomes/impact
• Costing
• Promotion
• Training and capacity development
• Adoption
• Usage
• Cloud-related entrepreneurship
• Deployment decisions (e.g. open source or proprietary solutions)

Conceptual Framework
OUTCOMES/IMPACTS OF CC: the ‘value’ created by the cloud
• Improved operational efficiency
• New products and services
• Extended/enhanced market reach
• Export of cloud-related services
• Job creation
• Enhanced security
Sampling
• Quantitative
– 207 organisations identified
– 60 sampled
– 54 participated
• Qualitative
– 12 in-depth interviews planned with industry leaders
– 7 were available
[Figure: cloud computing stakeholders’ taxonomy]
Data collection
• Extensive desktop research & literature review
• Conceptual framework transformed into a 5-point Likert scale questionnaire
• Collection between October 10th, 2013 and November 10th, 2013
• ICT Managers, Information Security Managers, Network Administrators or Chief Information Officers were interviewed
Category                | Population | Sample
Government entities     |     14     |    8
Banks                   |     10     |    4
Consulting firms        |      5     |    4
Insurance firms         |     10     |    4
Hospitals               |      9     |    4
Universities            |     10     |    4
Business & Industries   |     24     |    8
Tech companies          |     25     |    8
SaaS companies          |     11     |    8
PaaS companies          |      3     |    0
IaaS companies          |     18     |    8
Total                   |    207     |   60
Findings
• Cloud computing has been in use in Kenya since 2000; most organizations adopted between 2010 & 2011
– 69% use some form of cloud
• Private cloud is more pronounced than public
• IaaS is the most prominent option
Year of adoption (number of organizations): 2000 (2), 2006 (2), 2009 (4), 2010 (9), 2011 (12), 2012 (4), 2013 (4)
[Chart: Cloud deployment]
Findings
Three skills lacking in the Kenyan market:
• Security (networks, data etc.) skills [highest]
• Cloud architecture and design skills
• Storage and virtualization skills
[Charts: Cloud value is appreciated; Skills gap; Cloud reliability]
What determines the reliability of the cloud offered?
• reliable connectivity and infrastructure
• dependable technical support
• systems uptime [power?]
[Chart, agreement 0–100%: Providing/utilising cloud services is sustainable; More agile than traditional solutions; Cloud technologies received are reliable]
Findings: Policy, Legal frameworks & Standards
• 80% did not know of any policy framework
• 80% did not know of any legal framework
• The few who knew about a policy framework also knew about a legal framework
• 75% not aware of any standards

Of those who know a framework, the share who agree:
Policy framework gives you flexibility to exploit CC as you wish                 27%
Existing policy framework is comprehensive                                       27%
Policy framework is effective enough to facilitate growth in the sub-sector      45%
Legal framework gives you flexibility to exploit CC as you wish                  33%
Legal framework is comprehensive                                                 33%
Legal framework is effective enough to facilitate growth in the sub-sector       16%
Findings: Policy & Legal framework recommendations by respondents
• Increased awareness of the availability & power of CC
• Mechanisms for controlling cyber crime & offenders
• Guidelines for enforcing security, privacy and standards
• Mechanisms for guaranteeing privacy
• Guidelines for service level agreements, and mechanisms to enforce them
• Appropriate licensing and certification of providers
• Mechanisms for conflict resolution and addressing liability
These mostly suggest that ordinary consumers are anxious and sensitive about their data.
Findings: Markets
• Market is ready for cloud: 90% say YES
• Largest consumers: financial and telecommunication sectors; education and government are moderate users
• Majority of Kenyans are unaware of CC and its benefits
• There are many misconceptions about cloud technology
• Safaricom, Dimension Data and KDN are market leaders
Support received
• Government support has been generic, e.g. development of infrastructure like fibre connectivity
• Some financial support has been received
• Many not aware of government initiatives towards CC development
Conclusions & Recommendations
• Assessment of Kenya’s cloud readiness: clearly understand the national status through an elaborate national study
• Develop a national cloud strategy: focus on capacity building, architectures and implementation
• Government to champion cloud services: set the pace for better uptake by the private sector
• Enhance relevant legal & regulatory frameworks: protect users, address cyber security challenges, guarantee secure online payments, privacy and data security
• Develop human resource capacity: technical skills, legal skills, management skills
• Enhance awareness of cloud technologies: through a multi-stakeholder approach; demystify the technology
Security concerns
• Each benefit of the cloud comes with several potential risks:
– Infrastructure independence
– Flexibility and adaptability
– Location independence
– Multi-tenancy
– Virtualization
– etc.
• Traditional security mechanisms (identity, authentication, authorization) are still necessary but no longer sufficient for clouds, where the provider and other tenants share the infrastructure that holds your data
Security concerns: 3 classes
1. Traditional security concerns:
• Computer and network intrusions made possible or easier by moving to the cloud
• Huge array of attacks, from authentication attacks to phishing the cloud provider
• Conducting forensics in the cloud can be complicated, e.g. deleted data gets overwritten easily and fast as storage is reused, so evidence is lost
Security concerns
2. Availability concerns:
• Will critical applications and data be available? e.g. Gmail’s one-day outage in mid-October 2008
• Maintaining uptime
• Denial of service attacks
• Ensuring robustness of computational integrity (that the provider actually runs your computation and returns correct results)
Security concerns
3. Third-party data control
• Legal implications of a 3rd party holding data & applications: complex and not well understood
• Potential lack of control & transparency when a third party holds the data
– Can the provider guarantee that data has been deleted?
– Can the provider guarantee response time?
– Is there sufficient transparency in the operations of the cloud provider for auditing purposes?
– On-site audit in a distributed & dynamic multi-tenant computing environment spread all over the globe is a major challenge
– Regulations can require data & operations to remain in certain geographic locations
– Can theft of company information by the cloud provider happen?
– etc.
Security Concerns: Solutions
• Role of Providers:
– ensure that customers will continue to have the same security and privacy controls
– provide evidence to customers that the organization is secure
– guarantee to meet their service-level agreements
– prove compliance to auditors and regulators
• Role of Consumers:
Stage 1:
– think about data security in terms of content instead of location
• security rules then stay consistent no matter where the data resides
– a three-step process:
1. Establish high-level information security policies to protect data
2. Establish more granular compliance-related policies for specific departments, e.g. finance and human resources
3. Establish processes for auditing & improving policy effectiveness
Security Concerns: Solutions
• Role of Consumers:
Stage 2:
– Look at what third-party service providers can contribute; similar to outsourcing procurement plans
– Involves:
• conducting a cost/benefit analysis
• ensuring the third-party service aligns with business objectives
• identifying regulatory and privacy requirements
• developing a contingency plan/exit strategy
Security Concerns: Solutions
Keep critical data local (on-premises or in a private cloud); move the rest to the public cloud
Bottom line: Develop a Cloud Strategy
Thank You!
@tomwansa
END