Presentation is loading. Please wait.

Presentation is loading. Please wait.

Marketing, Uncertainty & Doubt: Information Security and Cloud Computing Javed Ikbal zSquad LLC © 2009 Javed Ikbal.

Similar presentations

Presentation on theme: "Marketing, Uncertainty & Doubt: Information Security and Cloud Computing Javed Ikbal zSquad LLC © 2009 Javed Ikbal."— Presentation transcript:

1 Marketing, Uncertainty & Doubt: Information Security and Cloud Computing Javed Ikbal zSquad LLC © 2009 Javed Ikbal

2 About zSquad Information Security Consulting Practice Focus areas are: – Policy review/development – IT Governance – Security Architecture – Application Security – PCI, SAS 70 and ISO 27001 audit prep – 3 rd party due diligence audits Customers are financial services, insurances and state / city agencies We also founded The Layoff Support Network ( 2

3 Agenda Too many “cloud” offerings = confused market Pay-as-you-go vs. always on Cloud (in)security Hype: Security vendors Hype: Cloud providers Enterprise Cloud Computing Know your information Minimum due diligence – questions to ask your cloud provider If you are a cloud (or related service) provider – questions you better have answers for If you develop, things to do QA 3

4 “Cloud:” Buzzword 2.0 Gmail and Hotmail are clouds, too So are and Google Apps What about timesharing mainframes of old? Or the $5/month shared web-hosting? So is the cloud concept decades old? 4

5 So what exactly is a “cloud”? … Massively scalable IT-enabled capabilities delivered 'as a service' to external customers using Internet technologies. -- Gartner 5

6 Cumulous, Stratus, Nimbus… SaaS: SalesForce, GoogleMail, Google Apps… Utility Computing: Amazon EC2, IBM, Unisys… Web Services (API): Google Maps, ADP Payroll processing… Platform As A Service:, Google App Engine, Azure Managed Service Providers: Hosted anti- spam services Infrastructure as a Service: Amazon, 3Tera 6

7 Characteristics: Elasticity: provisioning and deprovisioning resources in real time to meet workload demands Utility: providing resources on a 'pay-as- you-go' basis Ubiquity: providing services available from anywhere to anywhere 7

8 Cloud (in)Security Characteristics 8 Outside customers’ physical security perimeter Unknown (untrusted?) personnel Unenforceable regulatory compliance Unpredictable jurisdiction over data Unknown disaster recovery You may very well be locked-in Zero support for forensics / investigations But: Trust us, we are doing the right things

9 Every RSA Conference has a buzzword 9 This year it was "the cloud." In one way or another, vendors were pushing their answer to handling security in the cloud. Cisco unveiled a number of tools and services in the cloud April 21, even though a day later Cisco CEO John Chambers described the idea of securing a virtual cloud network as “a security nightmare.” IBM pulled the covers off a new arsenal of products designed to protect cloud computing environments as well, while McAfee CEO Dave DeWalt used his keynote to talk about using the cloud in the context of what he called “predictive security,” his vision of how McAfee will share threat intelligence in the cloud to better protect end users. - 4/24/2009

10 Customers Worry 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions. Cloud Computing Gains in Currency Pew Internet and American Life Project 10

11 Vendors Respond: Since 2007, Amazon has been telling us they are: ".. working with a public accounting firm to... attain certifications such as SAS70 Type II" but these have not happened in 2+ years. 11

12 Vendors Respond 12

13 Reality 13 March 7, 2009 from the WSJ: Google disclosed Saturday that it shared a very small number of online documents with users who weren’t authorized to see them. The privacy glitch, caused by a software bug, affected just a tiny fraction of documents — an estimated less than.05% September 18, 2009 from the NY Times: A recent bug in Google Apps allowed students at several colleges to read each other's email messages and some were even able to see another student's entire inbox. The issue occurred at a small handful of colleges… whoops-students-going-google-get-to-read-ea-12995.html

14 Want To Complain? 14

15 Amazon EC2/S3 15 We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services.

16 No Customer Audit Allowed 16 …It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. … I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time.

17 Detour: SAS 70 type II 17 Concept: ISO 9000 certified Concrete Life Jackets manufactured according to the documented procedures instructions on how to complain about defects SAS 70: Company management defines controls to be evaluated Management: We have a guard at the front door. That is the sole control we want evaluated Auditor: And he checked my ID. The control works as claimed. Here is your SAS 70 type II certification Unless you can see which controls were evaluated, SAS 70 type II reports are not meaningful

18 Can you move your enterprise to the cloud? Or, If you are a cloud vendor, how do you convince your customers to move? 18

19 Case Study Business: Automatic discount at retail stores Customer identified by Credit Card used Currently 1 million transactions/day PCI-certified stores have demanded PCI certification Client stress test: 1 million transactions/hour Amazon Extra-Large Instance Cost: ~ $200 They can not get PCI certified on Amazon Any other platform is unaffordable 19

20 Solution 20 Source: Kavis Technology Consulting

21 Customer: Data Classification Some parts of the enterprise can go to the cloud The trick is in understanding that: All data is not created equal Some entirely fit to be in/on a cloud But if data is valuable enough that someone might bring out a gun, cloud is not the right place to be. If you need PCI certification, excellent advice from AWS rep: … keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time 21

22 Off-premise has different security problems and requirements Understand them, and you can secure them or Make an informed decision to Stay Away 22

23 Customer Due Diligence Centralization of data makes insider threats from within the cloud provider a bigger risk Customers should perform onsite inspections of cloud provider facilities whenever possible Customers should inspect cloud provider disaster recovery and business continuity plans. Customers should identify physical interdependencies in provider infrastructure. For IaaS, deploy applications in runtime in a way that is abstracted from the machine image. Backups should also be machine independent. Understand who your provider’s competitors are. Plan for a migration 23

24 Considering a SaaS provider? 24 If you have the resources, do an audit yourself If your data requires that level of assurance If the provider allows Ask the vendor for 3rd party audit reports SAS 70 audit reports: better than nothing Barely Ask them about: Employee background check Secure development process Trust, but verify

25 Multi-tenant SaaS Security Issues 25 Not net-new vulnerabilities But suddenly you are hosting data on servers managed by people who don't work for you And you are not the only user of the server Can someone do an off-by-one attack? By mistake? Denial of service attack against another customer?

26 Providers: Know what you will host Spell out policies and procedures Employees are background-checked? Are they bonded? How would you stop someone from backing up a VM and taking it home? Be clear about what you will NOT support It took Amazon AWS 2 years to provide an answer Some things are still unclear The Google / AWS disclaimers are excellent models Unisys has ISO 27001-certified data centers. Think before investing that much time, effort and money 26

27 Providers (cont.) Cloud providers should adopt as a security baseline the most stringent requirements of any customer. Or make clear to the customer where they stand Providers should have robust compartmentalization of job duties and limit knowledge of customers to that which is absolutely needed to perform job duties. Understand that you may be subject to a legal / regulatory discovery because of a customer 27

28 Creating Secure Software 28 Developers care about deadlines and meeting the requirements If security is not in the requirements, it will not get done If developers don't know how to code securely, it will not get done right If at all

29 Building a SaaS offering? 29 Train your developers and architects A single-day training will probably eliminate 90% future security issues Build Security into your life-cycle Let security people, not developers, write the security requirements Security Code review sounds nice, but is expensive Do an application audit before going live Allow time for it in the project plan

30 Final Thoughts 30 Provider Security Responsibility Customer Extensibility Where are you? What are you doing about it? IaaS PaaS SaaS

31 Questions? 31

Download ppt "Marketing, Uncertainty & Doubt: Information Security and Cloud Computing Javed Ikbal zSquad LLC © 2009 Javed Ikbal."

Similar presentations

Ads by Google