Presentation is loading. Please wait.

Presentation is loading. Please wait.

Feeling safe in the cloud Pete Hickey Université d’Ottawa.

Similar presentations

Presentation on theme: "Feeling safe in the cloud Pete Hickey Université d’Ottawa."— Presentation transcript:


2 Feeling safe in the cloud Pete Hickey Université d’Ottawa

3 Everybody talks about clouds

4 Not all are happy

5 History of confusion 1967 The Saskatoon Connection

6 Joni Mitchel, 1967 I’ve looked at clouds from both sides now From up and down And still somehow It’s cloud illusions I recall I really don’t know clouds at all

7 Clouds Some people think the moving student e- mail to Google/Microsoft is moving to the cloud. Much more than that.

8 Jean-Philippe’s mountain cloud



11 Not everyone has the same idea Can’t see what is there.

12 What goes around comes around Early days, mainframes. Move to PCs and distributed processing – At one time we had 37 Novell servers on campus Move to centralize – Economics : economy of scale – Manageability Move to the cloud is the same thing on a larger scale.

13 It will come Just because something is not a good fit does not stop us. Look at the Internet – Not designed for how we use it – We change in spite of the issues.


15 Clouds are attractive! Somebody Else’s Problem( SEP) is a condition where individuals/populations of individuals choose to decentralize themselves from an issue that may be in critical need of recognition Everyone offering cloud services – Whatever you want, you can get it. – You can even get things you don’t want.

16 Clouds are attractive! Can provide something you don’t have the resources for Broad network access – Available from anywhere – Accessible from any platform Can be provided FAST! Rapid elasticity.

17 Clouds are attractive! Reduce or eliminate need for YOUR tech support. Get rid of your skilled geeks Trust the company to provide the service.

18 Trust me!!!!!

19 New skillsets required! Contract negotiation more important! You must have a thorough understanding of your process/system You must have a thorough understanding of their system You must ensure everything is clear in the contract.

20 Replace your geeks with lawyers!

21 Planning is essential When providing something in-house, you can react to changes, unrealized needs. In theory, an project is well planned in advance. In reality, not always true. “Let’s get it going, then fix it after.”

22 The Unknown As we know, There are known knowns. There are things we know we know. We also know There are known unknowns. That is to say We know there are some things We do not know. But there are also unknown unknowns, The ones we don't know We don't know. —Feb. 12, 2002, US Department of Defense news briefing

23 Trust the company Everyone is getting into the cloud. Do you have confidence in the company’s ability to deliver the product? Or are they just getting the product out the door

24 Areas of trust to consider The ability of the company to provide what you want The integrity of the employees of that company.

25 Trust People In general, people are trustworthy. Trust should make you think of this:

26 Trust

27 Statistics tell us that, the larger the population, the greater the number at the end of the bell curve. As we increase the size of the population we trust, the probability of an untrustworthy individual increases.

28 Trust states that data loss is from – 22% inside accidental – 10% inside malicious. Malicious insider is HIGH RISK – Due to their access to sensitive data. You have more insiders

29 Trust In the past, we would trust our staff because we knew them. The cloud brings a new style of trust.

30 Trust by Contract!

31 Trust You can’t trust a population you don’t know. Get it in the contract! Job for the future “Cloud Contracting Engineer.”

32 Kinds of clouds IAAS Infrastructure as a Service. EG Amazon’s E2C – Hardware provided for you – Quick to create new machines – Attractive for seasonal growth and un-growth. – Attractive if space is expensive – OS and hardware maintained for you.

33 Kinds of clouds PAAS Platform as a service. – The OS and middleware there for you – Develop custom applications without worrying about the rest.

34 Kinds of clouds SAAS Software as a service EG GoogleDocs, email – Very rapid deployment. – No maintenance/upgrades/patching. Just about everything imaginable is out there

35 Kinds of clouds SAAS PAAS IAAS The lower  Security responsibility : you The higher  Security responsibility : them.

36 Things to think about Your neighbors Breaches Your data/processes Authentication Authorisation Monitoring Auditing E-discovery

37 Things to think about image Physical Security DNS issues Laws regulations Risk evaluation Business continuity

38 Welcome to my Neighborhood!

39 Your Neighbors

40 In house, would you run your business systems on the same VMWare cluster which has open student shell access? Why? why not? Defense in depth?

41 Your Neighbors Do you know your neighbors Do you care? Do you know how you are kept separate from them? First recognizable group to use IAAS were the spammers. – Your neighbors may not be your friends

42 Breaches and attacks All the OWASP things still hold Other concerns as well

43 Breaches and attacks

44 What if your neighbor is breached? – Will you be notified? What if the cloud infrastructure is breached? – Will you be notified. What about an attack from a neighbor? What does a vulnerability in VMWare mean?

45 Collateral Damage

46 What if your neighbor is DoS attractive?

47 What if your neighbor is hacking attractive?

48 Collateral damage?

49 Know your data well!

50 Know your data? Understand what it is, and any regulations/laws Know how it may change Relatively easy with a database More difficult with something like GoogleDocs. Similar for processes – People have a way of using things in a way which was never intended.

51 New exposure risks To the world Cloud employees Other cloud customers. Data or process changed Lack of access for a period of time

52 Where is your data? US? France? Japan? North Korea? Many only worry about data in US. Will it always stay where it is now? Do you have any way to verify?

53 Termination of contract. Intentional/unintentional Data retrieved? Data will be destroyed?

54 Destruction of data ! Do you have a legal obligation to destroy data after X years? After being required to keep data for Y years do you want to destroy it. What is in the cloud providers backups? Destruction of data should be a cloud supplier’s responsibility.

55 Backups/archives! Will you maintain your own as well? What is the effect of total loss of data? – Careful about that locally All backups usually handled similarly Concerns about multiple cloud providers.

56 It has happened SEP example

57 Who owns the data

58 E-discovery You? Them? What tools do you have? You and the provider SHOULD be aligned here.

59 Can the cloud use your data? For advertising? In advertising? – Facebook using users pictures in ads.

60 Facebook picture

61 PCI-DSS Gives some areas to think about

62 Build a secure network Existence of firewalls? Their network’s security is probably classified.

63 Do not use vendor supplied passwords Servers hardened? Not much to say here You HOPE!

64 PCI-DSS Gives some areas to think about

65 Encryption Secure channels to data even more important. Can you store your data in the cloud with your own encryption? – Could solve a lot of problems Can you encrypt it on your own? Can the provider provide the infrastructure to let you encrypt with your keys?

66 PCI-DSS Gives some areas to think about

67 Vulnerability management Ensure cloud provider does it How soon are patches applied?

68 PCI-DSS Gives some areas to think about

69 Regularly monitor and test Logs? What can you see? What tools do you have Raw data or canned reports? Can you increase details if necessary Audit logs?

70 Monitor traffic

71 Traffic blocked by firewall or unseen by the app may give an idea of threats. Do you have any idea of what is there that you don’t see?

72 Test and Monitor Pen testing and vulnerability scanning may be disallowed by contract. – Other neighbors may view it as an attack – Cloud provider may view it as an attack. Be PCI compliant by buying a PCI compliant service.

73 PCI-DSS Gives some areas to think about

74 Policy Check their security policies Do you need cloud security policies? – With SaaS (or any other) you may have users going out to the cloud without central approval – Universities tend to be bad for this (eg DropBox)

75 Authentication “Who are you?”

76 Authentication Are accounts local or at cloud providers? – Tends to vary with size of system. Are you giving your cloud provider access to your credentials. – Users tend to have similar passwords for multiple sites. – Hint. Think Shibboleth If accounts are in the cloud how are former employees accounts deleted?

77 Authentication What if laws/regulations require 2-factor authentication in the future?

78 Authentication Stolen credentials may be more of a risk – Lack of defense in depth Compensate somehow

79 Administrative access How are admin accounts handled? Defense in depth: In house, VPN first. In the cloud everyone can poke. Essential to protect admin access! Can you see failed logon attempts?

80 Can you go back? If things go wrong? Move to another provider if theirs is better?

81 Business continuity Don’t forget it. May be more difficult if not planned.

82 DNS issues Phishing may be more of a threat. – How would outsiders see that? Reverse lookup?

83 How do you measure their security? Certifications, 3 rd party audits Global Payments was PCI compliant March 29.

84 What about your image? What if the Armed Forces use cloud services? What if Canada Revenue Agency did? If you would not feel good about them in the cloud, ask yourself “why?”

85 Previous examples of things gone wrong They can happen in-house as well Just be aware that they can also happen out there. It’s not a SEP… it’s YOUR problm.

86 Bottom line It’s all in the contract. You need a very good understanding of the data, processes and the systems. Advance planning is even more important. You probably still need your geek as an architect for your cloud contracting team.

87 Cloud contracting team!

88 “The flight here was specular. Like hovering all the way inside a jewel. We are the first generation to see the clouds from both sides.” Saül Bellow, Henderson the rain king

89 Trust me!!!!!

90 Feeling safe in the cloud Pete Hickey Université d’Ottawa

Download ppt "Feeling safe in the cloud Pete Hickey Université d’Ottawa."

Similar presentations

Ads by Google