Not everyone has the same idea Can’t see what is there.
What goes around comes around Early days, mainframes. Move to PCs and distributed processing – At one time we had 37 Novell servers on campus Move to centralize – Economics : economy of scale – Manageability Move to the cloud is the same thing on a larger scale.
It will come Just because something is not a good fit does not stop us. Look at the Internet – Not designed for how we use it – We change in spite of the issues.
Clouds are attractive! Somebody Else’s Problem( SEP) is a condition where individuals/populations of individuals choose to decentralize themselves from an issue that may be in critical need of recognition Everyone offering cloud services – Whatever you want, you can get it. – You can even get things you don’t want.
Clouds are attractive! Can provide something you don’t have the resources for Broad network access – Available from anywhere – Accessible from any platform Can be provided FAST! Rapid elasticity.
Clouds are attractive! Reduce or eliminate need for YOUR tech support. Get rid of your skilled geeks Trust the company to provide the service.
New skillsets required! Contract negotiation more important! You must have a thorough understanding of your process/system You must have a thorough understanding of their system You must ensure everything is clear in the contract.
Planning is essential When providing something in-house, you can react to changes, unrealized needs. In theory, an project is well planned in advance. In reality, not always true. “Let’s get it going, then fix it after.”
The Unknown As we know, There are known knowns. There are things we know we know. We also know There are known unknowns. That is to say We know there are some things We do not know. But there are also unknown unknowns, The ones we don't know We don't know. —Feb. 12, 2002, US Department of Defense news briefing
Trust the company Everyone is getting into the cloud. Do you have confidence in the company’s ability to deliver the product? Or are they just getting the product out the door
Areas of trust to consider The ability of the company to provide what you want The integrity of the employees of that company.
Trust People In general, people are trustworthy. Trust should make you think of this:
Statistics tell us that, the larger the population, the greater the number at the end of the bell curve. As we increase the size of the population we trust, the probability of an untrustworthy individual increases.
Trust Dataloss.org states that data loss is from – 22% inside accidental – 10% inside malicious. Malicious insider is HIGH RISK – Due to their access to sensitive data. You have more insiders
Trust In the past, we would trust our staff because we knew them. The cloud brings a new style of trust.
Trust You can’t trust a population you don’t know. Get it in the contract! Job for the future “Cloud Contracting Engineer.”
Kinds of clouds IAAS Infrastructure as a Service. EG Amazon’s E2C – Hardware provided for you – Quick to create new machines – Attractive for seasonal growth and un-growth. – Attractive if space is expensive – OS and hardware maintained for you.
Kinds of clouds PAAS Platform as a service. – The OS and middleware there for you – Develop custom applications without worrying about the rest.
Kinds of clouds SAAS Software as a service EG GoogleDocs, email – Very rapid deployment. – No maintenance/upgrades/patching. Just about everything imaginable is out there
Kinds of clouds SAAS PAAS IAAS The lower Security responsibility : you The higher Security responsibility : them.
Things to think about Your neighbors Breaches Your data/processes Authentication Authorisation Monitoring Auditing E-discovery
Things to think about image Physical Security DNS issues Laws regulations Risk evaluation Business continuity
In house, would you run your business systems on the same VMWare cluster which has open student shell access? Why? why not? Defense in depth?
Your Neighbors Do you know your neighbors Do you care? Do you know how you are kept separate from them? First recognizable group to use IAAS were the spammers. – Your neighbors may not be your friends
Breaches and attacks All the OWASP things still hold Other concerns as well
What if your neighbor is breached? – Will you be notified? What if the cloud infrastructure is breached? – Will you be notified. What about an attack from a neighbor? What does a vulnerability in VMWare mean?
Know your data? Understand what it is, and any regulations/laws Know how it may change Relatively easy with a database More difficult with something like GoogleDocs. Similar for processes – People have a way of using things in a way which was never intended.
New exposure risks To the world Cloud employees Other cloud customers. Data or process changed Lack of access for a period of time
Where is your data? US? France? Japan? North Korea? Many only worry about data in US. Will it always stay where it is now? Do you have any way to verify?
Termination of contract. Intentional/unintentional Data retrieved? Data will be destroyed?
Destruction of data ! Do you have a legal obligation to destroy data after X years? After being required to keep data for Y years do you want to destroy it. What is in the cloud providers backups? Destruction of data should be a cloud supplier’s responsibility.
Backups/archives! Will you maintain your own as well? What is the effect of total loss of data? – Careful about that locally All backups usually handled similarly Concerns about multiple cloud providers.
Encryption Secure channels to data even more important. Can you store your data in the cloud with your own encryption? – Could solve a lot of problems Can you encrypt it on your own? Can the provider provide the infrastructure to let you encrypt with your keys?
Traffic blocked by firewall or unseen by the app may give an idea of threats. Do you have any idea of what is there that you don’t see?
Test and Monitor Pen testing and vulnerability scanning may be disallowed by contract. – Other neighbors may view it as an attack – Cloud provider may view it as an attack. Be PCI compliant by buying a PCI compliant service.
Policy Check their security policies Do you need cloud security policies? – With SaaS (or any other) you may have users going out to the cloud without central approval – Universities tend to be bad for this (eg DropBox)
Authentication Are accounts local or at cloud providers? – Tends to vary with size of system. Are you giving your cloud provider access to your credentials. – Users tend to have similar passwords for multiple sites. – Hint. Think Shibboleth If accounts are in the cloud how are former employees accounts deleted?
Authentication What if laws/regulations require 2-factor authentication in the future?
Authentication Stolen credentials may be more of a risk – Lack of defense in depth Compensate somehow
Administrative access How are admin accounts handled? Defense in depth: In house, VPN first. In the cloud everyone can poke. Essential to protect admin access! Can you see failed logon attempts?
Can you go back? If things go wrong? Move to another provider if theirs is better?
Business continuity Don’t forget it. May be more difficult if not planned.
DNS issues Phishing may be more of a threat. Yourname.cloud.com? – How would outsiders see that? Reverse lookup?
How do you measure their security? Certifications, 3 rd party audits Global Payments was PCI compliant March 29.
What about your image? What if the Armed Forces use cloud services? What if Canada Revenue Agency did? If you would not feel good about them in the cloud, ask yourself “why?”
Previous examples of things gone wrong They can happen in-house as well Just be aware that they can also happen out there. It’s not a SEP… it’s YOUR problm.
Bottom line It’s all in the contract. You need a very good understanding of the data, processes and the systems. Advance planning is even more important. You probably still need your geek as an architect for your cloud contracting team.