
1 Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer

2 What is Cloud Computing "A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (the NIST definition). 5 essential characteristics, 3 cloud service models, 4 cloud deployment models

3 Essential Characteristics On-demand self-service – Computing capabilities obtained as needed, often from a user portal that allows self-provisioning Broad network access – Services available over the network from desktops, laptops, PDAs, and mobile phones Resource pooling – Provider resources are pooled to serve multiple customers; users often share the same physical machines Rapid elasticity – Ability to quickly scale service levels out and in to meet demand Measured service – Services are metered, usually as a quantity of service per timeframe

4 Service Models Software as a Service (SaaS) – Users access the application; the provider manages the application, OS, servers, storage, network, and underlying infrastructure Platform as a Service (PaaS) – Users deploy their own application; the provider manages the servers, OS, network, storage, and infrastructure Infrastructure as a Service (IaaS) – Users control the OS, storage, deployed applications, and selected network components; the provider controls the underlying infrastructure

5 Deployment Models Public – Cloud infrastructure available to the general public, owned by a provider selling cloud services Private – Cloud infrastructure operated for a single customer only; may be managed by the customer or a 3rd party, on or off premises Community – Cloud infrastructure shared by several customers with shared concerns; managed by the customers or a 3rd party Hybrid – A combination of two or more clouds bound together by standardized or proprietary technology

6 A Practical Example

7 Before Moving to the Cloud Identify the asset, application, or information being considered for deployment – Data type and sensitivity level – Application, function, or process Evaluate the asset – How important are the data or the functionality to the organization? Identify the stakeholders

8 Asset Evaluation How would we be harmed if: The asset became widely public and widely distributed? An employee of our cloud provider accessed the asset? The process or function were manipulated by an outsider? The process or function failed to provide the expected results? The information or data were unexpectedly changed? The asset were unavailable for a period of time? Does the chosen deployment model address the security these answers require?

9 Understand the Flow of Data Can the data be used in unintended ways? How can data move into and out of the cloud? What is your risk tolerance for loss of the data?

10 Cloud Computing Architecture

11 Cloud Computing Governance Cloud computing governance is not much different from a traditional governance program. – Need to establish processes and controls – Effective information security program – Providers must supply documentation – Service Level Agreements

12 What Should Audit Consider Physical – Where are the servers physically located? – What are the governing laws of that jurisdiction? Compliance – Can the provider show a recent SAS 70 Type II (superseded by SSAE 16 in 2011), ISO 27001/2, or SSAE 16 Type II audit statement? – Contractual "right to audit" clause

13 What Should Audit Consider Legal – E-discovery – Ownership of data – Clearly defined roles and responsibilities – Rights during separation (return and destruction of data when the contract ends) Auditability – Which regulations impact the cloud services in use? – Regulatory impact on data security

14 What Should Audit Consider Data Life Cycle – Data storage requirements – Commingling of data with other customers' data Disaster Recovery – Disaster recovery plan – Recovery Time Objectives (RTOs)

15 What Should Audit Consider Information Security – Information security is not always the provider's first priority – Is an "incident" clearly defined? – Does the provider meet your regulatory requirements? Application Security – Does the provider have a defined Software Development Life Cycle?

16 What Should Audit Consider Encryption – Encrypt all data in transit, at rest, and on backup media – Encryption standards and key management (who holds the keys?) Identity and Access Management – Provisioning and deprovisioning – User authentication
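The at-rest and backup-media control on the slide above, as an added example that is not from the presentation: envelope encryption in Go, where each backup gets its own 256-bit data encryption key (DEK) under AES-256-GCM, and that DEK is wrapped under a key encryption key (KEK) the customer keeps, so the backup medium never carries a usable key. The type and function names, the backup-set label, and the sample payload are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedBackup is the unit written to backup media. The DEK travels with the
// ciphertext only in wrapped form; the KEK stays with the customer or in a KMS.
type EncryptedBackup struct {
	Label      string // backup-set identifier, bound into both GCM tags as associated data
	DEKNonce   []byte
	WrappedDEK []byte // DEK sealed under the KEK
	DataNonce  []byte
	Ciphertext []byte // payload sealed under the DEK
}

// gcmSeal encrypts plaintext with AES-GCM under key, binding aad into the tag.
func gcmSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, aad or ciphertext differ.
func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptBackup generates a fresh DEK per backup, seals the payload under it,
// then wraps the DEK under the KEK. Destroying the KEK renders every backup
// unreadable, which is how media can be retired without physical wiping.
func EncryptBackup(kek, payload []byte, label string) (*EncryptedBackup, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := []byte(label)
	dataNonce, ct, err := gcmSeal(dek, payload, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{Label: label, DEKNonce: dekNonce, WrappedDEK: wrapped,
		DataNonce: dataNonce, Ciphertext: ct}, nil
}

// DecryptBackup unwraps the DEK with the KEK, then opens the payload. Both
// steps are authenticated, so a wrong KEK, a swapped label or a modified
// ciphertext is rejected rather than yielding garbage.
func DecryptBackup(kek []byte, b *EncryptedBackup) ([]byte, error) {
	aad := []byte(b.Label)
	dek, err := gcmOpen(kek, b.DEKNonce, b.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or tampered key block")
	}
	pt, err := gcmOpen(dek, b.DataNonce, b.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("open failed: tampered ciphertext or label")
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // in practice fetched from a KMS/HSM, never stored with the backup
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	payload := []byte("constructed sample backup: customer table export") // constructed data

	blob, _ := EncryptBackup(kek, payload, "backupset-42")
	got, err := DecryptBackup(kek, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, payload))

	blob.Ciphertext[0] ^= 0x01 // simulate a bit flip or tampering on the media
	_, err = DecryptBackup(kek, blob)
	fmt.Println("tampered media rejected:", err != nil)
}
```

The audit question "who holds the keys?" maps directly onto the KEK: if the provider generates and stores the KEK alongside the media, the customer has gained nothing over unencrypted backups against the provider-insider scenario on the Asset Evaluation slide.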

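The provisioning and deprovisioning item on slide 16, as an added example that is not from the presentation: a Go reconciliation check an auditor can run over an export of the provider's identity store against the HR roster, flagging orphaned accounts, accounts whose owner has left, credentials unused beyond a threshold, and accounts without MFA. The roster, the identities, the audit date, the field names and the 90-day threshold are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Employee is one row of the HR roster, the authoritative source for who should
// hold an account. Constructed schema for this example.
type Employee struct {
	ID     string
	Active bool
}

// CloudIdentity is one user as exported from the provider's identity service.
type CloudIdentity struct {
	User       string
	OwnerID    string    // HR identifier recorded at provisioning; "" if never recorded
	LastUsed   time.Time // last successful authentication or key use; zero if never
	MFAEnabled bool
}

// Finding is one audit exception for one account.
type Finding struct {
	User  string
	Issue string
}

// ReconcileIdentities compares provider accounts against the HR roster and
// returns the deprovisioning and authentication exceptions, sorted by user.
func ReconcileIdentities(now time.Time, roster []Employee, ids []CloudIdentity, staleAfter time.Duration) []Finding {
	active := make(map[string]bool, len(roster))
	for _, e := range roster {
		active[e.ID] = e.Active
	}
	var findings []Finding
	for _, id := range ids {
		// An empty OwnerID looks up "" and is reported as unknown, same as a bad ID.
		isActive, known := active[id.OwnerID]
		if !known {
			findings = append(findings, Finding{id.User, "no owner on HR roster (orphaned account)"})
		} else if !isActive {
			findings = append(findings, Finding{id.User, "owner has left: deprovisioning missed"})
		}
		switch {
		case id.LastUsed.IsZero():
			findings = append(findings, Finding{id.User, "credential never used since provisioning"})
		case now.Sub(id.LastUsed) > staleAfter:
			days := int(now.Sub(id.LastUsed).Hours() / 24)
			findings = append(findings, Finding{id.User, fmt.Sprintf("credential unused for %d days", days)})
		}
		if !id.MFAEnabled {
			findings = append(findings, Finding{id.User, "MFA not enforced"})
		}
	}
	// Stable sort keeps each user's findings in check order.
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

// SampleFindings runs the check over constructed sample data: three people on
// the roster (one departed) and four provider accounts, as of a fixed audit date.
func SampleFindings() []Finding {
	now := time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC)
	roster := []Employee{{"E100", true}, {"E101", true}, {"E102", false}}
	ids := []CloudIdentity{
		{User: "alice", OwnerID: "E100", LastUsed: now.Add(-2 * 24 * time.Hour), MFAEnabled: true},
		{User: "bob", OwnerID: "E101", LastUsed: now.Add(-120 * 24 * time.Hour), MFAEnabled: true},
		{User: "carol", OwnerID: "E102", LastUsed: now.Add(-10 * 24 * time.Hour), MFAEnabled: false},
		{User: "svc-deploy", OwnerID: "", MFAEnabled: false}, // shared service account, no owner
	}
	return ReconcileIdentities(now, roster, ids, 90*24*time.Hour)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-12s %s\n", f.User, f.Issue)
	}
}
```

The check only works if provisioning records an owner for every account, which is why the deprovisioning question belongs in the contract and the provisioning process rather than only in a periodic review: an account with no recorded owner cannot be tied to a leaver event at all.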
17 Final Thoughts Cloud computing should not be scary. Decide between public and private deployment based on risk. With governance, risk management, an information security policy, and auditing in place, a cloud implementation can be as secure as a traditional implementation.

18 References Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 – http://www.cloudsecurityalliance.org NIST Cloud Model – www.csrc.nist.gov/groups/SNS/cloud-computing/index.html Pizza as a Service – Albert Barron, Sr. Software Client Architect at IBM – https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service

