Moving to the Cloud: Benefits, Risks & a Case Study What is this Cloud thing?


1 Moving to the Cloud: Benefits, Risks & a Case Study
  What is this Cloud thing?

2 Cloud Definition
  The cloud can mean different things to different people, usually depending on how they interact with it. For our purposes we will use the NIST (National Institute of Standards and Technology) definition:
  "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (NIST Special Publication)

3 Cloud Definition: The NIST Cloud Model
  5 essential characteristics, 3 service models, 4 deployment models
  Essential characteristics:
    On-demand self-service
    Broad network access
    Resource pooling
    Rapid elasticity
    Measured service

4 Cloud Definition
  Service models:
    Software as a Service (SaaS)
    Platform as a Service (PaaS)
    Infrastructure as a Service (IaaS)
  Deployment models:
    Private cloud
    Community cloud
    Public cloud
    Hybrid cloud

5 Benefits of Moving to the Cloud
    Cost efficiency
    Scalability
    Backup and recovery
    Application or application suite customization
    Convenient access to applications and information
    Rapid deployment

6 Risks of Moving to the Cloud
    Technical issues
    DoS attacks
    Data breaches
    Hacked interfaces & APIs
    Credential & authentication issues
    Compatibility issues
    Lack of standardized technology

7 Risks (continued)
    System vulnerabilities
    Insider threats
    Inadequate diligence
    Data ownership

8 Moving software, platform, or infrastructure to a cloud-based model does not relieve a business organization of responsibility. From a risk standpoint, anything that is cloud hosted must be treated as if it resides on premises, plus any additional cloud computing risks. Have a clear understanding of what you intend to accomplish by moving to the cloud and how it fits your business strategy. Process is important when moving to cloud computing.

9 Complete a full risk assessment
    Consider all the risks of a locally hosted project
    Add the additional risks of cloud hosting
  Vendor due diligence (use the risk assessment as your guide)
    Financial stability
    Reliability
    Business continuity
    Security
    Legal liability
    Support

10 Planning and project management
    Consider contracting outside expertise for project planning and implementation
    Preparation can be extensive
    Address items in the risk assessment
    Initial setup is often the key to future success
    Effective security configuration is best set up at the beginning of the project
    Migration can be daunting
    Create an exit strategy
  Implementation
    Implement according to the plan
    Avoid additions during implementation; they have the potential to open security holes. There can always be a phase 2.
    Test for the expected functionality
    Ensure that everything is documented

11 Care and feeding
    Cloud computing requires monitoring and management just as in-house systems do
    Remain vigilant on security; the threat environment is always evolving
    Evaluate on a continual basis
    Conduct a risk assessment on an annual basis and create any needed controls to mitigate new risk findings
  CSO Online surveyed IT executives on what they perceived as the greatest risks in cloud computing.

12 Perceived Risks in Cloud Computing (CSO Online survey)
    Uncertain ability to enforce security policies at a provider   23 percent
    Inadequate training and IT auditing                            22 percent
    Questionable privileged access control at provider site        14 percent
    Uncertain ability to recover data                              12 percent
    Proximity of data to another customer's                        11 percent
    Uncertain ability to audit provider                            10 percent
    Uncertain continued existence of provider                       4 percent
    Uncertain provider regulatory compliance                        4 percent
  To address these concerns, the article stated that accommodating security for cloud computing is simply an extension of dealing with security for mobile devices. As the boundaries of where data resides have been expanding to laptops and smartphones, they must expand to virtual systems, including those run by third parties.

13 The article proposed thinking about data security not by location but by content. Security policy then becomes consistent across all platforms. In practice this could put a new emphasis on data classification and on controlling access to data. For internal policy this requires:
    Establishing high-level information security policies for protecting data
    Establishing more granular compliance-related policies for specific departments, such as finance and human resources
    Establishing processes for auditing and improving policy effectiveness

14 The process for addressing third-party providers involves:
    conducting a cost/benefit analysis
    ensuring the third-party service aligns with business objectives
    identifying regulatory and privacy requirements
    developing a contingency plan and exit strategy
  Sidebar: More Things To Worry About
  Two scenarios that are of concern:
    Backup failure
    The misconfigured server

15 Sidebar: More Things To Worry About
  Possible causes of cloud backup failure:
    Technical issues
    DoS attacks
    Hacked interfaces & APIs
    Insider threats
    Data ownership
  Tertiary backup:
    Backup to another independent cloud provider
    Backup to a corporate network

16 Sidebar: More Things To Worry About: The Misconfigured Server
  "More than 600 gigabytes of files left unsecured on an Amazon server by third-party communications company BroadSoft were leaked last month. The four million Time Warner Cable records contain the personal details of its customers, and include usernames, addresses and financial transaction information." (CNBC)
  The cost of human error:
    Misconfigured server
    Third party of a third party issue
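The misconfigured server scenario above, as an added example that is not part of the presentation: a small Python audit that reads S3 bucket policy and ACL documents and flags grants that any anonymous caller could use, beside the corrected policy scoped to one role. It assumes the exposed "Amazon server" was S3 storage; the policies, the ACL, the bucket name and the account/role ARN are constructed samples.

```python
"""Audit S3 bucket policy and ACL documents for public exposure."""
# Added example, not from the presentation. Assumes the exposed "Amazon
# server" was an S3 bucket; the JSON below is constructed sample data in
# AWS's documented policy/ACL shapes so the check runs offline.
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True if a statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_public_findings(policy):
    """Sids of Allow statements usable by anyone (Conditions are ignored,
    so a restricted wildcard is still flagged for human review)."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def acl_public_findings(acl):
    """Permissions an ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]

# Constructed sample: the "just make it readable" policy behind many leaks.
LEAKY_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]}''')

# Constructed sample: the same access scoped to one role in the account.
FIXED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]}''')

# Constructed sample: a legacy ACL granting READ to everyone on the internet.
LEAKY_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}

if __name__ == "__main__":
    print(policy_public_findings(LEAKY_POLICY), policy_public_findings(FIXED_POLICY),
          acl_public_findings(LEAKY_ACL))  # ['PublicRead'] [] ['READ']
```

The same two functions can be pointed at real documents fetched with the AWS CLI (get-bucket-policy, get-bucket-acl) as part of the annual risk assessment the presentation recommends.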

17 Sidebar: More Things To Worry About
  Equals:
    Major reputation hit
    Loss of customers
    Lawsuits
    Identity theft costs
  Case Study: Microsoft Office

18 Case Study: Business case
  Corporate strategy is to combine what were three independent operations into one integrated company. The Office 365 project is part of the ongoing operational integration of the combined organization. Cost effectiveness and efficiency are the primary goals.
  Microsoft Office 365 Enterprise E3:
    Full Office suite and calendars
    Archiving, legal discovery/hold & rights management
    Collaborative apps
    File sharing
    Active Directory integration (SSO)
    Management tools

19 Case Study: Risk assessment
    Malware
    File sharing
    Data loss
    Secure management & administration
    Access by unauthorized devices
    Downtime
    Retention policies
  Vendor management
    The organization has an extensive, established vendor management function.
    Vendors and partners are reviewed on an annual basis.
    Assisted in this area by one of our former organizations having been a user of another version of Office 365 since

20 Case Study: Planning and project management
    Managed by the project management group
    Have contracted outside expertise who have been active in planning and will do much of the implementation
    Risk findings addressed and in the plan
    Preparation is extensive and ongoing

21 Case Study: Implementation
    Preparation activities are ongoing
    Migration plan prepared; plan divided into two phases
    Project management process lessens the possibility of delaying additions
    Outside expertise has been essential in planning an initial configuration that meets our risk and security requirements
  Conclusion: Key takeaways
    Strategic fit
    Cloud vendor due diligence
    Benefits need to be balanced against the risks
    Process and controls to mitigate the risks
    Outside expertise for planning & implementation
    Evaluate continually after migration

22 Questions?
  Contact Information: Robert Gentry, Senior Consultant, Information Security Services
    Toll Free (855)
    Phone (717) ext
    Website: