Cloud Base Service vs. On Premise

What Physical Security Practitioners need to know

Joey St. Jacques

Hydro Ottawa

Ottawa, Ontario, Canada

This session will cover some of the challenges facing physical security practitioners in determining whether a cloud-based service solution is ideal for their organization.

Hydro Ottawa, which provides electrical distribution and generation for the National Capital Region in Ottawa, Ontario, Canada, will discuss the successes and the challenges faced when integrating a cloud-based enterprise access control platform.

Overview

Company Profile

Driving Factors for Cloud Computing

Overview of the Cloud

Business Case (SOW)

• Vendor - Criteria

• Return on Investment

• Capital vs. Operating

• Cyber Security – Compliance

• Privacy – Data Location

Security of the Cloud

• Perimeter Layer

• Infrastructure

• Data Layer

• Environmental Layer

Benefits /Lessons Learned

Questions

Company Profile

Hydro Ottawa Holding Inc. [Hydro Ottawa] is 100 percent owned by the City of Ottawa. The core businesses of the Corporation are electricity distribution, renewable energy generation and related services.

Energy Ottawa Inc.

Energy Ottawa is the largest municipally owned producer of green power in Ontario

➢ Six run-of-the-river hydroelectric generation plants

➢ Ten additional run-of-the-river facilities in Ontario and upper New York State

➢ Hold interests in two landfill gas-to-energy joint ventures

The Centre for Energy Advancement through Technological Innovation (CEATI)

Physical & Cyber Security Chair

CEATI’s efforts are driven by 130+ participating organizations (electric utilities, governmental agencies), represented within 20 topic-focused programs across generation, transmission and distribution.

WHAT WE KNOW TODAY.......

➢Most organizations see security as a cost center

➢Security practitioners are tasked to review costs - reduction/efficiencies

➢Justify our budgets

➢Doing more with less

Driving Factors For Cloud Computing - What Keeps OUR CIO Awake at Night?

How much time does your IT team spend managing & updating infrastructure related to legacy systems?

Are they trained experts and efficient in managing?

Network/Cyber Security

Is my solution secure?

Uptime & Resiliency

Is it running?

Total Cost of Ownership

Can I afford it?

Service

Is there a knowledgeable and reliable integrator available?

Driving Factors For Cloud Computing - IT & OT Convergence

IT and OT groups traditionally have had different reporting structures, objectives and skill sets

Driving Factors for Cloud Computing - Cloud Adoption

Convenience

Cyber Security

Mobile

• True Mobility

• Control from anywhere

• No configuration & maintenance

• Web server

• Firewall

• Redundancy/Failover

• Updates/Patches

• Secure by Design

• Encrypted by Default

WHAT IS CLOUD COMPUTING?

Cloud computing is the on-demand delivery of computing services (servers, storage, databases, networking, software, analytics, and more) over the Internet. Companies offering these computing services are called cloud providers and typically charge for cloud computing services based on usage, similar to how you’re billed for water or electricity at home.

Private Datacenter / Colocation Compute / Storage / or Network Hardware

Virtual Infrastructure

Traditional On-Premise Security Model

Customers are responsible for end-to-end security in their on-premise data centers

Foundation Services

Compute Storage Database Networking

Infrastructure

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer content

AWS Foundation Services

Compute Storage Database Networking

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer content

AWS Global Infrastructure

Regions

Availability Zones

Edge Locations

Customer responsibility

AWS responsibility

AWS Security Model when using IaaS (EC2 instances)

Foundation Services

Compute Storage Database Networking

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer content

AWS Global Infrastructure

Regions

Availability Zones

Edge Locations

Customer responsibility

AWS responsibility

AWS Security Model when using PaaS (managed services)

PRIMARY DRIVERS FOR MOVING TO THE CLOUD

➢Increased agility

➢Elasticity – Stop guessing at capacity

➢Move from capital expense to variable expense

➢Breadth of services

➢Go global in minutes

BUSINESS CASE FOR CLOUD: A CUSTOMER PERSPECTIVE

Hydro Ottawa Case Study

Statement of Work

➢Determining if a cloud-based service solution (Software as a Service, SaaS) is ideal for Hydro Ottawa

➢Integrating a cloud-based enterprise access control platform.

The Big Picture – Solve a Problem

➢Hydro Ottawa: Need a new access control system

➢Hydro Ottawa: There are issues and an outgrown system

➢Hydro Ottawa: It’s old and outdated

➢Hydro Ottawa: We didn’t do the upgrades or properly maintain it

➢Hydro Ottawa: We were busier than we thought, didn’t budget funding for future upgrades, rarely did a backup, had existing responsibilities, etc.

About Feenics & KEEP

Feenics is the company name (pronounced like “Phoenix”)

Leader in cloud-based access control systems

“Keep” is the product name

➢Keep – a reference to the most secure part of the castle

➢Keep incorporates multiple layers of security and privacy protection (customers’ data)

Feenics uses AWS to host the Keep instance for customers

Customer’s Keep instance is:

➢Always on up-to-date software

➢Full-fledged access control

➢High availability and resiliency

➢Scalable

➢Secured

➢Always backed up – provides clients disaster recovery

Criteria - Features

➢On-the-Go Access Control

➢Push Notification Alerts

➢Door Control On-the-Fly

➢Global Lockdown

➢Mobile Monitoring

• Know the status of your facility when it is empty

➢Personnel Management

• Access levels

• Deactivate a badge from any device anywhere in the world

➢Full Building Control

• BAS

• Video

• Biometrics

➢Visitor Management

Criteria - Features

Secure by Design

No default passwords

Two Factor Authentication

Security Level

➢The higher the level, the less information returned on an invalid login.

Create & Enforce Password Policies

➢Strength requirements can be set

➢Change every x days.

➢Change their password on next login.

➢A user can be restricted from changing their password.

Integration - LDAP/Active Directory

Outdated employee/contractor information

➢Attributes

• Name

• Location

• Business unit

• Email address

➢Access privileges

➢Photo identification

➢Share specialized data using Keep “Custom Forms”

➢Define synchronization intervals – AD

➢Automatically revoke employee access upon termination via Human Resource on-boarding and off-boarding

Integration

[Diagram labels: HOL AD, LDAP, APP, LSVR, Building #1, Building #2, Alarm Monitor (x2)]

Return on Investment - Actual Server Costs

Spending $2,500 on a server really means ~$8,300 in facility capital to provide:

➢Real estate to house server

➢Cap ex for hardware, racks, power supplies

➢Depreciation/obsolescence

➢Power consumption

➢Cooling costs

➢Operations maintenance

Average cost per kWh

➢US $0.13

➢Canada is $0.10

Examples:

➢HP DL-380 with 2 Quad core CPUs is about $1,200.00 a year in electricity and cooling

➢Dell/HP 1U closer to $500 per year

Source: Forbes.com, “Servers: Why Thrifty Isn’t Nifty”

Return on Investment - Labor & Opportunity Cost

Cost for managing, maintaining & updating infrastructure related to legacy access control?

➢Apply fixes, patches, upgrades

➢Downtime

➢Performance tuning

➢Rewrite customizations

➢Rewrite integrations

➢Upgrade dependent applications

Ongoing burden on IT: maintain/upgrade

➢Hardware

➢Network Security

➢Database

➢Training

Capital vs. Operating Expenditures

Software

• On Premise: Purchase of a license can be capitalized as an intangible asset and amortised over its useful economic life (license period)

• Cloud: Committing to a usage period or a recurring rolling contract requires the costs to be recorded as operating expense over the service period

Implementation

• On Premise: Implementation costs can usually be capitalized if they are development activities

• Cloud: Implementation costs can usually be capitalized if they are development activities; however, fewer costs may be capitalized in practice

Hardware

• On Premise: Purchased hardware can be capitalized as a tangible fixed asset and depreciated over its useful economic life

• Cloud: An on-demand or multi-year usage contract (reserved instance or dedicated host) means that the costs must be recorded as operating expense over the service period, if the contract is not a finance lease.

Source: Deloitte – Cloud Capitalization

Cyber Security Frameworks/Maturity Models

The focus/purpose of the framework includes:

➢ IT Governance

➢ IT Enterprise Architecture

➢ IT Data Governance

➢ IT Internal Control

➢ IT Competency

➢ IT Risk Management

➢ IT Strategy

➢ IT Automation

SSAE 16-18 Compliance reporting certification is the name of the standard practiced by auditors.

So the Cloud is where? Amazon Web Services

Customers can run their applications and workloads in the Canada (Central) Region in one of 2 availability zones.

End-users based in Canada can leverage the Canada Region to avoid up-front expenses, long-term commitments, and scaling challenges associated with maintaining and operating their own infrastructure. Canada joins Northern Virginia, Ohio, Oregon, Northern California and AWS GovCloud

AWS Region in Montreal is one of 22 worldwide, bringing the total number of Availability Zones to 69 globally.

In addition to the Region, AWS Canada has three Edge Locations – one in Montreal and two in Toronto.

Shared Responsibility Model

“Security OF the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.

“Security IN the Cloud” - Customer responsibility will be determined by the AWS Cloud services that a customer selects.

Our Data Centers

Our data centers provide protection at every layer:

➢ Perimeter Layer

➢ Infrastructure Layer

➢ Data Layer

➢ Environmental Layer

Take a virtual tour: https://aws.amazon.com/compliance/data-center/data-centers/

Perimeter Layer

➢ACCESS IS SCRUTINIZED

➢ENTRY IS CONTROLLED AND MONITORED

➢AWS DATA CENTER WORKERS ARE SCRUTINIZED, TOO

➢MONITORING FOR UNAUTHORIZED ENTRY

➢AWS SECURITY OPERATIONS CENTERS MONITOR GLOBAL SECURITY

Infrastructure Layer

➢LAYER-BY-LAYER ACCESS REVIEW

➢MAINTAINING EQUIPMENT IS A PART OF REGULAR OPERATIONS

➢EMERGENCY-READY BACKUP EQUIPMENT

Data Layer

➢TECHNOLOGY AND PEOPLE WORK TOGETHER FOR ADDED SECURITY

➢PREVENTING PHYSICAL AND TECHNOLOGICAL INTRUSION

➢SERVERS AND MEDIA RECEIVE EXACTING ATTENTION

➢THIRD-PARTY AUDITORS VERIFY OUR PROCEDURES AND SYSTEMS

Environmental Layer

➢PREPARED FOR THE UNEXPECTED

➢HIGH AVAILABILITY THROUGH MULTIPLE AVAILABILITY ZONES

➢SIMULATING DISRUPTIONS & MEASURING OUR RESPONSE

➢GREENER IN THE AWS CLOUD

INHERIT GLOBAL SECURITY AND COMPLIANCE CONTROLS

AWS REGULATION & COMPLIANCE

➢Benefit from AWS Regulatory Compliance Efforts

➢Cloud-based PhySec systems should ride on already compliant and established providers

➢HSPD-12 & FICAM (PIV) Compliant Access Control

➢SOC Compliance

➢GDPR Compliance

STARTING YOUR CLOUD JOURNEY

• Understand your business case

• Collaborate with other divisions

• Business process optimization

• Cost efficiencies and Total Cost of Ownership (TCO)

Benefits - Summary

➢Minimal upfront costs

➢Shorten deployment time

➢Always have trained experts managing our system

➢Always patched and up-to-date

➢Monthly updates

➢Eliminates problems and costs associated with

• Hardware maintenance and obsolescence

• Service calls due to server and update issues

• Risk due to server failure/lack of backups

➢Remote support and assistance - reduce the need to come onsite to upgrade

➢Scalable & flexible

➢Secure mobile access

➢Reduce the system TCO

Lessons Learned

➢Selecting the right computing option for your workload

➢Choosing the cloud consumption models to best fit your requirements

➢Reducing operating costs by leveraging application and data services available within the cloud platform

➢Addressing security and management challenges

➢Have a conversation with other divisions – organizational buy-in/support

➢Vendor and Integrator need to be aligned

QUESTIONS?

Joey St. Jacques – Hydro Ottawa

James Armitage - Amazon

Fadi Hajjar - Feenics