To cloud or not to cloud
Uploaded by alejandro-de-la-borbolla-ruiz (category: Technology)
Cloud Services Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured services
Source: AWS
Insecure?
The truth is that data and systems residing in public or private clouds are as secure as you make them.
Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.
Barriers
• Perceived loss of control
• Lack of clarity around responsibilities, liabilities and accountability
• Lack of transparency / clarity in SLA, interoperability, awareness and expertise
Risks and Security Concerns: Service and Contractual Risks
• Vendor lock-in: few tools, procedures or standard formats are available for data and service portability
• Poor SLA: the service level affects confidentiality and availability
• 3rd-party access to data: the need to protect intellectual property, trade secrets and personal data, and to comply with regulations and laws in different geographical regions
• Poor DR plan: business continuity and disaster recovery plans must be well documented and tested
Risks and Security Concerns: Technology Risks
• Integration / bandwidth: how do you integrate the in-house systems with the cloud? Is high-speed bandwidth ready?
• Encryption and identity management: speedy encryption / decryption in transit, at rest and for destruction; identity management
• Testing and monitoring: the provider may not allow you to do a thorough pen test or audit; are there good monitoring tools available?
• Resource allocation: overbooking, underbooking; handling of DoS attacks; payment cap
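The encryption bullet above ("in transit, at rest, destruction") maps to a pattern practitioners use for data at rest in a provider's storage: envelope encryption with a tenant-held key, where "destruction" is performed by destroying the key rather than by trusting the provider to wipe every copy (crypto-shredding). The Go program below is an added example written for this page, not code from the slides or from any cloud provider; it assumes the tenant keeps the key-encryption key (KEK) outside the provider (modelled here as a random byte slice, not a real HSM or KMS), wraps a fresh per-object data key under it, and uses a constructed sample record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one object as it would sit at rest in provider storage: the
// payload is encrypted under a per-object data-encryption key (DEK), and the
// DEK is stored beside it wrapped under a tenant-held key-encryption key (KEK).
type Record struct {
	WrappedDEK []byte // DEK sealed under the KEK
	Ciphertext []byte // payload sealed under the DEK
}

// NewKEK generates a 256-bit key-encryption key. In a real deployment this key
// lives in an HSM or the tenant's own KMS; here it is a random slice (assumption).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag, with a fresh random nonce per call.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt produces an at-rest record with a fresh DEK per object, so the KEK
// never touches the payload directly and can be rotated by re-wrapping DEKs.
func Encrypt(kek, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the payload.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext)
}

// Shred is the "destruction" step: overwriting the KEK makes every record
// wrapped under it unrecoverable, whatever copies the provider still holds.
func Shred(kek []byte) {
	for i := range kek {
		kek[i] = 0
	}
}

func main() {
	kek, _ := NewKEK()
	rec, _ := Encrypt(kek, []byte("constructed sample: customer record"))
	pt, err := Decrypt(kek, rec)
	fmt.Printf("before shred: %q (err=%v)\n", pt, err)
	Shred(kek)
	_, err = Decrypt(kek, rec)
	fmt.Println("after shred:", err)
}
```

The design choice worth noting for the SLA discussion: because the provider only ever stores wrapped DEKs and ciphertext, a "3rd-party access to data" incident on the provider side exposes nothing usable without the tenant's KEK, and destruction becomes a single verifiable action on the tenant's side rather than a promise about the provider's storage media.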
Questions To Ask …
• When and where to use the cloud: the business case
• SLO (and then SLA): availability, reliability, accessibility, performance and security
• Along with what best practices: people, processes, change management etc.
• Along with what technologies, services, vendors: servers, storage, network, software etc.
Bear In Mind …
Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, accountability and compliance obligations.
Find the right Cloud Services Provider: qualified, with security standards compliance
• ISO 27001, 27002, 27017, 27018, 29100
• SSAE 16, HIPAA, FedRAMP, FISMA
• PCI-DSS
Are Security Standards the answer?
Standards Development / Setting Organizations (SDO / SSO)
DMTF = Distributed Management Task Force
ENISA = European Network and Information Security Agency
ETSI = European Telecommunications Standards Institute
IEC = International Electrotechnical Commission
IEEE = Institute of Electrical and Electronics Engineers
INCITS = International Committee for Information Technology Standards
ISO = International Organization for Standardization
ITU-T = International Telecommunication Union – Telecom
NIST = National Institute of Standards and Technology
OASIS = Organization for the Advancement of Structured Information Standards
SNIA = Storage Networking Industry Association
TCG = Trusted Computing Group
Alphabet Soup
Get Help from Professionals
Companies and individuals with certifications: an objective measurement of a professional's knowledge and skills in security, governance and cloud technology.
Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals.
Take Away Messages
• Cloud is real and here to stay
• Take ownership and responsibility
• Review your current set-up and the Cloud Services Provider against guidelines
• Focus on the SLO and SLA
• Ask for expert help from service providers and professional organizations