To Cloud or Not To Cloud ?
Michael Yung, Immediate Past President - ISACA HK / CSA HKM

Why ?

Why Not ?

Myth #1 - Cloud is Too New

Not Quite

The term was coined by Compaq executive George Favaloro back in 1996

Myth #2 - Cloud is Just a Fad

Not Quite

We are talking about US$ 100B of public cloud spending in 2015 (Forrester Research)

Myth #3 - Cloud is Costly

Cloud Services Characteristics

On-demand self-service

Resource pooling

Rapid elasticity

Measured service

Source : AWS

Capacity – Traditional Ways (figure, Source : AWS)

Capacity – Wastages and Dissatisfactions (figure, Source : AWS)

Elastic Capacity – The Cloud Ways (figure, Source : AWS)

Myth #4 - Cloud is Not Secure

Insecure ?

Truth is that data and systems residing in public or private clouds are as secure as you make them.

Typically, cloud-based systems can be more secure than existing internal systems if you do the upfront work required.

Barriers

• Perceived loss of control

• Lack of clarity around responsibilities, liabilities and accountability

• Lack of transparency / clarity in SLA / interoperability / awareness and expertise

Cloud …is not New

is not a Fad

is more Cost Effective

is Secure *

To Jump or Not to Jump ?

Next Step ? Proper Risk Assessment

Risks and Security Concerns – Service and contractual risks

Vendor Lock In – Few tools, procedures or standard formats available for data and service portability

Poor SLA – The service level affects confidentiality and availability

3rd Party access to Data – The need to protect intellectual property, trade secrets and personal data, and to comply with regulations / laws in different geographical regions

Poor DR Plan – Business continuity and disaster recovery plans must be well documented and tested

Risks and Security Concerns – Technology risks

Integration / Bandwidth – How to integrate the in-house systems with the Cloud ? Is high speed bandwidth ready ?

Encryption and Identity Mgmt – Fast encryption / decryption of data in transit and at rest, and secure destruction; identity management

Testing and Monitoring – The provider may not allow you to do a thorough pen test or audit; are there good monitoring tools available ?

Resource Allocation – Overbooking, underbooking; handling of DoS attacks; payment cap
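The capacity slides above (wasted capacity when you over-provision, dissatisfaction when you under-provision) and the resource-allocation line about DoS attacks and a payment cap describe one trade-off, so here is an added worked model of it. This is illustration code written for this page, not material from the talk or from AWS: the one-day demand curve, the DoS multiplier, the headroom rule and the price per unit-hour are all constructed assumptions chosen so the arithmetic is easy to follow.

```python
"""Fixed vs elastic provisioning against a demand curve, with and without a
spending cap. Added illustration for the capacity slides and the
'DoS attack / payment cap' concern; the demand series, the DoS multiplier and
the unit price are constructed values, not measurements from any provider."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed hourly demand for one day, in abstract capacity units
# (think "thousands of requests per second" or "instances needed").
NORMAL_DEMAND = [3, 3, 2, 2, 2, 3, 5, 8, 10, 11, 12, 12,
                 11, 10, 9, 9, 10, 12, 13, 11, 8, 6, 4, 3]

# Same day with a constructed DoS flood from 14:00 to 16:59 that
# multiplies the apparent demand seen by the autoscaler by 15.
DOS_DEMAND = [d * (15 if 14 <= hour <= 16 else 1)
              for hour, d in enumerate(NORMAL_DEMAND)]

UNIT_HOUR_COST = 1.0  # constructed price for one capacity unit for one hour


@dataclass(frozen=True)
class Outcome:
    cost: float     # what you pay for provisioned unit-hours
    waste: int      # provisioned unit-hours that sat idle ("wastage")
    shortfall: int  # demanded unit-hours you could not serve ("dissatisfaction")


def fixed(demand: Sequence[int], capacity: int) -> Outcome:
    """Traditional capacity: buy `capacity` up front and pay for it every hour."""
    waste = sum(max(capacity - d, 0) for d in demand)
    shortfall = sum(max(d - capacity, 0) for d in demand)
    return Outcome(capacity * len(demand) * UNIT_HOUR_COST, waste, shortfall)


def elastic(demand: Sequence[int], cap: Optional[int] = None,
            headroom: int = 1) -> Outcome:
    """Elastic capacity: each hour provision demand plus `headroom` units,
    never more than `cap` if one is set (the 'payment cap')."""
    cost = 0.0
    waste = shortfall = 0
    for d in demand:
        wanted = d + headroom
        provisioned = wanted if cap is None else min(wanted, cap)
        cost += provisioned * UNIT_HOUR_COST
        waste += max(provisioned - d, 0)
        shortfall += max(d - provisioned, 0)
    return Outcome(cost, waste, shortfall)


def compare(demand: Sequence[int], fixed_capacity: int, cap: int) -> dict:
    """Side-by-side outcomes for the three provisioning strategies."""
    return {
        "fixed": fixed(demand, fixed_capacity),
        "elastic_uncapped": elastic(demand),
        "elastic_capped": elastic(demand, cap=cap),
    }


if __name__ == "__main__":
    peak = max(NORMAL_DEMAND)  # size the fixed estate for the normal peak
    for label, series in (("normal day", NORMAL_DEMAND), ("DoS day", DOS_DEMAND)):
        print(label)
        for name, out in compare(series, fixed_capacity=peak, cap=20).items():
            print(f"  {name:17s} cost={out.cost:7.1f} "
                  f"waste={out.waste:4d} shortfall={out.shortfall:4d}")
```

On the normal day the elastic run serves everything for less than the fixed estate sized for peak, which is the slide's cost argument. On the DoS day the uncapped autoscaler still serves everything, including the attacker, and the bill roughly doubles; the cap brings the bill back down but converts the flood into unmet demand, so the cap is a budget control, not DoS handling. Request filtering has to sit in front of whatever drives the scaling decision.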

Questions To Ask …

When and where to use the cloud – the business case

SLO (and then SLA) – availability, reliability, accessibility, performance and security

Along with what best practices – people, processes, change management etc.

Along with what technologies, services, vendors – servers, storage, network, software etc.

Bear In Mind …

Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, the accountability and the compliance obligations.

Find the right Cloud Services Provider – qualified, with security standards compliance:

ISO 27001, 27002, 27017, 27018, 29100

SSAE 16, HIPAA, FedRAMP, FISMA, PCI-DSS

Are Security Standards the answer ?

Standards Development / Setting Organizations (SDO / SSO)

DMTF = Distributed Management Task Force

ENISA = European Network and Information Security Agency

ETSI = European Telecommunications Standards Institute

IEC = International Electrotechnical Commission

IEEE = Institute of Electrical and Electronics Engineers

INCITS = International Committee for Information Technology Standards

ISO = International Organization for Standardization

ITU-T = International Telecommunication Union – Telecom

NIST = National Institute of Standards and Technology

OASIS = Organization for the Advancement of Structured Information Standards

SNIA = Storage Networking Industry Association

TCG = Trusted Computing Group

Alphabet Soup

SDO / SSO Relationships

Alphabet and Spaghetti Soup

Any Pointers ?

Do Our Homework … Self Assessment

Get Help from Professionals

Companies and individuals with certifications

Certification is an objective measurement of a professional's knowledge and skills in security, governance and cloud technology

Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals

Take Away Messages (image credit : Ching Yiu)

Cloud is real and here to stay

Take ownership and responsibility

Review your current set-up and the Cloud Services Provider against guidelines

Focus on the SLO and SLA

Ask for expert help from service providers and professional organizations

To Cloud or Not To Cloud ?

[email protected]

Thank You !!