cloud perspectives - ottawa seminar - oct 6
TRANSCRIPT
Cloud Perspectives
Neil Bunn, P.Eng. - Chief Technology Officer
Theo van Wyk – Security Solution Architect Manager
October 6th, 2016
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Defining Cloud
“Cloud Computing” by the NIST Definition is:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Which really means…..
Pragmatic View of Industry Change
§ Cloud is just another delivery model, but largely predicated on:
  § Automation
  § Elasticity
  § Pay-as-you-go (public cloud)
§ Cloud creates challenges for clients in security, processes, automation, internal governance, and controls.
§ Hyperscale IaaS providers will dominate the market
§ Hybrid-Cloud (multi-provider / hybridization) required for business success and security
§ Most clients forget about:
  § SLAs & Service
  § Governance and Financial controls - lead to accidentally “breaking the bank”
  § Security
Cloud Primer
Cloud Characteristics: Broad Network Access, Automation, Flexible Costing, On-Demand Self-Service, Resource Pooling
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Deployment Models: Public Cloud, Hybrid Cloud, Private Cloud
Primary reasons for adopting cloud
Source: Cloud Security Alliance, “HOW CLOUD IS BEING USED IN THE FINANCIAL SECTOR” SURVEY REPORT – March 2015
Top Cloud Applications Adopted
Source: Cloud Security Alliance, “HOW CLOUD IS BEING USED IN THE FINANCIAL SECTOR” SURVEY REPORT – March 2015
Successful Client Outcomes
Rapid Deployment & Flexibility
Higher Return on Technology Spend
Matching CapEx/OpEx to the Budget
Lower Cost of Development
Measurable Outcomes
Our approach and strategic cloud partnerships
§ Partner with Multiple Providers (multi-cloud)
  § Amazon Web Services (AWS)
  § Microsoft Azure
  § IBM Softlayer
§ Provide consistent-feel managed services across client deployment options
  § Scalar Owned/Operated
  § Client Owned/Operated
  § HyperScale Provider
  § Traditional Hosting Provider
§ Implement automation, policy and governance consistently across deployment options
Getting Started
Assess: Perform a visibility assessment; classify applications & data for public and private approaches
Design: Design architecture & approach; design for loose-coupling, scaling & security with spend management
Deploy: Select a provider & deploy an application; manage & monitor the environment like any other infrastructure
Consulting and Advisory - Service Offerings
Scalar Consulting and Advisory services help customers plan, execute, and derive maximum value from their cloud environment. Engagements are typically project/deliverable-based, and include services such as:
• Cloud migration planning
• Cloud readiness assessments
• Workload analysis
• Architecture and design
• Deployment services
• Cloud optimization
• Training
Self-managed Cloud - Service Offerings
Self-management appeals to customers who have the ability to manage their own cloud-based environment, and for whom maintaining that level of control is preferred. Customers select Scalar as their resell partner of choice, but otherwise access and manage the cloud via the selected Cloud Provider’s portal. There are 3 distinct values to purchasing your public cloud resources through Scalar:
• Itemized billing
• Customer Billing Portal with chargeback reporting
• Scalar-led support and escalation
Scalar Managed Cloud - Service Offerings
Designed for customers who prefer to have Scalar provide management of their cloud infrastructure. Scalar provisions and manages cloud resources on the customer’s behalf along with providing access management, 24x7 monitoring and incident response, and continuous optimization. Cloud Management comes in 2 tiers:
STANDARD - Includes basic deployment and monitoring services with SLO-backed response, and is generally appropriate for non-mission critical workloads.
PREMIUM - Provides a complete monitoring and optimization suite, along with rapid, SLA-backed response suitable for production workloads and other mission-critical environments.
Today’s Security Landscape
Traditional Countermeasures are Proving Ineffective
Rapidly Changing Threat Types
Regulatory Compliance & Corporate Governance Demands are Increasing
Security Budgets are Often Insufficient
Many Organizations are Blind to Security Threats that are Already Known
Hackers are Increasingly Motivated
Why Security Breaches Continue to be Prevalent
Every technology eventually fails
Compliance programs often ignore business risk
Trying to keep hackers out is a losing battle
Cyber Incidents by Industry
Source: IBM Cyber Security Intelligence Index
Cloud Security Elements
Global Threat Intelligence & Research
Advanced Analytics
Protect Critical Assets
Robust Incident Handling
Understand Business Impact
Continuous Validation of Controls
Understand the Security Continuum
Figure (text recovered from the slide layout): three stacks, one each for IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). The lower layers of each stack are marked Service Provider Security; the layers above them are marked Your Security.
• SaaS stack (all layers shown): Facilities, Hardware, Abstraction, Core Connection & Delivery, APIs, Integration & Middleware, APIs, Applications, Data / Metadata / Content, Presentation Platform, Presentation Modality
• PaaS stack (layers shown): Facilities, Hardware, Abstraction, Core Connection & Delivery, APIs, Integration & Middleware
• IaaS stack (layers shown): Facilities, Hardware, Abstraction, Core Connection & Delivery, APIs
Unmanaged Shared Responsibility Model
Figure (text recovered from the slide layout):
Cloud Provider Responsibility
• Foundation Services: Compute, Storage, Database, Networking
• Global Infrastructure: Regions, Availability Zones, Edge Locations
Your Responsibility
• Endpoints
• Operating System & Network Configuration at Rest
• Platform & Application Management
• Customer Data
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption Provided by the Platform / Protection of Data at Rest
• Network Traffic Protection Provided by the Platform / Protection of Data in Transit
• Optional – Opaque Data OS (in transit / at rest)
• Identity & Access Management
Managed Shared Responsibility Model
Getting Started
Prepare: Perform a risk assessment; build an effective security program
Defend: Deploy security infrastructure; properly configure and continuously tune security elements
Respond: Detect & respond to incidents quickly; continuously validate the effectiveness of security controls
Steps forward….
1. Ensure effective governance, risk, and compliance processes exist
2. Audit operational & business processes
3. Manage people, roles and identities
4. Ensure proper protection of data
5. Enforce privacy policies
6. Assess security provisions for cloud applications
7. Ensure secure cloud networks and connections
8. Evaluate security of physical infrastructure and facilities
9. Manage security terms in the service agreement
10. Understand the security requirements of the exit process
Step 1 - Ensure effective Governance, Risk, and Compliance
Governance: Ensure that you have a data asset inventory and that it is classified based on its CIA protection requirements. Establish security and compliance policies & procedures.
Risk: Assess vendors, applications, processes and policies against a formalized threat-risk-assessment process.
Compliance: Identify and map regulatory and legislative requirements. FedRAMP, ITAR, FFIEC, GLBA, OSFI, PIPEDA
Step 2 - Audit operational & business processes
Assurance: Review independent auditor’s report on cloud provider’s operations. SSAE16 SOC2 Type 2, CSAE3416, ISAE3402
Certification: Beyond audit assurance reports, review current security certifications. ISO27001, ISO27018
Audit: Ensure access to the corporate audit trail.
Shared Information Gathering (SIG) Questionnaire
CSA Cloud Controls Matrix 3.0.1
Step 3 – Manage People, Roles, and Identities
Identity and Access Management: Federated Identity Management, Provisioning and delegation, Single Sign-On, and Identity & Access Audit.
Authentication: Ensure support for strong, multi-factor authentication.
Role, Entitlement and Policy Management: Ensure provider is able to describe and enforce security policies, user roles, and groups based on requirements.
Step 4 – Ensure protection of data
Encryption / Tokenization:
• Encrypted for data privacy with approved algorithms and long, random keys;
• Encrypted before it passes from the enterprise to the cloud provider;
• Should remain encrypted in transit, at rest, and in use;
• Provider should never have access to decryption keys.
Create a data asset catalog: Identify all data assets and classify them in terms of business criticality and ownership. Identify relationships between data assets.
Consider all forms of data: Unstructured vs Structured data.
Step 5 – Enforce privacy policies
PIPEDA / Security / Privacy Standards
Ensure privacy requirements within the SLA.
June 2015 - new data breach notification provisions, with the enactment of the Digital Privacy Act.
ISO / IEC 27018 standard addresses the controls required for the protection of PII.
Specific clauses around privacy of information.
Step 6 – Assess security provisions for cloud applications
IaaS: Customer has responsibility for the complete software stack including security. Focus on provider’s network, physical environment, audit, authorization, and authentication considerations.
PaaS: Customer has responsibility for application development and securing the application. Focus on audit, authorization, and authentication considerations.
SaaS: Provider is responsible for application-tier security; the controls you get are dependent upon terms in the SLA. Understand the provider’s patching schedule, controls against malware, and release cycle.
Step 7 – Ensure secure cloud networks and connections
External Network: Traffic screening; DOS protection; Intrusion Detection/Prevention; Logging and Notification
Internal Network: Client separation and protection from one another; Monitoring for intrusion attempts
Step 8 – Evaluate security of physical infrastructure and facilities
Facilities: Security controls related to facilities. Environmental, equipment, telecommunications, etc.
Continuity Plans: Continuity of service in the face of environmental threats or equipment failures.
Human Resources: Security controls on their staff. Background checks / screening, role changes, termination. Security Awareness and Training.
Step 9 – Manage security terms in the service agreement
Breach Notification: Include pertinent information with regards to notification.
Incident Response: Containment of security incidents; restoration of secure access; forensics in investigating circumstances and causes of breach.
Measuring Performance: Metrics and standards for measuring performance and effectiveness of information security should be established in the service agreement. ISO27004:2009, ISO19086, NIST 800-55 Rev.1
Step 10 – Understand the security requirements of the exit process
Exit Process: Documented exit process as part of the service agreement.
Data Destruction: Customer data is deleted from the provider’s environment at the end of the exit process.
Setting yourself up for success
Leveraging cloud providers can enable companies to be *more* secure and compliant than before, in contrast to relying on your own on-premise systems.
Spend sufficient time to ensure:
§ Information Governance Policy/Programs are defined and in place
§ Services are Policy Compliant
§ Improved Security Awareness & Action Plans documented