Download - Collaborative Contingency in the Cloud
Collaborative Contingency in the Cloud
Glen Roberts, CISSP
About the Presenter
* Glen Roberts, CISSP * IT Infrastructure Manager at UFCU * President at Cloud Security Alliance, Austin Chapter
* Cloud Computing Overview * Cloud Benefits and Risks * Myths and Reality of the Cloud * Community Clouds * What a CUSO Model Offers * CUSO Model Benefits * Case Study: 2nd Node * Foundational Issues * Abbreviated Risk Framework * Addressing Common Security Concerns
Agenda
Cloud Computing Definition
A model for enabling ubiquitous, convenient, on-‐demand network access to a shared pool of configurable computing resources (NIST: September, 2011)
Cloud Computing Model
!
What are some of the benefits cloud computing can offer credit unions?
Interactive Slide
1. Faster implementation, ready to use, automation 2. Access anywhere, on any device 3. Reduced cost, pay for use 4. Scalability, right-‐sized, flex up and down 5. Collective benefits, GRC alignment, new functionality 6. Improved productivity, shift focus to further innovate 7. Integrated security and patching 8. Leverage vendor expertise, economy of scale 9. High performance, reliability, uptime 10. Environment-‐friendly, computing efficiency
Top 10 Cloud Benefits
What risks might cloud computing expose a credit union to?
Interactive Slide
1. Data loss, alteration, disclosure 2. Unable to prove security of provider or solution 3. Provider insider threat, insecure APIs, hypervisor flaws 4. Multi-‐tenancy trust issues 5. Account hijacking 6. Regulatory problems, lack of forensics support 7. Blurred responsibilities 8. Internet/external network dependency 9. Poor support, scalability issues 10. Complexity, hidden costs
Top 10 Cloud Risks
* The cloud is just a fad * The cloud is less secure * The cloud is not compliant * Moving to the cloud is too challenging * Moving to the cloud is too costly
Myths and Reality of the Cloud
* Shared by several organizations * Supports a community with common interests * Business purpose * Standardization * GRC requirements: GLBA, NCUA
* Many of the benefits of public cloud with less risk * Better cost savings than private cloud or traditional infrastructure
Community Clouds
* Trust * Transparency * Dependable SLAs * Clear roles & responsibilities * Shared improvements * Data sharing
What a CUSO Model Offers
* Do more with less * Reduce maintenance & operations costs * Sharing of assets * Share the expense of implementations * Free up staff to innovate for members
CUSO Model Benefits
* Cloud service brokerage * Cooperatively select vendors * Improved bargaining power as a collective * Shared cost of vendor solutions * Leverage shared integration with vendors
More CUSO Model Benefits
Case Study: 2nd Node
* Formed by UFCU and AFCU in 2009 * CUSO * Second data center * Business Continuity/Disaster Recovery
2nd Node: Facility
* Facility * SAS 70 Type II Facility * Working on SSAE 16 Type II * Generator, UPS, HVAC * Environmental security
2nd Node: Infrastructure
* Utility pricing per cabinet: * Telecom * Internet connectivity – 100 mbps
* SAN * Separate LUNS, partitions * EqualLogic, Compellent
* IDS/IPS * Individual consoles/customer * 2nd Node as the oracle
2nd Node: Cloud Services
* Private clouds * SAN replication * System backups * Silver Peak network concentrators * Hosted failover (Symitar)
Foundational Issues
* Many have tried and failed * Control issues vs. cooperation * Visibility of operations * Differing visions * Undefined SLAs * Security concerns
* Security * Not necessarily more or less secure * Enormous potential to be more secure * Collaborate to implement controls * Standards gaps * Traditional standards still apply * NIST and CSA are helping accelerate catch-‐up
Addressing Common Security Concerns
* What data needs to be protected? * Common options: * Encryption of data * Tokenization * Sanitization, anonymization * Object security * Hashing
Data Protection
* Identify potential assets to be moved to a community cloud * Infrastructure * Data * Applications * Functions/Processes
Abbreviated Risk Framework: Identify Assets
* Assess DAD risks of moving assets to community cloud * What is the impact if the provider accesses the asset or if data goes public? * What is the impact if processes are manipulated or fail to function?
Abbreviated Risk Framework: Community Cloud Risks
* Location * Identification of other tenants * Degree of control * Who manages assets and how * Security and compliance controls
Abbreviated Risk Framework: Community Cloud Requirements
* Providers * Partners * Solutions
Abbreviated Risk Framework: Community Cloud Evaluation
Thanks!
Glen Roberts [email protected] (512) 966-‐3425