Granted: The Cloud comes with security and continuity... or, does it?
Bogac Ozgen, MSc
GyroFalco Ltd.
http://www.gyrofalco.com
Questions & Answers
Do we still need security and continuity? YES
Should I be concerned about risks? YES
Can I migrate to the Cloud? YES
Can I implement security and continuity in the Cloud? YES
The only thing you need is: to manage your environment.
Benefits of The Cloud*
- 70%: already claim to have seen cost savings and higher levels of productivity
- 27%: the Cloud enables faster entry into new markets
- 36%: the Cloud helps them manage their supply chain
*KPMG Report, February 2013: 674 senior executives at organizations using cloud across 16 countries were surveyed.
Worries in The Cloud*
- 35%: fear data loss and security breaches
- 25%: see security problems as a hurdle that is yet to be overcome
- 27%: focus on the absence of common standards used by providers
- 17%: see regulation as a challenge
*KPMG Report, February 2013: 674 senior executives at organizations using cloud across 16 countries were surveyed.
SOLUTION
- Being aware of your needs
- Planning the services you need
- Comparison of expectations and outcomes*
- Factual decision making
- Structured change management
- Contracts management
- Mutually beneficial relationship with your provider
- Run your security practices as usual
- Run your continuity practices as usual (assuming you have BCPs in place)
*The term "outcome" is used deliberately; it is not "output".
Topics for today
- Risk Management
- What is cloud?
- Details of services
- First time buyers
- Cloud consumers
- Conclusion
First step: Definitions
What is cloud computing?

Oxford Dictionary: cloud computing [mass noun] - the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

ISO/IEC WD 27017.4, definition 3.1: cloud computing - a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers and storage systems), applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction. [ISO/IEC WD 17788]
What is cloud service?
- Software as a service: software, web applications; e.g. Google Mail, Office365, Google apps, Yahoo Mail, ...
- Platform as a service: execution runtime, web servers, application platforms (e.g. OrangeScape), databases (MySQL, SQL Server, ...)
- Infrastructure as a service: virtual servers, storage, load balancers, network, DNS, ...; e.g. Amazon EC2, Rackspace, OpenStack providers
What is cloud service? Cloud deployment models
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud
What is your responsibility as a consumer?

SaaS:
- Initial setup
- Access control
- SLA and contract management, etc.

PaaS:
- Software installation
- Platform and software access control
- Updates and patch management for platform and software
- Monitoring of platform and software
- Development and improvements of platform and software
- SLA and contract management, etc.

IaaS:
- Software and infrastructure systems installation
- Platform and software access control
- Infrastructure systems access control
- Updates and patch management for platform, software and infrastructure
- Monitoring of platform, software and infrastructure
- Development and improvements of platform, software and infrastructure
- APIs and automation
- Internal software development
- Capacity management
- Network management
- SLA and contract management, etc.

Also listed in the table:
- Power, cooling, etc.
- Subscription management
- Infrastructure maintenance
- Monitoring
- SLA and contract management, etc.
One of the most important aspects of cloud services for the consumer is management of scope and boundaries, via CONTRACT MANAGEMENT.
Tips for consumers!
Tips for First-Time buyers
How to implement Cloud solutions?
Day-to-day operations
Steps, negative consequences, threats, vulnerabilities and control framework

Step 1: Analyse your existing system and design a new system
Negative consequences:
- Customer satisfaction: MIN*
- Financial: longer time to production/market, so loss of revenue or interest
- Legal: MIN*
- Operations: cost of travel time, meetings and rework
Threats:
- Incorrect analysis of the existing system, which is taken as the basis of the contract and SLAs
- Incorrect design of the new system
Vulnerabilities:
- Incorrect identification of assets and their configuration
- Incorrect identification of dependencies
- Lack of documentation
- Lack of understanding of the specifications of the existing system
- Lack of knowledge of the architecture
- Wrong expectations of the new system
- Incorrect authorization requirements
- Lack of expertise
- Lack of business analysis
- Lack of understanding of the real business impact
Control framework: ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices

Step 2: Evaluate providers and purchase the solution
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: MIN*
- Financial: re-purchasing the services
- Legal: dispute resolution with the supplier, counselling charges or court charges
- Operations: travel time, meetings and rework
Threats:
- Selection of an unsuitable supplier and service
- Incorrectly defined scope of services in the contract
- Incorrectly defined responsibilities of consumer, provider and sub-contractors
Vulnerabilities:
- Lack of knowledge of the supplier evaluation process
- Lack of measurable evaluation criteria
- Lack of objective evaluation and impartiality of the assessor
- Lack of formal service level agreements
- Lack of penalties in case of low performance
- Lack of early termination clauses
- Lack of definition of the change management process
- Lack of a formal testing environment
Control framework: ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices

Step 3: Migrate existing systems, run systems concurrently and test
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: MIN*
- Financial: re-purchasing the services
- Legal: MIN*
- Operations: travel time, meetings and rework
Threats:
- Incorrect project plans
- Incorrect release plans
- Data corruption
- Cannot roll back
Vulnerabilities:
- Insufficient planning
- Insufficient impact analysis
- Tight or unsuitable scheduling
- Lack of testing
- Small test case coverage
- No up-to-date backups
- Lack of rollback plans
- Lack of business continuity, disaster recovery and emergency response plans
Control framework: ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices

Step 4: Publish the production environment and monitor the system (baby-sitting)
Negative consequences:
- Consequences from the previous step
- Customer satisfaction: SLAs and contractual requirements cannot be met, and customer satisfaction is damaged
- Financial: penalties, loss of work or contract, delayed payments, longer time to market
- Legal: dispute resolution, court cases brought against the company, court and counselling charges
- Operations: travel time, meetings and rework
Threats:
- Incorrect reporting of the system performance
- Being unaware of incidents
- Also: threats related to information security, business continuity, operational effectiveness, customer relations, etc.
Vulnerabilities:
- Lack of a formal hand-over process between the project team and the service management team
- Lack of acceptance criteria
- Lack of performance reporting
- Lack of training for support personnel
- Lack of a formal incident management process
- Also: vulnerabilities related to the threats above (information security, business continuity, operational effectiveness, customer relations, etc.)
Control framework: ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices

Step 5: Decommission the old infrastructure
Negative consequences:
- Customer satisfaction: customer data protection requirements are breached, and customer satisfaction is damaged
- Financial: penalties, loss of work or contract
- Legal: dispute resolution, court cases brought against the company, court and counselling charges
- Operations: travel time, meetings and rework
- Environmental: harm to the natural environment
Threats:
- Unauthorized access to customer/company/personal data
- Loss of customer/company/personal data
- Contamination of the natural environment
Vulnerabilities:
- Lack of data retention processes
- Lack of a formal data and records destruction process
- Lack of a qualified supplier
- Lack of protection of data/records awaiting destruction
Control framework: ISO9001, ISO27001, ISO20000, ISO22301, COBIT, ITIL, other best practices
Tips for consumers!
What are the risks? Sample list of risk areas:
- Privacy and data protection
- Storage and data ownership
- Legal / compliance
- Change management and policy enforcement
- Risks of the service provider
- Continuity
- Open standards / services
- Systems development
- Abuse
Which controls in ISO27002? Aligned with DIS 27002 (N11907):
- 5 Security policies
- 6 Organisation of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 Systems acquisition, development and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity management
- 18 Compliance
As a summary, we need to understand:
- Scope and boundaries of the system
- Relationship between us (the consumer) and the provider (and its sub-contractors)
- Threats and vulnerabilities related to cloud computing
- Controls to mitigate risks in cloud computing
Conclusion
The Answers
Do we still need security and continuity? YES
Should I be concerned about risks? YES
Can I migrate to the Cloud? YES
Can I implement security and continuity in the Cloud? YES
The only thing you need is: to manage your environment.
SOLUTION
- Being aware of your needs
- Planning the services you need
- Comparison of expectations and outcomes*
- Factual decision making
- Structured change management
- Contracts management
- Mutually beneficial relationship with your provider
- Run your security practices as usual
- Run your continuity practices as usual (assuming you have BCPs in place)
*The term "outcome" is used deliberately; it is not "output".
Questions?
22/05/2013 2013 Bogac Ozgen - GyroFalco Ltd.
Thank you for listening
Bogac Ozgen, Consultant, Assessor & Trainer
Email: Bogac.Ozgen@GyroFalco.com
Web: http://www.gyrofalco.com