Driving Cloud Governance and Avoiding Cloud Chaos
Key Takeaways
What is Cloud Chaos?
Why Do You Need Cloud Governance?
Intro: Timothy P. McAliley, timothy.mcaliley@microsoft.com
Microsoft Premier Field Engineer, SQL Server, Washington, DC
CISA, CISM, CISSP, ITIL V3, MCSA, MCSE, MCITP, MCTS, MCT, PMP
Agenda
Cloud Primer
What are the Challenges?
What are the Risks?
Practices to Mitigate Risk
Resources
Cloud Primer
Cloud Primer
Spot Quiz: What document provides key recommendations for defining cloud computing?
Answer: NIST Special Publication 800-145, The NIST Definition of Cloud Computing
Cloud Primer
What Is In The NIST SP 800-145, Definition of Cloud Computing?
Essential Characteristics:
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Cloud Primer
What Is In The NIST SP 800-145, Definition of Cloud Computing?
Service Models:
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Cloud Primer
What Is In The NIST SP 800-145, Definition of Cloud Computing?
Deployment Models:
Private Cloud
Community Cloud
Public Cloud
Hybrid Cloud
What Is Microsoft Azure?
What Are The Challenges?
What Are The Challenges?
Forrester estimates that for every cloud initiative tracked centrally by IT shops today, there are three to six initiatives that are not tracked. Flexibility, or pay-as-you-go, enables a business unit to increase capacity or request additional services with a simple call. But there is a downside: this flexibility could also result in the bypassing of expense authorization, change control processes, information protection controls and other oversight processes.
Source: Staten, James, "What are Enterprises Really Doing in the Cloud?", The Forrester Blog, 25 October 2011, http://blogs.forrester.com/james_staten/11-10-25-what_are_enterprises_really_doing_in_the_cloud
What Are The Challenges?
Challenges presented by the Essential Characteristics of Cloud Computing:
On-demand self-service (users/organizations can spin up resources)
Broad network access
Resource pooling
Rapid elasticity
Measured service (cost control)
What Are The Challenges?
Challenges presented by Cloud Computing Service Models:
SaaS
PaaS
IaaS (virtual servers, storage, network interfaces, data transfers)
What Are The Challenges?
Challenges presented by Cloud Computing Deployment Models:
Private Cloud (usually owned by an organization)
Community Cloud
Public Cloud (IaaS: virtual servers, storage, network interfaces, data transfers)
Hybrid Cloud (data egress/transfers)
What Are The Challenges?
Controlling resources, services and data
Users can self-provision resources; they are no longer required to interact with storage, network, server admins, IA, etc.
Cost overruns for overutilization of cloud resources
Organizational Awareness
Individual Awareness
Resource Sprawl / Cloud Sprawl
Cloud Service Provider (CSP) Accountability/Response
Rate/Pace of Change, Change Tracking
What Are The Risks?
What Are The Risks?
Organizational Risks
Individual Risks
What Are The Risks?
Organizational Risks:
Failure to properly plan and assess
Cloud Sprawl / Service Mapping
Data Loss / Data Exposure
Lack of insight/alerting on competing architectures/services
Individuals' ability to quickly provision resources
Work/Culture/Skill Sets
What Are The Risks?
Individual Risks:
Rogue / Competing Architecture
Theft of Data
Duplication of proprietary systems/configurations
Cost
Lack of Accountability
Practices to Mitigate Risk
Practices to Mitigate Risk
Organizational Risk:
Organizational Readiness Assessment (Do you need to go into the cloud?)
Assess/Adopt a Compliance/Risk Assessment Framework
  Cloud Security Alliance
  Cloud Service Provider Compliance Guidance
Have clear policies for individual and group resource provisioning
Have charge-back/consumption metering in place
  Tiered resource access for metering/throttling
  Group/Individual Resource throttling
Compliance Requirements
  Example for Public Sector: Federal Risk and Authorization Management Program (FedRAMP)
Practices to Mitigate Risk
Organizational Risk:
Clear Service Level Agreements (SLAs) with CSPs
Review the CSP Compliance Center
  Data ownership and data protection
  Services ownership
  Access ownership
  Response time
  Monitoring level
Is there a broad organizational regulation/accreditation (e.g., FedRAMP)?
Practices to Mitigate Risk
Individual Risk (this is a tough one, no clear answer):
Clear policies and restrictions in place
Non-Disclosure/Non-Compete Agreements
User education and awareness
Consumption Limits/Monitoring (only effective if the user is leveraging organizational resources)
Practices to Mitigate Risk
Leverage Automation for Provisioning Resources, Change Tracking, Monitoring
Have Clear, Top-Down RACI assignments (responsible, accountable, consulted, informed)
Tools for Assessing Cloud-based Risk/Governance Establishment:
FedRAMP: "The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services"
Cloud Security Alliance:
  Consensus Assessments Initiative Questionnaire v3.0.1
  Cloud Controls Matrix v3.0.1
Practices to Mitigate Risk
Ask the Right Questions
ISACA, Cloud Governance: Questions Boards of Directors Need to Ask
Do management teams have a plan for cloud computing? Have they weighed value and opportunity costs?
How do current cloud plans support the enterprise's mission?
Have executive teams systematically evaluated organizational readiness?
Have management teams considered what existing investments might be lost in their cloud planning?
Do management teams have strategies to measure and track the value of cloud return vs. risk?
http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/cloud-governance-questions-boards-of-directors-need-to-ask.aspx
Resources
Resources
NIST Special Publication 800-145, The NIST Definition of Cloud Computing: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
ISACA Cloud Computing Knowledge: http://www.isaca.org/groups/professional-english/cloud-computing/pages/overview.aspx
CSA: https://cloudsecurityalliance.org
FedRAMP: http://www.fedramp.gov
Resources
Microsoft Azure Compliance Portal: http://azure.microsoft.com/en-us/support/trust-center/compliance/
Amazon Web Services Compliance Portal: http://aws.amazon.com/compliance/
IBM Compliance: http://www.ibm.com/cloud-computing/us/en/security.html
Summary
Cloud Primer
What are the Challenges?
What are the Risks?
Practices to Mitigate Risk
Resources
Thank You!!
Make sure to check out the Special Seminar on SQL Server Security, April 14-15, GMU Arlington Campus: http://www.isaca-washdc.org/