Feeling safe in the cloud


Presentation Transcript


  1. Feeling safe in the cloud • Pete Hickey, Université d’Ottawa

  2. Everybody talks about clouds

  3. Not all are happy

  4. History of confusion • 1967 The Saskatoon Connection

  5. Joni Mitchell, 1967 • I’ve looked at clouds from both sides now / From up and down / And still somehow / It’s cloud illusions I recall / I really don’t know clouds at all

  6. Clouds • Some people think that moving student e-mail to Google/Microsoft is moving to the cloud. • It is much more than that.

  7. Jean-Philippe’s mountain cloud

  8. Jean-Philippe’s mountain cloud

  9. Jean-Philippe’s mountain cloud

  10. Jean-Philippe’s mountain cloud • Not everyone has the same idea • Can’t see what is there.

  11. What goes around comes around • Early days, mainframes. • Move to PCs and distributed processing • At one time we had 37 Novell servers on campus • Move to centralize • Economics: economy of scale • Manageability • Move to the cloud is the same thing on a larger scale.

  12. It will come • Just because something is not a good fit does not stop us. • Look at the Internet • Not designed for how we use it • We change in spite of the issues.

  13. Clouds are attractive! • Somebody Else’s Problem (SEP) is a condition where individuals/populations of individuals choose to decentralize themselves from an issue that may be in critical need of recognition • Everyone offering cloud services • Whatever you want, you can get it. • You can even get things you don’t want.

  14. Clouds are attractive! • Can provide something you don’t have the resources for • Broad network access • Available from anywhere • Accessible from any platform • Can be provided FAST! • Rapid elasticity.

  15. Clouds are attractive! • Reduce or eliminate need for YOUR tech support. Get rid of your skilled geeks • Trust the company to provide the service.

  16. Trust me!!!!!

  17. New skillsets required! • Contract negotiation more important! • You must have a thorough understanding of your process/system • You must have a thorough understanding of their system • You must ensure everything is clear in the contract.

  18. Replace your geeks with lawyers!

  19. Planning is essential • When providing something in-house, you can react to changes and unrealized needs. • In theory, a project is well planned in advance. • In reality, not always true. “Let’s get it going, then fix it after.”

  20. The Unknown • As we know, / There are known knowns. / There are things we know we know. / We also know / There are known unknowns. / That is to say / We know there are some things / We do not know. / But there are also unknown unknowns, / The ones we don't know / We don't know. • Feb. 12, 2002, US Department of Defense news briefing

  21. Trust the company • Everyone is getting into the cloud. • Do you have confidence in the company’s ability to deliver the product? • Or are they just getting the product out the door?

  22. Areas of trust to consider • The ability of the company to provide what you want • The integrity of the employees of that company.

  23. Trust People • In general, people are trustworthy. • Trust should make you think of this:

  24. Trust

  25. Trust • Statistics tell us that the larger the population, the greater the number at the end of the bell curve. • As we increase the size of the population we trust, the probability of an untrustworthy individual increases.

  26. Trust • Dataloss.org states that data loss is from • 22% inside accidental • 10% inside malicious. • Malicious insider is HIGH RISK • Due to their access to sensitive data. • You have more insiders

  27. Trust • In the past, we would trust our staff because we knew them. • The cloud brings a new style of trust.

  28. Trust by Contract!

  29. Trust • You can’t trust a population you don’t know. • Get it in the contract! • Job for the future “Cloud Contracting Engineer.”

  30. Kinds of clouds • IAAS: Infrastructure as a Service, e.g. Amazon’s EC2 • Hardware provided for you • Quick to create new machines • Attractive for seasonal growth and un-growth. • Attractive if space is expensive • OS and hardware maintained for you.

  31. Kinds of clouds • PAAS: Platform as a Service. • The OS and middleware are there for you • Develop custom applications without worrying about the rest.

  32. Kinds of clouds • SAAS: Software as a Service, e.g. GoogleDocs, email • Very rapid deployment. • No maintenance/upgrades/patching. • Just about everything imaginable is out there

  33. Kinds of clouds • SAAS • PAAS • IAAS • The lower: security responsibility is yours • The higher: security responsibility is theirs.

  34. Things to think about • Your neighbors • Breaches • Your data/processes • Authentication • Authorisation • Monitoring • Auditing • E-discovery

  35. Things to think about • Physical Security • DNS issues • Laws, regulations • Risk evaluation • Business continuity

  36. Welcome to my Neighborhood!

  37. Your Neighbors

  38. Your Neighbors • In house, would you run your business systems on the same VMWare cluster which has open student shell access? • Why? Why not? • Defense in depth?

  39. Your Neighbors • Do you know your neighbors? • Do you care? • Do you know how you are kept separate from them? • The first recognizable group to use IAAS were the spammers. • Your neighbors may not be your friends

  40. Breaches and attacks • All the OWASP things still hold • Other concerns as well

  41. Breaches and attacks

  42. Breaches and attacks • What if your neighbor is breached? • Will you be notified? • What if the cloud infrastructure is breached? • Will you be notified? • What about an attack from a neighbor? • What does a vulnerability in VMWare mean?

  43. Collateral Damage

  44. What if your neighbor is DoS attractive?

  45. What if your neighbor is hacking attractive?

  46. Collateral damage?

  47. Know your data well!

  48. Know your data? • Understand what it is, and any regulations/laws • Know how it may change • Relatively easy with a database • More difficult with something like GoogleDocs. • Similar for processes • People have a way of using things in a way which was never intended.

  49. New exposure risks • To the world • Cloud employees • Other cloud customers. • Data or process changed • Lack of access for a period of time
