”Security in the Cloud – Cloud Computing” (original Danish title: ”Sikkerhed i skyen – Cloud Computing”), VIDA seminar, 12 May 2011.
JENS ROED ANDERSEN, Principal Consultant
Agenda • Me, myself & I… • A helicopter view • The future is now! • What is Cloud Computing offering? • Threat Scenario 2011: FUD (Fear, Uncertainty & Doubt)? • How can we do it securely (or ”you cannot stop a tsunami”)? • A process, not a product! • Q&A
Me, Myself & I... • More than 16 years of experience working with IT • 8 years as Chief Information Security Officer, Arla Foods amba • Subject Matter Expert on security related to: cloud computing, production IT/SCADA, outsourcing and Risk Management • Member of the Council for IT Security & Privacy, chairman of the Danish IT Association (Aarhus branch) • International experience from the Information Security Forum, Cloud Security Alliance etc.
The world is changing… Are you coming (or will you be staying behind)? (Slide shows a cloud of business drivers and threats:) Diverse Business Needs; Delivering IT Services embedded with Managed Services; Communication to All; Differentiated Security; M&A, Investments, Divestments, JV; Monitorization; Regulations, requirements; Multi-Sourcing Environment; Privacy; Personal Identifiable Data Protection; Software as a Service (SaaS); End-user empowerment; Cloud Computing; New Technologies and Solutions; Virtualization; Web 2.0 attack vectors; Increased Zero-Days; SCADA attack vectors (Stuxnet); Managed Security Services; Digital Evidence; Smarter Malware; Less Investment; Evolving Threats; Data Retention; Increased Criminal organizations; Economic Downturn; De-perimeterization; Enhanced Rootkits; Targeted Attacks; Forensics; Mobile Malware; Money-driven professional criminals
Food for thought… (figure; source: Ericsson)
Some well-known facts on the paradigm shift since the 1970s (from → to):
• Mass production → Flexible production
• Closed pyramids → Open networks
• Stable routines → Continuous improvement
• Human Resources → Human Capital
• Fixed plans → Flexible strategies
• Internationalisation → Globalisation
• Three tier markets → Highly segmented markets
A helicopter view on technological development
• 1771 The Industrial Revolution (machines, factories and canals)
• 1829 Age of steam, coal, iron and railways
• 1875 Age of steel and heavy engineering (electrical, chemical, civil, naval)
• 1908 Age of automobile, oil, petrochemicals and mass production
• 1971 Age of information technology and telecommunications
• 20?? Age of biotech, nanotech, bioelectronics (and new materials?)
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
(Figure: degree of diffusion of technological potential over time, from Big Bang through a major technology bubble and its collapse to the next Big Bang; marker ”We are here” at the turning point.) Each surge is broken into two periods:
• Installation period (20-30 years): ”Creative destruction” • Battle between paradigms • Concentration of investment • Income polarisation • Led by financial capital • From irruption to bubble collapse
• Turning point: Recessions – Institutional changes – Role switch
• Deployment period (20-30 years): ”Creative construction” • Widespread application of the new paradigm for innovation and growth in the economy • Spreading of social benefits • Led by production capital • From ”golden age” to maturity
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
The future is NOW! • Web 2.0/3.0 and Social Software • Children of the cloud/Digital natives: • Mobbability (as opposed to organisation): Organisation and work in large virtual groups • Influency (as opposed to accountability): Being able to get away with anything! • Protovation (as opposed to innovation): Specific, iterative and very fast product development • Open authorship (as opposed to IPR): Open content to outsiders • High ping quotient: Ready, set, answer…
What is Cloud Computing really offering? • Economies of scale in innovation!
The drivers of Cloud Computing • Rising IT costs • Dependency and complexity still going up • CAPEX! • Supply side: economies of scale • Demand side: constant fluctuations in demand for IT • The success of the Internet • From CAPEX to OPEX Summary: Economies of scale (by a large factor)
What is Cloud Computing really? • Advantages: • Efficiency • Elasticity • Innovation • Security • Disadvantages: • Vendor lock-in • Security
What is Cloud Computing really (2)? • Infrastructure-as-a-Service (IaaS): Raw processing power! • Platform-as-a-Service (PaaS): Rent a platform! • Software-as-a-Service (SaaS): Pre-packaged software solutions delivered in the browser.
Unified Communication & Collaboration (UCC). Source: Gartner
• Communication (Traditional UC): e-mail • UM • Webconf. • IM • Presence • Directory • Telephone • Push e-mail • Call centre • Teleconference • Videoconference • Voicemail
• Collaboration (Enterprise 2.0): Wikis • Blog • Content sharing • Social software • Collaboration tools • Team workspaces
The convergence of communication and collaboration (figure: axes Collaboration / Communication and On premise / As-a-Service)
The Threat scenario • AND NOW TO SOMETHING COMPLETELY DIFFERENT • And then not….
Threat Scenario 2010/11: The drivers (Gartner Group). (Figure showing Growing Risk against BUDGET:) Stakeholders: Regulators • Customers, employees & citizens • Expectations • Consumerization. Technology / New Delivery Models: Wireless Devices • Plug&Play Storage • Web Mashups • SaaS • Cloud • CaaS • Outsourcing • Remote Access. Criminals / Cybercrime: Malware • Targeted • Bot Using • Data Stealing • Fraud • Corp Espionage • Pro Cybercriminals • Hacktivism/Terror
Summer of 2010: Stuxnet arrives… • Very advanced stuff, but nothing new from a technological point of view: • USB • 0-day • Rootkit • C&C • Etc…
What is technology related security, traditionally? • A nuisance? • A showstopper? • An add-on to projects raising the costs? An insurance….!
But why? • Complex • Regarded as tech stuff • But includes almost all of a modern company • Reveals any lack of governance or top management involvement • Time-consuming (current reporting and threat analysis) • Many business execs do not find it business-oriented… That will have to change!
Why do we need change? 2 MEGA-TRENDS: • Dependency • Complexity Conclusion: Security is not a product you can buy, it is a process you will have to master
New rules (figure: Delivery Model history against User Profile). Delivery models: Traditional LAN/WAN • Remote Access (VPN; Citrix, Terminal Services etc.) • HaaS • SaaS (Salesforce.com) • PaaS (Google App Engine, MS Azure) • IaaS (Amazon WS). User profiles: Digital natives. Security models: Fully Compliant (Unrealistic) • Problematic • Simpler Security Model (The Future?)
Summary • More of the same won’t do the job (no business case) • The ”audience” is changing • The perimeter is gradually disappearing • Platform control (i.e. computer clients) will become more difficult and expensive • Cybercrime has become big business • Poor usability = poor security • Hence the platform must be regarded as unsafe
Demand for a simpler approach • The basic rules of Confidentiality, Integrity & Availability are (of course) still the most important case • It will be too difficult and hence too expensive to protect the computer clients • The Digital Natives will not put up with policies, rules and regulations • Basically we want to protect the data • Theoretical concept developed in cooperation with the Alexandra Institute • Practical implementation possible
Ignore the perimeter! • Primarily: Protect the data • Secure code on an unsecure platform: ”If you love somebody…” • Preconditions: • Control the exceptions (Asset Management) • Harden Id-management (Authentication, usability, PW’s etc.) • Create and rely on a secure encrypted tunnel
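What ”protect the data, not the platform” looks like in code, as an added example that is not from the presentation or the Alexandra Institute concept it mentions: a record is classified (the Data classification from the Asset Management precondition) and sealed with AES-GCM before it leaves the organisation, with the classification label bound as associated data. Whatever untrusted platform then stores or relays it (a SaaS store, an unmanaged client, a cloud bucket) can neither read the payload nor silently change its label or contents; tampering is rejected on the way back. The key handling is simplified (a single in-memory key standing in for the organisation's key management), and the record type and function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is a classified data item as it exists inside the trusted boundary.
// The Classification string is assumed to come from the organisation's data classification.
type Record struct {
	Classification string // e.g. "confidential"
	Payload        []byte
}

// Sealed is the only form an untrusted platform ever gets to hold.
// The classification stays readable (so policy can be applied on it) but is
// authenticated: changing it invalidates the record just like changing the ciphertext.
type Sealed struct {
	Classification string
	Nonce          []byte
	Ciphertext     []byte // AES-GCM output, authentication tag included
}

// newAEAD builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, fmt.Errorf("bad key: %w", err)
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the payload and binds the classification label to it as
// associated data, so the label travels in the clear but cannot be altered.
func Seal(key []byte, r Record) (Sealed, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return Sealed{}, fmt.Errorf("nonce: %w", err)
	}
	ct := aead.Seal(nil, nonce, r.Payload, []byte(r.Classification))
	return Sealed{Classification: r.Classification, Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies and decrypts a sealed record. Any change to the ciphertext,
// nonce or classification label made while the record was outside the
// trusted boundary makes the authentication fail and the record is rejected.
func Open(key []byte, s Sealed) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Classification))
	if err != nil {
		return Record{}, fmt.Errorf("record rejected: payload or classification label was tampered with")
	}
	return Record{Classification: s.Classification, Payload: pt}, nil
}

func main() {
	// Constructed sample key and record; a real deployment takes the key from key management.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	rec := Record{Classification: "confidential", Payload: []byte("customer list Q2")}

	sealed, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	// Simulate an untrusted platform downgrading the label to leak the data through a weaker policy.
	downgraded := sealed
	downgraded.Classification = "public"
	if _, err := Open(key, downgraded); err != nil {
		fmt.Println("label downgrade detected:", err)
	}
	back, _ := Open(key, sealed)
	fmt.Printf("intact record: %s (%s)\n", back.Payload, back.Classification)
}
```

The design point is that the platform holding `Sealed` never needs to be trusted for confidentiality or integrity; only the key, the identity that is allowed to use it and the tunnel it travels over need protecting, which is exactly the shorter list of preconditions the slide gives.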
Slicing the elephant of security! (Three phases separated by Stage/Gate decisions, each tied to the business case)
• Phase 1: Analysis • Assets/Inventory (what) • State of inventory (how) • Risks (how much)
• Stage/Gate
• Phase 2: State of security • Business Impact • Validation & threats • Risk Appetite • Prioritisation
• Stage/Gate
• Phase 3: Selection & implementation • Choice (business case) • Selection of remediation effort • Implementation • Iterative process • Evaluation (business case)
What should I do? • Realise that CC is coming (like it or not)! • Create an innovative culture within your IT organisation and design an architecture for the future, not the past • Strengthen Governance & process-based Risk Management • Create a policy/contract ”advisory service” for LoB • Establish Data classification & Asset Management • Manage the exceptions instead of the rule • Tighten your controls using Governance, Risk & Control tools and monitor your systems and users continuously • Bring in the lawyers!
Learnings? ”What brought us here, will not get us there…” – Carl-Henric Svanberg, ex-CEO, Ericsson