Cloudy with a Chance of Security – Addressing Security and Privacy Risk at Scale in Cloud-based Delivery Systems

From Anita Borg Institute Wiki


Panelists

Kore Koubourlis (Microsoft)

Gerlinde Zibulski (SAP AG)

Linda Bernardi (StraTerra Partners LLC)

Alyssa Henry (Amazon Simple Storage Service)

Abstract

Cloud-based applications and Software as a Service present unique security, privacy and compliance concerns. Hear about top risks facing users of online services; areas users should evaluate when entrusting data to a service provider; the latest technologies that address these risks; and a risk management framework that delivers controls at scale, across global requirements and multiple service lines. Cloud applications have indeed a fair chance for IT security!

Blog Link

Ritu Arora: http://ghcbloggers.blogspot.com/2010/10/cloudy-with-chance-of-security.html

Valerie Fenwick's Blog: http://bubbva.blogspot.com/2010/09/ghc10-cloudy-with-chance-of-security.html

Notes

Cloud computing is extremely useful because it means developers don't need to reinvent the wheel, so they can get up and running faster. Cloud also avoids capital expenditure and the long lead times of equipment provisioning, and offers a pay-as-you-go model. This is a huge advantage for startups and for other companies in fields where iterating and getting to market quickly is the goal. The rise of virtualization lets you make the most of existing hardware and represents an evolution of computing.

Clouds come in several different varieties:

Public - Open to anyone

Private - a cloud for a really security-aware company, run on its own in-house network.

Community - a cloud for sharing information with a common group of people.

Cloud means reaching the data anytime, from anywhere. It improves speed to market and changes the consumption of resources. One of the big issues in moving an existing business to the cloud is giving up control. You have to forge a strong trust relationship with your partner. The company and the customer share responsibility for the cloud. The company must make security options flexible and available for the user. The customer must make sure she/he knows their options and takes full advantage of them. This is on them!

Some people worry that pushing their apps to the cloud is a security issue, but it's actually safer in several ways, because the cloud computing companies are extremely focused on your security while you have more important things on your mind, like your business! They have the time to keep your penetration testing current, for example.

You really have to work to customize the security options to your business. Take an option like encrypting your data on the client before it even hits the provider's server: it may be a great solution, since the provider then only ever holds ciphertext, or (if you need to process that data in situ, on the provider's side) it could be a big headache and represent a huge integration change to your operations. Another option is leveraging SSL for identity management in the cloud model.
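As an added illustration of the "encrypt before it hits the server" option (this is example code written for these notes, not anything shown by the panelists or shipped by any of the vendors mentioned): the client seals each object with AES-256-GCM under a key that never leaves the customer, and the object store, a constructed in-memory stand-in for a cloud storage service, receives only the nonce plus ciphertext. The object name is bound in as additional authenticated data, so a blob copied to another name or altered in storage fails to decrypt. The `demoKey` value is a fixed constructed key for the demonstration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// objectStore is a constructed stand-in for a cloud object service.
// It only ever sees what the client hands it; the key stays with the client.
type objectStore struct {
	blobs map[string][]byte
}

func newObjectStore() *objectStore { return &objectStore{blobs: map[string][]byte{}} }

func (s *objectStore) Put(name string, data []byte) { s.blobs[name] = append([]byte(nil), data...) }

func (s *objectStore) Get(name string) ([]byte, bool) { b, ok := s.blobs[name]; return b, ok }

// providerCanSee models the "process in situ" limitation: a provider-side
// search over the stored bytes finds nothing once the data is encrypted.
func providerCanSee(s *objectStore, name string, needle []byte) bool {
	blob, ok := s.Get(name)
	return ok && bytes.Contains(blob, needle)
}

// client encrypts on the customer's side before anything is uploaded.
type client struct {
	aead  cipher.AEAD
	store *objectStore
}

func newClient(key []byte, store *objectStore) (*client, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &client{aead: aead, store: store}, nil
}

// PutEncrypted seals plaintext with a fresh random nonce and uploads
// nonce||ciphertext. The object name is the additional authenticated data,
// so the ciphertext is tied to the name it was stored under.
func (c *client) PutEncrypted(name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(name))
	c.store.Put(name, append(nonce, ct...))
	return nil
}

// GetDecrypted downloads and opens the blob; any tampering, or a blob that
// was moved to a different name, makes Open return an error.
func (c *client) GetDecrypted(name string) ([]byte, error) {
	blob, ok := c.store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// demoKey is a constructed, fixed key for this example only; a real
// deployment generates and protects the key in the customer's own KMS.
func demoKey() []byte { return bytes.Repeat([]byte{0x42}, 32) }

func main() {
	store := newObjectStore()
	c, err := newClient(demoKey(), store)
	if err != nil {
		panic(err)
	}
	record := []byte("customer record: account 12345") // constructed sample data
	if err := c.PutEncrypted("records/1", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can search for 'account':", providerCanSee(store, "records/1", []byte("account")))
	got, err := c.GetDecrypted("records/1")
	fmt.Printf("client decrypts: %q (err=%v)\n", got, err)
}
```

The design point the panel's caveat turns on is visible in `providerCanSee`: once the customer encrypts client-side, any feature that needs the provider to read, index or transform the data in place stops working unless the customer reshapes the workflow to do that processing before upload or after download.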

Whether you're in or out of the cloud, compliance is a huge issue that shouldn't be neglected just because the model is new. When something happens outside of the security processes or compliance regulations, it can have a huge impact. However, if you choose the right vendor, moving to the cloud can increase your visibility into what is going on. The reporting metrics are often built right in, and you can get a level of detail that you would otherwise have to build into an independently run data center. When you increase the visibility of this kind of usage, you can make more rational decisions, such as how many programs you are maintaining and/or upgrading. Your monitoring should also be rooted in business process, and may take some time to develop.

If you are a business looking to push an app onto the cloud, make sure you ask as many detailed questions as you need to know that you are trusting your data to the right company. Ask about the patch management. If the cloud fails, how fast will the company have your data back up? What is the procedure for a data breach? How often are security patches implemented? The company should have a clear stance on moral responsibility, down to a legal document. Also, avoid any cloud company that won't have this discussion with you. It is a very necessary transparency between the company and the client. Wherever possible, get this kind of thing built into the contract.

Tidbits from the Question and Answer

Q: How can you be more introspective and see the blind spots that might come back to haunt you when setting up on the cloud?

A: Look at vulnerability tools, like Veracode, Fortify, etc. Also look at the vulnerability on the physical side, such as access procedures.

Cloud for many people may be more expensive, but it's not just about decreasing the bottom line, but about increasing the top line. If you can increase the top line and keep the bottom line the same, you don't save money, but you MAKE more money, which is a winning proposition, especially for a small business.

Blog Entries

Ritu Arora on GHC Bloggers: Cloudy with a Chance of Security – Addressing Security and Privacy Risk at Scale in Cloud-based Delivery Systems
