Securing the Cloud: Masterclass 1
Lee Newcombe, Infrastructure Services, April 2013
Agenda:
• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks
• And Benefits?
Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”
Essential Characteristics of Cloud Computing
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity; and
• Measured service.
Software as a Service
Platform as a Service
Infrastructure as a Service
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface…
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider…
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…
The Jericho Forum® Cloud Model offers an alternative way of representing deployment models.
Are you currently using cloud-based services within your organisation?
Are you currently using cloud-based services for production?
Combination of the above?
How many of you have tried the cloud but reverted to a more traditional approach?
However… Judge Susan Illston of the US District Court in San Francisco found that the “gag order” provision of the NSL law violates the First Amendment protections on freedom of speech.
$25 for each account reissued
$5 for each account monitored but not reissued
Severity of fine will depend upon Acquirer / Merchant progress, co-operation, number of accounts at risk, and what sensitive data has been stored (e.g. CSC, Track 2 data).
Failure by Acquirer to comply with ‘Acquirer Responsibilities’ defined in the Rules can incur a further $25k per day until compliant. The assessments for Wrongful Disclosure and Failure to Secure Data are up to USD 100,000 per violation. The assessments for Retention of Prohibited Data (mag stripe, CVC 2) are up to USD 100,000 per violation.
“A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.
… Visa is not the only card company to go after Genesco and its banks. MasterCard did as well. The two companies combined imposed $15.6 million in fines and assessments, but Genesco has so far only sued Visa.”
“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”
Adapted from: ISO/IEC 42010:2007
Delivery responsibility for the security services shifts from the consumer to the provider as you move from IaaS to SaaS.
The interfaces between consumer and provider present a risk of gaps in capability, and of poor, missing or misdirected communication between provider and consumer.
Getting ready for cloud adoption
Architecting for cloud services
Security in practice: operating in the cloud