To Cloud or Not To Cloud?
Michael Yung, Immediate Past President - ISACA HK / CSA HKM
Myth #1 - Cloud is Too New
Not quite: the term was coined by Compaq executive George Favaloro back in 1996
Myth #2 - Cloud is Just a Fad
Not quite: we are talking about US$100B of public cloud spending in 2015 (Forrester Research)
Myth #3 - Cloud is Costly
Cloud Services Characteristics
On-demand self-service
Resource pooling
Rapid elasticity
Measured service
Source: AWS
Capacity - Traditional Ways (diagram, source: AWS)
Capacity - Wastage and Dissatisfaction (diagram, source: AWS)
Elastic Capacity - The Cloud Way (diagram, source: AWS)
Myth #4 - Cloud is Not Secure
Insecure? The truth is that data and systems residing in public or private clouds are as secure as you make them. Typically, cloud-based systems can be more secure than existing internal systems, but only if you do the upfront work required: the provider secures the underlying platform, while configuration, identity, data protection and monitoring of your own workloads remain your job.
Barriers
Perceived loss of control
Lack of clarity around responsibilities, liabilities and accountability
Lack of transparency / clarity in SLAs, interoperability, awareness and expertise
Cloud ... is not new, is not a fad, is more cost effective, and is secure *
To Jump or Not to Jump?
Next Step? A proper risk assessment
Risks and Security Concerns - Service and contractual risks
Vendor lock-in: few tools, procedures or standard formats are available for data and service portability
Poor SLA: the service level affects confidentiality and availability
3rd-party access to data: the need to protect intellectual property, trade secrets and personal data, and to comply with the regulations and laws of different geographical regions
Poor DR plan: business continuity and disaster recovery plans must be well documented and tested
Risks and Security Concerns - Technology risks
Integration / bandwidth: how to integrate the in-house systems with the cloud? Is high-speed bandwidth ready?
Encryption and identity management: fast encryption / decryption in transit and at rest, data destruction (on shared provider storage this means destroying the keys, not the disks), and identity management
Testing and monitoring: the provider may not allow you to do a thorough penetration test or audit; are good monitoring tools available?
Resource allocation: overbooking and underbooking; handling of DoS attacks; a payment cap, since an attacker who can drive your usage can also drive your bill
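The "destruction" item above is the one that changes most when storage is someone else's: you cannot wipe a provider's disks, so the practical approach is envelope encryption with a per-object data key wrapped under a customer-controlled key, and destruction by deleting that wrapping key (crypto-shredding). The following is an added example written for this page, not code from the presentation or from any provider; the in-memory KeyStore stands in for a customer-held KMS or HSM, and all names and the sample record are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Wrapped is what goes to the provider: the object encrypted under a random
// data-encryption key (DEK), plus that DEK wrapped under a key-encryption key
// (KEK) that never leaves the customer's KeyStore. Layout is this example's own.
type Wrapped struct {
	KeyID      string // which KEK wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// KeyStore is a stand-in for a customer-controlled KMS/HSM (assumed, not a real API).
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// CreateKEK generates a fresh 256-bit key-encryption key under the given ID.
func (ks *KeyStore) CreateKEK(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keks[id] = k
	return nil
}

// DestroyKEK is the crypto-shredding step: zero and forget the KEK. Every object
// wrapped under it is now unrecoverable without touching the provider's storage.
func (ks *KeyStore) DestroyKEK(id string) {
	if k, ok := ks.keks[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keks, id)
	}
}

// sealAEAD returns nonce || AES-256-GCM ciphertext; aad binds the key ID to the blob.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openAEAD reverses sealAEAD; any tampering with nonce, ciphertext or aad fails authentication.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt applies envelope encryption: random DEK protects the object, KEK protects the DEK.
func (ks *KeyStore) Encrypt(keyID string, plaintext []byte) (*Wrapped, error) {
	kek, ok := ks.keks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", keyID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wdek, err := sealAEAD(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Wrapped{KeyID: keyID, WrappedDEK: wdek, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the object. After DestroyKEK
// the first step fails, so the copy still sitting at the provider is dead data.
func (ks *KeyStore) Decrypt(w *Wrapped) ([]byte, error) {
	kek, ok := ks.keks[w.KeyID]
	if !ok {
		return nil, fmt.Errorf("KEK %q destroyed or unknown: object unrecoverable", w.KeyID)
	}
	dek, err := openAEAD(kek, w.WrappedDEK, []byte(w.KeyID))
	if err != nil {
		return nil, err
	}
	return openAEAD(dek, w.Ciphertext, []byte(w.KeyID))
}

func main() {
	ks := NewKeyStore()
	_ = ks.CreateKEK("tenant-a") // constructed key ID
	w, _ := ks.Encrypt("tenant-a", []byte("customer record (constructed sample)"))
	pt, err := ks.Decrypt(w)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	ks.DestroyKEK("tenant-a")
	_, err = ks.Decrypt(w)
	fmt.Println("after shred:", err)
}
```

Two practical points follow from the shape of this code. The KEK's lifecycle, not the provider's deletion API, is what your data-destruction and data-residency evidence rests on, so the KeyStore is the piece the 3rd-party-access and compliance questions above should be asked about. And because the key ID is bound into the authenticated data, a ciphertext copied under another tenant's key ID fails to open rather than silently decrypting with the wrong key.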
Questions To Ask ...
When and where to use the cloud: the business case
SLOs (and then the SLA): availability, reliability, accessibility, performance and security
Along with what best practices: people, processes, change management, etc.
Along with what technologies, services and vendors: servers, storage, network, software, etc.
Bear In Mind ...
Even though you are outsourcing some of your infrastructure to the cloud, you are not outsourcing to the vendor the risk, the accountability or the compliance obligations.
Find the right cloud services provider: qualified and compliant with recognised security standards.
Are security standards the answer?
ISO 27001, 27002, 27017, 27018, 29100; SSAE 16; HIPAA, FedRAMP, FISMA; PCI DSS
(Note that this list mixes standards, an audit attestation framework, regulations and a government authorisation programme; a provider's certificate or report covers the provider's scope, not your configuration of the service.)
Standards Development / Setting Organizations (SDO / SSO) - Alphabet Soup
DMTF = Distributed Management Task Force
ENISA = European Network and Information Security Agency
ETSI = European Telecommunications Standards Institute
IEC = International Electrotechnical Commission
IEEE = Institute of Electrical and Electronics Engineers
INCITS = International Committee for Information Technology Standards
ISO = International Organization for Standardization
ITU-T = International Telecommunication Union - Telecommunication Standardization Sector
NIST = National Institute of Standards and Technology
OASIS = Organization for the Advancement of Structured Information Standards
SNIA = Storage Networking Industry Association
TCG = Trusted Computing Group
SDO / SSO Relationships - Alphabet and Spaghetti Soup (diagram)
Any Pointers?
Do Our Homework ... Self-assessment
Get Help from Professionals
Companies and individuals with certifications: an objective measurement of a professional's knowledge and skills in security, governance and cloud technology.
Committing the effort and resources to obtain certification indicates the seriousness of prospective companies and individuals.
Take Away Messages (image credit: Ching Yiu)
Cloud is real and here to stay
Take ownership and responsibility
Review your current set-up and the cloud services provider against guidelines
Focus on the SLOs and the SLA
Ask for expert help from service providers and professional organizations
To Cloud or Not To Cloud? [email protected]
Thank You!