Document

Report
”Sikkerhed i skyen – Cloud Computing”
VIDA seminar 12. maj 2011
JENS ROED ANDERSEN
Principal Consultant
www.roedinfosec.com
07-07-2015
AGENDA
• Me, myself & I…
• A helicopter view
• The future is now!
• What is Cloud Computing offering?
• Threat Scenario 2011: FUD (Fear, Uncertainty &
Doubt)?
• How can we do it securely (or ”you cannot stop a
tsunami”)?
• A process, not a product!
• Q&A
Me, Myself & I...
•
More than 16 years experience from working with IT
•
8 years as Chief Information Security Oficer, Arla Foods amba
•
Subject Matter Expert on security related to:
•
Cloud computing, production IT/SCADA, outsourcing and Risk
Management
•
Member of the counsil for IT Security & Privacy, chairman for
Danish IT Association (Aarhus branch)
•
International experience from Information Security Forum, Cloud
Security Alliance etc.
The world is changing…
Are you coming (or will you be staying behind)?
Delivering IT Services embedded with Managed Services
Monitorization
Communication to All
Diverse Business Needs
Differentiated Security
Regulations, requirements
Privacy
Personal Identifiable Data Protection
Cloud Computing
Web 2.0 attack vectors
New Technologies and Solutions
Managed Security Services
Smarter Malware
Targeted Attacks
Multi-Sourcing Environment
Software as a Service (SaaS)
Increased Zero-Days
Increased Criminal organizations
M&A, Investments, Divestments, JV
Digital Evidence
Less Investment
Evolving Threats
Enhanced Rootkits
Mobile Malware
De-perimeterization
Forensics
End-user empowerment
Virtualization
SCADA attack vectors (Stuxnet)
Data Retention
Economic Downturn
Money-driven professional criminals
Food for thought….
Source: Ericsson
Some wellknown facts on paradigm shift since
the 1970s
Mass production
Flexible production
Closed pyramids
Open networks
Stable routines
Continous improvement
Human Resources
Human Capital
Fixed plans
Flexible strategies
Internationalisation
Globalisation
Three tier markets
Highly segmented markets
A helicopter view on technological development
1771
The Industrial Revolution (machines, factories and canals)
1829
Age of steam, coal, iron and railways
1875
Age of steel and heavy engineering (electrical, chemical, civil, naval
1908
Age of automobile, oil, petrochemicals and mass production
1971
Age of information technology and telecommunications
20??
Age of biotech, nanotech, bioelectronics (and new materials?)
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
Each surge is broken into two periods
Turning
point ??
Installation period (20-30 years)
•
•
•
•
•
•
”Creative destruction”
Battle between paradigmes
Concentration of investment
Income polarisation
Led by financial capital
From irruption to bubble
collapse
Major
technology
bubble
”Uptake”
Big Bang
Deployment period (20-30 years)
”maturity”
•
•
•
•
•
Collapse
We are here
Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex
”Creative construction”
Widespread application of new
paradigm for innovation and growth
in the economy
Spreading of social benefits
Led by production capital
From ”golden age” to maturity
Next Big Bang
Time
The future is NOW!
• Web 2.0/3.0 and Social Software
• Children of the cloud/Digital natives:
– Mobbability (as opposed to organisation): Organisation and work in large
virtual groups
– Influency (as opposed to accountability): Being able to get away with
anything!
– Protovation (as opposed to innovation): Specific, iterative and very fast
product development
– Open authorship (as opposed to IPR): Open content to outsiders
– High ping quotient: Ready, set, answer…
What is Cloud Computing really offering?
• Economies of scale in innovation!
The drivers of Cloud Computing
•
•
•
•
•
Rising IT costs
Dependancy and complexity still going up
CAPEX!
Supply side: economies of scale
Demand side: constant fluctuations in demand
for IT
• The success of the Internet
• From CAPEX to OPEX
Summary: Economies of scale (at a large factor)
What is Cloud Computing really?
• Advantages:
–
–
–
–
Efficiency
Elasticity
Innovation
Security
• Disadvantages:
– Vendor lock-in
– Security
What is Cloud Computing really (2)?
• Infrastructure-as-a-Service
(IaaS): Raw processing power!
• Platform-as-a-Service (PaaS):
Rent a platform!
• Software-as-a-Service (SaaS):
Pre-packaged software
solutions delivered in the
browser.
LARGE COMPANIES ACTING AS SMALL…
…AND SMALL COMPANIES ACTING AS LARGE
Unified Communication & Collaboration
UCC
Communication:
•Telephone
•Push e-mail
•Call centre
•Teleconference
•Videoconference
•Voicemail
Source: Gartner
Traditional UC
Collaboration:
•e-mail
•UM
•Webconf.
•IM
•Presence
•Directory
•Wikis
•Blog
•contentsharing
•Social software
•collaboration tools
•Team workspaces
Enterprise 2.0
The convergence of communication and
collaboration
Collaboration
Communication
On premise
As-a-Service
THE THREAT SCENARIO
AND NOW TO SOMETHING COMPLETELY DIFFERENT
And then not….
Threat Scenario 2010/11: The drivers
(Gartner Group)
Regulators
Customers, employees
& citizens
Stakeholders
Malware
Consumerization
Wireless Devices
Plug&Play Storage
Web Mashups
SaaS
Technology
Growing Risk
New Delivery
Models
Cloud
SaaS
Outsourcing
Remote Access
Targetted
Bot Using
Data Stealing
Expectations
Criminals
Cybercrime
BUDGET
Fraud
Corp Espionage
Pro Cybercriminals
Hactivism/Terror
Summer of 2010: Stuxnet arrives…
Very advanced stuff, but nothing new
from a technological point of view:
• USB
• 0-day
• Rootkit
• C&C
• Etc…
What is technology related security, traditionally?
• A nuisance?
• A showstopper?
• An add-on to projects raising the costs?
An insurance….!
But why?
• Complex
• Regarded as tech stuff
• But includes almost all of a modern company
• Reveals any lack of governance or top management
involvement
• Timeconsuming (current reporting and threat analysis)
• Many business execs does not find it
businessoriented…
That will have to change!
Why do we need change?
2 MEGA-TRENDS:
1. Dependency
2. Complexity
Conclusion: Security is not at product you can
buy, it is a process you will have to master
New rules
User
Profile
Digital
natives
VPN
Google App
Engine
History
Unrealistic
Fully
Compliant
IaaS
PaaS
SaaS
Salesforce.com
HaaS
Citrix, Terminal
Sevices etc.
The Future?
Remote
Access
Traditional
LAN/WAN
Problematic
Delivery
Model
Amazon WS
MS Azure
Summary
• More of the same won’t do the job (no
business case)
• The ”audience” is changing
• Perimeter is gradually disappearing
• Platform control (ie. computer clients) will
become more difficult and expensive
• Cybercrime has become big business
• Poor usability = poor security
• Hence the platform must be unsafe
Demand for a simpler approach
• Basic rules of Confidentiality, Integrity & Availability is
(of course) still the most important case
• It will be too difficult and hence, too expensive to
protect the computer clients
• The Digital Natives will not put up with policies, rules
and regulations
• Basically we want to protect the data
• Theoretical concept developed in cooperation with the
Alexandra institute
• Practical implementation possible
Ignore the perimeter!
Primarily: Protect the data
Secure code on unsecure platform: ”If you love sombody…”
Preconditions:
- Control the exceptions (Asset Management)
- Harden Id-management (Authetication, usability, PW’s etc.)
- Create and rely on a secure encrypted tunnel
Slicing the elephant of security!
Phase 3: Selection & implementation
•Choice (business case)
Phase 1: Analysis
•Assets/Inventory (what)
Phase 2: State of
security
•Business Impact
•Selection of remediation effort
•Implementation
•Iterative process
•Validation & threats
•State of inventory (how)
•Evaluation (business case)
•Risk Apetite
•Risks (how much)
•Prioritisation
What should I do?
•
Realise that CC is coming (like it or not)!
•
Create an innovative culture within your IT organisation and
design an architecture for the future, not the past
•
Strengthen Governance & process based Risk Management
•
Create a policy/contract ”advisory service” for LoB
•
Establish Dataclassification & Asset Management
•
Manage the exceptions instead of the rule
•
Tighten your controls using Governance, Risk & Control tools
and monitor your systems and users continuously
•
Bring in the lawyers!
Learnings?
”What brought us here,
will not get us there…”
Carl-Henric Svanberg
ex-CEO, Ericsson
?

similar documents