”Sikkerhed i skyen – Cloud Computing” VIDA seminar 12. maj 2011 JENS ROED ANDERSEN Principal Consultant www.roedinfosec.com 07-07-2015 AGENDA • Me, myself & I… • A helicopter view • The future is now! • What is Cloud Computing offering? • Threat Scenario 2011: FUD (Fear, Uncertainty & Doubt)? • How can we do it securely (or ”you cannot stop a tsunami”)? • A process, not a product! • Q&A Me, Myself & I... • More than 16 years experience from working with IT • 8 years as Chief Information Security Oficer, Arla Foods amba • Subject Matter Expert on security related to: • Cloud computing, production IT/SCADA, outsourcing and Risk Management • Member of the counsil for IT Security & Privacy, chairman for Danish IT Association (Aarhus branch) • International experience from Information Security Forum, Cloud Security Alliance etc. The world is changing… Are you coming (or will you be staying behind)? Delivering IT Services embedded with Managed Services Monitorization Communication to All Diverse Business Needs Differentiated Security Regulations, requirements Privacy Personal Identifiable Data Protection Cloud Computing Web 2.0 attack vectors New Technologies and Solutions Managed Security Services Smarter Malware Targeted Attacks Multi-Sourcing Environment Software as a Service (SaaS) Increased Zero-Days Increased Criminal organizations M&A, Investments, Divestments, JV Digital Evidence Less Investment Evolving Threats Enhanced Rootkits Mobile Malware De-perimeterization Forensics End-user empowerment Virtualization SCADA attack vectors (Stuxnet) Data Retention Economic Downturn Money-driven professional criminals Food for thought…. Source: Ericsson Some wellknown facts on paradigm shift since the 1970s Mass production Flexible production Closed pyramids Open networks Stable routines Continous improvement Human Resources Human Capital Fixed plans Flexible strategies Internationalisation Globalisation Three tier markets Highly segmented markets A helicopter view on technological development 1771 The Industrial Revolution (machines, factories and canals) 1829 Age of steam, coal, iron and railways 1875 Age of steel and heavy engineering (electrical, chemical, civil, naval 1908 Age of automobile, oil, petrochemicals and mass production 1971 Age of information technology and telecommunications 20?? Age of biotech, nanotech, bioelectronics (and new materials?) Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex Each surge is broken into two periods Turning point ?? Installation period (20-30 years) • • • • • • ”Creative destruction” Battle between paradigmes Concentration of investment Income polarisation Led by financial capital From irruption to bubble collapse Major technology bubble ”Uptake” Big Bang Deployment period (20-30 years) ”maturity” • • • • • Collapse We are here Source: Professor Carlota Perez, Universities of Cambridge, Tallinn and Sussex ”Creative construction” Widespread application of new paradigm for innovation and growth in the economy Spreading of social benefits Led by production capital From ”golden age” to maturity Next Big Bang Time The future is NOW! • Web 2.0/3.0 and Social Software • Children of the cloud/Digital natives: – Mobbability (as opposed to organisation): Organisation and work in large virtual groups – Influency (as opposed to accountability): Being able to get away with anything! – Protovation (as opposed to innovation): Specific, iterative and very fast product development – Open authorship (as opposed to IPR): Open content to outsiders – High ping quotient: Ready, set, answer… What is Cloud Computing really offering? • Economies of scale in innovation! The drivers of Cloud Computing • • • • • Rising IT costs Dependancy and complexity still going up CAPEX! Supply side: economies of scale Demand side: constant fluctuations in demand for IT • The success of the Internet • From CAPEX to OPEX Summary: Economies of scale (at a large factor) What is Cloud Computing really? • Advantages: – – – – Efficiency Elasticity Innovation Security • Disadvantages: – Vendor lock-in – Security What is Cloud Computing really (2)? • Infrastructure-as-a-Service (IaaS): Raw processing power! • Platform-as-a-Service (PaaS): Rent a platform! • Software-as-a-Service (SaaS): Pre-packaged software solutions delivered in the browser. LARGE COMPANIES ACTING AS SMALL… …AND SMALL COMPANIES ACTING AS LARGE Unified Communication & Collaboration UCC Communication: •Telephone •Push e-mail •Call centre •Teleconference •Videoconference •Voicemail Source: Gartner Traditional UC Collaboration: •e-mail •UM •Webconf. •IM •Presence •Directory •Wikis •Blog •contentsharing •Social software •collaboration tools •Team workspaces Enterprise 2.0 The convergence of communication and collaboration Collaboration Communication On premise As-a-Service THE THREAT SCENARIO AND NOW TO SOMETHING COMPLETELY DIFFERENT And then not…. Threat Scenario 2010/11: The drivers (Gartner Group) Regulators Customers, employees & citizens Stakeholders Malware Consumerization Wireless Devices Plug&Play Storage Web Mashups SaaS Technology Growing Risk New Delivery Models Cloud SaaS Outsourcing Remote Access Targetted Bot Using Data Stealing Expectations Criminals Cybercrime BUDGET Fraud Corp Espionage Pro Cybercriminals Hactivism/Terror Summer of 2010: Stuxnet arrives… Very advanced stuff, but nothing new from a technological point of view: • USB • 0-day • Rootkit • C&C • Etc… What is technology related security, traditionally? • A nuisance? • A showstopper? • An add-on to projects raising the costs? An insurance….! But why? • Complex • Regarded as tech stuff • But includes almost all of a modern company • Reveals any lack of governance or top management involvement • Timeconsuming (current reporting and threat analysis) • Many business execs does not find it businessoriented… That will have to change! Why do we need change? 2 MEGA-TRENDS: 1. Dependency 2. Complexity Conclusion: Security is not at product you can buy, it is a process you will have to master New rules User Profile Digital natives VPN Google App Engine History Unrealistic Fully Compliant IaaS PaaS SaaS Salesforce.com HaaS Citrix, Terminal Sevices etc. The Future? Remote Access Traditional LAN/WAN Problematic Delivery Model Amazon WS MS Azure Summary • More of the same won’t do the job (no business case) • The ”audience” is changing • Perimeter is gradually disappearing • Platform control (ie. computer clients) will become more difficult and expensive • Cybercrime has become big business • Poor usability = poor security • Hence the platform must be unsafe Demand for a simpler approach • Basic rules of Confidentiality, Integrity & Availability is (of course) still the most important case • It will be too difficult and hence, too expensive to protect the computer clients • The Digital Natives will not put up with policies, rules and regulations • Basically we want to protect the data • Theoretical concept developed in cooperation with the Alexandra institute • Practical implementation possible Ignore the perimeter! Primarily: Protect the data Secure code on unsecure platform: ”If you love sombody…” Preconditions: - Control the exceptions (Asset Management) - Harden Id-management (Authetication, usability, PW’s etc.) - Create and rely on a secure encrypted tunnel Slicing the elephant of security! Phase 3: Selection & implementation •Choice (business case) Phase 1: Analysis •Assets/Inventory (what) Phase 2: State of security •Business Impact •Selection of remediation effort •Implementation •Iterative process •Validation & threats •State of inventory (how) •Evaluation (business case) •Risk Apetite •Risks (how much) •Prioritisation What should I do? • Realise that CC is coming (like it or not)! • Create an innovative culture within your IT organisation and design an architecture for the future, not the past • Strengthen Governance & process based Risk Management • Create a policy/contract ”advisory service” for LoB • Establish Dataclassification & Asset Management • Manage the exceptions instead of the rule • Tighten your controls using Governance, Risk & Control tools and monitor your systems and users continuously • Bring in the lawyers! Learnings? ”What brought us here, will not get us there…” Carl-Henric Svanberg ex-CEO, Ericsson ?