The Cloud Beckons, But is it Safe?
![Page 1: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/1.jpg)
The Cloud Beckons, But is it Safe?
April 2012
![Page 2: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/2.jpg)
The Cloud Beckons, But is it Safe?
#12NTCCSec
Laura Quinn, Michael Enos
![Page 3: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/3.jpg)
![Page 4: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/4.jpg)
Introductions
Laura Quinn
Executive Director
Idealware
What are you hoping to get out of this session?
Michael Enos
Chief Technology Officer,
Second Harvest Food Bank of Santa Clara and San Mateo Counties
![Page 5: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/5.jpg)
What We’ll Cover Today
• Thinking About Cloud Security
• What Does Security Mean?
• What Does it Mean for You?
• A Multi-level Security Model
• What to Look for in a Vendor
![Page 6: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/6.jpg)
What is The Cloud?
Internet or Someone Else’s Network
![Page 7: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/7.jpg)
The Lure of the Cloud
Low cost of entry
Easy remote access
No complex infrastructure
But what about security?
![Page 8: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/8.jpg)
How Do YOU Feel About Cloud Security?
![Page 9: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/9.jpg)
Why the Concern?
<Cue video>
![Page 10: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/10.jpg)
Cloud Security in the News
![Page 11: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/11.jpg)
Under Siege
To be on the Internet is to be vulnerable to attack.
If you’re on the Internet, you’re in The Cloud
![Page 12: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/12.jpg)
But We Do Lots of Things on the Internet
We shop online
We bank online
We post crazy things on Facebook
Why is the cloud different? It’s not.
![Page 13: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/13.jpg)
How Secure is Your On-Site Data?
Do any of these sound familiar?
• No one patches computers or is responsible for network security
• You haven’t really thought about passwords or permissions
• No disaster recovery plans
• Staff hasn’t had any security training
![Page 14: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/14.jpg)
Myth
“We’re a tiny nonprofit. We’re safe because no one would target us for cyber attack.”
![Page 15: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/15.jpg)
Fact
Many data security breaches are crimes of opportunity.
Organizations don’t always consider the sensitivity of their data until it’s exposed.
![Page 16: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/16.jpg)
Myth
“Our data is safer not in the cloud”
![Page 17: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/17.jpg)
A Cloud Data Center
![Page 18: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/18.jpg)
Is This Your Server Closet?
![Page 19: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/19.jpg)
What Does Security Mean?
![Page 20: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/20.jpg)
The Three Pillars of Information Security
![Page 21: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/21.jpg)
Confidentiality
Information is available only to authorized parties.
![Page 22: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/22.jpg)
Integrity
Information isn’t modified inappropriately, and you can track who made what change.
Drawing or picture of a
“Prudential”-like rock?
![Page 23: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/23.jpg)
Availability
Assurance that data is accessible when needed by authorized parties.
![Page 24: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/24.jpg)
Also: Physical Possession
Whoever has the data could, for instance, turn it over to the government
![Page 25: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/25.jpg)
How Does This Apply to the Cloud?
![Page 26: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/26.jpg)
Cloud Security
The use of the term “Cloud” is cloudy!
Three general types of clouds:
– Software-as-a-Service
– Hosted Private Cloud
– Co-located Private Cloud
All three have different security models
![Page 27: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/27.jpg)
Software as a Service
The vendor owns and manages all aspects of the environment.
For instance:
![Page 28: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/28.jpg)
Hosted Private Cloud
The vendor owns and manages the equipment only, but all software is managed by the client. The equipment is on the vendor’s network. For instance:
![Page 29: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/29.jpg)
Co-located Private Cloud
The vendor provides only the physical environment in a data center; the client maintains the hardware and the software. For instance:
![Page 30: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/30.jpg)
What Does Security Mean For You?
![Page 31: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/31.jpg)
Rules for Absolute Safety
Turn off your Internet connection.
Allow no one access to your data and systems.
But let’s be realistic…
![Page 32: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/32.jpg)
Know What You’re Protecting
What kinds of data are you storing, and how sensitive are they?
Think about its value on the open market.
![Page 33: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/33.jpg)
Red Flags
You need extremely tight security to store:
• Donors’ credit card numbers.
• Scanned images of checks.
• Donors’ bank account information.
![Page 34: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/34.jpg)
What’s Your Exposure?
Consider the impact of exposure of your confidential information, both in monetary terms and reputation.
![Page 35: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/35.jpg)
What’s The Impact of an Outage?
How much staff time could you lose from a short-term or prolonged outage?
![Page 36: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/36.jpg)
Testing Your On-Site Security
Have you recently performed a:
• Check on whether your systems have been recently patched?
• Systems penetration test?
• Employee training on security procedures?
• Backup/recovery test?
If not, you’d likely increase your security by moving to the cloud.
![Page 37: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/37.jpg)
A Multi-Level Security Model
![Page 38: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/38.jpg)
Multi-Level Security is the Ideal
Physical Security
Network Security
Transmission Security
Access Controls
Protected Data Storage
![Page 39: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/39.jpg)
Physical Security
• Guarded facilities
• Protection of your hardware and devices
• Power redundancy
• Co-location (redundant facilities)
![Page 40: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/40.jpg)
Network Security
• Intrusion prevention
• Intrusion detection
• Firewalled systems
• Network proactive anti-virus protection
![Page 41: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/41.jpg)
Transmission Security
Is data encrypted in transit?
Is the network secure?
![Page 42: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/42.jpg)
Access Controls
• Ensuring the right people have access to the right data
• Physical access to the server
• Training on appropriate passwords and security measures
![Page 43: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/43.jpg)
Data Protection
• Data encryption
• Solid backup and restore policies
• Ability to purge deleted data
• Ability to prevent government entities from getting your data with a subpoena
![Page 44: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/44.jpg)
What to Look For in a Vendor
![Page 45: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/45.jpg)
Description of Security Mechanisms
Documentation of all the facets of security, and the staff can talk about it intelligently.
Proves information security is on the “front burner”
![Page 46: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/46.jpg)
Uptime
Your connection to the internet may well be the weakest link.
Do they provide any guarantee of uptime? Any historic uptime figures?
Uptime figures are typically expressed in 9s: 99%, 99.9% or 99.99%
![Page 47: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/47.jpg)
Regulatory Compliance: HIPAA
Does the vendor support organizations that need to be compliant with HIPAA (the Health Insurance Portability and Accountability Act)?
![Page 48: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/48.jpg)
Regulatory Compliance: SAS70 and SSAE16
Audit for security standards, hardware, and processes.
Statement on Accounting Standards 70 (SAS70)
Statement of Standards for Attestation Engagements 16 (SSAE16)
![Page 49: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/49.jpg)
Regulatory Compliance: PCI DSS Compliance
If you’re storing credit card numbers, your vendor needs to be compliant with PCI DSS (Payment Card Industry Payment Data Security Standard)
![Page 50: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/50.jpg)
In Summary
![Page 51: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/51.jpg)
Understand the Value of Your Data
What is it worth to you?
To others?
What measures are appropriate to protect it?
![Page 52: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/52.jpg)
Your Data Is No Safer Than You Make It
Any computer attached to the internet is vulnerable unless you protect it.
The cloud isn’t, in and of itself, more or less secure
![Page 53: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/53.jpg)
But Many Vendors Make Your Data Really Safe
Choose vendors who show they’re serious about data protection (not all vendors are created equal).
Consider a vendor’s regulatory compliance.
![Page 54: The Cloud Beckons, But is it Safe?](https://reader034.vdocuments.site/reader034/viewer/2022052621/55858d42d8b42ae41d8b538e/html5/thumbnails/54.jpg)
Questions?