Cloud Perspectives - Ottawa Seminar - Oct 6

Cloud Perspectives
Neil Bunn, P.Eng. - Chief Technology Officer
Theo van Wyk - Security Solution Architect Manager
October 6th, 2016

© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

Defining Cloud

“Cloud Computing” by the NIST definition is:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Which really means...


Pragmatic View of Industry Change

§ Cloud is just another delivery model, but largely predicated on:
  § Automation
  § Elasticity
  § Pay-as-you-go (public cloud)
§ Cloud creates challenges for clients in security, processes, automation, internal governance, and controls.
§ Hyperscale IaaS providers will dominate the market
§ Hybrid-Cloud (multi-provider / hybridization) required for business success and security
§ Most clients forget about:
  § SLAs & Service
  § Governance and Financial controls - lead to accidentally “breaking the bank”
  § Security


Cloud Primer

Cloud Characteristics: Broad Network Access, Automation, Flexible Costing, On-Demand Self-Service, Resource Pooling

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Deployment Models: Public Cloud, Hybrid Cloud, Private Cloud


Primary reasons for adopting cloud

Source: Cloud Security Alliance, “HOW CLOUD IS BEING USED IN THE FINANCIAL SECTOR” SURVEY REPORT – March 2015


Top Cloud Applications Adopted

Source: Cloud Security Alliance, “HOW CLOUD IS BEING USED IN THE FINANCIAL SECTOR” SURVEY REPORT – March 2015


Successful Client Outcomes

Rapid Deployment & Flexibility

Higher Return on Technology Spend

Matching CapEx/OpEx to the Budget

Lower Cost of Development

Measurable Outcomes

“Multi-Cloud Platform approach... not all workloads are the same... and not all clouds are the same!”

STRATEGIC PARTNERS


Our approach and strategic cloud partnerships

§ Partner with Multiple Providers (multi-cloud)
  § Amazon Web Services (AWS)
  § Microsoft Azure
  § IBM Softlayer
§ Provide consistent-feel managed services across client deployment options
  § Scalar Owned/Operated
  § Client Owned/Operated
  § HyperScale Provider
  § Traditional Hosting Provider
§ Implement automation, policy and governance consistent across deployment options


Getting Started

Assess: Perform a visibility assessment. Classify applications & data for public and private approaches.

Design: Design architecture & approach. Design for loose-coupling, scaling & security with spend management.

Deploy: Select a provider & deploy an application. Manage & monitor the environment like any other infrastructure.

Scalar Cloud Offerings

1. Consulting & Advisory
2. Self-Managed Cloud
3. Managed Cloud

1. CONSULTING AND ADVISORY: READINESS, GOVERNANCE, DESIGN, TRANSFORMATION


Consulting and Advisory -­ Service Offerings

Scalar Consulting and Advisory services help customers plan, execute, and derive maximum value from their cloud environment. Engagements are typically project/deliverable-­based, and include services such as:

• Cloud migration planning
• Cloud readiness assessments
• Workload analysis
• Architecture and design
• Deployment services
• Cloud optimization
• Training

2. SELF-MANAGED CLOUD: BILLING, SUPPORT, CONTROL


Self-managed Cloud - Service Offerings

Self-management appeals to customers who have the ability to manage their own cloud-based environment, and for whom maintaining that level of control is preferred. Customers select Scalar as their resell partner of choice, but otherwise access and manage the cloud via the selected Cloud Provider’s portal. There are 3 distinct values to purchasing your public cloud resources through Scalar:

• Itemized billing
• Customer Billing Portal with chargeback reporting
• Scalar-led support and escalation

3. MANAGED CLOUD: MIGRATE, SECURE, MANAGE, OPTIMIZE


Scalar Managed Cloud - Service Offerings

Designed for customers who prefer to have Scalar provide management of their cloud infrastructure. Scalar provisions and manages cloud resources on the customer’s behalf along with providing access management, 24x7 monitoring and incident response, and continuous optimization. Cloud Management comes in 2 tiers:

STANDARD - Includes basic deployment and monitoring services with SLO-backed response, and is generally appropriate for non-mission critical workloads.

PREMIUM - Provides a complete monitoring and optimization suite, along with rapid, SLA-backed response suitable for production workloads and other mission-critical environments.


Today’s Security Landscape

Traditional Countermeasures are Proving Ineffective

Rapidly Changing Threat Types

Regulatory Compliance & Corporate Governance Demands are Increasing

Security Budgets are Often Insufficient

Many Organizations are Blind to Security Threats that are Already Known

Hackers are Increasingly Motivated


CLOUD & SECURITY


Why Security Breaches Continue to be Prevalent

Every technology eventually fails

Compliance programs often ignore business risk

Trying to keep hackers out is a losing battle


Cyber Incidents by Industry

Source: IBM Cyber Security Intelligence Index


Cloud Security Elements

Global Threat Intelligence & Research

Advanced Analytics

Protect Critical Assets

Robust Incident Handling

Understand Business Impact

Continuous Validation of Controls


Understand the Security Continuum

The layers in the stack diagram: Facilities, Hardware, Abstraction, Core Connection & Delivery, APIs, Integration & Middleware, APIs, Applications, Data / Metadata / Content, Presentation Platform, Presentation Modality. How far up the stack Service Provider Security reaches (the remainder is Your Security) depends on the service model:

IaaS (Infrastructure as a Service): Facilities, Hardware, Abstraction, Core Connection & Delivery, APIs

PaaS (Platform as a Service): the IaaS layers plus Integration & Middleware and its APIs

SaaS (Software as a Service): the full stack, up through Applications, Data / Metadata / Content, Presentation Platform and Presentation Modality


Unmanaged Shared Responsibility Model

Cloud Provider Responsibility:
• Foundation Services: Compute, Storage, Database, Networking
• Global Infrastructure: Regions, Availability Zones, Edge Locations

Your Responsibility:
• Customer Data
• Platform & Application Management
• Identity & Access Management
• Operating System & Network Configuration
• Endpoints
• Client-side Data Encryption & Data Integrity Authentication

Optional, provided by the platform (opaque data / OS, in transit / at rest):
• Server-side Encryption Provided by the Platform / Protection of Data at Rest
• Network Traffic Protection Provided by the Platform / Protection of Data in Transit

Managed Shared Responsibility Model

SECURITY BY DESIGN

PREPARE DEFEND RESPOND


Getting Started

Prepare: Perform a risk assessment. Build an effective security program.

Defend: Deploy security infrastructure. Properly configure and continuously tune security elements.

Respond: Detect & respond to incidents quickly. Continuously validate the effectiveness of security controls.


Steps forward...

1. Ensure effective governance, risk, and compliance processes exist
2. Audit operational & business processes
3. Manage people, roles and identities
4. Ensure proper protection of data
5. Enforce privacy policies
6. Assess security provisions for cloud applications
7. Ensure secure cloud networks and connections
8. Evaluate security of physical infrastructure and facilities
9. Manage security terms in the service agreement
10. Understand the security requirements of the exit process


Step 1 -­ Ensure effective Governance, Risk, and Compliance

Governance: Ensure that you have a data asset inventory and that it is classified based on its CIA protection requirements. Establish security and compliance policies & procedures.

Risk: Assess vendors, applications, processes and policies against a formalized threat-risk-assessment process.

Compliance: Identify and map regulatory and legislative requirements, e.g. FedRAMP, ITAR, FFIEC, GLBA, OSFI, PIPEDA.


Step 2 -­ Audit operational & business processes

Assurance: Review the independent auditor’s report on the cloud provider’s operations (SSAE16 SOC2 Type 2, CSAE3416, ISAE3402).

Certification: Beyond audit assurance reports, review current security certifications (ISO27001, ISO27018).

Audit: Ensure access to the corporate audit trail. Shared Information Gathering (SIG) Questionnaire; CSA Cloud Controls Matrix 3.0.1.


Step 3 – Manage People, Roles, and Identities

Identity and Access Management: Federated Identity Management, Provisioning and delegation, Single Sign-On, and Identity & Access Audit.

Authentication: Ensure support for strong, multi-factor authentication.

Role, Entitlement and Policy Management: Ensure the provider is able to describe and enforce security policies, user roles, and groups based on requirements.


Step 4 – Ensure protection of data

Encryption / Tokenization:
• Encrypted for data privacy with approved algorithms and long, random keys
• Encrypted before it passes from the enterprise to the cloud provider
• Should remain encrypted in transit, at rest, and in use
• Provider should never have access to decryption keys

Create a data asset catalog: Identify all data assets and classify them in terms of business criticality and ownership. Identify relationships between data assets.

Consider all forms of data: Unstructured vs Structured data.
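An added example, not code from the deck or from Scalar or any cloud provider, of the two encryption bullets above: each record is sealed under a fresh data key before it leaves the enterprise, that data key is wrapped under an enterprise-held key-encryption key (KEK), and only the wrapped key and ciphertext are handed to the provider, so the provider never holds a decryption key. The envelope layout (nonce-prefixed AES-GCM), the KEK and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns "cannot happen" errors (bad key length, broken RNG) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered bytes fail authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext shorter than nonce")
}

// EncryptForCloud runs on-premise before upload (Step 4): the provider receives
// only the record under a fresh 256-bit data key and that key under the KEK.
func EncryptForCloud(kek, record []byte) (wrappedKey, ciphertext []byte) {
	dk := make([]byte, 32)
	must(rand.Read(dk))
	return seal(kek, dk), seal(dk, record)
}

// DecryptFromCloud also runs on-premise; without the KEK the unwrap step fails.
func DecryptFromCloud(kek, wrappedKey, ciphertext []byte) ([]byte, error) {
	dk, err := open(kek, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext)
}
```

In practice the KEK lives in an on-premise HSM or key manager; the envelope alone, which is all the provider stores, is useless without it.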


Step 5 – Enforce privacy policies

PIPEDA: June 2015 - new data breach notification provisions, with the enactment of the Digital Privacy Act.

Security: Ensure privacy requirements within the SLA, with specific clauses around privacy of information.

Privacy Standards: the ISO / IEC 27018 standard addresses the controls required for the protection of PII.


Step 6 – Assess security provisions for cloud applications

IaaS: Customer has responsibility for the complete software stack including security. Focus on the provider’s network, physical environment, audit, authorization, and authentication considerations.

PaaS: Customer has responsibility for application development and securing the application. Focus on audit, authorization, and authentication considerations.

SaaS: Provider is responsible for application-tier security, dependent upon terms in the SLA. Understand the provider’s patching schedule, controls against malware, and release cycle.


Step 7 – Ensure secure cloud networks and connections

External Network: Traffic screening; DOS protection; Intrusion Detection/Prevention; Logging and Notification.

Internal Network: Client separation and protection from one another; Monitoring for intrusion attempts.


Step 8 – Evaluate security of physical infrastructure and facilities

Facilities: Security controls related to facilities: environmental, equipment, telecommunications, etc.

Continuity Plans: Continuity of service in the face of environmental threats or equipment failures.

Human Resources: Security controls on their staff: background checks / screening, role changes, termination. Security Awareness and Training.


Step 9 – Manage security terms in the service agreement

Breach Notification: Include pertinent information with regards to notification.

Incident Response: Containment of security incidents; restoration of secure access; forensics in investigating circumstances and causes of breach.

Measuring Performance: Metrics and standards for measuring performance and effectiveness of information security should be established in the service agreement (ISO27004:2009, ISO19086, NIST 800-55 Rev.1).


Step 10 – Understand the security requirements of the exit process

Exit Process: Documented exit process as part of the service agreement.

Data Destruction: Customer data is deleted from the provider’s environment at the end of the exit process.


Setting yourself up for success

Leveraging cloud providers can enable companies to be *more* secure and compliant than before, in contrast to leveraging your own on-premises systems.

Spend sufficient time to ensure:
§ Information Governance Policy/Programs are defined and in place
§ Services are Policy Compliant
§ Improved Security Awareness & Action Plans are documented


Thank You