Cyber Security in Real-Time Systems (CSIRS), David Spinks - Chairman, February 2011

Cloud security and cyber security v 3.1

DESCRIPTION

Cloud Security and Cyber Security, David Spinks, HP

Page 2: Cloud security and cyber security v 3.1

Quote by: Sun Tzu

As Sun Tzu, the military theoretician and strategist extraordinaire of ancient China, wrote in his seminal work "The Art of War", "The skilful leader subdues the enemy’s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field."

Lush

Stuxnet

LSE

NYSE

E-Trading

RBS ATM

Page 3: Cloud security and cyber security v 3.1

The Cloud Defined:

Page 4: Cloud security and cyber security v 3.1

Cloud (IAAS) Pressures

Instant now, any time anywhere

Continued cost reduction beyond Outsourcing

Limitless Flexibility

Limitless Volumes Up and Down

IT Utility

Managed Services

Secure Services

Page 5: Cloud security and cyber security v 3.1

What are the obstacles to Cloud Services?

2008

Page 6: Cloud security and cyber security v 3.1

What are the obstacles to Cloud Services?

2009

Page 7: Cloud security and cyber security v 3.1

2010

Page 8: Cloud security and cyber security v 3.1

Into the (Cloud) Future with hp

[Diagram: SOURCING MODELS. Labels: TRADITIONAL, CONFIGURED SERVICES, MANAGED HOSTING, ENTERPRISE CLOUD SERVICES, ADVANCED CLOUD, AUTOMATED HOSTING, UTILITY SERVICES, TECHNOLOGY ISLAND, SYSTEMS INTEGRATION, SERVICES ECOSYSTEM. Axis label: AGILITY]

Page 9: Cloud security and cyber security v 3.1

So what are the security hot buttons?

Robust, acceptable pan-client Information Security policies and procedures.

One single independent assurance certificate - no, your auditors will not be allowed access.

Identity and access management - need to get this working anyway!

Business continuity and IT DR - acceptance of standard RTO and RPO.

Encryption (key management) will be a client responsibility - this issue is related to IdM!

Flexibility in contracts - and please kill off the “old school” purchasing and contracts departments!

Page 10: Cloud security and cyber security v 3.1

Solutions and Best Practice :

Page 11: Cloud security and cyber security v 3.1

April 20th, 2010 - v1

Cloud Computing Security Assessment Process Flow

1. Review InfoSec Program Documentation (Week 1)

2. Interview Subject Matter Experts (SME) (Week 2)

3. Inspect Infrastructure & Controls (Week 2)

4. Complete Security/Continuity Checklists (Week 2)

5. Cloud Computing Readiness Workshop (Week 2)

6. Analyze Data & Determine Gaps (Week 3)

7. Cloud Computing Security Roadmap Workshop (Week 4)

8. Create Service Improvement Plan (SIP) (Week 4)

9. Create Remediation Roadmap (Week 4)

Confidential & Proprietary Information of Hewlett-Packard Company

Page 12: Cloud security and cyber security v 3.1

Conclusions

Adoption of Cloud - lessons learnt not available

Implementation experiences limited

Security and risk management methods immature

Best practice evolving but gaps still exist

Views of regulators and auditors still not clear

Legal and regulatory issues (e-Discovery - jury is still out!)

Watch this space ....

Page 13: Cloud security and cyber security v 3.1

Finally

LinkedIn CSIRS: http://www.linkedin.com/groupRegistration?gid=3623430

http://www.cloudsecurityalliance.org/

http://www.hp.com/hpinfo/newsroom/press/2009/090331xa.html

Q and A