Evaluating Risks of Cloud-Based Services Ronald Poserina Symantec.cloud - Director, Enterprise & Partners

Page 1: Evaluating Risks of Cloud Based Services

Evaluating Risks of Cloud-Based Services

Ronald Poserina, Symantec.cloud - Director, Enterprise & Partners

Page 2: Evaluating Risks of Cloud Based Services

SYMANTEC VISION 2011

What Does It Take to be Secure?

The Three T’s

• Talent

• Technology

• Time

Page 3: Evaluating Risks of Cloud Based Services

Talent

• Do you have personnel that are knowledgeable on security risks and can lead your organization in best risk management practices?

• Are you willing to devote the financial resources to recruitment, training (initial and on-going), and personnel management?

Three T’s: Talent, Time, & Technology

Page 4: Evaluating Risks of Cloud Based Services

Time

• Are your security defenses monitored and managed around the clock?

• Can your security personnel respond with sufficient speed and effectiveness to new security threats?

• Do you have the financial means to devote this much time?

Page 5: Evaluating Risks of Cloud Based Services

Technology

• In today’s and tomorrow’s dynamic and increasingly sophisticated and stealthy threat environment, do you have the most up-to-date and optimal mix of security technologies?

• As your organization’s working methods change (e.g., more distributed, mobile, collaborative, modular), is your security in synch?

• Time and $$$ again, do you have the resources to stay current on security innovations, evaluate products, test, and deploy?

Page 6: Evaluating Risks of Cloud Based Services

Options

Build Cloud

Page 7: Evaluating Risks of Cloud Based Services

Consider the Benefits: Services from the Cloud

• Lower TCO

– Predictable expense (OPEX)

– Reduced infrastructure costs (heating, cooling, rack-space, etc.)

• Simplification

– Simplifies your architecture

– Simplifies IT operations and management

• Security

– Best-of-breed layered threat protection in real-time

– Stops threats before they reach corporate network

• Scalability

– Able to grow or reduce with your business

• Ease of use

– Centralized management consoles and policy control

– 24/7 expert support

Page 8: Evaluating Risks of Cloud Based Services

Can I Trust Public Clouds?

Page 9: Evaluating Risks of Cloud Based Services

Top SaaS Concerns

Source: IDC, Cloud Computing Attitudes, April 2010, n = 255.

[Chart: top SaaS concerns, public vs. private cloud (% of respondents)]

Page 10: Evaluating Risks of Cloud Based Services

Common Questions About the Cloud

• Data Locality – Where is my data?

• Data Access – Who can access my data in your company?

• Data Segregation – How is my data segregated from other customers?

• Regulatory Compliance – What do I need to know?

Page 11: Evaluating Risks of Cloud Based Services

Data Locality – Which Data Centers?

South Africa

Page 12: Evaluating Risks of Cloud Based Services

Data Access – What Controls are in Place?

Change Control Processes

Multi-Factor Authentication

Secure data storage

Logging and audit trails

Threat modelling

Tracking code execution

Data path through systems

Ethical Hack/Penetration testing

Hashes used for all passwords

Encryption in motion / Encryption at rest

Page 13: Evaluating Risks of Cloud Based Services

Physical Security

• Biometrics (palm print, retina scan, fingerprint reader); numerical entry pad; smart card swipe system; physical locks

• Systems situated in locked cages or suites

• Independent CCTV system within our suites/cages

• All access is logged and tracked and must be pre-scheduled

Page 14: Evaluating Risks of Cloud Based Services

Data Security

• Developer access restricted to test systems

• Access Entitlement Reviews

• Use ISO 27001 standards for all employee vetting and controls

• Limited access to physical mail to small monitored population

• Access to production infrastructure is via a secure segregated management network and encrypted protocols such as SSH and RDP over TLS

• Access to production systems via two-factor authentication

• Controls over access to configuration files, system binaries, etc.

Page 16: Evaluating Risks of Cloud Based Services

Availability Concerns

• Do you guarantee system availability?

• In case of a major disaster, what major systems do you have in place?

Page 17: Evaluating Risks of Cloud Based Services

Addressing Availability

• Remove Single Points of Failure

– Multiple systems, datacenters, feeds & vendors

– Geographically diverse operations centers

• Capacity Planning

• Business Continuity Planning

Page 18: Evaluating Risks of Cloud Based Services

Perceived Loss of Control

• How do I know what the cloud is doing with my data?

• What capabilities will I have to control policy?

• Reporting and metrics are important and I need access on demand.

• What trouble-shooting or diagnostic tools will I have?

• How reliable and helpful will the vendor's support team be?

Page 19: Evaluating Risks of Cloud Based Services

Control Concerns – Management Portal

• Policy Management

• Reporting Access

• Troubleshooting / Tracking

• Multi-tiered levels of access

• Alerting and service news

Page 20: Evaluating Risks of Cloud Based Services

Control Concerns – Getting Help

• 24x7x365 Global Technical Support Dedicated to SaaS Service

– Portal / Email / Telephone

– Multilingual

• Extensive documentation

• Online training videos

• Implementation plans

• Best Practices

Page 21: Evaluating Risks of Cloud Based Services

Reputation – Who’s Using the Provider?

Over 32,000 customers and billions of mails and web transactions processed daily

Page 22: Evaluating Risks of Cloud Based Services

Service Level Agreements

• Know what you’re paying for

• Review contract terms and understand how SLAs apply

• Ask how SLAs are reported on

• What are you entitled to in the event SLAs aren't met?

• Compare SLAs of vendors you're considering for like services

Page 23: Evaluating Risks of Cloud Based Services

Service Level Agreements

February 2011 Performance

• AntiSpam effectiveness: SLA 99%, performance 99.99997%

• Spam false positive rate: SLA 0.0003%, performance 0.000007%

• AntiVirus false positive rate: SLA 0.0001%, performance 0.000003%

• Email & Web Service Availability: SLA 100%, performance 100%

Page 24: Evaluating Risks of Cloud Based Services

The Symantec.cloud Difference – Delivery

• SLA focused service model

– 100% Availability and 100% Virus protection (known and unknown)

– 99% Spam capture

– Latency guarantee: under 60 seconds for email, 100 ms for web

• Security focused

– SAS 70 Type II Audits on Datacenters

• Global Infrastructure

Page 25: Evaluating Risks of Cloud Based Services

The Symantec.cloud Difference – Technology

• 13 Years of Experience in Delivering IT solutions from the cloud

• Skeptic™ Heuristics

• Converged Threat Analysis

• Integrated reporting and policy management

• Network design and Capacity planning

Page 26: Evaluating Risks of Cloud Based Services

The Symantec.cloud Difference – Support

• Non-standard Support Model

• Dedicated Technical resources

Page 27: Evaluating Risks of Cloud Based Services

Rowan Trollope: 6 tips for companies moving into the cloud 1

1. Reputation - Check out the reputation of the service provider: How long have they been offering cloud services, bearing in mind that size isn't everything; many big companies are piling into the market but don't know what they are doing

2. Security - Security is key. Really understand how secure your data have to be, and ask the vendor how they would solve your security problems

3. Resiliency - Investigate how the cloud provider makes back-up copies of your data, how you can move the data to another provider, and what happens if the provider goes out of business

Page 28: Evaluating Risks of Cloud Based Services

Rowan Trollope: 6 tips for companies moving into the cloud 1

4. Service Levels - Work hard to get a good service level agreement with clear financial penalties to ensure a good service.

5. Certification - Be wary of industry certifications, because they capture just a moment in time. Do your own research on how the vendor is performing

6. Try it out - Finally, try the service. The beauty of cloud computing is that it's easy to switch on and off. Obviously don't start your cloud adventure with confidential data or mission-critical systems, but if the service works for you, you can expand.

Page 29: Evaluating Risks of Cloud Based Services

Thank you!

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY

Copyright © 2011 Symantec Corporation. All rights reserved.

Ron Poserina

+1 (646) 519-8121