The security of SAAS and private cloud


Security of SaaS and Private Cloud
Considerations for CFOs
Ian Farquhar, Advisory Technology Consultant


Profile: Ian Farquhar
Career:
- RSA, The Security Division of EMC (2008-Present)
- Cisco Systems (2004-2008)
- Sun Microsystems (1999-2004)
- Silicon Graphics/Cray Research (1994-1999)
- Macquarie University Department of Research Electronics (1993-1994)
- Macquarie University Office of Computing Services (1988-1993)

- Twenty years of experience in computer and information security
- Technology Evangelist for RSA
- RSA specialist for ANZ in:
  - Data Loss Prevention
  - Cryptography
  - Policy
  - Security evaluation


Definitions: Public vs. Private Cloud
According to Gartner: "The distinguishing characteristics of a private cloud environment are that the infrastructure is internally owned and operated, and that systems can be dynamically provisioned and activated. The distinguishing characteristics of a public cloud environment that are most important for security assessment and monitoring are that the infrastructure is not owned by the customer and that the service is provided via a shared infrastructure."

Or... (from the RSA Conference): "A private cloud is inside the firewall, a public cloud is outside."

Security CIA: Confidentiality, Integrity and Availability

Definition: Software-as-a-Service (SaaS)
SaaS is the provision of software in a services model.
Gartner defines SaaS as "software that's owned, delivered and managed remotely by one or more providers." In a pure SaaS model, the provider delivers software based on a single set of common code and data definitions that are consumed in a one-to-many model by all contracted customers anytime, on a pay-for-use basis, or as a subscription based on use metrics.
Other *aaS acronyms:
- PaaS: Platform-as-a-Service
- IaaS: Infrastructure-as-a-Service
SaaS and PaaS are not really new concepts:
- Mainframe-era bureau services were just SaaS or PaaS
- Even virtualization is not new: IBM/VM, circa 1969

Issues to Consider: SaaS (and Public Cloud)
Legal issues
- If it isn't in the contract, it should be
- What are the service level agreements? How are they measured? Do they match your expectations? What is the dispute process?
- Who owns your data?
- Where is it processed? Where is the DR site? Where is it replicated?
Jurisdictional issues
- Data location (compliance)
- Legal issues (e.g. US Patriot Act)
- Legal search and seizure considerations
SaaS provider closure or acquisition
- What legal rights do you have?
- If you can access the data, in what form? (And don't forget the backups.)
- How quickly could you migrate this business function?

Issues to Consider: SaaS (and Public Cloud)
Provider terminating the contract
- How much notice do you get?
- Do you have any right of appeal?
- Can they terminate your service and leave you without access to your data?
The forced march
- Will upgrades at the SaaS provider introduce unexpected work (cost)?
- Forced up-sell due to discontinuation of an older version
- How much notice do you get?
- What guarantees are in the contract?
Connectivity and performance issues
- SaaS makes your business dependent on Internet access
- Don't forget the SLAs from your ISP or carrier
- How would your business cope with a network outage?
- Don't forget to factor in the cost of network management
- Is your network traffic protected in transit? (SSL issues.)

Issues to Consider: SaaS (and Public Cloud)
Expertise
- If you find you need expertise above basic support, where does it come from and how much does it cost?
Generic security issues
- Endpoint security is still critical
- What is the SaaS provider's security posture?
- How do they authenticate users?
- What guarantees do you have that the SaaS provider is implementing best practice?
- Who can access your data? (Separation.)
- How is the service funded? (Not applicable for pay-as-you-go.)

Fundamentally, HOW DO YOU KNOW?
Or, WHAT IS THE RATIONAL BASIS FOR YOUR TRUST?

Issues to Consider: Private Cloud
- Most of the security issues with private cloud are not new
- Some security features are better on private cloud than on raw hardware (e.g. DR)
- Limiting this to private-cloud-specific issues
- All IT best practice applies to private cloud just as it does to existing IT infrastructure
- Private cloud is fundamentally about increasing efficiency
Issues:
- Network infrastructure and design
- Administrative access: a rogue or careless admin can do a lot of damage
- Proliferation: change control is still critical for a well-run virtual infrastructure
- Software licensing
- Orphaned VMs
- Data sprawl
- Security patching and offline VMs
- Legal search and seizure
- Capacity planning
Excellent resource: Cloud Security Alliance, http://www.cloudsecurityalliance.org/

In Summary
SaaS and Public Cloud
- Read and understand the contract
- Do a thorough cost-benefit analysis
- Plan for the contingencies
- Trust, but verify

Private Cloud
- All current best practices apply to private clouds too
- Private clouds have some security characteristics which are superior to raw-metal IT
- The majority of issues are operational; this is where to focus
