NJVC Proprietary - Do Not Release

Cloud Computing and Security: Assessing the Risks

Kevin L. Jackson

Vice President & General Manager

NJVC Cloud Services

March 21, 2012

FBI Symposium on Cloud Computing and Security v2



The New IT Era

rev date 3/21/2012

IDC September 2008


Data Processing Explosion


Cloud Computing

Not a new technology but a new approach in the provisioning and consumption of information technology

A services oriented architecture (SOA), typically implemented on a virtualized infrastructure (compute, storage, networks) using commodity components coupled with highly automated controls, enables the five essential characteristics of cloud computing.

Key Concerns

Standards

Portability

Control/Availability

Security

IT Policy

Management / Monitoring

Ecosystem

Key Benefits

Significant cost reductions

Reduced time to capability

Increased flexibility

Elastic scalability

Increased service quality

Increased security

Ease of technology refresh

Ease of collaboration

Increased efficiency


Cloud Computing: Value and Capabilities

Time

Reduce time to deliver/execute mission

Increased responsiveness/flexibility/availability

Cost

Optimizing cost to deliver/execute mission

Optimizing cost of ownership (lifecycle cost)

Increased efficiencies in capital/operational expenditures

Quality

Environmental improvements

Experiential improvements


Relational Databases and the Cloud

Country

Germany: BMW (Truck, Car, SUV), Volkswagen, … Audi

Japan: Toyota, Honda, Mazda

US: Ford, Chrysler, GM …

Search

German, BMW, Truck

German, BMW, Car

German, BMW, SUV

German Volkswagen, Truck

US, GM, SUV

3t 1t

The economics of data storage led to the use of content addressable storage, flat storage architectures and internet scaling.

Database design, database tuning no longer required with infinite scalability and consistent responsiveness


Traditional Analytics


Traditionally, lexical searches, filtering or Boolean search attributes are used to reduce data to a “working set”. Analytical tools are then applied to this “working set”.

All Data Sources / Types

Tools/Analysis

Reports/Conclusions


Cloud Enables Searching All the Data, All the Time


Reports/Conclusions


Survey


Security Concerns


Top Threats to Cloud Computing

Security domains (matrix columns, grouped as Governance and Operational):

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Traditional Security, Business Continuity, and Disaster Recovery

Data Center Operations

Incident Response, Notification and Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization

Threats (matrix rows):

Abuse and Nefarious Use of Cloud Computing

Insecure Interfaces and APIs

Malicious Insiders

Shared Technology Issues

Data Loss or Leakage

Account or Service Hijacking

Unknown Risk Profile


Overview


C&A vs FedRAMP

Standard Certification & Authorization

100% of required agency controls

60-90 days to complete

$80k-$300K

Repeat with each new agency: 5 agency cost $400K-$1.5M

FedRAMP (290 Controls)

80% of required agency controls

60 days to complete

$65-$240K

Agency specific controls for new implementations: 5 agency cost $65K-$365K


Continuous Monitoring Deliverables

Vulnerability/Patch Management Scanning and Reporting

Configuration Scanning and Reporting

Incident Response Planning and Response

POA&M Mitigation and Remediation

Change Management and Control

Penetration Testing

A&A Documentation Maintenance

Contingency Plan Testing


NIST Cloud Computing

http://collaborate.nist.gov/twiki-cloud-computing


My Advice

Remember – Cloud computing is an emerging discipline

Learn about it. Don’t run away

This is not a new technology but extensive automation of what you’re already used to

Same threat vectors. Same attacks but faster, broader and automated using “resource concentration”

Cloud will save you, not hurt you.

Be careful out there !!


Thank You!

Kevin L. Jackson

Vice President

General Manager

NJVC Cloud Services

(703) 335-0830


http://www.NJVC.com

http://kevinljackson.blogspot.com

http://govcloud.ulitzer.com