Major Hayden is a chief security architect at Rackspace who has over 5 years of experience in cloud operations. In his presentation, he discusses cloud hosting and the shift from managing computers to utilizing computing resources. He outlines the different types of cloud deployments including public, private, and hybrid clouds. Hayden also addresses common security questions about selecting cloud providers, contractual agreements, risks of company-owned servers, public cloud networking risks, and securely storing data in the cloud.

1. Cloud Security
Major Hayden, Rackspace

2. Why are we here today?
Cloud Security // ISACA San Antonio 2013-09-24 2

3. Who am I?
 Chief Security Architect at Rackspace
 Red Hat Certified Architect and MySQL DBA
 Five years of cloud operations experience
 Integrated Slicehost with Rackspace
 Launched Rackspace’s Cloud Servers product based on
Slicehost technology
 Launched Rackspace’s Open Cloud Servers powered by
OpenStack
Cloud Security // ISACA San Antonio 2013-09-24 3

4. Today’s big three
1. An understandable and repeatable definition of cloud
really does exist (and I’ll help you learn it)
2. There are different cloud deployment strategies and you
can secure each of them
3. Cloud hosting risks are very similar to the risks from
other IT hosting methods
Cloud Security // ISACA San Antonio 2013-09-24 4

5. What is cloud hosting?
Cloud Security // ISACA San Antonio 2013-09-24 5

6. Cloud hosting is a shift from
managing computers
to utilizing
computing resources
Cloud Security // ISACA San Antonio 2013-09-24 6

7. Cloud Security // ISACA San Antonio 2013-09-24 7

8. Cloud Security // ISACA San Antonio 2013-09-24 8
Colocation Dedicated Managed Cloud

9. Cloud Security // ISACA San Antonio 2013-09-24 9
Colocation Dedicated Managed Cloud

10. Cloud Security // ISACA San Antonio 2013-09-24 10
Colocation Dedicated Managed Cloud

11. Cloud Security // ISACA San Antonio 2013-09-24 11
Colocation Dedicated Managed Cloud

12. Key points
 Resources are always available
 Pay for what you use
 Fewer fixed costs, more variable costs
 Maintain business focus
Cloud Security // ISACA San Antonio 2013-09-24 12

13. Cloud hosting
brings new challenges
Cloud Security // ISACA San Antonio 2013-09-24 13

14. Homes vs. Apartments
Cloud Security // ISACA San Antonio 2013-09-24 14
Flickr: atelier_tee Flickr: oldtasty

15. Key points
 Can’t choose your neighbors
 Fluctuating performance
 Stay within the confines of the system
 Service providers can touch your data*
Cloud Security // ISACA San Antonio 2013-09-24 15

16. Cattle vs. Pets
(Credit goes to Gavin McCance at CERN for this analogy)
Cloud Security // ISACA San Antonio 2013-09-24 16

17. Key points
 Rely on automation
 Use configuration management
 Build in redundancy based on business needs
Cloud Security // ISACA San Antonio 2013-09-24 17

18. Cloud types:
Public, Private, and Hybrid
Cloud Security // ISACA San Antonio 2013-09-24 18

19. Benefits
 Public: easily expandable and cheap
 Private: host with provider or host internally,
fewer noisy neighbor issues, compliance is easier
 Hybrid: helpful for bridging into cloud, allows for
the workloads to run where they run best
Cloud Security // ISACA San Antonio 2013-09-24 19

20. Let’s go through
your questions
Cloud Security // ISACA San Antonio 2013-09-24 20

21. What due diligence should
a company perform when
selecting cloud services?
Cloud Security // ISACA San Antonio 2013-09-24 21

22. Due diligence
 Easy answer: Assess a cloud provider just as you
would any other provider of IT services
 Look for business practice and security maturity
 Test the provider thoroughly ahead of time
 Monitor the provider’s actions closely around
outages or when receiving support
Cloud Security // ISACA San Antonio 2013-09-24 22

23. What are some
good contractual
agreement clauses?
Cloud Security // ISACA San Antonio 2013-09-24 23

24. Contractual agreements
 Confidentiality and security requirements
 Encryption standards*
 Service description and SLA’s
 Indemnification
Cloud Security // ISACA San Antonio 2013-09-24 24

25. What are the risks
if the company
owns the servers?
Cloud Security // ISACA San Antonio 2013-09-24 25

26. Company-owned server risks
 Similar to self-hosted or vendor-hosted IT
services on dedicated equipment
 IT staff that maintain the servers will have some
level of access to virtual machine data
Cloud Security // ISACA San Antonio 2013-09-24 26

27. Does the internet-facing
nature of public cloud
create additional risks?
Cloud Security // ISACA San Antonio 2013-09-24 27

28. Public cloud networking risks
 About the same as internet-facing dedicated
hardware
 Some public clouds may have hardware
networking devices such as firewalls or load
balancers
 Other providers might provide a shared firewall
or load balancer environment to use
Cloud Security // ISACA San Antonio 2013-09-24 28

29. How do I securely store
data in cloud services?
Cloud Security // ISACA San Antonio 2013-09-24 29

30. Storing data in cloud
 Your data is never fully safe in any storage
 Understand your most probable threats first
 Make your data less useful to others
 Encryption with digital signatures
 Sharding
 Tokenization (can help with data transport laws)
 Hardware Security Module (HSM)
Cloud Security // ISACA San Antonio 2013-09-24 30

31. Thanks for inviting me!
Q&A?
Cloud Security // ISACA San Antonio 2013-09-24 31
Have more questions later?
major.hayden@rackspace.com
http://major.io/

32. Cloud Security
Major Hayden, Rackspace