Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake

Security B-Sides London: Cloud Computing - WTF?
Wednesday, 20 April 2011

Jimmy Who?

• CSO for one of the UK’s largest SaaS providers
• Talking mainly from a SaaS perspective
• Dozens of client risk assessments a month
• ISO 27001 Lead Auditor
• These are my opinions, not necessarily those of my employer

Cloud Computing

“Don’t make me APT your cyber-defences”

http://csrc.nist.gov/groups/SNS/cloud-computing/
Essential Characteristics
Service Model
Deployment Model
...blah blah blah

Businesses Are Moving to the Cloud

Well governed organisations make decisions after consideration of risk

...and we all know how many well governed organisations there are out there.

Who Does the Due Diligence??

• Understands security, not risk
• Knows on-premise, not cloud
• Still thinks he has a secure perimeter
• Likes to be able to hug servers
• He, and his toys, may be displaced by the solution

The Cost of Due Diligence: Do The Math

Average Due Diligence Questionnaire = 2 hours
Average Audit = 6 man hours

4,000 customers = 3,000 working days per annum

...and you want cost savings???

Certification: ISO/IEC 27001:2005

• Scope?
  • Very few scopes include production platforms
• Is your acceptable risk < or > than the provider’s?

ISO 27001: What They Really Mean

[Diagram: “Our On-Premise 27002 controls” alongside the “Cloud Provider’s 27002 controls”]

Certification: SAS-70 (soon SSAE16)

• Control Statements
• Great for auditing against SOX 404 controls

Getting Real

Q: How do you ensure physical access to your data centres is restricted to those who need it for a job function?

A: By not having 100 customers a day walking through on audits...

Getting Real

Provider: “So I hope that answers your question on how we handle key rotation on our distributed filing system utilising AES 256-bit encryption? Can I ask how you do it at the moment?”

Customer: “The IT Manager backs up to tape and leaves the tapes in the back of his car overnight.”

Provider: “The tapes are encrypted of course?”

Customer: “....”

Provider: “Please tell me the car isn’t left on his driveway overnight?”

Customer: “....”

Turning the Tables

RFP responses contain a lot of sensitive information.

• How do you classify completed RFP responses?
• How many people have access to completed RFP responses?
• How do you ensure access control and prevent leakage of completed RFP responses?
• How do you dispose of printed copies of RFP responses?

Industry Representation or Prospects?

What We Need

Software-as-a-Service is often about replacing specific on-premise solutions within the business.

[Diagram: on-premise risk as the baseline, cloud provider risk compared against it]

What We’re Getting

Great, now I’ve got 6 lots of audit and certification....

A Final Plea

Customers:
Baseline on your current risk exposure
Do your due diligence, but make it proportionate
If you want champagne, expect to pay for it

Industry Bodies:
Come together for a unified standard of audit and assessment
Represent cloud customers and the service provider, not infrastructure vendors

Cloud Providers:
Embrace transparency

Cloud Computing Due Diligence - WTF?
Jimmy Blake
@jimmyblake
http://jimmyblake.com

  • 13. Turning the Tables RFP responses contain a lot of sensitive information How do you classify How many people completed RFP have access to completed responses? RFP responses? How do you ensure access How do you dispose control and prevent leakage of printed copies of RFP of completed RFP responses? responses? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 14. Industry Representation or Prospects? Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 15. What We Need Software-as-a-Service is often about replacing specific on-premise solutions within the business Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 16. What We Need Software-as-a-Service is often about replacing specific on-premise solutions within the business baseline Cloud On-premise Provider risk risk Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 17. What We Need baseline On-premise risk Cloud Provider risk Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 18. What We’re Getting Great, now I’ve got 6 lots of audit and certification.... Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 19. A Final Plea Customers: Baseline on your current risk exposure Due your due diligence, but make it proportionate If you want champagne, expect to pay for it Industry Bodies: Come together for a unified standard of audit and assessment Represent cloud customers and the service provider, not infrastructure vendors Cloud Providers: Embrace transparency Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011
  • 20. Cloud Computing Due Diligence - WTF? Jimmy Blake @jimmyblake http://jimmyblake.com Security B-Sides London: Cloud Computing - WTF? Wednesday, 20 April 2011