Securing the Cloud: Masterclass 2 Lee Newcombe Infrastructure Services April 2013.


Slide 2: Agenda
Copyright © Capgemini. All Rights Reserved. Managing Security in the Cloud 2
• The Future Cloud?
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Identity in the Cloud
• Introduction
• Conclusions
• Service Management -> Service Orchestration
• ?

Slide 3: The questions you asked…
• How is the security landscape changing and how must it evolve in the next 5 years?
• How do fast moving trends such as mobile, social business, BYOD and ‘bring your own cloud’ complicate security strategies?
• Considering security as an enterprise issue, not simply as a cloud one
• Addressing service integration in the cloud
• Looking at the future of identity in the cloud: requirements, risks and opportunities

Slide 4: Agenda
• Introduction
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Identity in the Cloud
• The Future Cloud?
• Conclusions
• Service Management -> Service Orchestration
• ?

Slide 5: The Future Cloud
• Public Cloud Providers likely to continue to be subject to rapid amalgamation
  • Terremark – bought by Verizon
  • Savvis – bought by Century Link
  • Heroku – bought by Salesforce.com
  • Nimbula – bought by Oracle
• Amalgamation will lead to a smaller set of major public cloud providers
• Smaller players will exist to serve niche markets (e.g. HMG)
• Big Outsourcing firms will continue to offer “enterprise” cloud services
  • Likely to continue to struggle to justify premiums over the likes of AWS

Slide 6: The Future Cloud
• Interoperability will remain problematic
• Niche vendors will continue to exist to enable cross-cloud operations
• Rising importance of service brokers and SIAM capabilities
• “Cloud First” attitude will become standard – not just in Government
• Compromises will occur. The sky will fall… but the cloud paradigm will survive.

Slide 7: Evolving Compliance Requirements

The DPA requires the data controller to have a written contract … requiring that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.”

Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations.

Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance

Slide 8: Evolving Compliance Requirements

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement

Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients

Slide 9: Assurance – new Standards
• SAS70
• SSAE16
• Requires details of the “system” – not just the controls
• Requires a written statement of assertion

Slide 10: Cloud Security Alliance OCF

Slide 11: AWS Changes – Evolving Security
3/aws-trusted-advisor-update-trial- new-features.html

Slide 12: AWS Changes – Evolving Security
Release: Amazon EC2 on

Slide 13: New “Cloud” ways of thinking… for example

Slide 14: Agenda
• Introduction
• The Future Cloud?
• Identity in the Cloud
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Conclusions
• Service Management -> Service Orchestration
• ?

Slide 15: The Perfect Storm - BYOD
Bring Your Own Disaster Device (BYOD)
• BYOD or CYOD?
• Business driven desire for mobile working
• End point protection
  • Entry point to your trusted domain
  • Holds your data
  • Duress?
• Data Protection
  • Better in the cloud?
  • Encrypted on device?
  • Remote wipe? Of my device?!
• Mobile Device Management

Slide 16: The Perfect Storm - Social Media
• Twitter, LinkedIn, Facebook, Google+, etc
  • the “Consumer Cloud”
• Reputation Management
  • Damaging Tweets by employees
  • Damaging comments from customers
  • Hacked accounts: Burger King, BBC…
• Personal vs Business. Identity in the cloud?
  • More later
• Data exfiltration
  • Are you monitoring the data your users send via these channels?

Slide 17: The Perfect Storm – Big Data
• Big Data
• How Big is Big?
• NoSQL?
• Pseudonymisation…
• Anonymisation…
  • Fine so long as you know nothing about your target
  • Fine so long as compute resource remains expensive and exclusive

Slide 18: Big Data (continued)
• Where is the data coming from?
  • Trust? Validation?
• Where are you going to put it?
  • NoSQL vs RDBMS?
  • Cloud or on-premise?
• How are you going to control access to it?
• Compliance
  • How much anonymisation is enough?
  • edia/documents/library/Data_Protection/Practical_application/anonymisatio n_code.ashx
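One way to put a number on "how much anonymisation is enough" is to measure k-anonymity over the quasi-identifiers left in a dataset once names are removed. The following is an added example, not part of the original slides; the column names, the sample records and the threshold k = 3 are constructed assumptions.

```python
from collections import Counter

QUASI = ("postcode", "birth_year", "sex")  # assumed quasi-identifier columns

# Constructed sample records, not real data. Names are already removed.
RECORDS = [
    {"postcode": "SW1A 1AA", "birth_year": 1975, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 2BB", "birth_year": 1978, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "SW1A 1AA", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "M1 4BT", "birth_year": 1982, "sex": "M", "diagnosis": "migraine"},
    {"postcode": "M1 5QA", "birth_year": 1988, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "M1 4BT", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "EH1 1YZ", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
]


def key(record, quasi=QUASI):
    """The combination of quasi-identifier values an outsider could link on."""
    return tuple(record[q] for q in quasi)


def class_sizes(records, quasi=QUASI):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    sizes = class_sizes(records, quasi)
    return min(sizes.values()) if sizes else 0


def at_risk(records, k, quasi=QUASI):
    """Records whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(records, quasi)
    return [r for r in records if sizes[key(r, quasi)] < k]


def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, birth year to decade."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def release(records, k):
    """Generalise, then suppress any row still in a class smaller than k."""
    coarse = [generalise(r) for r in records]
    risky = at_risk(coarse, k)
    return [r for r in coarse if r not in risky]


if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    print("raw k:", k_anonymity(RECORDS))
    print("generalised k:", k_anonymity(coarse), "at risk:", at_risk(coarse, 3))
    print("released k:", k_anonymity(release(RECORDS, 3)))
```

k-anonymity only bounds linkage on the chosen quasi-identifiers; it does not account for auxiliary knowledge about a specific target or for a class whose sensitive values are all the same.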

Slide 19: The Perfect Storm - Cloud
Cloud is the ANSWER! But what was the question

Slide 20: Putting it all together…
• Big Data
  • Social Media usage
  • Research and Development
  • Modelling
  • Device and Data usage (SIEM)
• Stored and processed in the cloud
  • NoSQL. Not much security either
• Accessed from users’ personal devices
Anybody see any security issues here?

Slide 21: Putting it all together… to fix it
• Mobile Device Management
• DRM?
• Big Data security… See CSA Paper
• Anonymisation
• Security Architecture

Slide 22: Agenda
• Introduction
• The Future Cloud?
• Identity in the Cloud
• Service Management -> Service Orchestration
• Conclusions
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• ?

Slide 23: Service Integration and Management - SIAM
Diagram labels:
• Management of Infrastructure - owned or client assets
• Systems Integrators
• Service Integrators
• Service consolidation
• Opportunity to leverage service desk and management assets
• “Service Broker”
• Enabler of Cloud propositions
• Aggregation and orchestration of many cloud-based services
• Service Orchestration
• Service Aggregation
• Service Integration
• Service Management

Slide 24: SIAM and Security
• Sits across the top of the cloud services
• Responsible for ensuring consistent service levels to the customer across their cloud services
  • Harmonisation/orchestration of disparate SLAs
• But also a good place to incorporate a central set of security capabilities:
  • Security Monitoring
  • Identity and Access Management
  • Certificate Authority
  • Service Monitoring and Management
  • Security Management
    • Consistent content filtering?
    • Consistent network access controls?
• Potentially a cloud service itself

Slide 25: Agenda
• Introduction
• The Future Cloud?
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Identity in the Cloud
• Conclusions
• Service Management -> Service Orchestration
• ?

Slide 26: Identity in the Cloud
Digital Identity: “a set of claims made by one digital subject about itself or another digital subject.” - Kim Cameron’s Laws of Identity
• Jericho Forum Identity Commandments
• Physical entities can have more than one persona…
  • Employee
  • Husband
  • Father
  • Elven Wizard
  • Citizen
  • Customer
  • Shadowy criminal mastermind

Slide 27: Identity in the Cloud
• Identities are necessary to:
  • Establish relationships
    • Especially commercial relationships
    • But also citizen and HMG interactions
• It is not necessary for EVERY relationship I have to know EVERYTHING about all of my identities
• Identity Providers
  • More like Persona Providers. But IdP is the standard term…
• Attribute Providers
  • Is my driving licence valid?
  • Is my CLAS membership valid?
  • Am I really tall, dark, handsome and incredibly wealthy? – You also need to trust your Attribute Providers.

Slide 28: Federated Identity Management

Slide 29: Cabinet Office Citizen Identity Assurance Model
“Our preferred solution suggests the use of ‘hubs’ (technical intersections) which allow identities to be authenticated by contracted private sector organisations without an individual’s data being centrally stored or privacy being breached by unnecessary data and details of the user being openly ‘shared’ with either transacting party.”

Slide 30: Cabinet Office Citizen Identity Assurance Model

Slide 31: Federated Identity Management
• Better for your organisations
  • Establish a single identity repository and federate out across your cloud services
  • Manage identity and provisioning in one place
  • Easier to plug’n’play cloud services through identity re-use
  • Less management overhead – federate with your trusted partners
• Better for your customers
  • Less of their data will be compromised in a single event
  • Fewer passwords to remember
• Consider integration with the consumer cloud via OAuth, OpenID, Facebook Connect etc

Slide 32: OAuth – an example
Services that support OAuth 2:
• 37signals (draft 5)
• Box
• Facebook's Graph API (see sociallipstick.com/?p=239)
• Foursquare
• Geoloqi
• GitHub
• Google
• Meetup
• Salesforce
• SoundCloud
• Do.com (draft 22)
• Windows Live

Slide 33: Agenda
• Introduction
• The Future Cloud?
• The Perfect Storm – BYOD, Social Media, Big Data, Cloud
• Conclusions
• Identity in the Cloud
• Service Management -> Service Orchestration
• ?

Slide 34: Conclusions
• The Cloud market will change rapidly over the next few years
  • More accepted
  • Fewer players
• Cloud risks stay much the same
  • Same threat actors
  • Same vulnerabilities
  • Potentially greater impacts as usage increases
• The “Perfect Storm” will begin to worry end users
  • Humans don’t like to be watched
  • Anonymisation doesn’t often really work for both data controller and data subject
• Federated identity management will be the way ahead
• Getting your SIAM right is key to successful operation in the Cloud

Slide 35: Q&A

Slide 36: Securing the Cloud: More Workshops!
• Moving HR to the cloud
• Moving R&D services to the cloud
• Retiring and replacing your collaboration platform
John Martinez, John Arnold, Lee Newcombe

The information contained in this presentation is proprietary. Rightshore® is a trademark belonging to Capgemini. © 2012 Capgemini. All rights reserved.

About Capgemini
With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.