Cloud Security Scenario
Jay Heiser @JayHeiser1

STRATEGIC PLANNING ASSUMPTION
Through 2020, 95% of cloud security failures will be the customer’s fault.

Why it won't happen:
• If a provider failure does occur, it could have huge levels of impact.
• The cloud market continues to be financially weak.

Why it will happen:
• The history of public cloud computing has been remarkably free of provider failures.
• Cloud service providers are under huge market and Internet pressure:
  – They must make security a priority. They have no choice.

KEY ISSUES
1. How worried should you be about which public cloud risks?
2. What do you need to do to manage those risks?

Gartner Public Cloud Services Forecast, 1Q15
In the next five years, enterprises will spend $1.2 trillion on public cloud services (2015-2019).
15.7% CAGR (chart label: 16%)
Billions of dollars:
• 2013: $130
• 2014: $152
• 2015: $176
• 2016: $206
• 2017: $240
• 2018: $277
• 2019: $316
Source: "Forecast: Public Cloud Services, Worldwide, 2013-2019, 1Q15 Update" (G00275962)

Where Is Everybody in Cloud Computing Adoption?
• 20% are resisting clouds: Don't understand the model
• 40% are trying to get started: Struggling with the cloud strategy
• 30% are experimenting: Developing best practices
• 10% are innovating: Lots of clouds

What About Security?
Cloud Adoption Survey (2014)
What are the top three reasons for NOT considering a public cloud-based model?
n = 210, Base: Does not primarily employ Public Cloud for IaaS, PaaS and/or SaaS. Up to 3 responses allowed.
• Security and/or privacy concerns: 63%
• Concerns about government snooping: 29%
• Data integration challenges: 26%
• Compliance requirements prevent public cloud usage: 23%
• Lack of internal skills to manage public cloud services: 23%
• Data center locations don't meet data sovereignty…: 19%
• Insufficient SLAs from cloud service providers: 15%
• Time to deployment: 12%
• Difficulty of development: 11%
• Lack development tools and resources: 11%
• Lack of cloud service provider options: 11%
• Dislike for release schedules and impact on app…: 8%
• Public cloud services are not environmentally friendly: 8%
• Other: 1%

Cybercriminals Are Not Stealing Cloud Storage. They Are Stealing Your User's Accounts
Phishing is the biggest source of cloud security failure.

Enterprises Are Focusing on the Wrong Party to Improve Security
Cloud services are not getting breached. Most security incidents are the customer's fault. The big story in cloud security is that big hacks and failures have not occurred.

Organizations Rushing to the Cloud Underestimate the Effort to Control How It Will Be Used
• Account and virtual machine management.
• Access control:
  – Inappropriate internal shares.
  – Public shares.
• Visibility and control of activity:
  – Sanctioned and unsanctioned usage.
  – Incident response.
  – E-discovery.
• Integration with other services.
• Recovery after provider bankruptcy or accident.
How will you support someone else's applications when they break?

Use a Life Cycle Approach for Cloud Governance
Diagram labels:
• Policies
• Usually needs more attention
• End of life
• Requirements analysis
• Continuous management
• Risk acceptance
• Implementation
Most enterprises are only addressing part of the life cycle.

Base Your Cloud Usage Decisions Around the Public Cloud Risk Domains
• Agility: Ability to support unanticipated future needs
• Compliance: Regulatory and other legal requirements
• Service: Availability disruptions and data loss
• Supplier: Changes in cloud provider business model or viability
• Security: Confidentiality and data control

Evolving Cloud Encryption Approaches
• Relatively easy:
  – Extend data encryption to endpoints
• Becoming easier:
  – Customer-managed key (CMK)
• Difficult or impossible:
  – Format preserving
  – Searchable
  – Homomorphic
Externally applied encryption can break cloud application functionality.

PDF document: 2015, "Cloud Security Outlook", Jay Heiser (English version)
Presented at: Opening session, China Internet Security Leaders Summit