Cloud Integration

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Going right hand in hand with third-party governance,
00:00
we need to talk just a little bit
00:00
about Cloud integration.
00:00
Let's go ahead and just give
00:00
a definition for Cloud Computing.
00:00
Sometimes there's some mystery around the Cloud.
00:00
Here's a definition from NIST special publication
00:00
800-145 where Cloud Computing
00:00
is defined as a model for enabling
00:00
ubiquitous, convenient,
00:00
on-demand network access to a shared pool of
00:00
resources that can be rapidly
00:00
provisioned and de-provisioned with minimal effort.
00:00
Again, I paraphrased a little bit here,
00:00
but we have a couple of really important pieces
00:00
which is why we're also
00:00
interested in moving to the Cloud.
00:00
Ubiquitous access, we can access
00:00
our Cloud-based resources from anywhere.
00:00
We can scale up or down as necessary
00:00
because we're utilizing a shared pool of
00:00
resources at the Cloud service provider,
00:00
whereas realistically if everything I had
00:00
was on-prem and I needed to spin up 100 servers,
00:00
that's going to take a lot of time.
00:00
It's going to cost a lot of money.
00:00
But I can do it in a matter of
00:00
seconds with my Cloud-based resources.
00:00
Scale-up and down, flexibility, elasticity,
00:00
the cost-savings idea is
00:00
moving to the Cloud probably will save you some money.
00:00
It'll certainly save you
00:00
capital expenses, those upfront expenses.
00:00
When you talk about opening up
00:00
a data center or building a data center,
00:00
the costs are astronomical.
00:00
You don't have that initial cost.
00:00
You don't have the maintenance costs,
00:00
the day-to-day fees.
00:00
You don't have to heat and cool.
00:00
There's so many cost savings.
00:00
You may wind up paying more operational cost.
00:00
Absolutely, you're going to be
00:00
paying a monthly or quarterly fee,
00:00
however, that's negotiated.
00:00
It's a balance. You got to look at
00:00
all pieces of the puzzle.
00:00
You got to think about total cost of ownership.
00:00
You have to think about what resources you're
00:00
migrating to the Cloud and of course,
00:00
you have to think about the needs
00:00
for the security of your assets.
00:00
These Cloud drivers are
00:00
just illustrated out a little graphic to see,
00:00
and the 24-hour support,
00:00
and paying as you use and all
00:00
these sound great and they are,
00:00
but we do have to consider the security risks,
00:00
some of the main ones.
00:00
First of all, your data is distributed.
00:00
It's no longer on-prem.
00:00
I'm old-fashioned I know,
00:00
but I like to have my data on a server I can touch.
00:00
Of course, as our organizations grow larger
00:00
and we become multi-international companies,
00:00
that physical instance of
00:00
our data on a physical server in our server room,
00:00
that's really gone away.
00:00
But what I mean by that more is I
00:00
like it under my direct control.
00:00
Now, our data is
00:00
distributed perhaps throughout the world
00:00
when we're storing this in the Cloud,
00:00
we have to consider that each different region,
00:00
there are different jurisdictional issues
00:00
for laws and regulations.
00:00
Whereas I may have a very stringent requirement for
00:00
the protection of my data
00:00
depending on where that data is stored,
00:00
those locations may not have the same requirements.
00:00
Also, there are other considerations like search and
00:00
seizure and due process and
00:00
all those pieces that may not
00:00
be available or afforded to me based
00:00
on other locations dependent
00:00
upon the location of where my data are stored.
00:00
That's always a concern.
00:00
It's always something to think about.
00:00
Probably the greatest risk is
00:00
the multi-tenancy piece is that as long as we're using
00:00
public Cloud which basically is a Cloud-based resources,
00:00
physical resources shared by
00:00
multiple tenants or customers.
00:00
While in that instance,
00:00
we're going to have 10,
00:00
15 other companies sharing
00:00
the hard drive that we're using.
00:00
Anytime you're on the same physical devices,
00:00
there's always an increased threat.
00:00
I don't know what the other customers are doing.
00:00
I don't know how they are protecting their systems.
00:00
Yes, the Cloud service provider
00:00
should be protecting their hypervisor,
00:00
should ensure true isolation from
00:00
one virtual client to the next, absolutely.
00:00
But we just don't know.
00:00
If you think about things like VM escapes where
00:00
malicious code might hop from one VM to another.
00:00
The security of the hypervisor
00:00
is ideally going to prevent something like that,
00:00
but the risks are increased.
00:00
Another concern is that we're not transferring liability,
00:00
we're transferring risk and there's a difference.
00:00
When I say I'm transferring risk,
00:00
I have another organization that
00:00
is sharing in the potential loss.
00:00
But I am still liable for the protection of my data.
00:00
If I'm a health care provider and I've
00:00
chosen to store some data in the Cloud,
00:00
I don't get to just go,
00:00
"Thank goodness, I don't have to worry about that anymore.
00:00
It's in the Cloud." I'm still
00:00
liable for the protection of my data.
00:00
Now if this Cloud service provider
00:00
doesn't adequately protect that data,
00:00
then as long as I have a service level agreement then
00:00
I have the ability of having some compensation.
00:00
That's the sharing of the loss.
00:00
But the liability still remains
00:00
on me as I'm the data owner.
00:00
I've been entrusted with this data by
00:00
my customers, my patients, whomever.
00:00
Regardless of the Cloud models,
00:00
we'll talk about the different types of Cloud models,
00:00
but always the data owner maintains
00:00
responsibility and you can read into
00:00
that liability as well.
00:00
Now I've mentioned this idea of
00:00
the service level agreement.
00:00
Sometimes I'll hear folks make a blanket statement,
00:00
they'll protect it better than we will,
00:00
talking of the Cloud service provider.
00:00
You don't know that?
00:00
I don't have any guarantee of that
00:00
except what's in the contract.
00:00
In the contract specifically,
00:00
the service level agreement will
00:00
state the degree of security that's provided
00:00
as well as the consequences
00:00
to the Cloud service provider if they
00:00
don't meet what's been
00:00
documented in the service level agreement.
00:00
I'm allowed some form of compensation,
00:00
but only to the degree that that's guaranteed.
00:00
We don't have any just blanket,
00:00
it'll all work out,
00:00
everything's good, they care
00:00
about our data as much as we do.
00:00
Those just aren't realistic ideas.
00:00
Third-party governance,
00:00
we'll talk about that in another section.
00:00
Third-party governance says, hey,
00:00
we've got to know what our requirements
00:00
are and we've got to read
00:00
these service level agreements in these contracts and
00:00
we've got to ensure that we choose
00:00
a provider that meets our needs,
00:00
the responsibility is on us.
00:00
Sometimes yes.
00:00
The Cloud service provider
00:00
may have higher requirements for
00:00
privacy or availability or whatever.
00:00
But the bottom line is we don't
00:00
know until we look at the contract.
00:00
Let's look at the various models
00:00
that we can see in the Cloud.
00:00
Now, when you see this AAS as a service.
00:00
The first is software as a service,
00:00
then we have platform as a service
00:00
and infrastructure as a service.
00:00
But quite honestly, everything today is as a service.
00:00
They have business continuity,
00:00
disaster recovery as a service,
00:00
identity management as a service,
00:00
security as a service.
00:00
Right now you're getting Kelly as
00:00
a service because I'm coming to
00:00
you over the web instead of
00:00
sitting in front of you at your desk.
00:00
We're going to see all branch outs,
00:00
but the three most basic services, software,
00:00
platform, and infrastructure,
00:00
and which one you use really depends on your needs.
00:00
You can use just one or the other or all three.
00:00
The most common by far is software as a service and
00:00
almost everybody has used software as a service.
00:00
If you've used e-mail like
00:00
Outlook or Yahoo or any of that,
00:00
you're using software as a service.
00:00
Not Yahoo, but if you've used Gmail or any of
00:00
those other applications because you go to
00:00
a website and you access a service through their site,
00:00
you're not downloading and
00:00
installing Gmail on your system.
00:00
Office 365, I go out to a web page and I use Office.
00:00
Most software providers are
00:00
focusing on their software as
00:00
a service features and functionality.
00:00
The days of going out to the store and buying
00:00
a CD and coming home and
00:00
installing that disc on your system,
00:00
those days are really behind us and we're
00:00
focusing on accessing through the web.
00:00
It's great for me as
00:00
an organization because I don't have to
00:00
specifically install the apps on all of these systems.
00:00
I don't have to patch the systems.
00:00
I don't have to worry about the hardware or
00:00
software on my systems.
00:00
I simply need my users to go to the site.
00:00
They can run the software that is
00:00
stored in the default location
00:00
for that software service,
00:00
so ideally it would be backed up, ideally,
00:00
it would be accessible from
00:00
wherever on the planet I'm able to access these systems.
00:00
We always want the details.
00:00
Don't forget, I will always
00:00
be liable for the protection of my data though.
00:00
Again, even though I'm
00:00
using a different application
00:00
that I'm accessing on the web,
00:00
and that application is storing
00:00
my data in the backend database,
00:00
I have the liability as the data owner.
00:00
Now, if you're developing your own software,
00:00
when we talk about software development,
00:00
a developer has to have access
00:00
to a wide variety of tools.
00:00
They have to have different platforms.
00:00
They have to be able to test all different environments.
00:00
They need files like
00:00
library files that are not
00:00
free that can contain collections of code.
00:00
They can utilize platform as
00:00
a service from Cloud service providers and
00:00
it winds up being
00:00
a very flexible environment
00:00
which they can design their applications.
00:00
They have a back-end database to store
00:00
data that's accessed through those applications,
00:00
a runtime environment which the app runs.
00:00
That's platform as a service.
00:00
Then last but not least,
00:00
we have infrastructure as a service.
00:00
A lot of times when people say they're
00:00
migrating to the Cloud, this is what they mean.
00:00
What they're doing is they're utilizing
00:00
the computing resources at a Cloud service provider
00:00
as opposed to having these servers
00:00
on-prem or having their own data center on-prem.
00:00
So many costs associated with having
00:00
50 servers or 500 servers or 5,000 servers.
00:00
I need the space.
00:00
I need the hardware,
00:00
I have upfront cost,
00:00
I have to heat, I have to cool,
00:00
I have to physically protect.
00:00
All of those elements of storing,
00:00
all these servers on-premises.
00:00
I go out and I buy all these
00:00
servers and then in three years,
00:00
I have to update all the hardware on them again,
00:00
not my problem when I
00:00
migrate my infrastructure to the Cloud.
00:00
With infrastructure as a service,
00:00
everything that used to be in my data center,
00:00
all the network appliances for connectivity
00:00
and isolation and separation, my firewalls,
00:00
all elements of my network generally are migrated up to
00:00
the Cloud and they're virtualized
00:00
so that I still have to configure and control.
00:00
I'm still responsible for securing
00:00
the devices and creating the environment.
00:00
It's just being done with software now as opposed
00:00
to physical servers that I'm configuring.
00:00
There are a lot of benefits to migrating to the Cloud.
00:00
We've talked about those,
00:00
the big ones saving
00:00
those upfront costs and ideally costs overall.
00:00
Being able to access the resources
00:00
from anywhere you want.
00:00
The scalability of being able to scale very
00:00
quickly to a very large amount of
00:00
resources down to very small and paying as I go.
00:00
Lots of benefits here.
00:00
You can't forget the security issues,
00:00
there are multi-tenancy and jurisdiction.
00:00
Those are a couple of the big ones to think about.
00:00
Often we all get on
00:00
board with a specific technology and everybody
00:00
migrates to the new technology and
00:00
then folks start migrating back because they've realized,
00:00
hey, this may not have been
00:00
the perfect solution for what I needed in this instance.
00:00
The Cloud is not a one size fits all environment,
00:00
not everything should go up to the Cloud all
00:00
the time and we know that,
00:00
but it's a case-by-case, risk-by-risk decision.