After the talks we broke into Vendor Tracks and Open Space discussions - one of the attendees suggested a session around security which I volunteered to moderate. I've written up these discussions and the write-up is shown below. If any of the attendees feel I missed anything out or have misrepresented the conversation please feel free to comment or drop me an email. Enjoy!
London CloudCamp #5 Open Space – Security (Room 3)
Chatham House rule applies!
i) Public sector in the Cloud
Discussion began with whether the public sector would adopt cloud given its security requirements. It was noted that the UK Government is planning a G-Cloud as part of its Data Centre Consolidation Strategy, and that this was also a recommendation in the Carter Review (Digital Britain). Attendees were also pointed towards the blog of John Suffolk, the HMG CIO: http://johnsuffolk.typepad.com. It was thought unlikely that public clouds would be suitable for processing protectively marked information (i.e. RESTRICTED and above), although it may be possible to use them for storage and transport provided the data is encrypted and decrypted on-premise, so that the provider only ever handles ciphertext. Public clouds were thought more likely to find use in local government, where security requirements are less stringent because the data is typically marked PROTECT. The main sticking point from a security perspective was currently thought to be the lack of assured products to support domain separation.
ii) Certificate based authentication
There was a discussion as to whether cloud computing makes server certificate-based authentication difficult, because a certificate has to be bound to a domain name or an IP address, and in a cloud environment the consumer may not control or keep either. This was not thought to be a problem with IaaS, where the consumer controls the hostnames and addresses the certificate is bound to (if the right technologies are used), but it was thought to be problematic with PaaS and SaaS, where the consumer has far less control over them.
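To make the binding problem concrete, here is an added example (not part of the original write-up or any attendee's material) of the check a TLS client performs against a server certificate's subjectAltName. The SAN lists, the example.com names and the 203.0.113.x addresses are constructed for illustration; the tuple shape `("DNS", name)` / `("IP Address", addr)` is the one Python's `ssl.getpeercert()` returns. The point it shows is why an IP-bound certificate is fragile once instances are re-provisioned, while a name-bound one survives as long as the operator controls the DNS record.

```python
import ipaddress

# Constructed subjectAltName lists in the shape ssl.getpeercert()["subjectAltName"]
# returns: tuples of ("DNS", name) or ("IP Address", address). Hosts and the
# 203.0.113.0/24 addresses are documentation examples, not real deployments.
IP_BOUND_SAN = (("IP Address", "203.0.113.10"),)
NAME_BOUND_SAN = (("DNS", "api.example.com"), ("DNS", "*.example.com"))
V6_SAN = (("IP Address", "2001:db8::1"),)


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, and '*' is accepted
    only as the entire left-most label of a pattern with at least two more
    labels (so '*.example.com' matches 'www.example.com' but neither
    'example.com' nor 'a.b.example.com')."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False  # partial-label and bare-TLD wildcards are rejected
    return p[1:] == h[1:]


def cert_matches_endpoint(san, endpoint: str) -> bool:
    """Return True if the certificate's SAN covers the endpoint the client
    actually connected to. IP literals are compared as addresses (so IPv6
    spelling differences do not matter) and only against iPAddress entries;
    host names are compared only against dNSName entries. The Common Name is
    deliberately ignored."""
    try:
        wanted_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        wanted_ip = None
    for kind, value in san:
        if wanted_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
        elif wanted_ip is None and kind == "DNS" and match_dns_name(value, endpoint):
            return True
    return False


if __name__ == "__main__":
    # The cloud failure mode: an IP-bound cert stops validating the moment the
    # instance is re-provisioned with a fresh address, while a name-bound cert
    # survives because the operator repoints the DNS record instead.
    print(cert_matches_endpoint(IP_BOUND_SAN, "203.0.113.10"))      # True
    print(cert_matches_endpoint(IP_BOUND_SAN, "203.0.113.22"))      # False
    print(cert_matches_endpoint(NAME_BOUND_SAN, "api.example.com"))  # True
```

On IaaS the consumer can reserve the address or, better, own the DNS name the certificate is issued for; on PaaS and SaaS the provider typically terminates TLS on shared front ends under its own names, which is the part of the problem the group considered unsolved.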
iii) PCI-DSS and ISO27001
There was a question as to the overlap between PCI-DSS and ISO27001. The group believed that there is significant overlap between the two standards, but that PCI-DSS is more prescriptive, so compliance with ISO27001 does not imply compliance with PCI-DSS. PCI-DSS has specific requirements around the handling of cardholder data, vulnerability assessments and so on that are more granular than those in ISO27001. The recent blog post including the AWS statement that it was not possible to be fully PCI-DSS Level 1 compliant using only its EC2 and S3 services was discussed. It was noted that one can simply hand off payment processing to a third-party payment processor, or keep such processing in-house, so that cardholder data never enters the cloud environment. It was also noted that there is a separate PCI standard (PA-DSS) covering the development of payment applications.
iv) Privacy
We had a brief discussion around privacy legislation, one of the attendees noting that Germany is about to enact a breach notification law under which any organisation suffering a data breach must notify all affected customers (either by individual letter or by taking out a two-page advert in a national newspaper).
v) Use of cloud resources for illegal purposes
We had a particularly interesting conversation around the use of cloud computing resources for illegal purposes, for example the distribution of cracked software keys. This discussion was illustrated with real examples of previously identified instances of such activity. It raises interesting questions about whether cloud providers should monitor for such activity or whether they, like telcos, should act simply as carriers.
vi) Data leakage
The idea that data could be split across the cloud to make reconstitution more difficult was discussed. It was thought that this is already one of the incidental benefits of cloud computing: should a service provider lose a disk, it is most likely to contain fragments from a number of clients rather than a substantial chunk of a single organisation's data. Note, though, that a fragment of cleartext is still cleartext; fragmentation only raises the bar if the pieces are encrypted or shared in a way that makes any individual piece meaningless on its own.
Miranda Mowbray's obfuscation tool (HP Labs) and the Vanish tool (University of Washington) were mentioned as being of interest to those looking to keep sensitive data under control. Both were noted as being primarily of academic interest at this time.
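The difference between "fragments on many disks" and "pieces that reveal nothing" is the difference between striping and secret sharing. The following is an added example, not code from the write-up, from Mowbray's tool or from Vanish: it places plain contiguous striping beside a Shamir (k, n) split over GF(2^8), using a constructed sample record. Any k of the n shares reconstruct the record exactly; a single lost disk holding one share (or k-1 of them) leaks nothing, whereas a single lost stripe leaks whatever it held.

```python
import os

# Constructed sample record standing in for a customer's sensitive data.
SECRET = b"name=Alice Example;acct=0001;pin=4321"


def stripe(data: bytes, n: int) -> list:
    """Plain fragmentation as described in the discussion: n contiguous chunks.
    Each chunk is still cleartext, so a single lost disk leaks whatever it held."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 (a^255 == 1 for every non-zero a)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def split_secret(secret: bytes, n: int, k: int) -> list:
    """Shamir (k, n) sharing, byte by byte: each byte becomes the constant term
    of a random degree k-1 polynomial over GF(2^8), and share i is that
    polynomial evaluated at x=i. Fewer than k shares carry no information about
    the secret, which is exactly what plain striping lacks."""
    if not 1 < k <= n < 256:
        raise ValueError("need 1 < k <= n < 256")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        coeffs = [byte] + list(os.urandom(k - 1))  # random higher-order terms
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares: list) -> bytes:
    """Lagrange interpolation at x=0 from any k (or more) shares. The basis
    coefficients depend only on the x-coordinates, so they are computed once
    per call and reused for every byte. Subtraction in GF(2^8) is XOR."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    basis = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)
        basis.append(gf_mul(num, gf_inv(den)))
    length = len(shares[0][1])
    out = bytearray()
    for pos in range(length):
        v = 0
        for (_, buf), coef in zip(shares, basis):
            v ^= gf_mul(buf[pos], coef)
        out.append(v)
    return bytes(out)


if __name__ == "__main__":
    print(stripe(SECRET, 3)[0])                    # b'name=Alice Ex': a lost disk leaks this
    shares = split_secret(SECRET, n=5, k=3)
    print(recover_secret(shares[:3]) == SECRET)    # True: any 3 of 5 suffice
    print(recover_secret(shares[:2]) == SECRET)    # False: 2 shares reveal nothing
```

In practice one would share a symmetric key this way and store the bulk data encrypted under it, which is the shape both of the tools mentioned above take; sharing the data itself byte by byte, as here, keeps the example self-contained.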
vii) Virtual Desktop Infrastructures
There was some discussion of VDI in the cloud. It was noted that the public sector may "browse down" from a more sensitive domain to a less sensitive one, e.g. to offer Internet access via terminal services, but that "browsing up" from a less sensitive domain into a more sensitive one is frowned upon.
viii) Security Benefits
It was thought that the cloud model can offer some security benefits, e.g. increased or improved security monitoring, patching, access to security expertise and physical security. These are likely to be of more benefit to SMEs, but could also benefit larger organisations (most of whom should already have invested in the necessary functions).
ix) Security as a Service
The prospects for security as a service were discussed. It was noted that businesses such as MessageLabs have been doing this for years! Security filtering in the cloud is a valid service, and one could also expect to see identity providers in the cloud in the future.