
Jimmy Blake - Cloud Computing

BSides London · 2014 · 28:54 · 96 views · Published 2014-07

Transcript [en]

The aim of my talk today really has more to do with condensing various rants that I've had in pubs with various people in the cloud community over the last couple of years into one condensed rant of 30 minutes about how customers do due diligence and how cloud vendors represent themselves. So, a little bit about myself: I work for one of the UK's largest software-as-a-service vendors. I'm not going to mention their name, because I'm not here to pitch; I'm here to tell you my experiences in the cloud security arena. But we are the second fastest growing tech company in Europe, so we're quite successful as a European company.

I'm talking mainly from the SaaS perspective. You'll see that one of my slides is talking about the fact that the cloud is a very all-encompassing term, and in fact it seems to encompass everything at the moment, from hosting vendors all the way down to actually dropping something as a private cloud on your own premises. But my perspective is software as a service, because that's the background that I've come from. Every month I conduct thousands of risk assessments from customers, so I get some idea of what customers want and what they expect, which are sometimes not always the same thing. And also my background is as an ISO 27001 lead auditor before I joined my current company. The other thing is, as always, these are definitely my opinions, not those of my employer, and, you know, do not try these stunts at home, I'm a trained professional, and all that kind of thing.

So as I said earlier, one of the interesting things is the definition of cloud computing. Cloud computing actually was in place long before anyone tried to define it, so one of the largest and most trusted definitions was created by NIST and then taken up by the Cloud Security Alliance. What you tend to see is it's got the three elements: the service model, like how it's delivered (software as a service, platform as a service, infrastructure as a service, private cloud); the essential characteristics (elasticity); and then the deployment model, blah blah blah. The problem with this is that the definitions are so broad that almost everything is a cloud. So when you start talking about cloud due diligence and cloud computing, and you start to get people like ENISA writing a very good document of considerations customers need to take into account when they're reviewing the security of a cloud service provider, the problem is it's a very broad set of guidance, and customers read this ENISA document that's 40-50 pages long and they go, "I don't know, what am I buying? Platform as a service? Infrastructure as a service?"

So part of the problem is cloud computing is being used by all sorts of vendors to pitch their products. So if you look at virtualization, it's no longer virtualization, it's now a cloud enabler, whether you're a service provider or whether you are actually deploying products on premise. So this is part of the problem: we really have to define what part of cloud computing you're assessing the risk on. I mean, the inevitable thing is that people are moving to the cloud. It's happening; even governments are looking at it now. But I tend to see cloud customers as like worried parents. It's the first time they've ever got a babysitter in, and they go out for a nice meal, they want to enjoy themselves, and then they spend the whole time on the phone to the babysitter going, "Is the kid awake? Is the kid all right? Has he got to sleep? Has he eaten?" and things like that. So they want all the benefits of cloud computing, but then they don't stop worrying about their data in the cloud, and that's even after they've done a hideous amount of due diligence on the cloud provider.

So the first thing I'd say for anyone that's considering going into the cloud: is it really sensible? Classify your data, and if you're never going to be happy with it not being on servers you can go and kiss and hug and cuddle and see nice flashy blinky lights, don't put it in the cloud. Don't waste my time, and a day of my time filling out a due diligence questionnaire, if you've deliberately loaded it so that I will never pass your due diligence. Let's just kiss, make up, hug and go in two separate directions now. So really that is the most important thing: classify your data. What's its sensitivity? What's its criticality? What's your RTO and RPO for it from an availability perspective? And what would happen if it was breached? Because that sets the tone for the amount of due diligence that you should do on the cloud service provider.

So we all know that well-governed organizations make all decisions taking into account risk. The fact is, it's the business people that are mainly making the decision to move to the cloud, because they've got some photos on Flickr and they suddenly think it's a good idea to put all their corporate data in the cloud. I mean, I was at the first UK Cloud Security Alliance meeting the other day and there were probably 200 people there, and there were three cloud vendors; there were 120 consultants from KPMG and Accenture and everyone else telling us how the perfect world should work. But the problem is, it's not really how businesses work. We all know how many organizations are well governed; we may work for one, we may have worked for one in a previous business. The reality is most organizations do not really make all of their decisions based on risk and a balance of risk. So that's one of the things that I'm going to go into.

But so you've made the decision to go into the cloud; the business people have made the decision. The problem with the business people that are running the business units that hold the budgets is they don't know anything about the technology, so they don't know about the risks involved in those technologies. So who do they go to to assess the risk of the service provider? They go to their IT team, and their IT team don't really understand risk. They're not risk management people; they're security people: "We keep everything secure, we stop external attacks." What they don't do is look at how much risk is there in what we're currently doing on premise, how much risk does this service provider present us, what are the different kinds of risks, and what is the balance of risk between the two of them. What they do, as I'll talk about later, is they count the amount of controls they've got on premise and then go to the service provider and say, "Can you provide those controls?", which doesn't really tackle the risk.

So as I mentioned earlier, they like to be able to go and see servers. This guy, the IT risk guy, probably comes from a network background. He likes to have kit, he likes to see it, and it gives him a nice warm feeling in his stomach. The other thing is, these guys are the ones that are going to be made redundant by cloud computing. So the people that are doing the risk assessment of the cloud vendor are the people that are going to be made redundant if you move to the cloud. Now I don't know if that would tarnish your view of the person you're supposedly independently evaluating, but in my experience it does. From dealing with a lot of these people, no matter what you tell them, the answer is not the right one.

The other thing about it is due diligence is incredibly expensive. Now I'm not expecting you as a customer of cloud services to really care how much it costs me to do it, but the more time I spend answering due diligence questions and audit questions, the less time me and my staff are actually protecting your data and assessing the real risk to that data. And this is just to give you an indication of our current level of customers: in the UK, 4,000 customers, a million subscribers. So the average due diligence questionnaire that we get before someone buys from us, and we're onboarding a couple of hundred customers a month, takes two hours to complete. Our average audit on our existing customers takes six hours, which may involve travel to and from one of our data centres to give them a tour. So with four thousand customers, that is three thousand days of due diligence. Our current growth rate is seven and a half thousand percent over the last four years, so I'm estimating that at this current growth rate I'm going to have to have a staff of 40 people within three years just to do due diligence from customers. It's not scalable; this just does not work. And every single piece of advice you see from everyone is, do due diligence and audit on your cloud service providers. Well, if you want to do that, the cost of cloud services is going to go up to cover that human cost of answering those RFPs, unless of course you'd like me to take operational staff off securing your data.

So one of the things to get around this is to look at certification. I usually get asked, "Are you ISO 27001 certified?" Yes. Go to end of questionnaire, I'm signed off, I've got a tick in the box. Now I spent enough time being an ISO auditor to learn that ISO 27001 means nothing unless you look into what the service provider is telling you. So the first thing is scope. There is not a single software-as-a-service vendor in the UK that includes their service platform in the scope of their ISO 27001. Our major competitor only has their HR and finance department covered by their 27001, so all your data is being moved around networks and handled by people which have not been included in the information security management system. Check the scope from anyone who's giving you a 27001.

The other thing is, I can define my level of acceptable risk. So as a business I can go to the board and I say, "How much acceptable risk are we willing to take?" "Well, we're a young startup company growing fast; we may be willing to take 30 million pounds' worth of risk a week." That means I can accept almost every risk and still get an ISO 27001 certificate saying my security system is working. So make sure your level of acceptable risk is the same as the service provider's level of acceptable risk. But what I tend to find about 27001 is they're not actually interested in 27001 at all; they're interested in how many controls are on your statement of applicability. If you don't know, and you're not involved in the compliance side of things: in 27001 there's a standard saying you're managing a security system, and then there's a set of controls, which are not obligatory, which you may or may not use, from a sister standard called 27001, 27002 sorry. There's 133 of these. Just to give you some indication, our statement of applicability has 128 of those 133, which is why we're not certified yet, because that's a horrific amount of controls to put in. But our customers, what they tend to do is they will just send us a list of 27002 controls and go, "Which ones do you do?", and then they will take a percentage of that 133 and that will be your success score for whether you're chosen as a vendor or not. And that's completely artificial, because some of those relate to e-commerce, for instance; we don't do e-commerce. Some of them relate to outsourced software development; we don't do outsourced software development, so we get an X in that box straight away. So 27001: it's great to work out if a company has a security system in place for managing security, assessing risk and things like that, but it's not a great standard to actually work out what risks your data is facing within that operator.

There's another standard we usually see: SAS 70. Now SAS 70 can actually be quite a good standard, but the way most people use it, it isn't. So with SAS 70, what you literally do is you write control statements. So it's up to you; you can write whatever you want. So I can write a control statement about how we onboard employees, how we review access control; I can choose whatever topics in a security scope that I want a control statement on. Then an external auditor comes in and just makes sure what I'm saying is true. It's a good standard from that perspective, because I could literally write a statement about every single one of our 27002 controls and then you would see how we're actually doing them. So it gives you a little bit more transparency about how we're doing things internally, and you get the fact that auditors come in and audit it. The problem is most SAS 70s only relate to a very limited subset of controls which are defined in the Sarbanes-Oxley Act, because the requirement to conform to SOX 404 controls requires a SAS 70 statement if you're a listed US company. So the fact is SAS 70 is used in the wrong way, really, if you're a UK company or a global company; it's very US-centric as well, and it's being removed soon and being replaced by the "stamped addressed envelope" sort of standard, I don't know what it is. So the thing is, we've got these two sorts of standards that people are using as yardsticks to test this, and they really don't work.

So what we end up actually doing is answering a very long RFP from every single customer about every single possible control, some of which are completely inapplicable for us. So I just want to give you some examples of some of the things that I've seen. One of the questionnaires I typically get is, "How do you limit physical access to your data centres where my data will be?", and then in the same questionnaire they'll say, "Can I do a tour of your data centre?" And as I mentioned earlier, a footfall of 3,000 customers a year doing an audit on our data centre: you don't want those walking through your data centre. So the thing is, they go, "Oh, can't you just do it for us?" And everyone asks, "Can't you just do it for us?" So the thing is, they're asking things and they're expecting things, and then what they want to do is completely contradictory to what they're asking for. So it's not really security, though. Has anybody thought about what they want?

This is another real-life example. I spent 45 minutes on the phone to a customer. We have a proprietary distributed filing system that works on a grid which has inherent encryption, and I spent 45 minutes with this guy drilling into how does our key rotation work, how do we do that, how do we manage our keys. And I just stopped at one point and I said, "So what do you do currently? Are you backing up to tape? And is that encrypted?" "No." "And what do you do with the tapes?" "Oh, we take them off site." "How do you take them off site?" "In the back of the IT manager's car." "And where does he keep his car overnight?" "On his driveway." So the guy's quizzing us for 45 minutes about how we use AES encryption and how we do key rotation, yet at the moment he's taking his backup tapes, which are unencrypted, and leaving them in the back of a car on a driveway overnight.

So the thing is, what they've actually got to get is: here is the current level, their baseline of what they've got security-wise; all they need is that much better, and it's a solution. But they're asking us questions about out here. What you've really got to do is base your level of risk on what you're currently doing on premise, and then decide whether the service provider offers more or less risk. And if he provides more risk, are there contractual controls or other controls, or asking for more transparency, that will bring that down? Or is the cost saving so great that it's worth taking that extra risk? And that is a business risk management decision, not a security one.

So I've started to turn the tables a little bit now. When I get an RFP from a customer, I send them a questionnaire, because there's a lot of confidential information in this RFP: information about our infrastructure, our processes, our IDS spend, our IPS vendor, how we do vulnerability analysis. So I send them a questionnaire now and I say, "How do you classify RFPs?" And they go, "We don't." "Hang on, you just sent me a questionnaire about classification and how we do it internally. OK, how many people have access to my completed RFP within your organization?" "Oh, we don't know, we put it on a file share somewhere." "OK, does anyone print this out and review it?" "Oh yeah, people print it out." "How do you ensure they dispose of that RFP with all our confidential information?" "Oh, we don't." So this customer is saying, "We're going to outsource one of our business processes to a service provider and we have this expectation of security," yet all their internal processes are completely, utterly screwed up. So they are thinking that we represent the greatest amount of risk to them overall. Typically we're an email service provider; what we do is archiving and continuity, that kind of stuff. And most of the systems we're connecting to probably could do with a little bit more improvement in quite a number of situations, and actually they represent much less risk moving to ourselves. But the thing is, because this mindset is around "has to be secure", every single possible thing has to be done, yet when they're doing stuff on premise they don't have that same level of expectation, which is very frustrating for myself.

So who have we got to represent us in this challenge we face as service providers? ISO 27001 doesn't really work and SAS 70 isn't really the right kind of standard. We have the Cloud Security Alliance; if you're going to Infosec tomorrow, they have a summit at Infosec. Now if you look at the member page of the Cloud Security Alliance, there's not a single cloud service provider on there; they're all infrastructure vendors. So as a member of the Cloud Security Alliance, I feel more like a prospect than I do being represented. So, infrastructure vendors: if you look at things like CloudAudit, that has now been merged into the Cloud Security Alliance, and CAMM eventually, that is heavily represented; in fact its chair works for Cisco and VMware. And surprisingly enough, you tend to find that virtualization takes quite a heavy place in all of the Cloud Security Alliance's material. If you look at their guidance, the 2.1 guidance, I think virtualization's mentioned a couple of hundred times. Well, you can build a service platform without any form of virtualization at all, with proper multi-tenancy and everything else. In fact it's what we've done, based on a couple of thousand servers, and we built our own platform.

So the problem is the vendors have too much of a vested interest in the fact that they're on premise. If you look at us, we replace roughly about eight servers on premise with our service. So you see these infrastructure vendors, their profits going down as people move to the cloud, so they're looking at new ways to reinvent themselves, and that's by embedding themselves in the cloud providers: "You must use virtualization, you must do that." And the other thing is the invention of this whole idea of the private cloud. I haven't got a slide on this, but I've got enough time to quickly touch on it. I mentioned earlier that there's this amorphous term, the cloud, that covers everything, and there are different tiers of the cloud as you go through software as a service, platform as a service, infrastructure as a service, and then private clouds. They have different levels of abstraction. With software as a service everything is abstracted, hardware, software, expertise, because you're typically replacing a single horizontal solution (new business, CRM, accounts, or in our case email) with one service in the cloud. So everything is abstracted, and as you start to move down those layers you take on more and more responsibility, until you get to a private cloud, which isn't really a cloud at all; it's virtualized on-premise products. But cloud sounded good and it had some buzz, so virtualization vendors created this idea of a private cloud.

I actually have this other presentation; it starts off where you have different types of clouds in the atmosphere, and you gradually work closer, and the one closest to the ground, closest to what you do at the moment, is fog. And that's how I look at private clouds: the fog, because you can see through them. They're not transparent; there's no abstraction, you see everything that's working in there. You're just taking hardware complexity and making it software complexity. And from a security perspective, virtualization: you've got eight products, looking from an email perspective; if you virtualize those you've now got nine products, or ten if you look at the host operating system of the hypervisor, and you've got the hypervisor itself. You've now got ten administrative interfaces, ten chances to do misconfigurations and everything else. Virtualization doesn't really solve the problem; it just changes its nature slightly.

So what do we need? As I mentioned earlier, software as a service is largely about replacing very specific horizontal solutions within the business, so in our case email, as I mentioned; CRM if you're going to Salesforce.com; NetSuite for things like accounts and resource planning and things like that. What we really need is an ability for companies to baseline what they're doing right now, so they can use a traditional qualitative or quantitative risk assessment process to work out how much financial risk their current solutions and controls, and the risks that they face, present them. And then what they need is a way to assess the risks of the service provider, and those risks will be totally different. So the standard risk assessment models and the threats you look at are different when you go to a cloud provider; we have different risks that we represent, some of the same ones, some different ones. So it allows you to do that balance: you can work out, will I have more risk, will I have less risk, what's the differential, and are there controls, contractual, like I mentioned earlier about the transparency, to try and bring that risk down.

Unfortunately what we're getting, my friends the Cloud Security Alliance are up there again; these are different cloud industry bodies, and I have to point out, when I made that diagram earlier with all the vendor logos on them, it's pretty much the same across all of these: vendors dominate all of these, infrastructure vendors. So now all of these have come up with their own standard for evaluating the risk in a cloud environment. The Cloud Industry Forum has, EuroCloud has; some of these are external audits, some of them are self-assessment questionnaires. One of the best ones I've seen so far is actually CAMM, which CloudAudit has been merged into. So what they're all coming up with is their own standard. So now I expect most of my customers to still be sending me RFPs and RFIs; I now have to certify to SAS 70 and ISO 27001; I have to complete the Cloud Industry Forum self-assessment questionnaire; I have to do the EuroCloud external audit as well. My situation is not getting better, and having all these different standards is not helping the customer either. So I understand that, because now everything's a cloud, there's a large chunk of things that all these industry bodies can start getting their teeth into, but personally I'd like to see something like the Cloud Security Alliance taking on the responsibility of security from all these other ones. But it isn't going to happen, because I'm a member of all of these and they're never going to come together.

So here's my plea. I've got about four or five minutes after this for any questions. From my perspective, the first thing is: if you're a customer, look at your current risk. What are you doing on premise? What is your pounds, shillings and pence figure for the amount of risk you're exposed to with what you're doing on premise? Then forget about what the cloud service provider is doing; do a complete audit of that cloud service provider, either by going through their statement of applicability or their control statements in the SAS 70, and then do a risk assessment on that service provider and get the same pounds, shillings and pence. And that gives you two figures, cloud and on premise. Then look at the differential: is there more risk or less going to the cloud, and what controls? This is standard risk assessment and risk management 101 that you do in an organization, but the thing is people don't do it. They just throw a questionnaire at the cloud service provider and don't really do anything apart from go with the person that's ticked the most boxes when it comes back.

The other thing is, if you want champagne, expect to pay for it. So if you want to come in and audit me every year, don't expect to have a cost saving on top of what you're currently doing, because my overheads have gone up and I have to pass those overheads to the rest of the business, which means the cost of our service goes up. So that means the motivations for going to the cloud, which at the moment are predominantly not about managing the complexity of in-house solutions, and not about focusing on core business (I'm going back to my first slide about companies really not governing themselves very well): it's all about saving money. So what you need to do is, if you expect the earth, expect to pay for it. And there are tiers of cloud service providers in the software-as-a-service arena. So we have people we compete with which are very much commodity products; they're consumer products, some of them from very large vendors with multi-coloured logos. But the thing is, you get what you pay for, and we're more expensive, and we didn't decide to go down a race to the bottom; we decided to maintain that level and standard of security, but we won't drop our prices. But then again, don't expect all 133 questions to be ticked exactly as you want unless you're going to pay for it. So look at the price of a cloud service provider and what you actually need, and then take that decision based on, "Am I paying over the top, because I don't actually need this level of security?" So you could go to one of those commodity services. My CEO sees this presentation, I'm dead.

So the industry bodies, as I said, I wish they'd come together and just come up with one standard for audit. The other thing is I wish they'd represent both the customer and the service provider, not the person trying to sell stuff to the service provider. And cloud providers, we need to embrace transparency. So I've got a project on at the moment to try and give customers metrics about how the system that they're actually on is performing, and sort of things like that. I think a lot of cloud providers are very cagey about giving you information, and there is some information I won't give you because it's related to our intellectual property and how we build our grid and things like that, but there are other things I can give you to compensate for the fact that I can't disclose that information. So if a cloud provider isn't telling you something, it could be because they can't afford that overhead if you're asking a very specific question, but they should have prepared in advance a set of standard answers to all the sort of usual queries that you get.

So that is, in effect, my rant. My main message is: customers don't really assess the risk properly in cloud service providers; they use the wrong standards for doing it; they have unreasonable expectations a lot of the time; and the people that are supposed to be representing us and giving us a much better solution to this aren't really representing us, they're working out ways to sell products to us so that we can maintain where we are, not actually get any better at doing this. So if anyone's got any suggestions on how to make this better, I would gladly take them, because like I say, I'm a member of the Cloud Security Alliance as well, and this is actually something that I've proposed to them as something they need to be considering as a work area within the UK.
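The "risk management 101" the speaker describes (baseline the on-premise risk in money, assess the provider's different risks the same way, apply contractual or technical controls, then compare the differential against the cost saving) can be written down as a small quantitative model. The following is an added example, not code from the talk or from the speaker's company. It assumes the classic single-loss-expectancy times annual-rate-of-occurrence (SLE x ARO) model for "pounds, shillings and pence", and every threat, figure and control below is constructed for illustration, including the unencrypted-tape-in-the-car scenario from the talk.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One risk scenario in a quantitative assessment (assumed SLE x ARO model)."""
    name: str
    sle: float  # single-loss expectancy: expected loss per incident, GBP
    aro: float  # annual rate of occurrence: expected incidents per year


@dataclass
class Control:
    """A compensating control (contractual SLA, transparency, encryption, ...)
    that removes a fraction of one threat's annual rate of occurrence."""
    threat: str
    aro_reduction: float  # 0.0 = no effect, 1.0 = threat eliminated


def total_ale(threats, controls=()):
    """Return (total annualized loss expectancy, per-threat ALE) after controls.
    Controls only apply to the threat they name; several controls on the same
    threat compound multiplicatively rather than adding past 100 %."""
    per_threat = {}
    for t in threats:
        aro = t.aro
        for c in controls:
            if c.threat == t.name:
                aro *= 1.0 - c.aro_reduction
        per_threat[t.name] = t.sle * aro
    return sum(per_threat.values()), per_threat


def compare(on_prem, cloud, cloud_controls, annual_saving):
    """The business decision the talk describes: two money figures, their
    differential, and whether the cost saving outweighs any extra risk."""
    on_prem_ale, _ = total_ale(on_prem)
    cloud_ale, cloud_detail = total_ale(cloud, cloud_controls)
    differential = cloud_ale - on_prem_ale  # > 0 means the cloud carries MORE risk
    net_benefit = annual_saving - differential
    return {
        "on_prem_ale": round(on_prem_ale, 2),
        "cloud_ale": round(cloud_ale, 2),
        "differential": round(differential, 2),
        "net_benefit": round(net_benefit, 2),
        "recommend_move": net_benefit > 0,
        "cloud_per_threat": {k: round(v, 2) for k, v in cloud_detail.items()},
    }


# Constructed baseline: the customer's current on-premise email estate.
ON_PREM = [
    Threat("unencrypted backup tape lost from IT manager's car", sle=250_000, aro=0.2),
    Threat("mail server outage", sle=20_000, aro=2.0),
    Threat("external breach of on-premise mail server", sle=150_000, aro=0.1),
]

# Constructed provider assessment: different threats, not a copy of the on-prem list.
CLOUD = [
    Threat("provider-side breach of tenant data", sle=150_000, aro=0.05),
    Threat("provider outage", sle=20_000, aro=1.0),
    Threat("data return failure at contract exit", sle=80_000, aro=0.05),
]

# Constructed contractual control: an availability SLA with credits halves outage exposure.
CLOUD_CONTROLS = [Control("provider outage", aro_reduction=0.5)]

ANNUAL_SAVING_GBP = 30_000  # constructed: licence and hardware cost removed by the move


def worked_example():
    return compare(ON_PREM, CLOUD, CLOUD_CONTROLS, ANNUAL_SAVING_GBP)


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

Run it and the tape-in-the-car scenario dominates the on-premise figure, which is the speaker's point: the customer spent 45 minutes on the provider's key rotation while his own baseline carried the larger exposure. Swap in figures where the provider's ALE exceeds the on-premise one and `recommend_move` flips unless the saving or the controls close the gap, which is exactly the "is the cost saving so great that it's worth taking that extra risk" decision.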
