AWS re:Inforce 2019: Balancing Cloud Innovation and Security (GRC317)



Okay, I think you saw now, right, the mic is okay. All right, good afternoon everyone, and thank you for being here. Welcome, everyone. So this session is about how innovation and security, actually it is more about security assurance, right. So we are going to dive deep in terms of the cloud accreditation systems that are in play today in the world. So let's get started.

So in recent years you will see that there is an emergence of the fintech industry in the world, and that has caused financial institutions in particular to start rethinking the way they look at new technologies and change their approach in the adoption of new technologies. They know that if they do not change, they are going to become obsolete very quickly and be replaced by all the various new fintech services that are out there. So for financial institutions that have embraced the public cloud, they have started to realize the efficiency that they can gain by using the cloud, for example in the areas of high-performance computing, data analytics, digital transformation, security and compliance, as well as disaster recovery. Cloud has also enabled a lot of these financial institutions to innovate faster and open new market opportunities at the same time. For example, they can now experiment with new mobile applications and find out whether the customers like those new experiences through their usage and also through their responses, and through the experimentation they can iterate very quickly and innovate very fast. So that allows them to open up new markets and address new customer needs as they grow, and all this can be done without actually the need for investing in expensive infrastructure and also the data center itself. Financial institutions, of course, also have petabytes of data about the customer transactions and all the things that are going on in the industry, so they can actually use cloud-based setups, cloud-based data lakes, and establish query services to be able to do data analytics and find out
the behavior patterns of customers and so on very quickly, again without the need to set up data warehouses.

So in fact, if you look at every industry itself, there are changes that are going on, and in every industry there are early adopters of cloud that are using the cloud technology in very meaningful ways. So governments are also starting to pay attention to the cloud, especially in the public cloud space itself as well. They are learning that the ability to innovate is becoming very critical and transformative for governments, especially in the areas of providing a better citizen experience, strengthening public safety, as well as lowering cost. So today there are more than 5,000 government organizations, 10,000 educational institutions and 28,000 nonprofit organizations that are already on the AWS cloud. So a lot of these customers have now recognized that it is not just innovation that is the good reason for using cloud, but in fact security is also an important factor, which I will elaborate on slightly later.

But if security is not positioned carefully, especially when we look at how to gain security assurance of cloud service providers, not just hyperscale cloud service providers like AWS but also the providers on top of the infrastructure stack itself, especially the SaaS providers, you will find that security could become a showstopper. It could become a bottleneck in the cloud adoption journey that can slow down the entire program of cloud adoption and cloud migration. So security accreditation is one of those very key areas that governments especially need to pay attention to. Of course, enterprises have also been doing a lot of those things, but they are predominantly basing their approach on international standards and industry best practices, which again I will talk about later on. So the objective of this session is really for us to share
best practices from our observation of and participation in many of these cloud accreditation programs, both in the government as well as in the commercial sectors. So we will take a quick overview of the current situation, especially in the international space, of what governments are doing: what are the approaches they are taking, for example publishing a cloud first policy or a cloud by default policy, establishing a cloud security accreditation scheme, and some of the challenges that they are dealing with today. We will dive deep into some of these accreditation schemes and present a proposed framework in terms of what is the way that could actually balance the desire to use cloud to innovate faster and at the same time achieve the security objectives of using cloud as well, without compromising any security. We will also review, from the perspective of the shared responsibility model, what are the implications when you are moving into the cloud, given that in the public cloud arena shared responsibility is a very important area to pay attention to. After that, I will summarize what we have gone through before we close the session itself.

So let's dive in. If you look at this chart, since 2011, when the US federal government launched the FedRAMP program with the cloud first strategy, today we have about 22 governments in the world that have published some form of cloud first, or cloud by default, or more recently a cloud smart or cloud native kind of policy, which is what the UK government has done recently. There are also a large number of governments that do not have a formal policy in place, but they are also going very quickly in terms of adopting cloud and looking at how to leverage the cloud, the public cloud itself, to be faster, to provide new experiences to their citizens, and also new services and so on.

So why public cloud, you may ask? These are some of the reasons that
the various governments have stated in their cloud first policy or cloud by default strategy and so on. I would not read this in detail, but just to summarize, these are the key attributes that they are looking at, the key benefits that they are looking for, and in fact we all know that public cloud has been providing a lot of these capabilities, a lot of these benefits, not just to governments but also to the commercial enterprise world for the last decade or so, more than a decade. In particular I'd like to point out, for example, cost saving: by using public cloud you have the capability to convert your capital expense to variable expense, and because of the economies of scale that AWS provides, the variable expense tends to be much lower than any enterprise organization can achieve on their own by building their own data centers and on-premises services. Agility: the ability for any organization to be able to spin up hundreds or thousands of servers within minutes and be able to address big loads very quickly, with velocity. Elasticity: it means that they can scale up and down very fast when the demand is higher, especially in the government context when you look at the need to provide for, say, emergency response or an emergency situation where you need to announce a particular situation, and you can expect that suddenly there will be a surge of traffic to your website or in the use of your mobile apps, things like that. You won't want to provision thousands of servers to cater for this kind of peak situation when there are disasters and a lot of emergencies going on, and if there's a lot of emergency every day then there is a bigger problem to solve in the first place. So normally you provision on what is the normal traffic, and then when there is any emergency situation you can scale up very quickly and address all those sudden surges of load, and that is what
elasticity in the public cloud can provide. Of course, resiliency is something that we view within the AWS cloud infrastructure; as you attended, as you listened to Steve Schmidt, our CISO, talk in the keynote yesterday, he showed the global infrastructure that we have: we have 21 regions in the world and 66 availability zones that can allow applications to load balance between regions and do automatic failover and load balancing and so forth. So applications can be highly resilient; you can make sure your application is highly available even when a data center is down. Of course, operational efficiency comes along with all this, and I think more importantly is the security.

In fact cloud itself provides several security advantages. For example, one very strong benefit I would say is that if you compare to a traditional organization, in fact especially government organizations that have been running data centers for many years, in that case you'll find that you start to lose track of the inventory of servers and devices that you have in your environment, and this is a big problem not just in government but also in many enterprises that are on-premises. So just to get an inventory of these devices and servers you have to invest a lot of money to buy software, to install agents, to start collating all this information. The cloud itself actually provides a clean sheet for you to start all over again, in the sense that with your legacy applications and the new applications that you need, you can experiment with a new infrastructure, with a new security architecture, and if this doesn't work you can quickly deprovision it within minutes without regret and restart again. In doing this you only pay for what you are using, and you are not required to invest up front millions of dollars in order to be able to do that kind of thing. So you can
experiment from small to big very quickly. Another very important advantage is that in hyperscale cloud services like AWS itself there are already many security tools and services. I believe in yesterday's and today's sessions you have heard a lot about all the security tools: CloudTrail, CloudWatch, Config, Inspector, Security Hub and so on. There are so many tools out there that you can actually use just by clicking buttons, and you don't need to negotiate with any vendors for a free trial or get a budget of multi-million dollars to acquire the license in order to use these security tools or services. The same goes for all the other security service solutions that are available in the marketplace itself; you can again use them and only pay for what you are using, and if you are not going to use them anymore, you disable the tool and that's it, you stop paying for it. And that again is a very important capability for you to experiment, to actually be able to solve problems very quickly and protect your information and move on, and if things don't work you can start all over again very quickly with very low risk.

So these are the key motivators, really, for government organizations, and of course also for enterprises, to want to move to the cloud quickly, and of course behind all this is to drive innovation, provide better experiences and differentiate themselves against their competitors or other providers out there. Of course governments start to compare with other governments these days as well, so there is some kind of virtual competition that is going on. But of course these benefits themselves are not sufficient to make sure that adoption is successful; there are other factors that have to be considered. So these are the top concerns in a cloud adoption journey itself.
Again, you see security as one of the top concerns. It is one of the key enablers that I mentioned early on, and it is also a concern because there are fears out there, fears because of the perception of cloud security. So you have to address this, and it is very important in any cloud journey to be able to address this. Of course you have to have a strategy and a plan to address the legacy systems; you have to upskill the people in order to be able to operate in the cloud, to be able to develop in the cloud itself, or hire new talent. All these require budgets to be able to get things going. So there are two things that have to happen in order to be able to progress fast through the journey, but we will be diving into the security accreditation area.

So when you look at cloud security accreditation, there are many ways to do it. There are different processes that different governments or enterprises establish. There are probably a lot of cat lovers here, so I would not talk about cats, but it is a similar thing: there are many ways to cook your meals, so to say. But we can boil it down to four critical steps when we talk about an accreditation system. Number one is to establish the security requirements: what are the requirements that you need the cloud service provider to fulfill, to comply with, to meet before you can gain the confidence. This normally should be at least the same, if not a higher standard, than what you have been operating on in the traditional environment. From the cloud service provider's perspective it is to be able to document and implement the security plan itself to achieve these requirements. So in the U.S.
there is the NIST SP 800-53 standard that establishes the federal government information security and privacy requirements, and in the commercial world out there is the 27000 series of standards, the information security management system and related standards; we will talk a bit more on that. Once you have these security requirements, you develop an audit process or assessment process, so that you determine who should be the one doing the audit. It could be a third party, or also some organization such as an internal audit organization within the department, to be able to perform this kind of audit assessment, to know that the service providers are able to meet the requirements, to be able to validate their practices, their policies and so on. There are also international standards out there that prescribe some of the guidance in terms of how to audit an information security management system. (Lost audio.) Okay, so yes, ISO 27006 and 27007 are the international standards specifically designed to help establish the auditing procedures against the 27001 series of standards, and ISO 19011 is a generic auditing guideline for auditors. So with that you can go through the assessment itself; the CSP will have to go through the assessment, and after the assessment normally it will produce an assessment report. And the authority has to assign who should be the one that decides whether the CSP passed or doesn't pass the assessment, whether it meets the criteria, and how to provide the authorization. It could be a centralized body made up of multiple stakeholders, like the Joint Authorization Board in the case of FedRAMP, the Federal Risk and Authorization Management Program. FedRAMP itself uses the Joint Authorization
Board, and every agency can also have this authorization body established. In the case of ISO, it is basically the auditors that do the accreditation, and then the user organization would decide whether to authorize the provider or not. So then you will go through the authorization; the CSP will have to submit a report of assessment and other supporting documentation. And finally, it is to keep the system running: this is the maintenance phase. This is a very important phase because you have to make sure that whatever changes are going on in the environment get updated. Do you need to do a reassessment? When will you do a reassessment? Will you focus on only the delta, or assess everything over again? In the case of FedRAMP there is also continuous monitoring, where for every change that is going on in the system the CSP will have to revise the report to the authority itself to maintain the authorization. So different schemes will use different approaches in all these four phases.

So we will dive deeper again. This is a snapshot of some of the more prominent schemes that are available globally today. These are all government-run accreditation programs, except for the last one, which is the Japan Ministry of Economy, Trade and Industry joint development with the Ministry of Internal Affairs and Communications for a new cloud services security accreditation scheme, which they call the registration scheme. This is still in development today, but the rest are already in operation. You will find that every single one actually has a slightly different flavor in terms of the approach that they adopt. So say for FedRAMP itself, it was the first one that actually came on board, and it has a very established standard and established operation
today; it has gone through several changes. And then the AU, the Australia IRAP, is another program that mirrors to some extent the FedRAMP, but it's based on their own Information Security Manual. But the Information Security Manual covers all of the government's requirements, of which about 50% actually do not fit into cloud requirements, so the Australian Signals Directorate is actually changing the standard itself; they are upgrading the standard, and a new revision is actually coming out very soon. China also has its own scheme. The China scheme is based on five levels of security, impact levels, from impacting individuals all the way to impacting national security. So most organizations in the commercial world have to gain at least level three, but levels four and five are meant for government use. The difference is that in China's system today they are still not allowing the use of public cloud in the government itself, but the certification is required for all cloud systems, even when they are serving the commercial world, commercial requirements. Germany has a very different scheme, which I will talk about later on. And India actually simplified a lot of the approach: basically they again adopt the international standards and they use an RFP approach, publishing a request for proposal, at zero dollars, and for CSPs to get accredited basically you submit a tender, a kind of tender for the proposal, by submitting all your documentation and going through an audit to validate that all your certifications are correct and you actually have the service that you claim you are providing, and they visit the data center and so on. So the India empanelment system is a much more simplified approach, which actually is very low cost to maintain and to operate as well. The China program is quite stringent because of very specific
requirements that they have specified in their standards. And Korea itself actually has two standards: one is the Korea Internet & Security Agency (KISA) standard, and the other one is a version of the 27001 standard that is more broadly used in the industry itself. Singapore has a multi-tier cloud security standard, again three levels, and level three is meant for regulated workloads. Again, the Singapore standard is based on the 27001 standard, and only level three has more additional requirements, which are specified mainly for regulated workload needs. I already mentioned Japan, so I will not elaborate further. Another area to pay attention to is really the maintenance aspect. When we look at the maintenance, the cycle is mostly a three-year cycle with annual surveillance audits, except for FedRAMP and the KISA requirements, where they have continuous monitoring needs, so you have to provide reports of changes that are going on in the environment.

So these various schemes are not without problems; they all have challenges, and these are the top six challenges that we have observed and experienced over the past years as well. The top one is really about developing and maintaining the standards and the auditing process as well as the authorization process itself. Whether you adopt a particular standard or you develop one, if you reinvent, if you create new ones, it will take more time basically. The type of workloads: how to decide the workloads that you want to be able to run in the public cloud. Especially for governments, they are concerned about classified information, up to what level of classification and what workloads can actually be running in a public cloud. This will actually change as the confidence in public cloud security goes up over time; we have seen that
actually in several governments, like for example in Singapore as well as in Australia. Now Australian government agencies are already able to use public cloud for Protected information, which is a higher level of classification, and Singapore has already gone into Restricted classification kinds of information. Skills and expertise, as I mentioned: it's not just about people within the government organization being able to provide the standards and know about the security of the cloud, but it's also the assessors. Do you have a pool of people out there that are able to do the assessment, able to do the audit? In one of the programs that we've gone through, there is a shortage of assessors, so there's a long queue of requests for accreditation, but the assessors are so busy that they couldn't really get on board on the program itself to do the assessment. And then when it comes to the authorization, there's another challenge: the agency that's supposed to be doing the authorization does not have the resources to be able to handle the queue of reports that have been submitted, so some reports have to wait nearly a year before they actually get reviewed and get assessed. So all these basically add to the time for authorization itself. Of course, one of the other things that is important is the addition of new services: how do you cater for that? A lot of these schemes really didn't provide for new services, and they start to change over time to handle this.

So one example we can look at is the journey that the FedRAMP system has gone through. In February 2010, the US federal CIO announced the idea of FedRAMP, the Federal Risk and Authorization Management Program itself, and a few months later, in June, they established the baseline standards, created the standards, and then in November they published them for public comment, and until the next year,
February, the cloud first strategy came out in the federal government, and it became formal policy in December 2011. So this itself is already more than one year gone. And until May 2012, then nine assessors got accredited; you have to get a pool of assessors trained and upskilled to know how to audit the cloud and then get the accreditation. And then they started to actually do the accreditation; in June 2012 it launched, and the first provisional authorization, the provisional authority to operate, basically the authorization itself, but provisional, was published in December 2012, and AWS became the first, in May 2013, to actually gain the authority to operate from one sponsoring agency itself. So this process, if you look at it, takes three years and three months from beginning to end; even if you count from the first cloud first strategy, it is two years and three months. So that is a long time.

And Japan in fact is taking more or less the same journey. They published the cloud first policy in early 2018, established a working group in July 2018 to start working on the entire scheme, and then early this year they started to work on the standards requirements, to consolidate, to start mapping FedRAMP, the IRAP, the ISO 27001 and also their common standard that they had published two years ago for use in the government itself. So the standard today has not been formalized, and the scheme is going on trial probably starting in July; that is the plan, but whether it will launch on time we are yet to be notified. In fact today the ministry is going to announce the plan for the trial itself. So as you can see, that whole process takes a long time, so we actually need a system that can actually go faster than this traditional approach. So what is
a good system to do that? Of course, what we are saying is that the existing systems are not failures; they are just having challenges that we have to address. So we have to iterate to continue to make improvements, then we can become successful. So to have a good system itself, first of all we look at the criteria: what does it take to have a good accreditation system? You need to be efficient to operate, that means timely, to enable the cloud adoption journey to move fast; minimize the use of resources, because especially security resources are very limited, and to train someone to become a security professional takes time as well, and learning cloud takes time. So you want to be able to focus your resources on the most valuable assets, on the most critical path in your cloud journey, rather than everything that is going on. And of course the cost itself is also important as you go up the stack: you will have all the startups that are providing solutions, and you don't want a system where they have to pay a lot of money before they can actually sell to the government, because then the government will not be able to enjoy those services and innovate fast, so you will defeat the purpose of a cloud first policy. You want it to be effective, meaning that it can address the dynamic changes that are going on in the cloud space itself. And you want to be able to maximize reuse: how do I inherit existing schemes, existing certifications, can I reuse them as much as possible? And of course we have to recognize that there is no perfect security, so the same for security assurance, the same for security accreditation: there is no perfect system. What is the most practical way in order to move on, how to be pragmatic about it, basically. So those are the criteria, and that's why
the Prime Minister of Singapore, Lee Hsien Loong, mentioned in a conference last year that we must continually strike the right balance between security and usability. You want to be able to use it, and be secure; where is the balance?

So before we dive in further, these are the two schemes that are actually very popular today in the commercial world: the ISO 27001 standard and the American Institute of Certified Public Accountants scheme, the SOC standard, the System and Organization Controls reporting practice. The ISO standard has been in operation since the early to mid 1990s, where it started with a British standard, BS 7799; 7799-2 was the certification itself, and it evolved over the years. So today there are actually more than 20,000 organizations, maybe even more than that, maybe about 40,000, that have been certified under this particular scheme. When the working group worked on this particular standard to do the revision from the previous version to the 2013 version, there were more than 2,000 contributions by more than 50 countries in the world to help improve the standard. So in every revision there are thousands of contributions, and today the working group is still very active and they are still undergoing revision; in fact the standard is still undergoing revision as we speak. So this is something that every country, every national body that is a member of ISO, can actually participate in, contribute to, influence and raise the bar for the standard itself. The SOC standard, the SOC approach, is very common especially in financial institutions because of fiduciary reporting requirements on service provider integrity and security. So you have SOC 1, 2 and 3; 3 is basically a public summary of the SOC 2 report on the website, and SOC 2 itself is the most important report because it
talks about, it actually reports on, the actual security and privacy practices of the organization as examined by the auditors. So this standard itself is based on the SSAE, the Statement on Standards for Attestation Engagements, as I said, and the assurance reports on controls at a service organization is ISAE 3402. So the SSAE is the American standard and the ISAE is the international standard, basically. So it has a long history as well, since 1992, evolving from SAS 70 reporting, which stands for Statement on Auditing Standards. So the financial industry basically uses this as a means to know that the service provider is of good integrity and security when they provide service to the financial organization.

Besides the broad adoption and usage of these standards, another important difference is the way the audits have been executed, being carried out. So for ISO itself, it's a three-year cycle, so every three years there is a full audit to get a recertification, and every year there is a surveillance audit, basically examining what has changed and covering certain scopes that were probably not given full attention in the previous audit, that kind of thing. So there is a change of focus in the surveillance audit and then recertification every three years. But for the SOC standard itself, it is a six-month cycle, so basically the auditors sit in the premises of the audited organization. So they come to us, to our office, they park themselves there, a team of people park themselves in our organization, and they start to review our practices against our policies, to be able to validate and know that we are actually practicing our policy, what we said ourselves. So this is very important. And every six months they will issue a report, and
the report is several hundred pages. So when you look at the SOC 2 report you can have a very deep insight into our actual practice within the organization itself. So this is a kind of continuous monitoring or continuous audit that is going on, with a report every six months, and with the auditor actually inside the organization doing this continuous audit, there is also a much higher chance that the auditor would catch problems as part of this process itself. So this is another benefit of SOC reporting.

As a result of this high bar in terms of these different standards that are out there, the Canadian government has actually adopted, accepted, these standards as the prerequisite as part of their cloud strategy, and they did not implement a separate accreditation program as a result. So this is something of a good example to follow, in fact.

So another very interesting example that we have seen is the German, or sorry, before that, I'd like to talk about this first. So this is a snapshot of some of the government and industry certifications and schemes that we have achieved and continue to maintain over the years. So in the commercial sector, in fact all the enterprises, startups, all these different industry organizations are relying a lot on these standards to gain assurance of service providers like AWS, and this actually saves them a lot of time, a lot of effort and cost in terms of compliance, and more importantly they are able to leverage this to innovate faster and focus on differentiating their services to their customers with high confidence in the security of the cloud. So adopting this is the fundamental approach basically in the commercial world.

As I mentioned, another interesting scheme out there is the German C5, the so-called Cloud Computing Compliance Controls Catalogue. C5 actually is based a lot on the ISO standards and
and the basically again adopt the sock to report as the prerequisite alright so by using sock to and I saw itself they only required to verify some of these controls and with certain add-ons that they have and one other difference that they have implemented is the self disclosure itself so so disclosure basically is two provide more transparency of the crowd service provider in terms of things like the data location the place of jurisdiction all right the sort of certificates the supplication and duties of investigation and disclosure towards government's agency so they know what is the jurisdiction right whether law enforcement access would there be any problem you know all those are those questions that they may have is covered under the self disclosure itself so service provide they'll provide the kind of transparency so the Singapore standard the the multi-tier crowd security standard basically have the same same approach in terms of self disclosure so certified CSP basically publish their self disclosure in the government websites or the IMD a website in in Singapore right so so this is again a very useful approach right that saves a lot of course resources right by doing the verification of the existing certification and only doing validation through the audit of additional controls that are over and above existing certification and some reporting requirements so besides the the certification itself the standards itself right that laid the foundation in terms of security requirements the other aspect is the workloads how do I classify how do I determine what kind of laws can go into the crowd right so a lot of cuts traditionally to determine what kind of data can go into what system who can access what is basically the data classification approach right so this approach is based on how sensitive or how strategy are the information and the classification level right so and based on that you evaluate the IT system whether it can meet the classification and also 
the security clearance of the people involved in assessing the system and the information itself right but this approach has certain problems when it comes to the crown itself right so the challenges are basically we require the system to be very stable if they are changed then you have to re-evaluate the system right in the traditional environment system don't change that frequently right but in the internet environment first of all there are vulnerabilities update almost like everyday right so you have to assess the severity severity of the vulnerabilities and then you have to update the system once you know that this vulnerabilities is going to affect your your environment the patch is available you have to do update and you can be reassessing all these all over again just because of the ongoing updates and knocked all of that right so this provided at AWS right we we launched so many services every year right from 2011 there are active services updates and features right to last year there were nearly 2000 services and of the updates and features right so every year there are so many new services so you apply the old approach of data graphics classification which basically based on the military and intelligence organizations requirement you are going to get stuck right how do I proceed how do I do if all these changes that are going on so this this can be very challenging if you just take this lock store and barrier and try to use it right so we propose a slightly different approach first of all by having a tier approach the three tier system for example to classify based on the impact level Ferrum is also based on impact level far away right so how impactful if the data or the systems have been compromised right so it is for informations that are unclassified or public all day right normally the impact is low to to none right for administrative or restricted information so the same restricted in the context of Singapore Malaysia right restricted is actually 
the lowest classification but in some other organization restricted is the highest right so we have to be careful what we probably mean here right so the impact could be minimum right to be medium at most right because of administrative but mostly because of the aggregation that we are looking at right and then for high impact those are things that probably related to national defense strategy trade initiative or maybe national intelligence kind of information right so for each of this tier then you define the security deployment model what kind of security do I need to address the needs for this different impact level right so you can divide it again level one level two level three so I stayed as basic strong and in that protection right so for basic security basically you can use what Adi makes baseline security features that are already available in a crowd environment right and then when you move up the ladder to strong you can look at additional requirement like multi-factor authentication is a mass use of encryption it's a mass high availability architecture is a mass right so you up level the requirements with additional controls right and then when it comes to in-depth protection that you add on additional requirements like maybe there's a mandatory segregation of the network using V PC right or maybe you need a direct connect connection to the to the to the AWS region itself instead of going via the internet to come in right you need mandatory encryption maybe with certain encryption devices that you want to use right or keys that you are managing yourself something like that right so that would allow you to go higher and higher up the important about this is that first of all the level 1 & 2 or tier 1 and tier 2 su constitute maybe 80 or 90 percent of your workloads right it cannot be like majority of the overload are highly sensitive and classified then the government will stop operating right everything is sensitive then how is it going to serve the 
problem right that can be a problem right so we see that maybe 10 to 20 percent is really the real sensitive right in fact a lot of a lot of things are like that right so when when I was in my previous organization we as I'm in the the IP the intellectual property of our products right often we find that about 10 to 15 percent of the code are really the IP protect release require I people faction the rest of the crew decided to party cause open-source cool right well coach that you you probably has been reused many times right they are no longer that's ice-t right so the call data tends to be only about 10-15 percent at most 20 percent right so with this device what what it means is that now you can actually go fast right you can actually apply things like the German C Phi or the Singapore M TCS approach right to do verification for tier 1 and tier 2 and 42 maybe you want the audit to take place for the additional controls that you are on so this allows you to actually move very fast within a couple of months you can clear the service provider to to operate so this tier 1 and tier 2 rules even for tier 1 actually simple verification approach means that within a man or two you can actually start going right and what this means is that you can focus your variable resources on what is really critical the critical workloads out there the 10 to 20% of the workload they are really critical if you want to go deep to really as I mean what the service provider are doing in those area of concern right the additional controls that you really need to have alright those are the things and you can take your time to do that they can see 6 month I months no problem because majority of your workload is already going on right so another advantage she said because you are you start early what what does that mean it means that you can actually learn about what is what is really about using the crowd what is really about security in the crowd itself and through their experience you 
gain more knowledge more experience about the crowd security you can apply them in the tier 3 layers right so then your experience is used in protecting the most critical resource in the organization itself so that is really critical right so this is the real benefits of taking this approach so so this just basically summarized the approach versus the challenges that we talked about early on and basically all these means that you are able to meet the criteria that you set up earlier on right so I would not I will not go through the detail yeah in the interest of time right but you can read it read it slightly to run basically if you want to so adding another key key area of concern really is the share responsibility area right if you look at a lot of this approach that the government takes right when you start a methods I meaning the public crowd is so the tendency is to look at the cloud service provider how secure they are how how can I gain confidence how can I trust them right where are my data all those questions keep on coming up right but I forget that there is a part of responsibility that they are they they have to take care of right how do I make sure that our guys our people know how to secure stuff in the in the crowd itself right so anything that is below the virtualization layer right the host operating system the tradition the physical hardware the data center we are responsible we take care of it right we manage it but we expect our customers to be able to secure those things although we provide guidance we provide to services and order to help customer but the government's the enterprise they need policies the unique ID ins they need training right to address those things and this is the part that often miss out and that's why a lot of organization right have exposed data out there because they forget that even though the CSP is secure whatever workload they running in the CSP may not be secured properly right so that is the part that they really 
need to pay attention right and and that is the implication right so basically governments need to establish a a government-wide policy right in terms of how they are going to secure the alwah glue inside the crown right the of the crop had the security assurance right the accreditation system with the care of that but don't put all your eggs into their basket right make sure that any % of your resources actually focus on this and not in the accreditation because service provided I asked have so many accreditation right like Steve mentioned early yesterday we have 210 right the last count in terms of certification and attestation right so so this is very important and the other important aspect right is to re-engineer the IT operations and processes so that the people and the processes are able to operate the crowd and not based on the traditional approach because the crowd environment is very different right the fundamentals are the same right IP technologies all those things are the same VPC security groups are very similar to things like firewall networking right all those things very similar but they are still very different right so there is a new approach that you have to apply and so that's why again I could our prime minister of Singapore saying this right fundamental reengineering of government is essential to provide better and faster public services and this is what he is referring to they have to basically train we train the workforce to be able to operate the crowd to be able to use the right services for the white right hire application and able to provide the security to protect their data accordingly so the outcomes of this approach basically is to help you realize the benefits of crowd first policy earlier and faster crowd absorption right so by tearing the the workloads itself you can make sure that majority of them can go through very quickly right so better risk management and better returns in terms of your security investment all right so you 
can as I mentioned you can learn from your low sensitive workload right by going fast with that you can learn because even those feel given those get exposed you are not going to have serious consequences but you can learn very quickly and because of the the the elasticity and the agility of of the crowd itself you can shut down system very quickly you can do your investigation very very quickly as well right so you can respond far you connect on it fast and you learn fast and that experience allow you to make sure that you can protect the most critical workloads with the most important resource as well right and increase focus on implementing your user site of the share responsibility invest in this area and you will get very good outcome in terms of your crowd journey right so what are other governments doing about crowd innovation right so there is a whole lot of it right as I mentioned more than 5,000 government organization already using the crowd more than 10,000 education is – and 28,000 non-for-profit organization already using the crowd so there are many case studies out there so I wish you to visit this website and take a look at some of the example all day and one particular example I like to cite I still have a few minutes right is that the Singapore government again right a few years ago they started to consolidate all their web presence right a few hundred website consolidated into a common web platform right so all the bread presents in fact our private information in the first place so that is the best place to start right your your experience in the private cloud itself right and by doing that they realized that usually in the traditional environment they could take an owl to actually apply a security patch and some time the patch will feel and they will encounter intermittent failure of up to 30 minutes of tower time right when you move to the crowd itself right the the the time for the time for patch reduced from an hour to seven minutes there is 
a hundred and fifty percent improvement right when you count the number of servers they have hundreds of website so it is maybe a thousand or more than thousand servers out there right the kind of skill anchoring 50% or seven minutes is really important right considering the windows of our abilities compared to one hour of our ability over thousands of server and seven minutes of our abilities exposure that is tremendous improvement in terms of efficiency as well as security I think that it's most important to every one of us right so to in closing basically right gaining assurance is a key aspect it's a very important aspect right to move forward in your crowd adoption journey but it is not the only thing right and it's too demure so stop you shouldn't need to wait you can adopt a process that allows you to run faster right so we learn from early adopters right we learn from the problem how probably probably organization as well as commercial organizations and you can adopt international standards and and industry best practices they are the Vietnam they are not going to be worse than any organization security policy put it that way right because they are contributed by people from those organizations actually from governments and from enterprise participating in all these standards bodies right use the 80/20 principles right I must reinforce eyes that that allow you to lower to allow you to move low impact or medium impact will lose faster and learn from their experience right and of course take care of the user side of the share responsibility model don't forget that you need to have policies to manage what is in the crowd as well as re-engineer the operations and processes to be able to to operate security in the crowd as mentioned by Steve yesterday security has to be integrated part of the operation right throughout the organization in order to be successful and effective with that I think yeah so what's next is there are a couple of websites and and white 
papers out there that I wish you to follow up as well right so the compliance website give you more information about our compliance program this SmartCloud native policy white papers basically describe the process that other governments have gone through in the crowded option journey how they address some of the challenges that I mentioned the budget issues legacy system procurement system there's a big shift from capital expense to very to variable expense so the procurement processes has to change how did how they manage that right how they obscure the people and and hire new talents to to deal with to be able to to go into plow faster and gain experience and of course the papers over there the adult classification talks about some of the best practices out there in other governments and logical that separation basically talks about how we meet the u.s. DoD high-sensitivity requirements right they have a requirements for fiscal isolation physical separation of halfway right but we work with them and proof to prove that in fact the VPC dedicated host allocated instant encryption right and the use of diameters or this combined in various way we can actually achieve the requirements for the DoD the objective that they need to achieve is can be achieved through logical separation you don't need to actually have physical separation and you can still do it right and and these people basically describe the rationale behind and and and the facts that that the justification that substantiate all those data itself and then the five way organizations how they get compromised right the five which the organization get compromised and how to protect yourself this this block basically talks about the common malware approach right like social engineering attacks or that and how they actually gain access into all the organization and how things like data residency localization or physical separation is not going to solve your problem right but having proper security architecture 
right proper security management looking at every stack especially in terms of monitoring having proper Jews or these are important to be able to address this kind of issues out there there are constantly changing okay with that thank you very much for your attention I'm glad that we still have an audience here after one hour thank you [Applause]
