
I've Looked At Cloud From Both Sides Now

BSides RDU · 2019 · 35:04 · Published 2019-11
About this talk
Main Theater, Fri 1:00 PM, 45 min. Speaker: Algis Kibirkstis.

It seems that all organizations these days are either migrating critical computing capabilities to the Cloud, or have already done so. The benefits can be significant from financial, administrative and elasticity perspectives, but what about the drawbacks, such as the loss of hands-on control, the over-reliance on service level agreements and third-party audit reports, and the potential lock-in with Cloud providers? This tongue-in-cheek presentation will present the pros and cons of running critical computing services in the Cloud, highlight Cloud-related business risks, and expose the potential pitfalls when organizations don't sufficiently staff up to perform adequate assessment, oversight and control on these external infrastructures and services.
Transcript [en]

So, with a warm welcome, I would like to introduce Algis. Thank you.

♪ Swirls and curls of angel hair ♪
♪ And ice cream castles in the air ♪
♪ And feathered canyons everywhere ♪
♪ I've looked at clouds that way ♪
♪ They only block the sun ♪
♪ They're rain and snow on everyone ♪
♪ So many things I would have done ♪
♪ But clouds got in my way ♪
♪ I've looked at clouds from both sides now, and down, and still somehow, it's clouds' illusions I recall near me ♪

Alright, good afternoon, everyone. Welcome back after lunch. Does anyone by any chance happen to have recognized the dulcet voice that was behind that song, behind that interpretation of the song? Anyone at all?

So, not many Star Trek fans here today. Well... we're at a security conference, so I figured I'd try to get, you know, from the dark side of the geeky realm. It's the gentleman on the left. It's Leonard Nimoy. In the days of the 70s and the 80s, it became quite popular for a lot of these actors to start dabbling into the musical realm. They thought they were good at something, or more or less good at something, that perhaps they could be more or less good at something else. And so I figured that it would be logical to lead with, you know, the original author and the singer of the song, Joni Mitchell, a proud Canadian. And apologies to those illustrious artists who have much, much, much better versions of this song, including the illustrious names that are there, including, of course, Sporty Spice and Courtney Love and the rest of that. And for anyone wondering, again, for those that are in the Star Trek geeky realm, there is no... William Shatner version.

Now, why am I bringing that up? Well, Bill Shatner, all-around nice guy, famous Montrealer (I am from Montreal), McGill University alumnus, and even the Student Union building is named after him. Best known as an actor, perhaps in a loose sense of the term. He's an author, writes about Star Trek, produces stuff about Star Trek, directs stuff as well. But he is also a recording artist, like you could have seen from, you know, he shared the other half of that CD cover. Eight albums now, for those who like eclectic. Bill Shatner is best known as an actor, but he's second best known as what I would say to be a spoken word artist. He's got a certain way of expressing himself, and I guess perhaps he sings as well or as badly as I do. So he didn't create the spoken word realm, but, well, just by watching this clip I think that you'll see that he's nailed it. "Oh, I miss the earth so much. I miss my wife. It's lonely. Timeless." So there were... Thanks, Bill. Thanks for going beyond the realm of television. Really appreciate it. Oh yeah.

So my talk today is on cloud. Oh no, no, no. None of that music again. So, talk is on cloud. I wasn't a proponent of it or a big fan of it. I work exclusively in it now, and I just wanted to share a few stories or insights. Standard disclaimer: these are my opinions. You may not share them. Please feel free to challenge me. There's a question and answer session at the end. All right?

So if we can start with an informal poll for those that are here, just so I can get an idea of the room. Who has sensitive data in the cloud? Talking about nominative data, personal data, business confidential data. Awesome. Who's planning to move sensitive data to the cloud? All right, yeah, some of them have, and some of them are putting in more. Who has decided not to move that stuff into the cloud? All right, awesome, and we'll cover some of these aspects. Who has, buzz term, buzzword of these days, who has critical infrastructure in the cloud? Awesome. Networking, yeah, databases, right? Who's planning to move that stuff into there? Who's got management that's forcing them to do this? Awesome. And who doesn't want to even go there? Awesome. I feel like I've got feet on every side of this one. So we've got the cloud. And there you go.

So we've got all sorts of, just a few definitions to just ramp up people who may be more or less familiar with it. So we've got infrastructure as a cloud. So that would be your material stuff and everything, or foundational type of stuff. You've got software as a service, and that's usually the stuff that you interact with directly, right? Your application-level stuff. And then you got PaaS, which is somewhere in the middle. And then you've got a bunch of, yeah, -aaSes. And then you've got public, which means that you subscribe to something, and you've got private, which means you have it all in-house, and a lot of organizations still do this today. And then you've got hybrid, so you've got, again, a foot on each side. So maybe an organization might decide to, you know, go in and get an account in AWS and do all sorts of big data, cool stuff, but yet they may decide to keep some of their sensitive data, or some stuff that doesn't port as well, outside.

Today's technical focus seems to be more on third-party processing and storage. I saw that the SANS Institute is a sponsor for this event. SANS used to offer a course that was private cloud, and now they've put that aside, and now their only offerings are dealing with the public cloud. And that's where the market has tended to go these days. Upper management focus seems to be fixated on cost cutting. All right, and we'll look at this again a little bit later, but it's a huge one, right? They want to be able to streamline things. This thing is a magic thing, this cloud thing, and we can cut operational costs. We don't have to buy anything. And at the end of the day, we're just going to have, you know, a couple of trained monkeys, perhaps one to watch the presentations of the other, and that's going to be pretty much it, and everything just magically runs itself.

The obligatory definition, right? Cloud is what? Allows you to, once you have a subscription, add as much processing power as you want, perhaps on demand, perhaps automagically, and a whole bunch of other capabilities, and managed networks, service storage, application services, you name it, this thing does it. It's a magic all-in-one. So basically, if you've got a computer or a phone, and a logger digital, and you've got a credit card, you've got some of that cloud action going for you. So all is good.

It's really great. A lot of benefits here. I put little asterisks next to the ones that attract upper management attention. Certainly you don't have to buy anything, right? It's a subscription model when you're going out and, you know, into the cloud, your AWSs and your Azures of this world. And it should reduce overall costs. Simplifies accounting, because you just got one bill to pay, or at least one per instance. You've got on-demand self-service. You've got a perception of having reduced training burden. You know, if this stuff is in the cloud, the security can be handled by those magicians over there, and rightfully so, to a certain degree. And there's a whole bunch of technical improvements, many of which you have certainly seen, and some of this I've mentioned already.

Now, just to go again with the Star Trek thing, it's no longer a place where no man has gone before. Many people use it. Many organizations do it. This is just an example. There are hundreds. There's a new series of Amazon Web Services commercials that are out these days that basically scroll through all the different kinds of organizations or services or clients that they have, and they're pretty ubiquitous, and, you know, they're the big player, but there's a few there as well. And they dabble from private to public services. The province of Quebec, where I live, they're absolutely huge there, and they've decided to go all in in the cloud. But then you have to be careful when you first look at this to see, well, when people say all in, what do they really mean? And in some organizations, like I had mentioned a little bit earlier, they put some or most or strategic aspects or high-availability aspects in the cloud, but some of the components they keep internal.

So by going through a subscription-based model like your Azures and your Google Cloud and your AWS, are we really raising that security bar? You know, they've got experts there. They're competent, they're certified, that's what they say on their websites, that's what I've seen by meeting these people. They really do have competent people there. And their configurations are supposed to be, you know, sanitized for our protection, well protected, well configured, reasonably well configured, and so on. But yet these things have to be permissive enough with respect to their configurations that people can actually use them from the get-go. And we already had a few talks, I believe this morning, certainly one that I was able to attend, where we addressed that particular issue that things are generally insecure by default, even security software. And this goes as well with respect to the cloud.

And we need to go and look through the soft wording in SLAs. Now I took a quick look just before this talk to see what buzzwords are considered to be very popular these days in SLAs. Azure uses, actually explains what they mean, what we consider by being available or highly available. So they use these terms, but then they propose a definition of what it really means to them, and maybe not necessarily to us. Whereas AWS likes to use this term that they will do everything that is commercially reasonable to ensure high availability. So, despite the soft wording, and perhaps there's certainly disclaimers in there as well, there's an issue to see beyond the soft wording and see, okay, so they're doing the, you know, CYA exercise, but what are we really getting, and is it better than what we can do at home?

So despite the fear, despite the uncertainties, and despite the doubts, the security benefits of going in the cloud are real. You've got an SLA, you've got someone to go after. They are demonstrable. They can have certifications. You've got these SOC 2 things, an ISO 27001, beautiful certificates that they put on their walls. You've got FedRAMP for the organizations that can actually attain those lofty goals. And the benefits are tangible for an organization. If they're doing some stuff that your organization doesn't need to anymore, then that's awesome.

And we have a history of trusting other organizations to protect assets, right? The newborns, money, vaults, our passwords at work. We usually use a corporate password vault these days, and many of us have our own on our smartphones. And we trust them to do the right things. So tamper-proof ID bracelets for the newborns, locked doors, things like that, video cameras, two keys for opening a safety deposit box. And look, even Wells Fargo in the old days, I understand they've got some challenges these days, but as one of the original ones that went coast to coast in the United States, they didn't even go by security through obscurity; they were advertising as they were going through the wild, wild west. And there is strength in numbers, right? So the more people are using a certain service, the more the cost per head goes down, so to speak, and you're able to invest perhaps more in protection mechanisms that can serve all. And cloud service providers have many high-profile customers that they can't alienate, or they'll lose that segment, they'll lose trust, and they'll lose that segment of business. But there's always that cost-cutting thing that comes into play.

But what if we all end up sharing the same weaknesses? After all, we're all putting our money in the same banks, right? All putting the babies in the same nursery, all going to the same three main, but there are many smaller players, cloud service providers. What happens? We're all in, and we all end up being vulnerable to the same thing. A thing that we're not even under control of. What if somebody finds that Achilles heel? Everyone's got the same Achilles heel, and we may all end up being vulnerable to one strategically placed, well-placed, targeted attack. And I apologize again to those Star Trek fans for mixing with Star Wars. Apparently that is forbidden, but I thought the Big Bang Theory took care of that by grouping everything together. And then we can feel comforted in saying, well, okay, well, we might be gone down, and we're just one of these little stars here, and we've got company, and misery loves company.

So there are cloud-related business risks, and there's a few that are listed there, right? Our reputation could be stained due to something that happens that is outside of our control. It could be regulatory pressure that says, "Oh, well, you know, you really have to do your due diligence, and if you transfer your due diligence to a third party, well, then you're ultimately responsible." But yet you can't really see through that opaque wall of what's going on there in the Azure world. And you've got multi-tenancy issues, so again, you know, you're subscribing, and how do you ensure that, you know, you're Ford and then your next-door neighbor's General Motors and you're both in the same service provider, how can you ensure that they can't go peek and see what's going on in your side of the world? And of course the privacy issues with GDPR and so on. How do you ensure that people are adequately protected with their information? How do you make sure that, according to the European law, of which you may be subject to either as a business decision or because of legal issues if you happen to have direct business relations or a regional office for a company based in Europe, and all of a sudden you say, well, you know, according to GDPR you have the right to be forgotten, right? According to the laws over there, on request you can say, I want all traces erased of me. How do you really do that effectively in the cloud? How do you remove all those traces, not only in the instances that you know of, but those mystery hidden AWS instances that they don't advertise, to ensure the resiliency and the high availability? How do you ensure that it gets erased from all of their backups? And where are those backups? So we'll address a few challenges. There's a short list there.

At the end of the day, trying to avoid, you know, try to perhaps cut our subscription to the Dumpster Fire of the Month Club. I should be hearing a little bell in the back of the room every time we mention Dumpster Fire during the course of these sessions.

So, first one: over-reliance on SLAs, on service level agreements and third-party audit reports. Third-party certificates and audit reports don't paint full pictures. Who's had the luck and privilege and honour to have to look at these kinds of reports when doing assessments, right, of these third parties? Who enjoys doing this? Who can see through the opaqueness of the way these things are written? You know, you go on the Azure website, right? And, oh my goodness gracious, there's dozens of these things, right? And Amazon is worse. And they do great things. They allow you to do a lot of wonderful things. But they're very dense and they're very difficult. You know, you've got a certificate that's saying we're ISO 27001 compliant, right? So they've got an information security management system in place. They have control over their controls. Awesome. They list all of the controls that are in the associated standard, ISO 27002. All these different things that they have controls for, from an administrative perspective and technical perspective, compliance perspective, you-name-it perspective. But yet the details: what do they check? Where do they check? Now we got a certificate, man, trust us. So you don't paint the full picture, so you got to fill in the gaps. How do you fill in the gaps? Oh, we got a security questionnaire. Who has security questionnaires that they send out to organizations? Less and less than before, right? Who gets responses back? And for those that get responses back, are those responses even remotely useful for what it is that you're trying to do? You're either going to get these vendors that reply and say everything is compliant, one-word responses, or they go on and say, well, applicable to this, but then you don't know applicable to what, and then at the end of the day, you're playing whack-a-mole and trying to figure out what is going on. So you don't really get a full picture either way.

Cloud service providers are increasingly open and tolerant to stress and pentesting. That's good news, right? Nowadays, aside from perhaps the administrative interface to manage your account, and perhaps as long as you get yourself a dedicated IP space, you could pretty much, you know, go for gold and try to hammer away and find out the weaknesses. So that's good. The problem is, often in these implementations, you don't really get the information or the results or the answers back from your tools that you would expect to get. Packets get dropped, connections get reset. It's really tough to find out what's going on even when you do your due diligence by going beyond a questionnaire and actually putting them to the test. And it can be very difficult to change clauses in agreements. Who's tried to change clauses in CSP agreements? I know I have, many times. Who has been successful? I know I haven't. And that's usually the case when smaller organizations, people that are not at the top tier of this world, the FedExes and the military organisms of our country, don't have the power over these vendors. So one of the tactics that is being proposed is, well, find someone your own size. You know, using the old one-neck-to-choke metaphor, you know, finding someone that you've got a handle on, that they are ready to respond to your needs and your whims or your particular aspects that perhaps the biggest vendors just simply decline to do. And if you don't like it, just go to door number two.

Second aspect is loss of hands-on control to your data, right? We're letting Jesus take the wheel. Or in this case, we are letting the Azures and the Googles and the AWSs take control of it; we're buying a subscription, we accept your terms and conditions, we give you money, please do the right thing. The challenge, though, is that even though you know on a contract where your data is going, you may not necessarily know where that shadow instance is in AWS, like I was mentioning, or where those backups are located. You may have limited visibility or absolutely none at all. For those that are outside of the US, they're impacted by the CLOUD Act that was enacted here a few years ago. See, I'm in Canada, and the example that I know in one of my clients that they faced is they had an obligation that all of their data would have to be residing in their country, such as in Canada. Oh, we're covered. That was our requirement, and we checked it off. Then this law comes into place and said, well, okay, well, where's Google based? Where's AWS based? Where's Microsoft based with Azure? Well, any US resident or citizen that happens to have information outside of the country, all of a sudden now the doors have to be opened and that data needs to be made accessible to the affected authorities. And then these organizations have to now be able to turn around and pivot and respond to these requests, instead of turning around and doing the easy thing, which is just give them everything.

If you have encryption as a way, as a magical tool to have control over your data, or at least to read capabilities to your data, where is it implemented? Who has the keys? Is it in the same cloud provider's hands? Are you protecting those keys? Okay, how are those keys protected? If you're storing the keys locally in your organization, this is becoming more and more prevalent, who's got control over unlocking those keys? And so on. Just because you got encryption, at the end of the day, whoever's got the keys in hand is really the one that has access to the data.

And then it's my biggest pain point, and that's vendor lock-in. Now I worked in the telephony industry before, and vendor lock-in was a very, very real thing. And vendors, especially the bigger vendors, when they saw that technology is evolving from, say, in mobility, from 2G to 3G to 4G and now 5G, and there's already work groups set up for 6G, there's an opportunity to dump that vendor that we don't really like so much and go to another one. But you still want to keep those things like a customer database, in these home location registers, for example, these glorified databases that you've got basically all the client data in. And then you want to port it over, and you've got this contractual agreement that says, "Okay, we have access to our data. It is inside your equipment. We want it out now." And what organizations found out is that it ain't so easy. If they would give it to you, it would be in a format that wouldn't be readable, or it would be in a format that seems to be readable, and then, well, good luck to you. And in organizations you can stumble on things as trivial as the character set that you use to be able to run into major, major problems in terms of porting data from one environment to another. This exists certainly in the cloud as well. Who here, if any, and I'm hoping to see at least one hand, has a plan to be able to back up and restore in another cloud vendor's environment? Awesome, and I hope there's going to be more of you in the future. It ain't that easy, I'm sure. I'm pretty sure a lot of the people that raised their hands, they have the bruise marks to be able to prove it. Can you retrieve your data in a standardized usable format? Your JSONs, your XMLs. Imagine how big these things are going to be for some instances. Have you generated dumps, backups? Have you made them available? And have you actually attempted to do restoration? Right, nice to have a backup plan, but a backup plan without a restore plan, or a tested restore plan that works, ain't much of a plan.

A few other bonus parts. Like I've mentioned before, a lot of organizations look at cloud as a magic way to cut costs. We don't have to buy. Our organization has decided our new five-year plan or our new strategic plan says we are not buying anything anymore, we are going subscription-based. We're going to save money. And look, the cloud is there to save us. And there are other organizations that say, "Alright, we don't like to have operational costs." Right? The day-to-day stuff, all our people doing the hands-on monitoring and management of these solutions. We want to cut costs there.
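The speaker's point that whoever holds the keys has access to the data, and the earlier question of how you erase one person's records from provider backups you cannot even locate, both come down to the same design. The following is an added example and not code from the talk or from any cloud provider: envelope encryption in which each stored object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves your premises, and an erasure request is honoured by destroying that subject's KEK (crypto-shredding), which makes every replica wrapped under it unreadable wherever it sits. The `LocalKeyStore` class, the HMAC-SHA256 stand-in cipher and the sample record are assumptions for illustration; a real deployment would use AES-GCM and an HSM or on-prem KMS with the same object layout.

```python
"""Envelope encryption with a customer-held key-encryption key (KEK).

Added example, not code from the talk or from any cloud provider. The
authenticated cipher is a stand-in built from stdlib HMAC-SHA256 so this runs
without third-party packages; in production use AES-GCM or a KMS/HSM API.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key, label):
    # Independent encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Verify the tag before decrypting; a wrong key or tampering fails closed."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered object")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class LocalKeyStore:
    """KEKs kept on-premises (hypothetical stand-in for an HSM or on-prem KMS)."""
    def __init__(self):
        self._keks = {}
    def create(self, kek_id):
        self._keks[kek_id] = secrets.token_bytes(32)
    def wrap(self, kek_id, dek):
        return seal(self._keks[kek_id], dek)
    def unwrap(self, kek_id, wrapped_dek):
        if kek_id not in self._keks:
            # Crypto-shredding: with the KEK gone, every copy wrapped under it
            # (replicas, backups, snapshots you never saw) is unreadable.
            raise KeyError("KEK %r destroyed; data is unrecoverable" % kek_id)
        return open_sealed(self._keks[kek_id], wrapped_dek)
    def destroy(self, kek_id):
        self._keks.pop(kek_id, None)

def store_object(keystore, kek_id, plaintext):
    """Client-side encrypt before upload: fresh DEK per object, wrapped under the local KEK.
    The returned dict is all the provider ever holds; it carries no usable key material."""
    dek = secrets.token_bytes(32)
    return {"kek_id": kek_id, "wrapped_dek": keystore.wrap(kek_id, dek),
            "ciphertext": seal(dek, plaintext)}

def fetch_object(keystore, obj):
    """Unwrap the DEK with the local KEK, then decrypt the object."""
    return open_sealed(keystore.unwrap(obj["kek_id"], obj["wrapped_dek"]), obj["ciphertext"])

def provider_can_read(obj):
    """What the provider, or a request served on it, can do with the stored object
    alone: try a key of its own. Without the KEK that fails closed."""
    try:
        open_sealed(secrets.token_bytes(32), obj["ciphertext"])
        return True
    except ValueError:
        return False

def erase_subject(keystore, kek_id, replicas):
    """Honour an erasure request without locating every backup: destroy the subject's KEK.
    Returns whether each replica is still readable (expected: all False)."""
    keystore.destroy(kek_id)
    readable = []
    for obj in replicas:
        try:
            fetch_object(keystore, obj)
            readable.append(True)
        except KeyError:
            readable.append(False)
    return readable
```

One KEK per data subject (or per tenant, or per retention class) is what makes the erasure selective: destroying `subject-42`'s KEK leaves every other subject's objects readable, while the provider's replicas of subject 42, including the ones you were never told about, become ciphertext nobody can open. The same layout is what a provider-managed key cannot give you: if the KEK lives in the provider's KMS, the provider, and anyone with legal leverage over it, can unwrap the DEK without asking you.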

So we want to buy. Now I worked recently as a client for, as a subcontractor for, an organization that wanted to cut costs. And they actually did the opposite of the first part. Said, "Alright, you are a cloud provider. We want to buy three years' worth." Three years, in our opinion, is a capex expense. Who here in this room has seen an organization go from one end to the other end and back again? I think I've got whiplash with many of the contracts that I've been under. What they're trying to do is say that we want to save on both. How are you able to save on operational expenses and on capital expenses? Again, it's that magical cloud.

And while hands-on technical control is given to the third party in exchange for your money, the suggestion would be that you tend to refocus. Not eliminate, say, a security team or an operational team, but allow them to refocus on things that you're supposed to do, that you're bound to do by contract, such as oversight. Right? If an organization outsources to a third party, that organization is still responsible for the execution of those functions that have been outsourced. Well, if you don't do the oversight, then all of a sudden you're doing less than you've done before, and you're exposed to aspects such as negligence. And then you should have some available bandwidth to actually do the stuff, say from a security perspective, that you've always wanted to do, but you've always been so busy doing with respect to good housekeeping, or basic sanitization, basic encryption or access controls or that kind of thing. That would give you the opportunity to refocus, perhaps with a smaller team, but a team nonetheless.

Then you got the elephant in the room, shadow IT. Now you've got these capabilities where everyone has got access to the internet, or phone, for those that go by phone, and a credit card, to be able to get something in the cloud for yourself if your organization is not quick enough to be able to get that thing for you. I was in an engagement recently, an audit engagement, where an organization was too slow in providing capability to have a governance platform introduced, a GRC platform, right? Governance, risk management, compliance. But they had to do it for regulatory purposes. And so what they did is they got their own subscription. They pitched in, three, four people in the team, ponied up ten bucks or so a month, and they got themselves a SaaS subscription to a solution that provides this GRC capability, including all of their audit report findings, including basically a blueprint to all the weaknesses, a blueprint to the Death Star. And they had not implemented the necessary security configurations. They had a shared password with a shared account, default password. Well, you can possibly imagine. So shadow IT is a big thing that needs to be looked at and considered. And that's basically why it's been flagged out there. Just because you're going cloud, chances are if you're not moving fast enough, others are doing it one step or two steps ahead of you.

So is cloud the final frontier? I don't think so. Cloud is relatively new. It's only been around for, what, 20-odd years or so? I know that it's become, recently, you know, we're using that word, term, now. We had other terms for it before. And there'll probably be some other cool stuff that comes up at some point along the way. But right now, this is what we got. And it's very compelling. And so while it will not be the final frontier, it is the current one.

So I would have three suggestions. And one of them is to just do the oh yeah, oh yeah, and drink the Kool-Aid. It's there, people want it, contractual obligations are less and less binding for you to have direct control of some of the information inside your organization. They're more permissive to having it outsourced to a third party. And it is so compelling from a financial perspective and from a security perspective, it really gives organizations a new way to pivot and say, "Okay, can we give up the good housekeeping thing and stop dealing with the trivialities that we have been stuck doing for years or decades, and we can move on to application-specific or business-specific risks and deal with the stuff that is really hurting us, and not just doing the basic housekeeping stuff?" Trusting but verifying. Demand transparency from your vendors. Scrutinize those assessments. Ask questions, and if they're not answering, maybe pivot and find someone else who may. Heck, for all you know, there might be a reseller of those big boys that might be more responsive to answer the questions you're asking but the big boys aren't answering. And finally, controlling your data. Make sure that you can repatriate when you want, make sure that you protect it when it's sent somewhere else, and make sure that you're managing and controlling the keys.

So that's basically the content. Now if I could oblige, if it's possible, to just dim the lights a little bit, if it's within our control, and if not, I can still do it in the daylight. I'd like to wrap up with using the inspiration that I got from the very beginning of this session, and share my thoughts and my experiences of the Aspen.

I thought it earned my silvered hair, got her lose it and didn't care. Then clouds popped up from everywhere. I feared clouds that way. But now I see I've just begun. Clouds advances I just can't outrun. So many things I could have done. Once clouds

I wasn't able to choose the word to... Mind, that's why I inserted there. Great app, Chateau Retrie, I'm pushing it. Best $10 I have invested in my life. Thank you very much for your patience and understanding. Do we have any questions? Any questions? Did I hear a peep? I've got, to encourage people to ask questions, I've got beautiful CDs for those that have CD readers. Off the space, that album. They make great coffee mug coasters. If there are no questions, thank you very much. You're more than welcome to pick these up. Have a great rest of the conference. It's a wonderful event.