Cloud-Based Service vs. On-Premise: What Physical Security Practitioners Need to Know
Joey St. Jacques, Hydro Ottawa
Ottawa, Ontario, Canada
This session covers some of the challenges facing physical security practitioners in determining whether a cloud-based service solution is ideal for their organization.
Hydro Ottawa, which provides electrical distribution and generation for the National Capital Region in Ottawa, Ontario, Canada, will discuss the successes and the challenges faced when integrating a cloud-based enterprise access control platform.
Overview
Company Profile
Driving Factors for Cloud Computing
Overview of the Cloud
Business Case (SOW)
• Vendor - Criteria
• Return on Investment
• Capital vs. Operating
• Cyber Security – Compliance
• Privacy – Data Location
Security of the Cloud
• Perimeter Layer
• Infrastructure
• Data Layer
• Environmental Layer
Benefits /Lessons Learned
Questions
Hydro Ottawa Holding Inc. [Hydro Ottawa] is 100 percent owned by the City of Ottawa. The core businesses of the Corporation are electricity distribution, renewable energy generation and related services.
Energy Ottawa Inc.
Energy Ottawa is the largest municipally owned producer of green power in Ontario
➢ Six run-of-the-river hydroelectric generation plants
➢ Ten additional run-of-the-river facilities in Ontario and upper New York State
➢ Hold interests in two landfill gas-to-energy joint ventures
Company Profile
The Centre for Energy Advancement through Technological Innovation (CEATI)
CEATI’s efforts are driven by 130+ participating organizations (electric utilities, governmental agencies), represented within 20 topic-focused programs across generation, transmission and distribution.
Physical & Cyber Security Chair
WHAT WE KNOW TODAY.......
➢ Most organizations see security as a cost center
➢ Security practitioners are tasked to review costs for reductions/efficiencies
➢ Justify our budgets
➢ Do more with less
Driving Factors For Cloud Computing - What Keeps OUR CIO Awake at Night?
How much time does your IT team spend managing & updating infrastructure related to legacy systems?
Are they trained experts and efficient in managing?
Network/Cyber Security
Is my solution secure?
Uptime & Resiliency
Is it running?
Total Cost of Ownership
Can I afford it?
Service
Is there a knowledgeable and reliable
integrator available?
Driving Factors For Cloud Computing - IT & OT Convergence
IT and OT groups have traditionally had different reporting structures, objectives and skill sets.
Driving Factors for Cloud Computing - Cloud Adoption
Convenience
Cyber Security
Mobile
• True Mobility
• Control from anywhere
• No configuration & maintenance
• Web server
• Firewall
• Redundancy/Failover
• Updates/Patches
• Secure by Design
• Encrypted by Default
What is CLOUD COMPUTING? Cloud computing is the on-demand delivery of computing services — servers, storage, databases, networking, software, analytics, and more — over the Internet. Companies offering these computing services are called cloud providers and typically charge for cloud computing services based on usage, similar to how you’re billed for water or electricity at home.
Private Datacenter / Colocation: Compute / Storage / Network Hardware
Virtual Infrastructure
WHAT IS CLOUD COMPUTING?
Traditional On-Premise Security Model
Foundation Services: Compute, Storage, Database, Networking
Infrastructure
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers are responsible for end-to-end security in their on-premise data centers.
AWS Security Model when using IaaS (EC2 instances)
AWS responsibility:
➢ AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
➢ AWS Foundation Services: Compute, Storage, Database, Networking
Customer responsibility:
➢ Operating System, Network & Firewall Configuration
➢ Platform, Applications, Identity & Access Management
➢ Client-side Data Encryption
➢ Server-side Data Encryption
➢ Network Traffic Protection
➢ Customer content
AWS Security Model when using PaaS (managed services)
The same layers apply, but with managed services AWS also takes on the Operating System, Network & Firewall Configuration and the platform/application layers; the customer remains responsible for identity & access management, client-side and server-side data encryption choices, network traffic protection and customer content.
➢Increased agility
➢Elasticity – Stop guessing at capacity
➢Move from capital expense to variable expense
➢Breadth of services
➢Go global in minutes
PRIMARY DRIVERS FOR MOVING TO THE CLOUD
BUSINESS CASE FOR CLOUD:
A CUSTOMER PERSPECTIVE
Hydro Ottawa Case Study
Statement of Work
➢ Determining whether a cloud-based service solution (Software as a Service, SaaS) is ideal for Hydro Ottawa
➢ Integrating a cloud-based enterprise access control platform
The Big Picture – Solve a Problem
➢ Hydro Ottawa: We need a new access control system
➢ Hydro Ottawa: There are issues, and we have outgrown the system
➢ Hydro Ottawa: It’s old and outdated
➢ Hydro Ottawa: We didn’t do the upgrades or properly maintain it
➢ Hydro Ottawa: We were busier than we thought, didn’t budget funding for future upgrades, rarely did a backup, had existing responsibilities, etc.
About Feenics & KEEP
Feenics is the company name (pronounced like Phoenix), a leader in cloud-based access control systems.
“Keep” is the product name
➢ Keep – a reference to the most secure part of the castle
➢ Keep incorporates multiple layers of security and privacy protection (customer data)
Feenics uses AWS to host each customer’s Keep instance.
A customer’s Keep instance is:
➢ Always on up-to-date software
➢ Full-fledged access control
➢ Highly available and resilient
➢ Scalable
➢ Secured
➢ Always backed up – provides clients with disaster recovery
Criteria - Features
➢On-the-Go Access Control
➢Push Notification Alerts
➢Door Control On-the-Fly
➢Global Lockdown
➢Mobile Monitoring
• Know the status of your facility when it is empty
➢Personnel Management
• Access levels
• Deactivate a badge from any device, anywhere in the world
➢Full Building Control
• BAS
• Video
• Biometrics
➢Visitor Management
Criteria - Features
Secure by Design
➢ No default passwords
➢ Two Factor Authentication
➢ Security Level: the higher the level, the less information is returned on an invalid login
Create & Enforce Password Policies
➢ Strength requirements can be set
➢ Change every x days
➢ Change their password on next login
➢ A user can be restricted from changing their password
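The controls on this slide are easier to reason about in code. The following is an added illustration, not Feenics/Keep code or anything from the presentation: a small login front end where failure messages carry less detail as a configurable security level rises, a password policy with strength and rotation rules, a forced change on next login, and a per-user restriction on self-service password change. All class names, the three security levels, the PBKDF2 work factor and the sample accounts are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256; returns (salt, digest) so no clear-text password is stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordPolicy:
    """'Create & enforce password policies': strength rules and a rotation period."""
    min_length: int = 12
    min_classes: int = 3      # how many of lower/upper/digit/symbol must be present
    max_age_days: int = 90    # 'change every x days'

    def violations(self, password: str) -> list:
        problems = []
        if len(password) < self.min_length:
            problems.append(f"must be at least {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"must mix at least {self.min_classes} character classes")
        return problems


@dataclass
class User:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    must_change: bool = False   # 'change their password on next login'
    may_change: bool = True     # 'a user can be restricted from changing their password'
    mfa_enabled: bool = True    # two-factor authentication on by default


class AccessControlAuth:
    """Login front end; failure messages carry less detail as security_level rises (0..2)."""

    def __init__(self, policy: PasswordPolicy, security_level: int = 2):
        self.policy, self.level, self.users = policy, security_level, {}

    def create_user(self, username, password, now, **flags):
        # No default passwords: an account only exists with a policy-compliant password.
        if problems := self.policy.violations(password):
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.users[username] = User(username, salt, digest, now, **flags)

    def _denied(self, detail: str) -> tuple:
        # Higher level -> less information returned on an invalid login.
        if self.level >= 2:
            return ("denied", "Login failed")
        if self.level == 1:
            return ("denied", "Invalid username or password")
        return ("denied", detail)

    def login(self, username, password, now) -> tuple:
        user = self.users.get(username)
        if user is None:
            return self._denied("no such user")
        if not hmac.compare_digest(hash_password(password, user.salt)[1], user.digest):
            return self._denied("wrong password")
        if user.must_change:
            return ("change_required", "password must be changed before continuing")
        if now - user.password_set_at > timedelta(days=self.policy.max_age_days):
            return ("expired", "password older than policy allows")
        if user.mfa_enabled:
            return ("mfa_required", "first factor accepted; second factor pending")
        return ("ok", "authenticated")

    def change_password(self, username, old, new, now) -> None:
        user = self.users[username]
        if not user.may_change:
            raise PermissionError("self-service password change is disabled for this user")
        if not hmac.compare_digest(hash_password(old, user.salt)[1], user.digest):
            raise PermissionError("current password incorrect")
        if problems := self.policy.violations(new):
            raise ValueError("; ".join(problems))
        user.salt, user.digest = hash_password(new)
        user.password_set_at, user.must_change = now, False


def demo() -> dict:
    """Constructed scenario: the same failed logins observed at security level 0 and 2."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    out = {}
    for level in (0, 2):
        auth = AccessControlAuth(PasswordPolicy(), security_level=level)
        auth.create_user("jdoe", "Correct-Horse-Battery-9", t0)
        auth.create_user("locked", "Correct-Horse-Battery-9", t0, may_change=False)
        out[f"L{level}_unknown_user"] = auth.login("nobody", "x", t0)[1]
        out[f"L{level}_bad_password"] = auth.login("jdoe", "x", t0)[1]
        out[f"L{level}_expired"] = auth.login("jdoe", "Correct-Horse-Battery-9",
                                              t0 + timedelta(days=91))[0]
        try:
            auth.change_password("locked", "Correct-Horse-Battery-9", "Another-Good-Pass-7", t0)
            out[f"L{level}_restricted_change"] = "allowed"
        except PermissionError:
            out[f"L{level}_restricted_change"] = "blocked"
    return out
```

Running demo() shows the point of the security level: at level 0 an attacker probing the login page learns whether a username exists ("no such user" vs. "wrong password"); at level 2 both cases collapse to "Login failed", so account enumeration through error text is no longer possible. Note that a password-expiry or forced-change response is only returned after the first factor has been verified, so it leaks nothing to someone without the password.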
Integration - LDAP/Active Directory
Outdated employee/contractor information
➢Attributes
• Name
• Location
• Business unit
• Email address
➢Access privileges
➢Photo identification
➢Share specialized data using Keep “Custom Forms”
➢Define synchronization intervals – AD
➢Automatically revoke employee access upon termination via Human Resource on-boarding and off-boarding
Integration
Integration diagram (image not reproduced; labels only): HOL AD, LDAP, APP, LSVR, BUILDING #1, BUILDING #2, ALARM MONITOR (one per building).
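The synchronization described on this slide (pull identity attributes from LDAP/Active Directory at a set interval, keep cardholder records current, and revoke access automatically when HR off-boards someone) can be sketched as one sync pass. This is an added example, not Hydro Ottawa, Feenics or Keep code. The directory entries are constructed sample data that use the common Active Directory attribute names (sAMAccountName, displayName, physicalDeliveryOfficeName, department, mail, userAccountControl); the Cardholder record, the ATTRIBUTE_MAP and the audit tuple format are assumptions for this illustration.

```python
from dataclasses import dataclass

# Real Active Directory bit in userAccountControl that marks an account as disabled.
ACCOUNTDISABLE = 0x0002

# Constructed stand-in for the result of an LDAP search against the HR-fed directory.
DIRECTORY_SNAPSHOT = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "physicalDeliveryOfficeName": "Building #1",
     "department": "Distribution", "mail": "jdoe@example.com", "userAccountControl": 0x0200},
    {"sAMAccountName": "bsmith", "displayName": "Bob Smith", "physicalDeliveryOfficeName": "Building #2",
     "department": "Generation", "mail": "bsmith@example.com",
     "userAccountControl": 0x0200 | ACCOUNTDISABLE},          # disabled by HR off-boarding
    {"sAMAccountName": "ctr-lee", "displayName": "Lee Contractor", "physicalDeliveryOfficeName": "Building #1",
     "department": "Facilities", "mail": "lee@contractor.example", "userAccountControl": 0x0200},
]

# Directory attribute -> cardholder field (assumed mapping for this example).
ATTRIBUTE_MAP = {"displayName": "name", "physicalDeliveryOfficeName": "location",
                 "department": "business_unit", "mail": "email"}


@dataclass
class Cardholder:
    username: str
    name: str = ""
    location: str = ""
    business_unit: str = ""
    email: str = ""
    badge_active: bool = False   # new records stay inactive until security assigns access levels


def sync_directory(cardholders: dict, entries: list) -> list:
    """One synchronization pass; returns (action, username, reason) audit records."""
    if not entries:
        # Failure mode: an empty or failed directory query must not revoke every badge.
        raise ValueError("directory returned no entries; refusing to synchronize")
    audit, seen = [], set()
    for entry in entries:
        uname = entry["sAMAccountName"]
        seen.add(uname)
        ch = cardholders.get(uname)
        if ch is None:
            ch = cardholders[uname] = Cardholder(uname)
            audit.append(("created", uname, "new directory account"))
        for ad_attr, field_name in ATTRIBUTE_MAP.items():     # keep attributes current
            value = entry.get(ad_attr, "")
            if getattr(ch, field_name) != value:
                setattr(ch, field_name, value)
                audit.append(("updated", uname, field_name))
        if entry.get("userAccountControl", 0) & ACCOUNTDISABLE and ch.badge_active:
            ch.badge_active = False                           # automatic revocation
            audit.append(("revoked", uname, "directory account disabled"))
        # Re-enabling is deliberately not automatic: a badge is only reactivated by a person.
    for uname, ch in cardholders.items():                     # accounts gone from the directory
        if uname not in seen and ch.badge_active:
            ch.badge_active = False
            audit.append(("revoked", uname, "missing from directory"))
    return audit


def demo() -> dict:
    """Constructed scenario: three active badges before the pass, one left active after it."""
    cardholders = {
        "jdoe": Cardholder("jdoe", "Jane Doe", "Building #1", "Distribution", "jdoe@example.com", True),
        "bsmith": Cardholder("bsmith", "Bob Smith", "Building #2", "Generation", "bsmith@example.com", True),
        "rgone": Cardholder("rgone", "Retired Gone", "Building #2", "Generation", "rgone@example.com", True),
    }
    audit = sync_directory(cardholders, DIRECTORY_SNAPSHOT)
    try:
        sync_directory(cardholders, [])
        empty_rejected = False
    except ValueError:
        empty_rejected = True
    return {"audit": audit,
            "active": sorted(u for u, c in cardholders.items() if c.badge_active),
            "empty_snapshot_rejected": empty_rejected}
```

The pass would be driven by a scheduler at the configured synchronization interval; the part worth copying is the asymmetry: disabling in the directory revokes the badge immediately, but an enabled directory account never switches a badge back on by itself, and an empty directory response is treated as an error rather than as "everyone has left". The audit list is what a security team would forward to its monitoring platform to confirm that off-boarding actually took effect.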
Return on Investment - Actual Server Costs
Spending $2,500 on a server really means ~ $8,300 in facility capital to provide:
➢ Real estate to house the server
➢ Cap ex for hardware, racks, power supplies
➢ Depreciation/obsolescence
➢ Power consumption
➢ Cooling costs
➢ Operations maintenance
Average cost per kWh:
➢ US $0.13
➢ Canada $0.10
Examples:
➢ HP DL-380 with 2 quad-core CPUs is about $1,200.00 a year in electricity and cooling
➢ Dell/HP 1U closer to $500 per year
Source: Forbes.com, “Servers: Why Thrifty Isn’t Nifty”
Return on Investment - Labor & Opportunity Cost
Cost for managing, maintaining & updating infrastructure related to legacy access control:
➢ Apply fixes, patches, upgrades
➢ Downtime
➢ Performance tuning
➢ Rewrite customizations
➢ Rewrite integrations
➢ Upgrade dependent applications
Ongoing burden on IT to maintain/upgrade:
➢ Hardware
➢ Network security
➢ Database
➢ Training
Capital vs. Operating Expenditures
On Premise
➢ Software: Purchase of a license can be capitalized as an intangible asset and amortised over its useful economic life (license period).
➢ Implementation: Implementation costs can usually be capitalized if they are development activities.
➢ Hardware: Purchased hardware can be capitalized as a tangible fixed asset and depreciated over its useful economic life.
Cloud
➢ Software: Committing to a usage period or a recurring rolling contract requires the costs to be recorded as operating expense over the service period.
➢ Implementation: Implementation costs can usually be capitalized if they are development activities; however, fewer costs may be capitalized in practice.
➢ Hardware: An on-demand or multi-year usage contract (reserved instance or dedicated host) means that the costs must be recorded as operating expense over the service period, if the contract is not a finance lease.
Source: Deloitte – Cloud Capitalization
Cyber Security Frameworks/Maturity Models
The focus/purpose of the framework includes:
➢ IT Governance
➢ IT Enterprise Architecture
➢ IT Data Governance
➢ IT Internal Control
➢ IT Competency
➢ IT Risk Management
➢ IT Strategy
➢ IT Automation
SSAE 16/18 is the name of the compliance-reporting standard practiced by auditors.
So where is the Cloud? Amazon Web Services
Customers can run their applications and workloads in the Canada (Central) Region in one of 2 Availability Zones.
End-users based in Canada can leverage the Canada Region to avoid up-front expenses, long-term commitments, and scaling challenges associated with maintaining and operating their own infrastructure. Canada joins Northern Virginia, Ohio, Oregon, Northern California and AWS GovCloud.
The AWS Region in Montreal is one of 22 worldwide, bringing the total number of Availability Zones to 69 globally.
In addition to the Region, AWS Canada has three Edge Locations – one in Montreal and two in Toronto.
Shared Responsibility Model
“Security OF the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
“Security IN the Cloud” - Customer responsibility is determined by the AWS Cloud services that a customer selects.
Our Data Centers
Our data centers provide protection at every layer:
➢ Perimeter Layer
➢ Infrastructure Layer
➢ Data Layer
➢ Environmental Layer
Take a virtual tour: https://aws.amazon.com/compliance/data-center/data-centers/
Perimeter Layer
➢ Access is scrutinized
➢ Entry is controlled and monitored
➢ AWS data center workers are scrutinized, too
➢ Monitoring for unauthorized entry
➢ AWS Security Operations Centers monitor global security
Infrastructure Layer
➢ Layer-by-layer access review
➢ Maintaining equipment is a part of regular operations
➢ Emergency-ready backup equipment
Data Layer
➢ Technology and people work together for added security
➢ Preventing physical and technological intrusion
➢ Servers and media receive exacting attention
➢ Third-party auditors verify our procedures and systems
Environmental Layer
➢ Prepared for the unexpected
➢ High availability through multiple Availability Zones
➢ Simulating disruptions & measuring our response
➢ Greener in the AWS Cloud
AWS REGULATION & COMPLIANCE
INHERIT GLOBAL SECURITY AND COMPLIANCE CONTROLS
➢ Benefit from AWS regulatory compliance efforts
➢ Cloud-based PhySec systems should ride on already compliant and established providers
➢ HSPD-12 & FICAM (PIV) compliant access control
➢ SOC compliance
➢ GDPR compliance
STARTING YOUR CLOUD JOURNEY
• Understand your business case
• Collaborate with other divisions
• Business process optimization
• Cost efficiencies and Total Cost of Ownership (TCO)
Benefits - Summary
➢ Minimal upfront costs
➢ Shorter deployment time
➢ Always have trained experts managing our system
➢ Always patched and up-to-date
➢ Monthly updates
➢ Eliminates problems and costs associated with:
• Hardware maintenance and obsolescence
• Service calls due to server and update issues
• Risk due to server failure/lack of backups
➢ Remote support and assistance - reduces the need to come onsite to upgrade
➢ Scalable & flexible
➢ Secure mobile access
➢ Reduced system TCO
Lessons Learned
➢Selecting the right computing option for your workload
➢Choosing the cloud consumption models to best fit your requirements
➢Reducing operating costs by leveraging application and data services available within the cloud platform
➢Addressing security and management challenges
➢Have a conversation with other divisions – organizational buy-in/support
➢Vendor and Integrator need to be aligned
QUESTIONS?
Joey St. Jacques – Hydro Ottawa
James Armitage - Amazon
Fadi Hajjar- Feenics