CIS13: Security's New Normal: Is Cloud the Answer?

Sally Hudson, Research Director, Security Products and Services, IDC
This session will look at cloud benefits and challenges from a security standpoint and present customer trends and concerns from IDC's demand-side research programs. Special emphasis will be placed on identity issues as they relate to cloud, social and mobile concerns and how they map to the agendas, policies and budgets of the IT enterprise.

    Presentation Transcript

    • Security’s New Normal: Is Cloud the Answer?
      Prepared by IDC for: Cloud Identity Summit, July 2013
      Sally J. Hudson, Research Director, Identity and Access Management, BuyerPulse
    • Security Perimeters: New Normal
    • 3rd Platform Built on Four Pillars
    • Four Pillars of 3rd Platform:
      • Mobile – Creates need for stronger access controls and authentication. Expect more partnerships, acquisitions and innovations in the mobile space.
      • Cloud – Driving need for FSSO and authentication, user provisioning, privileged id management.
      • Social Networking – Companies want to leverage this, but are cautious due to security concerns. Authentication and federation.
      • Big Data – In conjunction with security, rich identity profiles and threat prevention and fraud detection.
    • 3rd Platform Customer Requirements
      Fixed:
      • Global consumer & corporate privacy & security regulations (civil law)
      • Law enforcement (criminal law)
      • Instantaneous & assured communications with negligible downtime
      • Revenue creation and profitability
      • Apps (write once, test everywhere)
      Fluid:
      • Communities of shared interest & social pressures (good, bad, gray)
      • Control issues (risk, acceptable speech, reputation, privacy & trust)
      • Under-web of sensors & monitoring
      • Services-based approach vs. client-orientation
    • COO’s New Normal: Issues in 2013
      Consolidate:
      • Consolidate
      • Virtualize
      • Automate
      • Optimize
      • Host/Outsource
      Collaborate:
      • Biz Efficiency
      • Innovate
      • Modernize
      • Mobile/Social
      • Biz Analytics
      Calculate:
      • Actuarial Data
      • Predictable Operational Expenses
      • Risk
      • Compliance
    • Consolidate: Old Issues & New Solutions
      New:
      • Worldwide core controls that minimize differences
      • Auditors collaborate with IT to help design a compliance dashboard for a variety of non-IT groups
      • Common worldwide controls that are cloud-based
      Old:
      • Company siloed by business units and geography
      • Custom controls
      • Auditors were the enemy
      • Senior management confused about corporate-wide policies
      • Little anticipation or planning for pending regulations
    • Shifting IT Spend: Private Cloud is near-term cloud strategy
      Q. Please estimate how much of your company's IT budget will be allocated to buying and managing these different types of IT services.
      [Stacked bar chart: share of IT budget, Today vs. 24 Months. The values below are the chart’s data labels; their pairing with the legend series is reconstructed from the extracted slide, and each column sums to 100%.]
      Traditional IT: 49% today, 37% in 24 months
      Outsourced IT: 16% today, 16% in 24 months
      Private Cloud – In-house: 13% today, 19% in 24 months
      Private Cloud – Hosted: 11% today, 15% in 24 months
      Public Cloud: 11% today, 13% in 24 months
      • Enterprises see private cloud as the onramp to cloud for the next 24 months
      • Automation and elasticity will become the mantra
      • Pre-integrated modularity will become critical
      Source: IDC’s Cloud Computing Survey, January 2011, n=603
    • Cloud Providers: Can You Trust Them?
      • SLAs can offer complete visibility and “partnership” with the Cloud provider
      • Capex → Opex expense = Making friends with the CEO and CFO again
      • Defensible posture and extensible “modular” architecture
      • Pay as you go
      • And more…
    • Cloud Benefits and Challenges
      [Bar chart, axis −80% to +80%: benefits plotted on the positive side, challenges on the negative side, grouped under Availability, Security, Total Cost, Time to deploy, Pay for Use and Collaboration]
      Benefits: Pay-as-you-go (opex); Easy/fast to deploy to end-users; Pay only for what you use; Allows us to reduce IT headcount; Makes sharing with partners simpler; Encourages standard systems; More sourcing choices; Faster deployment of new services
      Challenges: Regulatory requirement restrictions; Performance/response times; Availability/service provider uptime; Not robust enough for critical apps; Not enough ability to customize; Hard to integrate and manage with in-house IT; May cost more; Security; Reliability
    • Cloud Security & Compliance: Tablestakes for Enterprise Clouds
      Q. Rate these statements about cloud security (% of sample rating 4 & 5)
      [Chart: percentage of respondents rating each statement 4 or 5]
      • Issue: Security & compliance
        • Data in motion more important than data at rest
        • Key management stays with customer
      • Issue: Metrics
        • Risk guarantees
        • Threats/Attacks
        • Breaches
        • Privileged & Customer Access
        • Continuous Compliance
    • Cloud Security & Compliance: Consumer Cloud T’s & C’s Exclude Security
      Indemnification is Explicit: “You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand…”
      Data Locality Cannot be Guaranteed: “Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using the Service, you consent to any such transfer of information outside of your country…”
      Service Interruption is Permissible: “Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Yahoo! Services (or any part thereof) with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Yahoo! Services (or any part thereof)…”
      Intellectual Property Rights are Abdicated to Providers: “By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, publish and distribute such Content on Google services for the purpose of displaying and distributing Google services…”
      • Lack of security in consumer clouds today is explicitly stated
      • Data is an organization’s most valuable asset
      • Large providers become a target and a single point of failure
    • Essential Guidance: New Normal & Securing 3rd Platform
      [Matrix of controls by pillar (Cloud, Mobile, Social Networks, Big Data / Threat Intelligence) and posture (Predictive, Proactive, Reactive), rebuilt from the flattened slide]
      Predictive:
        Cloud: Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection & Vulnerability Assessment
        Mobile: Strong Authentication, Data Protection & Granular Access Controls
        Social Networks: Data Loss Prevention with data protection & justification for violations
        Big Data (Threat Intelligence): Raw and analyzed threat feeds from multiple sources integrated with all management consoles
      Proactive:
        Cloud: VPN, Single Sign-On & Strong Passwords
        Mobile: Mobile Device Management
        Social Networks: Keyword-based monitoring & logging
        Big Data (Threat Intelligence): Network monitoring and SIEM
      Reactive:
        Cloud: Access control
        Mobile: Device Password
        Social Networks: Acceptable Use Policy
        Big Data (Threat Intelligence): Signature-based detection
      Goals:
      1) Timely remediation of existing breaches.
      2) Early detection & mitigation of advanced, targeted attacks.
      3) Policy monitoring & enforcement of internal and external regulations.
    • Essential Guidance
      • Cloud offerings should allow you to examine your IT investments strategically and avoid point-solution thinking
      • Make sure your services firm can clearly articulate its differentiated offers, methodologies, tools and processes, certifications and domain expertise before embarking on a major IT transformation or initiative
    • Contact Information
      Email me at: sjhudson@idc.com
      Follow me at: twitter.com/@sjhudson11