What You Haven't Heard (Yet) About Cloud Security

Did you know that 4 out of 5 companies are using cloud architectures? Did you also know that 22% of cloud hosting users believe that their cloud service provider is responsible for the security of their cloud server instances, yet 38% have a high level of concern with losing control of their servers and data in public cloud environments?

Join Andrew Hay, Chief Evangelist at CloudPassage, and Wendy Nather, Research Director at 451 Research, as they dive into these and other findings from the CloudPassage 2012 Security and the Cloud survey. Wendy Nather will also discuss cloud security related trends and observations from 451 Research's findings.

During this live 30-minute webinar, you will learn about:

- The challenges and fears identified by individuals looking to embrace cloud architectures
- Current cloud adoption trends and future individual and organizational expansion plans
- How people are securely delivering applications using cloud architectures

  • The majority of respondents (90.1%) were from the United States but 20 individuals responded from other countries – including Canada, Ireland, India, Korea, Japan, Switzerland, South Africa, Mexico, Italy, and the United Kingdom. The respondents also represented 49 distinct industry verticals including financial services, software, manufacturing, business services, education, and others.
  • We asked respondents to indicate the total number of servers that their organizations operated including, but not limited to, virtual servers, traditional hardware servers and cloud servers. The two largest server ranges on the survey, as shown in Table 2, appeared to be the 101-500 range, with 53 respondents and 26.4% of the vote, and the 501-5,000 range, with 58 respondents and 28.9% of the vote. This means that more than half (55.3%) of respondents own and operate between 101 and 5,000 servers – a range often representing the typical enterprise organization server deployment spread.
  • We asked individuals what type of cloud hosting environment their company used to help understand how, exactly, cloud was being adopted. We avoided forcing respondents to specify exactly what virtualization hypervisor platforms were being used to run their clouds, such as VMware, Citrix, OpenStack, CloudStack, and others, as we expected such a wide variety of responses – including quite a few where the respondent had no knowledge of the architecture being employed. In an effort to determine our respondents’ first foray into cloud computing we posed the question “Which cloud environment did you use first”. Not surprisingly, the majority of respondents (52.2%) claimed that private cloud was their first cloud architecture while only 28.9% claimed public cloud. A small number (18.9%) claimed that they had no knowledge of which cloud environment was first used. The breakdown of cloud environment use can be seen in the bottom table. The results are not all that surprising. Very few organizations are going to make the jump from traditional on-premises physical server deployments, in which they have complete control, to shared public cloud environments where they control but a piece of the architecture’s security. It’s likely the same apprehension that homeowners feel when choosing to move from a house to an apartment complex.
  • Not surprisingly, private cloud usage tipped the scales with 73 respondents answering that they used private clouds within their company. Though private cloud leads the pack with 36.3% of respondents, we can’t help but wonder if people employing traditional on-premises virtualized infrastructures, such as VMWare ESX, Citrix, and others, also answered ‘private cloud’ as it most closely aligns with how their virtualized compute environment is used.
  • The majority of respondents (87) claim that they only have between 1 and 25 percent of their servers in public cloud architectures – a modest 10.1% increase compared to public cloud architecture deployment for the same range. 22 respondents, compared to only 5 in the public range, claim to be using private cloud for between 26 and 50 percent of the servers in their environment. Virtualized and Data Center server deployment ranges are fairly similar. 35 respondents claimed that they had between 1 and 25 percent of their servers in virtualized architectures compared to 54 with between 1 and 25 percent in data center architectures. 76 respondents claimed between 26 and 50 percent of their servers in virtualized architectures compared to 74 in the same range for data center architectures. Only 57 respondents claimed that more than 50 percent of their servers resided in virtualized architectures. 45 respondents claimed that more than 50 percent of their servers resided in data center architectures.
  • One of the most ambitious questions we posed in this year’s survey was aimed at determining how respondents were using the public cloud. The top 3 public cloud use cases, based on responses, appear to be the deploying of external applications (25.9%), the deploying of internal applications (22.4%), internal development and testing (20.9%). We also expected temporary workload, but not necessarily big data, to be higher. Various companies are using public cloud for temporary workload activities. The reason we say ‘not necessarily big data’ is because organizations that perform big data analytics continue to rely on internal compute grids for processing or, at best, private clouds under their complete control. These organizations have only begun to look to public cloud to help with genome sequencing, bioinformatics, molecular and financial modeling, and new drug discovery, in an elastic and temporary fashion. One last point on this slide: if we were to remove the ‘we do not host applications in public cloud environments’ answer from the total, we see that roughly 80% of respondents are using mission critical applications in the public cloud today.
  • If we were to remove the ‘we do not host applications in public cloud environments’ answers, in addition to ‘other’, the data points to 41% of respondents claiming that the deploying of external applications is their single biggest concern.
  • What applications do you plan to run in public cloud hosting environments one year from now? Based on the data it appears as though temporary workload / big data deployment by respondents is poised to increase by 70.4% next year. The next biggest jump is for media (30.6%) followed by internal development and testing (28.6%). According to an EMC-sponsored study of 151 IT managers published in June 2012, one third said they plan to move some mission-critical applications to the cloud in the next year. Within two years, the IT managers said they will migrate 26 percent of their mission-critical applications to the cloud, and in five years, 44 percent of their mission-critical apps will be in the cloud.
  • Cloud security is a top-down approach in some organizations and 23.4% of respondents stated that their senior technology leadership (CIO/CTO) was responsible for security. Only 14.4% claimed, however, that organizational cloud security was the purview of its senior security leadership team (CSO/CISO). The majority of respondents (25.9%) claimed that central systems administrators, infrastructure or DevOps professionals oversaw cloud security within their organization. Another way to think about it is that more than 65% of responsibility for cloud security is centralized, and only a small amount within the BU itself.
  • They say that every cloud has a silver lining. Unfortunately, in the world of cloud computing, this isn’t always the case. To better understand the concerns of respondents we asked several questions around their spectrum of concerns, their single biggest concern, and a question designed to measure knowledge about the separation of security responsibility in cloud architectures. We asked respondents to rate their level of concern about public cloud issues using LOW, MEDIUM, or HIGH rankings. The concerns that were considered HIGH were security and compliance. 69.2% of respondents felt that security ranked as a HIGH concern – the highest total number of responses we saw. Only 8.0% of respondents felt security concerns warranted a LOW rating. Compliance concerns, on the other hand, had respondents worried. 45.3% of respondents cited compliance as being a HIGH concern and 35.3% stated that it was a MEDIUM concern. Less than a quarter (19.4%) of respondents believed compliance was only a LOW concern – perhaps because their organizations were not bound by regulatory mandates or compliance initiatives.
  • An interesting drop from 2011 to 2012 was how respondents selected the ‘we have no security concerns’ answer. In 2011 we saw 16.4% state they had no concerns but in 2012 the percentage of respondents that selected this answer was a mere 7.0%. We attribute this to a combination of education about security challenges in cloud environments and an increase in the number of high profile breaches since our 2011 survey. My takeaway is that concerns over innate elements of cloud (that can’t be changed) dropped a lot (multi-tenancy, lack of perimeter, provider access), but PCI and “Tools don’t work” stayed relatively high.
  • The ‘Other’ option resulted in some interesting comments. One respondent stated that they were concerned with the general lack of adequate security, accountability, and survivability of data under others’ control. Another respondent claimed that cloud accounts could get easily compromised and servers can just as easily be taken down. An interesting response was with regards to FDA validation and controlled environment compliance – a response that we would have expected to fall under the blanket ‘Achieving compliance with PCI or other standards’ response. The winner, however…well one respondent claimed that they didn’t use a cloud as “clouds are for angles” – which we believe was either a typo or some sort of existential geometry argument that we simply don’t understand.
  • The fact that 78.1% of respondents are aware that there is a separation in responsibility between cloud service provider architecture and organizational servers, application and data, shows that education about cloud is increasing.

    1. #CloudSec13: What You Haven't Heard (Yet) About Cloud Security. Andrew Hay, Chief Evangelist, CloudPassage, Inc.; Wendy Nather, Research Director, Enterprise Security, 451 Research
    2. Session Agenda
        • Cloud security trends and observations from 451 Research
        • Current cloud adoption trends and future individual and organizational expansion
        • How people are securely delivering applications using cloud architectures
    3. Trends in Cloud Security. Wendy Nather, Research Director, Enterprise Security
    4. Cloud forecast: Relatively sanguine. Large numbers of enterprises using some form of cloud services. Most say they’re concerned about security. And yet … Most don’t plan to use security!
    5. Security Requirements for Cloud. What security-related requirements did you or will you require of your cloud computing? Please include certifications, qualifications, frameworks, and functionality in your response.* Informal Due Diligence 25%; Datacenter Certification 13%; SSAE 16 6%; PCI 6%; Formal Risk Assessment 6%; CSA 6%; Contractual Security Requirements 6%; Agreement to SLAs 6%; None 38%. Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). n=16. *Note that due to multiple responses per interview, totals may exceed 100%.
    6. Application Hosting ‘in the Cloud’: Finance and HR Systems. How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
        • Finance Systems (n=14): Extremely Concerned 50%; Very Concerned 21%; Minimally Concerned 29%; Somewhat Concerned and Not at All Concerned: no value shown
        • HR Systems (n=13): Extremely Concerned 46%; Very Concerned 31%; Somewhat Concerned 8%; Minimally Concerned 15%; Not at All Concerned: no value shown
        • Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). Information Security Wave 15
    7. Application Hosting ‘in the Cloud’: ERP Solutions and Email. How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
        • ERP Solutions (n=11): Extremely Concerned 36%; Very Concerned 36%; Somewhat Concerned 9%; Minimally Concerned 9%; Not at All Concerned 9%
        • Email (n=13): Extremely Concerned 23%; Very Concerned 31%; Somewhat Concerned 23%; Minimally Concerned 8%; Not at All Concerned 15%
        • Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). Information Security Wave 15
    8. Application Hosting ‘in the Cloud’: Database/Data warehouses. How concerned is your organization about the security of these types of applications running ‘in the cloud’, where cloud in this context denotes external hosting?
        • Database/Data warehouses (n=13): Extremely Concerned 23%; Very Concerned 46%; Somewhat Concerned 8%; Minimally Concerned 8%; Not at All Concerned 15%
        • Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). Information Security Wave 15
    9. Types of Cloud-based Security Services: Part 1. Including those delivered by MSSPs, what types of cloud-based security services are you using today?
        • Charts: Intrusion Detection/Prevention, Firewalls, VPNs Based on SSL, or Wireless Security; Content Filtering, Secure Email, or Anti-virus/Anti-Spam
        • Using 14%, 7%; In Plans for Next 18 Months 7%, 29%; Not in Plan 64%, 79%
        • Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). Left Chart, n=14; Right Chart, n=14. Information Security Wave 15
    10. Types of Cloud-based Security Services: Part 2. Including those delivered by MSSPs, what types of cloud-based security services are you using today?
        • Security Information Event Log Management (SIEM), or Vulnerability/Risk Management (n=14): In Plans for Next 18 Months 7%; Not in Plan 93%
        • Source: TheInfoPro, a service of 451 Research (Daniel Kennedy, dkennedy@theinfopro.com). Information Security Wave 15
    11. Who, what and why … More organizations are moving to cloud
        - Well-defined, granular business operations that go well with SaaS: CRMs (hello Salesforce!); Email; Office-like applications; Human resources; Payroll
        - Disposable, clonable uses: Development and testing; Honeypots and honeyclients; Data processing and analysis
    12. What’s going to be slower: Legacy stacks; Distributed systems with multiple owners; Governance issues; Getting the right level of multi-tenancy; Version drift and overall inertia. http://www.shaldon-devon.co.uk
    13. What’s more likely: More aging-out of legacy systems and greenfield migration to new ones (particularly pre-packaged IaaS, PaaS and SaaS). Changing business processes to fit into cloud (hello Procrustes!). Why? Because the cloud has more economies of scale and better security when there are fewer options.
    14. How to mitigate the risk
        • Risk from dynamic environment: Well-documented, secure VM lifecycle
        • Risk from larger scale: Build fail-safes into your fail-safes
        • Dormant VM risk: Authentication, encryption
        • Shared risk: Well-documented processes, contracts
        • Unknown risk: Visibility (real-time & historical)
    15. The Security and the Cloud 2012 Survey
    16. The Security and the Cloud 2012 Survey
        • Started on August 10th, 2012
        • Questions about current cloud usage, future deployment plans, and security and compliance related concerns
        • Asked to identify the types of cloud, virtual, and physical compute architectures currently in use
    17. Total Number of Servers. Number of servers in organization. “More than half (55.3%) of respondents own and operate between 101 and 5,000 servers – a range often representing the typical enterprise organization server deployment spread.” – Andrew Hay, CloudPassage, Inc.
    18. Cloud Adoption Breakdown. Breakdown of cloud hosting environments being used. “The majority of respondents claim that they only have between 1 and 25 percent of their servers in public cloud architectures – a modest 10.1% increase compared to public cloud architecture deployment for the same range.” – Andrew Hay, CloudPassage, Inc. Which cloud environment did you use first? “The majority of respondents (52.2%) claimed that private cloud was their first cloud architecture while only 28.9% claimed public cloud.” – Andrew Hay, CloudPassage, Inc.
    19. Cloud Adoption
    20. Server Breakdown. Percentage of servers in use, by compute environment
    21. How Public Cloud Servers Are Used. How do you use your public cloud servers today? “The top 3 public cloud use cases, based on responses, appear to be the deploying of external applications (25.9%), the deploying of internal applications (22.4%), internal development and testing (20.9%).” – Andrew Hay, CloudPassage, Inc.
    22. Single Biggest Cloud Use Case. “If we were to remove the ‘we do not host applications in public cloud environments’ answers, in addition to ‘other’, the data points to 41% of respondents claiming that the deploying of external applications is their single biggest concern.” – Andrew Hay, CloudPassage, Inc.
    23. How Public Cloud Servers Will Be Used. How will you use your public cloud servers in 2013? “The only category due to decrease over the next year is the ‘we do not host applications in public cloud environments’ answer.” – Andrew Hay, CloudPassage, Inc.
    24. Who Oversees Cloud Security? Who oversees cloud security in your organization? “The majority of respondents (25.9%) claimed that central systems administrators, infrastructure or DevOps professionals oversaw cloud security within their organization.” – Andrew Hay, CloudPassage, Inc.
    25. Cloud Security Concerns in 2012. Concerns about public cloud hosting
    26. Cloud Security Concerns. Single Greatest Cloud Security Concern. Concern change, 2011 to 2012. “In 2011 we saw 16.4% state they had no concerns but in 2012 the percentage of respondents that selected this answer was a mere 7%. We attribute this to a combination of education about security challenges in cloud environments and an increase in the number of high profile breaches since our 2011 survey.” – Andrew Hay, CloudPassage, Inc.
    27. Best ‘Other’ Comment. Q: What is your absolute greatest security concern about the public Cloud? A: Clouds are for angles. “One respondent claimed that they didn’t use a cloud as ‘clouds are for angles’ – which we believe was either a typo or some sort of existential geometry argument that we simply don’t understand.” – Andrew Hay, CloudPassage, Inc.
    28. The Survey: Key Findings
        – 4 out of 5 respondents stated that their companies are actively using cloud architectures
        – Concerns about multi-tenancy, the lack of perimeter defenses and/or network controls, and provider access to guest servers show significant decrease since our 2011 survey
    29. The Survey: Key Findings
        – Business critical applications are now running in the public cloud with publicly facing applications leading amongst all other use cases
        – The biggest growth area for 2013 appears to be in the utilization of public cloud for variable workload bursts with a projected 70% increase in deployment
    30. The Survey: Key Findings
        – Concerns for compliance with PCI and other standards in public cloud remain high
        – Users are becoming smarter about security in cloud environments with nearly 80% stating that they are aware that the security of their servers is not the sole responsibility of their cloud service providers
    31. The Survey: Findings. Examine The Findings For Yourself: cloudpassage.com/resource-center/get/security-and-the-cloud-2012
    32. Questions? Wendy Nather, Research Director at 451 Research, @451wendy; Andrew Hay, Chief Evangelist at CloudPassage, @andrewsmhay
    33. Thank You. www.cloudpassage.com @cloudpassage