Discuss 5 Attributes of Cloud and Impacts which they pose for Security
Discuss initial phase of Cloud Computing
How its focus shifted from cool technology to Cost Reduction Efforts
How organizations begin to see the cloud as a means of increasing revenues
Then seen as a transformative element, Shift of perception particularly by non IT organizations to leverage the cloud as a opportunity
Focus on Competitive, Non Cloud vendors leveraging the cloud to convert internal APIs from Expenses to assets. Highlight Brinks Cloud based money management offering and fact that this shift has resulted in a change to how organizations operate.
Introduce Network Workload Story and How perceptions changed (Angry Villagers Torches->agreement)
Highlight the results of IBM network world tech debate, initial perceptions we lost then we ended up building momentum and more than 2/3 agreed with arguments, then lead to the 4 arguments used in the article.
First those who adopt cloud based technologies do so in a deliberate way they start with individual workloads, we know from customers, market data etc that customers typically adopt one cloud then move to another etc.
Currently organizations have no clue where there critical data is and as data grows exponentially its harder and harder for organizations to keep track of that data
When we ask executives what their critical data is they cant tell us in fact the boundaries for what’s important and what is not important is completely lost, making it that much harder to really secure.
As a result Security Personnel become great wall builders, the issue is that we continue to build walls and lose focus on what we are protecting and the various ways it can be exploited. We also lose the ability to granularly track information. This means we poke holes in ports for multiple applications etc meaning we degrade overall security
Once an organization gains clarity of their information they can identify what really matters and leverage that asset
Financially organizations benefit from cloud
Organizations are spending less than in past, As a result there is less money to spend
Inversely Cloud Vendors have money allocated for competitive reasons. Ultimately Security remains the only competitive lever most vendors can pull so it’ s a priority
Organizations have to keep up with security
Security requires vigilance organizations already are overloaded (tell story of startup from past history)
Services allows them to ease the burden (Security as a Service Argument)
Security skills are hard to find and security is hard
Is this who you want doing your security
Or do you want a professional
Clouds have multiple delivery models – Note Gartner wants us to play this up more because they believe confusion on this topic and following slides. My approach is forget concepts of “The Cloud” its not a single entity but much more complex and interesting
Play to Gartner and their args multiple deployment paths, talk security in context here. May need to cut short this is a long preso already
The Message One Size doesn’ t fit all and btw there are lots of types of clouds. We need to hammer this home because we keep highlighting Public hosted not private.
IBM is different, may update image to show lots of fishbowls moving back on horizon?
Our 4 stage approach to cloud security.
Standard secure by design refer to our experiences. We need to promote this more once we nail foundational controls tie to Rational/WebSphere/Information Management and Tivoli Cloud story. We have assets just need to cauterize story right now I seem to be only one giving it.
This is where we engage in workload discussion, talk to each type of workload and how security varies ( actually only a couple otherwise takes wayy too long) Discuss Healthcare->Education->Development?
LotusLive its easy and how security themes and our foundational strategy apply
Explain Service Enabled,
Researchy things like Lotus work the IPS stuff and Mobile work, we might want to include trusted domain and some of the other services we are exploring for example those in IM
Our portfolio, WE have breadth and depth only vendor
How we can focus on a private scenario
Whats new – TEMS, Juniper Partnership, WebSphere Virtuoso…
Talk about challenges encourage consultative services Trusted Guide my usual blah blah
Security cloud forum_2011
Choosing the Right Security Strategy for Cloud Computing Harold Moss CTO/Chief Architect Cloud Security Strategy
Applying Workload Driven Security to a Private Cloud Intrusion Prevention Monitoring Access Management Data Security Application Evaluation Database Design/Test Virtual Server Protection Security Event Monitoring Provisioning
Example: Cloud Security in the Public Space Firewall IPS Data Protection Access Identity Federated Identity VM Protection Patch Mgmt. Configuration Mgmt. Security Event Log Mgmt. Audit Vulnerability Mgmt.
Preparing to Move to the Cloud <ul><li>“ Cloud Computing” is complex where to begin: </li></ul><ul><ul><li>Engage Experts who have had prior success in the cloud. </li></ul></ul><ul><ul><li>Establish a set of measures that clarify what a successful engagement in the cloud would look like. </li></ul></ul><ul><ul><li>If externally hosting your cloud ensure that your vendor is reliable </li></ul></ul><ul><ul><li>Identify what workloads you are most comfortable with don’t just dive in. </li></ul></ul><ul><ul><li>Determine the appropriate security for your workload, and leverage managed services where possible </li></ul></ul><ul><ul><li>Build Consensus upfront, one sided decisions tend to fail in the cloud </li></ul></ul>
IBM Cloud Security Guidance <ul><li>Based on cross-IBM research and customer interaction on cloud security </li></ul><ul><li>Highlights a series of best practice controls that should be implemented </li></ul><ul><li>Broken into 7 critical infrastructure components: </li></ul><ul><ul><li>Building a Security Program </li></ul></ul><ul><ul><li>Confidential Data Protection </li></ul></ul><ul><ul><li>Implementing Strong Access and Identity </li></ul></ul><ul><ul><li>Application Provisioning and De-provisioning </li></ul></ul><ul><ul><li>Governance Audit Management </li></ul></ul><ul><ul><li>Vulnerability Management </li></ul></ul><ul><ul><li>Testing and Validation </li></ul></ul>
Cloud Security Whitepaper <ul><li>Trust needs to be achieved, especially when data is stored in new ways and in new locations, including for example different countries. </li></ul><ul><li>This paper is provided to stimulate discussion by looking at three areas: </li></ul><ul><ul><li>What is different about cloud? </li></ul></ul><ul><ul><li>What are the new security challenges cloud introduces? </li></ul></ul><ul><ul><li>What can be done and what should be considered further? </li></ul></ul>http://www-03.ibm.com/press/us/en/attachment/32799.wss?fileId=ATTACH_FILE1&fileName=10-0861_US%20Cloud%20Computing%20White%20Paper_Final_LR.pdf
Why IBM <ul><li>IBM is the only company with the Breadth and depth of products, technologies, services and business partners to provide end-to-end security. </li></ul><ul><li>IBM has over 200 Security related products and over 3500 Highly Skilled Security professionals </li></ul><ul><li>IBM has over 40 years of security development and innovation experience </li></ul><ul><li>IBM has six worldwide research labs innovating security technology and nine security operations centers. </li></ul><ul><li>IBM analyzes more than 13 billion security events on behalf of its clients and block more than 150 million attacks each day. </li></ul><ul><li>IBM is one of the most trusted companies in the World. </li></ul>