What an Enterprise Should Look for in a Cloud Provider

This session will address the security and compliance aspects that an enterprise should insist on from a cloud provider. The mechanisms for cloud annexation that provide security and compliance will be described and the architecture of Novell Cloud Security Service will be presented. Presenters will emphasize the contribution that Novell Cloud Security Service makes to intelligent workload management because of cloud security and compliance.

Transcript

  • 1. What an Enterprise Should Look for in a Cloud Computing Provider
    Tom Cecere, Director, Novell Cloud Security Service
    March 23, 2010
  • 2. Takeaways for Today
    • Cloud computing offers the potential for big savings and huge increases in flexibility for enterprise IT
    • Large enterprises are telling analysts, researchers and cloud providers that it’s hard to trust cloud-based solutions
    • But don’t let that fool you – people are using them like mad, with 20-40% growth in 2009 in some sectors
    • Security is a primary concern, but it comes in many guises
    • Regulations and finances are driving use and risk, leaving you with security holes you never had before
    • Security is the responsibility of both you and your vendors of choice
    © Novell, Inc. All rights reserved.
  • 3. Cloud Computing: What Is It, Why and How Much Do We Use It?
  • 4. Forrester Definition: Cloud Computing
    A standardized IT capability (services, software, or infrastructure) delivered via the Internet in a pay-per-use, self-service way
  • 5. Breaking It Down a Bit (spectrum from SaaS to IaaS)
    • Web-based Services / Software-as-a-service: Salesforce.com, Netsuite, Ultimate, Taleo, LinkedIn, Facebook
    • Software-platform-as-a-service: Google App Engine, Azure, Force
    • Virtual-infrastructure-as-a-service: Sun, IBM, Azure
    • Physical-infrastructure-as-a-service: Amazon, Go-Grid, OpSource, COLT, etc.
    Source: Forrester Research, August 2008, “Future View: The New Tech Ecosystems of Cloud, Cloud Services, and Cloud Computing”
  • 6. Cloud Computing Really Is the Next Big Thing
    Figure 12. The two largest users of cloud services (“Who are your two largest users of cloud services?”; bar chart, 0-60%; categories: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO). Note: mid-tier sector = 250-1000 employees and revenue between $50m and $1b.
    Gartner predicts that the market for total cloud services will reach $150B by 2013
    Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
  • 7. Early Cloud Examples
    • US Army — Testing troop vulnerability application on cloud platform
    • Eli Lilly — Drug research
    • Nasdaq — Market Replay service
    • USA.gov — Public information portal that flexes with traffic fluctuations
    • Starbucks — My Starbucks Ideas online customer collaboration built on Force.com
    • Indy500.com — Streams live race footage and statistics
    • Harvard Medical School — Genetic testing models and simulations
  • 8. Enterprises Cite Flexibility and On Demand over Cost
    Reasons for IaaS: “How important were the following in your firm's decision to adopt pay-per-use hosting of virtual servers (also known as cloud computing)?”
  • 9. SaaS Adoption Growing As Model Matures: $8B in ’09 to $14.7B in ‘12
    With Customer Relationship Management and Content/Communication and Collaboration leading the way
    Source: Gartner SaaS Trends 2007-2012
  • 10. Ok, If It’s So Great, Why Not Use the Cloud for Everything?
  • 11. Security is the Top Challenge for Customers Moving to Cloud Services
    Figure 15. Top challenges for customers moving to cloud services (“What are the top two most critical challenges for customers looking to move to a utility/cloud?”; bar chart, 0-50%; categories: nervous about security, cultural/organizational (resource ownership), on-premise software/legacy infrastructure, product/service option available, shared resources, regulation/compliance, availability/uptime, software licensing, CxO sponsorship)
    Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
  • 12. The Two Largest Users of Cloud Services: Mid-tier Enterprise and SaaS Providers
    Figure 12. The two largest users of cloud services (“Who are your two largest users of cloud services?”; bar chart, 0-60%; categories: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO). Note: mid-tier sector = 250-1000 employees and revenue between $50m and $1b.
    Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
  • 13. Security Worries for Enterprises
    Physical Security
      • Physical data location
      • Physical data security
    GRC
      • Identity, compliance
      • Manageability of resources in the cloud
      • Multiple identities to manage
      • Compliance enforcement
    Manageability
      • Responsive provisioning/de-provisioning users across multiple services
      • How to apply roles / policies across multiple services
      • Cloud workload management
      • Usable for a broader set of workloads
    Financial
      • Audit
      • Need to rewrite internal applications
      • How to leverage existing investments in the data center
    Contractual
      • Software licensing problems
      • SLAs, proof of 99.99+% uptime
      • Intellectual property concerns
      • References
  • 15. What Are the Key Risks?
  • 16. Summary: The Cloud Amplifies IT Challenges and Opportunities
    • Data that is safe for you to store inside your firewall is now outside
    • Access to compute resources that your company is paying for is available with simple user name/password authentication
    • Your compute jobs may be running on many machines, may be backed up on many storage networks, and may be exported without your knowledge
    Identity, authorization and audit for employees, customers, patients and workloads is the future of computing security!
  • 17. What Do Enterprises Have To Do?
  • 18. Attach the Same Governance and Access Policies to the Cloud as We Have Internally
    Diagram: Internal Cloud (on-premise) and External Cloud (off-premise), separated by a Firewall, with Governance and Compliance spanning both. Layers shown: Business Service Management, IT Service Management, Software as a Service, Platform as a Service, Infrastructure as a Service. Capacity shown: Internal Capacity (Legacy; Abstracted and disaggregated IT resources) and External Capacity (Managed Outsource Provider, Telco, Amazon EC2).
  • 19. Action Items
    • Do a Cloud Computing Discovery project
      – Don’t forget to ask Accounting how many purchase orders and credit card reimbursements you have to Amazon Web Services!
      – Software usage analysis will discover SaaS products being used at your site
    • Ask your CISO (or if you are one, your team ☺) to prepare a report card on the security issues we’ve discussed
    • Every new cloud computing provider should be evaluated both in terms of positives and in terms of security impact
  • 20. Sample Cloud Computing Report Card: Acme Platform Services
    Physical Security
      • Physical data location
      • Physical data security
    GRC
      • Identity, compliance
      • Manageability of resources in the cloud
      • Multiple identities to manage
      • Compliance enforcement
    Manageability
      • Responsive provisioning/de-provisioning users across multiple services
      • How to apply roles/policies across multiple services
      • Cloud workload management
      • Usable for a broader set of workloads
    Financial
      • Audit
      • Need to rewrite internal applications
      • How to leverage existing investments in the data center
    Contractual
      • Software licensing problems
      • SLAs, proof of 99.99+% uptime
      • Intellectual property concerns
      • References
  • 21. Action Items (cont)
    • Make a plan to solve the worst 3 problems in 2010
    • Prohibit any more cloud providers until their offerings easily snap into YOUR access and governance policies
      – Consider a portal where you can control (or even require multiple authentication methods for) access to Cloud resources
    • Insist on audit information you can use from your current providers
    • Investigate managed clouds from trusted MSPs
  • 22. What Should I Expect from My Cloud Vendors?
  • 23. Vendors
    • SAS 70
    • Other transparency
    • Identity protection and user-controlled access/authorization
    • Audit trail
    • Trusted Cloud Initiative
  • 24. SAS 70 Certification
    • Created by the American Institute of Certified Public Accountants
    • Represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes
    • An independent “service auditor” issues an opinion on the servicer’s controls, usable by the servicer and its customers
    • Type I: a snapshot on a specific date, self reported
    • Type II: opinion delivered about ongoing controls
  • 25. Other Transparency Issues
    • Who can reach data?
    • What level of encryption is available? Practical?
    • Where is the data located?
    • Where is the computer located?
    • SLA terms (Microsoft requires an NDA to even see their SLA model agreement!)
  • 26. Identity Protection
    • What is the process for:
      – Provisioning identities?
      – Guarding them?
      – De-provisioning with role changes?
    • Does the vendor support multi-factor authentication?
    • Do they support standards-based federation?
  • 27. Audit/GRC
    • How do you find out what’s going on inside your vendor’s data center?
    • How do you check up on SLA terms?
    • Can you reconcile information you do receive with the rest of your GRC inspection regime?
    • Is sensitive data moving through scale-out or through backup?
  • 28. Trusted-Cloud Initiative
    Novell/CSA partnership initiative now prominently displayed to CSA members
  • 29. Responsibility
    (Each item is color-coded on the original slide as Vendor, Enterprise, or Joint responsibility; the coding is not preserved in this transcript.)
    Physical Security
      • Physical data location
      • Physical data security
    GRC
      • Identity creation
      • Manageability of resources in the cloud
      • Simplify identity management
      • Compliance enforcement
    Manageability
      • Responsive provisioning/de-provisioning users across multiple services
      • How to apply roles/policies across multiple services
      • Cloud workload management
      • Ability to move workloads to different vendor(s)
    Financial
      • Audit
      • Avoid re-writing internal applications
      • Leveraging existing investments in the data center
    Contractual
      • Software licensing problems
      • SLAs, proof of 99.99+% uptime
      • Intellectual property concerns
      • References
  • 30. Questions
  • 31. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.