Cloud Security ("securing the cloud")

Vic Winkler's 2011 FOSE presentation in Washington DC. The talk was based on the book: "Securing the Cloud" (Elsevier 2011).

Highlights:
--Top 10 Cloud Security Concerns;
--Is organizational control good for cloud security?;
--Architectural examples for cloud security

Published in: Technology, Business
Transcript

  • 1. NGI-4: Cloud. The Technical Foundations of Security and Interoperability (Overview). Vic Winkler, July 2011, Washington, DC. Booz | Allen | Hamilton
  • 2. The Technical Foundations of Security and Interoperability. This presentation is based on my book “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress, May 2011); graphics are copyright Elsevier/Syngress 2011. It draws on my experiences in designing, implementing and operating the security for “SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+), and on research into best practices in cloud security (2008-2011). Previously, I was a pioneer in network- and systems-based intrusion detection and designed a B1 trusted Unix system.
  • 3. A Brief, Distorted View of History (Overview): Continuing Technology Evolution.
  • 4. More “Evolution” than “Revolution”. So, what is “cloud”?
  • 5. A Minor Problem With Words… The most common question: Is “cloud” secure?
  • 6. Booz Allen: Cloud Computing “Quick Look” Assessment. The QLA approach analyzes the organization and its potential cloud candidate functions and applications across eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each: Business/Mission, Technology, Economics, Security, Governance & Policy, IT Management, Organization, Change Management.
  • 7. Cloud: A Model for Computing, A Model for Service Delivery.
    – “Cloud Services”: an IT model for service delivery, expressed, delivered and consumed over the Internet or a private network: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS).
    – “Cloud Computing”: an IT model for computing, an environment composed of the IT components necessary to develop and deliver “cloud services”.
  • 8. The Services Stack: Two Perspectives. What about security? …“Confidentiality”, “Integrity” and “Availability”?
  • 9. The NIST Cloud Model.
  • 10. Security Concerns?
    – 10. Unknown Risks: concern that cloud computing brings new classes of risks and vulnerabilities.
    – 9. Control over Data: user data may be commingled with data belonging to others.
    – 8. Legal and Regulatory Compliance: it may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance.
    – 7. Disaster Recovery and Business Continuity: cloud tenants and users require confidence that their operations and services will continue despite a disaster.
    – 6. Security Incidents: tenants and users need to be informed and supported by a provider.
    – 5. Transparency: trust in a cloud provider’s security claims entails provider transparency.
    – 4. Cloud Provider Viability: since cloud providers are relatively new to the business, there are questions about provider viability and commitment.
    – 3. Privacy and Data Concerns with Public or Community Clouds: data may not remain in the same system, raising multiple legal concerns.
    – 2. User Error: a user may inadvertently leak highly sensitive or classified information into a public cloud.
    – 1. Network Availability: the cloud must be available whenever you need it.
  • 11. Security Concerns: Sensitive Data & Regulatory Compliance.
  • 12. Security Concerns: Transparency.
  • 13. Security Concerns: Example of Private Cloud Concerns.
  • 14. Security Concerns: Trade-Offs.
  • 15. Cloud Services are Expressed From Cloud IT Infrastructure.
  • 16. Virtualization and Elastic Service Expression.
  • 17. Is Organizational Control Good for Security?
  • 18. Scope of Control.
  • 19. IaaS, PaaS and SaaS: Data Ownership.
  • 20. Organizational Control with Private versus Public.
  • 21. Cloud Demands Advanced Management Capabilities (this should benefit security).
  • 22. Planning for Competitive Pricing (…in other words, “cost-effective security”).
  • 23. Planning for Fundamental Changes.
  • 24. Patterns are Key for Cloud Infrastructure.
  • 25. …Patterns are Key for Cloud Infrastructure.
  • 26. …Patterns are Key for Cloud Infrastructure.
  • 27. Example: Separate Paths, Separate Networks.
  • 28. Example: …Separate Paths, Separate Networks.
  • 29. Assessment: Is it “Correct”, “Secure” and Does it Meet Requirements?
  • 30. How Much Assurance?
  • 31. Operationally, How Will You Know?
  • 32. Security Monitoring: A High-Volume Activity.
  • 33. Monitoring Really Wants To Be a Near-Real-Time Feedback Loop.
  • 34. Beyond Security Monitoring: Integrated Operational Security.
  • 35. Example: Security Use for CMDB.
  • 36. Defense-in-Depth in Infrastructure.
  • 37. What are the BIG Lessons?
    – Provider:
      • Model T approach: any color the customer wants …as long as it’s “black”; special requests undercut profits.
      • Plan ahead: focus on eventual operations costs and on the certainty of change to the infrastructure.
      • Seek to automate almost everything: identify procedures/processes to drive down costs; identify and refine patterns.
      • Segregate information: don’t mix infrastructure management information with security information, with customer data, etc.
      • Architect for completely separate paths: (Public) (Infrastructure control) (Network device control) (Security management). This entails a differentiated set of networks. Isolate, Isolate, Isolate. Encrypt, Encrypt, Encrypt.
    – Consumer:
      • Who is the provider?
      • What are you really buying? Transparency, independent verification, indemnification?
  • 38. Thank You. Business: Winkler_Joachim@BAH.Com; Personal: Vic@VicWinkler.Com; Phone: 703.622.7111. “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress 2011).
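Slide 37's "completely separate paths" lesson, as an added example that is not from the deck or the book: a small Python check that verifies, over a constructed inventory, that the four named paths sit on non-overlapping networks, that no host has a foot on both the public path and a control or security-management path, and that no firewall allow rule lets the public path reach those control paths. All subnets, hosts and rules are assumptions invented for the example.

```python
import ipaddress

# Constructed sample inventory (not from the slides): the four separate paths the
# deck names, each assumed to live on its own network.
PLANES = {"public": "203.0.113.0/24", "infrastructure_control": "10.10.0.0/24",
          "network_device_control": "10.20.0.0/24", "security_management": "10.30.0.0/24"}
CONTROL_PLANES = {"infrastructure_control", "network_device_control", "security_management"}
# Constructed hosts (name -> interface addresses); "badhost" straddles two paths.
HOSTS = {"web-01": ["203.0.113.10"], "hv-01": ["10.10.0.5"],
         "badhost": ["203.0.113.20", "10.30.0.9"]}
# Constructed firewall allow rules as (source CIDR, destination CIDR).
ALLOW_RULES = [
    ("0.0.0.0/0", "203.0.113.0/24"),     # Internet to the public path: expected
    ("10.30.0.0/24", "10.10.0.0/24"),    # security mgmt to infra control: allowed here
    ("203.0.113.0/24", "10.20.0.0/24"),  # public into device control: a violation
]

def plane_of(addr, planes=PLANES):
    """Return the path whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, c in planes.items() if ip in ipaddress.ip_network(c)), None)

def overlapping_planes(planes=PLANES):
    """Pairs of paths whose address ranges overlap, i.e. are not differentiated."""
    nets = {n: ipaddress.ip_network(c) for n, c in planes.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def bridging_hosts(hosts=HOSTS, planes=PLANES):
    """Hosts with an interface on the public path and on any control/security path."""
    found = []
    for host, addrs in hosts.items():
        on = {plane_of(a, planes) for a in addrs}
        if "public" in on and on & CONTROL_PLANES:
            found.append(host)
    return found

def public_to_control_rules(rules=ALLOW_RULES, planes=PLANES):
    """Allow rules that let traffic from the public path reach a control/security path."""
    public = ipaddress.ip_network(planes["public"])
    found = []
    for src, dst in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        dst_plane = next((n for n, c in planes.items()
                          if d.subnet_of(ipaddress.ip_network(c))), None)
        if dst_plane in CONTROL_PLANES and s.overlaps(public):
            found.append((src, dst))
    return found
```

Run against a real inventory export, the three functions give a quick audit of whether the "differentiated set of networks" the slide calls for actually holds, and "badhost" and the third rule show the two ways it typically fails.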
