Cloud Security ("securing the cloud")
Vic Winkler's 2011 FOSE presentation in Washington DC. The talk was based on the book: "Securing the Cloud" (Elsevier 2011).

Highlights:
--Top 10 Cloud Security Concerns;
--Is organizational control good for cloud security?;
--Architectural examples for cloud security

Published in: Technology, Business
  1. NGI-4: Cloud. The Technical Foundations of Security and Interoperability. Overview. Vic Winkler, July 2011, Washington, DC. Booz | Allen | Hamilton
  2. The Technical Foundations of Security and Interoperability. This presentation is based on my book: “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress, May 2011). Graphics are copyrighted by Elsevier/Syngress 2011. My experiences in designing, implementing and operating the security for “SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+), and research into best practices in cloud security (2008-2011). Previously, I was a pioneer in network- and systems-based intrusion detection and designed a B1 trusted Unix system. Graphics copyright Elsevier/Syngress 2011. Booz | Allen | Hamilton
  3. A Brief, Distorted View of History. Overview: Continuing Technology Evolution
  4. More “Evolution” than “Revolution”. So, what is “cloud”?
  5. A Minor Problem With Words… Most common question: Is “cloud” secure?
  6. Booz Allen: Cloud Computing “Quick Look” Assessment. The QLA approach analyzes the organization and its potential cloud candidate functions and applications across eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each: Business/Mission; Technology; Economics; Security; Governance & Policy; IT Management; Organization; Change Management.
  7. Cloud: A Model for Computing, A Model for Service Delivery.
     • “Cloud Services”: an IT model for service delivery, expressed, delivered and consumed over the Internet or a private network: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS).
     • “Cloud Computing”: an IT model for computing; an environment composed of the IT components necessary to develop and deliver “cloud services”.
  8. The Services Stack: Two Perspectives. What about security? …“Confidentiality”, “Integrity” and “Availability”?
  9. The NIST Cloud Model
  10. Security Concerns?
     • 10. Unknown Risks: concern that cloud computing brings new classes of risks and vulnerabilities
     • 9. Control over Data: user data may be commingled with data belonging to others
     • 8. Legal and Regulatory Compliance: it may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance
     • 7. Disaster Recovery and Business Continuity: cloud tenants and users require confidence that their operations and services will continue despite a disaster
     • 6. Security Incidents: tenants and users need to be informed and supported by a provider
     • 5. Transparency: trust in a cloud provider’s security claims entails provider transparency
     • 4. Cloud Provider Viability: since cloud providers are relatively new to the business, there are questions about provider viability and commitment
     • 3. Privacy and Data Concerns with public or community clouds: data may not remain in the same system, raising multiple legal concerns
     • 2. User Error: a user may inadvertently leak highly sensitive or classified information into a public cloud
     • 1. Network Availability: the cloud must be available whenever you need it
  11. Security Concerns: Sensitive Data & Regulatory Compliance
  12. Security Concerns: Transparency
  13. Security Concerns: Example of Private Cloud Concerns
  14. Security Concerns: Trade-Offs
  15. Cloud Services are Expressed From Cloud IT Infrastructure
  16. Virtualization and Elastic Service Expression
  17. Is Organizational Control Good for Security?
  18. Scope of Control
  19. IaaS, PaaS and SaaS: Data Ownership
  20. Organizational Control with Private versus Public
  21. Cloud Demands Advanced Management Capabilities (this should benefit security)
  22. Planning for Competitive Pricing (…in other words, “cost-effective security”)
  23. Planning for Fundamental Changes
  24. Patterns are Key for Cloud Infrastructure
  25. …Patterns are Key for Cloud Infrastructure
  26. …Patterns are Key for Cloud Infrastructure
  27. Example: Separate Paths, Separate Networks
  28. Example… Separate Paths, Separate Networks
  29. Assessment: Is it “Correct”, “Secure”, and Does it Meet Requirements?
  30. How Much Assurance?
  31. Operationally, How Will You Know?
  32. Security Monitoring: A High-Volume Activity
  33. Monitoring Really Wants To Be a Near-Real-Time Feedback Loop
  34. Beyond Security Monitoring: Integrated Operational Security
  35. Example: Security Use for CMDB
  36. Defense-in-Depth in Infrastructure
  37. What are the BIG Lessons?
     • Provider
       – Model T approach: any color the customer wants …as long as it’s “black”
         • Special requests undercut profits
       – Plan ahead: focus on eventual operations costs and on the certainty of change to the infrastructure
       – Seek to automate almost everything:
         • Identify procedures/processes to drive down costs
         • Identify and refine patterns
       – Segregate information
         • Don’t mix infrastructure management information
         • …with security information
         • …with customer data …etc.
       – Architect for completely separate paths:
         • (Public) (Infrastructure control) (Network device control) (Security management)
         • Entails a differentiated set of networks
         • Isolate, Isolate, Isolate
         • Encrypt, Encrypt, Encrypt
     • Consumer
       – Who is the provider?
       – What are you really buying? Transparency, independent verification, indemnification?
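As an added example that is not part of the presentation or the book, the following Python audit checks a constructed network inventory against the "separate paths" lesson above: every network belongs to exactly one of the four planes the slide names, no host is multi-homed across planes, and no firewall rule permits a cross-plane flow. The plane names, the inventory and rule format, and all sample data are assumptions made for illustration.

```python
"""Audit a network inventory against the "separate paths" pattern from slide 37:
public, infrastructure-control, network-device-control and security-management
traffic each travel on their own network. Added example, not code from the
presentation or book; plane names, inventory format and data are constructed."""
from dataclasses import dataclass

PLANES = {"public", "infra-control", "netdev-control", "security-mgmt"}

@dataclass(frozen=True)
class Rule:  # one permitted flow between two networks (constructed format)
    src_net: str
    dst_net: str
    port: int

# Constructed inventory: each network should carry exactly one plane.
NETWORK_PLANE = {
    "dmz-web": "public",
    "mgmt-hypervisors": "infra-control",
    "mgmt-switches": "netdev-control",
    "siem-collect": "security-mgmt",
    "mgmt-legacy": "management",  # not one of the four planes: mislabelled
}
# Constructed hosts and the networks their interfaces sit on.
HOST_NETS = {
    "web01": {"dmz-web"},
    "siem01": {"siem-collect"},
    "jump01": {"dmz-web", "mgmt-hypervisors"},  # multi-homed across two planes
}
# Constructed firewall rules; two of them join planes the slide keeps apart.
RULES = [
    Rule("dmz-web", "dmz-web", 443),
    Rule("mgmt-hypervisors", "siem-collect", 514),  # infra-control -> security-mgmt
    Rule("dmz-web", "mgmt-switches", 22),  # public -> netdev-control
]

def audit(network_plane, host_nets, rules):
    """Return one finding per violation of the separate-paths pattern."""
    findings = []
    for net, plane in network_plane.items():  # 1. every network has a valid plane
        if plane not in PLANES:
            findings.append(f"network {net}: unknown plane {plane!r}")
    for host, nets in host_nets.items():  # 2. no host bridges two planes
        planes = sorted(network_plane.get(n, "?") for n in nets)
        if len(set(planes)) > 1:
            findings.append(f"host {host}: bridges planes {planes}")
    for r in rules:  # 3. no permitted flow crosses a plane boundary
        src, dst = network_plane.get(r.src_net), network_plane.get(r.dst_net)
        if src != dst:
            findings.append(f"rule {r.src_net}->{r.dst_net}:{r.port}: {src} -> {dst}")
    return findings
```

A deliberate cross-plane flow, such as log forwarding into the security management network, should be recorded as a reviewed exception rather than silently permitted, which is why the check reports it.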
  38. Thank You. Business: Winkler_Joachim@BAH.Com; Personal: Vic@VicWinkler.Com; Phone: 703.622.7111. “Securing the Cloud: Cloud Computer Security Techniques and Tactics”, Vic Winkler (Elsevier/Syngress 2011).