Cloud security jean pawluk ewf talk sept 2009
Published in: Technology, Business
Transcript

  • 1. Cloudy Weather: Cloud Computing Security. Jean Pawluk, Chief Architect. Prepared for the Executive Women's Forum Emerging Technology Workshop, September 2009. ©Jean Pawluk 09/24/2009
  • 2. With great opportunity comes great risk.
  • 3. In the Way Back Machine…
    Think back to the time of "big iron":
    - Ruled by mainframes and minis
    - Few mobile devices
    Think again about the last few years: big changes that occurred with the Internet and the mobility of devices.
    Today's evolution:
    - Convergence of the two
    - Ubiquity of compute power
  • 4. Opportunity to discover…
  • 5. Cool hype… & lots of confusion
    Confusion abounds today as several ideas and services are labeled "cloud computing". A few myths exist:
    - Cloud computing is a new revolution (it's an old idea)
    - Cloud computing is just virtualization
    - The Internet and the Web are the cloud
    - Every vendor has a different cloud
    - Everything will be in the cloud (as if)
    Nevertheless: under the hype a very important paradigm shift is occurring, similar to the move to the Internet.
  • 6. You can find the cloud today…
    Swarms of connected technology and business services, which are offered, bought, sold, used and repurposed on shared worldwide networks of service providers, consumers, aggregators, and brokers, creating new ways of offering, using, and organizing information and functionality.
    Examples: Social Networks, Virtual Worlds, Games, Blogs, Books & Magazines & Newspapers, "free" Email, Data everywhere / all of the time, Market Research, Census, Data aggregators, Marketing collateral, Video, Phone, TV, Photos, Music, Virtual desktops, Search engines.
  • 7. Next? So when will we…
    - Stop talking about the Internet (which was the "cloud"), and when will the Cloud be omnipresent?
    - Move from managers of technology to managers of services…
    - Move from a focus on cost to a focus on value…
    - Move from overhead to a team that enables growth…
  • 8. Cloud-onomics
    CLOUD COMPUTING AGILITY + BUSINESS & IT ALIGNMENT + SERVICE FLEXIBILITY + INDUSTRY STANDARDS = OPTIMIZED BUSINESS …allows you to optimize new investments for direct business benefits.
    VIRTUALIZATION + ENERGY EFFICIENCY + STANDARDIZATION + AUTOMATION = REDUCED COST …leverages virtualization, standardization and automation to free up operational budget for new investment.
    Courtesy and Copyright of IBM
  • 9. Cloud Computing Business Drivers
    - Cost: pay per use; no hardware or startup costs; low investment in capital expenditure & time-to-live
    - Flexibility: use cloud computing services when needed; dynamically grow and shrink services
    - Simplicity: typically browser-based user interfaces
    - Response: speed to market; fast resourcing (provisioning and de-provisioning of processing, etc.)
    - Availability: many cloud service providers have global, robust network, CPU and application capability
  • 10. Several Cloud Deployment Models (Jericho Cloud Cube Model)
    - Private Enterprise / Internal Cloud
    - Managed Private Cloud
    - External Public Cloud
    - Hybrid Combination
  • 11. Public Cloud Computing: from a user perspective
    - User: builds a web application, using a standard platform and database, and uploads this application to a cloud provider
    - Cloud provider: provisions the services; scales the application and the database together
    - User: doesn't care about which servers, which databases, which hardware, how much memory (the cloud platform handles all of that); users are totally free from any technical complexity other than the service itself
    - Cloud provider: decides how to cache content, how and where to deploy servers based on demand, performs backups, and even gives the business the ability to distinguish "production" from "staging" deployments; has ongoing management and monitoring of the external service
    - User: only pays for what is used, when the user needs it; everything else is an implementation detail
    Great idea, but where are the data security controls in this point of view???
  • 12. Evolving Cloud Architectures
    The central architectural concept is XaaS (everything as a service), the core being:
    - IaaS (Infrastructure)
    - PaaS (Platform)
    - SaaS (Software)
    Yet security is off to the side. The lower down the stack a cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
    Diagram Courtesy of Chris Hoff
  • 13. Risk: who controls security?
    The lower down the stack a cloud provider stops, the more security you are tactically responsible for implementing & managing yourself. (Diagram: a stack of SaaS, PaaS and IaaS; at the SaaS end you "SLA" security, at the IaaS end you build in your own security.)
  • 14. READ the fine print…
    "7.2 Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
    Source: http://aws.amazon.com/agreement/
  • 15. What's ready for the cloud?
    - When the processes, applications and data are largely independent
    - When the points of integration are well defined
    - When a lower level of security will work just fine
    - When the core internal enterprise architecture is healthy
    - When the Web is the desired platform
    - When cost is an issue
    - When the applications are new
    Courtesy and Copyright of David Linthicum
  • 16. Cloud Computing Services Players:
    - Infrastructure: computing infrastructure, typically a platform virtualization environment, as a service
      - Full virtualization (GoGrid, Skytap)
      - Grid computing (Sun Grid)
      - Management (RightScale)
      - Compute (Amazon Elastic Compute Cloud)
    - Platform: the delivery of a computing platform and/or solution stack as a service
      - Web application frameworks: Ajax (Caspio), Python Django (Google App Engine), Ruby on Rails (Heroku)
      - Web hosting (Mosso)
      - Proprietary (Azure, Force.com)
    - Storage: data storage as a service, billed on a utility basis, e.g. per gigabyte / month
      - Database (Amazon SimpleDB, Google App Engine's BigTable datastore)
      - Network attached storage (MobileMe iDisk, CTERA Cloud Attached Storage, Nirvanix CloudNAS)
      - Synchronization (Live Mesh Live Desktop component, MobileMe push functions)
      - Web service (Amazon Simple Storage Service, Nirvanix SDN)
  • 17. Cloud Computing Services Players (more)
    - Business Services: interoperable machine-to-machine interaction over a network, accessed by other cloud computing components or directly by end users
      - Identity (OAuth, OpenID)
      - Integration (Amazon Simple Queue Service)
      - Payments (Amazon Flexible Payments Service, Google Checkout, PayPal)
      - Mapping (Google Maps, Yahoo! Maps)
      - Search (Alexa, Google Custom Search, Yahoo! BOSS)
      - Others (Amazon Mechanical Turk)
    - Application: cloud-based software that often eliminates the need for local installation
      - Peer-to-peer / volunteer computing (BitTorrent, BOINC projects, Skype)
      - Web application (Facebook)
      - Software as a service (Google Apps, Salesforce)
      - Software plus services (Microsoft Online Services)
  • 18. What's not ready for the cloud?
    - When the processes, applications and data are largely coupled
    - When the points of integration are not well defined
    - When a high level of security is required
    - When the core internal enterprise architecture needs work
    - When the application requires a native interface
    - When cost is an issue
    - When the applications are legacy
    Courtesy and Copyright of David Linthicum
  • 19. What's not ready for the cloud? (more)
    1. Work which depends on sensitive data normally restricted to the enterprise
       - Employee information: not ready to move enterprise information with high data sensitivity into a public cloud
       - Health care records: do not move until the security of the cloud provider is well established
    2. Work composed of multiple, co-dependent services (e.g. high-throughput online transaction processing)
    3. Work requiring a high level of auditability, accountability and regulation (e.g. work subject to Sarbanes-Oxley)
    4. Work based on 3rd-party software which does not have a cloud-aware licensing strategy
    5. Work requiring detailed chargeback or utilization measurement, as required for capacity planning or departmental-level billing
    6. Work requiring customization (e.g. customized SaaS)
  • 20. Security Questions: they go on & on…
    - Shared infrastructure: As we open up systems, can we expect the same security, reliability, & availability? Who are you sharing that server with?
    - Consumption-based pricing: What happens if you don't pay your bill? Do you lose your data? How do we control and monitor consumption?
    - Improved business continuity: What infrastructure are the applications running on? What protection do we have against outages? What legal recourse do we have?
    - Massively scalable: Where does our data reside? In a foreign country?
    - Mobility & flexibility: Will vendor relationship management hamper mobility? Can any "fly-by-night" coder & service be a cloud? Will we see service brokers emerge?
    - Internet-based & easily accessible: Will the cloud enable an increase of shadow IT?
  • 21. Cloud Security: Areas of Concern
    - Information lifecycle management
    - Governance and enterprise risk management
    - Compliance & audit
    - General legal
    - eDiscovery
    - Encryption and key management
    - Identity and access management
    - Storage
    - Virtualization
    - Application security
    - Trust time bomb
    - Portability & interoperability
    - Data center operations management
    - Incident response, notification, remediation
    - "Traditional" security impact (business continuity, disaster recovery, physical security)
  • 22. Back to the Future: co-existing delivery models?
    Security issues will occur crossing between private and public use. (Diagram: service consumers connect through services and service integration layers to three delivery models: Traditional Enterprise IT (Mission Critical, Packaged Apps, High Compliancy); Private Enterprise Cloud (Test Systems, Storage Cloud, Developer Systems); Public Clouds (Variable Storage, Software as a Service, Web Hosting).) SaaS, IaaS & PaaS public / private example.
  • 23. Summary
    - Cloud computing is real and transformational
    - Cloud computing can be secured, but can also carry increased risk due to aggregation of assets
    - Cloud needs a broad governance approach and tactical fixes
    - Know that there is "no free lunch"
  • 24. Bridge the chasm from now to future…
    Take the time now to tackle future issues:
    - Practical, technical issues are addressed
    - Security issues are addressed
    - Confidence will increase as cloud computing evolves and mainstreams over its lifecycle
    - Hype reduces over time
    So don't rush… think and do it right.
  • 25. Cloud Security Alliance Call to Action
    - Discussions & announcements on LinkedIn
    - Join us, help make our work better
    - Other research initiatives and events being planned
    - www.cloudsecurityalliance.org
    - info@cloudsecurityalliance.org
    - Twitter: @cloudsa, #csaguide
    - LinkedIn: Cloud Security Alliance group www.linkedin.com/groups?gid=1864210