Cloud security jean pawluk ewf talk sept 2009

1. Cloudy Weather: Cloud Computing Security
   Jean Pawluk, Chief Architect
   Prepared for Executive Women's Forum Emerging Technology Workshop, September 2009
   ©Jean Pawluk

2. With great opportunity, comes great risk
   ©Jean Pawluk 09/24/2009

3. In the Way Back Machine…
   Think back to the time of "big iron":
   • Ruled by mainframes and minis
   • Few mobile devices
   Think again about the last few years: big changes that occurred with the Internet and the mobility of devices.
   Today's evolution:
   • Convergence of the two
   • Ubiquity of compute power

4. Opportunity to discover …

5. Cool Hype… & lots of confusion
   Confusion abounds today as several ideas and services are labeled "cloud computing". A few myths exist:
   • Cloud computing is a new revolution (it's an old idea)
   • Cloud computing is just virtualization
   • The Internet and the Web are the cloud
   • Every vendor has a different cloud
   • Everything will be in the cloud (as if)
   Nevertheless: under the hype a very important paradigm shift is occurring that is similar to the move to the Internet.

6. You can find the cloud today…
   Swarms of connected technology and business services, which are offered, bought, sold, used and repurposed on shared worldwide networks of service providers, consumers, aggregators and brokers, creating new ways of offering, using and organizing information and functionality.
   Examples: Social Networks, Virtual Worlds, Games, Blogs, Books & Magazines & Newspapers, "free" Email, Data everywhere / all of the time, Market Research, Census, Data aggregators, Marketing collateral, Video, Phone, TV, Photos, Music, Virtual desktops, Search engines

7. Next? So when will we…
   • Stop talking about the Internet (which was the "cloud"), and when will the Cloud be omnipresent?
   • Move from managers of technology to managers of services…
   • Move from a focus on cost to a focus on value…
   • Move from overhead to a team that enables growth…

8. Cloud-onomics
   CLOUD COMPUTING AGILITY + BUSINESS & IT ALIGNMENT + SERVICE FLEXIBILITY + INDUSTRY STANDARDS = OPTIMIZED BUSINESS
   …allows you to optimize new investments for direct business benefits
   VIRTUALIZATION + ENERGY EFFICIENCY + STANDARDIZATION + AUTOMATION = REDUCED COST
   …leverages virtualization, standardization and automation to free up operational budget for new investment
   Courtesy and Copyright of IBM

9. Cloud Computing Business Drivers
   • Cost: pay per use; no hardware or startup costs; low investment in capital expenditure & time-to-live
   • Flexibility: use cloud computing services when needed; dynamically grow and shrink services
   • Simplicity: typically browser-based user interfaces
   • Response: speed to market; fast resourcing (provisioning and de-provisioning processing etc.)
   • Availability: many cloud service providers have global, robust network, CPU and application capability

10. Several Cloud Deployment Models
    • Private Enterprise / Internal Cloud
    • Managed Private Cloud
    • External Public Cloud
    • Hybrid Combination
    Jericho Cloud Cube Model

11. Public Cloud Computing: From a user perspective
    • User:
      – Builds a web application,
      – using a standard platform and database,
      – Uploads this application to a cloud provider
    • Cloud provider:
      – Provisions the services
      – Scales the application and the database together
    • User:
      – Doesn't care about which servers, which databases, which hardware, how much memory (the cloud platform handles all of that)
      – Users are totally free from any technical complexity other than the service itself
    • Cloud provider:
      – Decides how to cache content, how and where to deploy servers based on demand, performs backups, and even has the ability for the business to distinguish "production" from "staging" deployments
      – Has ongoing management and monitoring of the external service
    • User:
      – Only pays for what is used when the user needs it
      – Everything else is an implementation detail
    Great idea, but where are the data security controls in this point of view???

12. Evolving Cloud Architectures
    The central architectural concept is XaaS (everything as a service). Core being:
    • IaaS (Infrastructure)
    • PaaS (Platform)
    • SaaS (Software)
    Yet security is off to the side. The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
    Diagram Courtesy of Chris Hoff

13. Risk - Who controls security?
    The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
    (Diagram: the stack SaaS / PaaS / IaaS. At the SaaS end security is the provider's "SLA" security; at the IaaS end you build in your own security.)

14. READ the fine print…
    7.2 Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
    Source - http://aws.amazon.com/agreement/
15. What's ready for the cloud?
    • When the processes, applications and data are largely independent
    • When the points of integration are well defined
    • When a lower level of security will work just fine
    • When the core internal enterprise architecture is healthy
    • When the Web is the desired platform
    • When cost is an issue
    • When the applications are new
    Courtesy and Copyright of David Linthicum

16. Cloud Computing Services Players
    • Infrastructure - Computing infrastructure, typically a platform virtualization environment, as a service
      – Full virtualization (GoGrid, Skytap)
      – Grid computing (Sun Grid)
      – Management (RightScale)
      – Compute (Amazon Elastic Compute Cloud)
    • Platform - The delivery of a computing platform and/or solution stack as a service
      – Web application frameworks: Ajax (Caspio), Python Django (Google App Engine), Ruby on Rails (Heroku)
      – Web hosting (Mosso)
      – Proprietary (Azure, Force.com)
    • Storage - Data storage as a service, billed on a utility basis, e.g. per gigabyte / month
      – Database (Amazon SimpleDB, Google App Engine's BigTable datastore)
      – Network attached storage (MobileMe iDisk, CTERA Cloud Attached Storage, Nirvanix CloudNAS)
      – Synchronization (Live Mesh Live Desktop component, MobileMe push functions)
      – Web service (Amazon Simple Storage Service, Nirvanix SDN)

17. Cloud Computing Services Players (more)
    • Business Services - Interoperable machine-to-machine interaction over a network, accessed by other cloud computing components or directly by end users
      – Identity (OAuth, OpenID)
      – Integration (Amazon Simple Queue Service)
      – Payments (Amazon Flexible Payments Service, Google Checkout, PayPal)
      – Mapping (Google Maps, Yahoo! Maps)
      – Search (Alexa, Google Custom Search, Yahoo! BOSS)
      – Others (Amazon Mechanical Turk)
    • Application - Cloud-based software that often eliminates the need for local installation
      – Peer-to-peer / volunteer computing (BitTorrent, BOINC Projects, Skype)
      – Web application (Facebook)
      – Software as a service (Google Apps, Salesforce)
      – Software plus services (Microsoft Online Services)

18. What's not ready for the cloud?
    • When the processes, applications and data are largely coupled
    • When the points of integration are not well defined
    • When a high level of security is required
    • When the core internal enterprise architecture needs work
    • When the application requires a native interface
    • When cost is an issue
    • When the applications are legacy
    Courtesy and Copyright of David Linthicum

19. What's not ready for the cloud? (more)
    1. Work which depends on sensitive data normally restricted to the Enterprise
       – Employee Information - Not ready to move enterprise information with high sensitivity into a public cloud
       – Health Care Records - Do not move until the security of the cloud provider is well established
    2. Work composed of multiple, co-dependent services
       – High throughput online transaction processing
    3. Work requiring a high level of auditability, accountability and regulation
       – Work subject to Sarbanes-Oxley
    4. Work based on 3rd party software which does not have a cloud-aware licensing strategy
    5. Work requiring detailed chargeback or utilization measurement, as required for capacity planning or departmental level billing
    6. Work requiring customization (e.g. customized SaaS)

20. Security Questions - They go on & on…
    Shared Infrastructure
    • As we open up systems, can we expect the same security, reliability, & availability?
    • Who are you sharing that server with?
    Consumption-based pricing
    • What happens if you don't pay your bill? Do you lose your data?
    • How do we control and monitor consumption?
    Improved Business Continuity
    • What infrastructure are the applications running on?
    • What protection do we have against outages?
    • What legal recourse do we have?
    Massively scalable
    • Where does our data reside? In a foreign country?
    Mobility & Flexibility
    • Will vendor relationship management hamper mobility?
    • Can any "fly-by-night" coder & service be a cloud?
    • Will we see service brokers emerge?
    Internet-based & easily accessible
    • Will the cloud enable an increase of shadow IT?

21. Cloud Security - Areas of Concern
    • Information lifecycle management
    • Governance and Enterprise Risk Management
    • Compliance & Audit
    • General Legal
    • eDiscovery
    • Encryption and Key Management
    • Identity and Access Management
    • Storage
    • Virtualization
    • Application Security
    • Trust Time Bomb
    • Portability & Interoperability
    • Data Center Operations Management
    • Incident Response, Notification, Remediation
    • "Traditional" Security impact (business continuity, disaster recovery, physical security)

22. Back to the Future: Co-existing delivery models?
    Security issues will occur crossing between private and public use.
    (Diagram: Service Consumers, Services and Service Integration for each of three delivery models; SaaS, IaaS & PaaS public / private example.)
    • Traditional Enterprise IT: Mission Critical, Packaged Apps, High Compliancy
    • Private Cloud Enterprise: Test Systems, Storage Cloud, Developer Systems
    • Public Clouds: Variable Storage, Software as a Service, Web Hosting

23. Summary
    • Cloud Computing is real and transformational
    • Cloud Computing can be secured but also can carry increased risk due to aggregation of assets
    • Cloud needs a broad governance approach and tactical fixes
    • Know that there is "no free lunch"

24. Bridge the chasm from now to future…
    Take the time now to tackle future issues:
    • Practical, technical issues are addressed
    • Security issues are addressed
    • Confidence will increase as Cloud Computing evolves and mainstreams over its lifecycle
    • Hype reduces over time
    So don't rush… think and do it right

25. Cloud Security Alliance: Call to Action
    • Discussions & announcements on LinkedIn
    • Join us, help make our work better
    • Other research initiatives and events being planned
    • www.cloudsecurityalliance.org
    • info@cloudsecurityalliance.org
    • Twitter: @cloudsa, #csaguide
    • LinkedIn: Cloud Security Alliance group www.linkedin.com/groups?gid=1864210