Big 12 Internal Auditor - Tech Trends

2010 Big 12 Internal Auditors Conference, 10 Technology Trends to Consider

Published in: Education

  1. 1. EMERGING TECHNOLOGY TRENDS A VIEW FROM A CAMPUS DATACENTER David Horton Geoff Wilson Kendall George Mark Ferguson Chris Jones University of Oklahoma Information Technology Tuesday, May 18, 2010
  2. 2. 10 TRENDS & LOTS OF QUESTIONS Going forward, these trends will require close collaboration to protect your university. • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  3. 3. TO PARTICIPATE TODAY Please, turn your electronic devices on. We want to hear from you! • Tweet: Use #b12iac to tag your tweet • Email: send comment or question to b12iac@tweetmail.com • Join the discussion Tuesday, May 18, 2010
  4. 4. 10 TRENDS • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  5. 5. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. Tuesday, May 18, 2010
  6. 6. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. • Moore’s Law • Multi-Core • 64-Bit • More power, smaller package Tuesday, May 18, 2010
  7. 7. Tuesday, May 18, 2010
  8. 8. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. • Moore’s Law • Multi-Core • 64-Bit • More power, smaller package Tuesday, May 18, 2010
  9. 9. Tuesday, May 18, 2010
  10. 10. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. • Moore’s Law • Multi-Core • 64-Bit • More power, smaller package Tuesday, May 18, 2010
  11. 11. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. • Moore’s Law • Multi-Core • 64-Bit • More power, smaller package Tuesday, May 18, 2010
  12. 12. COMPUTING POWER Today’s desktop computer can challenge an enterprise-class server from just 5 years ago. Auditing Impact • What are we going to do with all this power? • What if this power falls into the wrong hands? Tuesday, May 18, 2010
  13. 13. VIRTUALIZATION A data center in a box. Tuesday, May 18, 2010
  14. 14. VIRTUALIZATION A data center in a box. • What is virtualization? Tuesday, May 18, 2010
  15. 15. APP APP APP OS OS OS ESX Tuesday, May 18, 2010
  16. 16. Tuesday, May 18, 2010
  17. 17. Tuesday, May 18, 2010
  18. 18. DEMO Tuesday, May 18, 2010
  19. 19. VIRTUALIZATION A data center in a box. Auditing Impact • Where is my server? • Where is my data? • How can we leverage this technology to protect the university’s data? Tuesday, May 18, 2010
  20. 20. GREEN IT Cost-containment, data security and environmental impact are all factors driving interest Tuesday, May 18, 2010
  21. 21. GREEN IT Cost-containment, data security and environmental impact are all factors driving interest • Energy Efficiency • Disposal Tuesday, May 18, 2010
  22. 22. Tuesday, May 18, 2010
  23. 23. GREEN IT Cost-containment, data security and environmental impact are all factors driving interest • Energy Efficiency • Right Sizing • Shared Resources • Run Hotter • Power-Off and Sleep • Consolidated Data Centers Tuesday, May 18, 2010
  24. 24. GREEN IT Cost-containment, data security and environmental impact are all factors driving interest • Disposal • Reduce • Reuse • Recycle Tuesday, May 18, 2010
  25. 25. GREEN IT Cost-containment, data security and environmental impact are all factors driving interest Auditing Impact • Who drives green? • How do we incentivize green? • What is being measured to be green? • What has to be considered to responsibly and safely dispose of equipment? • Who gets your old computers? And do they get your old data too? Tuesday, May 18, 2010
  26. 26. 10 TRENDS • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  27. 27. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Tuesday, May 18, 2010
  28. 28. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Technology Changes • Enterprise Search – finding the needle has never been easier • Encryption (CPU power) • De-duplication • Snapshot Backups • Secure erase • Solid-State Drives • File/Thin Virtualization • Spin-down technologies Continuous innovation (more, smaller, cheaper, faster) Tuesday, May 18, 2010
  29. 29. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Gigabyte 1000 Megabytes Terabyte 1000 Gigabytes Petabyte 1000 Terabytes ? 1000 Petabytes Zettabyte 1000 Exabytes Yottabyte 1000 Zettabytes Tuesday, May 18, 2010
  30. 30. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Why so much growth? • Knowledge workers/students create and consume data • Classroom content • Research data creation, federation • Data mining across disparate sources, combining large warehouses • Document Imaging • Medical data • Security cameras • Log data • Data replication for reliability and disaster recovery • Backups • Archive Digital world (music, photos, video, eBooks) Tuesday, May 18, 2010
  31. 31. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Enterprise Data Center Storage Growth Industry Example • 3,304 Petabytes shipped in Q409 + 33% from Q408 (source:IDC) OUHSC Example • Doubled every 18 months since 2002 • 76M emails archived • ~1M new per week • 4M files archived Tuesday, May 18, 2010
  32. 32. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Multiplier Example: Email Primary Site Disaster Recovery orig copy archive archive b/u b/u Off-site storage tape Tuesday, May 18, 2010
  33. 33. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Enterprise Spectrum of Management Managed: • Protected in data center • Rigorous daily operational procedures for small teams; backup, off-site storage, DR copies • Designed with compliance in mind, encryption, AUP, Data retention, eDiscovery, data destruction • 1 Petabyte • Data classification • Expensive, cost sharing to campus • Understood risk, largely mitigated User Managed: • Portable, mobile, office, desks, homes, laptops, bags, purses • Varies with user - 10,000 users • Often bypasses compliance • 10 Petabyte • Mixed use data, personal and university; sometimes confidential • Individually inexpensive - costs often hidden or bundled • Risk is significant and widespread Tuesday, May 18, 2010
  34. 34. STORAGE GROWTH Digital Data continues to grow exponentially creating technical, security, and compliance challenges. Auditing Impact Where does University data reside? “Show me the data.” How do we classify all of this data? We have new tools that search for SSNs, account numbers, credit cards: What is it OK to do? Are university policies and procedures relevant to the digital age? With growing use of encryption, how do we recover important data? How do we pay/chargeback departments, researchers, users for “managed” storage? How do we “push forward” 1,000s of Terabytes of data across ever-changing technologies? How do we verify data integrity over time? Do the capabilities of the organization match the magnitude of the problem? Tuesday, May 18, 2010
  35. 35. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. Tuesday, May 18, 2010
  36. 36. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. “Machine Rooms” • OU HSC – 10 years ago IT primarily housed administrative systems • We built “machine room” data centers • Retrofitted • Multiple small rooms around campus • Minimal redundancy • We designated one of these on-campus as our “DR” site Tuesday, May 18, 2010
  37. 37. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. Then We Hit a Growth Spurt • Compliance and closer attention to management and security because hackers loved higher ed • Consolidation of distributed servers • Too difficult to secure servers in small closets/offices across campus • For OU HSC, HIPAA response included moving PHI into our data center • Now located in the data center, applications and data grew rapidly • Electronic medical applications and data • High Performance Clusters (HPC) for research cyber infrastructure • Security tools and technologies Tuesday, May 18, 2010
  38. 38. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. Growth Collides with Deficiencies • Space • All that compute power and storage requires power and generates heat • Additional Cooling • Service Availability Tuesday, May 18, 2010
  39. 39. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. User Expectations Up, Tolerance Down Uptime % / Downtime: • 99%: 3 days 15 hours 36 minutes • 99.9%: 8 hours 46 minutes • 99.99%: 53 minutes • 99.999%: 5 minutes Tuesday, May 18, 2010
  40. 40. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. Data Center Options for Reliability & Availability • Utility Feeds • Cooling Sources • Generators • Cooling Units • Battery Systems • N, N+1, 2N, 2(N+1) • A + B Circuit Paths • Multiple Data centers Multipliers = $$$$ = Business decision Tuesday, May 18, 2010
  41. 41. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. OU Data Center Strategy Considerations • Outsourcing given serious thought for Norman campus • Container data centers are interesting – follow the energy Planned • Consolidating from machine rooms into two new, higher reliability centers – one at Norman and one at OKC HSC • Modular design – build in phases • Modular reliability – build in pods • DR across campuses instead of across buildings Tuesday, May 18, 2010
  42. 42. DATA CENTERS Protect, power and cool your data and computing assets with a strategy not just a facility. Auditing Impact Facilities are the basic building blocks for availability and security of IT assets and services – what is your institutional strategy for data centers? Do your campuses work closely together enough to collaborate on a university strategy? Are your business applications understood well enough for IT to apply the appropriate facility reliability investments? Tuesday, May 18, 2010
  43. 43. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. Tuesday, May 18, 2010
  44. 44. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. What is Cloud Computing? • IT services delivered in an on-demand, subscription model relying on economies of scale from (massively) shared services • Cloud Computing is as much a business model as it is an IT architectural and support model • Promises to let you focus on your core business and forget about the underlying technology (i.e. surrender control) • Not new – combination of models taking advantage of technology trends • Often thought of today as a form of outsourcing – moving Email, ERP, student systems – “out to the cloud” Tuesday, May 18, 2010
  45. 45. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. Not all clouds are the same • Dominated by massive “Public Cloud” service providers like Google, Microsoft, & Amazon • Many small service providers use the Public Cloud model to deliver specialty applications and services • Large multi-site, multi-division enterprises are adopting the cloud model for internal use building “Private Clouds” • Don’t forget this is also a business model so these large enterprises typically chargeback for IT services • Hybrid Clouds integrate internal Private clouds with external Public cloud services for elastic supply management and Disaster Recovery Tuesday, May 18, 2010
  46. 46. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. Cloud Computing & Higher Education • Lots of interest, lots already in place today • OUHSC uses hosted LMS, hosted specialty applications for medical student management, IT service desk tools, IT security monitoring services • OU continues to evaluate student and alumni email services • Important considerations for linking cloud services back to campus for Identity Management, authentication, encryption • OU is offering departments a growing number of services using a private-cloud model Tuesday, May 18, 2010
  47. 47. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. Cloud Computing & Higher Education • Example: Dropbox Tuesday, May 18, 2010
  48. 48. CLOUD COMPUTING Your data and services are “out there” on the Internet and may not be under your control. Auditing Impact Can you find your data? Was your data destroyed properly? Who all has access? Is the cloud-based service available when you need it? Is the SLA your only auditable control? What recourse do you have? Mega providers are large, attractive targets for cyber-warfare Globalization concerns – world unrest Venture capital hotspot (think: dot-com) subsidizing costs for many Tuesday, May 18, 2010
  49. 49. 10 TRENDS • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  50. 50. THE “OTHER” CAMPUS NETWORK The mobile provider network provides us with high speed connectivity in the palms of our hands. Tuesday, May 18, 2010
  51. 51. THE OTHER CAMPUS NETWORK The mobile provider network provides us with high speed connectivity in the palms of our hands. High Speed Applications • Security controls focused on traditional networks that we own and operate • Mobile provider network is putting high speed connectivity in the palm of our hands • LTE (Verizon & AT&T) and WiMAX (Sprint) are the upcoming 4G networks • 1+ Mbps, one-way latency < 50 milliseconds Tuesday, May 18, 2010
  52. 52. THE OTHER CAMPUS NETWORK The mobile provider network provides us with high speed connectivity in the palms of our hands. • Growing reliance and expectation of mobile provider networks • Mobility as an enabler • Users are doing more with their smartphones • Security controls of mobile devices need heavier scrutiny • Often security policies are inconsistently enforced • Business data will end up on mobile devices • Security controls often will not carry over to mobile devices Tuesday, May 18, 2010
  53. 53. THE OTHER CAMPUS NETWORK The mobile provider network provides us with high speed connectivity in the palms of our hands. Network Perimeter Tuesday, May 18, 2010
  54. 54. THE OTHER CAMPUS NETWORK The mobile provider network provides us with high speed connectivity in the palms of our hands. Auditing Impact What kinds of controls are available for the other campus network? Are these controls verifiable? Have you verified that these controls work? What kind of networking will the university need to provide in the future? How do we control the access to the network in the classroom? What is the network strategy for existing in a hybrid environment? How do we balance investments across the two networks? Tuesday, May 18, 2010
  55. 55. 10 TRENDS • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  56. 56. CONSUMERIZATION Employees & students are technology consumers and they are blurring the lines between work and home. Tuesday, May 18, 2010
  57. 57. CONSUMERIZATION Employees & students are technology consumers and they are blurring the lines between work and home. "The consumerization of IT focuses on how enterprises will be affected by and can take advantage of new technologies and models that originate and develop in the consumer space, rather than in the enterprise IT sector." Gartner, 2009 Tuesday, May 18, 2010
  58. 58. CONSUMERIZATION Employees & students are technology consumers and they are blurring the lines between work and home. Speed Usability Connectivity Availability Storage Reliability Tuesday, May 18, 2010
  59. 59. CONSUMERIZATION Employees & students are technology consumers and they are blurring the lines between work and home. Influences • Samsung, the largest technology company in the world, sees half of its revenue being generated by consumer devices. • By 2013, mobile devices will outnumber PCs as the most common device for accessing the web. Gartner, 2009 • In 2009, for the first time, the amount of data in text, e-mail messages, streaming video, music and other services on mobile devices surpassed the amount of voice data. New York Times, May 13, 2010 Tuesday, May 18, 2010
  60. 60. CONSUMERIZATION Employees & students are technology consumers and they are blurring the lines between work and home. Auditing Impact Synchronizing rapidly changing consumer technology with organizational controls. Complicates long term planning for the organization. "Whack-a-mole" approach to managing new technology. Presumptions of privacy Tuesday, May 18, 2010
  61. 61. SOCIAL COMPUTING People are living and working in shared, online spaces with little concern for “institutional” needs. Tuesday, May 18, 2010
  62. 62. SOCIAL COMPUTING Much life is being lived in shared, online spaces with little concern for “institutional” needs. "Social computing is the way people use technology to interact and create communities..." Gartner 2008 Tuesday, May 18, 2010
  63. 63. SOCIAL COMPUTING Much life is being lived in shared, online spaces with little concern for “institutional” needs. Why Social Computing? • Low Barrier To Usage • Staying Up With Current Activities • Self-organization • Unexpected Connections How are They Used? • In The Classroom: Ustream/YouTube For Lecture Capture • Alerting • I Hate Ozone • Microblogging/Activity Stream Tuesday, May 18, 2010
  64. 64. SOCIAL COMPUTING Much life is being lived in shared, online spaces with little concern for “institutional” needs. Tuesday, May 18, 2010
  65. 65. SOCIAL COMPUTING Much life is being lived in shared, online spaces with little concern for “institutional” needs. Auditing Impact Flow of information into and out of the institution. Communities of interest will extend beyond organizational boundaries Life-Work: Balance vs. Conflict Tuesday, May 18, 2010
  66. 66. 10 TRENDS • Computing Power • Cloud Computing • Virtualization • The Other Campus Network • Green IT • Consumerization • Storage Growth • Social Computing • Data Centers • Emerging Threats Tuesday, May 18, 2010
  67. 67. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Tuesday, May 18, 2010
  68. 68. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. In the Year 2000 ILOVEYOU virus VBScript worm Used Outlook email to mass mail itself to all of your contacts Executes a password-stealing trojan Infected 10,000,000+ systems Estimated 5.5 billion in damages Tuesday, May 18, 2010
  69. 69. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. How malware has changed Motivation: from credibility to profit Internet Safety: nothing is safe Blending into the crowd: using standard ports (http/https) Control Structure: IP whack-a-mole Sophistication: packed, obfuscated, self-protecting, stealth, encryption Tuesday, May 18, 2010
  70. 70. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Next level malware: Torpig • Targets financial data via phishing (300 banks preconfigured) • Waits for user to visit site • Inserts fake forms onto page [Diagram: Infected Web Server, Drive-by Download Server, Mebroot C&C Server, Torpig C&C Server, Victim User, with numbered steps] Tuesday, May 18, 2010
  71. 71. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Next level malware: Torpig • Targets financial data via phishing (300 banks preconfigured) • Waits for user to visit site • Inserts fake forms onto page [Diagram: Infected Web Server, Drive-by Download Server, Mebroot C&C Server, Torpig C&C Server, Victim User, with further numbered steps] Tuesday, May 18, 2010
  72. 72. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Next level malware: Torpig • Targets financial data via phishing (300 banks preconfigured) • Waits for user to visit site • Inserts fake forms onto page [Diagram: Infected Web Server, Drive-by Download Server, Mebroot C&C Server, Torpig C&C Server, Victim User, with all numbered steps] Tuesday, May 18, 2010
  73. 73. Torpig Form On Real Site Tuesday, May 18, 2010
  74. 74. Anti-virus Approval Tuesday, May 18, 2010
  75. 75. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Next level malware: Torpig • Incredibly sophisticated design • Persists across reboots • Shifts cmd+control server domain based on Twitter trends • Copies all user documents to HelpAssistant user • Very difficult to find [Diagram: Infected Web Server, Drive-by Download Server, Mebroot C&C Server, Torpig C&C Server, Victim User] Tuesday, May 18, 2010
  76. 76. EMERGING THREATS The nature and capability of threats have reached a new level of sophistication and impact. Auditing Impact Compromise will happen, are we prepared to respond? Are you sure you know where the sensitive data resides? What are the appropriate layers of defenses for these threats? Can we really give users rights to install software yet maintain control of a system? Tuesday, May 18, 2010
  77. 77. Auditing Impact & Discussion • Are you sure you know where the sensitive data resides? • Can we really give users rights to install software yet maintain control of a system? • What kinds of verifiable “controls” are available for the other campus network? • What is the network strategy for existing in a hybrid environment? • What are we going to do with all this power? • What if this power falls into the wrong hands? • Where is my server? • Where is my data? • How can we leverage this technology to protect the university’s data? • Where does University data reside? “Show me the data.” • How do we classify all of this data? • We have new tools that search for SSNs, account numbers, credit cards: What is it OK to do? • Are university policies and procedures relevant to the digital age? • With growing use of encryption, how do we recover important data? • How do we pay/chargeback departments, researchers, users for “managed” storage? • How do we “push forward” 1,000s of Terabytes of data across ever-changing technologies? • How do we verify data integrity over time? • Do the capabilities of the organization match the magnitude of the problem? • Facilities are the basic building blocks for availability and security of IT assets and services – what is your institutional strategy for data centers? • Do your campuses work closely together enough to collaborate on a university strategy? • Are your business applications understood well enough for IT to apply the appropriate facility reliability investments? • Can you find your data? • Was your data destroyed properly? Tuesday, May 18, 2010
  78. 78. Auditing Impact & Discussion • Who all has access? • Is the cloud-based service available when you need it? • Is the SLA your only auditable control? • What recourse do you have? • Mega providers are large, attractive targets for cyber-warfare • Globalization concerns – world unrest • Venture capital hotspot (think: dot-com) subsidizing costs for many • What kinds of controls are available for the other campus network? • Are these controls verifiable? Have you verified that these controls work? • How do we balance investments across the two networks? • What kind of networking will the university need to provide in the future? • How do we “control” the access to the network in the classroom? • What is the network strategy for existing in a hybrid environment? • Synchronizing rapidly changing consumer technology with organizational controls. • Complicates long term planning for the organization. • "Whack-a-mole" approach to managing new technology. • Presumptions of privacy • Flow of information into and out of the institution. • Communities of interest will extend beyond organizational boundaries • Life-Work: Balance vs. Conflict • Compromise will happen, are we prepared to respond? • Are you sure you know where the sensitive data resides? • What are the appropriate layers of defenses for these threats? • Can we really give users rights to install software yet Tuesday, May 18, 2010
  79. 79. 10 TRENDS & LOTS OF QUESTIONS Going forward, these trends will require close collaboration to protect your university. Users Audit IT Admin Compliance Security Legal & Finance Tuesday, May 18, 2010
  80. 80. 10 TRENDS & LOTS OF QUESTIONS Going forward, these trends will require close collaboration to protect your university. THANK YOU! Get the slides at http://bit.ly/b12iac david-horton@ouhsc.edu mark-ferguson@ouhsc.edu ggwilson@ou.edu kendallg@ou.edu chris-jones@ouhsc.edu Tuesday, May 18, 2010
