Migrating To Cloud & Security @ FOBE 2011

Copy of the presentation made at the International Conference on Facets of Business Excellence: Leveraging Information Technology for Strategic Advantage.

  • Cloud computing ('cloud') is an evolving term that describes the development of many existing technologies and approaches to computing into something different. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them.
  • Essential Characteristics of Cloud Computing. Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches:
    • On-demand self-service. A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider.
    • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud-based software services.
    • Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.
    • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
    • Measured service. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.
    It is important to recognize that cloud services are often, but not always, utilized in conjunction with, and enabled by, virtualization technologies. There is no requirement, however, that ties the abstraction of resources to virtualization technologies, and in many offerings virtualization by hypervisor or operating system container is not utilized. Further, multi-tenancy is not called out as an essential cloud characteristic by NIST but is often discussed as such; it is treated separately, after the cloud deployment model description.
  • Westpac has a long and proud history as Australia's first and oldest bank. It was established in 1817 as the Bank of New South Wales.

Transcript

  • 1. Disclaimer: The scope of this paper is limited to the challenges that management faces in migrating Information Technology resources to the cloud computing environment. Technical issues have intentionally been avoided; only emerging corporate governance issues are highlighted, especially those which are less discussed but likely to have a major impact on decision making by non-technocrat management.
  • 2. Cloud Computing Market Size Estimates: US Federal Government - $26.1 Billion (CAGR 40%) by 2015. Worldwide - $148.8 billion by 2012. China has recently announced the launch of the project "Sea of Cloud"; Chinese cloud computing market - 1 trillion Yuan ($154 Billion) in the next few years.
  • 3. Cloud Computing: Migration to cloud will not be an option but a necessity; Emerging challenges for managers; International efforts; Planning migration to cloud; Evolving assurance framework.
  • 4. Ubiquitous Connectivity; Virtualization; Broadband Networking; Web 2.0; Multi Tenancy; Outsourcing; Utility Computing; Service Oriented Architecture; Clustering.
  • 5. (NIST definition) "A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
  • 6. Massive Scale; Resilient Computing; Geographic Distribution; Homogeneity; Virtualization; Service Orientation; Low Cost Software; Advanced Security.
  • 7. Cloud Efficiencies and improvements
    • Cost Efficiencies: Standardized updated base image; Dynamic use of capacity; Reduced overhead; Cancelled or failed mission
    • Time Efficiencies: Procurement to production; Short duration project
    • Power Efficiencies: Near to generation; Utilization; Reduced power consumption
    • Unlimited capacity: Burst capacity; Any place connectivity
    • Improved Security: Top quality security products; Top quality security professionals; Centralized authentication system; Top quality security processes
    • Improved process control: Centrally auditable log server; Improved forensics
  • 8. CAPEX to OPEX. Capital Expenditure on IT: Sunk cost; Depreciation cost; Data Centre running and maintenance costs; IT professionals' costs; Obsolescence cost. Operating Expenditure: Actual usage cost.
  • 9. Source: Federal Cloud Computing Strategy, by Vivek Kundra, US Chief Information Officer
  • 10. DSCI – WIPRO SURVEY
  • 11. Challenge: Unlike money, when data gets stolen the owner may not even know, because data can simply be copied and taken away while the original data stays unperturbed. Solution: Strong identity management; rigid access control mechanisms; log management.
  • 12. Challenge: The organisation's own IT department may feel threatened and thus take actions causing aversion to migration to cloud; decommissioning / mothballing released IT assets and retrenchment of IT staff. Solution: A third party should undertake the migration analysis; strong and firm management; cost reduction mechanisms must be identified at the initial stage itself.
  • 13. Challenge: The global nature of the Internet can make life easy for fly-by-night operators; a CSP may have entered the business to capture the opportunity but lack seriousness. Solution: Due diligence in selection of the CSP; industry confederations have a role to play; an international ombudsman is required.
  • 14. Challenge: Organisational data may be kept in several countries, causing jurisdictional and law enforcement challenges. Solution: International cooperation; bilateral/multilateral treaties; coordination amongst LEAs across the globe.
  • 15. Challenge: Law enforcement orders against one co-tenant can cause seizure of other co-tenants' data also. Law enforcement will face serious challenges: too strict a regime can hurt the industry and CSPs may simply move out of the country, affecting revenue and security, while too comfortable a zone may provide a free playground to cyber criminals. Solution: Policies, procedures and rules by government; training and capacity building of police forces, cyber forensic specialists and the legal fraternity.
  • 16. Challenge: Co-tenancy poses new challenges such as data overflow, side-channel attacks, remnant data recovery, and other technical and social engineering attacks. Solution: Continuous R&D; log analysis by the CSP as well as the user (possibly by a third party); assurance framework and audit.
  • 17. Challenge: CSPs are far more powerful than cloud users, which may cause a skew in the drafting and implementation of contracts. Solution: Policy, procedures and rules to protect the comparatively weak users (SMEs); formation of a cloud users' confederation / group; national and international ombudsman.
  • 18. Challenge: A competent and expert auditor is needed; the auditor must understand cloud technology and the complex governance and legal issues affecting migration to cloud. Solution: Second party audit / expert representing the cloud user; this should be included in the SLA.
  • 19. Methodology for Establishing and Enforcing SLA
  • 20. (Information Technology Act 2000, India) Section 1. Short title, extent, commencement and application. Sub-section (2): It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention thereunder committed outside India by any person.
  • 21. Section 75. Act to apply for offence or contravention committed outside India. (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality. (2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
  • 22. Indo-US Cyber Security Forum
  • 23. Published Standards
    • ISO/IEC 27000 - Information security management systems - Overview and vocabulary
    • ISO/IEC 27001 - Information security management systems - Requirements
    • ISO/IEC 27002 - Code of practice for information security management
    • ISO/IEC 27003 - Information security management system implementation guidance
    • ISO/IEC 27004 - Information security management - Measurement
    • ISO/IEC 27005 - Information security risk management
    • ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems
    • ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
    • ISO/IEC 27031 - Guidelines for information and communications technology readiness for business continuity
    • ISO/IEC 27033-1 - Network security overview and concepts
    • ISO/IEC 27035 - Security incident management
    • ISO 27799 - Information security management in health using ISO/IEC 27002
  • 24. Council of Europe Convention on Cybercrime (Budapest Convention): the first serious attempt to harmonise international laws on cyberspace. Opened for signature - 23 Nov 2001. Entry into force - 1 Jul 2004. Ratified/Accession - 32 countries. Signed but not yet ratified - 15 countries. Major missing - Russia. Even the USA has recorded reservations.
  • 25. ISO/IEC 27037 (DRAFT - new title): IT Security - Security techniques - Guidelines for identification, collection, acquisition, and preservation of digital evidence. Provides detailed guidance that describes the process for recognition and identification, collection and/or acquisition and preservation of digital data which may contain information of potential evidential value. This document includes physical and documentary activities deemed necessary in supporting inter-jurisdictional recognition of collected and/or acquired potential digital evidence.
  • 26. ENISA: Helping the European Commission, the Member States and the business community to address, respond to and especially to prevent Network and Information Security problems. ENISA is a body of expertise, set up by the EU to carry out very specific technical and scientific tasks in the field of Information Security, working as a "European Community Agency". On 20 Nov 2009 it published the Cloud Computing Risk Assessment.
  • 27. CSA is a not-for-profit organization led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. Mission statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. Issued Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 in Dec 2009.
  • 28. Triangle to Square
  • 29. Contact Details
    Web: www.xcyss.in
    E-mail: cmd@xcyss.com
    Tele: +91-11-25128910
    Mobile: +91-9953286928
    Blogs: http://cyber-crime-in-india.blogspot.com/ ; http://security-of-cyberspace.blogspot.com/
  • 30. Reference List
    Alcatel-Lucent 2010, Presentation at SecureCloud 2010, Barcelona, viewed 18 October 2010, <https://cloudsecurityalliance.org/sc2010.html>
    Cloud Security Alliance 2009, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, viewed 18 October 2010, <https://cloudsecurityalliance.org/csaguide.pdf>
    Commander Mukesh Saini (Retd.) 2011, Next Challenge for Governance - the Cloud Computing, Thinking Aloud, pp. 28-30, June 2011
    Courtney, Martin 2011, Interview: Brian Gammage, Gartner, viewed 18 October 2010, <http://www.computing.co.uk/ctg/interview/1930935/interview-brian-gammage-gartner>
    Data Security Council of India 2010, Data Protection Challenges in Cloud Computing - an Indian Perspective, viewed 18 October 2010, <http://www.dsci.in/sites/default/files/Data%20Protection%20Challenges%20in%20Cloud%20Computing.pdf>
    European Network and Information Security Agency 2009, Cloud Computing Risk Assessment, viewed 18 October 2010, <http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment>
    Grance, Tim 2010, Cloud Computing Paradigm, presentation at NIST on 16 March 2010
    ISO 27001 Security 2011, ISO/IEC 27037, viewed 18 October 2010, <http://www.iso27001security.com/html/27037.html>
    Williams, James F. 2011, NASA's Nebula Cloud Computing Initiative, viewed 18 October 2010, <http://fms.treas.gov/sfc/NASA%20Cloud%20Computing%20Agency%20Case%20Study%20Presentation.pdf>
    Vance, Jeff 2010, Datamation: 5 Cloud Computing Predictions for 2011, viewed 18 October 2010, <www.itmanagement.earthweb.com/feature/5-Cloud-Computing-Predictions-for-2011-3919196.htm>
    Market Research Media 2009, U.S. Federal Cloud Computing Market Forecast 2010-2015, viewed 18 October 2010, <www.marketresearchmedia.com/2009/05/20/us-fedral-cloud-computing-market-forecast-2010-2015/>
    National Institute of Standards and Technology 2011, The NIST Definition of Cloud Computing (Draft), SP 800-145, viewed 18 October 2010, <http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf>
    Shanghai Security News 2011, Xinhuanet: The virtualization of a nation, cloud computing in China takes hold, viewed 18 October 2010, <www.news.xinhuanet.com/english2010/china/2011-06/29/c_13956822.htm>
    Khera, Vishal 2010, Planning for Cloud Implementation, presentation at SecureCloud 2010, Barcelona, viewed 18 October 2010, <https://cloudsecurityalliance.org/sc2010.html>
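Slides 11 and 16 of the transcript both name log management / log analysis as the control for the problem that a copy leaves the original data unperturbed, so the owner has nothing else to notice. The following Python is an added example, not part of the presentation and not any CSP's tooling, showing the shape such analysis takes: it groups object-read events per principal and flags any principal whose reads inside a sliding time window exceed a distinct-object count or a byte budget. The log format, the sample lines, the principal names and the thresholds are all constructed for illustration.

```python
"""Added example (not from the presentation): spotting silent bulk copying
from object-access logs.

A read leaves the original data in place, so the access log is the only
evidence that a data set was copied. GET events are grouped per principal
and anyone whose reads within a sliding window exceed a distinct-object
count or a byte budget is flagged.

The log format is constructed for this example (not a real CSP format):
    <ISO-8601 timestamp> <principal> <operation> <object-key> <bytes>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "svc-backup" pulls every object within seconds,
# while the human users each read a single object.
SAMPLE_LOG = """\
2011-10-18T09:00:01Z alice GET customers/2011-q1.csv 52000
2011-10-18T09:02:11Z alice PUT customers/2011-q2.csv 48000
2011-10-18T09:05:40Z bob GET reports/summary.pdf 120000
2011-10-18T09:06:02Z svc-backup GET customers/2011-q1.csv 52000
2011-10-18T09:06:03Z svc-backup GET customers/2011-q2.csv 48000
2011-10-18T09:06:04Z svc-backup GET reports/summary.pdf 120000
2011-10-18T09:06:05Z svc-backup GET hr/payroll.xlsx 900000
2011-10-18T09:06:06Z svc-backup GET hr/contracts.zip 2500000
2011-10-18T10:30:00Z carol GET reports/summary.pdf 120000
"""


def parse_line(line):
    """Parse one constructed log line into a dict; raises on malformed input."""
    ts, principal, op, key, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "op": op,
        "key": key,
        "bytes": int(nbytes),
    }


def flag_bulk_readers(log_text, window=timedelta(minutes=10),
                      max_objects=3, max_bytes=1_000_000):
    """Return {principal: {"objects", "bytes", "at"}} for each principal whose
    GET activity inside any `window` exceeds either threshold.

    Thresholds here are illustrative; in practice derive them from each
    principal's own baseline rather than a single global number.
    """
    reads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["op"] == "GET":            # only reads move data out
            reads[ev["principal"]].append(ev)

    flagged = {}
    for principal, events in reads.items():
        events.sort(key=lambda e: e["ts"])
        keys_in_window = Counter()       # distinct object keys in the window
        bytes_in_window = 0
        start = 0
        for end, ev in enumerate(events):
            keys_in_window[ev["key"]] += 1
            bytes_in_window += ev["bytes"]
            # advance the window's left edge past events that fell out of it
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                keys_in_window[old["key"]] -= 1
                if keys_in_window[old["key"]] == 0:
                    del keys_in_window[old["key"]]
                bytes_in_window -= old["bytes"]
                start += 1
            if len(keys_in_window) > max_objects or bytes_in_window > max_bytes:
                flagged[principal] = {
                    "objects": len(keys_in_window),
                    "bytes": bytes_in_window,
                    "at": ev["ts"],
                }
                break                    # first crossing is enough to alert
    return flagged


if __name__ == "__main__":
    for who, info in flag_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT {who}: {info['objects']} objects, "
              f"{info['bytes']} bytes by {info['at'].isoformat()}")
```

Run as-is it reports only `svc-backup`, which crosses both thresholds on its fourth read; the writes and the single reads by the other principals stay below the line. The same scan works for the slide-16 case where the user (or a third party acting for them) analyses the CSP's logs, provided the CSP actually exposes per-principal read events with object identity and size.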