Your Data Center Boundaries Don’t Exist Anymore!
In the pre-cloud era, data centers were simpler to define and restrict. As organizations move to public, private, and hybrid clouds, they have to account for internal, industrial, and government compliance initiatives and oversight that impact data center architecture and information flow. This session describes data center challenges in the Cloud Era and articulates real-life best practices to address those challenges.


Presentation Transcript

  • Your Data Center Boundaries Don’t Exist Anymore!
    Joram Borenstein (CISSP, CISA)
    Director, Compliance & Risk Management
    RSA, The Security Division of EMC
    © Copyright 2012 EMC Corporation. All rights reserved.
  • Agenda Boundaries don’t exist … let me prove it to you! A Cautionary Tale: What This Presentation is NOT About Proof-Points (aka “Critical Issues in Oversight & Compliance”) OK, So What’s Going On Here? Real-Life Best Practices to Mitigate These Challenges Conclusion: Open Questions© Copyright 2012 EMC Corporation. All rights reserved. 2
  • Boundaries
  • Boundaries: In Our Personal Lives
  • Boundaries: In Our Devices
  • Boundaries: Employees’ Access to Cloud
    – Amazon
    – Mozy
    – VMWare
    – DropBox
    – Google
    – Facebook
    – salesforce.com
    – EverNote
    – … and others
  • What This Presentation Is NOT About
  • What This Presentation is NOT About Using Virtualization for new-fangled Data Center tricks New Product Announcements How to re-architect your Data Center It is about – Compliance – Auditing – Adjustments in organizational culture© Copyright 2012 EMC Corporation. All rights reserved. 8
  • Data Center Compliance Challenges
    – Visibility: Lack of visibility into servers, storage or network infrastructure
    – Automation: Difficult to validate technical control measurement
    – Audit: No centralized record keeping as audit trail
    – Virtualization: New abstraction layers complicate compliance validation
  • Proof-Points
  • Proof: Press & Analyst Community #s
    – “Morgan Stanley estimates the percentage of IT departments using the public cloud to rise from 28% in 2011 to 51% by 2014.” (April 2012, source: http://www.marketwatch.com/story/mozy-expanding-cloud-footprint-within-enterprise-2012-04-10)
    – “More Than One-Third of IT Budgets Now Spent on Cloud” (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/, based on IDG Enterprise Cloud Computing Study (Jan 2012))
    – “55% ... are using cloud in some capacity today” (Feb 2012, source: http://www.thedatachain.com/news/2012/2/mid_size_businesses_lead_the_way_in_cloud_adoption)
  • Proof: Start-Up Funding
    – No boundaries lead to … lots of concern (risk scenarios)
    – Thesis: basic security building blocks for clouds
    – Sample Companies:
      – CloudSwitch (now VRZN/TRMK)
      – PerspecSys
      – Co3Sys
      – Gazzang
      – salesforce.com (acquiring Navajo Systems)
      – High Cloud Security
      – enStratus
      – Vaultive
      – Many others …
    – Some of these are simple email encryption gateway vendors
    – Some assist with migration from legacy OP to cloud
  • Proof: An Increasing # of Certifications…
    – AICPA (American Institute of Certified Public Accountants)
    – AT 101 = Attest Engagements
    – 3 new reporting designations (“Service Organization Control (SOC) reports”): SOC 1, SOC 2, SOC 3
    – FYI … SAS-70 = SOC 1 = ISAE-3402
  • Certifications: General Questions
    – What does my business do?
    – Who are my customers?
    – What are they buying from me?
    – What sort of customer information do/will I have?
    – What guarantees/confidence do my customers need from my company?
    – What certifications do my competitors have?
    – What IT certifications do my financial auditors recommend I get?
    – Do I have an IT auditor? Should I?
    – I thought this was only for PII and PHI data such as PCI and HIPAA?
    – OK, so I chose a SOC 1 … now do I need a Type 1 or a Type 2?
    [Slide graphic: decision flow between SOC 1, SOC 2 and SOC 3, and between Type 1 and Type 2]
  • Certifications: Data Center–Specific Questions
    – Am I prepared as an organization to go through an IT audit?
      – Do I have a consistent set of controls in place?
    – Can I get my DC provider to answer IT audit questions?
      – What does my contract allow?
    – Does my DC provider have its own certifications?
      – Which one(s)?
      – Do they suffice?
    – What is my DC architecture?
      – Is it still applicable?
      – Is the IT Auditor going to understand it? Agree with it? Allow it?
  • OK, So What’s Going On Here?
  • Do Your Own People Understand These Issues?
    – “In-The-Trenches” personnel
      – Can they articulate the changes?
    – Your Sales Force
      – Are they aware of how to talk with customers?
      – Of how contracts might need to change?
    – Your Legal Department
      – Are they aware of new privacy legislation?
      – Are they aware of new compliance needs?
    – Senior Management
      – Do they understand the risks?
      – Can they articulate a vision to customers, partners, and employees?
    – Your HR Team
      – “7/10 think their IT departments need to expand their skills to keep up with cloud trends.” (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/, based on IDG Enterprise Cloud Computing Study (Jan 2012))
  • What Are the Compliance Implications?
    – Industrial
      – Consortia
      – Standards groups
    – Governmental
      – Within your own country
      – In other countries you do business in
    – Internal
      – Audit
      – Compliance
  • What Are the Regulatory Issues?
    – Forbidding certain countries
    – Scoping audits
    – Virtualization
      – … makes this more complicated for most people
    – “Elastic” environments
    – Shared equipment
  • What Are the Governance Issues?
    – Are we prepared?
    – Do we understand the implications?
    – Do our existing models still work?
    – Include our service providers within our governance model?
  • Real-Life Best Practices to Mitigate These Challenges
  • Real-Life Best Practices to Mitigate These Challenges
    1. Educate EVERYONE
    2. Re-assess contractual agreements with Service Providers
    3. Keep Track of Certifications
    4. Keep Track of New Legislation
    5. Pick a set of controls which are adaptive
  • #1: Educate Everyone
    – Yes … this takes time
    – Yes … people won’t understand you at first
    – Especially the executives!!
      – Helps $
      – Helps when escalations occur
      – Just plain helps to provide transparency
    – The Legal Team is your friend
    – Why Is This Important?
      – You will need these people!
      – Decisions across functions will be impacted by these realities
      – These teams will eventually have to adjust
  • #2: Re-Assess Contracts
    – With Whom?
      – Data Center providers
      – Service providers
      – Customers
    – Why?
      – You have new risks to consider!
      – Contractual language may no longer be applicable
      – SLAs take on new meaning in new contexts
      – You (might) need new protections
  • #3: Keep Track of New Certifications
    – What do your customers want?
    – What does your Internal Audit Team demand?
    – What do your IT Auditors recommend?
    – What do your financial auditors recommend?
    – What are you committed to contractually?
  • #4: Keep Track of New Legislation
    – Cloud-related legislation is appearing in many places
    – Here’s one recent example: European Commission (Jan 2012), revising the EU’s 1995 Data Protection Directive
      – “... the transfer of data to third countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.” (source: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)
  • #5: Pick a Control Set(s)
    – Which adapts as your needs change
    – Which has industry support
    – Which makes sense for your organization
    – Which your customers will respect & support
    – Keep track of new sets coming out
      – e.g. HITRUST in the US is not only for healthcare
    – Re-visit alternative control set(s) regularly
    – Consider layering them on top of one another
  • Conclusion: Open Questions
  • Conclusion: There are emerging best practices that will help in managing the “data center without boundaries” – An effective strategy based on governance, controls and visibility is essential. There are still lots of open questions – What impact will regulatory changes have? – How do you articulate your vision of the data center without boundaries? Get involved – Participate in working groups from consortia and others – Attend events such as these to hear about new revelations and innovations – Comment on privacy legislation© Copyright 2012 EMC Corporation. All rights reserved. 29
  • Provide Feedback & Win!
    – 125 attendees will receive $100 iTunes gift cards. To enter the raffle, simply complete:
      – 5 session surveys
      – The conference survey
    – Download the EMC World Conference App to learn more: emcworld.com/app