Controlling Clouds: Beyond Safety
As an industry, we’ve mostly moved on from naive notions about cloud computing being inherently “safe” or “risky.” However, more sophisticated discussions require both greater nuance and greater rigor. This presentation takes attendees through frameworks for evaluating and mitigating potential issues in hybrid cloud environments, discusses key risk factors to consider, and describes some of the relevant standards and provider certifications. This is a broad and sometimes complex topic. However, it’s very manageable if individual risk factors are considered systematically and specifically. This session will give IT professionals tools and knowledge to help them make informed decisions.


Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Controlling Clouds: Beyond Safety Presentation Transcript

  • 1. CONTROLLING CLOUDS: BEYOND SAFETY
    Gordon Haff (@ghaff), Cloud Evangelist, November 2013
  • 2. ABOUT ME
    Red Hat Cloud Evangelist. Twitter: @ghaff. Google+: Gordon Haff. Email: ghaff@redhat.com. Blog: http://bitmason.blogspot.com. Flickr: http://www.flickr.com/photos/bitmason/
    Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer
  • 3. IS IT SAFE?
  • 4. SAFETY =~ INTEGRITY, PRIVACY, CONTINUITY, SECURITY
    Credit: Jackman Chiu, cc/flickr http://www.flickr.com/photos/lewolf011/7283101824
  • 5. BUT IN THE WORDS OF INIGO MONTOYA
  • 6. THE REALITY (IN TWITTER SHORTHAND)
  • 7. WHAT I'LL COVER
    What's new; what isn't new; certifications; the broader view (examples from the Cloud Security Alliance)
  • 8. WHAT'S NEW-ISH
    Shared responsibility model; new (higher) levels of abstraction; "rules of the road" still developing
  • 9. SHARED RESPONSIBILITY: CLOUD PROVIDER VIEW
    Source: Cloud Security Alliance
  • 10. ABSTRACTIONS HIDE (BY DESIGN)
    The stack, bottom to top: Hardware (x86), Storage (RHS), Virtualization (RHEV), Operating System (RHEL), Application Platform (JBoss, PHP, Ruby, etc.), Application.
    Moving from IaaS to PaaS to SaaS, progressively more of this stack shifts from "managed and controlled by the customer (IT, dev, or user)" to "automated and managed by the public or private cloud offering": increased automation in exchange for decreased direct control.
  • 11. PERVASIVE SELF-SERVICE, CONSUMERIZED EXPECTATIONS, SCALE
    Credit: Julie Blaustein, cc/flickr http://www.flickr.com/photos/25138992@N00/4960914218
  • 12. BROADLY: CLOUD IS A SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE
  • 13. BUT MUCH DOESN'T CHANGE
    "If your security practices suck in the physical realm, you'll be delighted by the surprising lack of change when you move to cloud." Chris Hoff
    Credit: Michael Rosenstein, cc/flickr http://www.flickr.com/photos/michaelcr/1508784073/
  • 14. ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD
    ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery. ITIL practices can help design cloud computing as appropriate end-to-end services.
  • 15. COST/BENEFIT STILL APPLIES
    RISK = LIKELIHOOD * IMPACT (Source: ENISA)
  • 16. EXAMPLE: COMPLIANCE CHALLENGES
  • 17. THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
    SAS 70: specifically created for financial auditors of service organizations
    ISO/IEC 27001: information security management system standard published in 2005
    PCI DSS: for organizations processing credit card transactions
    FedRAMP: security controls framework for US Federal agencies
    HIPAA: US healthcare
  • 18. SOC 2 AND 3
    A report can be issued on one or more Trust Services Principles: security, availability, processing integrity, confidentiality, privacy (see www.webtrust.org).
    Type 1: suitability of design. Type 2: suitability of design and effectiveness.
    SOC 3 is a condensed public version of SOC 2. Mostly in the US today.
  • 19. CSA CLOUD CONTROLS MATRIX
    98 "control areas" in 11 categories. Example: Security Architecture - Production / Non-Production Environments.
    Each is mapped to areas of relevance (examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships) and to relevant regulations and certifications (examples: NIST, PCI DSS).
  • 20. 11 DOMAINS
    Compliance (CO), Data Governance (DG), Facility Security (FS), Human Resources (HR), Information Security (IS), Legal (LG), Operations Management (OM), Risk Management (RI), Release Management (RM), Resiliency (RS), Security Architecture (SA). Some examples follow.
  • 21. COMPLIANCE
    Audit controls: limitations of third-party auditability can be a concern for public cloud users.
    Regulatory mapping: can be especially important to understand where data resides.
    Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/
  • 22. DATA GOVERNANCE
    Controls to prevent data leaks in a multi-tenant environment. Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures. Support for Virtual Private Clouds (VPC) on Amazon Web Services.
  • 23. INFORMATION SECURITY
    Identity and access control: store and manage timely identity information about every person who accesses the cloud resources and determine their level of access. Still evolving for cloud use cases, but critical to get it right.
  • 24. SECURITY ARCHITECTURE
    Multi-factor authentication (card keys + PIN). Establishment and implementation of encryption policies. Key management. User policies for mobile devices.
  • 25. SECURITY ARCHITECTURE
    Segmentation and restricted connections in network environments: "Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations." One of the reasons VPCs are interesting to many organizations.
  • 26. BUT IT'S NOT ABOUT BEING AN INHIBITOR
    Remember the cost/benefit tradeoff. Your organization is (almost certainly) using public clouds. A private cloud that doesn't provide cloud agility isn't a cloud. Automation, streamlined process, and clearly-defined policy help users and reduce risk.
  • 27. SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
    Deloitte Cloud Computing Risk Intelligence Map: http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
    ENISA Cloud Computing Security Risk Assessment: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
    Cloud Security Alliance STAR and Cloud Controls Matrix: http://www.cloudsecurityalliance.org
    CSIS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/guidelines.php
  • 28. FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
    "The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how." Joshua Corman
  • 29. QUESTIONS? THANK YOU.
    Gordon Haff, ghaff@redhat.com. Twitter: @ghaff. Google+: Gordon Haff. Blog: bitmason.blogspot.com