Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM

I want to thank everyone who attended this presentation at AFCOM Data Center World Fall 2011 in Orlando, FL.

Studies show the number of data centers deploying virtual cloud computing will rapidly increase in the next five years. Other studies show that the number of Internet attacks and their level of sophistication will also grow significantly. This session identifies approaches to reduce the risk of business disruptions resulting from inadequate virtual security controls in a data center. It will cover utilizing best practices for security configurations, measuring information security status, and making rational decisions about security investments.

Connect with me if you have any questions or need additional information.

Please favorite this if you like it. I look forward to seeing you again soon.

Regards,
Hector Del Castillo
http://linkd.in/hdelcastillo

Presentation Transcript

  • Hector Del Castillo, AIPMM, linkd.in/hdelcastillo
  • What We Will Discuss
    1. What is cloud security
    2. Current situation
    3. Dimensions of cloud security
    4. Security risks
    5. Critical areas
    6. Approaches to reduce risk
    7. Key takeaways
  • What is Cloud Security?
    • An evolving sub-domain of computer security
    • A broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing
    • Should not be confused with ‘cloud-based’ security software offerings
    • Many commercial software vendors have cloud-based offerings such as anti-virus or vulnerability management
  • Current Situation
    • Analysts estimate that cloud computing adoption will continue to rapidly increase
    • A single, massive cloud data center contains more computers than were on the entire internet just a few years ago
    • Security experts agree that the number of attacks and their level of sophistication will continue to grow
  • Source: NIST Special Publication 800-144, Jan 2011
  • Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
    Deployment Models:
    • Private: X X
    • Hybrid: X X X
    • Public: X X X
    • Community: X X X
    Source: NIST Special Publication 800-144, Jan 2011
  • Cloud Solutions
  • “Cloud Services market to grow to $42B by 2012.” - IDC
    Source: ZDNet Blogs
  • Cloud Security Reference Model Source: Cloud Security Alliance
  • Dimensions of Cloud Security
    • Security and Privacy
      – Data protection
      – Identity management
      – Physical and personnel security
      – Availability
      – Application security
      – Privacy
    Source: “Cloud Security Front and Center,” Forrester Research, 2009.
  • Dimensions of Cloud Security
    • Compliance
      – Business continuity and data recovery
      – Logs and audit trails
      – Unique compliance requirements
    Source: “Cloud Security Front and Center,” Forrester Research, 2009.
  • Dimensions of Cloud Security
    • Legal or Contractual Issues
      – Public records
    Source: “Cloud Security Front and Center,” Forrester Research, 2009.
  • Security Risks
    1. Privileged user access
    2. Regulatory compliance
    3. Data location
    4. Data segregation
    5. Recovery
    6. Investigative support
    7. Long-term viability
    Source: “Assessing the Security Risks of Cloud Computing,” Gartner, 2008.
  • Critical Areas
    • Cloud Architecture
      – Cloud Computing Architectural Framework
    Source: “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.
  • Critical Areas
    • Governing in the Cloud
      – Governance and Enterprise Risk Management
      – Legal and Electronic Discovery
      – Compliance and Audit
      – Information Lifecycle Management
      – Portability and Interoperability
    Source: “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.
  • Critical Areas
    • Operating in the Cloud
      – Traditional Security, Business Continuity, and Disaster Recovery
      – Data Center Operations
      – Incident Response, Notification, and Remediation
      – Application Security
      – Encryption and Key Management
      – Identity and Access Management
      – Virtualization
    Source: “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” CSA, 2009.
  • Recommendations Trust (4) Transnational Data Flows (4) Transparency (2) Transformation (4) Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce RiskTrust1. (Security & Assurance Frameworks): Industry and government should support and participate in the development and implementation of international, standardized frameworks for securing, assessing, certifying and accrediting cloud solutions. Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce RiskTrust2. (Identity Management): Should accelerate the development of a private sector-led identity management ecosystem as envisioned by the National Strategy for Trusted Identities in Cyberspace (NSTIC) to facilitate the adoption of strong authentication technologies and enable users to gain secure access to cloud services and websites. Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce RiskTrust3. (Responses to Data Breaches): Government should enact a national data breach law to clarify breach notification responsibilities and commitments of companies to their customers, and also update and strengthen criminal laws against those who attack computer systems and networks, including cloud computing services. Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce RiskTrust4. (Research): Government, industry, and academia should develop and execute a joint cloud computing research agenda. Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transnational Data Flows
    5. (Privacy): The U.S. government and industry should promote a comprehensive, technology-neutral privacy framework, consistent with commonly accepted privacy and data protection principles-based frameworks such as the OECD principles and/or APEC privacy frameworks.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transnational Data Flows
    6. (Government/Law Enforcement Access to Data): The U.S. government should demonstrate leadership in identifying and implementing mechanisms for lawful access by law enforcement or government to data stored in the cloud.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transnational Data Flows
    7. (E-Discovery and Forensics): Government and industry should enable effective practices for collecting information from the cloud to meet forensic or e-discovery needs in ways that fully support legal due process while minimizing impact on cloud provider operations.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transnational Data Flows
    8. (Lead by Example): The U.S. government should demonstrate its willingness to trust cloud computing environments in other countries for appropriate government workloads.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transparency
    9. (Transparency): Industry should publicly disclose information about relevant operational aspects of their cloud services, including portability, interoperability, security, certifications, performance and reliability.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transparency
    10. (Data Portability): Cloud providers should enable portability of user data through documents, tools, and support for agreed-upon industry standards and best practices.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transformation
    11. (Federal Acquisition and Budgeting): Agencies should demonstrate flexibility in adapting existing procurement models to facilitate acquisition of cloud services and solutions. Congress and OMB should demonstrate flexibility in changing budget models to help agencies acquire cloud services and solutions.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transformation
    12. (Incentives): Government should establish policies and processes for providing fiscal incentives, rewards and support for agencies as they take steps towards implementing cloud deployments.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transformation
    13. (Improve Infrastructure): Government and industry should embrace the modernization of broadband infrastructure and the current move to IPv6 to improve the bandwidth and reliable connectivity necessary for the growth of cloud services.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Approaches to Reduce Risk: Transformation
    14. (Education/Training): Government, industry, and academia should develop and disseminate resources for major stakeholder communities to be educated on the technical, business, and policy issues around acquisition, deployment and operation of cloud services.
    Source: “CLOUD2 Summary Report,” TechAmerica, 2011.
  • Key Takeaways
    1. Cloud security continues to evolve
    2. Security issues are global and impact providers and customers
    3. Cloud security requires action for government, industry and academia
    4. Data owner must implement traditional layered security approach
    5. Data owner must segregate data from application
  • Recommended AFCOM Sessions
    1. “DCM18: Securing the Virtualized Environment,” Robert Klotz, Akibia, 2011.
    2. “DCP10: How Social Media and the Cloud Impact Data Center Security,” James Danburg, SA2, 2011.
    3. “Cloud07: Managing the Transition Cloud,” Brent Eubanks, Latisys, 2011.
    4. “Cloud04: The Ins and Outs of Virtual Private Clouds,” Sundar Raghavan, Skytap, 2011.
  • Recommended Reading
    1. “Assessing the Security Risks of Cloud Computing,” Gartner, 3 June 2008.
    2. “Cloud Security Front and Center,” Forrester Research, 18 Nov 2009.
    3. “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1,” Cloud Security Alliance, 2009.
    4. “Guidelines on Security and Privacy in Public Cloud Computing,” NIST Special Publication 800-144, Jan 2011.
    5. “Summary Report of the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud,” TechAmerica Foundation, July 2011.
  • Join My Professional Network!
    Hector Del Castillo, PMP, CPM, CPMM
    linkd.in/hdelcastillo
    hmdelcastillo@aipmm.com