Cloud Computing: Let’s Clear the Air
Presentation Transcript

  • CLOUD COMPUTING: Let’s Clear the Air...
  • ME
    Senior Linux System Administrator for MNX Solutions; MSP in Monroe
    Built/taught Linux curriculum for Eastern Michigan University
    Previously the cloud computing subject matter expert for ePrize
    Deployed multi-cloud provider scalable infrastructure to handle Super Bowl advertising traffic for two digital promotions in 2010
    Hold the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance
    Present at events on configuration management & scalability in cloud computing and other elastic infrastructure
  • GIANT MISCONCEPTION
    When someone says they are ‘going to the cloud’ that may not mean they are utilizing ‘cloud computing’.
    If that were true, everything outside of your own data closets and on-site data centers would be cloud computing.
    Cloud still means Internet... Going to ‘the cloud’ may just mean ‘I am not using a server I can physically see 24x7 anymore’.
  • Cloud Computing Involves... (the five essential characteristics from the NIST SP 800-145 definition, quoted on the following slides)
    On-demand self-service
    Broad network access
    Resource pooling
    Rapid elasticity
    Measured service
  • On-demand self-service
    “A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.”
    Consider an API (Application Programming Interface) or web console that allows you, the consumer, to take resources as you desire them without calling a company and asking for a quote to get something in two or three days.
  • Broad network access
    “Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).”
    The cloud should be accessible without regard to your method of access. The consumer should determine the use-case and scope of network access to services, not the provider.
  • Resource pooling
    “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction.”
    Consumers want resources; they don’t want hardware. A cloud provider should provide as much or as little resource allocation as the consumer requests -- whichever resource they want.
  • Rapid elasticity
    “Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.”
    Adding more cloud resources should not be an arduous process for the consumer. Further, the provider should allow the consumer to dictate circumstances which automatically add resources to meet demand before an absence of resource can occur.
  • Measured Service
    “Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.”
    Consumers in the cloud should pay for what they are using in a more structured manner than traditional resource service models. For instance, if I have a ‘server’ in the cloud, I only pay for it when it’s turned on; not a monthly flat fee.
  • Typical Cloud Confusion
    Utilizing virtualization and providing it to a consumer is not necessarily a cloud service. You will often see virtualization as a means-to-an-end to provide multi-tenant infrastructure for a cloud service, but it is not required to be a cloud computing service.
    A lot of things are (by definition) cloud computing because of Software as a Service (SaaS). Basically any piece of software that you can access on the Internet which performs a task that may otherwise occur on your desktop (e.g. GMail, Dropbox).
    Many people are talking about Infrastructure as a Service (IaaS) when referring to cloud computing, but this is not the only part of the cloud.
  • Software as a Service (SaaS)
    “The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.”
    GMail is a SaaS offering because it provides you an application to interact with e-mail systems without having to have an e-mail client on your personal device; merely a web browser.
    Dropbox provides online storage through a web interface that you can upload/share/download files with. They also have a desktop client to synchronize. If you had to use the desktop client, it wouldn’t be SaaS anymore. The online storage offered is a component of IaaS.
  • Platform as a Service (PaaS)
    “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.”
    Microsoft Azure can provide you the ability to run your application on their cloud infrastructure without having to buy a server or worry about setting up a web server.
    PHPFog combines a caching engine, load balancer, application server, and database server into one service that allows you to deploy your PHP application without the hassle of managing those components.
  • Infrastructure as a Service (IaaS)
    “The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.”
    Generally people reference this in terms of deploying an Operating System such as Linux or Windows onto a provider’s multi-tenant hardware. This is often accomplished using virtualization technology.
    Can also be related to online storage; you don’t control the hard drive or necessarily the location but you control what data you put online. Because it’s just a resource and not “software”, it’s IaaS not SaaS.
  • Typical Cloud Deployments
    Private Cloud: Your resources look like traditional cloud computing (elastic, on-demand, etc.) but are usually deployed on-site or heavily controlled and segregated from other people.
    Public Cloud: Your resources are being placed within the same hardware, network, and storage as other people. You have little control to say where the data is or how the underlying aspects of your environment are created and managed.
    Hybrid Cloud: Some resources are public, some are private.
  • To Put This Another Way...
    SaaS: You don’t control anything except how you use a service and what data you put into the service. Someone else controls the OS, network, hardware, storage, etc.
    PaaS: You don’t necessarily interact with a software package but with a building block which you can architect software from, or manage software that you will integrate with to provide functionality.
    IaaS: You don’t control the hardware, network, or storage but you do get to say how much of it you leverage and what software you want on top of the stack.
  • Fear and Loathing in the Cloud: “Cloud Computing is unproven”
    Cloud computing at its core is old services provided in a new way.
    If you run a web site on a cloud provider, you’re not somehow less safe than if you were to use a traditional ‘shared hosting’ web provider. Your data, network traffic, and applications are still being placed on the same resources as hundreds of other people.
    We’ve all been using Hotmail, Yahoo! Mail, and other SaaS offerings for years now. There have been security issues but generally related to singular accounts rather than the entire service offering.
  • Fear and Loathing in the Cloud: “Amazon Web Services doesn’t meet industry requirements”
    Amazon Web Services are...
    ISO 27001
    SAS 70 Type II
    PCI DSS Level 1
    HIPAA
    ...compliant. (Strictly, HIPAA has no certification program of its own; the first three are audited standards, while “HIPAA compliant” means the provider’s controls support building HIPAA-regulated workloads on it.)
  • Fear and Loathing in the Cloud: “If I go to the cloud, my data will be stolen”
    Sharing storage does not mean that your data is available just because someone else has bits on the same hard drive.
    Sharing networking does not mean all of your traffic is viewable by other tenants of the network in a passive way (or even through common network attacks).
    Virtualization is actually a fantastic security mechanism inherently, due to the implementation of separation of resources you probably didn’t have at your last web hosting provider. The hypervisor does become part of your trust boundary, though: tenant isolation is only as good as the provider’s virtualization layer, and cross-VM side-channel research (the UCSD paper in the references) shows that isolation is strong, not absolute.
  • Fear and Loathing in the Cloud: “I can’t trust XYZ provider’s people”
    Cloud computing means that people at a company have access to your servers, network, storage, and potentially your data.
    Colocation, dedicated hosting, shared hosting, virtual private servers and all other off-site hardware and software means that.... See above.
    The situation does not change. I’d trust Amazon with my data before a random data center in Michigan who has been around a few months.
  • The cloud can be nasty, though. Consider this scenario:
    A criminal has access to 10,000 stolen credit cards
    Aforementioned criminal possesses basic programming skills
    API calls are sent to create 20 ‘server instances’ per credit card at 10 different cloud providers
    Criminal now has 2 million servers to conduct attacks, distribute piracy, spam people, or attempt to dilute available resources for potential legit customers
  • Bot-nets used to take effort!
    Old bot nets were handfuls of Grandparent’s slow computers running 56k modems on AOL and infected with spyware.
    New bot nets can be created on-demand with sizes being determined by the number of cloud computing (IaaS) providers who accept a credit card/PayPal account and will automatically provide resources without even so much as a phone call.
    Cloud bot nets allow criminals to rent high-capacity computing resources on amazing network connections with no existing ‘infections’ needed.
  • It’s not all bad, though.
    Companies such as Rackspace or Amazon are well staffed and trained to deal with cyber criminals by deploying fraud and abuse detection systems to help react quickly to negative situations.
    It’s easier for a large cloud provider to shut down rogue accounts, block stolen credit cards, and provide law enforcement with evidence than a Mom-and-Pop web hosting provider or a random teenager’s computer that has been infected with a trojan.
    Some providers like Amazon require account creation to involve simple additional hoops such as phone call verification to an automated service; not a fix but it definitely makes would-be criminals work harder.
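The fraud and abuse detection the slide above mentions, reduced to one concrete check, as an added example that is not part of the original talk and not any provider's actual system: the stolen-card scenario from the earlier slides looks, in a provisioning log, like one source address opening fresh accounts on a run of different cards and launching a burst of instances on each. The log format, the field layout, the thresholds and the sample lines below are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ProvisionEvent is one line of a constructed provisioning audit log:
// "<RFC3339 time> <account> <card fingerprint> <source IP> <instances requested>".
type ProvisionEvent struct {
	At        time.Time
	Account   string
	CardHash  string
	SourceIP  string
	Instances int
}

// Thresholds are assumptions for the example, not any provider's real policy.
const (
	window            = 10 * time.Minute
	maxInstancesNew   = 20 // instances one account may launch inside the window
	maxCardsPerSource = 3  // distinct cards one source IP may use inside the window
)

// ParseLog parses the whitespace-separated log format described on ProvisionEvent.
func ParseLog(text string) ([]ProvisionEvent, error) {
	var events []ProvisionEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		n, err := strconv.Atoi(f[4])
		if err != nil {
			return nil, err
		}
		events = append(events, ProvisionEvent{at, f[1], f[2], f[3], n})
	}
	return events, nil
}

// Alerts runs two sliding-window checks and returns sorted, de-duplicated findings:
// "burst:<account>" when one account exceeds maxInstancesNew inside window, and
// "cards:<ip>" when one source IP pays with more than maxCardsPerSource cards inside window.
func Alerts(events []ProvisionEvent) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	found := map[string]bool{}
	for i, ev := range events {
		count, cards := 0, map[string]bool{}
		// Look back over every event inside the window that ends at this one.
		for j := i; j >= 0 && ev.At.Sub(events[j].At) <= window; j-- {
			if events[j].Account == ev.Account {
				count += events[j].Instances
			}
			if events[j].SourceIP == ev.SourceIP {
				cards[events[j].CardHash] = true
			}
		}
		if count > maxInstancesNew {
			found["burst:"+ev.Account] = true
		}
		if len(cards) > maxCardsPerSource {
			found["cards:"+ev.SourceIP] = true
		}
	}
	var out []string
	for k := range found {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed data: one legitimate account, and one source address that
// opens new accounts on a run of different cards and launches 20 instances on each.
const SampleLog = `
2011-05-01T12:00:00Z acct-legit c001 198.51.100.7 2
2011-05-01T12:01:00Z acct-a c101 203.0.113.5 20
2011-05-01T12:01:30Z acct-b c102 203.0.113.5 20
2011-05-01T12:02:00Z acct-c c103 203.0.113.5 20
2011-05-01T12:02:30Z acct-d c104 203.0.113.5 20
2011-05-01T12:03:00Z acct-d c104 203.0.113.5 20
2011-05-01T12:30:00Z acct-legit c001 198.51.100.7 3
`

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Alerts(events) {
		fmt.Println(a) // prints burst:acct-d and cards:203.0.113.5
	}
}
```

The two checks are deliberately independent: the per-account burst rule catches a single account launching more than it should, while the cards-per-source rule catches the pattern that survives the criminal keeping each account under the launch limit, because the one thing that stays constant across the run is where the API calls come from.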
  • Cloud Security Practices
    Cryptography everywhere you can...
    Data that is sitting on random disks across data centers you don’t know the location of should be encrypted so that if hard drive(s) were stolen, your data would still be reasonably safe.
    Transport encryption (SSL/TLS) should be applied for any sensitive traffic between cloud servers and each other as well as between cloud servers and general end-users (e.g. webmail users utilizing your SaaS).
    No customer PII, PHI, or otherwise sensitive information should be accessible in a cleartext format without previously having to enter a passphrase or utilize a private key to decrypt said information.
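One way to meet the at-rest and private-key points above in code, as an added example that is not the talk's code and not any provider's API: each record is encrypted under its own random data key with AES-256-GCM, a key-encryption key (KEK) that stays on-site wraps that data key, and only the wrapped key plus ciphertext go to the provider. The `cloudStore` map standing in for provider storage, the object identifiers and the sample record are assumptions of the example; transport encryption is a separate layer and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is what actually lands on the provider's disks. Nothing in it is
// usable without the key-encryption key (KEK), which never leaves your site.
type StoredObject struct {
	WrappedDEK []byte // per-object data key, encrypted under the KEK
	Ciphertext []byte // the record, encrypted under the data key (nonce prepended)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and prepends the random nonce.
// aad binds the ciphertext to its purpose, so a wrapped key cannot be passed off
// as a record and a blob cannot be moved to another object.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad or any modified byte.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Encrypt is envelope encryption: a fresh 256-bit data key per object encrypts the
// record and the KEK wraps only that data key. objectID is the AAD, so a blob
// copied under a different key in the store will not decrypt.
func Encrypt(kek []byte, objectID string, record []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, record, []byte("record:"+objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then decrypts the record.
func Decrypt(kek []byte, objectID string, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte("dek:"+objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte("record:"+objectID))
}

func main() {
	// In production the KEK comes from an on-site HSM, KMS or passphrase-derived key;
	// generating it in memory here is an assumption of the example.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	cloudStore := map[string]StoredObject{} // stand-in for the provider's storage
	obj, err := Encrypt(kek, "customer/42", []byte("name=Jane Doe;ssn=000-00-0000"))
	if err != nil {
		panic(err)
	}
	cloudStore["customer/42"] = obj
	plain, err := Decrypt(kek, "customer/42", cloudStore["customer/42"])
	fmt.Printf("decrypted: %s (err=%v)\n", plain, err)
}
```

Per-object data keys mean a stolen drive holds one wrapped key and one ciphertext per record and nothing that decrypts them, and rotating the KEK only requires re-wrapping the small data keys rather than re-encrypting every record.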
  • Cloud Security Practices
    Audit your resources against either traditional compliance standards (PCI, HIPAA, SOX, etc.) or with your company’s own guiding practices.
    Ensure strong network filtering when able to do so. Amazon for instance allows a network-based inbound firewall ruleset; stack that with a host-based firewall on each instance to ensure no gaps exist if one fails.
    Utilize multi-factor authentication at an account level (Amazon has token integration) and also at your service level (IaaS, SaaS).
    Ann Arbor-based Duo Security for Linux/Juniper/Cisco MFA
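A check for the “stack a network firewall with a host firewall” point above, as an added example that is not from the talk and not from Amazon: it takes the inbound rules of a security group (constructed here as a small list rather than fetched from any provider API) and the output of `iptables -S INPUT` from an instance (a constructed sample), and reports every port allowed at one layer but not the other, plus whether the host chain defaults to DROP. A rule present at only one layer is exactly what turns into an exposure when the other layer fails or is loosened.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Rule is one inbound allow, normalized to protocol, port and source CIDR so that
// a provider-level rule and a host-level rule can be compared directly.
type Rule struct {
	Proto  string
	Port   int
	Source string
}

func (r Rule) String() string { return fmt.Sprintf("%s/%d from %s", r.Proto, r.Port, r.Source) }

// SecurityGroup is constructed sample data standing in for the provider's inbound
// ruleset; a real audit would read it from the provider's API.
var SecurityGroup = []Rule{
	{"tcp", 22, "10.0.0.0/8"},
	{"tcp", 80, "0.0.0.0/0"},
	{"tcp", 443, "0.0.0.0/0"},
	{"tcp", 8080, "0.0.0.0/0"},
}

// HostRules is constructed sample output of `iptables -S INPUT` on one instance.
const HostRules = `-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT`

// ParseIptables extracts the port-specific ACCEPT rules from `iptables -S` output
// and reports whether the INPUT chain's default policy is DROP. Rules without
// --dport (loopback, conntrack) expose no port and are skipped.
func ParseIptables(text string) (rules []Rule, defaultDrop bool) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "-P" && f[1] == "INPUT" {
			defaultDrop = f[2] == "DROP"
			continue
		}
		r := Rule{Source: "0.0.0.0/0"} // no -s means any source
		for i := 0; i+1 < len(f); i++ {
			switch f[i] {
			case "-p":
				r.Proto = f[i+1]
			case "-s":
				r.Source = f[i+1]
			case "--dport":
				r.Port, _ = strconv.Atoi(f[i+1])
			}
		}
		if r.Port != 0 && strings.HasSuffix(line, "-j ACCEPT") {
			rules = append(rules, r)
		}
	}
	return rules, defaultDrop
}

func contains(rs []Rule, r Rule) bool {
	for _, x := range rs {
		if x == r {
			return true
		}
	}
	return false
}

// Gaps returns the rules present at only one layer. Network-only entries are what
// becomes reachable if the host firewall is flushed or disabled; host-only entries
// are what opens up if the security group is ever widened.
func Gaps(network, host []Rule) (networkOnly, hostOnly []string) {
	for _, r := range network {
		if !contains(host, r) {
			networkOnly = append(networkOnly, r.String())
		}
	}
	for _, r := range host {
		if !contains(network, r) {
			hostOnly = append(hostOnly, r.String())
		}
	}
	sort.Strings(networkOnly)
	sort.Strings(hostOnly)
	return networkOnly, hostOnly
}

func main() {
	host, drop := ParseIptables(HostRules)
	if !drop {
		fmt.Println("WARNING: host INPUT policy is not DROP")
	}
	netOnly, hostOnly := Gaps(SecurityGroup, host)
	fmt.Println("security group only:", netOnly) // [tcp/8080 from 0.0.0.0/0]
	fmt.Println("host firewall only:", hostOnly) // [tcp/3306 from 0.0.0.0/0]
}
```

On the sample data the two layers disagree in both directions: tcp/8080 is open at the security group with nothing listening behind it on the host, and tcp/3306 is open on the host with the security group as its only protection. Either finding is worth closing before a misconfiguration at the other layer makes it real.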
  • Cloud Security Practices
    Try to minimize the sensitive information you store in the cloud; keep that data in-house/on-site if at all possible.
    Implement host-based intrusion detection systems (OSSEC, Tripwire).
    Use strong passwords on all accounts and try to reduce password reuse.
    Ensure the cloud provider you utilize meets industry standard compliance for required certifications relevant to your business.
    Discuss legal concerns with your counsel or the cloud provider before jumping in and looking back realizing it’s too late to be proactive.
  • Other Cloud Practices
    Have detailed documentation on how your cloud infrastructure is set up so that if you had to migrate from one provider to another, you wouldn’t have to scramble to figure out how to.
    Configuration management tools (Puppet, Chef, CFEngine) can allow for rapid deployment of infrastructure by treating components (services, software, configuration) as code and allowing it to be versioned and managed easily.
    If you have a server in the cloud that cannot fail, you probably need to re-think how you’ve deployed your infrastructure or application.
    Treat your IaaS as ephemeral and plan for failure; be resilient!
  • Does this all sound familiar?
    Cloud practices are not very different in most cases than regular information security practices.
    Cloud computing is still the same technology that we’ve been securing, just with new applications and some bells & whistles.
    Don’t complicate cloud security practices with fancy new products: stick to standard cryptography, strong passwords, separation of privilege, multi-factor authentication, and limit your stored sensitive data.
    Face your fears in your existing environment before going to the cloud! Things will not magically change by going to an IaaS, PaaS, or SaaS.
  • What should I do differently?
    When our source code is hidden there’s typically a harder time to exploit it; that doesn’t mean it’s necessarily safe!
    When our servers are on-site, there’s typically a harder time to exploit them; that doesn’t mean they are necessarily safe!
    Implement the best practices you should be already doing and don’t skimp on follow-through; be aggressive with your security.
    Going from a data center cage that you have keys to into a cloud provider’s cluster of computing resources does take a leap of faith, so be ready to let go of some safety-nets you’re used to.
  • Why NOT to go to the cloud...
    If you’re PCI DSS Level 1, it’s not impossible to do so in the cloud but you’re going to have to find the right QSA :)
    2013 is the next PCI council revision; things may change then.
    If you don’t architect for failure, that’s exactly what you will have.
    Some companies did have AWS failures recently on a grand scale; other companies survived the AWS outage...
    If you fail (architecture or security) plan on being in the news quickly; it’s very popular to bash the cloud!
  • References/Appendix
    http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
    http://cloudsecurityalliance.org/
    http://aws.amazon.com/security/
    http://www.duosecurity.com/
    http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf
    http://sites.google.com/site/detroitcloudgroup/
    http://clouddevday.com/
  • Thank You! Questions?
    mark.stanislav@gmail.com
    @markstanislav
    uncompiled.com