Predicting The Future: Security and Compliance in the Cloud Age


Published on

The emergence of the Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) models are just two of many inflection points as IT migrates away from the traditional data centers and into the cloud, shifting more control over security from the enterprise to the service provider. How will your security and compliance strategy change when this transformation is complete? This presentation will explore technologies and strategies you need to adopt today to prepare to support security and compliance in the cloud age.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Predicting The Future: Security and Compliance in the Cloud Age

  1. 1. Predicting the Future: Security and Compliance in the Cloud Age<br />
  2. 2. Introduction<br />Misha Govshteyn – CTO, Alert Logic<br />Work in security and web-scale architecture; operate high performance LAMP environment and Erlang-based compute grid<br />Help hosting/cloud service providers deliver security services<br />Secure Cloud Review blog -> <br />What we do at Alert Logic<br />
  3. 3. About this session<br />Objective:Help you make security & compliance decisions that prepare your company for the future<br />This presentation addresses a broad trend of consuming IT as a service<br />Cloud in this context includes <br />IaaS<br />PaaS<br />SaaS<br />Why take such a broad view? Because each of these models has potential to significantly alter the way you protect your most critical assets<br />
  4. 4. Putting 2010 questions in perspective<br />Questions of today are less important than this fact : IT is increasingly delivered as a service<br />Your IT footprint is already changing…<br />probably adopting some form of cloud services<br />network is already becoming decentralized<br />Some of your data may already be off-premise<br />IaaS? PaaS? SaaS?<br />Private vs Public?<br />IT vs Cloud?<br />
  5. 5. Formulating a Security Strategy<br />
  6. 6. Your Enterprise in 2015<br />platform<br />ISV<br />virtualdesktop<br />saas<br /><br /><br /><br /><br />burst<br />private<br />HR<br />CRM<br />Finance<br />POS<br />web storefront<br />Cloud Enabled Functions<br />Enterprise Software<br />Enterprise Platforms<br />
  7. 7. Cloud questions today and tomorrow<br />
  8. 8. Your enterprise 5 years from now<br />Perimeter is less important than ever<br />More than 50% of your critical data is offsite<br />Some in environments you do not control<br />Some users don’t need your VPN to do their jobs <br />Securing the enterprise will be characterized by<br />Continuous transfer of security responsibility to service providers of all types<br />Application/protocol level attacks<br />Even more compliance requirements than today<br />
  9. 9. Security trends in next 5 years<br /><ul><li>Governance and compliance efforts will extend to private and public cloud environments</li></ul>Cloud providers will use security as a differentiator<br />Become increasingly more transparent<br />Provide automated attestation and auditing of key controls, including access to logs<br />Native data encryption available & heavily promoted, but sparingly used<br />Most will offer enterprise-level Security-as-a-Service within 2-3 years<br />Changes in security industry<br />Identity management is likely to become the first cloud sec “killer app”<br />Netsec vendors, less strategic to enterprises, will focus on CSPs<br />Application/protocol security and Data Leak Prevention are likely to become increasingly important due to PCI mandates<br />
  10. 10. Cloud impact on network security<br />Most network security products are unable to deal with complexity of CSP networks<br />Big pipes: CSPs already see speeds well in excess of 50gbps<br />Small customers: thousands of customers, some with very little traffic (no native multi-tenancy)<br />Rapid elasticity – changing topology, new IP allocations, new VLANS, more traffic flows<br />Today’s notions of trusted users, networks and computing resources will need to be re-thought<br /><ul><li>Cloud Service Providers will begin to control an increasing share of the network, rather than Enterprise IT</li></li></ul><li>The Evolving perimeter<br /><ul><li>Traditional notion of perimeter will change dramatically as data migrates into the cloud
  11. 11. Network firewalls will fade in importance as perimeter disappears
  12. 12. Network security functions subsumed by service providers
  13. 13. Increasingly offered as a service
  14. 14. Become embedded in CSP and NSP network fabric
  15. 15. New security focus:
  16. 16. Applications
  17. 17. Protocols
  18. 18. Endpoints</li></li></ul><li>Delivered by<br />Cloud Service Providers (CSPs) <br />Network Service Providers (NSPs) <br />Direct to enterprise by pure-play Security SaaS providers<br />terminals<br />mobile devices<br />remote users<br />laptops<br />Emerging cloud security services<br />cloud<br />security saas<br />security saas<br />IPS<br />VA<br />Web<br />AV<br />IDM<br />Logs<br />VPN<br />Mail<br />App<br />WAF<br />
  19. 19. CSP vs Customer responsibility<br />Customer /Managed Service<br />Cloud Service Provider<br />
  20. 20. Compliance in the cloud<br />Requires a robust set of enterprise-grade security capabilities and services from CSPs<br />Automated cloud auditability:<br /><ul><li>Attestation
  21. 21. Auditing of key controls
  22. 22. Activity reporting
  23. 23. Log availability</li></ul>Emerging standard: CloudAudit/A6<br />
  24. 24. X-Factor: the Auditors<br />Passing a compliance audit in the cloud in next 5 years will require equal parts luck and planning<br />Improving your chances<br />Distant future: find an auditor that understands and has experience in cloud environments<br />Today: help your auditor understand your environment<br />API? CSA? XML? A6? Hadoop? EC2? VPC? XEN?<br />
  25. 25. First steps<br />Engage with your IT security and auditors<br />Build a roadmap for dealing with the dissolving perimeter and set realistic goals for your team<br />Understand how Security SaaS fits into your current and future strategy<br />Explore technologies/efforts important to secure cloud adoption: IDM, OWASP, WAF, CSA, A6<br />Choose cloud environments that understand and plan to address your evolving security needs <br />
  26. 26. Alert Logic<br /> <br />Secure Cloud Review Blog<br /><br />Email:<br />Twitter: @CToMG<br />