Three imperatives for today’s Cisco data center



As a concept, cloud is the one that most interested our audience today. We are seeing heavily virtualized data centers with private clouds, cloud-attached data centers that leverage Infrastructure as a Service (IaaS) facilities for rapid service deployment or capacity management, and hybrid clouds that mix and match based on implementation needs. Most of our customers have embraced one of the above models.

Published in: Technology, Education

  • Introduction: Evelyn introduces Rich and Evelyn – explains the purpose of the series – and why we are partnering with Accenture and Rich specifically on this webcast. Brief overview of the audience attending and how they can interact with us on this webcast and ask questions; we will also poll them during the webcast to see where they stand on certain issues.
  • Evelyn to ask Rich how he is seeing cloud and mobility as a nexus of forces impacting business.
    Answer: Cloud and mobile have extended the enterprise to the point where perimeter and endpoint control are more ‘nice to haves’ vs. ‘must haves’. All of you are aware of how cloud and mobility are changing the market and impacting your businesses. There are critical changes happening in the threat landscape that are as massive as cloud and mobility. These customer-centric market dynamics require an end-to-end security architecture.
  • Evelyn to ask Rich what he is seeing.
    Answer: As a concept, cloud is really the notion of ‘instant’ service provisioning – and it’s prolific. Heavily virtualized data centers with private clouds, cloud-attached data centers that leverage IaaS facilities for rapid service deployment or capacity management, and hybrid clouds that mix and match based on implementation needs.
    Customer perspective: What do customers need? How do their data centers change? As the customer goes through this journey in step functions, we bring to market new products for each movement forward.
    - Virtualization: resiliency and capacity for greater workloads.
    - Private clouds: greater agility and automation, but not yet confident to move to public.
    Customers are anywhere along this animation. It is important to understand where the customer is, the motivators and business problems they are facing, and the portfolio of solutions we have that can help get them to the next point.
  • SOURCES:
    - Gartner: ‘Forecast: Public Cloud Services, Worldwide, 2010-2016, 3Q12 Update’
    - Gartner: ‘Peer Practices: What Are Other Customers Doing in Cloud Security?’
    SLIDE THEME CONSIDERATIONS:
    - How is Data Center Security impacted by Cloud?
    - There is a Transformation message here…
    - There is a Standardization theme here…
    - Stage the problem and the fundamentals leading to ‘containment’ (enabling measurement)...
    - Stage ‘Verify, then Trust’ vs. ‘Trust, then Verify’.
    SLIDE NARRATIVE:
    Cloud and mobility have fundamentally changed the means by which contemporary businesses operate. Though possible, rare is the organization that does not leverage a combination of IaaS/PaaS/SaaS and/or mobile capabilities today. Given that the cloud has extended compute and infrastructure resourcing capabilities beyond the bounds of the data center, I’ll be exclusively speaking to the ‘Extended Enterprise’ concept from this point forward. Though there are a handful of examples of strategic cloud deployments that could be raised – e.g. Salesforce, or AWS EC2/Elastic Beanstalk for rapid product delivery – it is arguable that most cloud use was consumer driven and opportunistic (consider Google Apps, Dropbox, and Evernote), based on ease or need. To this latter point, it was really only when ‘critical mass’ was hit (or a security event at a known CSP was announced) that cloud services were recognized and addressed by IT and InfoSec (if only in acquiescence to user demand).
    Given the number of cloud service providers there are right now, and the explosive growth of entrants within the segment (I’ve been told that ~100 new cloud services are created a month), if modern data centers are not ‘cloud attached’ in one form or another they very soon will be. Even more, Gartner predicts that with market maturity enterprises will increase migration of *mission-critical* functions to *public* cloud services over the next 3-5 years.
    Enterprises then, and the data centers which support them, are in the midst of transformation – if, of course, they weren’t already founded within the cloud. So as I mentioned earlier, controls within the extended enterprise – speaking specifically to perimeter and endpoint control – are no longer must haves. As such, IT and InfoSec must adapt and consider alternative means to maintain the confidentiality, integrity, and availability of their business services, data, and users. Said a different way, to remain relevant to the business, the CIO and CISO must fully embrace cloud (which is different from passively letting it happen) and use it as a means not only to become strategic business leaders, but to establish a means to manage the risks and threats cloud presents to the enterprise.
    It could be said that ‘cloud’ is effectively distributed computing without hierarchical, organizational, or geographic constraint. For the ‘extended enterprise’ to operate effectively, then, there must be standardization of access control and data exchange between cloud service providers (CSPs). As such, implementing a Cloud Services Brokerage (CSB) – whether internally or externally, utilizing private/public/hybrid clouds – accelerates service implementation and integration while introducing a means by which visibility can be established and policy decisions made. Consider the IaaS use case: development and engineering are attracted to the notion of instant provisioning of compute resources, typically because it is believed that sourcing and provisioning lead times are ‘too long’ and that network and endpoint controls are ‘too restrictive’. So if provided an IT/InfoSec-approved means of immediately self-provisioning a platform with any OS, within a private *or* public cloud space, would they use it? Perhaps with the added incentive that if done via the ‘corporate’ portal, all PMO and administrative ‘paperwork’ is eliminated… would they do it?
    If provided a path of least resistance (which of course varies with each corporate culture), why not? Of course the point is not to create chaos, but to funnel user demand and bake in a minimal control footprint via self-service provisioning – one that provides visibility into what (service/data) is being done by whom (user/system) with whom (CSP).
  • SOURCES:
    - Gartner: ‘Peer Practices: What Are Other Customers Doing in Cloud Security?’
    - Gartner: ‘Identity Management (Reference Architecture and List)’
    - Gartner: ‘Data Management (Reference List)’
    SLIDE THEME CONSIDERATIONS:
    - Acting as a CSB enables performance metric collection…
    - Key element: Digital Identity (User, Device, System, Service)
    - Key element: Data Assets (unstructured vs. structured)
    - Not all risk data can be derived; CSPs must be governed…
    - This slide reinforces the strategic role of the CIO and CISO…
    - This slide should stage spend to (a) enable a CSB (e.g. IDM, TrustSec, Lancope) and (b) the build of a CSB proper (e.g. Cloupia)...
    SLIDE NARRATIVE:
    Metrics are a tricky business. From a management perspective, consistent demonstration of progress, in terms that are both understandable and actionable, is critical to success (i.e. continued project funding). Through conversations with CIOs and CISOs in industry (and in my own experience), operational data is the mainstay of our metrics – e.g. network flows, access/authentication traffic, system events, change tickets. Specific to InfoSec, these metrics are typically presented as compliance (e.g. access approvals, threat/vulnerability counts, audit findings) and incident (e.g. service-impacting events, investigations) measures, with the aim to identify and minimize (as cost avoidance or reduction proposals) operational risk to the business. So for the cloud-attached (or entirely cloud-based) data center, wherein operational data is not readily available (though the Cloud Security Alliance is working to change that), how and what can the CISO present to the business in regards to risk? Again, ‘who’ (in terms of user context) and ‘what’ (in terms of digital assets) with ‘whom’ (the CSP) are fundamentally required for any CSP workflow to function correctly.
    Focusing then on how the points of service interconnect between CSPs (where, minimally, user and service attributes are exposed) are managed, performance metrics of user and service volumes against time and service providers can be derived. Coupled with the security data already bound within the data center, security policy decisions – specific to user/system access and data management/security – can be enabled. However, this only addresses a subset of what is needed to manage operating risk. Given the distributed ownership of business function within a cloud-attached data center, the following must also be considered:
    - Multi-tenant recovery risks – in case of an incident, what is the prioritization of restoration? What is the extent of liability coverage? (leading to)
    - Distributed ownership risks – how are the components of any given attack or incident chain resolved? More importantly, how is remediation managed across CSPs? (leading to)
    - Target risks – multi-tenant CSPs inevitably become attack targets, so how are threats/vulnerabilities identified/mitigated/managed? What is reported to the enterprise?
    Reporting and remediation of individual issues is clearly owned by the CSP, but it is the responsibility of the business – often falling to the CIO and CISO in cases of service impact – to manage the holistic risks against the enterprise. To do so successfully, it is imperative for the CIO and/or CISO to:
    - act as the central point of CSP governance – driving for quantified and qualified operational data so that risk can be assessed; and
    - act as the enterprise governance lead – partnering with stakeholders, Legal, and Procurement to prioritize and drive mitigation across the new ‘extended enterprise’.
    As mentioned earlier, the data exposed by CSPs varies – not all are mature enough to expose usable data, and many believe that full transparency (exposing realization of the risks above) would damage the business. That said, the risk of ‘bad in, bad out’ is also one to contend with.
    That aside, metrics – so long as they are consistent and tied to the business – are essential to Risk Management. And Risk Management is only effective within a forum wherein stakeholders are engaged and actively participating with the CIO and CISO to mitigate/remediate qualified threats.
  • SOURCES:
    - N/A
    SLIDE THEME CONSIDERATIONS:
    - This slide closes on the strategic role of the CIO and CISO…
    - This slide should stage spend on (a) Cisco capabilities (e.g. TrustSec, Cisco UCS Director, Lancope) and (b) Accenture capabilities (e.g. the heavy lifting)
    SLIDE NARRATIVE:
    The mechanics of project budgeting and execution – building Business Cases, clearing MSA/MCSA/EULA with Legal, clearing contracts with Procurement – are difficult but straightforward. Selling projects – especially security ones – is entirely different, and nigh impossible when competing against any project originating out of the front office (e.g. Sales, Product Management/Engineering). I’m raising this to reiterate the criticality of changing our messaging approach from an ‘if we don’t do this, this bad thing will happen’ pitch to a ‘let’s help the business do more by giving them what they want’ pitch. That said, there is no single proposal or program that universally applies to all companies across all industry segments. However, based on where you are on the data center spectrum and the progressiveness of your organization with cloud adoption/migration, any of the following projects are worth considering:
    - Cloud Service Brokering – Build or implement a self-service provisioning portal for SaaS/PaaS/IaaS platforms, focused on establishing standardized usage profiles based on user roles and data/system access requirements. Program threads would include: IDM/OpenID/OAuth Standardization, CSP Rationalization, CSP Provisioning Workflow Engine (Cisco UCS Director), Usage Analytics.
    - Cloud Security Metrics – Build or implement a CSP metrics analysis platform for policy decisioning. Program threads would include: CSP Traffic Aggregation, CSP Analysis Platform (Lancope), Application::Service Rationalization, Account Compromise/Abuse Analytics.
    - Cloud Risk Governance – Establishment of an executive forum reviewing CSP Compliance and Risk. Program threads would include: Cloud GRC Monitoring and Reporting Platform (auditing), Cloud Risk Management Council, Standardized Legal/Procurement CSP Acquisition Procedures/Workflows, Standardized CSP Compliance Monitoring and SLA Enforcement Procedures.
    And of course, if you already have established security metrics tied to your business implementations of cloud, then your budget proposals should be directed at mitigating/remediating the risks that you or your business leaders qualify as critical. And if you are at this stage of maturity, then I hope you are able to share your experiences and lessons learned with all of us.
  • Three imperatives for today’s Cisco data center

    1. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Rich Noguera, Senior Manager, Security Strategy & Risk Management, Accenture. Evelyn de Souza, Senior Data Center Security Strategist, Cisco. July 16, 2013
    2. New Forces Shaping Data Center Security. Imperative 1: Enabling IT security to play a more strategic role. Imperative 2: Business-driven security and risk metrics. Imperative 3: Balancing investments in key technology areas
    3. Nexus of Forces Impacting Data Center Security: Mobility, Cloud, Internet Speed
    4. From Virtualization to Cloud: Traditional Data Center; Virtualized Data Center (VDC); Virtualized Desktops; Internal, Private Clouds; Virtual Private Clouds (VPC); Public Clouds. Consolidate Assets, Virtualize the Environment, Automate Service Delivery, Standardize Operations. Where are you now? Where do you want to be?
    5. Gartner predicts 17.9% CAGR in cloud services usage through 2016. Shift: Verify then Trust versus Trust then Verify
    6. Test-ACL / Business Policy matrix (cells marked X). Source: VPN HR User, IT Ops, VD HR Users. Destination: Test Server, HR Database, Prod CRM, Storage. User and Devices; Resources and Demands; Dynamic Context. Focus on what matters most!
    7. Correlating business risk against threat vectors. Security data analytics: discover compromised systems, visibility of data infiltration/exfiltration. Threat Context Data: Identity, Device, Application, Data; Internal Network and Borders
    8. Get engaged with your peers to adapt security standards for the cloud at the Cloud Security Alliance. Continue this discussion with us on LinkedIn by joining Secure Data Center Trends. Follow us on Twitter @SecDatacenter. Download these slides at our Cisco Ask the Data Center Security Blog. Contact Richard.Noguera@accenture.coom to learn how Accenture can help you securely embrace cloud adoption
    9. Thank you.