
CIS13: Security's New Normal: Is Cloud the Answer?


Sally Hudson, Research Director, Security Products and Services, IDC
This session will look at cloud benefits and challenges from a security standpoint and present customer trends and concerns from IDC's demand-side research programs. Special emphasis will be placed on identity issues as they relate to cloud, social and mobile concerns and how they map to the agendas, policies and budgets of the IT enterprise.

Published in: Technology, Business


  1. Security’s New Normal: Is Cloud the Answer? Prepared by IDC for the Cloud Identity Summit, July 2013. Sally J. Hudson, Research Director, Identity and Access Management, BuyerPulse.
  2. Security Perimeters: New Normal
  3. 3rd Platform Built on Four Pillars
  4. Four Pillars of the 3rd Platform
     • Mobile – creates the need for stronger access controls and authentication. Expect more partnerships, acquisitions and innovations in the mobile space.
     • Cloud – driving the need for FSSO and authentication, user provisioning and privileged identity management.
     • Social Networking – companies want to leverage this, but are cautious due to security concerns. Authentication and federation.
     • Big Data – in conjunction with security: rich identity profiles, threat prevention and fraud detection.
  5. 3rd Platform Customer Requirements
     Fixed:
     • Global consumer & corporate privacy & security regulations (civil law)
     • Law enforcement (criminal law)
     • Instantaneous, assured communications with negligible downtime
     • Revenue creation and profitability
     • Apps (write once, test everywhere)
     Fluid:
     • Communities of shared interest & social pressures (good, bad, gray)
     • Control issues (risk, acceptable speech, reputation, privacy & trust)
     • Under-web of sensors & monitoring
     • Services-based approach vs. client orientation
  6. COO’s New Normal: Issues in 2013
     Consolidate:
     • Consolidate
     • Virtualize
     • Automate
     • Optimize
     • Host/Outsource
     Collaborate:
     • Business efficiency
     • Innovate
     • Modernize
     • Mobile/Social
     • Business analytics
     Calculate:
     • Actuarial data
     • Predictable operational expenses
     • Risk
     • Compliance
  7. Consolidate: Old Issues & New Solutions
     New:
     • Worldwide core controls that minimize differences
     • Auditors collaborate with IT to help design a compliance dashboard for a variety of non-IT groups
     • Common worldwide controls that are cloud-based
     Old:
     • Company siloed by business units and geography
     • Custom controls
     • Auditors were the enemy
     • Senior management confused about corporate-wide policies
     • Little anticipation or planning for pending regulations
  8. Shifting IT Spend: Private Cloud is the near-term cloud strategy
     Q. Please estimate how much of your company's IT budget will be allocated to buying and managing these different types of IT services.
     [Chart: stacked bars for Today vs. 24 Months; series: Public Cloud, Private Cloud – Hosted, Private Cloud In-house, Outsourced IT, Traditional IT; values shown: 49%, 37%, 16%, 16%, 13%, 19%, 11%, 15%, 11%, 13%]
     • Enterprises see private cloud as the on-ramp to cloud for the next 24 months
     • Automation and elasticity will become the mantra
     • Pre-integrated modularity will become critical
     Source: IDC’s Cloud Computing Survey, January 2011, n=603
  9. Cloud Providers: Can You Trust Them?
     • SLAs can offer complete visibility and “partnership” with the cloud provider
     • Capex → Opex expense = making friends with the CEO and CFO again
     • Defensible posture and extensible “modular” architecture
     • Pay as you go
     • And more…
  10. Cloud Benefits and Challenges
     [Chart: survey responses on a -80% to +80% axis, grouped under Availability, Security, Total Cost; Time to deploy; Pay for Use; Collaboration]
     Benefits rated:
     • Pay-as-you-go (opex)
     • Easy/fast to deploy to end users
     • Pay only for what you use
     • Allows us to reduce IT headcount
     • Makes sharing with partners simpler
     • Encourages standard systems
     • More sourcing choices
     • Faster deployment of new services
     Challenges rated:
     • Regulatory requirement restrictions
     • Performance/response times
     • Availability/service provider uptime
     • Not robust enough for critical apps
     • Not enough ability to customize
     • Hard to integrate and manage with in-house IT
     • May cost more
     • Security
     • Reliability
  11. Cloud Security & Compliance: Table Stakes for Enterprise Clouds
     Q. Rate these statements about cloud security (% of sample rating 4 & 5).
     • Issue: Security & compliance
     • Data in motion more important than data at rest
     • Key management stays with the customer
     • Issue: Metrics
     • Risk guarantees
     • Threats/attacks
     • Breaches
     • Privileged & customer access
     • Continuous compliance
  12. Cloud Security & Compliance: Consumer Cloud T’s & C’s Exclude Security
     Indemnification is explicit: “You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand…”
     Data locality cannot be guaranteed: “Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using the Service, you consent to any such transfer of information outside of your country…”
     Service interruption is permissible: “Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Yahoo! Services (or any part thereof) with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Yahoo! Services (or any part thereof)…”
     Intellectual property rights are abdicated to providers: “By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, publish and distribute such Content on Google services for the purpose of displaying and distributing Google services…”
     • Lack of security in consumer clouds today is explicitly stated
     • Data is an organization’s most valuable asset
     • Large providers become a target and a single point of failure
  13. Essential Guidance: New Normal & Securing the 3rd Platform
     Security controls by pillar (Cloud / Mobile / Social Networks / Big Data (Threat Intelligence)) and maturity level:
     Predictive:
     • Cloud – Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection & Vulnerability Assessment
     • Mobile – Strong Authentication, Data Protection & Granular Access Controls
     • Social Networks – Data Loss Prevention with data protection & justification for violations
     • Big Data – Raw and analyzed threat feeds from multiple sources integrated with all management consoles
     Proactive:
     • Cloud – VPN, Single Sign-On & Strong Passwords
     • Mobile – Mobile Device Management
     • Social Networks – Keyword-based monitoring & logging
     • Big Data – Network monitoring and SIEM
     Reactive:
     • Cloud – Access control
     • Mobile – Device password
     • Social Networks – Acceptable Use Policy
     • Big Data – Signature-based detection
     Goals:
     1) Timely remediation of existing breaches.
     2) Early detection & mitigation of advanced, targeted attacks.
     3) Policy monitoring & enforcement of internal and external regulations.
  14. Essential Guidance
     • Cloud offerings should allow you to examine your IT investments strategically and avoid point-solution thinking
     • Make sure your services firm can clearly articulate its differentiated offers, methodologies, tools and processes, certifications and domain expertise before embarking on a major IT transformation or initiative
  15. Contact Information
     Email me at:
     Follow me at: