Cloud is not an option, but is security?


A "cloudless" computing environment in your enterprise is not an option, due to the coming wave of the Cloud. Cloud Security is an option, of course. Spend an hour with one of the industry's top cloud security consultants, Graham Silver.

Webinar / Discussion / Q&A

- Common understanding of Cloud
- Look at Cloud Computing Trends
- Examine Cloud Security Concerns
- Introduce Cloud Life Cycle
- Cloud Security Assessment

  1. Graham Silver, January 18, 2013
  2. (1) Common understanding of Cloud; (2) Look at Cloud Computing Trends; (3) Examine Cloud Security Concerns; (4) Introduce Cloud Life Cycle; (5) Cloud Security Assessment
  3. The global market for "Cloud Computing" is going to increase from about $41 billion in 2011 to $241 billion in 2020 (Forrester's forecast). The biggest growth will come from business and government moving to the Cloud.
  4. Answers: A. None – No plan; B. None – Plan to in near future; C. Yes – Public Cloud; D. Yes – Private Cloud; E. Yes – Hybrid Cloud; F. Don't know?
  5. Earliest Cloud work by Amazon and Google: first Cloud was Amazon EC2 and was released in October 2006; SaaS was earlier with Salesforce and NetSuite. Is there one common definition? Observations: vendors seem to have own definition to sell their wares; each organization seems to have their own definition.
  6. The NIST Definition of Cloud Computing (Authors: Peter Mell and Tim Grance, Version 15, 10-7-09): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
  7. The NIST Definition of Cloud Computing
     1. On-demand self-service – Provision compute capacity without human interaction
     2. Broad network access – Access systems via heterogeneous thin or thick client platforms
     3. Resource pooling – Serve multiple customers using a multi-tenant model
     4. Rapid elasticity – Quickly scale resources in or out based on demand
     5. Measured service – Monitor resource usage and report
  8. The NIST Definition of Cloud Computing
     - Software as a Service (SaaS) – Salesforce: use provider's applications over a network
     - Platform as a Service (PaaS) – Microsoft Azure: deploy customer-created applications to a cloud
     - Infrastructure as a Service (IaaS) – Amazon AWS: rent processing, storage, network capacity, and other fundamental computing resources
     - To be considered "cloud" they must be deployed on top of cloud infrastructure that has the key characteristics
  9. The NIST Definition of Cloud Computing
     - Public cloud – Sold to the public, mega-scale infrastructure
     - Private cloud – Enterprise owned, leased or managed
     - Hybrid cloud – Composition of two or more clouds
     - Community cloud – Shared infrastructure for specific community
  10. What is needed: Self Service Portal; Service Catalog; Virtualized environment; Standardization; Streamlined service management; Advanced workflow and automated resource engine; Enhanced monitoring, asset and license management; Re-engineered processes; Security; Chargeback system
  11. Savings: $40 million over 5 years. ,000 Physical Servers – 20,000 VMs; 80% Virtualization with Target of 100%. Source:
  12. Largest Public Clouds are Much More Efficient than Private Clouds: ~500,000 VMs; 25x Cisco; Avg server cost 12% of Cisco
  13. A. No; B. Limited; C. Most; D. All
  14. Case: Coupa and SUBWAY
     - Coupa's Software-as-a-Service (SaaS) and Amazon public cloud services being used to deliver spend management.
     - Amazon Web Services to house its procurement data, invoice records, and other critical information essential for running day to day operations.
     - Coupa is integrating its cloud-based solution with the world's leading food distributors, such as Sysco and US Foods & the Subway EDI network.
     - Supports mobile devices (tablets and smartphones) to place orders and check records from any location inside their franchises or elsewhere.
     - When the network is fully deployed, it will handle 30,000-60,000 purchase orders a week, & thousands in minutes along with a 99.9% SLA.
     - SUBWAY chose the Cloud-based system because of its intuitive user interface, which its highly diverse population of workers can adopt easily and quickly with minimal training.
     Source:
  15. Case Study:
     - City serves 425,000 citizens
     - Challenge to improve applications that use more powerful mapping technology: with shrinking IT budget and personnel; reduce IT maintenance costs; faster time to market; improve service offerings to citizens; provide cost-effective disaster recovery
     - Delivered a 311 application for citizen non-emergency requests (e.g. potholes, illegal dumping, missed garbage collection …)
     - Mobile device support for Windows and iPhone
     - Demonstrated benefits using Cloud with Microsoft Azure
  16. Source: MeriTalk
     - Reported annual savings of $14.4 billion in year one of the program
     - Feds spend $35.7 billion annually supporting legacy applications
     - 67% of Fed CIOs see Cloud reducing costs and improving service
     - 64% of Fed CIOs think Cloud expands mandated telework and mobility options
     - Email was the first application moved to the Cloud
     - Chief impediments to implementing cloud services: Security with 85% of responses, and Agency culture was next with 38%
  17. Source: Ovum Study
  18. 2012 Trend Micro Cloud Security Global Survey: overall Cloud adoption was 59%; 20% are using Private Clouds; 19% are using Public Clouds; 13% are using Hybrid Clouds. Cisco Study forecasts 62% production in the Cloud by 2016.
  19. (image-only slide)
  20. Board portals
     - Fortune 1000 Companies are using iPads with SaaS board portals for managing board materials: e-book makes it intuitive and easy to use; Directors can access their information anywhere
     - Top two SaaS vendors address 74% of them: #1 BoardVantage with 50% and #2 BoardBooks with 24%
     - These vendors have stringent security: access controls, meet industry certifications and conduct audits
     - Board members don't understand reluctance by IT to use Cloud. They want to see faster adoption and achieving more benefits.
     - Industry security challenge because most Cloud providers are not as mature.
  21. Business versus IT
     - HP Study: Business and IT on different trajectories to Cloud. Business is adopting cloud 5x faster than IT (drivers: speed, flexibility, economics). CIOs are concerned about risk: vendor lock-in; guarantees for performance and availability; security top of mind; prefer integration of cloud and on-premises IT services
     - Stanford Technology Law Review: comprehensive research of Cloud contracts including interviews of both legal and technical teams
     - 50% of IT and IT Security Operations not aware of all Cloud computing resources deployed in organization
  22. A. Security; B. Data privacy and confidentiality; C. Compliance; D. Vendor lock-in; E. Governance; F. Loss of IT control and ownership; G. Business continuity; H. Other (specify)
  23. (image-only slide)
  24. Results from 2012 Trend Micro Cloud Security Global Survey (1,400 respondents from seven countries). Question: Has your organization experienced a data security lapse or issue with the Cloud Service your company is using within the last 12 months? Answer: (chart). Source:
  25. Source: Top Threats to Cloud Computing Survey Results 2012
     1. Data loss or leakages
     2. Insecure application programming interfaces
     3. Malicious insiders
     4. Account, service and traffic hijacking
     5. Abuse and nefarious use of cloud computing
     6. Unknown risk profile
     7. Shared technology vulnerabilities
     8. Distributed Denial of Service (DDoS)
  26. (image-only slide)
  27. Security controls
     - Review existing security controls and approaches
     - With Cloud, do they need to change?
     - What about BYOD and borderless devices?
     - Security compliance processes, procedures and policies?
     - How do you guarantee, enforce or validate your security posture?
     - Logical and physical control
  28. Provider security
     - What are the providers' security measures? Pre-contractual audit; whose security policy? Certifications? Pre-contractual penetration testing allowed?
     - What are the ongoing audit rights? Customer; financial auditors; regulators
     - How are security breaches communicated?
  29. Click-through Cloud services do not mean risk-free. "Some businesses assume that once they opt to store data on outside servers they no longer have to concern themselves with safeguarding that information. The biggest threat to data stored remotely, it turns out, may be the failure to understand who's responsible for keeping it protected." Joe Coyle, CTO of Capgemini North America; by Sarah Frier on April 03, 2012
  30. Key management
     - Security of key management infrastructure: a compromised key means compromised data
     - Separation of duties: ACL so admins can back up files but not view sensitive data
     - Availability: if your key is lost, your data is cryptographically destroyed
     - Legal issues: hidden law enforcement requests for keys and data; CIOs need to know when requests are made
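The separation-of-duties and lost-key points of slide 30 in working code, as an added example that is not part of the presentation: envelope encryption with AES-256-GCM from the Go standard library, where the backup role holds only the sealed record and the wrapped data key (DEK) while the key-encryption key (KEK) stays with key management. Function names, the 32-byte key sizes and the Envelope layout are assumptions made for the example; it also shows crypto-shredding (destroying the KEK makes the record unrecoverable), which is the slide's "key lost" case applied deliberately.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is all a backup operator may hold: the sealed record plus the data key wrapped under the KEK; the KEK itself stays in key management.
type Envelope struct{ Ciphertext, WrappedDEK []byte } // each is nonce || AES-GCM output
func aead(key []byte) cipher.AEAD { // AES-256-GCM; a wrong-length key is a programming error here
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func random(n int) []byte { // CSPRNG bytes for keys and nonces; a failing CSPRNG is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func seal(key, plaintext []byte) []byte { // nonce || ciphertext+tag under a fresh random nonce
	gcm := aead(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // a missing or wrong key fails the tag check, never yields garbage
	if len(key) != 32 || len(sealed) < 12 { // 12 = standard GCM nonce size
		return nil, errors.New("no usable key, or truncated blob")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// EncryptRecord: fresh per-record DEK, record sealed under it, DEK wrapped under the KEK (envelope encryption).
func EncryptRecord(kek, record []byte) Envelope {
	dek := random(32)
	return Envelope{Ciphertext: seal(dek, record), WrappedDEK: seal(kek, dek)}
}
// DecryptRecord is the only way back: a role without the KEK is refused, and a destroyed KEK leaves the record cryptographically unrecoverable.
func DecryptRecord(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: KEK missing, wrong or destroyed")
	}
	return open(dek, env.Ciphertext)
}
```

The backup job can copy Envelope values anywhere without being able to read them; only the role that can call key management with the KEK gets plaintext back.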
  31. (image-only slide)
  32. Policies, Processes, and Procedures: standardize, understand and educate; governance and regulatory requirements; continuously improve. Alignment: business unit, identify business unit stewards; project based or methodologies; annual and quarterly goal mapping; SLAs to the business unit; reporting and validating back to IT management
  33. External 3rd party audit for compliance. Source:
  34. (image-only slide)
  35. Data and access
     - Data types (classification) and monitoring
     - Role based access controls
     - Authentication, authorization and accounting
     - Data in transit and at rest
     - Location and proximity of data
     - Work force mobility and borderless end points
     - Global networks need to find the weakest link
  36. Technology: leverage the OSI Model layer to layer technologies; diversity in defense; dashboard reporting; validate compliance. Audits: internal; external; scorecard; create new policies and procedures
  37. Cloud is an evolution over time. It is not a one-time event. After an organization has standardized and is familiar with virtualization, it takes 3 to 5 years to implement their first private cloud. Organizations pass through four stages of the Cloud Life Cycle.
  38. Cloud Life Cycle stages: Prepare, Experience, Engage, Manage. Activities shown on the slide: Pilot; Validate; Revise; Skills readiness; Risk assessment; Implementation plan; Application; Platform; Infrastructure; Security; Service catalog; Self service provisioning portal; Virtualization infrastructure and management; Workflow and orchestration; Re-engineer processes; Creating a program; Governance; Contract negotiations; Service delivery; Service desk; SLAs; Vendor management; Contract; Configuration and change management; Monitoring and security; Asset and software license management; Chargeback system; Capacity management; Performance management; Life cycle management; Client Reps & IBMGLS; Strategy; Assessment; Identify right Cloud Service and Deployment Models; Architect Cloud adoption roadmap; Vendor identification and selection; TCO Analysis; Budget preparation
  39. A. Prepare; B. Experience; C. Engage; D. Manage; E. Still deciding/not started
  40. Cloud Security Assessment
     - Baseline where you are
     - What are your security threats?
     - Do you understand all your external Cloud contracts?
     - Do you want to control or flag Cloud purchases on credit cards?
     - Perform GAP analysis
     - Create security roadmap and program
     - Establish periodic audits
  41. (image-only slide)
  42. A. Disaster recovery; B. Compliance; C. Cloud management; D. Cloud bursting; E. Other (specify)
  43. Wishing you success in securing your Cloud. For more information or a Cloud Security Assessment contact www.aliadocorp.com