FBI Symposium on Cloud Computing and Security v2


  1. Cloud Computing and Security: Assessing the Risks
      Kevin L. Jackson, Vice President & General Manager, NJVC Cloud Services
      March 21, 2012
      NJVC Proprietary - Do Not Release
  5. The New IT Era (IDC, September 2008; rev date 3/21/2012)
  6. Data Processing Explosion
  7. 7. Cloud Computing Not a new technology but a new approach in the provisioning and consumption of information technology A services oriented architecture (SOA) implemented typically on a virtualized infrastructure (compute, storage, networks) using commodity components coupled with highly automated controls enable the five essential characteristics of cloud computing. Key Benefits Key Concerns  Significant cost reductions  Standards  Reduced time to capability  Portability  Increased flexibility  Control/Availability  Elastic scalability  Security  Increase service quality  IT Policy  Increased security  Management / Monitoring  Ease of technology refresh  Ecosystem  Ease of collaboration  Increased efficiency NJVC Proprietary - Do Not Release
  8. 8. Cloud Computing: Value andCapabilities Time  Reduce time to deliver/execute mission  Increased responsiveness/flexibility/availability Cost  Optimizing cost to deliver/execute mission  Optimizing cost of ownership (lifecycle cost)  Increased efficiencies in capital/operational expenditures Quality  Environmental improvements  Experiential improvements NJVC Proprietary - Do Not Release
  9. Relational Databases and the Cloud
      The economics of data storage led to the use of content addressable storage, flat storage architectures and internet scaling.
      Database design, database tuning no longer required with infinite scalability and consistent responsiveness.
      [Figure: search over vehicle records keyed by country, make and type, e.g. "German, BMW, Truck" and "US, GM, SUV"]
  10. Traditional Analytics
      Traditionally, lexical searches, filtering or Boolean search attributes are used to reduce data to a “working set”. Analytical tools are then applied to this “working set”.
      [Figure: All Data Sources / Types, then Tools/Analysis, then Reports/Conclusions]
  11. Cloud Enables Searching All the Data, All the Time
      [Figure: all data, then Reports/Conclusions]
  12. Survey
  13. Security Concerns
  14. Top Threats to Cloud Computing
        • Malicious Insiders
        • Data Loss or Leakage
        • Unknown Risk Profile
        • Shared Technology Issues
        • Insecure Interfaces and APIs
        • Account or Service Hijacking
        • Abuse and Nefarious Use of Cloud Computing
      Governance
        • Governance and Enterprise Risk Management
        • Legal and Electronic Discovery
        • Compliance and Audit
        • Information Lifecycle Management
        • Portability and Interoperability
      Operational
        • Traditional Security, Business Continuity, and Disaster Recovery
        • Data Center Operations
        • Incident Response, Notification and Remediation
        • Application Security
        • Encryption and Key Management
        • Identity and Access Management
        • Virtualization
  19. Overview
  20. C&A vs FedRAMP
      Standard Certification & Authorization
        • 100% of required agency controls
        • 60-90 days to complete
        • $80k-$300K
        • Repeat with each new agency: 5 agency cost $400K-$1.5M
      FedRAMP (290 Controls)
        • 80% of required agency controls
        • 60 days to complete
        • $65-$240K
        • Agency specific controls for new implementations: 5 agency cost $65K-$365K
  26. Continuous Monitoring Deliverables
        • Vulnerability/Patch Management Scanning and Reporting
        • Configuration Scanning and Reporting
        • Incident Response Planning and Response
        • POA&M Mitigation and Remediation
        • Change Management and Control
        • Penetration Testing
        • A&A Documentation Maintenance
        • Contingency Plan Testing
  27. NIST Cloud Computing
      http://collaborate.nist.gov/twiki-cloud-computing
  28. 28. My Advice Remember – Cloud computing is an emerging disciplineLearn about it. Don’t run awayThis is not a new technology but extensive automation of what you’re already used toSame threat vectors. Same attacks but faster, broader and automated using “resource concentration”Cloud will save you, not hurt you.Be careful out there !! NJVC Proprietary - Do Not Release
  29. Thank You!
      Kevin L. Jackson
      Vice President, General Manager
      NJVC Cloud Services
      (703) 335-0830
      Kevin.jackson@NJVC.com
      http://www.NJVC.com
      http://kevinljackson.blogspot.com
      http://govcloud.ulitzer.com