Securing Cloud Services


HP Technology Forum, June 2009, Las Vegas

  • A Break in the Clouds: Towards a Cloud Definition. L.M. Vaquero, L. Rodero-Merino, J. Cáceres, M. Lindner. ACM Computer Communication Reviews. 2009
  • Application Platform Virtualisation Physical Colocation
  • Security Solutions - Require industry-leading technology, products, partnerships and services. We reduce complexity, risk, and cost by combining expert knowledge, proven methodologies and global resources to achieve better business outcomes.
      - Security Innovation - Leader in financial interchange and critical infrastructure security, policy management, encryption, Key Management, and risk mitigation
      - Global Scale & Reach - Ability to provide low-cost/high-quality solution delivery offerings across the world
      - Flexible Technology - The industry’s broadest portfolio of products, services and solutions
      - Collaborative Expertise - Talented people with deep security knowledge and decades of technical experience
    HP Security solutions include HP products, selected partner products and HP services. These product offerings extend the value of your enterprise and enable business outcomes for your business. Examples include continuity of your manufacturing, your insurance and banking business operations, and being able to pass your SOX or GLBA or PCI audits for compliance.
    Protect resources:
      - HP has multiple OS platforms with the highest level of certification providing maximum pro-active protection
      - HP Software’s Configuration and patch management provide continuous protection in a changing environment
      - Enterprise Log Management collects and monitors the IT infrastructure for security issues and provides forensic evidence in the case of problems
    Protect data:
      - Encryption of critical data at rest, in use or in motion increases protection
      - Examples of data protection include encryption in HP-UX, HP StorageWorks LTO-4 Tape, and use of our HP Compliance Log Warehouse product for proactive security management (to alert on data issues), and our linkage to selected partners
      - This capability extends from servers to desktops and printers, with focused Key Management
    Provide validation:
      - Validation at necessary audit points enables audit trails for compliance to industry regulations
      - Example: HP Compliance Log Warehouse provides compliance reports for a wide range of regulatory requirements: SOX, GLBA, HIPAA, PCI
      - Future integration of encryption and Key Management across an organization will provide end-to-end protection
    These technologies and the HP Services Information Security Service Management methodology, based on industry standards, are used to deliver a solution that includes HP Products and Partner products and incorporates a customer’s people and process needs into a complete solution.
    Protecting the security of your gear and your data should be as simple as using an ATM card. Basic principles HP learned a long time ago in protecting PINs and information about money moving through networks now protect your health data, your systems and your future.
    Choose the right solution from HP’s broad portfolio—from desktop to data center. With HP’s proven innovation:
      - Protect your resources
      - Protect all your data
      - Provide validation and stay compliant
  • HP is uniquely positioned to deliver Cloud Assure due to our experience and success delivering SaaS. As a SaaS provider over 9 years to more than 700 customers, we have learned quite a few lessons about the correct practices to ensure our customers’ experience, and these are reflected in our architecture, application, and processes. Our Cloud Assure offering leverages HP’s industry-leading portfolio covering security, performance, and availability while delivering on the industry’s leading SLAs for SaaS. HP SaaS has also developed a unique expertise in providing guidance to our customers to ensure their end-users’ experience, with a special expertise around web applications built over more than a decade.
  • Securing Cloud Services

    1. Securing Cloud Services
       John Rhoton, Distinguished Technologist, HP EDS CTO Office
       June 2009
    2. Agenda
       • Overview of Cloud
       • Security benefits
       • Security challenges
       • HP Solutions
    3. Agenda
       • Overview of Cloud
       • Security benefits
       • Security challenges
       • HP Solutions
    4. So, What is Cloud Computing?
       • The 451 Group: “The cloud is IT as a Service, delivered by IT resources that are independent of location”
       • Gartner: “Cloud computing is a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ across the Internet to multiple external customers”
       • Forrester: “A pool of abstracted, highly scalable, and managed infrastructure capable of hosting end-customer applications and billed by consumption”
       • Wikipedia: “A style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.”
       • Vaquero, Rodero-Merino, Caceres, Lindner: “A large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilization. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the Infrastructure Provider by means of customized SLAs.”
    5. Cloud Attributes
       • Off-premise
       • Outside Firewall
       • Delivered over Internet
       • Available on Demand
       • Scalable
       • Elastic
       • Utility billed
       • Multi-tenant
       • Virtualised
       • Available as Service
       • Location independent
       • SOA?
       • Grid?
       • Web 2.0?
       Private versus Public Cloud
    6. Innovation & Impact
       • Innovation
           • Incremental
           • Individually not impressive or not recent
           • Compare Internet
               • TCP/IP, HTTP, HTML, PC
       • Impact
           • IT: New platforms, Service delivery models
           • Business: Capex, Opex, Agility
           • Economic: Entry barriers, Startup speed, Startup numbers
           • Political: Regulation, Compliance
       June 19, 2009
    7. Massive Scale-out and the Cloud
       Enterprise class versus Global class:
       • On-premise vs. Hybrid/off-premise
       • 100s-1000s of nodes vs. 10,000+ nodes
       • Proprietary vs. Commodity
       • HW resiliency vs. SW resiliency
       • Max performance vs. Max efficiency
       • Silo’ed Resources vs. Shared Resources
       • Cost-Center vs. Value/Revenue-Center
       • Clusters vs. Grids/Cloud
       • Static vs. Elastic
       • Shared storage vs. Replicated storage
       • Facility costs vs. Power Usage Efficiency
       17 December 2008. 2938: The Value of Cloud in the Business Technology Ecosystem
    8. Market context
       A service-centric perspective sheds light on all value chain constituents
       [Diagram. Labels: Business users; Business outcome; Cloud service provider; Hosted / outsourced service provider; IT organization internal service provider; Cloud services; External services; In-house services; Massive scale-out infrastructure; Global-class software; Enterprise-class software; Dedicated and shared infrastructure]
    9. Cloud Model
       [Diagram. Labels: Integration; Operation; Governance; Hardware (Computation, Storage, Memory); Colocation (Real Estate, Cooling, Power, Bandwidth); Virtualisation (Provisioning, Billing, Virtualisation); Platform (Programming Language, Development Environment, APIs); Application (CRM, UC, Email, ...)]
    10. Cloud Landscape
       [Diagram. Labels: Governance; Operation; Integration; Infrastructure; Platform; Software]
    11. Why Cloud Computing?
       • Cost reduction
           • Benefit from economies of scale and experience curve
           • Predictability of spend
           • Avoids cost of over-provisioning
           • Reduction in up-front investment
       • Risk reduction
           • Offload risk of running the data-centre, data protection, and disaster recovery
           • Reduces risk of under-provisioning
       • Focus on core competency
           • Reduce effort and administration related to IT
           • Automatic service evolution
       • Flexibility
           • Roll-out new services, retire old
           • Scale up and down as needed; quickly
           • Faster time to market: Lower barriers to innovation
           • Access from any place, any device, any time
    12. Agenda
       • Overview of Cloud
       • Security benefits
       • Security challenges
       • HP Solutions
    13. Security Benefits and Opportunities
       • Cloud providers undergo rigorous audits
       • Isolation of customer and employee data
       • Disaster Recovery extensions
       • Centralised monitoring
       • Forensic readiness
       • Password assurance testing
       • Pre-hardened builds
       • Security testing
       • Obfuscation of physical infrastructure
    14. Agenda
       • Overview of Cloud
       • Security benefits
       • Security challenges
       • HP Solutions
    15. Challenges
       • Governance
       • Compliance
       • Data Privacy
       • Service Availability
           • Vendor Lock-in
           • Latency
       • Identity Management
       • Lock-in
       • Rogue Clouds
    16. Governance
    17. Compliance
       • Sarbanes Oxley
       • HIPAA
       • FDA
       • Basel II
       • PCI
       • FISMA
       • GLBA
       • OSHA
       • ISO 27002
    18. Data Privacy
    19. Resilience
       • Service Availability
       • Integration risks
       • Business Continuity
       • Latency
       • Fault Tolerance
    20. Identity Management
       • Authentication
       • Authorisation
           • Access rights
       • Federation
           • Interoperability
           • Standards
               • XACML, SAML
       • Rapid provisioning
           • Immediate de-provisioning
       • Identity theft
    21. Cloud Computing: Models
       [Diagram. Labels: Enterprise; User; Employee; Business Apps/Service; Internal Cloud; The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Service 3; Backup Service; ILM Service; Service; …]
    22. Identity in the Cloud: Enterprise Case
       [Diagram. Labels: Enterprise; Employee; Business Apps/Service; Internal Cloud; The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Service 3; Backup Service; ILM Service; Service; …]
       Annotations repeated across the diagram:
       • Identity & Credentials
       • Authentication, Authorization, Audit
       • User Account Provisioning/De-provisioning
       • PII Data & Confidential Information
       IAM Capabilities and Services Can be Outsourced in The Cloud …
    23. Lock-in
       • IaaS
           • Standard Hardware, Software
           • Low Risk
       • PaaS
           • Programming Language,
           • APIs
           • Data Extraction
       • SaaS
           • Data Extraction
           • Functionality, User retraining
       • Assess Vendor viability
    24. Rogue Clouds
       • Shadow IT may circumvent Central IT
       • Suboptimal Resource allocation
       • Disregard Compliance
       • Compromise Information Security
    25. Cloud Security Activity and Standards
       • Cloud Security Alliance
       • ENISA (European Network and Information Security Agency)
           • Cloud Risk Assessment
       • Open Group
           • Jericho Forum
       • SAS 70
       • NIST Special Publication 853
       • FIPS 199/200
    26. Agenda
       • Overview of Cloud
       • Security benefits
       • Security challenges
       • HP Solutions
    27. An infrastructure utility underpins both dedicated and “as a service” applications
       [Diagram. Labels: Business outcomes; Business outcome; Technology-enabled services; Internally hosted; Externally hosted; Infrastructure as a service; Cloud Infrastructure Utility; Enterprise Infrastructure Utility; Enterprise-class applications; Global-class cloud services]
    28. HP delivers on the Business Technology Ecosystem
       A sampling of HP product and services
       [Diagram. Labels: Business outcomes; Business outcome; Technology-enabled services; Externally hosted; Infrastructure as a service; Infrastructure Utility (homogeneous, centralized design); Infrastructure Utility (heterogeneous, distributed design); Enterprise-class applications; Global-class cloud services]
       Products and services named on the slide:
       • EDS Application Services
       • Performance / Quality Center
       • Security Center
       • Service Manager Catalog
       • Business Service Automation
       • Insight Orchestration
       • Business Service Management
       • Proliant / Integrity
       • ProCurve
       • Storage Works
       • Insight Dynamics - VSE
       • Proliant BL2x220c
       • StorageWorks ExDS9100
       • Portable Optimized Datacenter
       • Snapfish, BookPrep, MagCloud
       • Business Availability Center
       • Quality and Security Centers
       • Cloud Assure
       • Concierge Services
       • Project & Portfolio Management
    29. HP delivers value across the business technology ecosystem
       • We build it: Leading data center design company
       • We power it: With leading servers, storage and networking
       • We design it: Expertise in application architecture & frameworks
       • We automate it: With virtualization and management software
       • We secure it: Through HP Secure Advantage program
       • We support it: With tens of thousands of IT professionals
       • We govern it: HP wrote the books on service management
       • We measure it: HP can measure the fiscal impact of services
       • We deliver it: Through purchased, financed, outsourced, cloud
    30. HP Secure Advantage: Making security a business enabler
       The secure end-to-end business advantage
       [Diagram. Labels: Business Outcomes; People and process; Technology; Products / Partners / Solutions; Protect resources; Protect data; Provide validation]
       • Reduce Cost (Virtualized, Efficient, Pre-packaged, Scalable): HP provides low-cost/high-quality solution delivery combining expert knowledge and security products from the desktop to the data center using proven methodologies with global resources.
       • Reduce Complexity (Standardized, Integrated, Consulting, Managed, In/Outsourced): Pre-integrated solutions with major security players and the HP Secure Advantage portfolio, along with the flexibility to leverage services globally to consult, deploy or manage these solutions, reduce complexity for our customers.
       • Reduce Risk: HP uses its internal best practices, developed in HP Labs and HP Services, to create and commercialize security solutions and services for customers across the world.
       3296 HP Secure Advantage
    31. HP Secure Advantage services portfolio
       Enablement to Management services from Desktop to Datacenter.
       [Diagram. Labels: Protect resources; Protect data; Provide validation]
       • Categories: Governance, Risk & Compliance Management; Infrastructure Security; Identity & Access Management; Data Protection & Privacy Management
       • Domains: Endpoint Security; Network Security; Data Center Security; Security Operations; Business Continuity & Recovery; Risk Management & Compliance; Identity & Access Mgmt; Data Security; Content Security; Application Security
    32. HP Secure Advantage - Product Portfolio - 1
       Category: Infrastructure Security
       • Domain: Network Security
           • HP ProCurve Network Access Control
           • HP ProCurve Network Immunity Manager
           • HP ProCurve ONE network security solutions
       • Domain: Endpoint Security
           • HP ProtectTools
           • HP Business Service Automation - Client Automation Center
           • HP Secure Document Advantage Family
       • Domain: Data Center Security
           • HP Insight Dynamics - VSE
           • HP NetTop
           • HP-UX 11i (CC EAL4+, HIDS)
           • HP Linux (CC EAL4+)
           • HP OpenVMS
           • HP NonStop Safeguard
           • HP Neoview Security
       Category: Data Protection & Privacy Management
       • Domain: Data Security
           • HP Secure Key Manager
           • HP Atalla Key Block, NSP
           • HP ProtectTools Drive Encryption
           • HP Storage Media Encryption Fabric Switch
           • HP XP Disk Array Encryption
           • HP LTO-4 Tape Encryption
           • HP Data Protector
           • HP-UX EVFS
           • HP NonStop Volume Level Encryption
           • HP Medical Archive Solution
       • Domain: Content Security
           • HP BladeSystem content security solutions
       • Domain: Application Security
           • HP Application Security Center
    33. HP Secure Advantage - Product Portfolio - 2
       Category: Governance Risk & Compliance Mgmt
       • Domain: Risk Management & Compliance
           • HP Compliance Log Warehouse
           • HP TRIM (e-Discovery)
           • HP Integrated Archival Platform (ILM/archiving for Email, Database, File)
           • HP Business Service Automation - Data Center Automation Center (Server Automation, Network Automation)
           • HP Medical Archive Solution
           • HP Dragon
           • HP Application Security Center
       • Domain: Security Operations
           • HP Business Service Automation - Data Center Automation Center (Server Automation, Network Automation, Live Network, Release Control) and Client Automation Center
           • HP IT Service Management (Asset Manager, Decision Center etc)
           • HP UCMDB, DDM
           • HP Proliant Essentials Vulnerability & Patch Management Pack
           • HP Systems Insight Manager
           • HP Compliance Log Warehouse
       • Domain: Business Continuity & Recovery
           • HP Business Service Management
       Category: Identity & Access Management
       • Domain: Identity & Access Management
           • HP ProCurve Identity Driven Manager
           • HP Icewall
           • HP-UX, Linux, NonStop etc
    34. HP Secure Advantage Solutions
       • HP Servers, Storage, Networking, PC’s, Printers
       • HP Software: HP Application Center, Business Service Automation, Change Management
       • Services and Support: Assessment, Deployment, hosting, managed services
       • HP Secure Advantage: Comprehensive solutions consisting of HP hardware, software, services and expertise to mitigate risk
       • Better business outcomes
       Leveraging 37 years’ experience of delivering secure transactions across the world for 1000s of customers
       06/19/09 © 2009 Hewlett-Packard Development Company, L.P.
    35. Practical advice
       • Plan! Prepare!
       • Assess risks
       • Application audit/inventory
       • Begin with non-sensitive data
       • Consider disaster-recovery extensions
       • Encrypt sensitive data
    36. Summary
       • “Cloud Computing” means different things to different people
           • That doesn’t stop us from implementing it
       • Cloud Computing has many benefits
           • Some Enterprise advantages can also be covered through Private Clouds
       • There are security challenges around Cloud Computing
           • But also some benefits
       • Cloud Computing is still work-in-progress
           • Privacy, Service-levels, Interoperability
       • It’s possible to get started in the Enterprise today
           • The most critical challenge is to make the existing environment future-proof
    37. More information
       • Presentation will be posted to:
       • Additional Resources
       • Any other questions?