APIsecure 2023
Approaching Multicloud API Security Using “Metacloud.”
David S. Linthicum
dlinthicum@deloitte.com
Why Are We Here?
Multicloud Interoperability is Crucial
Respondents report on their cloud interoperability: 36% fully interoperable, 56% "some level" of interoperability.
Source: 2022 Enterprise Cloud Index, which is based on a survey of 1,700 IT decision makers globally.
87% of respondents agree multiclouds require simpler cross-platform tools, dashboards and configuration approaches.
What are the Top Multicloud Challenges?
• Security (49%)
• Data Integration (49%)
• Cost (43%)
• Performance Across Network Overlays (42%)
• Application Mobility (38%)
• Capacity Planning Across Infrastructures (38%)
Key Drivers for a Multicloud Environment
An IDC study found that 86% of enterprises predict that they will need a multicloud approach to support their solutions within the next two years.
Multicloud Adoption Drivers
• Reduce cloud spend through competitive negotiation
• Increase business agility through greater access to the latest technologies across multiple providers
• Meet current and future requirements of governance, security, privacy, risk management and compliance regulations
• Gain autonomy by minimizing vendor lock-in
• Improve resiliency and reliability by distributing workloads across multiple cloud service providers
• Optimize the best of breed of cloud computing solutions across the various Cloud Service Providers
Multicloud Environment Benefits
• Vulnerability Mitigation: reduce vulnerability risk by limiting blast radius across multiple Cloud Service Providers
• Data Gravity Reduction: reduce latency caused by exploding data volume on a single cloud service provider platform
• Cost Reduction: reduce operating cost with more competitive pricing
• Service Flexibility: true flexibility to implement solutions that best fit each business workload to optimize performance
• Technology Innovation: adopt the latest technologies from different leading service providers
• Business Continuity: improve geographic presence and disaster recovery in response to outages
Note that the blast-radius benefit is only realized if the clouds are actually isolated from one another; the later slides on complexity make the counterpoint that every added provider also adds its own API surface, identity model and set of controls to get right.
Innovation is the driver.
The slide links four elements: Need for Innovation, Leveraging Best-Of-Breed Technology Available, Business Innovation Supported, Business Value Created.
The General Issue
The basic idea behind multicloud security.
PROTECT DETECT RESPOND TRACK
Multicloud/cloud API security risks
Broken object-level authorization. BOLA occurs when a request can access or modify data the requestor shouldn't have access to, such as reading another user's account by tampering with an identifier in the request.
Broken function-level authorization. This arises when the principle of least privilege (POLP) isn't implemented, often as a result of overly complex access control policies. It results in an attacker being able to execute sensitive commands or reach endpoints intended for privileged accounts.
Broken user authentication. If the authentication process can be compromised, an attacker can pose as another user on a one-time or even permanent basis.
Excessive data exposure. API responses often return more data than is relevant or necessary. Even though the data may not be displayed to the user, it is easily examined in the raw response and may expose sensitive information.
Improper asset management. API development and deployment is usually fast-paced, and thorough documentation is often omitted in the rush to release new or updated APIs. This leads to exposed and "ghost" endpoints, as well as a poor understanding of how older APIs work and how they need to be implemented.
Lack of resources and rate limiting. API endpoints are usually open to the internet and, if there are no restrictions on the number or size of requests, are open to DoS and brute-force attacks.
Injection flaws. If request data isn't parsed and validated correctly, an attacker can potentially launch a command or SQL injection attack to access data or execute malicious commands without authorization.
Mass assignment. Software development frameworks often provide the functionality to insert all the data received from an online form into a database or object with just one line of code, known as mass assignment, removing the need to write repetitive form-mapping code. If this is done without specifying which fields are acceptable, it opens a variety of attack vectors.
Source: https://www.techtarget.com/searchapparchitecture/tip/10-API-security-guidelines-and-best-practices
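The four authorization-shaped items above (BOLA, broken function-level authorization, excessive data exposure and mass assignment) are easiest to see side by side in code. The following is an added example, not code from the deck or from Deloitte: a framework-free Python sketch of one "accounts" resource in which each handler appears in its vulnerable form and its hardened form. The account records, field names and the Request shape are constructed for the example.

```python
"""A tiny in-memory "accounts" API. Each handler appears in a vulnerable
form and a hardened form so the fix is visible next to the flaw.
The records, field names and Request shape are constructed for this example."""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

# Constructed sample data: two users. The hash values are placeholders.
ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "acct-1001": {"owner": "alice", "email": "alice@example.test",
                  "display_name": "Alice", "balance": 120.50,
                  "role": "user", "password_hash": "<hash-placeholder>"},
    "acct-1002": {"owner": "bob", "email": "bob@example.test",
                  "display_name": "Bob", "balance": 75.00,
                  "role": "user", "password_hash": "<hash-placeholder>"},
}

@dataclass
class Request:
    """The caller as established by authentication, plus the JSON body."""
    user: str
    role: str                          # "user" or "admin", from the verified session
    body: Dict[str, Any] = field(default_factory=dict)

Response = Tuple[int, Dict[str, Any]]

READABLE = ("owner", "email", "display_name", "balance")   # response allowlist
WRITABLE = frozenset({"email", "display_name"})            # PATCH allowlist

def _owned_or_admin(req: Request, account_id: str) -> Optional[Dict[str, Any]]:
    """Object-level authorization: the caller must own the record or be admin."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or (req.role != "admin" and rec["owner"] != req.user):
        return None
    return rec

# GET /accounts/{id}
def get_account_vulnerable(req: Request, account_id: str) -> Response:
    """BOLA plus excessive data exposure: trusts the id, returns the whole row."""
    rec = ACCOUNTS.get(account_id)
    return (404, {"error": "not found"}) if rec is None else (200, dict(rec))

def get_account_secure(req: Request, account_id: str) -> Response:
    rec = _owned_or_admin(req, account_id)
    if rec is None:
        # Same answer for "missing" and "not yours", so ids cannot be enumerated.
        return 404, {"error": "not found"}
    return 200, {k: rec[k] for k in READABLE}

# PATCH /accounts/{id}
def update_account_vulnerable(req: Request, account_id: str) -> Response:
    """Mass assignment (and no ownership check): every key in the body is written."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return 404, {"error": "not found"}
    rec.update(req.body)        # role, balance and password_hash are all writable here
    return 200, {k: rec[k] for k in READABLE}

def update_account_secure(req: Request, account_id: str) -> Response:
    rec = _owned_or_admin(req, account_id)
    if rec is None:
        return 404, {"error": "not found"}
    unexpected = set(req.body) - WRITABLE
    if unexpected:
        # Reject rather than silently drop, so a misbehaving client shows up in logs.
        return 400, {"error": "unknown fields", "fields": sorted(unexpected)}
    rec.update(req.body)
    return 200, {k: rec[k] for k in READABLE}

# DELETE /accounts/{id}
def delete_account_secure(req: Request, account_id: str) -> Response:
    """Function-level authorization: the endpoint itself is admin-only,
    checked before any object is looked up."""
    if req.role != "admin":
        return 403, {"error": "forbidden"}
    if ACCOUNTS.pop(account_id, None) is None:
        return 404, {"error": "not found"}
    return 204, {}
```

The two checks are deliberately separate: `_owned_or_admin` answers "may this caller touch this object" and is applied per record, while the role test in `delete_account_secure` answers "may this caller use this endpoint at all" and runs before any lookup. Returning 404 for both missing and foreign records keeps an attacker from learning which identifiers exist.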
[Multicloud reference architecture diagram. Layers shown: Consumer/Producer Pool (Devices, Applications, Cloud-Based Databases, Partner Clouds); Data Orchestration and Service/API Management & Development; Network Management; Logical Abstracted Storage and Data, with Virtual Databases as the abstraction over OLTP, Analytical, Common Storage Services and Special Purpose stores; Logical Abstracted Services Management; Resource Management; Abstracted Compute; Orchestration and Process; Native APIs, Application Services/Microservices and Data Integration; Public Clouds, Private Clouds and Legacy. Cross-cutting: Management/Monitoring/CloudOps/Complexity Management; Security and Governance/SecOps & GovOps; Cloud Service Brokering; Data-Focused Multicloud and Service-Focused Multicloud; Applications; Infrastructure Management; Cost Governance.]
Multicloud is not complex…oh wait.
[Chart: Security Risk and Costs against Growth of Complexity, rising from Start through Two Clouds and Three Clouds to N Clouds.]
Complexity = API Security Risk
Each additional provider brings its own identity model, token formats, API conventions and logging, so the number of distinct authorization and validation paths that must be correct grows with every cloud added.
[Chart: Complexity against Number of Traditional Systems and Number of Cloud-Based Systems, from Start to a Tipping Point.]
Hitting the “API Complexity Wall”
[Chart: Cost against Complexity, from Start to the point where the deployment returns Negative Value.]
Finding “Negative Value.”
Multicloud API security issues
• Authentication and Authorization
• Data Protection
• API Gateway Security
• Compliance
• Visibility and Monitoring
The Solution
Moving from single cloud deployments
[Diagram: Cloud A exposing Storage Database APIs (Database A, Database B), Compute Platform APIs (Platform A, Platform B) and Misc. cloud services APIs (AI, Development), alongside Operations, Governance and Security.]
[Same multicloud reference architecture diagram as shown under “The General Issue”.]
Deployed multicloud – abstraction and automation is key
Abstract to remove complexity
Why abstraction and automation?
• A reaction to the fact that cloud API implementations are becoming more complex.
• The increased API complexity is causing some negative value for cloud deployments.
• The movement to hybrid and multicloud is only accelerating.
Solutions in a nutshell
[Diagram, top to bottom: Cross Cloud API Security; an automation/abstraction layer with APIs for Data Movement, Data Processing and Service Processing; a second abstraction/automation layer with common APIs for Data, Services, Platforms, Knowledge/AI, Security, Development, Etc.; and beneath them Cloud A, Cloud B and Cloud C.]
Example: Service Abstraction
[Diagram: heterogeneous services (complex services and microservices) are exposed through service virtualization as abstract services, which applications and humans consume.]
Challenge: Service Granularity
• The trick of building composable services is building at the right level of granularity
• Challenges
  • Embedding business logic into code
  • Decomposing legacy services that are not fine-grained enough
• Method
  • Top-down process decomposition, vs. bottom-up service development
  • Must be iterative
The Approach: Automation of Abstract Resources
[Diagram: an Orchestration layer, under Common Security, drives Step 1 (Service/API invocation 1 against an Oracle Database), Step 2 (Service/API invocation 2 against Windows NT) and Step 3 (Service/API invocation 3 against a Linux system). Beneath it, Cloud A, Cloud B and Cloud C each expose Storage (Database A, Database B), Compute (Platform A, Platform B), AI and Development, each behind its own API Security.]
To multicloud deployments
[Diagram: one Common API security layer spans Cloud A, Cloud B and Cloud C, each with Storage (Database A, Database B), Compute (Platform A, Platform B), AI and Development. Annotation: Complexity in a domain.]
Job 1: Reduce Complexity
Cross-Cloud Services: Operations, API Security, Governance, Development, Deployment, Service Management, Services Brokerage, Integrated AI, Data Integration, Etc.
[Diagram: the cross-cloud services layer spans Cloud A, Cloud B and Cloud C, each with Storage (Database A, Database B), Compute (Platform A, Platform B) and AI Dev.]
Rise of the “Supercloud” or “Metacloud”
[Diagram: Cloud A, Cloud B and Cloud C each keep their native Security over Storage (Database A, Database B), Compute (Platform A, Platform B), AI and Development; a metacloud layer above them provides Security Orchestration, Observability, Access Management, Directory Services, API Security, Etc.]
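The "Common API security" layer of the previous slides and the metacloud's Access Management / API Security box come down to one verification path and one policy sitting above several providers' identity services. The following is an added example, not the deck's or Deloitte's code: provider names, issuers, keys, audience and claim names are all constructed, and HS256 with shared keys is used only so it runs offline with the standard library (a real deployment would verify each provider's tokens against that provider's published signing keys).

```python
"""One verification and one policy above three providers' identity services.
Everything here (provider names, issuers, keys, audience, claim names) is
constructed for the example; HS256 with shared keys keeps it offline."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Optional

# Per-provider trust configuration. The role claim differs by provider;
# that kind of difference is exactly what the common layer absorbs.
PROVIDERS: Dict[str, Dict[str, Any]] = {
    "cloud-a": {"iss": "https://idp.cloud-a.example", "key": b"cloud-a-shared-key", "role_claim": "role"},
    "cloud-b": {"iss": "https://sts.cloud-b.example", "key": b"cloud-b-shared-key", "role_claim": "roles"},
    "cloud-c": {"iss": "https://auth.cloud-c.example", "key": b"cloud-c-shared-key", "role_claim": "grp"},
}
AUDIENCE = "orders-api"      # tokens from every provider must name this API

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(provider: str, claims: Dict[str, Any]) -> str:
    """Issue an HS256 JWT the way the named provider would (demo helper)."""
    cfg = PROVIDERS[provider]
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": cfg["iss"], "aud": AUDIENCE, **claims}).encode())
    sig = hmac.new(cfg["key"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

@dataclass(frozen=True)
class Principal:
    """Provider-neutral identity the policy is written against."""
    subject: str
    roles: FrozenSet[str]
    provider: str

def verify(token: str, now: Optional[float] = None) -> Optional[Principal]:
    """Single verification path for all providers; None on any failure."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError:                        # bad base64, bad JSON, wrong part count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":          # the layer fixes the algorithm, not the token
        return None
    # Pick the provider from the issuer claim, then trust nothing else until the
    # signature checks out under that provider's key.
    provider = next((n for n, c in PROVIDERS.items() if c["iss"] == claims.get("iss")), None)
    if provider is None:
        return None
    cfg = PROVIDERS[provider]
    expected = hmac.new(cfg["key"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if claims.get("aud") != AUDIENCE or not isinstance(exp, (int, float)) or exp <= now:
        return None
    raw_roles = claims.get(cfg["role_claim"], [])
    roles = [raw_roles] if isinstance(raw_roles, str) else [str(r) for r in raw_roles]
    return Principal(subject=f"{provider}:{claims.get('sub')}", roles=frozenset(roles), provider=provider)

# One policy, written once, in terms of the normalized Principal.
POLICY: Dict[tuple, FrozenSet[str]] = {
    ("GET", "/orders"): frozenset({"reader", "writer", "admin"}),
    ("POST", "/orders"): frozenset({"writer", "admin"}),
    ("DELETE", "/orders"): frozenset({"admin"}),
}

def authorize(token: str, method: str, path: str, now: Optional[float] = None) -> int:
    """HTTP status the common layer returns before any cloud-native API is touched."""
    principal = verify(token, now)
    if principal is None:
        return 401
    allowed = POLICY.get((method, path))
    if allowed is None or not (principal.roles & allowed):
        return 403
    return 200
```

The design point is that nothing downstream of `verify` knows which cloud issued the token: the issuer selects the key, the key proves the token, and only then are audience, expiry and roles read. Pinning the algorithm in the layer rather than reading it from the header, and refusing a token whose issuer and signing key disagree, are the two checks most often missing when each cloud's native verifier is wired up separately.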
Modern Cross-Cloud Security Approaches
Observability and Security: What's happening? What's likely to happen? How will it happen? How to defend? How can we stop this from happening in the future?
Security Observability is Key
[Diagram: attacker and defender loop. Attacker: “I'm going to breach cloud data.” → “I've found an attack vector.” → Breach attempt. Defender: Attempt detected and analyzed → Learning data generated → Defensive posture adjusted → Repeat.]
Leveraging AI as a Security Weapon
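The detect / learn / adjust loop drawn above, as an added example that is not part of the deck: a pass over constructed API-gateway log lines flags two of the behaviours the earlier risk list names (object-id enumeration against one collection, the footprint of a BOLA probe, and credential brute force), feeds the actors behind each finding into a blocklist, and then re-checks the traffic against the adjusted posture. The log format, thresholds and sample lines are all assumptions made for the example.

```python
"""Detect -> learn -> adjust over constructed API-gateway log lines.
Format, thresholds and every line of sample data are made up for the example."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample lines: <unix_ts> <src_ip> <principal or -> <method> <path> <status>
LOG = """\
1700000000 203.0.113.7 alice GET /api/accounts/acct-1001 200
1700000001 203.0.113.7 alice GET /api/accounts/acct-1001 200
1700000002 198.51.100.9 mallory GET /api/accounts/acct-1002 404
1700000002 198.51.100.9 mallory GET /api/accounts/acct-1003 404
1700000003 198.51.100.9 mallory GET /api/accounts/acct-1004 404
1700000003 198.51.100.9 mallory GET /api/accounts/acct-1005 200
1700000004 198.51.100.9 mallory GET /api/accounts/acct-1006 404
1700000004 198.51.100.9 mallory GET /api/accounts/acct-1007 404
1700000005 192.0.2.33 - POST /api/login 401
1700000005 192.0.2.33 - POST /api/login 401
1700000006 192.0.2.33 - POST /api/login 401
1700000006 192.0.2.33 - POST /api/login 401
1700000007 192.0.2.33 - POST /api/login 401
1700000007 192.0.2.33 - POST /api/login 401
1700000008 203.0.113.7 alice POST /api/login 401
"""
LINE = re.compile(r"^(\d+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
OBJECT_PATH = re.compile(r"^(/api/accounts)/([^/]+)$")   # collection + object id

ENUM_THRESHOLD = 5     # distinct object ids one principal touched in one collection
BRUTE_THRESHOLD = 5    # failed logins from one source address

def parse(text: str) -> List[dict]:
    """Turn raw lines into events; malformed lines are kept, not dropped silently."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            events.append({"malformed": raw})
            continue
        ts, ip, who, method, path, status = m.groups()
        events.append({"ts": int(ts), "ip": ip, "who": who, "method": method,
                       "path": path, "status": int(status)})
    return events

def detect(events: List[dict]) -> List[dict]:
    """Detection step: returns one finding per actor that crossed a threshold."""
    ids_by_actor: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    failed_logins: Dict[str, int] = defaultdict(int)
    for e in events:
        if "malformed" in e:
            continue
        m = OBJECT_PATH.match(e["path"])
        if m and e["method"] == "GET":
            ids_by_actor[(e["who"], m.group(1))].add(m.group(2))
        if e["path"] == "/api/login" and e["status"] == 401:
            failed_logins[e["ip"]] += 1
    findings = []
    for (who, collection), ids in sorted(ids_by_actor.items()):
        if len(ids) >= ENUM_THRESHOLD:
            findings.append({"kind": "object_enumeration", "actor": who,
                             "collection": collection, "count": len(ids)})
    for ip, n in sorted(failed_logins.items()):
        if n >= BRUTE_THRESHOLD:
            findings.append({"kind": "credential_brute_force", "actor": ip, "count": n})
    return findings

def adjust_posture(findings: List[dict], blocklist: Set[str]) -> Set[str]:
    """Learning step: every actor behind a finding joins the blocklist."""
    return blocklist | {f["actor"] for f in findings}

def enforce(events: List[dict], blocklist: Set[str]) -> int:
    """Count the requests the adjusted posture would now refuse."""
    return sum(1 for e in events
               if "malformed" not in e and (e["ip"] in blocklist or e["who"] in blocklist))

def run_cycle(text: str, blocklist: Set[str] = frozenset()) -> Tuple[List[dict], Set[str], int]:
    """One turn of the loop: detect, learn, adjust, and measure the effect."""
    events = parse(text)
    findings = detect(events)
    new_blocklist = adjust_posture(findings, set(blocklist))
    return findings, new_blocklist, enforce(events, new_blocklist)
```

The enumeration rule keys on the principal rather than the address, because a BOLA probe is normally authenticated traffic from a valid account, while the brute-force rule keys on the address because the principal is unknown until login succeeds. The blocklist returned by one cycle is the input to the next, which is the "repeat" arrow on the slide.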
Approaching the Problem
Key Considerations: Modernization, Migration, Security and Privacy, Monitoring, Complexity Management, Innovation, Use Cases, Deployments, DevOps & Agile, Financial Management
Framework for Multicloud Execution
Planning
1. Plan & Assessment
2. Target Solution Planning
3. Operations Planning
4. Common Services
   Common Security Services (data protection, identity, access, MFA, monitoring, scanning, encryption, compliance, SecOps)
   Common Governance Services (services, cost, compliance, resource, GovOps)
   Common Cognitive Services (machine and deep learning)
   Common Management and Monitoring (AIOps, CloudOps)
5. Cloud Complexity Management (abstraction, automation, complexity mediation, complexity in domains)
6. Skills Gap Analysis and Augmentation Planning
Environments in scope during planning: Data Center, Special Systems (e.g., factory robotics), Colo/MSP, In Process / Net New, Multi-cloud, Public Clouds, Private Clouds, IoT/Edge
Planning dimensions: DevOps Chain Planning, Performance, Security, BC / DR, Governance, Cost Management, Abstraction, Automation
Migrate
7. Migrate: Code Migration, Data Migration, Resource Migration, Security Migration, Governance Migration, Migration Verification, Operations Planning, DevOps Integration
Operate
8. Operate: SecOps, GovOps, PerfOps, DevOps, Monitoring and Metrics Plan, Legacy/Cloud Operations
Revising the Operating Model in Anticipation of Multicloud
Roll-out of the cloud operating model can be iterative and continue to evolve over time. It can start with establishing a Minimum Viable Operating Model, using 3-5 scenarios per LOB as pilots, and evolve into a fully integrated set of cloud capabilities with a business focus.
As part of the cloud transformation program, an organization needs to evolve its existing IT Operating Model processes, workflows, roles and governance to support the agile nature of cloud, and transform how services are delivered in an efficient manner.
[Chart: Cloud Operating Model Maturity over Time.]
Today, Cloud 0: Assess current state of the operating model using the diagnostic tool across the 8 key categories; current-state competency assessment
90 Days, Cloud 1.0: Identify gaps, new roles / capabilities, key procedures, tools, KPIs and standards and policies across all 8 categories
180 Days, Cloud 2.0: Design and formulate teams, define processes, frameworks and test plans to implement changes identified in the assessment process
270 Days, Cloud 3.0: Enhance operating model, incorporate feedback, iterate and automate workflows and processes
360 Days, Cloud 4.0: Achieve end-state maturity with an optimized model. Fully-integrated capabilities aligned with the cloud organization; frictionless governance and control policies in place; automated operations
Business inputs are increasingly delivered through ongoing iterations of cloud services; the operating model continues to evolve and be refined.
Moving to multicloud increases an organization’s need to focus on maturing the operating model in response to cloud
Thank you

More Related Content

What's hot

What's hot (20)

Container Security
Container SecurityContainer Security
Container Security
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyu...
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Introduction to microservices
Introduction to microservicesIntroduction to microservices
Introduction to microservices
 
kubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.pdf
kubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.pdfkubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.pdf
kubectl apply -f cloud-Infrastructure.yaml mit Crossplane et al.pdf
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way2022 APIsecure_Shift Left API Security - The Right Way
2022 APIsecure_Shift Left API Security - The Right Way
 
Azure Identity and access management
Azure   Identity and access managementAzure   Identity and access management
Azure Identity and access management
 
A Self-Service API Portal for Developers
A Self-Service API Portal for DevelopersA Self-Service API Portal for Developers
A Self-Service API Portal for Developers
 
Microservices architecture
Microservices architectureMicroservices architecture
Microservices architecture
 
AWS Account Best Practices
AWS Account Best PracticesAWS Account Best Practices
AWS Account Best Practices
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
 
Introduction to Microservices
Introduction to MicroservicesIntroduction to Microservices
Introduction to Microservices
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Azure role based access control (rbac)
Azure role based access control (rbac)Azure role based access control (rbac)
Azure role based access control (rbac)
 

Similar to APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David Linthicum (Deloitte Consulting)

Cloud Security Primer - F5 Networks
Cloud Security Primer - F5 NetworksCloud Security Primer - F5 Networks
Cloud Security Primer - F5 Networks
Harry Gunns
 
Azure Overview Csco
Azure Overview CscoAzure Overview Csco
Azure Overview Csco
rajramab
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak
 

Similar to APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David Linthicum (Deloitte Consulting) (20)

Cloud Security Primer - F5 Networks
Cloud Security Primer - F5 NetworksCloud Security Primer - F5 Networks
Cloud Security Primer - F5 Networks
 
Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)Data Services and the Modern Data Ecosystem (ASEAN)
Data Services and the Modern Data Ecosystem (ASEAN)
 
A Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud JourneyA Different Approach to Securing Your Cloud Journey
A Different Approach to Securing Your Cloud Journey
 
[Cloud Summit 2010] Peter Coffee - Sales Force
[Cloud Summit 2010] Peter Coffee - Sales Force[Cloud Summit 2010] Peter Coffee - Sales Force
[Cloud Summit 2010] Peter Coffee - Sales Force
 
Celera Networks on Cloud Computing
Celera Networks on Cloud Computing Celera Networks on Cloud Computing
Celera Networks on Cloud Computing
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
 
Top Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptxTop Trends in Cloud Computing for 2023.pptx
Top Trends in Cloud Computing for 2023.pptx
 
Bluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security ModelBluedog white paper - Our WebObjects Web Security Model
Bluedog white paper - Our WebObjects Web Security Model
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
Azure Overview Csco
Azure Overview CscoAzure Overview Csco
Azure Overview Csco
 
Cloud Computing.pptx
Cloud Computing.pptxCloud Computing.pptx
Cloud Computing.pptx
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
htcia-5-2015
htcia-5-2015htcia-5-2015
htcia-5-2015
 
Cisco Connect 2018 Thailand - Enabling the next gen data center transformatio...
Cisco Connect 2018 Thailand - Enabling the next gen data center transformatio...Cisco Connect 2018 Thailand - Enabling the next gen data center transformatio...
Cisco Connect 2018 Thailand - Enabling the next gen data center transformatio...
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the Cloud
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 

More from apidays

More from apidays (20)

Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...
 
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
 
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
 
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
 
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
 
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Recently uploaded

Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 

Recently uploaded (12)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Stay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design TrendsStay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design Trends
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 

APIsecure 2023 - Approaching Multicloud API Security USing Metacloud, David Linthicum (Deloitte Consulting)

  • 1. Approaching Multicloud API Security Using “Metacloud.” David S. Linthicum dlinthicum@deloitte.com
  • 3. Why Are We Here?
  • 4. Multicloud Interoperability is Crucial 36% 56% Fully Interoperable "Some Level" of Interoperability Respondents Report on their Cloud Interoperability Source: 2022 Enterprise Cloud Index, which is based on a survey of 1,700 IT decision makers globally. 87% Respondents agree multiclouds require simpler cross-platform tools, dashboard and configuration approaches What are the Top Multicloud Challenges? 38% 38% 42% 43% 49% 49% Capacity Planning Across Infrastructures Application Mobility Performance Across Network Overlays Cost Data Integration Security
  • 5. KeyDriversforaMulticloudEnvironment An IDC study found that 86% of enterprises predict that they will need a Multicloud approach to support their solutions within the next two years Multicloud Adoption Drivers Multicloud Environment Benefits Reduce cloud spend through competitive negotiation Increase business agility through greater access to the latest technologies across multiple providers Meet current and future requirements of governance, security, privacy, risk management and compliance regulations Reduce vulnerability risk by limiting blast radius with multiple Cloud Service Providers Reduce latency caused by exploding data volume on single cloud service provider platform Reduce operating cost with more competitive price Offers true flexibility to implement solutions that best fit each business workload to optimize performance Adopt the latest technologies from different leading service providers Improve geographic presence and disaster recovery in response to outages Business Continuity Technology Innovation Data Gravity Reduction Service Flexibility Cost Reduction Vulnerability Mitigation Gain autonomy by minimizing vendor lock-in Improve resiliency and reliability by distributing workloads across multiple cloud service providers Optimize the best of breed of cloud computing solutions across the various Cloud Service Providers
  • 6. Business Innovation Supported Leveraging Best-Of-Breed Technology Available Business Value Created Need for Innovation Innovationis the driver. Business Innovation Supported Leveraging Best-Of-Breed Technology Available Business Value Created Need for Innovation
  • 9. Multicloud/cloud API security risks
    • Broken object-level authorization. BOLA occurs when a request can access or modify data the requestor shouldn't have access to, such as being able to access another user's account by tampering with an identifier in the request.
    • Broken function-level authorization. This arises when the principle of least privilege (POLP) isn't implemented, often as a result of overly complex access control policies. It results in an attacker being able to execute sensitive commands or access endpoints intended for privileged accounts.
    • Broken user authentication. Like BOLA, if the authentication process can be compromised, an attacker can pose as another user on a one-time or even permanent basis.
    • Excessive data exposure. API responses to a request often return more data than is relevant or necessary. Even though the data may not be displayed to the user, it can be easily examined and may lead to a potential exposure of sensitive information.
    • Improper asset management. API development and deployment is usually fast-paced, and thorough documentation is often omitted in the rush to release new or updated APIs. This leads to exposed and ghost endpoints, as well as a poor understanding of how older APIs work and need to be implemented.
    • Lack of resources and rate limiting. API endpoints are usually open to the internet and, if there are no restrictions on the number or size of requests, are open to DoS and brute-force attacks.
    • Injection flaws. If request data isn't parsed and validated correctly, an attacker can potentially launch a command or SQL injection attack to access it or execute malicious commands without authorization.
    • Mass assignment. Software development frameworks often provide the functionality to insert all the data received from an online form into a database or object with just one line of code (known as mass assignment), removing the need to write repetitive lines of form-mapping code. If this is done without specifying what data is acceptable, it opens a variety of attack vectors.
    Source: https://www.techtarget.com/searchapparchitecture/tip/10-API-security-guidelines-and-best-practices
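Added example, not from the original deck: one "update account" API handler written twice, first with three of the risks listed above (mass assignment, broken object-level authorization, excessive data exposure) and then with the corresponding checks. The in-memory store, field names and caller names are constructed.

```python
# Added example, not from the original deck: one "update account" handler
# written twice, once with three of the risks listed above (mass assignment,
# broken object-level authorization, excessive data exposure) and once with the
# corresponding checks. Store, field names and callers are constructed.
import copy

# Constructed sample store: account id -> record. "role" and "balance" must
# never be client-writable, and "balance" should not appear in responses.
SAMPLE_ACCOUNTS = {
    "acct-1": {"owner": "alice", "email": "alice@example.test", "role": "user", "balance": 100},
    "acct-2": {"owner": "bob", "email": "bob@example.test", "role": "user", "balance": 250},
}
WRITABLE_FIELDS = {"email", "display_name"}           # mass-assignment allow-list
PUBLIC_FIELDS = {"owner", "email", "display_name"}    # response projection

def make_accounts():
    """Fresh copy of the sample store so each call starts from known state."""
    return copy.deepcopy(SAMPLE_ACCOUNTS)

def update_account_vulnerable(accounts, caller, account_id, payload):
    """Returns (status, body). The 'one line' mass assignment: every key in the
    request is written to the record, the caller's ownership of account_id is
    never checked (BOLA), and the whole record is echoed back (excessive exposure)."""
    record = accounts.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    record.update(payload)
    return 200, dict(record)

def update_account_hardened(accounts, caller, account_id, payload):
    """Returns (status, body). Object-level check first, then allow-list the
    writable fields, then project the response to public fields only."""
    record = accounts.get(account_id)
    # One response for "missing" and "not yours": the caller learns nothing
    # about whether a foreign account id exists.
    if record is None or record["owner"] != caller:
        return 403, {"error": "forbidden"}
    rejected = sorted(set(payload) - WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    record.update(payload)
    return 200, {k: v for k, v in record.items() if k in PUBLIC_FIELDS}

if __name__ == "__main__":
    a = make_accounts()
    print(update_account_vulnerable(a, "mallory", "acct-1", {"role": "admin"}))
    a = make_accounts()
    print(update_account_hardened(a, "mallory", "acct-1", {"role": "admin"}))
    print(update_account_hardened(a, "alice", "acct-1", {"email": "new@example.test"}))
```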
  • 10. Multicloud is not complex… oh wait. (Reference architecture diagram; labels shown:) Data Orchestration; Service/API Management & Development; Network Management; Logical Abstracted Storage and Data; Resource Management; Logical Abstracted Services; Management; Devices; Applications; Cloud-Based Databases; Consumer/Producer Pool; Partner Clouds; Virtual Databases (Abstraction); OLTP; Analytical; Common Storage Services; Special Purpose; Management/Monitoring/CloudOps/Complexity Management; Security and Governance/SecOps & GovOps; Cloud Service Brokering; Data Focused Multicloud; Service Focused Multicloud; Applications; Abstracted Compute; Orchestration and Process; Native APIs; Application Services/Microservices; Data Integration; Public Clouds; Private Clouds; Legacy; Infrastructure Management; Cost Governance
  • 11. Complexity = API Security Risk. (Chart: Security Risk and Costs rise with Growth of Complexity, from Start to Two Clouds, Three Clouds and N Clouds.)
  • 14. Multicloud API security issues
    • Authentication and Authorization
    • Data Protection
    • API Gateway Security
    • Compliance
    • Visibility and Monitoring
  • 16. Moving from single cloud deployments. (Diagram:) Cloud A: Storage with Database APIs (Database A, Database B); Compute with Platform APIs (Platform A, Platform B); Misc. cloud services APIs (AI, Development, Operations, Governance, Security)
  • 17. Deployed multicloud – abstraction and automation is key. Abstract to remove complexity. (Same reference architecture diagram as slide 10.)
  • 18. Why abstraction and automation?
    • A reaction to the fact that cloud API implementations are becoming more complex.
    • The increased API complexity is causing some negative value for cloud deployments.
    • The movement to hybrid and multicloud is only accelerating.
  • 19. Solutions in a nutshell. (Diagram:) Cross Cloud API Security through automation/abstraction, spanning Cloud A, Cloud B and Cloud C. Abstraction/automation covers: API Data Movement, API Data Processing, API Service Processing, API Data, API Services, API Platforms, API Knowledge/AI, API Security, API Development, API Etc.
  • 20. Example: Service Abstraction
    • Heterogeneous Services: complex services and microservices
    • Service Virtualization: abstract services, used by applications and humans
  • 21. Challenge: Service Granularity
    • The trick of building composable services is building at the right level of granularity
    • Challenges
      • Engraining business logic into code
      • Decomposing legacy services that are not fine-grained enough
    • Method
      • Top-down process decomposition, vs. bottom-up service development
      • Must be iterative
  • 22. The Approach: Automation of Abstract Resources. Orchestration with common security across:
    • Step 1: Service/API invocation 1 (Oracle Database)
    • Step 2: Service/API invocation 2 (Windows NT)
    • Step 3: Service/API invocation 3 (Linux system)
  • 23. To multicloud deployments. (Diagram:) Cloud A, Cloud B and Cloud C, each with Storage (Database A, Database B), Compute (Platform A, Platform B), AI and Development, and each with its own API Security.
  • 24. Job 1: Reduce Complexity. Common API security across Cloud A, Cloud B and Cloud C (each with Storage: Database A, Database B; Compute: Platform A, Platform B; AI; Development). Complexity in a domain.
  • 25. Rise of the "Supercloud" or "Metacloud". Cross-Cloud Services (Operations, API Security, Governance, Development, Deployment, Service Management, Services Brokerage, Integrated AI, Data Integration, Etc.) layered over Cloud A, Cloud B and Cloud C (each with Storage: Database A, Database B; Compute: Platform A, Platform B; AI; Dev).
  • 26. Modern Cross-Cloud Security Approaches. Cross-cloud layer: Security Orchestration, Observability, Access Management, Directory Services, API Security, Etc. Underneath: Cloud A, Cloud B and Cloud C, each with its own Security plus Storage (Database A, Database B), Compute (Platform A, Platform B), AI and Development.
  • 27. Observability and Security. Security observability is key:
    • What's happening?
    • What's likely to happen?
    • How will it happen?
    • How to defend?
    • How can we stop this from happening in the future?
  • 28. Leveraging AI as a Security Weapon. (Cycle:) "I'm going to breach cloud data." → "I've found an attack vector." → Breach attempt → Attempt detected and analyzed → Learning data generated → Defensive posture adjusted → Repeat
  • 30. Framework for Multicloud Execution
    Key considerations: Modernization, Migration, Security and Privacy, Monitoring, Complexity Management, Innovation, Use Cases, Deployments, DevOps & Agile, Financial Management.
    Phases: Planning, Migrate, Operate.
      1. Plan & Assessment
      2. Target Solution Planning
      3. Operations Planning
      4. Common Services: Common Security Services (data protection, identity, access, MFA, monitoring, scanning, encryption, compliance, SecOps); Common Governance Services (services, cost, compliance, resource, GovOps); Common Cognitive Services (machine and deep learning); Common Management and Monitoring (AIOps, CloudOps)
      5. Cloud Complexity Management (abstraction, automation, complexity mediation, complexity in domains)
      6. Skills Gap Analysis and Augmentation Planning
      7. Migrate: Code Migration, Data Migration, Resource Migration, Security Migration, Governance Migration, Migration Verification, DevOps Integration, DevOps Chain Planning
      8. Operate: Legacy/Cloud Operations, SecOps, GovOps, PerfOps, DevOps, Monitoring and Metrics Plan
    Planning dimensions: Performance, Security, BC / DR, Governance, Cost Management, Abstraction, Automation.
    Environments: Data Center, Special Systems (e.g., factory robotics), Colo/MSP, In Process / Net New, Multi-cloud, Public Clouds, Private Clouds, IoT/Edge.
  • 31. Revising the Operating Model in Anticipation of Multicloud
    Roll out of the cloud operating model can be iterative and continue to evolve over time. It can start with establishing a Minimum Viable Operating Model leveraging 3-5 scenarios per LOB as pilots, and evolve into a fully integrated set of cloud with business focus.
    As part of the cloud transformation program, an organization needs to evolve its existing IT Operating Model processes, workflows, roles, and governance to support the agile nature of cloud, and transform how services are delivered in an efficient manner.
    Cloud operating model maturity over time:
      • Today: Cloud 0: Assess current state of operating model using the diagnostic tool across the 8 key categories, current state competency assessment
      • 90 Days: Cloud 1.0: Identify gaps, new roles / capabilities, key procedures, tools, KPIs and standards and policies across all 8 categories
      • 180 Days: Cloud 2.0: Design and formulate teams, define processes, frameworks and test plans to implement changes identified in the assessment process
      • 270 Days: Cloud 3.0: Enhance operating model, incorporate feedback, iterate and automate workflows and processes
      • 360 Days: Cloud 4.0: Achieve end state maturity with optimized model. Fully-integrated capabilities aligned with cloud organization; frictionless governance and control policies in place; and automated operations. Operating model continues to evolve and be refined.
    Business inputs are increasingly delivered through ongoing iterations of cloud services. Moving to multicloud increases an organization's need to focus on maturing the operating model in response to cloud.