© Copyright 2010 Hewlett-Packard Development Company, L.P.
Marco Casassa Mont
(marco.casassa-mont@hp.com)
Senior Researcher
Systems Security Lab, HP Labs, Bristol
Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors
Industry Perspective
RAND Europe – Cloud Computing 2010
10 September 2010
Outline
• Background on Cloud Computing
• Impact on Enterprise’s Security Lifecycle Management
• Current Trends, Requirements and Cloud Computing Initiatives
• Future Directions: related R&D Work by HP Labs
• Conclusions
Cloud Computing: Definition
– No Unique Definition or General Consensus about what Cloud Computing is …
– Different Perspectives & Focuses (Platform, SW, Service Levels…)
– Flavours:
• Computing and IT Resources Accessible Online
• Dynamically Scalable Computing Power
• Virtualization of Resources
• Access to (potentially) Composable & Interchangeable Services
• Abstraction of IT Infrastructure
→ No need to understand its implementation: use Services & their APIs
• Related “Buzzwords”: IaaS, PaaS, SaaS, EaaS, …
• Some current players, at the Infrastructure & Service Level:
Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
Cloud Service Layers
[Figure: cloud service layers. Labels: Cloud Infrastructure Services (IaaS); Cloud Platform Services (PaaS); Cloud End-User Services (SaaS); Physical Infrastructure; Service Users; Cloud Providers; Service Providers.]
Source: HP Labs, Automated Infrastructure Lab (AIL), Bristol, UK - Peter Toft
Cloud Computing: Models
[Figure: cloud computing models. Labels: Enterprise (Employee, Business Apps/Service, Internal Cloud with several Services); User; The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Service 3; Backup Service; ILM Service; …]
Today Security Management Lifecycle
[Figure: flowchart of the vulnerability management process. Events: Vulnerability Disclosed; Exploit Available; Malware; Patch Available. Steps: Vulnerability Assessment; Implement Workaround; Deploy Mitigation; Test Solution; Patch Deployment; Accelerated Patching; Emergency Patching. Decision points (Y/N): Exposed?; Early Mitigation?; Malware Reports?; Accelerate?; Patch Available?; Workaround Available?]
[Chart: Risk reduced window (from disclosure time) across all vulnerabilities. x-axis: timeline; y-axis: proportion of vulnerabilities.]
[Diagram labels: Trusted Infrastructure; Policy, process, people, technology & operations; Assurance & Situational Awareness; Security Analytics; Economics/Threats/Investments.]
Stewardship in the Cloud Ecosystem
[Figure labels: Implications; Service Consumer; SaaS Provider; IaaS Provider.]
Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
The Enterprise Cloud Consumer
[Figure labels: Business; IT Dept; CISO/CIO; staff; infrastructure; Fulfill need; Public Cloud; Private/Community Cloud.]
Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
Cloud Computing: Implications
– Enterprise:
Paradigm Shift from “Closed & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures
– Private User:
Paradigm Shift from Accessing a Static Set of Services to Dynamic & Composable Services
– General Issues:
• Assurance (and Trust) about Security and Business Practices
• Potential Loss of Control (on Data, Infrastructure, Processes, etc.)
• Data & Confidential Information Stored in The Clouds
• Management of Identities and Access (IAM) in the Cloud
• Compliance to Security Practice and Legislation
• Privacy Management (Control, Consent, Revocation, etc.)
• New Threat Environments
• Reliability and Longevity of Cloud & Service Providers
Current Trends of Relevance
1. Increasing Adoption of Services in the Cloud
2. (IT) Consumerisation of the Enterprise
Adoption of Services in the Cloud
Services in the Cloud [1/2]
• Growing adoption of IT Cloud Services by People and Companies, in particular SMEs (cost saving, etc.)
• Includes:
• Datacentre consolidation and IT Outsourcing
• Private Cloud/Cloud Services
• Public Cloud Services
- Amazon, Google, Salesforce, …
• Gartner predictions about Value of Cloud Computing Services:
• 2008 : $46.41 billion
• 2009 : $56.30 billion
• 2013 : $150.1 billion (projected)
• NOTE: these Trends are less obvious for Medium-Large Organisations and Gov Agencies
[Figure labels: Cloud Computing Services; Org; Org; Org.]
Services in the Cloud [2/2]
• Some statistics about SME’s usage of Cloud Services (Source: SpiceWorks):
Data Backup : 16%
Email : 21.2%
Application : 11.1%
VOIP : 8.5%
Security : 8.5%
CRM : 6.2%
Web Hosting : 25.4%
eCommerce : 6.4%
Logistics : 3.6%
Do not use : 44.1%
• Cloud initiatives from Governments
→ see UK g-Cloud Initiative
http://johnsuffolk.typepad.com/john-suffolk---government-cio/2009/06/government-cloud.html
[Figure labels: Cloud Computing Services; Org; Org; Org.]
Personal Cloud Services
• User-driven, Personal Cloud Services:
- Multiple Interconnected Devices
- Multiple Online Services
- Multiple Data Sources and Stores
• Forrester’s Prediction (by Frank Gillett):
- Growing role of Personal Cloud Services and Decreasing Relevance of traditional Operating Systems …
Opportunities and Threats
• Opportunities:
• Cost cutting
• Further enabler of IT Outsourcing (medium-large organisations)
• Better & cheaper services
• No lock-in situation with a service provider
• …
• Threats:
• Potential lack of control on Data and Processes
• Proliferation of data and PII information
• Reliability and Survivability Issues
• Data protection and Privacy
• Reliance on third party …
(IT) Consumerisation of the Enterprise
Traditional (IT) Enterprise Model
• Key role of CIOs/CISOs, Legal Departments, etc. in defining Policies and Guidelines
• Controlled and Centralised IT Provisioning
• IT Infrastructures, Services and Devices Managed by the Organisation
[Figure labels: Enterprise; IT Services; Storage; Servers; Corporate Devices; Corporate IT (security) Policies, Provisioning & Management.]
Towards Consumerization of (IT) Enterprise
New Driving Forces:
• IT Outsourcing
• Employees using their own Devices at work
• Adoption of Cloud Services by Employees and the Organization
• Blurring Boundaries between Work and Personal Life
• Local Decision Making …
[Figure labels: Enterprise; IT Services; Storage; Servers; Personal Devices; Storage; Servers; Services; Cloud Services.]
Opportunities and Threats
• Opportunities for Employees and Organisations:
• Empowering users
• Seamless experience between work and private life
• Cost cutting
• Better service offering
• Transformation of CIO/CISO roles …
• Threats:
• Enterprise data stored all over the place: Potential Data losses …
• Lack of control by organisation on users’ devices: potential security threats
• …
Cloud Computing: Requirements
– Simplified Management of Identities and Credentials
– Need for Assurance and Transparency about:
• (Outsourced) Processes
• Security & Privacy Practices
• Data Lifecycle Management
– Compliance to Regulation, Policies and Best Practice
• Need to redefine what Compliance means in The Cloud
– Accountability
– Privacy Management: Control on Data Usage & Flows
– Reputation Management
Cloud Computing: Initiatives
Recent General Initiatives aiming at Shaping Cloud Computing:
– Open Cloud Manifesto
• Making the case for an Open Cloud
– Cloud Security Alliance
• Promoting Best Security Practices for the Cloud
– Jericho Forum
• Cloud Cube Model: Recommendations & (Security) Evaluation Framework
– …
Some Future Directions
• Trusted Infrastructure
• Security Analytics
• Cloud Stewardship Economics
• Privacy Management
Trusted Infrastructure
[Figure: the Enterprise, User and Cloud Provider landscape with trusted components added. Labels: Enterprise (Employee, Business Apps/Service, Internal Cloud with several Services); User; The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Service 3; Backup Service; ILM Service; Trusted Client Devices; Trusted Client Infrastructure (three instances).]
• Ensuring that the Infrastructural IT building blocks of the Enterprise and the Cloud are secure, trustworthy and compliant with security best practice
• Trusted Computing Group (TCG)
• Impact of Virtualization
TCG: http://www.trustedcomputinggroup.org
Trusted Infrastructure: Trusted Virtualized Platform
[Figure: a Trusted Hypervisor hosting multiple client environments. Labels: Personal Environment (Win/Lx/OSX); Corporate Productivity OS; Remote IT Mgmt; Home Banking; Corporate Production Environment OS; E-Govt Intf.; Corp. Soft Phone; Secure Corporate (Government) Client Persona; Personal Client Persona; Trusted Corporate Client Appliance; Trusted Personal Client Appliances, online (banking, egovt) or local (ipod); Services managed from cloud.]
HP Labs: Applying Trusted Computing to Virtualization
Paradigm Shift: Identities/Personae as “Virtualised Environment” in the Cloud
[Figure labels: End-User Device; Trusted Hypervisor; MyPersona1 + Virtualised Environment1; MyPersona2 + Virtualised Environment2; Trusted Domain; Bank; Gaming; Community Services; …]
Using Virtualization to push Control from the Cloud/Service back to the Client Platform
• User’s Persona is defined by the Service Interaction Context
• User’s Persona & Identity are “tied” to the Virtualised Environment
• Persona defined by User or by Service Provider
• Potential Mutual attestation of Platforms and Integrity
Security Analytics
Putting the Science into Security Management
Complexity, Costs, Threats and Risks are All Increasing
Trying harder is not enough – we have to get smarter
Problems with Security Investments
– Security Investments affect multiple outcomes: budget, confidentiality, integrity, availability, …
– In most situations these outcomes can only be predicted with high degrees of uncertainty
– Often the outcomes are inter-related (trade-off) and the link to investments is poorly understood
– Classical business justification/due diligence (Return on Security Investment, cost benefit analysis) encourages these points to be glossed over
Security Analytics
– Providing Strategic Decision Support to Decision Makers (e.g. CIOs, CISOs, etc.)
– Using Modelling and Simulation to Represent Process, IT Systems, Interactions, Human Behaviours and their Impact on Aspects of Relevance: Security Risks, Productivity, Costs
– Carry out “What-If” Analysis and Make Predictions, based on Alternative Investments, Threat Environments, etc.
Security Analytics: Integrating Scientific Knowledge
• Economic Theory (utility, trade offs, externalities, information asymmetry, incentives)
• Applied Mathematics (probability theory, queuing theory, process algebra, model checking)
• Experiment and Prediction (Discrete event modelling and simulation)
• Empirical Studies (Grounded theory, discourse analysis, cognitive science)
[Figure labels: CISO / CIO / Business; Security/Systems Domain knowledge; Business Knowledge.]
PACKAGED SECURITY ANALYTICS
Transforming security management to one based on scientific rigor
– Launched at Infosec 2010 as part of Security Business Intelligence
– Based on VTM/IAM case studies
– Iterative engagement approach to define the problem and explore possible solutions and their tradeoffs
– Generation of full report
→ Application of Security Analytics to Cloud Stewardship Economics
Cloud Stewardship Economics
UK Government Founded Collaborative Initiative
– Cloud Stewardship Economics:
• Economics & System Modelling -> Cloud Eco-Systems
• Aberdeen University, Bath University, IISP, Lloyds of London, Marmalade Box, Sapphire, Validsoft
Source & Contacts: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
The Cloud Ecosystem
[Figure: the cloud ecosystem. Participants shown: Consumer; Small Business; Enterprise; Government Department; CRM aa Service; Bundled Portal aa Service; Comms aa Service; CPU Service; Infrastructure Service; Secure Archive Storage Service; 24*7 Available Storage Service. Group labels: Pure Service Consumers; Service Consumer/Providers; Pure Service Providers.]
Stewardship in the Cloud Ecosystem
[Figure: the cloud ecosystem with stewardship concerns overlaid. Participants shown: Consumer; Small Business; Enterprise; Government Department; CRM aa Service; Bundled Portal aa Service; Comms aa Service; CPU Service; Infrastructure Service; Secure Archive Storage Service; 24*7 Available Storage Service. Overlay labels: Confidentiality; Integrity; Availability; requirements; expectations; Obligations; preferences; incentives; Procurement & Consuming.]
Summary of Cloud Stewardship Issues
– Cloud
• Multiple stakeholders
• Complex Supply Chains
• Procurement Challenges
– Stewardship
• Where information is
• Who is accountable, and responsible
• Who can see or change information
• Assurance
• Liability (with longevity)
Cloud Ecosystem Economics
Key ideas that are guiding our empirical work
– Micro Economics
• Information Asymmetry
– As the service provider I know more about the costs and risks of handling your data than you or any regulator
• Externalities; Public/Club Goods
– Being secure costs me more than I gain, even though others in the community gain too.
• Heterogeneity of services & users
– How do we value bundled security characteristics & develop associated product and pricing strategies
– Macro Economics
• Aggregate drivers and effects
– … As well as applying preference, utility, system modelling to this context
Privacy Management
TSB EnCoRe Project
- EnCoRe: Ensuring Consent and Revocation
UK Government Collaborative Project – http://www.encore-project.info/
“EnCoRe is a multi-disciplinary research project, spanning across a number of IT and social science specialisms, that is researching how to improve the rigour and ease with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal data by others”
- Problem: Management of Personal Data (PII) and Confidential Information driven by Consent & Revocation
Contact: HP Labs, Systems Security Lab (SSL), Bristol, UK – Pete Bramhall
EnCoRe: Enabling the Flow of Identity Data + Consent/Revocation
[Figure: Identity Data & Credentials + Consent/Revocation flowing between parties. Labels: User; Enterprise (two instances); The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Delivery Service; Service 3; Backup Service; ILM Service; …]
EnCoRe: Explicit Management of Consent and Revocation
[Figure: EnCoRe ToolBox instances placed across the parties. Labels: User; Enterprise (two instances); The Internet; Cloud Provider #1; Cloud Provider #2; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; CRM Service; Service 3; Backup Service; ILM Service; EnCoRe ToolBox (six instances); …]
EnCoRe Project
– Various Case Studies:
• Enterprise Data
• Biobank
• Assisted Living
– Press Event: 29/06/2010
http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool
http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_-_prototype_system_unveiled_by_EnCoRe_/
– Technical Architecture and Solutions available online:
http://www.encore-project.info/
Conclusions
– Cloud Computing is Happening Now
– Different Drivers and Needs – but Cost Cutting is currently Dominating
– Different attitudes and risk exposures based on type of Companies (SMEs, Medium-large Enterprise, Government Agencies)
– It is not really a Matter of Technology
– Little understanding of the overall Security, Trust and Privacy Implications
– Need for more Assurance, Accountability and Transparency
Q&A
More Information:
Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.com
http://www.hpl.hp.com/personal/Marco_Casassa_Mont/

EMEA10: Trepidation in Moving to the Cloud
 
Digital Business Transformation for Energy & Utility company
Digital Business Transformation for Energy & Utility companyDigital Business Transformation for Energy & Utility company
Digital Business Transformation for Energy & Utility company
 
Boston Cloud Dinner/Discussion November 2010
Boston Cloud Dinner/Discussion November 2010Boston Cloud Dinner/Discussion November 2010
Boston Cloud Dinner/Discussion November 2010
 
Cover Your Apps! Surviving in the Age of the Hyperscale Public Clouds
Cover Your Apps! Surviving in the Age of the Hyperscale Public CloudsCover Your Apps! Surviving in the Age of the Hyperscale Public Clouds
Cover Your Apps! Surviving in the Age of the Hyperscale Public Clouds
 
Developing a cloud strategy - Presentation Nexon ABC Event
Developing a cloud strategy - Presentation Nexon ABC EventDeveloping a cloud strategy - Presentation Nexon ABC Event
Developing a cloud strategy - Presentation Nexon ABC Event
 
Piloting The Cloud: Acting on OMB's Mandate - RightNow Technologies
Piloting The Cloud: Acting on OMB's Mandate - RightNow TechnologiesPiloting The Cloud: Acting on OMB's Mandate - RightNow Technologies
Piloting The Cloud: Acting on OMB's Mandate - RightNow Technologies
 
CRTC Cloud- Scott Sadler
CRTC Cloud- Scott SadlerCRTC Cloud- Scott Sadler
CRTC Cloud- Scott Sadler
 
Cloud Computing Architecture Primer
Cloud Computing Architecture PrimerCloud Computing Architecture Primer
Cloud Computing Architecture Primer
 
Aitp presentation ed holub - october 23 2010
Aitp presentation   ed holub - october 23 2010Aitp presentation   ed holub - october 23 2010
Aitp presentation ed holub - october 23 2010
 
GraphTalks - Einführung
GraphTalks - EinführungGraphTalks - Einführung
GraphTalks - Einführung
 
Cloud computing insights from110 implementation projects
Cloud computing insights from110 implementation projectsCloud computing insights from110 implementation projects
Cloud computing insights from110 implementation projects
 
Pistoia Alliance USA Conference 2016
Pistoia Alliance USA Conference 2016Pistoia Alliance USA Conference 2016
Pistoia Alliance USA Conference 2016
 
Cloud,beyond the hype, looking at the journey to Cloud
Cloud,beyond the hype, looking at the journey to CloudCloud,beyond the hype, looking at the journey to Cloud
Cloud,beyond the hype, looking at the journey to Cloud
 
Intel and Cloudera: Accelerating Enterprise Big Data Success
Intel and Cloudera: Accelerating Enterprise Big Data SuccessIntel and Cloudera: Accelerating Enterprise Big Data Success
Intel and Cloudera: Accelerating Enterprise Big Data Success
 
Security Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceSecurity Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-Service
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud Security
 
Incorporating cloud computing for enhanced communication v2
Incorporating cloud computing for enhanced communication v2Incorporating cloud computing for enhanced communication v2
Incorporating cloud computing for enhanced communication v2
 
Engineering Systems For The Cloud
Engineering Systems For The CloudEngineering Systems For The Cloud
Engineering Systems For The Cloud
 
Transform IT Service Delivery Helion
Transform IT Service Delivery Helion Transform IT Service Delivery Helion
Transform IT Service Delivery Helion
 

More from Marco Casassa Mont

Big Data for Security - Threat Analytics
Big Data for Security -  Threat AnalyticsBig Data for Security -  Threat Analytics
Big Data for Security - Threat Analytics
Marco Casassa Mont
 
Big Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsBig Data for Security - DNS Analytics
Big Data for Security - DNS Analytics
Marco Casassa Mont
 
Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data  presentation (engineering seminar)Security intelligence using big data  presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)
Marco Casassa Mont
 
Policy Management: An Overview
Policy Management: An OverviewPolicy Management: An Overview
Policy Management: An Overview
Marco Casassa Mont
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
Marco Casassa Mont
 
Cyber security within Organisations: A sneaky peak of current status, trends,...
Cyber security within Organisations: A sneaky peak of current status, trends,...Cyber security within Organisations: A sneaky peak of current status, trends,...
Cyber security within Organisations: A sneaky peak of current status, trends,...
Marco Casassa Mont
 

More from Marco Casassa Mont (6)

Big Data for Security - Threat Analytics
Big Data for Security -  Threat AnalyticsBig Data for Security -  Threat Analytics
Big Data for Security - Threat Analytics
 
Big Data for Security - DNS Analytics
Big Data for Security - DNS AnalyticsBig Data for Security - DNS Analytics
Big Data for Security - DNS Analytics
 
Security intelligence using big data presentation (engineering seminar)
Security intelligence using big data  presentation (engineering seminar)Security intelligence using big data  presentation (engineering seminar)
Security intelligence using big data presentation (engineering seminar)
 
Policy Management: An Overview
Policy Management: An OverviewPolicy Management: An Overview
Policy Management: An Overview
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
 
Cyber security within Organisations: A sneaky peak of current status, trends,...
Cyber security within Organisations: A sneaky peak of current status, trends,...Cyber security within Organisations: A sneaky peak of current status, trends,...
Cyber security within Organisations: A sneaky peak of current status, trends,...
 

Recently uploaded

Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Ben Linders
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
Proposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP IncProposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP Inc
Raheem Muhammad
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
OECD Directorate for Financial and Enterprise Affairs
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
kekzed
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussionArtificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
SkillCertProExams
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
OECD Directorate for Financial and Enterprise Affairs
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Using-Presentation-Software-to-the-Fullf.pptx
Using-Presentation-Software-to-the-Fullf.pptxUsing-Presentation-Software-to-the-Fullf.pptx
Using-Presentation-Software-to-the-Fullf.pptx
kainatfatyma9
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
gpww3sf4
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 

Recently uploaded (20)

Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfWhy Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdf
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
Proposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP IncProposal: The Ark Project and The BEEP Inc
Proposal: The Ark Project and The BEEP Inc
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
 
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
The Intersection between Competition and Data Privacy – OECD – June 2024 OECD...
 
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
The Intersection between Competition and Data Privacy – COLANGELO – June 2024...
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
 
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
怎么办理(lincoln学位证书)英国林肯大学毕业证文凭学位证书原版一模一样
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
 
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussionArtificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
 
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
The Intersection between Competition and Data Privacy – CAPEL – June 2024 OEC...
 
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
ServiceNow CIS-ITSM Exam Dumps & Questions [2024]
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
The Intersection between Competition and Data Privacy – KEMP – June 2024 OECD...
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
 
Using-Presentation-Software-to-the-Fullf.pptx
Using-Presentation-Software-to-the-Fullf.pptxUsing-Presentation-Software-to-the-Fullf.pptx
Using-Presentation-Software-to-the-Fullf.pptx
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
 

Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors

  • 1. © Copyright 2010 Hewlett-Packard Development Company, L.P. Marco Casassa Mont (marco.casassa-mont@hp.com), Senior Researcher, Systems Security Lab, HP Labs, Bristol. Cloud Computing: Security, Privacy and Trust Aspects across Public and Private Sectors. Industry Perspective. RAND Europe – Cloud Computing 2010, 10 September 2010
  • 2. Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 3. Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 4. Cloud Computing: Definition – No Unique Definition or General Consensus about what Cloud Computing is … – Different Perspectives & Focuses (Platform, SW, Service Levels…) – Flavours: • Computing and IT Resources Accessible Online • Dynamically Scalable Computing Power • Virtualization of Resources • Access to (potentially) Composable & Interchangeable Services • Abstraction of IT Infrastructure → No need to understand its implementation: use Services & their APIs • Related “Buzzwords”: IaaS, PaaS, SaaS, EaaS, … • Some current players, at the Infrastructure & Service Level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
  • 5. Cloud Service Layers [Diagram labels: Cloud Infrastructure Services (IaaS); Cloud Platform Services (PaaS); Cloud End-User Services (SaaS); Physical Infrastructure; Service Users; Cloud Providers; Service Providers] Source: HP Labs, Automated Infrastructure Lab (AIL), Bristol, UK - Peter Toft
  • 6. Cloud Computing: Models [Diagram labels: Enterprise; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; Cloud Provider #1; Cloud Provider #2; Internal Cloud; CRM Service; Service 3; Backup Service; ILM Service; Service; Business Apps/Service; Employee; User; The Internet]
  • 7. Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 8. Today Security Management Lifecycle [Flowchart labels: Vulnerability Disclosed; Exploit Available; Malware; Patch Available; Test Solution; Patch Deployment; Vulnerability Assessment; Accelerated Patching; Emergency Patching; Exposed?; Early Mitigation?; Malware Reports?; Accelerate?; Patch Available?; Workaround Available?; Implement Workaround; Deploy Mitigation] [Plot: Risk reduced window (from disclosure time) across all vulnerabilities; x-axis: timeline; y-axis: Proportion of vulnerabilities] [Other labels: Trusted Infrastructure; Policy, process, people, technology & operations; Assurance & Situational Awareness; Security Analytics; Economics/Threats/Investments]
  • 9. Stewardship in the Cloud Ecosystem [Diagram labels: Implications; Service Consumer; SaaS Provider; IaaS Provider] Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 10. The Enterprise Cloud Consumer [Diagram labels: Business; IT Dept; CISO/CIO; staff; infrastructure; Fulfill need; Public Cloud; Private/Community Cloud] Source: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 11. Cloud Computing: Implications – Enterprise: Paradigm Shift from “Close & Controlled” IT Infrastructures and Services to Externally Provided Services and IT Infrastructures – Private User: Paradigm Shift from Accessing Static Set of Services to Dynamic & Composable Services – General Issues: • Assurance (and Trust) about Security and Business Practices • Potential Loss of Control (on Data, Infrastructure, Processes, etc.) • Data & Confidential Information Stored in The Clouds • Management of Identities and Access (IAM) in the Cloud • Compliance to Security Practice and Legislation • Privacy Management (Control, Consent, Revocation, etc.) • New Threat Environments • Reliability and Longevity of Cloud & Service Providers
  • 12. Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 13. Current Trends of Relevance 1. Increasing Adoption of Services in the Cloud 2. (IT) Consumerisation of the Enterprise
  • 14. Adoption of Services in the Cloud
  • 15. Services in the Cloud [1/2] • Growing adoption of IT Cloud Services by People and Companies, in particular SMEs (cost saving, etc.) • Includes: • Datacentre consolidation and IT Outsourcing • Private Cloud/Cloud Services • Public Cloud Services - Amazon, Google, Salesforce, … • Gartner predictions about Value of Cloud Computing Services: • 2008 : $46.41 billion • 2009 : $56.30 billion • 2013 : $150.1 billion (projected) • NOTE: these Trends are less obvious for Medium-Large Organisations and Gov Agencies [Diagram labels: Cloud Computing Services; Org; Org; Org]
  • 16. Services in the Cloud [2/2] • Some statistics about SMEs’ usage of Cloud Services (Source: SpiceWorks): Data Backup : 16%; Email : 21.2%; Application : 11.1%; VOIP : 8.5%; Security : 8.5%; CRM : 6.2%; Web Hosting : 25.4%; eCommerce : 6.4%; Logistics : 3.6%; Do not use : 44.1% • Cloud initiatives from Governments → see UK g-Cloud Initiative http://johnsuffolk.typepad.com/john-suffolk---government-cio/2009/06/government-cloud.html [Diagram labels: Cloud Computing Services; Org; Org; Org]
  • 17. Personal Cloud Services • User-driven, Personal Cloud Services: - Multiple Interconnected Devices - Multiple Online Services - Multiple Data Sources and Stores • Forrester’s Prediction (by Frank Gillet): - Growing role of Personal Cloud Services and Decreasing Relevance of traditional Operating Systems …
  • 18. Opportunities and Threats • Opportunities: • Cost cutting • Further enabler of IT Outsourcing (medium-large organisations) • Better & cheaper services • No lock-in situation with a service provider • … • Threats: • Potential lack of control on Data and Processes • Proliferation of data and PII information • Reliability and Survivability Issues • Data protection and Privacy • Reliance on third party …
  • 19. (IT) Consumerisation of the Enterprise
  • 20. Traditional (IT) Enterprise Model • Key role of CIOs/CISOs, Legal Departments, etc. in defining Policies and Guidelines • Controlled and Centralised IT Provisioning • IT Infrastructures, Services and Devices Managed by the Organisation [Diagram labels: IT Services; Storage; Servers; Corporate Devices; Corporate IT (security) Policies, Provisioning & Management; Enterprise]
  • 21. Towards Consumerization of (IT) Enterprise New Driving Forces: • IT Outsourcing • Employees using their own Devices at work • Adoption of Cloud Services by Employees and the Organization • Blurring Boundaries between Work and Personal Life • Local Decision Making … [Diagram labels: Enterprise; IT Services; Storage; Servers; Personal Devices; Storage; Servers; Services; Cloud Services]
  • 22. Opportunities and Threats • Opportunities for Employees and Organisations: • Empowering users • Seamless experience between work and private life • Cost cutting • Better service offering • Transformation of CIO/CISO roles … • Threats: • Enterprise data stored all over the place: Potential Data losses … • Lack of control by organisation on users’ devices: potential security threats • …
  • 23. © Copyright 2010 Hewlett-Packard Development Company, L.P.23 Cloud Computing: Requirements – Simplified Management of Identities and Credentials – Need for Assurance and Transparency about: • (Outsourced) Processes • Security & Privacy Practices • Data Lifecycle Management – Compliance to Regulation, Policies and Best Practice • Need to redefine what Compliance means in The Cloud – Accountability – Privacy Management: Control on Data Usage & Flows – Reputation Management
  • 24. © Copyright 2010 Hewlett-Packard Development Company, L.P.24 Cloud Computing: Initiatives Recent General Initiatives aiming at Shaping Cloud Computing: – Open Cloud Manifesto • Making the case for an Open Cloud – Cloud Security Alliance • Promoting Best Security Practices for the Cloud – Jericho Forum • Cloud Cube Model: Recommendations & (Security) Evaluation Framework – …
  • 25. © Copyright 2010 Hewlett-Packard Development Company, L.P.25 Outline • Background on Cloud Computing • Impact on Enterprise’s Security Lifecycle Management • Current Trends, Requirements and Cloud Computing Initiatives • Future Directions: related R&D Work by HP Labs • Conclusions
  • 26. © Copyright 2010 Hewlett-Packard Development Company, L.P.26 Some Future Directions • Trusted Infrastructure • Security Analytics • Cloud Stewardship Economics • Privacy Management
  • 27. © Copyright 2010 Hewlett-Packard Development Company, L.P.2727 © Copyright 2010 Hewlett-Packard Development Company, L.P. Trusted Infrastructure
  • 28. © Copyright 2010 Hewlett-Packard Development Company, L.P.28 Trusted Infrastructure Enterprise Data Storage Service Office Apps On Demand CPUsPrinting Service Cloud Provider #1 Cloud Provider #2 Internal Cloud CRM Service … Service 3 Backup Service ILM ServiceService Service Service Business Apps/Service Employee User … … … The Internet Trusted Client Devices Trusted Client Infrastructure Trusted Client Infrastructure Trusted Client Infrastructure • Ensuring that the Infrastructural IT building blocks of the Enterprise and the Cloud are secure, trustworthy and compliant with security best practice • Trusted Computing Group (TCG) / • Impact of Virtualization TCG: http://www.trustedcomputinggroup.org
  • 29. © Copyright 2010 Hewlett-Packard Development Company, L.P.29 Trusted Infrastructure: Trusted Virtualized Platform Personal Environment Win/Lx/OSX Corporate Productivity OS Remote IT Mgmt Home Banking Corporate Production Environment OS E-Govt Intf. Corp. Soft Phone Trusted Hypervisor Secure Corporate (Government) Client Persona Personal Client Persona Trusted Corporate Client Appliance Trusted Personal Client Appliances online (banking, egovt) or local (ipod) Services managed from cloud HP Labs: Applying Trusted Computing to Virtualization
  • 30. © Copyright 2010 Hewlett-Packard Development Company, L.P.30 Paradigm Shift: Identities/Personae as “Virtualised Environment” in the Cloud Trusted Hypervisor End-User Device MyPersona1+ Virtualised Environment1 MyPersona2+ Virtualised Environment2 Bank Gaming Community Services … Using Virtualization to push Control from the Cloud/Service back to the Client Platform •User’s Persona is defined by the Service Interaction Context •User’s Persona & Identity are “tight” to the Virtualised Environment •Persona defined by User or by Service Provider •Potential Mutual attestation of Platforms and Integrity Trusted Domain
  • 31. Security Analytics
  • 32. Security Analytics: Putting the Science into Security Management
  • 33. Complexity, Costs, Threats and Risks are All Increasing
      Trying harder is not enough – we have to get smarter
  • 34. Problems with Security Investments
      – Security Investments affect multiple outcomes: budget, confidentiality, integrity, availability, …
      – In most situations these outcomes can only be predicted with high degrees of uncertainty
      – Often the outcomes are inter-related (trade-off) and the link to investments is poorly understood
      – Classical business justification/due diligence (Return on Security Investment, cost benefit analysis) encourages these points to be glossed over
  • 35. Security Analytics
      – Providing Strategic Decision Support to Decision Makers (e.g. CIOs, CISOs, etc.)
      – Using Modelling and Simulation to Represent Process, IT Systems, Interactions, Human Behaviours and their Impact on Aspects of Relevance: Security Risks, Productivity, Costs
      – Carry out “What-If” Analysis and Make Predictions, based on Alternative Investments, Threat Environments, etc.
  • 36. Security Analytics: Integrating Scientific Knowledge
      • Economic Theory (utility, trade offs, externalities, information asymmetry, incentives)
      • Applied Mathematics (probability theory, queuing theory, process algebra, model checking)
      • Experiment and Prediction (Discrete event modelling and simulation)
      • Empirical Studies (Grounded theory, discourse analysis, cognitive science)
      • CISO / CIO / Business
      • Security/Systems Domain knowledge
      • Business Knowledge
  • 37. PACKAGED SECURITY ANALYTICS
      Transforming security management to one based on scientific rigor
      – Launched at Infosec 2010 as part of Security Business Intelligence
      – Based on VTM/IAM case studies
      – Iterative engagement approach to define the problem and explore possible solutions and their tradeoffs
      – Generation of full report
      Application of Security Analytics to Cloud Stewardship Economics
  • 38. Cloud Stewardship Economics
  • 39. UK Government Founded Collaborative Initiative
      – Cloud Stewardship Economics:
          • Economics & System Modelling -> Cloud Eco-Systems
          • Aberdeen University, Bath University, IISP, Lloyds of London, Marmalade Box, Sapphire, Validsoft
      Source & Contacts: HP Labs, Systems Security Lab (SSL), Bristol, UK – Simon Shiu, Adrian Baldwin
  • 40. The Cloud Ecosystem
      [Diagram labels: Consumer; Small Business; Enterprise; Government Department; CRM aa Service; Bundled Portal aa Service; Comms aa Service; CPU Service; Infrastructure Service; Secure Archive Storage Service; 24*7 Available Storage Service; Pure Service Consumers; Pure Service Providers; Service Consumer/Providers]
  • 41. Stewardship in the Cloud Ecosystem
      [Diagram labels: Consumer; Small Business; Enterprise; Government Department; CRM aa Service; Bundled Portal aa Service; Comms aa Service; CPU Service; Infrastructure Service; Secure Archive Storage Service; 24*7 Available Storage Service; Confidentiality; Integrity; Availability; requirements; expectations; Obligations; preferences; incentives; Procurement & Consuming]
  • 42. Summary of Cloud Stewardship Issues
      – Cloud
          • Multiple stakeholders
          • Complex Supply Chains
          • Procurement Challenges
      – Stewardship
          • Where information is
          • Who is accountable, and responsible
          • Who can see or change information
          • Assurance
          • Liability (with longevity)
  • 43. Cloud Ecosystem Economics
      Key ideas that are guiding our empirical work
      – Micro Economics
          • Information Asymmetry – As the service provider I know more about the costs and risks of handling your data than you or any regulator
          • Externalities; Public/Club Goods – Being secure costs me more than I gain, even though others in the community gain too.
          • Heterogeneity of services & users – How do we value bundled security characteristics & develop associated product and pricing strategies
      – Macro Economics
          • Aggregate drivers and effects
      – … As well as applying preference, utility, system modelling to this context
  • 44. Privacy Management
  • 45. Privacy Management
      TSB EnCoRe Project - EnCoRe: Ensuring Consent and Revocation
      UK Government Collaborative Project – http://www.encore-project.info/
      “EnCoRe is a multi-disciplinary research project, spanning across a number of IT and social science specialisms, that is researching how to improve the rigour and ease with which individuals can grant and, more importantly, revoke their consent to the use, storage and sharing of their personal data by others”
      - Problem: Management of Personal Data (PII) and Confidential Information driven by Consent & Revocation
      Contact: HP Labs, Systems Security Lab (SSL), Bristol, UK – Pete Bramhall
  • 46. EnCoRe: Enabling the Flow of Identity Data + Consent/Revocation
      [Diagram labels: Enterprise; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; Cloud Provider #1; Cloud Provider #2; CRM Service; Delivery Service; Service 3; Backup Service; ILM Service; User; The Internet; Identity Data & Credentials + Consent/Revocation]
  • 47. EnCoRe: Explicit Management of Consent and Revocation
      [Diagram labels: Enterprise; Data Storage Service; Office Apps; On Demand CPUs; Printing Service; Cloud Provider #1; Cloud Provider #2; CRM Service; Service 3; Backup Service; ILM Service; User; The Internet; EnCoRe ToolBox]
  • 48. EnCoRe Project
      – Various Case Studies:
          • Enterprise Data
          • Biobank
          • Assisted Living
      – Press Event: 29/06/2010
          http://www.v3.co.uk/v3/news/2265665/hp-working-privacy-tool
          http://finchannel.com/Main_News/B_Schools/66174_LSE%3A_Turning_off_the_tap_for_online_personal_data_-_prototype_system_unveiled_by_EnCoRe_/
      – Technical Architecture and Solutions available online: http://www.encore-project.info/
  • 49. Outline
      • Background on Cloud Computing
      • Impact on Enterprise’s Security Lifecycle Management
      • Current Trends, Requirements and Cloud Computing Initiatives
      • Future Directions: related R&D Work by HP Labs
      • Conclusions
  • 50. Conclusions
      – Cloud Computing is Happening Now
      – Different Drivers and Needs – but Cost Cutting is currently Dominating
      – Different attitudes and risk exposures based on type of Companies (SMEs, Medium-large Enterprise, Government Agencies)
      – It is not really a Matter of Technology
      – Little understanding of the overall Security, Trust and Privacy Implications
      – Need for more Assurance, Accountability and Transparency
  • 51. Q&A
      More Information: Marco Casassa Mont, HP Labs, marco.casassa-mont@hp.com
      http://www.hpl.hp.com/personal/Marco_Casassa_Mont/

Editor's Notes

  1. Earlier I said that we want to create a virtualization system that could be attested to, i.e. that we could make a strong statement as to the trustworthiness of its current state. So I want to spend a few moments expanding on this. Explain what a chain of trust is. We want to build systems that are immune from s/w attacks. So we build a chain of trust which is anchored in h/w, which gives us a resilience to s/w attacks. It starts with the TPM (crypto device) that is bound to the motherboard, and we guarantee that this device will be in a known state when initially powered on. Associated with this is a Core Root of Trust for Measurement (CRTM), which is the BIOS boot block code; it can’t itself be measured but it is a piece of code which is considered trustworthy. It reliably measures the integrity value of other code, and stays unchanged during the lifetime of the platform. The CRTM is an extension of the normal BIOS, which will be run first to measure other parts of the BIOS block before passing control. The BIOS then measures the hardware and the bootloader, and passes control to the bootloader. The bootloader measures the VMM kernel and passes control to the VMM, and so on. What you end up with is a chain of trust with a measurement value that can be used for attestation. The TPM stores measurements and can cryptographically report on those measurements to requesting parties (attestation). Essentially, the TPM signs the measurement (which is a cryptographic hash) so that the one asking for the measurement can know that it was measured by a real TPM. The requestor then checks this measurement against a known good value to determine whether or not this system can be trusted. This is an important feature of these TCG TPMs but one that has not yet been fully exploited. What we are doing within our project is to create an Integrity Measurement and Attestation framework, specifically designed for measuring the VMM and its supporting security services so that it can attest itself to other platforms that request verification. At its lowest level it will utilize TCG TPM hardware technology and associated CPU / chipset support such as the Intel (TXT) / AMD (SVM) for DRTM (Dynamic Root of Trust) mechanisms [Grawrock 2006]. Our planned approach diverges from existing integrity measurement systems in regard to its explicit support for the needs of virtualized systems, such as chains of trust that can be safely dynamically modified [Cabuk et al. 2008a] and the support for tying the integrity of several VMs together into a single attestable and verifiable entity. TXT allows us, in combination with the TPM, to ensure that either a Measured Launch Environment (MLE) or a Controlled Launch Environment (CLE) can be started. MLEs allow any code sequence to run, but generate a launch record which is difficult to forge by an alternative startup sequence. Controlled Launch allows us to refuse to start a particular code image unless the hardware has followed an already approved execution path. We have some functional code which demonstrates MLE, and the functionality to enforce CLE is being developed now.
  2. Most security strategy, policy and investment decisions are based on intuition and best practices. Security Analytics is about using scientific methods to make security management rigorous and evidence-based.
  3. We believe this is more necessary as information security gets harder. With cloud computing, virtualization, consumerization, more business reliance on IT – and pressure on the IT budget – it gets harder to justify any expenditure, and yet with the burgeoning threat environment this must be done. Yes, we can continue to try harder, but it feels like a change in approach is needed, one where we get smarter – hence security analytics.
  4. Today most security teams have good knowledge about IT and are working hard to align this with business knowledge. We are looking to take this further to make business-aligned security decisions based on simulation and prediction. To support this we are using appropriate economic and mathematical tools.
  5. This is part of an ongoing ambitious research programme, and our first deliverable is to offer a packaged Security Analytics services engagement, together with the tools and methodology, for both Vulnerability and Threat Management, and also for Identity and Access Management. Starting with an initial workshop to explore your unique security challenges and identify the strategic priorities, appropriate models will be created and explored to determine the possible outcomes of key security decisions which are available to you. At the end of the exercise you will receive a full report documenting the challenges addressed, the options explored and conclusions drawn.
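
The chain of trust and attestation check described in note 1, as an added Python example that is not part of the original deck or of any HP Labs code. Assumptions: SHA-256 as the hash (the notes do not name one), an HMAC standing in for the TPM's signature, a register named PCR as in TCG terminology, and constructed stage images and key.

```python
import hashlib
import hmac

ZERO_PCR = bytes(32)  # the register is in a known state at power-on

def measure(image: bytes) -> bytes:
    """Integrity value of a code image: its cryptographic hash."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """A PCR cannot be set, only extended: new = H(old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(stages):
    """Measure each stage before control passes to it; return (PCR, event log)."""
    pcr, log = ZERO_PCR, []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log

def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Assumption: HMAC stands in for the TPM's asymmetric signature over PCR + nonce."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def verify(key, nonce, pcr, sig, log, known_good) -> str:
    """Requestor side: authentic quote, log consistent with PCR, values known-good."""
    if not hmac.compare_digest(quote(key, pcr, nonce), sig):
        return "bad quote"
    replayed = ZERO_PCR
    for _, m in log:
        replayed = extend(replayed, m)
    if replayed != pcr:
        return "log does not match PCR"
    for name, m in log:
        if known_good.get(name) != m:
            return f"untrusted: {name}"
    if [name for name, _ in log] != list(known_good):
        return "unexpected boot sequence"
    return "trusted"

# Constructed sample images and key (hypothetical, for illustration only).
GOOD_STAGES = [("bios", b"bios v1"), ("bootloader", b"loader v1"), ("vmm", b"vmm kernel v1")]
KNOWN_GOOD = {name: measure(image) for name, image in GOOD_STAGES}
KEY = b"constructed-attestation-key"
```

Because each extend folds the previous register value into the next, a modified bootloader changes the final value even if every later stage is genuine, and a log that hides the change no longer replays to the quoted value.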