Peering Through *the Cloud*

Presented to Forrester's Security Forum EMEA 2010
By Gray Williams
Introduction

• Gray Williams - Biography
   – TATA Communications (GM & Sr Dir PLM; 06 to present)
   – KillPhish (Founder)
   – Cybertrust (Dir Prod Mngmnt)
   – SafeNet (VP/Dir Prod Mngmnt & Marketing)
   – INS/Lucent Technologies (Sales & Biz Dev)
   – AT&T (Sales NAM)
“the soothing light at the end of the tunnel…”
   - The Business
   - Pro-Cloud Crowd

“…is it just a freight train comin’ your way?”
   - Metallica
   - Anti-Cloud HW/SW crowd
   - Assorted CSO’s
Framing the Debate

Mind-map nodes:
SECURITY: Confidentiality, Integrity, Availability; APT, CNA
RISK: Legal, Technical, Compliance
CLOUD, what it is: Private, Public; SOA, VM, *aaS
CLOUD, why it is: Economics (Efficiency, Effectiveness, Cost, Agility); The Business, IT/DC
CONTROL?
Today / Tomorrow? Billions $$ at stake in a tech land-grab
Guidance: NIST, ENISA, Jericho Forum, CloudAudit/A6, Cloud Security Alliance
“A model for enabling convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - NIST Oct 09

1. Illusion of infinite, on-demand resources
2. No upfront capex commit
3. Pay for what you need, as you go
   - Above the Clouds: A Berkeley View of Cloud Computing, Feb 2009

“Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building” - Tim O'Reilly
Enterprise: Slow Adoption

   – Want ROI on existing investment & time invested making IT a trusted resource
   – 53% fail to see how cloud can save them money
   – 57% surveyed said they were not happy to run applications and store data on servers outside their country for security reasons
   – 21% think that doing business in the cloud is not a security concern.
   – 53% are concerned about IP being stored in a public cloud because of potential security breaches
   – 44% believe they deal with information that is so sensitive it could never be stored in the cloud.
   Source: BT's Enterprise Intelligence survey

   • Single tenancy / Multi-tenancy
   • Isolated data / co-mingled data
   • Dedicated security / socialist security
   • On-premise / Off-premise
The overall risk profile for cloud compute has not yet come into full view

“Cloud Computing is great™… …until it isn’t.”
   Source: Me
CLOUD SECURITY ISSUES ARE REAL

Traditional Security Issues:
 1. Shared Tech - VM Attacks
 2. Provider Vulnerabilities
 3. Phishing Provider
 4. Expanded Network Attack Surface
 5. Authentication & Authorization
 6. Forensics

Availability:
 1. Uptime
 2. Single Point of Failure
 3. Integrity assurance

New Challenges:
 1. Privacy
 2. Nefarious Use (DDoS, Malware)
 3. Effective Authentication
 4. Authorization (mashup)

3rd party Control:
 1. Due Diligence
 2. Audit (Geo-Regulated Data)
 3. Contractual Obligations
 4. Espionage
 5. Data Lock-In
 6. Transitive (Subcontractors)

   - Controlling Data in the Cloud, Nov 2009
% of 62 real‐world UK breaches in various levels of PCI‐DSS compliance (chart)
   Source: 7Safe Breach Report Jan 2010
INTERNAL IT SECURITY IS CRASHING & BURNING
ISSUES ARE REAL.

120 of 600 surveyed had been victimized by attacks similar to Google
66% said the attacks had harmed company operations
54% said their company had been the subject of infiltration in the last 2 yrs
24% expect a major cybersecurity incident in the next year
   - McAfee, Critical Infrastructure in the Age of Cyberwar, Feb 2010
Top 3 Objections: Public vs Private

1. Security
2. Availability
3. Performance
4. CONTROL
   Source: IDC
Public cloud providers can’t have their cake and eat it too…

Must Have:
• Sufficient Security Defenses
• Sufficient Monitoring
• Adequate Support
• Transparency
Private Cloud Top 3 Objectives:
1. Preserving confidentiality, integrity and availability
2. Maintaining appropriate levels of identity and access control
3. Ensuring appropriate audit and compliance capability
Recommendations

GENERAL: Create policy on acceptable use
SPECIFIC:
• Identify candidate data/processes/functions
• Perform risk assessment on each asset
   – Explore legal, regulatory and audit issues 1st
   – Conduct 3rd party internal/external VA and audit
   – Explore geo-location specific offerings
   – Demand full subcontracting disclosures, detailed security framework and DR procedures for the whole ecosystem (partner chain)
• Map findings to potential deployment models & vendors
• Standard risk and governance controls apply (ISO 27001/2 and BS25999; NIST SP 800-70/60/53/37/30/18; FIPS 199/200)
What if…

•   the asset became widely public and widely distributed?
•   the process or function were manipulated by an outsider?
•   the process or function failed to provide expected results?
•   the information/data were unexpectedly changed?
•   the asset were unavailable for a period of time?
•   we could not satisfy regulatory/compliance requirements?
   Source: Cloud Security Alliance
Recommended Reading
Special Thanks

•   Chris Hoff rationalsurvivability.com
•   PARC: Richard Chow, Philippe Golle, Markus Jakobsson, Ryusuke Masuoka, Jesus Molina; Fujitsu: Elaine Shi, Jessica Staddon
•   Lisa J. Sotto, Bridget C. Treacy, Melinda L. McLellan, Hunton & Williams
•   Andrew Becherer, Alex Stamos, Nathan Wilcox, ISEC Partners
•   David Linthicum infoworld.com/d/cloud-computing
•   Paul Murphy blogs.zdnet.com/Murphy
•   Peter Mell, Tim Grance, NIST
•   Prof Carsten Maple, Univ Bedfordshire
•   Alan Phillips, Ben Morris, 7Safe
•   Gunnar Peterson 1raindrop.typepad.com
•   Joel Dubin, CISSP
•   Richard Bejtlich, TaoSecurity.com
•   ENISA
•   Cloud Security Forum
   Source: Chris Hoff
Thank you.
Contact
Gray Williams

Back‐up Slides & other DVD extras
TCO to Public Cloud
2.4 Xeon Dual Core, 16Gb RAM, 140Gb HD, Windows Pro plus Install/Support

                                              CAPEX     Finance   Public Cloud
  Capex                                       $3,589
  Cost of capital                                       12%
  Term in months                              48        48
  Cost MRC                                    $98       $98
  Management & Power
    $100k per admin, 100 servers              $83       $83
    (Watts*hrs used/1000) x cost per kW/hr    $18       $18
  TOTAL Monthly Cost                          $200      $199      $54

  100% Utilization during Biz Hrs (hours)     160       160       160
  Hourly Recurring Charge                     $1.25     $1.25     $0.34
In Conclusion

• This is actually something to be really happy about; people who would not ordinarily think about security are doing so
• While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices
• Sure, Bad Things™ will happen
• But, Really Smart People™ are engaging in meaningful dialog & starting to work on solutions
• You’ll find that much of what you have works...perhaps just differently; setting expectations is critical
• Adopt a risk assessment methodology. Classify assets and data, and segment.
• Interrogate providers; use the same diligence as for outsourced services and focus on resilience/recovery, SLA’s, confidentiality, privacy and segmentation
• Match both business and security requirements against the various delivery models and define the gaps
Who has Control?

Services likely to be outsourced

1. Lack of standards. All clouds are different. Each one must be investigated and analyzed to understand its capabilities and weaknesses. The technical basis for digital trust must be created for each cloud.
2. Lack of portability. Every cloud creates its own processing climate. Any digital trust obtained by one cloud environment does not transfer to any other.
3. Lack of transparency. All clouds are opaque. Neither technology nor process is easily visible. It is almost impossible to generate digital trust when transparency is absent.
   Source: ENISA
Business Drivers (chart)
   Source: ENISA

Issues (chart)
   Source: ENISA
SMB vs Enterprise (chart)

Case Studies
NASDAQ and the New York Times

• New York Times
   – Didn’t coordinate with Amazon, used a credit card!
   – Used EC2 and S3 to convert 15M scanned news articles to PDF (4TB data)
   – Took 100 Linux computers 24 hours (would have taken months on NYT computers)
   – “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, Nasdaq
• Nasdaq
   – Uses S3 to deliver historic stock and fund information
   – Millions of files showing price changes over 10 minute segments
   – “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP
   – Created lightweight Adobe AIR application to let users view data
Government Use of Public Cloud

• 5,000+ Public Sector and Nonprofit Customers use Salesforce

• President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application
   – Concept to Live in Three Weeks
   – 134,077 Registered Users
   – 1.4 M Votes
   – 52,015 Ideas
   – Peak traffic of 149 hits per second

• US Census Bureau Uses Salesforce.com Cloud Application
   – Project implemented in under 12 weeks
   – 2,500+ partnership agents use Salesforce.com for 2010 decennial census
   – Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure
“Cybercrime isn’t conducted by 15-year-olds experimenting with viruses”

“Well-funded…..pursued by professionals with deep financial and technical resources, often with government toleration if not outright support.”

“Responsible for billions of dollars in losses…it is growing and becoming more capable.”

60-minutess-secureworks-russian-cybercriminal-goof

   Source: Eugene Spafford, Purdue; “CyberWarriors”, the Atlantic, March 2010
“More than 40 states have developed IO doctrines or capabilities…”
…and this…

“Militaries now have the capability to launch damaging cyber attacks against critical infrastructure, but serious cyber attack independent of a larger military conflict is unlikely.”
   - CSIS, America’s failure to protect cyberspace, 2008

“…but the main damage done to date through cyberwar has involved not theft of military secrets nor acts of electronic sabotage but rather business‐versus‐business spying.”

“A shortcut on the ‘D’ of R&D”
   - CyberWarriors, The Atlantic, March 2010
New Issues, Same Governance

Environment (chart)
   Source: 7Safe Breach Report Jan 2010

Attack Sophistication
Government Use of Public Cloud

• New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project
   – Uses Salesforce.com to run its call center, incident management, complaint tracking, and service portal
   – 600% More Inquiries Handled
   – 0 New Agents Required
   – 36% Improved Response Time

• U.S. Army uses Salesforce CRM for Cloud‐based Recruiting
   – U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center.
   – Uses Salesforce.com to track all core recruitment functions, allowing the Army to save time and resources.
PCI DSS Dirty Dozen
   - Symantec 2009

SMB:
   – Minimize complexity & cost
   – Eliminate the need to own
   – Value outweighs risk, Outsource everything
What businesses were breached: (chart)
   Source: 7Safe Breach Report Jan 2010

What information was targeted: (chart)
   Source: 7Safe Breach Report Jan 2010

Not an inside job… (chart)
   Source: 7Safe Breach Report Jan 2010

Targeted Asset (chart)
   Source: 7Safe Breach Report Jan 2010

Exploit

Origin
SaaS Division of Responsibilities

Customer:
• Compliance with data protection law in respect of customer data collected and processed
• Maintenance of identity management system
• Management of identity management system
• Management of authentication platform (including enforcing password policy)

Provider:
• Physical support infrastructure (facilities, rack space, power, cooling, cabling, etc)
• Physical infrastructure security and availability (servers, storage, network bandwidth, etc)
• OS patch management and hardening procedures (check also any conflict between customer hardening procedure and provider security policy)
• Security platform configuration (Firewall rules, IDS/IPS tuning, etc)
• Systems monitoring
• Security platform maintenance (Firewall, Host IDS/IPS, antivirus, packet filtering)
• Log collection and security monitoring
   Source: ENISA
Reducing Risk

•   Identify what’s most important
•   Identify where vulnerabilities exist
•   Isolate the probable
•   Quantify
•   Identify the most effective & efficient prevention
•   Have a pre‐approved incident response plan
•   Test, Evaluate and Improve

Examples
One Proposal for the Here and Now…
The best defense is a good offense?

“We spend more time on the computer network attack business than we do on computer network defense because so many people at very high levels are interested”
   - Former CNA commander, Air Force Maj. Gen. John Bradley

“…but Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and intelligence agencies have been spending billions.”
