WHAT IS CLOUD COMPUTING REALLY? Scott Clark, Chicago Chapter President, Cloud Security Alliance.

Presentation transcript:

1 WHAT IS CLOUD COMPUTING REALLY? Scott Clark, Chicago Chapter President, Cloud Security Alliance

2 The Blind Men and the Cloud
It was six men of Info Tech
To learning much inclined,
Who went to see the Cloud
(Though all of them were blind),
That each by observation
Might satisfy his mind.

3 The Blind Men and the Cloud
The First approached the Cloud,
So sure that he was boasting:
"I know exactly what this is…
This Cloud is simply Hosting."

4 The Blind Men and the Cloud
The Second grasped within the Cloud,
Saying, "No, it's obvious to me,
This Cloud is grid computing…
Servers working together in harmony!"

5 The Blind Men and the Cloud
The Third, in need of an answer,
Cried, "Ho! I know its source of power:
It's a utility computing solution
Which charges by the hour."

6 The Blind Men and the Cloud
The Fourth reached out to touch it,
It was there, but it was not.
"Virtualization," said he,
"That's precisely what we've got!"

7 The Blind Men and the Cloud
The Fifth, so sure the rest were wrong,
Declared, "It's SaaS, you fools,
Applications with no installation,
It's breaking all the rules!"

8 The Blind Men and the Cloud
The Sixth (whose name was Benioff),
Felt the future he did know,
He made haste in boldly stating,
This *IS* Web

9 The Blind Men and the Cloud
And so these men of Info Tech
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were partly wrong!
Sam Charrington & Noreen Barczweski © 2009, Appistry, Inc

10 Agenda
– Introduction to Cloud Computing
– What is Different in the Cloud?
– CSA Guidance
– Additional Resources

11 This Cloud is simply Hosting

12 (image slide; no text)

13 Evolution of Hosting: CUSTOM – Co-Location … COMMODITY – Cloud Service Providers

14 Evolution of Data Centers – closest to power plants. Google Data Center, State of Oregon, Columbia River: 103 megawatt data center on 30 acres, near a 1.8 GW hydropower station.

15 Data Center is the new Server

16 POD Computing

17 (image slide; no text)

18 Google's low-cost commodity server

19 Is This New?? Berkeley credited Cluster of Servers Started in

20 (image slide; no text)

21 (image slide; no text)

22 (image slide; no text)

23 (image slide; no text)

24 Broadband Network Access

25 (image slide; no text)

26 Rapid Elasticity

27 (image slide; no text)

28 Measured Service – risk of over-provisioning: underutilization (unused resources). Static data center. (chart: Resources vs. Time, showing Demand and Capacity)

29 Measured Service – heavy penalty for under-provisioning: lost revenue, lost users. (three charts: Resources vs. Time (days) 1–3, each showing Demand and Capacity)

30 Measured Service – pay by use instead of provisioning for peak. Static data center vs. data center in the cloud. (two charts: Resources vs. Time, each showing Demand and Capacity) Source: Above The Clouds
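Slides 28–30 make their point with three pictures: capacity fixed at peak wastes resources, capacity fixed below peak loses users, and capacity that follows demand does neither. The following program is an added example written for this transcript, not code from the slides or from the "Above The Clouds" report it cites; it puts numbers on those three pictures over one constructed 24-hour demand series. The demand values, the 1-hour provisioning lag and the 20% headroom are assumptions chosen for illustration; the lag and headroom are there because, in practice, elastic capacity is never provisioned instantly, so a real cloud deployment still shows a little of both effects.

```go
package main

import "fmt"

// Outcome sums, over the whole demand series, what a provisioning strategy
// pays for, wastes (over-provisioning) and turns away (under-provisioning).
type Outcome struct {
	Capacity       []int // units provisioned in each hour
	PaidHours      int   // unit-hours billed
	UnusedHours    int   // unit-hours paid for but idle: slide 28's "unused resources"
	UnservedDemand int   // unit-hours of demand with no capacity: slide 29's lost users
}

func evaluate(demand, capacity []int) Outcome {
	o := Outcome{Capacity: capacity}
	for i, d := range demand {
		o.PaidHours += capacity[i]
		if capacity[i] >= d {
			o.UnusedHours += capacity[i] - d
		} else {
			o.UnservedDemand += d - capacity[i]
		}
	}
	return o
}

// PeakDemand is the static data center's sizing rule: provision for peak.
func PeakDemand(demand []int) int {
	peak := 0
	for _, d := range demand {
		if d > peak {
			peak = d
		}
	}
	return peak
}

// StaticCapacity models the static data center on slides 28-30: a fixed
// number of units, whatever demand does.
func StaticCapacity(demand []int, fixed int) Outcome {
	capacity := make([]int, len(demand))
	for i := range capacity {
		capacity[i] = fixed
	}
	return evaluate(demand, capacity)
}

// ElasticCapacity models the cloud data center on slide 30 with a realistic
// caveat: capacity follows the demand observed lagHours earlier (provisioning
// is not instant), padded by headroomPct percent to absorb growth during the
// lag. Integer arithmetic rounds up, so capacity is a whole number of units.
func ElasticCapacity(demand []int, lagHours, headroomPct int) Outcome {
	capacity := make([]int, len(demand))
	for i := range demand {
		j := i - lagHours
		if j < 0 {
			j = 0
		}
		capacity[i] = (demand[j]*(100+headroomPct) + 99) / 100
	}
	return evaluate(demand, capacity)
}

// Demand is a constructed 24-hour series of units needed per hour: a quiet
// night, a working day around 40 units, and an evening spike to 100.
var Demand = []int{10, 8, 6, 5, 5, 6, 12, 20, 30, 35, 38, 40, 42, 40, 38, 36, 40, 60, 90, 100, 70, 40, 25, 15}

func main() {
	rows := []struct {
		name string
		o    Outcome
	}{
		{"static, sized for peak (slide 28)", StaticCapacity(Demand, PeakDemand(Demand))},
		{"static, sized for a normal day (slide 29)", StaticCapacity(Demand, 40)},
		{"elastic, 1 h lag, 20% headroom (slide 30)", ElasticCapacity(Demand, 1, 20)},
	}
	for _, r := range rows {
		fmt.Printf("%-42s paid %5d  unused %5d  unserved %5d\n",
			r.name, r.o.PaidHours, r.o.UnusedHours, r.o.UnservedDemand)
	}
}
```

Run it and the static-at-peak row pays for 2400 unit-hours to serve 811, the static-at-40 row turns away 162 unit-hours of demand during the spike, and the elastic row pays for 972 while still missing 45 during the steepest ramps; setting the lag and headroom to zero tracks demand exactly, which is the idealised picture on slide 30.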

31 (image slide; no text)

32 Resource Pooling = Virtualization. Traditional stack: Hardware → Operating System → App. Virtualized stack: Hardware → Hypervisor → multiple OS → App stacks.

33 Server Virtualization

34 Storage Virtualization

35 Network Virtualization. Physical (application on a ToR switch): High CapEx, Low Utilization, High Complexity, Change-Resistant. Virtualized (application VMs): Platform-Independent, Razor-Thin CapEx, Superio…, Deploy anywhere, Elastic scalability, Interfaces with provisioning & orchestration systems, Evolves with rapidly changing network architectures, Utility licensing model.

36 (image slide; no text)

37 Case Study – Genentech needed a supercomputer to examine how proteins bind together. Using Genentech's own resources would have taken weeks or months to gain access and run the program. Created a 10,000-core cluster leveraging Amazon's EC2.

38 Completed in 8 hours! Genentech's cost = $8,480!
– Infrastructure: 1250 instances with 8 cores / 7 GB RAM each
– Cluster size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total
– Scale: comparable to #114 on the Top 500 supercomputer list
– Security: engineered with HTTPS & 128/256-bit AES encryption
– User effort: single click to start the cluster
– Start-up time: thousands of cores in minutes, full cluster in 45 minutes
– Up-front capital investment/licensing fees: $0
– Total CycleCloud and infrastructure cost: $1,060/hour

39 (image slide; no text)

40 Delivery Models
Utility computing (IaaS)
– Why buy machines when you can rent cycles?
– Examples: Amazon's EC2, GoGrid, AppNexus
Platform as a Service (PaaS)
– Give me a nice API and take care of the implementation
– Examples: Google App Engine, Force.com
Software as a Service (SaaS)
– Just run it for me!
– Examples: Gmail, Salesforce.com and NetSuite
Why do it yourself if you can pay someone to do it for you?

41 (image slide; no text)

42 Forrester: Cloud Market To Reach $241 Billion By

43 Case Study – Hybrid Cloud. June 25, Million visits in 24 hrs: Twitter stood still; Ticketmaster crawled; Yahoo! had 16.4 million site visitors in 24 hours, more than Election Day's 15.1 million; Sony.com couldn't sell music – 200 sites down.

44 Private to Public Burst

45 (image slide; no text)

46 What About Service Oriented Architecture???

47 BREAK

48 (image slide; no text)

49 What is Different in the Cloud? Many concepts in the cloud are similar to concepts in standard outsourcing. There are at least four themes which require a different mindset when working on security for cloud services:
– Role clarity for security controls
– Legal / jurisdictional / cross-border data movement
– Virtualization concentration risk
– Virtualization network security control parity

50 What is Different in the Cloud? Role Clarity. Across IaaS (Infrastructure as a Service) → PaaS (Platform as a Service) → SaaS (Software as a Service), responsibility for security shifts from Security ~ YOU (IaaS) toward Security ~ THEM (SaaS).

51 What is Different in the Cloud? Legal / Jurisdictional Issues Amplified. Cloud provider datacenters in San Francisco, USA; Tokyo, Japan; Geneva, Switzerland; São Paulo, Brazil; London, U.K. Your corporate data?

52 What is Different in the Cloud? Virtualization Concentration Risks. Old way – hack a system. New way – hack a datacenter (the hypervisor).

53 What is Different in the Cloud? Virtualized N-Tier Control Equivalence. Current way: Internet → Users → FW / WAF / NIDS-IPS → Presentation Layer → FW / WAF / NIDS-IPS → Data Layer. New way: Internet → Users → the same tiers hosted as VMs on one hypervisor. How do we ensure control parity?

54 Key Cloud Security Problems. From CSA Top Threats research:
– Trust: lack of provider transparency; impacts Governance, Risk Management, Compliance
– Data: leakage, loss or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks

55 Cloud Security Alliance Guidance

56 Cloud Security Alliance Guidance. Available at
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability.
Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization.

57 Defining Cloud: on-demand provisioning, elasticity, multi-tenancy. Key types:
– Infrastructure as a Service (IaaS): basic O/S & storage
– Platform as a Service (PaaS): IaaS + rapid dev
– Software as a Service (SaaS): complete application
– Public, Private, Community & Hybrid Cloud deployments

58 Governance and Enterprise Risk Management
– Due diligence of the provider's governance structure and process in addition to security controls. SLAs.
– Risk assessment approaches between provider and user should be consistent: consistency in impact analysis and definition of likelihood.

59 Legal and Electronic Discovery
– Mutual understanding of roles related to litigation, discovery searches and expert testimony.
– Data in custody of the provider must receive equivalent guardianship as with the original owner.
– Unified process for responding to subpoenas and service of process, etc.

60 Compliance and Audit
– Right-to-audit clause.
– Analyze impact of regulations on data security.
– Prepare evidence of how each requirement is being met.
– Auditor qualification and selection.

61 Information Lifecycle Management
– How is integrity maintained?
– If compromised, how is it detected and reported?
– Identify all controls used during the data lifecycle.
– Know where your data is!
– Understand the provider's data search capabilities and limitations.

62 Portability and Interoperability
– IaaS – understand VM capture and porting to a new provider, especially if different technologies are used.
– PaaS – understand how logging, monitoring and audit transfer to another provider.
– SaaS – perform regular backups into a usable form without the SaaS.

63 Security, Business Continuity and Disaster Recovery
– Conduct an onsite inspection whenever possible.
– Inspect the cloud provider's disaster recovery and business continuity plans.
– Ask for documentation of external and internal security controls – adherence to industry standards?

64 Data Center Operations
– Demonstration of compartmentalization of systems, networks, management, provisioning and personnel.
– Understanding of the provider's patch management policies and procedures – should be reflected in the contract!

65 Incident Response, Notification and Remediation
– You may have limited involvement in incident response; understand the prearranged communication path to the provider's incident response team.
– What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?

66 Application Security
– S-P-I (SaaS / PaaS / IaaS) creates different trust boundaries in the SDLC – account for them in dev, test and production.
– Obtain contractual permission before performing remote vulnerability and application assessments – the provider may be unable to distinguish testing from an actual attack.

67 Encryption and Key Management
– Separate key management from the provider hosting the data, creating a chain of separation.
– Understand the provider's key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted.
– Ensure encryption adheres to industry and government standards when stipulated in the contract.
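The "chain of separation" on slide 67 is an architecture, not a product, and it is easier to reason about as code. The program below is an added example written for this transcript; it is not code from the slides, from the CSA guidance or from any provider. It assumes a hypothetical CustomerKMS type standing for key management run outside the provider, envelope encryption with AES-256-GCM from Go's standard library, and a constructed payroll record as sample data. The provider's copy of an Object carries the ciphertext and a data key wrapped under a key-encryption key (KEK) it never holds; Generate, Rotate and Delete walk the lifecycle the second bullet asks about, and rotation re-wraps the data key without touching the stored ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must: the errors it swallows (bad key length, dead CSPRNG) can only be programming mistakes.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead is AES-256-GCM; every key in this file is 32 bytes from randomBytes.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext||tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or a flipped bit all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Object is all the provider stores; the KEK named by KEKID never leaves the customer.
type Object struct {
	Ciphertext, WrappedDEK []byte // data under the DEK; the DEK under the KEK
	KEKID                  string
}

// CustomerKMS (hypothetical name) is key management run outside the provider.
type CustomerKMS struct{ keks map[string][]byte }

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{keks: map[string][]byte{}} }

// Generate and Delete are the first and last steps of the key lifecycle.
func (k *CustomerKMS) Generate(id string) { k.keks[id] = randomBytes(32) }
func (k *CustomerKMS) Delete(id string)   { delete(k.keks, id) }

// Encrypt: fresh DEK per object; data sealed under the DEK; DEK sealed under
// the KEK with the KEK id as aad, so a wrapped key cannot be relabelled.
func (k *CustomerKMS) Encrypt(kekID, name string, plaintext []byte) (Object, error) {
	kek, ok := k.keks[kekID]
	if !ok {
		return Object{}, fmt.Errorf("KEK %q not held by customer", kekID)
	}
	dek := randomBytes(32)
	return Object{seal(dek, plaintext, []byte(name)), seal(kek, dek, []byte(kekID)), kekID}, nil
}

// unwrap recovers an Object's DEK; only a holder of its KEK can.
func (k *CustomerKMS) unwrap(o Object) ([]byte, error) {
	kek, ok := k.keks[o.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not held by customer", o.KEKID)
	}
	return open(kek, o.WrappedDEK, []byte(o.KEKID))
}

func (k *CustomerKMS) Decrypt(name string, o Object) ([]byte, error) {
	dek, err := k.unwrap(o)
	if err != nil {
		return nil, err
	}
	return open(dek, o.Ciphertext, []byte(name))
}

// Rotate re-wraps the DEK under newID; Ciphertext is untouched, so retiring a
// KEK never needs the provider to re-encrypt stored data.
func (k *CustomerKMS) Rotate(o Object, newID string) (Object, error) {
	newKEK, ok := k.keks[newID]
	if !ok {
		return Object{}, fmt.Errorf("KEK %q not held by customer", newID)
	}
	dek, err := k.unwrap(o)
	if err != nil {
		return Object{}, err
	}
	return Object{o.Ciphertext, seal(newKEK, dek, []byte(newID)), newID}, nil
}

func main() {
	kms := NewCustomerKMS()
	kms.Generate("kek-a")
	obj := must(kms.Encrypt("kek-a", "payroll.csv", []byte("constructed sample record")))
	fmt.Printf("provider stores %d ciphertext bytes; KEK %q stays with the customer\n", len(obj.Ciphertext), obj.KEKID)
}
```

A party holding only the Object (the provider's position) has no KEK to unwrap the data key with, so Decrypt fails for it; after Rotate and Delete of the old KEK the owner still reads the record, while the copy still wrapped under the deleted KEK is unrecoverable, which is exactly the property the third bullet's "how keys are deleted" question is probing for.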

68 Identity and Access Management
– IAM is a big challenge today in secure cloud computing.
– Identity – avoid the provider's proprietary solutions unique to that cloud provider.
– A local authentication service offered by the provider should be OATH compliant.
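OATH compliance on slide 68 means the provider's one-time-password service follows the open HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, so any standard token or authenticator app works and the customer is not locked into a proprietary scheme. As an added example for this transcript, not code from the slides or from the CSA, the program below implements both algorithms from Go's standard library and a server-side verifier with the two properties a practitioner should check for in any provider's implementation: a bounded drift window, and refusal to accept the same time step twice. The seed is the 20-byte reference secret from the RFCs' own test vectors, so the output can be checked against them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	hs := mac.Sum(nil)
	offset := hs[len(hs)-1] & 0x0f
	bin := binary.BigEndian.Uint32(hs[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTP implements RFC 6238 (SHA-1 variant): HOTP over the number of whole
// time steps elapsed since the Unix epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step.Seconds()), digits)
}

// Verifier is the server side. It tolerates Window steps of clock drift in
// either direction, compares in constant time, and never accepts a counter at
// or below one it has already accepted, which defeats replay of a code that
// was captured while still valid. (Counter 0, the first step of 1970, is
// therefore never accepted; no real clock produces it.)
type Verifier struct {
	Secret   []byte
	Step     time.Duration
	Digits   int
	Window   int
	lastUsed uint64
}

// Verify reports whether code matches an unconsumed step inside the window,
// and records that step as consumed when it does.
func (v *Verifier) Verify(code string, now time.Time) bool {
	current := int64(uint64(now.Unix()) / uint64(v.Step.Seconds()))
	for d := -v.Window; d <= v.Window; d++ {
		c := current + int64(d)
		if c < 0 || uint64(c) <= v.lastUsed {
			continue
		}
		expected := HOTP(v.Secret, uint64(c), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed = uint64(c)
			return true
		}
	}
	return false
}

func main() {
	// Reference seed from RFC 4226 Appendix D / RFC 6238 Appendix B.
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Println("HOTP counter", c, "->", HOTP(secret, c, 6))
	}
	fmt.Println("TOTP at t=59s, 8 digits ->", TOTP(secret, time.Unix(59, 0), 30*time.Second, 8))
}
```

With that seed, counters 0, 1 and 2 give 755224, 287082 and 359152 as in RFC 4226, and the 8-digit TOTP at 59 seconds past the epoch is 94287082 as in RFC 6238. Presenting a valid code a second time within the same step is rejected by the verifier, which is the check to run against a provider's service before trusting it with logins.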

69 Virtualization
– Understand the internal security controls of a VM beyond the built-in hypervisor isolation – IDS, AV, vulnerability scanning, etc.
– Understand the external security controls that protect exposed administrative interfaces (web-based, APIs).
– Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs.

70 Additional Cloud Security Alliance Resources

71 Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service

72 Cloud Controls Matrix Tool
– Controls derived from guidance
– Rated as applicable to S-P-I
– Customer vs. provider role
– Mapped to COBIT, HIPAA, ISO/IEC , NIST SP and PCI DSS
– Helps bridge the gap for IT & IT auditors

73 Contact – Help us secure cloud computing. Cloud Security Alliance, Chicago Chapter. LinkedIn:

74 Questions?

