PRIVACY RELIABILITY SECURITY Secures against attacks Protects confidentiality, integrity, and availability of data and systems Helps manage risk Protects


Current trends in cloud computing

Cloud Security Readiness Tool analysis

Frank Simorjay

Sr. Product manager, Trustworthy Computing (TwC)

ATC-B316

TRUSTWORTHY COMPUTING

SECURITY

• Secures against attacks

• Protects confidentiality, integrity, and availability of data and systems

• Helps manage risk

PRIVACY

• Protects from unwanted communication

• User choice and control

• Products, online services adhere to fair information principles

RELIABILITY

• Dependable, available

• Predictable, consistent, responsive service

• Maintainable

• Resilient, easily restored

• Proven, ready

Cloud computing

Most Americans confused by cloud computing

1,000 US consumers surveyed by Wakefield Research

• 51% of respondents believe stormy weather can interfere with cloud computing.

• 54% of Americans claim to never use cloud computing.

• 97% are actually using cloud services today via online shopping, banking, social networking and file sharing.

What is cloud computing

• Broad Network Access

• Rapid Elasticity

• Measured Service

• Self-Service

• Resource Pooling

Service Model: IaaS, PaaS, SaaS

Risks and rewards of adoption

BENEFITS

• scalability

• increased agility

• flexibility

• reduced costs

CONCERNS

• privacy

• security

• reliability

Provider is your partner

[Figure: RESPONSIBILITY by service model (SaaS, PaaS, IaaS), CLOUD CUSTOMER versus CLOUD PROVIDER]

• Data classification

• Application level controls

• Client and end point protection

• Network controls

• Physical security

• Identity and access management

• Host security

Cloud Adoption Benefits

• 57% Time Savings

• 3X Money Savings

• 54% Improved Security

Cloud Adoption Barriers

• 44% Security Concerns

• 61% Industry Standards

• 59% Transparency

Problem you face

• What are your current IT capabilities?

• Can you improve your people, processes, and technologies?

• Can cloud reduce your risks while reducing cost?


The Cloud Security Readiness Tool

Cloud Security Alliance (CSA)

• Global not-for-profit organization

• Provider and User Certification

• Accepted global authority for trust in the cloud

Cloud Control Matrix (CCM)

CCM control and description:

DG-01: Data Governance - Ownership / Stewardship

All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.

DG-02: Data Governance - Classification

Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.


Cloud Security Readiness Tool (CSRT)

Where are you now?

Where will you be?

Can cloud help?


Report

Control standards

• Federal Office for Information Security (BSI) Security Recommendations for Cloud Computing Providers

• European Network and Information Security Agency (ENISA) - Information Assurance Framework (IAF)

• International Organization for Standardization (ISO 27001-2005)

• Payment Card Industry (PCI-DSS v2.0)

• Health Insurance Portability and Accountability Act (HIPAA-HiTech Act)

• National Institute of Standards and Technology (NIST SP800-53)

• American Electric Reliability Corporation (NERC CIP)


CSRT Demo


Cloud Trends

Trends

• Top/Bottom

• Government/Military

• Non-profit

• Regulations most used

• Cloud Security Readiness Tool (CSRT) data between October 2012 and March 2013.

• Approximately 5700 anonymized answers to CSRT questions

• Margin of error

  • +/- 1% USA/EUROPE

  • +/- 10% ASIA

STRONGER

• INFORMATION SECURITY: antivirus/antimalware software

• SECURITY ARCHITECTURE: clock synchronization

• FACILITY SECURITY: controlled user access to data

WEAKER

• OPERATIONS MANAGEMENT: effective equipment maintenance

• LEGAL PROTECTION: nondisclosure agreements

• INFORMATION SECURITY: consistent incident reporting

• OPERATIONS MANAGEMENT: effective capacity planning

• HUMAN RESOURCES SECURITY: prudent hiring practices

Four maturity levels

1. Getting Started. Undocumented, ad hoc state. Reactive and incident or event response-driven.

2. Making Progress. Response-driven, following trends, and somewhat repeatable with limited automation in segments.

3. Almost There. Scaled response, using programs. Limited scaling still segmented.

4. Streamlined. Centralized, automated, self-service, and scalable. Can allocate resources automatically.

CSRT respondent answers

If the answer was Almost There or Streamlined, a +1 value was assigned for maturity. If the answer was Getting Started or Making Progress, a -1 value was assigned for maturity.

[Chart: value per question Q1 to Q27, vertical axis from -60% to 20%. Data labels in question order:]

Q1 -26.9%, Q2 -26.5%, Q3 -22.8%, Q4 -15.7%, Q5 -41.0%, Q6 -5.8%, Q7 -24.0%, Q8 -24.2%, Q9 -39.4%

Q10 -34.9%, Q11 -52.4%, Q12 -12.7%, Q13 -31.6%, Q14 -25.3%, Q15 -9.0%, Q16 -31.7%, Q17 -30.6%, Q18 -35.6%

Q19 -42.8%, Q20 -25.7%, Q21 -44.3%, Q22 -28.7%, Q23 -32.8%, Q24 -16.4%, Q25 14.7%, Q26 -12.6%, Q27 -0.4%

Q25 Information security – AV and antimalware

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Asia, Europe, North America]

Q11 Human resources - Employment agreements

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Asia, Europe, North America]

Q21 Operations management - Capacity planning

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Asia, Europe, North America]

Q19 Information security - Incident reporting

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Asia, Europe, North America]


Industry-based trends for government/military organizations

Government and military – Data classification

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, North America, Europe]

Operational management

[Two charts: Resource planning and Equipment maintenance, each split by maturity level (Getting Started, Making Progress, Almost There, Streamlined). Data labels as extracted: 31.3%, 50.0%, 14.6%, 4.2% and 40.0%, 30.0%, 20.0%, 10.0%]


Industry-based trends for nonprofit organizations

Management program

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Europe, North America]

Equipment location

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Europe, North America]

Equipment power failures

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Europe, North America]

Incident reporting

[Chart: share of answers at each maturity level (Getting Started, Making Progress, Almost There, Streamlined), 0% to 100%, for Worldwide, Europe, North America]


Regulation distribution

Regulations

USA/ME/Africa/Australia

• HIPAA / HITECH Act

• ISO/IEC 27001-2005

• NIST Guidelines

• PCI DSS v2.0

Europe/Asia

• ENISA

• NIST Guidelines

• PCI DSS v2.0

Big Data

• Unscented lotion, Calcium, Zinc

• Coupons arrive in the mail

• Excellent customer service

http://www.forbes.com/fdc/welcome_mjx.shtml

What can I do?

The better you understand your people, processes, and technologies, the more you will be able to make informed comparisons and evaluate the benefits of the cloud.

Visit the Trustworthy Computing – Cloud TechCenter and its many resources:

The Cloud Security Readiness Tool

• A free assessment to help you

  • evaluate the benefits of the cloud

  • create a plan for adoption

  • better understand your organization’s capabilities

Additional resources on cloud security, privacy, and reliability

microsoft.com/trustedcloud

Trustworthy Computing Resources

Trustworthy Computing (TwC) is a long-term, collaborative effort to deliver more secure, private, and reliable computing experiences for everyone. Learn more at: http://microsoft.com/twc

• Cloud Security Readiness Tool

• Pass the Hash Guidance

• Data, Insights and Guidance (Security Intelligence Report, volume 14)

and more…

Resources

• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning

• msdn: Resources for Developers, http://microsoft.com/msdn

• TechNet: Resources for IT Professionals, http://microsoft.com/technet

• Sessions on Demand: http://channel9.msdn.com/Events/TechEd


© 2013 Microsoft. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.