Securing Data in the Cloud: Point of View
Presentation by Infosys Limited
www.Infosys.com
2
Agenda
• Data Security challenges & changing compliance requirements
• Approach to address Cloud Data Security requirements
• About Infosys Information and Cyber Risk management practice
3
Your Presenter today
• Saju brings nearly 18 years of experience in IT consulting and advisory services. He currently heads Infrastructure and Cloud consulting for Infosys.
• He has been with Infosys for the past 13 years and has been instrumental in setting up the cloud business strategy for Infosys.
• Saju brings experience in cloud and infrastructure strategy formulation, cloud technology advisory and cloud economics.
• Saju has executed several strategic engagements in technology, business transformation & optimization, Cloud and Infrastructure transformation, platform modernization, collaboration and end-user computing.
• He is an active member of partner advisory boards of product alliance partners and has been on steering committees with various clients.
Saju Sankaran Kutty, Associate Vice President - Cloud Infrastructure & Security – Infosys Limited
4
The next-generation
technology services company
Founded in Pune, India in 1981
$8.7 billion in revenues
987+ clients
Clients in 50+ countries
85 offices and 100 development centers
179,000+ employees of 115 nationalities
94% are consultants and engineers
97% of staff are university educated
22% with masters degrees or doctorates
35% of employees are women
World’s largest corporate university
1.3% of revenues invested in R&D
More than 300 researchers
Employees trained in Design Thinking
505 patents pending and 204 granted
Transparency, ethics, and respect
$500 million innovation fund
96.6% business is repeat business
2% of avg. net profits over 3 fiscals to Infosys Foundation
Award winning sustainable delivery centers
4 out of top 5 US banks
7 out of top 10 global CPG
8 out of top 10 global pharma
4 out of top 5 global aerospace & defence
6 out of top 10 communications cos.
Corporate Learning Purpose People Clients
Infosys helps enterprises transform and thrive in a changing world by co-creating breakthrough solutions that combine strategic insights and execution excellence. We help them renew themselves while also creating new avenues to generate value.
5
Infosys – Huawei Partnership
Infosys Huawei
6
The enterprise cloud ecosystem is evolving
[Figure: Enterprise IT moving from siloed VMs to consolidated VMs, Private Cloud IaaS and Hybrid IaaS, towards a hybrid deployment, multi-cloud consumption model. Diagram labels: Private Cloud (IaaS, PaaS, Enterprise Apps); Public Cloud (IaaS, PaaS, SaaS); Enterprise IT.]
7
Trends in Cloud adoption today
• 81% of companies are either using or planning to use mission-critical apps on the cloud in the next 2 years
• 77% of companies are using or planning to use IaaS, PaaS or SaaS for a wide range of business applications in the next 2 years
• It takes 3 days for 55% of large enterprises to get new virtual infrastructure from their private or public Cloud
• 69% of companies are looking for the ability to detect, alert, and self-resolve issues in their cloud environment
• 77% of companies trust system integrators to be their cloud implementation providers
Infosys Study: Simplify and innovate the way you consume Cloud - http://www.experienceinfosys.com/cloudstudy
8
Key Data Security challenges for organizations leveraging the Cloud
• Available solutions in the market are still silo-based
• Security challenges exist when enterprises integrate private cloud with public cloud for cloud burst and other on-need computing requirements. The challenges cut across 4 key pillars of security
9
…Resulting in new and evolving requirements for data security in Cloud
• The Cloud Security Alliance (CSA) Cloud Controls Matrix is the comprehensive standard for ensuring data safety and privacy in the cloud environment.
• NIST, the U.S. National Institute of Standards and Technology, last year published its Guidelines on Security and Privacy in Public Cloud Computing.
• ENISA has published Procure Secure: A Guide to Monitoring of security service levels in cloud contracts.
• HIPAA Omnibus expands the definition of ‘business associate’ and defines cloud service providers (CSPs) as business associates.
• Geo-specific regulations mandate that organizations ensure data eDiscovery capabilities and controls are in place when entering into a contract with a cloud provider.
• Geo-specific and regulatory requirements mandate that organizations make legal hold discussion and agreement a key part of cloud contract negotiations.
10
…which is driving key trends around Data Security oriented to Cloud Adoption
[Figure: Business & IT Objectives and Cloud Adoption driving a unified approach for protecting Data in Cloud]
• No Trust Model
• Persistent Data Encryption
• Customer Managed keys
• Data access governance
• Privileged Access
• Data Classification Is Key
• Data Disposal gains importance
11
…which results in the decisions below to make before cloud adoption
• Legal hold – How to ensure data availability if the CSP goes out of business
• eDiscovery – How to ensure that data in the hosted environment is identifiable and discoverable
• Data Protection/Confidentiality – How to ensure that data confidentiality is maintained in a shared cloud environment
• Data Integrity & Usage Governance – How to ensure that data integrity is maintained
• Compliance & Governance – How to ensure compliance with legal and regulatory standards, including data retention, archive and purge
12
Solutions can be realized leveraging an "Integrated approach" for Cloud data Security based on traditional building blocks
[Figure: Cloud Security Alliance Reference Model. Layer labels: Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities; grouped as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Other diagram labels: Information Systems; Organization/Vendor; Cloud Vendor.]
Cloud-based Integrated Security solution
Identity & Access Mgmt.
• Single sign-on / federation
• Adaptive authentication
• Authorization (RBAC, context-based, fine-grained)
• Provisioning access
• Segregation of Duties
Application Security
• Secure SDLC
• White/Black box testing
• Penetration testing
Infra Security
• Endpoint Security
• SIEM
• Perimeter Security
• Platform Security
Data Security
• Data loss Prevention
• Data Tokenization
• Data Masking
• Information Rights Management
• Data Encryption
Governance, Risk & Compliance
• Risk and Enterprise Security framework
• Integrated enforcement & validation of security controls
• Compliance enforcement
• Internal & External Compliance Audits
• Enterprise IT security policies & Procedures
Security is shared responsibility
13
…complemented by data centric technology controls to safeguard the data
Key Tenet: Data protection/confidentiality
• Technology Solution: Data Loss Prevention (DLP); Data Encryption (File/Folders, OS, Application, Database)
• Leading product vendors: DLP: Websense, McAfee, Symantec; Encryption: SafeNet, RSA
Key Tenet: Data management integrity and usage governance
• Technology Solution: Database Activity Monitoring; File Integrity Management; Data Rights Management
• Leading product vendors: DAM: IBM, Imperva; FIM: McAfee, TrendMicro; DRM: Microsoft
Key Tenet: Compliance with legal and regulatory standards
• Technology Solution: Data Tokenization; Data Masking; Key Management; Security Audits; Data Protection Agreement
• Leading product vendors: Tokenization: SafeNet, RSA; Masking: Informatica; Key Management: Thales, SafeNet
14
Infosys approach & methodology for securing data and services in Cloud
Initiate
Risk Analysis
• Identify cloud model
• Prioritize use cases, classify information
• Understand Risk & associated impact, liability, SLAs, RACI, etc.
Enable Secure Access
• Single sign-on using Federation, OpenID, OAuth
• Strong authentication & fine-grained authorization
• Deploy adaptive / multi-factor authentication
Secure Integration
• Deploy web security solutions e.g. IBM DataPower, Intel SOAE
Integrated Monitoring
• Implement periodic attestation, continuous monitoring, integration with SIEM, etc.
• Adopt compliance & security
• Automated GRC
Secure virtual infrastructure
• Deploy network segregation, virtual firewalls, IDS, secure OS, application firewalls, AV, content security / malware
Secure data & application
• Implement native data encryption, segregation, PKI
• Data Loss Prevention, in-line Data Tokenization / Encryption address in-transit / at rest / isolation security concerns
• Leverage claims-based application security model
• Adopt secure SDLC / testing
Continuous monitoring and validation
15
Infosys Information and Cyber Risk (ICRM) Practice offers a Comprehensive set of Security Solutions and Services to ensure Secure Cloud Adoption
[Figure labels: Enterprise Security; Security Operations; Identity & Access Management; Cloud-based Integrated Security solution; On-premise Integrated Security solution; CONSULTING, INTEGRATION, OPERATIONS]
Infra Security
• Perimeter and Network Security
• Endpoint Security
• Platform Security
• Email Security
• Vulnerability Assessment and Penetration Testing
Data Security
• Data Loss Prevention
• Data Masking, Tokenization
• Encryption and PKI
• Information Rights Management
Security Operations
• Security tool administration
• Security monitoring and incident management
Identity & Access Mgmt.
• Directory Services
• Authorization, SSO, Federation, Social
• Coarse / Fine-grained authorization
• Identity lifecycle Management and Provisioning
Governance Risk and Compliance (GRC)
• Security Framework, Policies and Procedures
• Compliance Audits
• Risk and Security Controls enforcement
• IT GRC tool configuration
Application Security
• Secure SDLC
• White/black box testing
• Gray-box testing
• Penetration testing
16
Contact us
www.Infosys.com
Email: [email protected]
Contact –
Saju Sankaran Kutty
Associate Vice President – Cloud Infrastructure & Security – Infosys Limited
Email – [email protected]
Copyright©2015 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the
future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could
cause actual results and developments to differ materially from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.