Securing the Cloud: Masterclass 2


Securing the Cloud: Masterclass 2. Lee Newcombe (lee.newcombe@capgemini.com), Infrastructure Services, April 2013. PowerPoint presentation.

Securing the Cloud: Masterclass 2
Lee Newcombe (lee.newcombe@capgemini.com)

Infrastructure Services, April 2013

Copyright Capgemini 2012. All Rights Reserved

Agenda
- Introduction
- The Future Cloud?
- The Perfect Storm: BYOD, Social Media, Big Data, Cloud
- Service Management -> Service Orchestration
- Identity in the Cloud
- Conclusions

The questions you asked
- How is the security landscape changing, and how must it evolve in the next 5 years?
- How do fast-moving trends such as mobile, social business, BYOD and bring your own cloud complicate security strategies?
- Considering security as an enterprise issue, not simply as a cloud one
- Addressing service integration in the cloud
- Looking at the future of identity in the cloud: requirements, risks and opportunities


The Future Cloud
- Public cloud providers are likely to continue to be subject to rapid amalgamation:
  - Terremark bought by Verizon
  - Savvis bought by CenturyLink
  - Heroku bought by Salesforce.com
  - Nimbula bought by Oracle
- Amalgamation will lead to a smaller set of major public cloud providers; smaller players will exist to serve niche markets (e.g. HMG)
- Big outsourcing firms will continue to offer enterprise cloud services, but are likely to continue to struggle to justify premiums over the likes of AWS

The Future Cloud (continued)
- Interoperability will remain problematic; niche vendors will continue to exist to enable cross-cloud operations
- Rising importance of service brokers and SIAM capabilities
- A "Cloud First" attitude will become standard, not just in Government
- Compromises will occur. The sky will fall, but the cloud paradigm will survive.

Evolving Compliance Requirements

"The DPA requires the data controller to have a written contract requiring that the data processor is to act only on instructions from the data controller and the data processor will comply with security obligations equivalent to those imposed on the data controller itself."

"Cloud customers should take care if a cloud provider offers a 'take it or leave it' set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance."

Evolving Compliance Requirements (continued)

"It's important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement."

"Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients."

Assurance: new standards

SAS70 -> SSAE16
- Requires details of the system, not just the controls
- Requires a written statement of assertion

Cloud Security Alliance OCF

https://cloudsecurityalliance.org/research/ocf/

AWS Changes: Evolving Security

http://aws.typepad.com/aws/2013/03/aws-trusted-advisor-update-trial-new-features.html

AWS Changes: Evolving Security (continued)

Release: Amazon EC2 on 2013-03-11 http://aws.amazon.com/releasenotes/4286407650196705

New Cloud ways of thinking, for example:


The Perfect Storm - BYOD
Bring Your Own Disaster / Device (BYOD)
- BYOD or CYOD?
- Business-driven desire for mobile working
- End point protection: entry point to your trusted domain; holds your data; duress?
- Data protection: better in the cloud? Encrypted on device? Remote wipe? Of my device?!
- Mobile Device Management

The Perfect Storm - Social Media
Twitter, LinkedIn, Facebook, Google+, etc.: the Consumer Cloud
- Reputation management: damaging tweets by employees; damaging comments from customers; hacked accounts (Burger King, BBC)
- Personal vs business: identity in the cloud? More later
- Data exfiltration: are you monitoring the data your users send via these channels?

The Perfect Storm - Big Data
- How big is big?
- NoSQL?
- Pseudonymisation / anonymisation: fine so long as you know nothing about your target; fine so long as compute resource remains expensive and exclusive
- https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Big_Data_Top_Ten_v1.pdf

Big Data (continued)
- Where is the data coming from? Trust? Validation?
- Where are you going to put it? NoSQL vs RDBMS? Cloud or on-premise?
- How are you going to control access to it?
- Compliance: how much anonymisation is enough?
- http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx
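The re-identification risk the Big Data slides point at (pseudonymisation is "fine so long as compute resource remains expensive"), as an added Python example that is not part of the presentation: a pseudonym computed as a bare hash of a small-domain identifier is recovered by enumerating the domain, while an HMAC under a key the data controller keeps is not, though it stays linkable across records. The CUST-nnnn identifier format and the secret key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample domain: customer identifiers CUST-0000..CUST-9999.
# A 10,000-value domain stands in for any small identifier space (postcodes,
# phone numbers, dates of birth) that a data set might "pseudonymise".
CANDIDATES = [f"CUST-{n:04d}" for n in range(10_000)]


def pseudonymise_plain(identifier: str) -> str:
    """Unkeyed pseudonym: a bare SHA-256 of the identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret held by the data controller."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """What a party holding the data set but no key can do: recompute the
    unkeyed pseudonym for every candidate and look for a match.  The cost is
    one hash per candidate, which cheap compute makes negligible."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_plain(candidate), pseudonym):
            return candidate
    return None


def demo() -> dict:
    # The key stays with the data controller and never travels with the data set.
    key = secrets.token_bytes(32)
    original = "CUST-4242"
    plain = pseudonymise_plain(original)
    keyed = pseudonymise_keyed(original, key)
    return {
        # The unkeyed token is recovered by walking the small domain.
        "plain_recovered": reverse_by_enumeration(plain, CANDIDATES),
        # The keyed token cannot be matched without the key.
        "keyed_recovered": reverse_by_enumeration(keyed, CANDIDATES),
        # Keyed tokens are still deterministic, so records for one person link up;
        # anyone who already knows something about the target can still use that.
        "keyed_is_linkable": keyed == pseudonymise_keyed(original, key),
    }


if __name__ == "__main__":
    print(demo())
```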

The Perfect Storm - Cloud

Cloud is the ANSWER! But what was the question?

Putting it all together
- Big Data: social media usage; research and development; modelling; device and data usage (SIEM)
- Stored and processed in the cloud: NoSQL. Not much security either
- Accessed from users' personal devices

Anybody see any security issues here?

Putting it all together to fix it
- Mobile Device Management
- DRM?
- Big Data security: see CSA paper
- Anonymisation
- Security architecture

Management of Infrastructure - owned or client assets
- Systems Integrators -> Service Integrators: service consolidation; opportunity to leverage service desk and management assets
- Service Broker: enabler of cloud propositions; aggregation and orchestration of many cloud-based services

Service Orchestration / Service Aggregation / Service Integration / Service