Shahar Maor’s work Copyright 2010 @STKI Do not remove source or attribution from any graphic or portion of graphic
Shahar Geiger Maor, CISSP, Senior Analyst at STKI
[email protected] www.shaharmaor.blogspot.com
Cloud Computing and Cloud Security
What did we have in mind?
What actually happened? Complexity!
10th grade mathematics – reliability chain
99.99% × 99.99% × 99.99% = 99.97%
Aggregated systems = drop in total up-time.
99.99% = 52.6 downtime minutes a year
10 systems = 8.7 downtime hours a year!
ERP CRM DataWarehouse
Database
Mail and Messaging
File, Print, Infrastructure
The Converged Datacenter
Cisco UCS
Resource Pool
HP BladeSystem Matrix
IBM CloudBurst
Future Datacenter Infrastructure
http://www.sincerelysustainable.com/buildings/google-utilizes-cool-climate-to-cool-its-belgian-data-center
Giants Face-Off
Application Delivery: What is the Pressure?
• Globalization: Pushing business process to the network’s edge
• Centralization / Consolidation: Compliance, control, Cost cutting, Security, Efficiencies / resource utilization
• Enterprise & WebMonster Application: Architectures, Increased adoption of browser-based apps, Rich clients (AJAX), Web 2.0 technologies, SOA
• Service Provider Services Architectures: Next Generation Networks, Video, Messaging
Network Operations and Monitoring: What is the Pressure?
Complexity!
Solutions???
CLOUD COMPUTING
Cloud delivery models
Public Cloud
IT activities/functions are provided “as a service,” over the Internet
• Key features:
– Scalability
– Automatic/rapid provisioning
– Standardized offerings
– Consumption-based pricing
– Multi-tenancy
Private Cloud
IT activities/functions are provided “as a service,” over an intranet, within the enterprise and behind the firewall
• Key features include:
– Scalability
– Automatic/rapid provisioning
– Chargeback ability
– Widespread virtualization
Hybrid Cloud
Internal and external service delivery methods are integrated, with activities/functions allocated based on security requirements, criticality, architecture and other established policies.
Diagram labels: Enterprise; Traditional Enterprise IT; Private Cloud; Public Clouds; Hybrid Cloud
Source: IBM Market Insights, Cloud Computing Research, July 2009.
The public cloud layers
Source: GS http://blogs.zdnet.com/BTL/?p=28476
Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.
Capability | From (Legacy environments) | To (Cloud enabled enterprise)
Server/Storage Utilization | 10-20% | 70-90%
Self service | None | Unlimited
Test Provisioning | Weeks | Minutes
Change Management | Months | Days/Hours
Release Management | Weeks | Minutes
Metering/Billing | Fixed cost model | Granular
Standardization | Complex | Self-Service
Payback period for new services | Years | Months
Source: IBM
Requirements for Cloud Services
• Multitenant. A cloud service must support multiple, organizationally distant customers.
• Elasticity. Tenants should be able to negotiate and receive resources/QoS on-demand.
• Resource Sharing. Ideally, spare cloud resources should be transparently applied when a tenant’s negotiated QoS is insufficient, e.g., due to spikes.
• Horizontal scaling. It should be possible to add cloud capacity in small increments; this should be transparent to the tenants of the service.
• Metering. A cloud service must support accounting that reasonably ascribes operational and capital expenditures to each of the tenants of the service.
• Security. A cloud service should be secure in that tenants are not made vulnerable because of loopholes in the cloud.
• Availability. A cloud service should be highly available.
• Operability. A cloud service should be easy to operate, with few operators. Operating costs should scale linearly or better with the capacity of the service.
Security + Cloud Computing
Cloud Security
Security in the Cloud
Cloud Security
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
How Does Cloud Computing Affect the “Security Triad”?
Confidentiality
Integrity
Availability
Cloud Risk Assessment
Risk matrix (axes: Probability, Impact). Risks shown:
• LOSS OF GOVERNANCE
• COMPLIANCE CHALLENGES
• RISK FROM CHANGES OF JURISDICTION
• ISOLATION FAILURE
• CLOUD PROVIDER MALICIOUS INSIDER - ABUSE OF HIGH PRIVILEGE ROLES
• MANAGEMENT INTERFACE COMPROMISE (MANIPULATION, AVAILABILITY OF INFRASTRUCTURE)
• INSECURE OR INEFFECTIVE DELETION OF DATA
• NETWORK MANAGEMENT
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/
Cloud Regulations & Recommendations
No regulations so far…
Some sources of information and recommendations:
• Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1
• ENISA Cloud Computing Risk Assessment
• OECD - Cloud Computing and Public Policy
• World Privacy Forum Privacy In The Clouds Report
• NIST - Effectively and Securely Using the Cloud
• "Cloud Computing Security: Raining On The Trendy New Parade," BlackHat
• AWS Security Whitepaper
Security in the Cloud: Email Security - Israeli Market Positioning 1Q10
Axes: Local Support, Market Presence
Player
This analysis should be used with its supporting documents
Worldwide Leader
Websense
Fast Movement
Microsoft
Hosted/Cloud Solutions:
McAfee
Symantec
Cisco
PineApp
Google (Postini)
Symantec (MessageLabs)
Cisco (Ironport)
McAfee (MX Logic)
Microsoft (Forefront)
Mirapoint SafeNet
Trend Micro
Secure Web-Gateway - Israeli Market Positioning 1Q10
Axes: Local Support, Market Presence
Player
This analysis should be used with its supporting documents
BlueCoat
Worldwide Leader
Cisco
Websense
Fortinet
Fast Movement
SafeNet
Solutions to Watch:
Microsoft (TMG)
McAfee
Symantec
Zscaler
Trend Micro
Secure Web-Gateway (SaaS) - Zscaler
http://www.zscaler.com/how-it-works.html#
In Short
The cloud is here to stay
Security is a major showstopper
…We put our money in the cloud
No rush!
Mail: [email protected] Blog: www.shaharmaor.blogspot.com
Thank You