NJVC Proprietary - Do Not Release
Cloud Computing and Security:
Assessing the Risks
Kevin L. Jackson
Vice President &
General Manager
NJVC Cloud Services
March 21, 2012
Cloud Computing
Not a new technology but a new approach in the provisioning and consumption of
information technology
A service-oriented architecture (SOA), typically implemented on a virtualized infrastructure
(compute, storage, networks) using commodity components and coupled with highly automated
controls, enables the five essential characteristics of cloud computing.
Key Concerns
Standards
Portability
Control/Availability
Security
IT Policy
Management / Monitoring
Ecosystem
Key Benefits
Significant cost reductions
Reduced time to capability
Increased flexibility
Elastic scalability
Increase service quality
Increased security
Ease of technology refresh
Ease of collaboration
Increased efficiency
Cloud Computing: Value and Capabilities
Time
Reduce time to deliver/execute mission
Increased responsiveness/flexibility/availability
Cost
Optimizing cost to deliver/execute mission
Optimizing cost of ownership (lifecycle cost)
Increased efficiencies in capital/operational expenditures
Quality
Environmental improvements
Experiential improvements
Relational Databases and the Cloud
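[Figure: a hierarchical structure (Country > manufacturer > vehicle type: Germany > BMW, Volkswagen, Audi; Japan > Toyota, Honda, Mazda; US > Ford, Chrysler, GM; each with Truck, Car, SUV) shown beside a flat, searchable list of records: "German, BMW, Truck"; "German, BMW, Car"; "German, BMW, SUV"; "German Volkswagen, Truck"; … "US, GM, SUV"]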
The economics of data storage led to the use of content addressable storage, flat storage architectures and internet scaling.
Database design, database tuning no longer required with infinite scalability and consistent responsiveness
Traditional Analytics
Traditionally, lexical searches, filtering or Boolean search attributes are used to reduce data to a “working set”. Analytical tools are then applied to this “working set”.
[Figure labels: All Data Sources / Types; Tools/Analysis; Reports/Conclusions]
Cloud Enables Searching All the Data, All the Time
[Figure label: Reports/Conclusions]
Top Threats to Cloud Computing
[Table: threats (rows) against domains (columns, grouped on the slide as Governance and Operational); the cell contents are not recoverable]
Domains:
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Traditional Security, Business Continuity, and Disaster Recovery
Data Center Operations
Incident Response, Notification and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Threats:
Abuse and Nefarious Use of Cloud Computing
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss or Leakage
Account or Service Hijacking
Unknown Risk Profile
C&A vs FedRAMP
Standard Certification & Authorization
100% of required agency controls
60-90 days to complete
$80k-$300K
Repeat with each new agency: 5 agency cost $400K-$1.5M
FedRAMP (290 Controls)
80% of required agency controls
60 days to complete
$65-$240K
Agency specific controls for new implementations: 5 agency cost $65K-$365K
Continuous Monitoring Deliverables
Vulnerability/Patch Management Scanning and Reporting
Configuration Scanning and Reporting
Incident Response Planning and Response
POA&M Mitigation and Remediation
Change Management and Control
Penetration Testing
A&A Documentation Maintenance
Contingency Plan Testing
NIST Cloud Computing
http://collaborate.nist.gov/twiki-cloud-computing
My Advice
Remember – Cloud computing is an emerging discipline
Learn about it. Don’t run away
This is not a new technology but extensive automation of what you’re already used to
Same threat vectors. Same attacks but faster, broader and automated using “resource concentration”
Cloud will save you, not hurt you.
Be careful out there!!
Thank You!
Kevin L. Jackson
Vice President
General Manager
NJVC Cloud Services
(703) 335-0830
http://www.NJVC.com
http://kevinljackson.blogspot.com
http://govcloud.ulitzer.com