cloud security jean pawluk ewf talk sept 2009
Post on 28-Oct-2014
©Jean Pawluk
Cloudy Weather: Cloud Computing Security
Jean Pawluk, Chief Architect
Prepared for Executive Women’s Forum
Emerging Technology Workshop, September 2009
09/24/2009 Jean Pawluk 2
With great opportunity, comes great risk
In the Way Back Machine…
Think back to the time of "big iron":
• Ruled by mainframes and minis
• Few mobile devices
Think again about the last few years:
• Big changes that occurred with the Internet and mobility of devices
Today’s evolution:
• Convergence of the two
• Ubiquity of compute power
Opportunity to discover …
Cool Hype… & lots of confusion
Confusion abounds today as several ideas and services are labeled “cloud computing”. A few myths exist:
• Cloud computing is a new revolution (it’s an old idea)
• Cloud computing is just virtualization
• The Internet and the Web are the cloud
• Every vendor has a different cloud
• Everything will be in the cloud (as if)
Nevertheless: under the hype a very important paradigm shift is occurring, similar to the move to the Internet.
You can find the cloud today…
Swarms of connected technology and business services, which are offered, bought, sold, used, repurposed
On shared worldwide networks of service providers, consumers, aggregators, and brokers
- Creating -
New ways of offering, using, and organizing information and functionality
Examples: Social Networks, Virtual Worlds, Games, Blogs, Books & Magazines & Newspapers, “free” Email, Data everywhere / all of the time, Market Research, Census, Data aggregators, Marketing collateral, Video, Phone, TV, Photos, Music, Virtual desktops, Search engines
So when will we…
• Stop talking about the Internet (which was the “cloud”), and when will the Cloud be omnipresent?
• Move from managers of technology to managers of services…
• Move from a focus on cost to a focus on value…
• Move from overhead to a team that enables growth…
Next?
Cloud-onomics (Courtesy and Copyright of IBM)
CLOUD COMPUTING = Reduced Cost = VIRTUALIZATION + ENERGY EFFICIENCY + STANDARDIZATION + AUTOMATION
…leverages virtualization, standardization and automation to free up operational budget for new investment
CLOUD COMPUTING = OPTIMIZED BUSINESS = AGILITY + BUSINESS & IT ALIGNMENT + SERVICE FLEXIBILITY + INDUSTRY STANDARDS
…allows you to optimize new investments for direct business benefits
Cloud Computing Business Drivers
• Cost: pay per use; no hardware or startup costs; low investment in capital expenditure & time-to-live
• Flexibility: use cloud computing services when needed; dynamically grow and shrink services
• Simplicity: typically browser-based user interfaces
• Response: speed to market; fast resourcing (provisioning and de-provisioning, processing, etc.)
• Availability: many cloud service providers have global, robust network, CPU and application capability
Several Cloud Deployment Models
• Private: enterprise / internal cloud
• Managed private cloud
• External: public cloud
• Hybrid: combination
Jericho Cloud Cube Model
Public Cloud Computing: From a user perspective
• User:
– Builds a web application
– Using a standard platform and database
– Uploads this application to a cloud provider
• Cloud provider:
– Provisions the services
– Scales the application and the database together
• User:
– Doesn’t care about which servers, which databases, which hardware, how much memory (the cloud platform handles all of that)
– Users are totally free from any technical complexity other than the service itself
• Cloud provider:
– Decides how to cache content, how and where to deploy servers based on demand, performs backups, and even has the ability for the business to distinguish "production" from "staging" deployments
– Has ongoing management and monitoring of the external service
• User:
– Only pays for what is used, when the user needs it
– Everything else is an implementation detail
Great idea, but where are the data security controls in this point of view???
Evolving Cloud Architectures (Diagram Courtesy of Chris Hoff)
The central architectural concept is XaaS (everything as a service), the core being:
• IaaS (Infrastructure)
• PaaS (Platform)
• SaaS (Software)
Yet security is off to the side. The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Risk - Who controls security?
Stack diagram, top to bottom:
• SaaS: you “SLA” security
• PaaS
• IaaS: you build in your own security
The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
READ the fine print…
7.2 Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
Source - http://aws.amazon.com/agreement/
What’s ready for the cloud?
• When the processes, applications and data are largely independent
• When the points of integration are well defined
• When a lower level of security will work just fine
• When the core internal enterprise architecture is healthy
• When the Web is the desired platform
• When cost is an issue
• When the applications are new
Courtesy and Copyright of David Linthicum
Cloud Computing Services Players
Infrastructure - Computing infrastructure, typically a platform virtualization environment, as a service
• Full virtualization (GoGrid, Skytap)
• Grid computing (Sun Grid)
• Management (RightScale)
• Compute (Amazon Elastic Compute Cloud)
Platform - The delivery of a computing platform and/or solution stack as a service
• Web application frameworks: Ajax (Caspio), Python Django (Google App Engine), Ruby on Rails (Heroku)
• Web hosting (Mosso)
• Proprietary (Azure, Force.com)
Storage - Data storage as a service, billed on a utility basis, e.g. per gigabyte / month
• Database (Amazon SimpleDB, Google App Engine's BigTable datastore)
• Network attached storage (MobileMe iDisk, CTERA Cloud Attached Storage, Nirvanix CloudNAS)
• Synchronization (Live Mesh Live Desktop component, MobileMe push functions)
• Web service (Amazon Simple Storage Service, Nirvanix SDN)
Cloud Computing Services Players (more)
Business Services - Interoperable machine-to-machine interaction over a network, accessed by other cloud computing components or directly by end users
• Identity (OAuth, OpenID)
• Integration (Amazon Simple Queue Service)
• Payments (Amazon Flexible Payments Service, Google Checkout, PayPal)
• Mapping (Google Maps, Yahoo! Maps)
• Search (Alexa, Google Custom Search, Yahoo! BOSS)
• Others (Amazon Mechanical Turk)
Application - Cloud-based software that often eliminates the need for local installation
• Peer-to-peer / volunteer computing (BitTorrent, BOINC Projects, Skype)
• Web application (Facebook)
• Software as a service (Google Apps, Salesforce)
• Software plus services (Microsoft Online Services)
What’s not ready for the cloud?
• When the processes, applications and data are largely coupled
• When the points of integration are not well defined
• When a high level of security is required
• When the core internal enterprise architecture needs work
• When the application requires a native interface
• When cost is an issue
• When the applications are legacy
Courtesy and Copyright of David Linthicum
What’s not ready for the cloud? (more)
1. Work which depends on sensitive data normally restricted to the Enterprise
– Employee Information: not ready to move enterprise info with high sensitivity of the data into a public cloud
– Health Care Records: do not move until the security of the cloud provider is well established
2. Work composed of multiple, co-dependent services
– High throughput online transaction processing
3. Work requiring a high level of auditability, accountability and regulation
– Work subject to Sarbanes-Oxley
4. Work based on 3rd party software which does not have a cloud-aware licensing strategy
5. Work requiring detailed chargeback or utilization measurement, as required for capacity planning or departmental level billing
6. Work requiring customization (e.g. customized SaaS)
Security Questions – They go on & on…
Shared Infrastructure
• As we open up systems, can we expect the same security, reliability, & availability?
• Who are you sharing that server with?
Consumption-based pricing
• What happens if you don’t pay your bill? Do you lose your data?
• How do we control and monitor consumption?
Improved Business Continuity
• What infrastructure are the applications running on?
• What protection do we have against outages?
• What legal recourse do we have?
Massively scalable
• Where does our data reside? In a foreign country?
Mobility & Flexibility
• Will vendor relationship management hamper mobility?
• Can any “fly-by-night” coder & service be a cloud?
• Will we see service brokers emerge?
Internet-based & easily accessible
• Will the cloud enable an increase of shadow IT?
Cloud Security - Areas of Concern
• Information lifecycle management
• Governance and Enterprise Risk Management
• Compliance & Audit
• General Legal
• eDiscovery
• Encryption and Key Management
• Identity and Access Management
• Storage
• Virtualization
• Application Security
• Portability & Interoperability
• Data Center Operations Management
• Incident Response, Notification, Remediation
• "Traditional" Security impact (business continuity, disaster recovery, physical security)
Trust Time Bomb
Back to the Future: Co-existing delivery models?
Diagram: Enterprise service consumers connect through Service Integration layers to three delivery models, each hosting its own services.
• Traditional Enterprise IT: Mission Critical, Packaged Apps, High Compliancy
• Private Cloud: Test Systems, Storage Cloud, Developer Systems
• Public Clouds: Variable Storage, Software as a Service, Web Hosting
SaaS, IaaS & PaaS Public / Private Example
Security issues will occur crossing between private and public use.
Summary
• Cloud Computing is real and transformational
• Cloud Computing can be secured, but also can carry increased risk due to aggregation of assets
• Cloud needs a broad governance approach and tactical fixes
• Know that there is “no free lunch”
Bridge the chasm from now to future…
Take the time now to tackle future issues:
• Practical, technical issues are addressed
• Security issues are addressed
Confidence will increase as Cloud Computing evolves and its lifecycle becomes mainstream; hype reduces over time.
So don’t rush… think and do it right.
Cloud Security Alliance: Call to Action
Discussions & announcements on LinkedIn. Join us, help make our work better. Other research initiatives and events are being planned.
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: Cloud Security Alliance group, www.linkedin.com/groups?gid=1864210