SEC4608 Journey to Your Cloud: Governance and Security In Your Cloud
Name, Title, Company

Posted 23-Feb-2016 (uploader: ira). PowerPoint presentation transcript.

TRANSCRIPT

Page 1: SEC4608 Journey to Your Cloud:  Governance and Security In Your Cloud

SEC4608 Journey to Your Cloud: Governance and Security In Your Cloud
Name, Title, Company

Page 2

Disclaimer

This session may contain product features that are currently under development.

This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3

VMware's Role in the Cloud

VMware provides virtualization and automation technology to over 250,000 customers worldwide. Since 1998, VMware has worked with 25,000 partners to reduce IT costs, increase business agility, and provide the fundamental building blocks for the modern Cloud.

VMware Vision Team member John Steiner, a Business Solution Architect, collaborates with customers to define and communicate their roadmap to a successful virtualization strategy, bringing 15 years of total IT experience.

John brings an in-depth combination of technical knowledge and business experience to help clients design complex, actionable roadmaps for their journey to the cloud. He has been involved in designing and delivering virtualization solutions to the market for over 8 years. Prior to joining the VMware Vision team as a Solution Architect, he was an infrastructure lead and Consulting Architect for VMware professional field services.

Page 4

Agenda

• Cloud Computing and Security
• Questions to Ask and Best Practices
• Creating Your Security and Governance Plan

Page 5

Agenda: Cloud Computing and Security

Page 6

Virtualization Paves the Way to a New Era in IT

(Diagram: an era timeline of Mainframe → PC / Client-Server → Web → Cloud, with Virtualization as the step leading into Cloud.)

Cloud Computing will transform the delivery and consumption of IT services

Page 7

Security and Compliance are Key Concerns for CIOs

Q. What are the top challenges or barriers to implementing a cloud computing strategy?

Concerns about security: 67%
Concerns about access to information: 41%
Concerns about information governance: 37%
Concerns about the ability to meet enterprise and/or industry standards: 31%
Difficulty measuring ROI: 30%
Lack of clear strategy or help from key vendors in adapting their applications: 24%
Business leaders are not receptive: 14%
Employees are not receptive: 11%

Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010

Top 4 Concerns are on Security and Compliance

Page 8

Security and Compliance Concerns in Detail

Stakeholders: Infrastructure Team, Security Operations Team, Compliance Officer

Both Security and Proof of Compliance are Required to Build Trust

"How do I verify that confidential & regulated data is secure in the cloud? How do I implement compliance audits for resources in the cloud?"

"How can I manage security policies across virtual desktops, servers and networks?"

"I have too many VLANs for segmenting traffic and securing applications. I can't keep up."

Page 9

Fact

A well-defined governance and security practice, in conjunction with refined process and automation, is imperative to the success of YOUR cloud.

What does your enterprise look like from a cloud readiness perspective?

Page 10

Cloud Vision

Page 11

Vision for ITaaS/Cloud

(Diagram: each layer of the ITaaS/Cloud stack is labelled "Secured".)

Page 12

Agenda: Questions to Ask and Best Practices

Page 13

Governance and Security in Your Cloud

Traditional
• Infrastructure
• Application
• End User
• Development
• Management

New
• Virtualization
• Social Media

Core
• Security
• Governance

Page 14

Traditional Models: Applications (Legacy, Current, & New)

• What applications are eligible for Cloud?
• Will we increase our reliance on virtual networking and security appliances?
• Where will my data live? How does my security & compliance posture affect applications in the cloud?
• How will my data be transported?

Page 15

Traditional Models: Applications (Legacy, Current, & New)

• Very few applications can truly leverage the full potential in their current state
• Virtual security and networking appliances greatly increase agility in the cloud
• Trust, risk & compliance: a systematic review is required for potential policy revision
• VPN, extended private cloud

Page 16

Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)

• Do we have a defined, repeatable build process?
• What is the current security posture?
• Where will my data live?
• Will we be able to minimize data center access as a result of leveraging cloud?
• What data security regulations must be considered?
• Do we intend to move off of legacy hardware in order to better leverage the cloud? How will controls be affected?

Page 17

Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)

• Documented build standards assure repeatable, secure systems
• Security should be taking an active role in all virtualization initiatives
• Virtualized, tiered storage in private and public clouds
• Virtualization and cloud computing make near lights-out data centers a reality
• PCI, HIPAA, NSTISSP, Sarbanes-Oxley, FIPS, etc.
• Legacy system migration assures reliable, flexible, elastic computing. Controls must evolve accordingly

Page 18

Traditional Models: Development

• Software development life cycle: where is the code at any given time?
• Will Agile development methodologies impact our current security, compliance and governance processes?
• How do we assure self-service development appropriately serves the business but does not seed rogue development efforts?
• Can we create a more controlled software code repository?
• Are my developers using cloud-based development tools? Do we need to be concerned with intellectual property?

Page 19

Traditional Models: Development

• Code repository should remain in a controlled, managed state
• Build policies around acceptable usage of self-service resources; show-back mechanisms will permit distributed control
• Existing processes should be reviewed to accommodate new potential impacts
• Inventory all development models; create policies to control where development is executed

Page 20

Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)

• How will an App Store affect or change authentication and credential stores?
• Have we defined a list of approved access devices, or do we loosely manage what can connect?
• How do we secure the data both on the devices and in transport?
• Can we improve desktop and security compliance by moving our desktops into a cloud model?
• How can we protect the desktops of the future from attacks and viruses?

Page 21

Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)

• Build standard processes around acceptable application store development and distribution
• Create or modify security standards regarding mobile devices, categorized by data type, sensitivity and transport
• Security and controls can be greatly improved by leveraging standardized builds in a centralized location
• Minimal O/S virtual desktop / app store model

Page 22

New Model: Virtualization

• Do we have a virtualization-first policy, and where does the sponsorship reside?
• Have we made accommodations for virtualization in our existing processes, procedures, security and governance policies?
• Should we be leveraging virtualization to realize our BC/DR RPO/RTO requirements?

Page 23

New Model: Virtualization

• A virtualization-first policy requires executive governance to be effectively executed
• Review security and governance documentation and augment it for a virtual/cloud-based infrastructure
• Virtualization can dramatically improve BC/DR capabilities and should be leveraged at every opportunity available to meet compliance regulations

Page 24

New Models: Social Media

• Will social media play a role in our formal cloud strategy?
• Have we looked into the implications of social media and the potentially positive and/or negative impact it could have on our organization?
• Does a social media policy exist? Has it been accounted for in any other governance or compliance documentation?
• What is already out on this forum with or without our permission?
• Does social media play a role in business-critical applications or procedures?

Page 25

New Models: Social Media

• Social media should be included as a part of your cloud strategy
• Socialize and educate your staff on the opportunities presented by social media
• Create a formal social media policy that meets security and governance requirements
• An inventory of all social media outlets accessed should be created
• Identify any mission-critical process that relies on social media and plan appropriately

Page 26

Core Models: Governance

• How will cloud computing impact your current governance model?
• What is running in the cloud today outside of your enterprise governing policies?
• Can the proper controls be put into place for a corporate public cloud computing strategy?
• Are the current policies broad enough to appropriately govern a self-service, cloud-based business model?
• Is my staff appropriately educated to fully understand the implications and act on them?

Page 27

Core Models: Governance

• Comprehensively review all aspects affected by virtualization and cloud computing
• Inventory and understand all application usage patterns
• The controls can be accommodated with proactive planning and preparation
• Understand the business requirements of all service catalog items; assure existing security policies and procedures can accommodate the model
• Create centers of excellence to appropriately disseminate information across all teams affected

Page 28

Core Models: Security

• Are our scanning and intrusion policies robust enough for near real-time provisioning?
• How will our security access policies and procedures need to change?
• How should our security policies change to accommodate new data security issues?
• What kind of containment policy should be in place to stop improper activity should it occur?
• Should we consider leveraging virtual routing and firewalls as a part of our private cloud strategy?

Page 29

Core Models: Security

• Scanning processes and procedures must move to a higher level of proactivity
• ACL policies most certainly require review and design enhancement
• Stronger enforcement of data encryption for cloud database entities should exist
• Appropriate logging and access control lists must be maintained to quickly contain and avoid improper activity
• Virtual security and networking devices are key to cloud; physical controls must be extended to accommodate them

Page 30

Core Models: Management

• Is our management infrastructure beyond reactive?
• How much additional automation is required to keep up with the rapid provisioning capabilities of cloud computing?
• What is needed to move beyond proactive and into predictive?
• How will we meter resources, provide show-back and manage SLAs?

Page 31

Core Models: Management

• Enterprise monitoring components must move beyond reactive to predictive
• Automation must strive to approach 100%, which will require security and compliance to be baked in
• Create a reference architecture related to management infrastructure
• Automation is key; architect the solution prior to implementation
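The controls named on the two Security slides (encryption for cloud database entities, logging and ACLs that allow fast containment, scanning that keeps pace with self-service provisioning) and the Management slide's point that near-100% automation only works if security and compliance are baked into it can be expressed as policy-as-code checks run against the resource inventory at provisioning time. The block below is an added example for this page, not VMware code and not anything the deck itself shows. The inventory, image names, ports and thresholds (APPROVED_IMAGES, WEB_PORTS, MIN_PREFIX_LEN, MAX_SCAN_AGE, RESCAN_INTERVAL) are all constructed for illustration; the build-standard check also covers the Infrastructure slide's "documented build standards".

```python
"""Policy-as-code gap analysis over a provisioned-resource inventory.

Added example for this deck (not VMware code). It turns the controls the
security and management slides name into automated checks, so that
compliance is evaluated at provisioning speed instead of by periodic review.
Inventory, image names and thresholds are all constructed/assumed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# --- Assumed governance parameters (hypothetical; set these from your own policy) ---
APPROVED_IMAGES = {"corp-rhel7-hardened-v3", "corp-win2012r2-hardened-v2"}
WEB_PORTS = {80, 443}                 # the only ports allowed to accept wide ingress
MIN_PREFIX_LEN = 16                   # a source network wider than /16 counts as over-broad
MAX_SCAN_AGE = timedelta(hours=24)    # a vulnerability scan must follow provisioning within a day
RESCAN_INTERVAL = timedelta(days=7)   # and be repeated at least weekly
CONTROLS = ("build-standard", "encryption", "logging", "acl", "scanning")

# Fixed clock so the example is reproducible (the deck was posted 23-Feb-2016).
NOW = datetime(2016, 2, 23, 12, 0, tzinfo=timezone.utc)

# Constructed sample inventory: hypothetical resources, not real systems.
INVENTORY = [
    {"id": "db-01", "type": "database", "image": "corp-rhel7-hardened-v3",
     "encrypted_at_rest": True, "logging": True,
     "ingress": [{"cidr": "10.20.0.0/16", "port": 5432}],
     "provisioned": "2016-02-22T08:00:00Z", "last_scan": "2016-02-22T09:30:00Z"},
    {"id": "db-02", "type": "database", "image": "corp-rhel7-hardened-v3",
     "encrypted_at_rest": False, "logging": True,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 5432}],
     "provisioned": "2016-02-23T11:00:00Z", "last_scan": None},
    {"id": "web-07", "type": "vm", "image": "ubuntu-cloud-latest",
     "encrypted_at_rest": True, "logging": False,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}],
     "provisioned": "2016-02-20T00:00:00Z", "last_scan": "2016-02-20T00:30:00Z"},
    {"id": "app-03", "type": "vm", "image": "corp-rhel7-hardened-v3",
     "encrypted_at_rest": True, "logging": True,
     "ingress": [{"cidr": "172.16.0.0/12", "port": 22}],
     "provisioned": "2016-02-21T00:00:00Z", "last_scan": None},
]


def _ts(value):
    """Parse the inventory's ISO-8601 UTC timestamps; None (never scanned) passes through."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_resource(res, now=NOW):
    """Return (resource id, control, detail) findings for one resource."""
    findings = []
    rid, rtype = res["id"], res["type"]

    # Build standard: only documented, hardened images may be provisioned.
    if res["image"] not in APPROVED_IMAGES:
        findings.append((rid, "build-standard", "image %r is not an approved build" % res["image"]))

    # Data security: cloud database entities must be encrypted at rest.
    if rtype == "database" and not res["encrypted_at_rest"]:
        findings.append((rid, "encryption", "database is not encrypted at rest"))

    # Logging is what containment relies on; it must be on everywhere.
    if not res["logging"]:
        findings.append((rid, "logging", "logging is disabled"))

    # ACL review: databases never accept wide ingress; other tiers only on web ports.
    for rule in res["ingress"]:
        wide = ipaddress.ip_network(rule["cidr"]).prefixlen < MIN_PREFIX_LEN
        if wide and (rtype == "database" or rule["port"] not in WEB_PORTS):
            findings.append((rid, "acl", "over-broad ingress %s to port %d" % (rule["cidr"], rule["port"])))

    # Scanning must keep pace with self-service provisioning: a scan within
    # MAX_SCAN_AGE of build (resources still inside that window are not flagged),
    # then a rescan at least every RESCAN_INTERVAL.
    provisioned, scanned = _ts(res["provisioned"]), _ts(res["last_scan"])
    if scanned is None:
        if now > provisioned + MAX_SCAN_AGE:
            findings.append((rid, "scanning", "never scanned; scan deadline passed"))
    elif now - scanned > RESCAN_INTERVAL:
        findings.append((rid, "scanning", "last scan is older than %s" % RESCAN_INTERVAL))
    return findings


def gap_analysis(inventory, now=NOW):
    """Run every check and roll findings up per control: the gap analysis as data."""
    findings = [f for res in inventory for f in check_resource(res, now)]
    gaps = dict.fromkeys(CONTROLS, 0)
    for _, control, _ in findings:
        gaps[control] += 1
    return findings, gaps


if __name__ == "__main__":
    findings, gaps = gap_analysis(INVENTORY)
    for rid, control, detail in findings:
        print("%-7s %-15s %s" % (rid, control, detail))
    print("\ngaps per control:", gaps)
```

Each finding names the control it violates, so the per-control totals are the gap analysis the Next Steps slide asks for, produced from inventory rather than drawn by hand. The scan check is where the near real-time provisioning point shows: db-02 was built an hour before the fixed clock and is still inside its scan window, so it is flagged for encryption and ACL but not for scanning, while app-03, two days old and never scanned, is. Wide ingress is treated as a finding for a database tier unconditionally and for other tiers only off the web ports, which is the ACL review the Security slide calls for rather than a blanket ban.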

Page 32

Agenda: Creating Your Security and Governance Plan

Page 33

Next Steps

• Create a visual representation of your environment and how governance and security will be affected
• Create a visual gap analysis for reference which easily identifies key areas of strength and needs for improvement
• A holistic view of what is truly required from a governance, compliance and security perspective to safely leverage both a private and public cloud infrastructure
• Build a roadmap to close these gaps

Page 34

Your Cloud Security Architecture

(Diagram: On-Demand Self-Service, with Flexibility, Portability and Elasticity, built on the model areas Governance, Management, Infrastructure, Applications, Development, Virtualization, End User Computing, Security and Social Media.)


Page 37

Implications of Failure

FAILURE = BAD

Failure to prepare for the rules of this new compute model will result in either an inability for IT to meet business needs or an environment that lacks the controls and measures necessary to appropriately secure the enterprise

Page 38

Final Thoughts

• Understand the business drivers before making technology decisions
• Heat map your entire IT infrastructure in order to forecast bumps in the road well before you reach them
• Set reasonable goals in an actionable roadmap
• Outline a holistic view of what is truly required from a governance, compliance and security perspective to safely leverage both a private and public cloud infrastructure