UC Cloud Computing Security

Download UC Cloud Computing Security

Post on 30-Nov-2014




1 download

Embed Size (px)


Dean Jones has more than a 24-year track record in understanding technology-business interface, identifying & aligning clients technology needs with products & services, and solving complex problems. He has a successful and diverse background spanning technical, operational management, project delivery, and strategy development disciplines underscores expertise in engaging decision makers and devising winning strategies and solutions.


<ul><li> 1. BDPA DALLASMay 31st Program MeetingUC Cloud ComputingSecurityDean Jones, EngagementManager Infrastructure As A Service (IAAS)</li></ul><p> 2. Discussion Topics Potential Security Breaches &amp; Associated Cost Cloud Computing and Topology SIP UC Cloud / IAAS Topology Case Studies 3. Potential Security Breaches 4. The Cost of Unsecured Hosted and Private UC Environments.One Successful TollFraud Attack $40,000 5. A crisis of complexity. The need for progress is clear.Global Annual Server Spending(IDC)300 Power and cooling costsManagement and admin costs250New system spend200Uncontrolled management150and energy costs100 50 Steady CAPEX spend$0BTo make progress, delivery organizations must address the server, storageand network operating cost problem, not just CAPEX Source: IBM Corporate Strategy analysis of IDC data 5 Cloud Computing 6. Perimeter defense is essential But it doesnt guard data against the human factorLost or Intellectual property exposed to competitorsstolen Sensitive customer data compromiseddevices Competitive information leaked to the mediaExposed Extracts pulled for processing and reportingbusiness Circulating data across organizationsprocesses Workarounds during system outagesMalicious Malware deployed within the networkinsiders Intentional misuse of company information Identity theft and Industrial espionageCareless use Viruses unwittingly downloaded at homeof the Unsecured archives or copies of datacorporate Uncontrolled circulation of classified documents or personal e-mail messagesnetwork 7. Increased collaboration brings increased complexityand increased risk.Foes, Gremlins, andBananaPeelsCoffee ShopHotels HomeBusiness Inadequate, disjointed PartnersSupply technology managementChain 8. Many companies expend resources on thenetwork without achieving the expected results. A piecemeal approach to network security and updates leads to an overly complex infrastructure Time-consuming to pinpoint causes of performance problems, especially for newly added voice and video applications that impact traditional mission-critical applications Difficult to determine the best way to optimize costs and performance Hardto estimate future expenditures and justify current costs Almost impossible to predict capacity requirements accurately Through 2011, enterprises will waste $100 billion buyingthe wrong networking technologies and services3 Unnecessary technologies Excess bandwidth Unwarranted upgrades 3 Gartner, Gartners Top Predictions for IT Organizations and Users, 2007 and Beyond, Daryl C. Plummer and others, December 2006. 9. Ponemon Institutes Security Breach Studies Ponemon Institutes released two separate reports, The First Annual Cost of Cyber CrimeStudy (PDF), which was sponsored by ArcSight, The Leaking Vault (PDF) released today bythe Digital Forensics Association, both showing troubling findings for companies finances: a median cost of $3.8 million for an attack per year, including all costs, from detection,investigation, containment, and recovery to any post-response operations. out of 2,807 publicly disclosed data breaches worldwide during the past five years, the costto the victim firms as well as those whose information was exposed reached $139 billion. nearly half of all of the reported breaches came from a laptop, which in 95 percent of thecases is stolen hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9million covered in the report, although hacks represent only about 16 percent of the databreaches Web-borne attacks, malicious code, and malicious insiders are the most costly types ofattacks, making up more than 90 percent of all cybercrime costs per organization per year A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders,100,300 USD. 10. Cloud Security Breach Examples Google Doc allowed shared permission without userknowledge http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&amp;hl=en Salesforce.com phishing attack led to leak of a customer list;subsequent attacks http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html Vasrev.com Webhost hack wipes out data for 100,000 sites http://www.theregister.co.uk/2009/06/08/webhost_attack/ Twitter company files leaked in Cloud Computing securityfailure / http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure DDoS attack that downed Twitter also hit Facebook http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_ 2009-08-07 11. UCCloud Computing Securityand Topology 12. Cloud: Consumption &amp; Delivery Models Optimized by Workload Cloud is:Cloud enables: A new consumption Self-serviceand delivery modelinspired by consumer Sourcing optionsInternet services. Economies-of-scale Cloud Services Cloud Computing ModelCloud represents:Multiple Types of Clouds will co-exist: The Industrializationof Private, Public and HybridDeliveryfor IT Workload and/orsupported Services Programming Model Specific 15 Cloud Computing 13. Is cloud computing really new? Yes, and No.Cloud computing is a new consumptionand delivery model inspired by consumerInternet services. Cloud computing exhibitsUsage TrackingWeb 2.0the following 5 key characteristics:On-demand self-serviceUbiquitous network accessEnd User FocusedLocation independent resource pooling Service VirtualizationRapid elasticity Automation&amp; SOAPay per useWhile the technology is not new, the enduser focus of self-service, self-managementleveraging these technologies is new. Cloud Computing 14. Today there are three primary delivery models that companies are implementing for cloud Enterprise Public TraditionalPrivateCloudsEnterprise IT CloudHybrid CloudPrivate CloudHybrid CloudPublic CloudIT activities/functions are provided asInternal and externalIT activities/functions are provideda service, over an intranet, within theservice delivery as a service, over the Internetenterprise and behind the firewallmethods areintegrated, with Key features:Key features include:activities/functions Scalability Scalabilityallocated to based on Automatic/rapid provisioning Automatic/rapid provisioning security Standardized offerings Chargeback ability requirements, criticality, Consumption-based pricing. Widespread virtualizationarchitecture and other Multi-tenancyestablished policies.Source: IBM Market Insights, Cloud Computing Research, July 2009.Cloud Computing 15. Security Implications of the Delivery Models 16. Cost savings and faster time to value are theleading reasons why companies consider cloudTo what degree would each of these factors induce you to acquire public cloud services?Pay only for what we use Hardware savingsReducecostsSoftware licenses savings Lower labor and IT 77%support costs Lower outside maintenance costsTake advantage of latest functionality Faster time tovalueSimplify updating/upgrading Speed deployment72% Scale IT resources to meet needs ImproveImprove system reliability reliability Improve system availability 50% Respondents could rate multiple drivers itemsSource: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090 UC Cloud Computing 17. Managing Cloud Adoption Cloud economics can be compelling Small companies will adopt as reliable, easy-to-use services are available Scale economics are within reach of many enterprises Client migration will be work load driven Trade-off is value vs. risk of migration Workload characteristics are critical New workloads will emerge as cloud makes them affordable (e.g. pervasive analytics, Smart Healthcare)21 Cloud Computing 18. Elements that Drive Cloud Efficiency andInfrastructure EconomicsVirtualization ofDrives lower capital Leverage Hardware requirementsUtilization ofVirtualized environments Infrastructure only get benefits of scaleif they are highly utilized Clients who can serveSelf Servicethemselves require lesssupport and get servicesLeverage Labor Automation ofTake repeatable tasks and Management automate Standardization ofMore complexity =Workloads less automation possible= people needed 19. Enterprise Benefits from Cloud ComputingCapability From ToServer/Storage 10-20%Cloud accelerates70-90%Utilization business valueSelf serviceNone across a wide Unlimited variety ofTest ProvisioningWeeks domains. Minutes Change Months Days/Hours ManagementRelease WeeksMinutes ManagementFixed costMetering/Billing GranularmodelStandardization Complex Self-Service Payback periodYears Monthsfor new services Legacy environments Cloud enabled enterpriseCloud Computing 20. Clients told us their implementation strategies public or private Cloud, present or future for 25 specific workloads Analytics Data mining, text mining, or other analytics Data warehouses or data marts Development and testing Transactional databases Development environment Analytics Test environmentDevelopment Business Servicesand Test CRM or Sales Force Automation e-mail ERP applications Industry-specific applications Infrastructure Business Services Application servers Application streaming Collaboration Business continuity/disaster recovery Audio/video/web conferencingInfrastructure Data archiving Unified communications Data backup VoIP infrastructure Data center network capacityCollaboration Security Desktop and devices Servers Desktop Storage Service/help desk Training infrastructure WAN capacityDesktop andDevicesSource: IBM Market Insights, Cloud Computing Research, July 2009. 21. Clients cite "push factors" for and "barriers" against cloud adoption for each workload typeBarriers Higher propensity Data privacy orregulatory and for cloudcompliance issues Fluctuating demandHigh level of Internal Highly standardizedcontrol required applicationsAccessibility and Modular,reliability are a independentconcern applicationsCost is not a concernUnacceptably Lower propensityhigh costs for cloudPush factorsSource: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090 22. IT needs to become smarter about deliveringservices and service management Standardized processes Service management systems provide visibility, control and automation Lower operational costs and higher productivity optimizingworkloads Rate and degree of standardization of IT and business services Complex transaction and information management processes Rapid return-on-investment and productivity gains deploymentchoices New models are emerging for the enterprise Self-service, economies-of-scale, and flexible sourcing options New choices of deployment define these new models Analytics Collaboration Development Desktop and Infrastructure Business and TestDevicesServices 23. Focus on Managing Services End to End Service Management Architectural and process level integration that delivers business aligned Visibility, Control and Automation of all Data Center Elements Modular, Self-Modular, Self-Legacy Environment : contained, ScalableNON IBM Solutionscontained, ScalableWorkload DeliveryRequiring workloadWorkload DeliveryPlatform connectivityPlatformServiceServiceServiceManagement Management ManagementWORKLOAD A WORKLOAD BWORKLOAD C + + ++MobilityFacilities ProductionTechnology CommunicationsInfrastructureInfrastructure InfrastructureInfrastructure Infrastructure 24. 3 options to deploy workloads providing you the choice to meet your business needs! Smart Business Services cloud services delivered. 1. Standardized serviceson the cloud Public Cloud. 2. Private cloud services,built and/or run by Private Cloud. Smart Business Systems purpose-built infrastructure. 3. Integrated Service Delivery PlatformAnalyticsCollaboration Development Desktop andInfrastructure Business and TestDevices Services 25. SIP UC Cloud / IAAS Topology 26. Renovate &amp;Innovate How do we address the immediate pressure to cut costs, reduce risk andcomplexity? How do we Innovate to take advantage of new opportunities?How can we do both at the same time? We focus on delivering services in new ways - lowering cost while increasingspeed and flexibility! 27. Additional Security Concerns The significant security concerns for this typeof deployment are mainly SIP/SCCP/H.323 callcontrol and application level attacks alongwith: Attacks originating from a peering network End user Spam attacks Border control and traversal issues Handling of domain policies 28. High-level Cloud Security concerns Data SecurityLess ControlMigrating workloads to aMany companies and governments shared network andare uncomfortable with the idea of compute infrastructuretheir information located on increases the potential for systems they do not control.Providers must offer a high degreeunauthorized exposure.of security transparency to help Authentication and access put customers at ease. technologies become Reliability increasingly important.High availability will be a key concern. IT departments will worry about a loss of service should outages occur.Mission critical applications may not run in the cloud without strongavailability guarantees. ComplianceComplying with SOX, HIPPA, PCI DSS, FERPA Security ManagementProviders must supply easy,and other regulations may visual controls to manage prohibit the use of cloudsfirewall and security for some applications. settings for applications andComprehensive auditing runtime environments in the capabilities are essential. cloud. 29. Inherent Technology Threats 30. Cloud Security 101: Simple ExampleTODAY TOMORROW? ??? ?We Have Control ?Who Has Control?Its located at X. Where is it located?Its stored in servers Y, Z.Where is it stored?We have backups in place.Who backs it up?Our admins control access. Who has access?Our uptime is sufficient.How resilient is it?The auditors are happy.How do auditors observe?Our security team is engaged.How does our security team engage?Lesson Learned: We have responded to these questions beforeclouds demand fast, responsive, agile answers. 31. SIP Trunk Requirements Contd 32. Key Benefits of UC Cloud ComputingSecurity 33. Case Studies 34. The Cost Benefits of a SIP Deployment 35. Return on Security Investment Return on Security Investment factors Single Loss Expectancy (SLE) Dollar amount assigned to event Annualized Rate of Occurrence (ARO) Estimated frequency of event Annualized Loss Expectancy (ALE) SLE x ARO = ALE 36. Theft of Service Assumptions Large Enterprise with 500 SIP trunks 50% average utilization Without SIP trunk security Billing rate 2 / min Event forces theft of 20% of average utilized trunks SLE = 20% x 250 x 2 = $ 1/min ARO = 365 days x 24 hours x 60 min = events/year ALE = 365 x 24 hours 60 min x $1 = $525,600 With UC Security -protected SIP Trunk VOIP Vulnerability Assessment Best practices Comprehensive UC security 37. Theft of Service Business CaseUnprotected SIP TrunkProtected SIP TrunkItemQty Unit Cost T...</p>