Your Data Center Boundaries Don’t Exist Anymore!
DESCRIPTION
In the pre-cloud era, data centers were simpler to define and restrict. As organizations move to public, private, and hybrid clouds, they have to account for internal, industrial, and government compliance initiatives and oversight that impact data center architecture and information flow. This session describes data center challenges in the Cloud Era and articulates real-life best practices to address those challenges.
TRANSCRIPT
1 © Copyright 2012 EMC Corporation. All rights reserved.
Your Data Center Boundaries Don’t Exist Anymore!
Joram Borenstein (CISSP, CISA), Director, Compliance & Risk Management, RSA, The Security Division of EMC
Agenda
Boundaries don’t exist … let me prove it to you!
A Cautionary Tale: What This Presentation is NOT About
Proof-Points (aka “Critical Issues in Oversight & Compliance”)
OK, So What’s Going On Here?
Real-Life Best Practices to Mitigate These Challenges
Conclusion: Open Questions
Boundaries
Boundaries: In Our Personal Lives
Boundaries: In Our Devices
Boundaries: Employees’ Access to Cloud
Amazon
VMWare
salesforce.com
Mozy
DropBox
EverNote
… and others
What This Presentation Is NOT About
What This Presentation is NOT About
Using Virtualization for new-fangled Data Center tricks
New Product Announcements
How to re-architect your Data Center
It is about – Compliance – Auditing – Adjustments in organizational culture
Data Center Compliance Challenges
– Visibility: Lack of visibility into servers, storage or network infrastructure
– Automation: Difficult to validate technical control measurement
– Audit: No centralized record keeping as audit trail
– Virtualization: New abstraction layers complicate compliance validation
Proof-Points
Proof: Press & Analyst Community #s
“Morgan Stanley estimates the percentage of IT departments using the public cloud to rise from 28% in 2011 to 51% by 2014.”
– (April 2012 source: http://www.marketwatch.com/story/mozy-expanding-cloud-footprint-within-enterprise-2012-04-10 )
“More Than One-Third of IT Budgets Now Spent on Cloud” – (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))
“55% ... are using cloud in some capacity today” – (Feb 2012 source: http://www.thedatachain.com/news/2012/2/mid_size_businesses_lead_the_way_in_cloud_adoption )
Proof: Start-Up Funding
No boundaries lead to … lots of concern (risk scenarios)
Thesis: basic security building blocks for clouds
Sample Companies
– CloudSwitch (now VRZN/TRMK)
– enStratus
– Vaultive
– PerspecSys
– Co3Sys
– salesforce.com (acquiring Navajo Systems)
– Gazzang
– High Cloud Security
– Many others …
Some of these are simple email encryption gateway vendors
Some assist with migration from legacy OP to cloud
Proof: An Increasing # of Certifications…
AICPA (American Institute of Certified Public Accountants)
AT 101 = Attest Engagements
3 new reporting designations (“Service Organization Control (SOC) reports”) – SOC 1 – SOC 2 – SOC 3
FYI … SAS-70 = SOC 1 = ISAE-3402
Certifications: General Questions
What does my business do?
Who are my customers?
What are they buying from me?
What sort of customer information do/will I have?
What guarantees/confidence do my customers need from my company?
What certifications do my competitors have?
What IT certifications do my financial auditors recommend I get?
Do I have an IT auditor? Should I? I thought this was only for PII and PHI data such as PCI and HIPAA?
OK, so I chose a SOC 1 … now do I need a Type 1 or a Type 2?
SOC 1 Type 2?
SOC 2 Type 1?
SOC 3?
Certifications: Data Center–Specific Questions
Am I prepared as an organization to go through an IT audit? – Do I have a consistent set of controls in place?
Can I get my DC provider to answer IT audit questions? – What does my contract allow?
Does my DC provider have its own certifications? – Which one(s)? – Do they suffice?
What is my DC architecture? – Is it still applicable? – Is the IT Auditor going to understand it? Agree with it? Allow it?
OK, So What’s Going On Here?
Do Your Own People Understand These Issues?
“In-The-Trenches” personnel – Can they articulate the changes?
Your Sales Force – Are they aware of how to talk with customers? – Of how contracts might need to change?
Your Legal Department – Are they aware of new privacy legislation? – Are they aware of new compliance needs?
Senior Management – Do they understand the risks? – Can they articulate a vision to customers, partners, and employees?
Your HR Team – “7/10 think their IT departments need to expand their skills to keep up with cloud trends.” – (April 2012, source: http://www.forbes.com/sites/joemckendrick/2012/04/11/more-than-one-third-of-it-budgets-now-spent-on-cloud-survey/ based on IDG Enterprise Cloud Computing Study (Jan 2012))
What Are the Compliance Implications?
Industrial – Consortia – Standards groups
Governmental – Within your own country – In other countries you do business in
Internal – Audit – Compliance
What Are the Regulatory Issues?
Forbidding certain countries
Scoping audits
Virtualization – … makes this more complicated for most people
“Elastic” environments
Shared equipment
What Are the Governance Issues?
Are we prepared?
Do we understand the implications?
Do our existing models still work?
Include our service providers within our governance model?
Real-Life Best Practices to Mitigate These Challenges
Real-Life Best Practices to Mitigate These Challenges
1. Educate EVERYONE
2. Re-assess contractual agreements with Service Providers
3. Keep Track of Certifications
4. Keep Track of New Legislation
5. Pick a set of controls which are adaptive
#1: Educate Everyone
Yes … this takes time
Yes … people won’t understand you at first
Especially the executives!! – Helps $ – Helps when escalations occur – Just plain helps to provide transparency
The Legal Team is your friend
Why Is This Important? – You will need these people! – Decisions across functions will be impacted by these realities – These teams will eventually have to adjust
#2: Re-Assess Contracts
With Whom? – Data Center providers – Service providers – Customers
Why? – You have new risks to consider! – Contractual language may no longer be applicable – SLAs take on new meaning in new contexts – You (might) need new protections
#3: Keep Track of New Certifications
What do your customers want?
What does your Internal Audit Team demand?
What do your IT Auditors recommend?
What do your financial auditors recommend?
What are you committed to contractually?
#4: Keep Track of New Legislation
Cloud-related legislation is appearing in many places
Here’s one recent example
European Commission (Jan 2012)
Revising the EU’s 1995 Data Protection Directive
“ ... the transfer of data to third countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.” (source: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm)
#5: Pick a Control Set(s)
Which adapts as your needs change
Which has industry support
Which makes sense for your organization
Which your customers will respect & support
Keep track of new sets coming out – e.g. HITRUST in the US is not only for healthcare
Re-visit alternative control set(s) regularly
Consider layering them on top of one another
Conclusion: Open Questions
Conclusion:
There are emerging best practices that will help in managing the “data center without boundaries”
– An effective strategy based on governance, controls and visibility is essential.
There are still lots of open questions – What impact will regulatory changes have? – How do you articulate your vision of the data center without boundaries?
Get involved – Participate in working groups from consortia and others – Attend events such as these to hear about new revelations and innovations – Comment on privacy legislation
Provide Feedback & Win!
125 attendees will receive $100 iTunes gift cards. To enter the raffle, simply complete:
– 5 session surveys – The conference survey
Download the EMC World Conference App to learn more: emcworld.com/app