2. Agenda
1. Background
2. Data Security
– Threatscape Evolution
– Data: The New‐new Target
– The Industrialization of Hacking
3. The Cloud – a Primer
4. Eight Steps to Securing Data in the Cloud
5. Q&A
3. Savvis Background
• Headquartered in St. Louis, Missouri
• FY 2009 Revenue of $874 million
• 28 Data Centers extending reach to US, Europe and Asia
• Tier 1 Internet backbone—ranked #4 globally (more than 20% of the IP traffic traverses our network)*
• 1.4 million square feet of raised floor space
• ~2,200 Employees
• ~2,500 unique Global Enterprise and Government Agencies
*Source: Renesys Blog, http://www.renesys.com/blog/2009/12/a‐bakers‐dozen‐in‐2009.shtml, December 31, 2009
4. Savvis Background
• Savvis has more than 2,500 unique customers worldwide including:
– 30 of Fortune’s top 100 companies
– 9 of Fortune’s top 15 commercial banks (including all 5 of the top 5)
– 9 of Fortune’s top 20 telecommunications firms
– 7 of Fortune’s top 10 software companies
– 8 of Fortune’s top 14 securities firms
5. Who is Imperva?
• A Data Security Company
• Founded in 2002 by Check Point Founder
• Headquartered in Redwood Shores CA
• Growing in R&D, Support, Sales/Channel, & PS
• Installed in 50+ Countries
• 5,000+ direct and cloud‐protected customers
– 3 of the top 5 US banks
– 3 of the top 5 Telecoms
– 3 of the top 5 specialty retailers
– 2 of the top 5 food & drug stores
19. With Great Power Comes Great Responsibility
‐ Stan Lee (Spider‐Man)
Easier access to multiple targets for attackers
A successful attack can bring down an entire service and can impact many
Risks around financially motivated attacks are amplified – i.e. extort many instead of few
More: Digitization | Access | Utility | Locations | Value | Complexity
27. Industrialized Attack Mitigation
Virtual Patching Part I
• Ideally
– Custom code is immediately fixed by programmers and the application is redeployed
– Patches for third‐party components are immediately installed
– Fixes can be applied anywhere at any time (no freeze period)
– There are never business operations that get in the way of security; the business case is always clear
• The above is of course a very romantic and unrealistic view of application development
31. Security Tops Cloud Concerns
Q: Rate the challenges/issues of the ‘cloud’/on‐demand model
(Scale: 1 = Not at all concerned; 5 = Very concerned)
Security: 87.5%
Availability: 83.3%
Performance: 82.9%
On‐demand payment model may cost more: 81.0%
Lack of interoperability standards: 80.2%
Bringing back in‐house may be difficult: 79.8%
Hard to integrate with in‐house IT: 76.8%
Not enough ability to customize: 76.0%
(% responding 3, 4, or 5)
Source: IDC eXchange, New IDC IT Cloud Services Survey: Top Benefits and Challenges, (http://blogs.idc.com/ie/?p=730) December 2009
32. What is the Biggest Barrier to Adoption of Cloud Services?
Cost/benefit unclear (23.69%)
Unknown management headaches (21.89%)
Lack of security (17.07%)
Lack of reliability (6.03%)
No standard way to switch providers (6.43%)
Limited reference cases (6.02%)
Disruption to IT org chart/politics (4.22%)
Other (13.85%)
(497 responses)
Source: Tech Target: Cloud Computing Readership Survey, 2009
33. Not All Clouds Are The Same
Multiple models. Multiple vendors. Multiple policies.
• Each cloud provider takes a different approach to security
• No official security industry standard has been ratified
• Some cloud providers do not allow vulnerability scanning
• Some cloud providers are not forthcoming about their security architectures and policies
• Compliance auditors are wary of the cloud, and are awaiting guidelines on audit testing procedures
34. What the Industry is Doing
Several initiatives are underway
Cloud Security Alliance
• A non‐profit organization formed to promote the use of standardized practices for providing security assurance within cloud computing
Center for Internet Security
• A non‐profit enterprise whose mission is to help organizations reduce risk resulting from inadequate technical security controls
PCI Security Standards Council
• Has created a special interest group (SIG) to help shape requirements for virtual‐ and cloud‐based cardholder‐data environments
NIST
• The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt cloud computing.
VMware
• Has issued guidelines for secure VM configurations and hardening.
35. Cloud Architectures and Models
ESSENTIAL CHARACTERISTICS
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On‐Demand Self‐Service
• Resource Pooling
ARCHITECTURES
• Software‐as‐a‐Service (SaaS)
• Platform‐as‐a‐Service (PaaS)
• Infrastructure‐as‐a‐Service (IaaS)
DEPLOYMENT MODELS
• Public
• Private
• Hybrid
• Community
36. Challenges In Bridging Security Requirements to the Cloud
Traditional IT
• Dedicated Compute, Storage & Network Infrastructure
• Defined Locations for Data Storage & Backup
• Proprietary Security Controls & Policies
• Compliance Standards Designed For Traditional IT
Cloud Computing
• Complex, Shared Deployment Models
• Data Location Varies
• Security Controls & Policies Defined by Service Provider
• Compliance Standards Must Be Interpreted
37. An Eight‐Step Journey To A Secure Cloud
1 Contemplate Your Application’s Suitability For The Cloud
[Figure: candidate applications, each marked with a question mark – Payment Processing Systems, ERP, Corporate CRM, Company Web Site, Test & Development, e‐Commerce]
39. An Eight‐Step Journey To A Secure Cloud
3 Determine Cloud Type (Think about applications)
Software‐as‐a‐Service (SaaS)
Infrastructure‐as‐a‐Service (IaaS)
Platform‐as‐a‐Service (PaaS)
40. An Eight‐Step Journey To A Secure Cloud
4 Select a Delivery Model (Think about data classification)
Private: • Self‐Managed
• Outsourced
Public: • Commodity
• Enterprise
Hybrid: • Private + Public
• Private + Exchange
• Private + Customer
• Cloud Bursting
41. An Eight‐Step Journey To A Secure Cloud
5 Specify Platform Architecture
[Figure: layered platform architecture diagram. Customer layer: Application, Compute Automation, API/System Call. Cloud layer: Application, VPDC, Storage & Backup, Network & Routing, Cloud OS (ex. IaaS), System Device Drivers, Virtualization vs. Dedicated (Compute, Network, Storage, Security), Data Center Ethernet Fabric]
42. An Eight‐Step Journey To A Secure Cloud
6 Specify Security Controls
Firewall
Intrusion Detection/Prevention
Log Management
Application Protection
Database Protection
Identity & Access Management
Encryption
Vulnerability Scanning
43. An Eight‐Step Journey To A Secure Cloud
7 Determine Policy Requirements
Policy Creation and Enforcement
• What are my service provider’s policies? Can I specify my own? How do they handle critical events?
Policy “Bursting”
• If I choose a cloud‐bursting model, will my policies “burst” along with my VMs?
Policy Migration
• If I contract for cloud‐based DR, will my policies migrate with my VMs?
44. An Eight‐Step Journey To A Secure Cloud
8 Determine Service Provider Requirements
Delivery‐Model Integration
Automation
Scalability
Monitoring
SLAs
Services
Security Controls
Stability
Terms
Compliance
45. Compliance & Outsourced Cloud‐Computing
• Will a “compliant service provider” make me compliant?
• What will most auditors look for?
• How does making the move to a hosted cloud‐computing environment change the way audits will occur?
46. Journey to The Cloud: Key Considerations
1. Understand your application’s applicability to the cloud
2. Classify data
3. Determine type of cloud
4. Select delivery model
5. Specify platform architecture
6. Specify security controls
7. Determine policy requirements
8. Determine service provider requirements