Graham Silver
January 18, 2013
1. Common understanding of Cloud
2. Look at Cloud Computing Trends
3. Examine Cloud Security Concerns
4. Introduce Cloud Life Cycle
5. Cloud Security Assessment
The global market for "Cloud Computing" is going to increase from about $41 billion in 2011 to $241 billion in 2020 (Forrester’s forecast).
The biggest growth will come from business and government moving to the Cloud.
• Answers:
A. None – No plan
B. None – Plan to in near future
C. Yes – Public Cloud
D. Yes – Private Cloud
E. Yes – Hybrid Cloud
F. Don’t know?
• Earliest Cloud work by Amazon and Google
◦ First Cloud was Amazon EC2 and was released in October 2006
• SaaS was earlier with Salesforce and NetSuite
• Is there one common definition?
• Observations
◦ Vendors seem to have their own definition to sell their wares
◦ Each organization seems to have its own definition
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
The NIST Definition of Cloud Computing
Authors: Peter Mell and Tim Grance
Version 15, 10-7-09
1. On-demand self-service
◦ Provision compute capacity without human interaction
2. Broad network access
◦ Access systems via heterogeneous thin or thick client platforms
3. Resource pooling
◦ Serve multiple customers using a multi-tenant model
4. Rapid elasticity
◦ Quickly scale resources in or out based on demand
5. Measured service
◦ Monitor resource usage and report
• Software as a Service (SaaS) – Salesforce
◦ Use provider’s applications over a network
• Platform as a Service (PaaS) – Microsoft Azure
◦ Deploy customer-created applications to a cloud
• Infrastructure as a Service (IaaS) – Amazon AWS
◦ Rent processing, storage, network capacity, and other fundamental computing resources
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
• Public cloud
◦ Sold to the public, mega-scale infrastructure
• Private cloud
◦ Enterprise owned, leased or managed
• Hybrid cloud
◦ Composition of two or more clouds
• Community cloud
◦ Shared infrastructure for a specific community
What is needed
• Self Service Portal
• Service Catalog
• Virtualized environment
• Standardization
• Streamlined service management
• Advanced workflow and automated resource engine
• Enhanced monitoring, asset and license management
• Re-engineered processes
• Security
• Chargeback system
Savings: $40 million over 5 years
8,000 Physical Servers – 20,000 VMs
80% Virtualization with Target of 100%
Source: https://www.brighttalk.com/webcast/499/35257
Largest Public Clouds are Much More Efficient than Private Clouds
• ~500,000 VMs
• 25x Cisco
• Avg server cost 12% of Cisco
A. No
B. Limited
C. Most
D. All
• Coupa’s Software-as-a-Service (SaaS) and Amazon public cloud services are being used to deliver spend management.
• Amazon Web Services houses its procurement data, invoice records, and other critical information essential for running day-to-day operations.
• Coupa is integrating its cloud-based solution with the world’s leading food distributors, such as Sysco and US Foods, and the Subway EDI network.
• Supports mobile devices (tablets and smartphones) to place orders and check records from any location inside their franchises or elsewhere.
• When the network is fully deployed, it will handle 30,000-60,000 purchase orders a week, and thousands in minutes, along with a 99.9% SLA.
• SUBWAY chose the Cloud-based system because of its intuitive user interface, which its highly diverse population of workers can adopt easily and quickly with minimal training.
Source: http://www.datamation.com/cloud-computing/subway-heads-down-the-cloud-computing-highway.html
• City serves 425,000 citizens
• Challenge to improve applications that use more powerful mapping technology
◦ With shrinking IT budget and personnel
◦ Reduce IT maintenance costs
◦ Faster time to market
◦ Improve service offerings to citizens
◦ Provide cost-effective disaster recovery
• Delivered a 311 application for citizen non-emergency requests (e.g. potholes, illegal dumping, missed garbage collection …)
• Mobile device support for Windows and iPhone
• Demonstrated benefits using Cloud with Microsoft Azure
Case Study: http://www.microsoft.com/casestudies/case_study_detail.aspx?casestudyid=4000006568
• Reported annual savings of $14.4 billion in year one of the program
• Feds spend $35.7 billion annually supporting legacy applications
• 67% of Fed CIOs see Cloud reducing costs and improving service
• 64% of Fed CIOs think Cloud expands mandated telework and mobility options
• Email was the first application moved to the Cloud
• Chief impediments to implementing cloud services
◦ Security with 85% of responses; Agency culture was next with 38%
Source: MeriTalk http://cloudtimes.org/2011/04/18/meritalk-projects-14-4-billion-federal-cloud-savings-opportunity/
Source: Ovum Study http://telcocloudforum.wordpress.com/tag/software-as-a-service/
• 2012 Trend Micro Cloud Security Global Survey
◦ Overall Cloud adoption was 59%
◦ 20% are using Private Clouds
◦ 19% are using Public Clouds
◦ 13% are using Hybrid Clouds
• Cisco Study forecasts 62% production in the Cloud by 2016
Source: http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.html
http://www.cloudtweaks.com/2012/12/cloud-infographic-fresh-insights-into-cloud-adoption-trends/
• Fortune 1000 Companies are using iPads with SaaS board portals for managing board materials
◦ e-book makes it intuitive and easy to use
◦ Directors can access their information anywhere
• Top two SaaS vendors address 74% of them
◦ #1: BoardVantage with 50% and #2: BoardBooks with 24%
• These vendors have stringent security
◦ Access controls, meet industry certifications and conduct audits
• Board members don’t understand reluctance by IT to use Cloud. They want to see faster adoption and achieving more benefits.
• Industry security challenge because most Cloud providers are not as mature.
• HP Study: Business and IT on different trajectories to Cloud
◦ Business is adopting cloud 5x faster than IT
• Drivers: speed, flexibility, economics
◦ CIOs are concerned about risk
• Vendor lock-in
• Guarantees for performance and availability
• Security top of mind
• Prefer integration of cloud and on-premises IT services
• Stanford Technology Law Review
◦ Comprehensive research of Cloud contracts including interviews of both legal and technical teams
• 50% of IT and IT Security Operations are not aware of all Cloud computing resources deployed in the organization
A. Security
B. Data privacy and confidentiality
C. Compliance
D. Vendor lock-in
E. Governance
F. Loss of IT control and ownership
G. Business continuity
H. Other (specify)
• Results from 2012 Trend Micro Cloud Security Global Survey (1,400 respondents from seven countries)
Question: Has your organization experienced a data security lapse or issue with the Cloud Service your company is using within the last 12 months?
Answer:
Source: http://cloudsecurity.trendmicro.com/cloud-content/us/pdfs/about/2012_global_cloud_security_survey_executive_summary.pdf
1. Data loss or leakages
2. Insecure application programming interfaces
3. Malicious insiders
4. Account, service and traffic hijacking
5. Abuse and nefarious use of cloud computing
6. Unknown risk profile
7. Shared technology vulnerabilities
8. Distributed Denial of Service (DDoS)
Source: Top Threats to Cloud Computing Survey Results 2012
• Review existing security controls and approaches
• With Cloud, do they need to change?
• What about BYOD and borderless devices?
• Security compliance processes, procedures and policies?
• How do you guarantee, enforce or validate your security posture?
• Logical and physical control
• What are the providers’ security measures?
◦ Pre-contractual audit
• Whose security policy?
• Certifications?
• Pre-contractual penetration testing allowed?
• What are the ongoing audit rights?
◦ Customer
◦ Financial auditors
◦ Regulators
• How are security breaches communicated?
• Some businesses assume that once they opt to store data on outside servers they no longer have to concern themselves with safeguarding that information.
• The biggest threat to data stored remotely, it turns out, may be the failure to understand who’s responsible for keeping it protected.
Joe Coyle, CTO of Capgemini North America, quoted by Sarah Frier on April 03, 2012
Click-through Cloud services are not risk free.
• Security of key management infrastructure
◦ Compromised key means compromised data
• Separation of duties
◦ ACLs so admins can back up files but not view sensitive data
• Availability
◦ If your key is lost, your data is cryptographically destroyed
• Legal issues
◦ Hidden law enforcement requests for keys and data
◦ CIOs need to know when requests are made
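The four points on this slide (a compromised key exposes the data, backup admins should copy but not read, a lost key destroys the data, and someone must know who holds the key) are what envelope encryption is designed to make concrete. The following Go program is an added example written for this page, not code from the presentation or from any cloud vendor: each record is encrypted under its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that only the key-management role holds, a backup role copies the blob without ever touching a key, a wrong KEK fails to decrypt, and discarding the KEK makes the record unrecoverable (crypto-shredding). The Blob layout, the function names and the sample invoice string are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what lands in cloud storage and what a backup job copies: the
// payload encrypted under a per-record DEK, plus that DEK wrapped under the
// KEK. The field layout is an assumption made for this example.
type Blob struct {
	WrappedDEK []byte // GCM nonce || DEK encrypted under the KEK
	Ciphertext []byte // GCM nonce || payload encrypted under the DEK
}

const gcmNonceSize = 12 // standard AES-GCM nonce length

// NewKey returns a random 256-bit AES key (used for both KEKs and DEKs).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext with AES-256-GCM under key; result is nonce || ct.
func sealWith(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// openWith reverses sealWith; GCM authentication fails on a wrong key or any tampering.
func openWith(key, sealed []byte) ([]byte, error) {
	if len(sealed) < gcmNonceSize {
		return nil, errors.New("sealed data too short")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sealed[:gcmNonceSize], sealed[gcmNonceSize:], nil)
}

// Encrypt generates a fresh DEK for this record, encrypts the payload with it
// and wraps the DEK under kek. The plaintext DEK never leaves this function.
func Encrypt(kek, plaintext []byte) (*Blob, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealWith(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with kek and then opens the payload. A nil kek
// models a destroyed key: nothing inside the blob can recover the record.
func Decrypt(kek []byte, b *Blob) ([]byte, error) {
	if kek == nil {
		return nil, errors.New("no KEK: data is cryptographically destroyed")
	}
	dek, err := openWith(kek, b.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, b.Ciphertext)
}

// BackupCopy is everything the backup role needs to do: duplicate the blob
// byte for byte. It uses no key, so the ACL for that role grants none.
func BackupCopy(b *Blob) *Blob {
	return &Blob{
		WrappedDEK: append([]byte(nil), b.WrappedDEK...),
		Ciphertext: append([]byte(nil), b.Ciphertext...),
	}
}

func main() {
	kek, _ := NewKey()
	blob, _ := Encrypt(kek, []byte("invoice 4711: $12,000")) // constructed sample record
	copied := BackupCopy(blob)
	pt, err := Decrypt(kek, copied)
	fmt.Printf("key holder reads: %q (err=%v)\n", pt, err)
	_, err = Decrypt(nil, copied)
	fmt.Println("after key destruction:", err)
}
```

In a real deployment the KEK lives in an HSM or a cloud key-management service and is never exported; the unwrap step then becomes an API call by the key-holder role, and the "hidden request" question on the slide becomes a question of who can call that API and what audit log it leaves.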
• Policies, Processes, and Procedures
◦ Standardize, understand and educate
◦ Governance and regulatory requirements
◦ Continuously improve
• Alignment
◦ Business unit, identify business unit stewards
◦ Project based or methodologies
◦ Annual and quarterly goal mapping
◦ SLAs to the business unit
◦ Reporting and validating back to IT management
External 3rd party audit for compliance
Source: http://www.brighttalk.com/channel/499
• Data types (classification) and monitoring
• Role based access controls
• Authentication, authorization and accounting
• Data in transit and at rest
• Location and proximity of data
• Work force mobility and borderless end points
• Global networks need to find the weakest link
• Technology
◦ Leverage the OSI Model layer to layer technologies
◦ Diversity in defense
◦ Dashboard reporting
◦ Validate compliance
• Audits
◦ Internal
◦ External
◦ Scorecard
◦ Create new policies and procedures
• Cloud is an evolution over time. It is not a one-time event.
• After an organization has standardized and is familiar with virtualization, it takes 3 to 5 years to implement their first private cloud.
• Organizations pass through four stages of the Cloud Life Cycle.
Cloud Life Cycle diagram (four quadrants: Prepare, Experience, Engage, Manage; items listed as extracted)
Prepare / Experience
• Pilot
• Validate
• Revise
• Skills readiness
• Risk assessment
• Implementation plan
• Application
• Platform
• Infrastructure
• Security
• Service catalog
• Self service provisioning portal
• Virtualization infrastructure and management
• Workflow and orchestration
• Re-engineer processes
• Creating a program
• Governance
• Contract negotiations
Engage / Manage
• Service delivery
• Service desk
• SLAs
• Vendor management
• Contract
• Configuration and change management
• Monitoring and security
• Asset and software license management
• Chargeback system
• Capacity management
• Performance management
• Life cycle management
Client Reps & IBM GLS
• Strategy
• Assessment
• Identify right Cloud Service and Deployment Models
• Architect
• Cloud adoption roadmap
• Vendor identification and selection
• TCO Analysis
• Budget preparation
A. Prepare
B. Experience
C. Engage
D. Manage
E. Still deciding/not started
• Baseline where you are
• What are your security threats?
• Do you understand all your external Cloud contracts?
• Do you want to control or flag Cloud purchases on credit cards?
• Perform GAP analysis
• Create security roadmap and program
• Establish periodic audits
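Two of the assessment steps above, baselining where you are and flagging Cloud purchases on credit cards, address the earlier finding that half of IT and IT Security Operations are not aware of all Cloud resources deployed in the organization. The following Go program is an added example for this page, not code from the presentation or from any expense or card system: it scans corporate-card statement lines for known cloud-provider merchant descriptors, compares each hit against the inventory IT already knows about, and reports the charges that have no inventory entry together with the spend per provider. The record layout, the merchant-descriptor fragments, the inventory key format and the sample statement are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Transaction is one corporate-card statement line. The layout is an
// assumption for this example, not any bank's or expense tool's format.
type Transaction struct {
	Employee  string
	Merchant  string // descriptor exactly as printed on the statement
	AmountUSD float64
}

// Finding is a cloud charge for which IT has no matching inventory entry.
type Finding struct {
	Employee  string
	Provider  string
	AmountUSD float64
	Merchant  string
}

// cloudMerchants maps an upper-case fragment of a statement descriptor to the
// provider it identifies. Constructed for the example; a real list is built
// from the descriptors that actually appear on your statements.
var cloudMerchants = map[string]string{
	"AMAZON WEB SERVICES": "AWS",
	"AWS EMEA":            "AWS",
	"MSFT*AZURE":          "Azure",
	"GOOGLE *CLOUD":       "Google Cloud",
	"DROPBOX":             "Dropbox",
	"SALESFORCE":          "Salesforce",
}

// ProviderFor returns the cloud provider named by a merchant descriptor, or
// "" when the charge is not a known cloud merchant.
func ProviderFor(merchant string) string {
	m := strings.ToUpper(merchant)
	for fragment, provider := range cloudMerchants {
		if strings.Contains(m, fragment) {
			return provider
		}
	}
	return ""
}

// FindUnapproved flags every cloud charge whose (employee, provider) pair is
// absent from the IT-maintained inventory. Inventory keys are "employee|provider".
// Findings keep statement order so the report is reproducible.
func FindUnapproved(txs []Transaction, inventory map[string]bool) []Finding {
	var findings []Finding
	for _, tx := range txs {
		provider := ProviderFor(tx.Merchant)
		if provider == "" {
			continue // not a cloud purchase; outside this check's scope
		}
		if inventory[tx.Employee+"|"+provider] {
			continue // known and approved use
		}
		findings = append(findings, Finding{tx.Employee, provider, tx.AmountUSD, tx.Merchant})
	}
	return findings
}

// SpendByProvider totals the flagged spend per provider, which is the figure
// that goes onto the assessment baseline.
func SpendByProvider(findings []Finding) map[string]float64 {
	totals := map[string]float64{}
	for _, f := range findings {
		totals[f.Provider] += f.AmountUSD
	}
	return totals
}

// SampleStatement is a constructed set of statement lines for the demo.
func SampleStatement() []Transaction {
	return []Transaction{
		{"alice", "AMAZON WEB SERVICES AWS.AMAZON.CO", 412.50},
		{"bob", "MSFT*AZURE 800-642-7676", 97.00},
		{"carol", "DROPBOX*XY12 DROPBOX.COM", 119.88},
		{"dave", "STAPLES 0123 OFFICE SUPPLIES", 45.10},
		{"erin", "AWS EMEA SARL LUXEMBOURG", 1530.00},
	}
}

// SampleInventory is the constructed list of cloud use IT already knows about.
func SampleInventory() map[string]bool {
	return map[string]bool{"alice|AWS": true, "bob|Azure": true}
}

func main() {
	findings := FindUnapproved(SampleStatement(), SampleInventory())
	for _, f := range findings {
		fmt.Printf("UNINVENTORIED %-6s %-8s $%8.2f  (%s)\n", f.Employee, f.Provider, f.AmountUSD, f.Merchant)
	}
	for provider, total := range SpendByProvider(findings) {
		fmt.Printf("%-8s $%8.2f\n", provider, total)
	}
}
```

The output is a list of charges to investigate, not proof of a policy breach; a flagged charge may simply be an approved service that was never added to the inventory, which is itself a finding for the baseline.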
A. Disaster recovery
B. Compliance
C. Cloud management
D. Cloud bursting
E. Other (specify)
• Wishing you success in securing your Cloud
• For more information or a Cloud Security Assessment contact www.aliadocorp.com
Cloud Security Assessment Guide

  • 2. 1. Common understanding of Cloud 2. Look at Cloud Computing Trends 3. Examine Cloud Security Concerns 4. Introduce Cloud Life Cycle 5. Cloud Security Assessment 222
  • 3. The global market for “Cloud Computing” is going to increase from about $41 billion in 2011 to $241 billion in 2020 (Forrester’s forecast). The biggest growth will come from business and government moving to the Cloud.
  • 4. Answers:
      A. None – No plan
      B. None – Plan to in the near future
      C. Yes – Public Cloud
      D. Yes – Private Cloud
      E. Yes – Hybrid Cloud
      F. Don’t know
  • 5.
      - Earliest Cloud work by Amazon and Google
        ◦ First Cloud was Amazon EC2, released in October 2006
      - SaaS came earlier, with Salesforce and NetSuite
      - Is there one common definition?
      - Observations
        ◦ Vendors seem to have their own definition to sell their wares
        ◦ Each organization seems to have its own definition
  • 6.
      - Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
      - This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
      Source: The NIST Definition of Cloud Computing. Authors: Peter Mell and Tim Grance. Version 15, 10-7-09
  • 7.
      1. On-demand self-service
        ◦ Provision compute capacity without human interaction
      2. Broad network access
        ◦ Access systems via heterogeneous thin or thick client platforms
      3. Resource pooling
        ◦ Serve multiple customers using a multi-tenant model
      4. Rapid elasticity
        ◦ Quickly scale resources in or out based on demand
      5. Measured service
        ◦ Monitor resource usage and report
      Source: The NIST Definition of Cloud Computing
  • 8.
      - Software as a Service (SaaS) – Salesforce
        ◦ Use the provider’s applications over a network
      - Platform as a Service (PaaS) – Microsoft Azure
        ◦ Deploy customer-created applications to a cloud
      - Infrastructure as a Service (IaaS) – Amazon AWS
        ◦ Rent processing, storage, network capacity, and other fundamental computing resources
      - To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
      Source: The NIST Definition of Cloud Computing
  • 9.
      - Public cloud
        ◦ Sold to the public, mega-scale infrastructure
      - Private cloud
        ◦ Enterprise owned, leased or managed
      - Hybrid cloud
        ◦ Composition of two or more clouds
      - Community cloud
        ◦ Shared infrastructure for a specific community
      Source: The NIST Definition of Cloud Computing
  • 10. What is needed
      - Self-service portal
      - Service catalog
      - Virtualized environment
      - Standardization
      - Streamlined service management
      - Advanced workflow and automated resource engine
      - Enhanced monitoring, asset and license management
      - Re-engineered processes
      - Security
      - Chargeback system
  • 11.
      - Savings: $40 million over 5 years
      - 8,000 physical servers – 20,000 VMs
      - 80% virtualization, with a target of 100%
      Source: https://www.brighttalk.com/webcast/499/35257
  • 12. Largest Public Clouds are Much More Efficient than Private Clouds
      - ~500,000 VMs
      - 25x Cisco
      - Avg server cost 12% of Cisco
  • 13.
      A. No
      B. Limited
      C. Most
      D. All
  • 14.
      - Coupa’s Software-as-a-Service (SaaS) and Amazon public cloud services are being used to deliver spend management.
      - Amazon Web Services houses its procurement data, invoice records, and other critical information essential for running day-to-day operations.
      - Coupa is integrating its cloud-based solution with the world’s leading food distributors, such as Sysco and US Foods, and with the Subway EDI network.
      - Supports mobile devices (tablets and smartphones) to place orders and check records from any location inside their franchises or elsewhere.
      - When the network is fully deployed, it will handle 30,000–60,000 purchase orders a week, and thousands in minutes, along with a 99.9% SLA.
      - SUBWAY chose the Cloud-based system because of its intuitive user interface, which its highly diverse population of workers can adopt easily and quickly with minimal training.
      Source: http://www.datamation.com/cloud-computing/subway-heads-down-the-cloud-computing-highway.html
  • 15.
      - City serves 425,000 citizens
      - Challenge to improve applications that use more powerful mapping technology
        ◦ With shrinking IT budget and personnel
        ◦ Reduce IT maintenance costs
        ◦ Faster time to market
        ◦ Improve service offerings to citizens
        ◦ Provide cost-effective disaster recovery
      - Delivered a 311 application for citizen non-emergency requests (e.g. potholes, illegal dumping, missed garbage collection …)
      - Mobile device support for Windows and iPhone
      - Demonstrated benefits using Cloud with Microsoft Azure
      Case Study: http://www.microsoft.com/casestudies/case_study_detail.aspx?casestudyid=4000006568
  • 16.
      - Reported annual savings of $14.4 billion in year one of the program
      - Feds spend $35.7 billion annually supporting legacy applications
      - 67% of Fed CIOs see Cloud reducing costs and improving service
      - 64% of Fed CIOs think Cloud expands mandated telework and mobility options
      - Email was the first application moved to the Cloud
      - Chief impediments to implementing cloud services
        ◦ Security, with 85% of responses; Agency culture was next, with 38%
      Source: MeriTalk http://cloudtimes.org/2011/04/18/meritalk-projects-14-4-billion-federal-cloud-savings-opportunity/
  • 17. Source: Ovum Study http://telcocloudforum.wordpress.com/tag/software-as-a-service/
  • 18.
      - 2012 Trend Micro Cloud Security Global Survey
        ◦ Overall Cloud adoption was 59%
        ◦ 20% are using Private Clouds
        ◦ 19% are using Public Clouds
        ◦ 13% are using Hybrid Clouds
      - Cisco Study forecasts 62% of production in the Cloud by 2016
      Source: http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.html
  • 20.
      - Fortune 1000 companies are using iPads with SaaS board portals for managing board materials
        ◦ The e-book format makes it intuitive and easy to use
        ◦ Directors can access their information anywhere
      - The top two SaaS vendors address 74% of them
        ◦ #1: BoardVantage with 50% and #2: BoardBooks with 24%
      - These vendors have stringent security
        ◦ Access controls, meet industry certifications and conduct audits
      - Board members don’t understand the reluctance by IT to use Cloud. They want to see faster adoption and more benefits achieved.
      - Industry security challenge, because most Cloud providers are not as mature.
  • 21.
      - HP Study: Business and IT are on different trajectories to Cloud
        ◦ Business is adopting cloud 5x faster than IT
          - Drivers: speed, flexibility, economics
        ◦ CIOs are concerned about risk
          - Vendor lock-in
          - Guarantees for performance and availability
          - Security top of mind
          - Prefer integration of cloud and on-premises IT services
      - Stanford Technology Law Review
        ◦ Comprehensive research of Cloud contracts, including interviews of both legal and technical teams
      - 50% of IT and IT Security Operations are not aware of all Cloud computing resources deployed in the organization
  • 22.
      A. Security
      B. Data privacy and confidentiality
      C. Compliance
      D. Vendor lock-in
      E. Governance
      F. Loss of IT control and ownership
      G. Business continuity
      H. Other (specify)
  • 23.
  • 24.
      - Results from the 2012 Trend Micro Cloud Security Global Survey (1,400 respondents from seven countries)
      Question: Has your organization experienced a data security lapse or issue with the Cloud Service your company is using within the last 12 months?
      Answer:
      Source: http://cloudsecurity.trendmicro.com/cloud-content/us/pdfs/about/2012_global_cloud_security_survey_executive_summary.pdf
  • 25.
      1. Data loss or leakages
      2. Insecure application programming interfaces
      3. Malicious insiders
      4. Account, service and traffic hijacking
      5. Abuse and nefarious use of cloud computing
      6. Unknown risk profile
      7. Shared technology vulnerabilities
      8. Distributed Denial of Service (DDoS)
      Source: Top Threats to Cloud Computing Survey Results 2012
  • 26.
  • 27.
      - Review existing security controls and approaches
      - With Cloud, do they need to change?
      - What about BYOD and borderless devices?
      - Security compliance processes, procedures and policies?
      - How do you guarantee, enforce or validate your security posture?
      - Logical and physical control
  • 28.
      - What are the provider’s security measures?
        ◦ Pre-contractual audit
          - Whose security policy?
          - Certifications?
          - Pre-contractual penetration testing allowed?
      - What are the ongoing audit rights?
        ◦ Customer
        ◦ Financial auditors
        ◦ Regulators
      - How are security breaches communicated?
  • 29. Click-through Cloud services do not mean risk free
      - Some businesses assume that once they opt to store data on outside servers they no longer have to concern themselves with safeguarding that information.
      - The biggest threat to data stored remotely, it turns out, may be the failure to understand who’s responsible for keeping it protected.
      Joe Coyle, CTO of Capgemini North America. By Sarah Frier, April 03, 2012
  • 30.
      - Security of key management infrastructure
        ◦ A compromised key means compromised data
      - Separation of duties
        ◦ ACLs so admins can back up files but not view sensitive data
      - Availability
        ◦ If your key is lost, your data is cryptographically destroyed
      - Legal issues
        ◦ Hidden law enforcement requests for keys and data
        ◦ CIOs need to know when requests are made
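The three key-management points on slide 30 (compromised key = compromised data, backup admins who can copy but not read, lost key = cryptographically destroyed data) are easiest to see in a small envelope-encryption model. The following is an added example written for this page, not code from the presentation or from any vendor it mentions; the `KeyManagementService` class, the `ACL` table, the roles `app` and `backup-admin`, and the sample record are all constructed for illustration. The cipher is a stand-in built from the standard library (SHA-256 keystream plus HMAC-SHA256 integrity) so that the block runs offline; a real deployment would use AES-GCM from a vetted library and keep the master key in an HSM or cloud KMS.

```python
import hashlib
import hmac
import os
import secrets


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (demonstration construction only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Hypothetical stand-in for an HSM/KMS: master keys never leave this object."""

    def __init__(self):
        self._master = {}

    def create_master_key(self, key_id: str) -> None:
        self._master[key_id] = secrets.token_bytes(32)

    def generate_data_key(self, key_id: str):
        """Return (plaintext DEK, DEK wrapped under the master key)."""
        dek = secrets.token_bytes(32)
        return dek, encrypt(self._master[key_id], dek)

    def unwrap(self, key_id: str, wrapped_dek: bytes) -> bytes:
        if key_id not in self._master:
            # Slide 30, "Availability": no master key, no data key, no data.
            raise KeyError(f"master key {key_id!r} is gone; data under it is cryptographically destroyed")
        return decrypt(self._master[key_id], wrapped_dek)

    def destroy_master_key(self, key_id: str) -> None:
        self._master.pop(key_id, None)


# Constructed ACL (slide 30, "Separation of duties"): backup admins may copy
# records as opaque bytes, but only the application role may unwrap data keys.
ACL = {"copy_record": {"backup-admin", "app"}, "unwrap_key": {"app"}}


def check(role: str, action: str) -> None:
    if role not in ACL[action]:
        raise PermissionError(f"role {role!r} may not {action}")


def store_record(kms: KeyManagementService, key_id: str, plaintext: bytes) -> dict:
    dek, wrapped = kms.generate_data_key(key_id)
    return {"key_id": key_id, "wrapped_dek": wrapped, "ciphertext": encrypt(dek, plaintext)}


def copy_record(record: dict, role: str) -> dict:
    """Backup path: touches only ciphertext and the wrapped key, never the KMS."""
    check(role, "copy_record")
    return dict(record)


def read_record(kms: KeyManagementService, record: dict, role: str) -> bytes:
    check(role, "unwrap_key")
    dek = kms.unwrap(record["key_id"], record["wrapped_dek"])
    return decrypt(dek, record["ciphertext"])


def demo() -> dict:
    """Walk through the slide's three scenarios and report each outcome."""
    kms = KeyManagementService()
    kms.create_master_key("tenant-42")
    secret = b"constructed sample: customer 1001, card ending 4242"
    rec = store_record(kms, "tenant-42", secret)
    results = {}
    backup = copy_record(rec, "backup-admin")
    results["backup_is_ciphertext"] = backup["ciphertext"] == rec["ciphertext"] and secret not in backup["ciphertext"]
    try:
        read_record(kms, backup, "backup-admin")
        results["backup_admin_can_read"] = True
    except PermissionError:
        results["backup_admin_can_read"] = False
    results["app_can_read"] = read_record(kms, rec, "app") == secret
    kms.destroy_master_key("tenant-42")  # crypto-shredding, or an accidental key loss
    try:
        read_record(kms, backup, "app")
        results["readable_after_key_loss"] = True
    except KeyError:
        results["readable_after_key_loss"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is where the trust boundary sits: the backup copy is a faithful byte-for-byte duplicate, so backups keep working, yet the backup role never touches a master key, and once the master key is destroyed every copy of every record under it, backups included, becomes unreadable at the same instant. That is exactly why the slide files key availability under risk and not only under security.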
  • 31.
  • 32.
      - Policies, Processes, and Procedures
        ◦ Standardize, understand and educate
        ◦ Governance and regulatory requirements
        ◦ Continuously improve
      - Alignment
        ◦ Business unit: identify business unit stewards
        ◦ Project-based or methodologies
        ◦ Annual and quarterly goal mapping
        ◦ SLAs to the business unit
        ◦ Reporting and validating back to IT management
  • 33. External 3rd-party audit for compliance
      Source: http://www.brighttalk.com/channel/499
  • 34.
  • 35.
      - Data types (classification) and monitoring
      - Role-based access controls
      - Authentication, authorization and accounting
      - Data in transit and at rest
      - Location and proximity of data
      - Workforce mobility and borderless endpoints
      - Global networks need to find the weakest link
  • 36.
      - Technology
        ◦ Leverage the OSI Model, layer-to-layer technologies
        ◦ Diversity in defense
        ◦ Dashboard reporting
        ◦ Validate compliance
      - Audits
        ◦ Internal
        ◦ External
        ◦ Scorecard
        ◦ Create new policies and procedures
  • 37.
      - Cloud is an evolution over time. It is not a one-time event.
      - After an organization has standardized and is familiar with virtualization, it takes 3 to 5 years to implement its first private cloud.
      - Organizations pass through four stages of the Cloud Life Cycle.
  • 38. Cloud Life Cycle: Prepare, Experience, Engage, Manage (Client Reps & IBM GLS)
      - Prepare
        ◦ Strategy
        ◦ Assessment
        ◦ Identify right Cloud Service and Deployment Models
        ◦ Architect
        ◦ Cloud adoption roadmap
        ◦ Vendor identification and selection
        ◦ TCO Analysis
        ◦ Budget preparation
      - Experience
        ◦ Pilot
        ◦ Validate
        ◦ Revise
        ◦ Skills readiness
        ◦ Risk assessment
        ◦ Implementation plan
        ◦ Application, Platform, Infrastructure, Security
      - Engage
        ◦ Service catalog
        ◦ Self service provisioning portal
        ◦ Virtualization infrastructure and management
        ◦ Workflow and orchestration
        ◦ Re-engineer processes
        ◦ Creating a program
        ◦ Governance
        ◦ Contract negotiations
      - Manage
        ◦ Service delivery
        ◦ Service desk
        ◦ SLAs
        ◦ Vendor management
        ◦ Contract
        ◦ Configuration and change management
        ◦ Monitoring and security
        ◦ Asset and software license management
        ◦ Chargeback system
        ◦ Capacity management
        ◦ Performance management
        ◦ Life cycle management
  • 39.
      A. Prepare
      B. Experience
      C. Engage
      D. Manage
      E. Still deciding/not started
  • 40.
      - Baseline where you are
      - What are your security threats?
      - Do you understand all your external Cloud contracts?
      - Do you want to control or flag Cloud purchases on credit cards?
      - Perform a gap analysis
      - Create a security roadmap and program
      - Establish periodic audits
  • 41.
  • 42.
      A. Disaster recovery
      B. Compliance
      C. Cloud management
      D. Cloud bursting
      E. Other (specify)
  • 43.
      - Wishing you success in securing your Cloud
      - For more information or a Cloud Security Assessment contact www.aliadocorp.com

Editor's notes

  1. Note: Industry average virtualization is 46%, with a forecast of 63% in the next 12 months. Source: 2012 Trend Micro Cloud Survey
  2. Trend Micro, 1,400 companies: http://cloudsecurity.trendmicro.com/cloud-content/us/pdfs/about/2012_global_cloud_security_survey_executive_summary.pdf
  3. Barclays banks on Cloud and Linux to slash development costs by 90% by building a private cloud. All major banks are building a SAP community portal for delivering inter-bank messages.
  4. Trend Micro, 1,400 companies; BoardVantage; Diligent Boardbooks
  5. Stanford Technology Law Review, available from the CSA website.
  6. http://www.glasbergen.com/business-computer-cartoons/?album=1&gallery=48&nggpage=2
  7. Companies were limited to 500+ employees, with around 200 respondents per country
  8. Source: https://www.brighttalk.com/webcast/288/59975
  9. Source: https://www.brighttalk.com/webcast/188/57821