The document discusses cloud computing trends and security concerns. It begins with common definitions of cloud computing and examines growth projections for the cloud market. It then explores various cloud computing models and deployment options. The document also analyzes cloud security risks and recommendations for securing data and applications in the cloud.
2. 1. Common understanding of Cloud
2. Look at Cloud Computing Trends
3. Examine Cloud Security Concerns
4. Introduce Cloud Life Cycle
5. Cloud Security Assessment
3. The global market for "Cloud Computing" is going to increase from about $41 billion in 2011 to $241 billion in 2020 (Forrester's forecast)
The biggest growth will come from business and government moving to the Cloud
4. Answers:
A. None – No plan
B. None – Plan to in near future
C. Yes – Public Cloud
D. Yes – Private Cloud
E. Yes – Hybrid Cloud
F. Don’t know?
5. Earliest Cloud work by Amazon and Google
◦ First Cloud was Amazon EC2, released as a limited beta in August 2006
SaaS was earlier with Salesforce and NetSuite
Is there one common definition?
Observations
◦ Vendors seem to have their own definition to sell their wares
◦ Each organization seems to have its own definition
6. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
The NIST Definition of Cloud Computing
Authors: Peter Mell and Tim Grance
Version 15, 10-7-09
7. 1. On-demand self-service
Provision compute capacity without human interaction
2. Broad network access
Access systems via heterogeneous thin or thick client platforms
3. Resource pooling
Serve multiple customers using a multi-tenant model
4. Rapid elasticity
Quickly scale resources in or out based on demand
5. Measured service
Monitor resource usage and report
8. Software as a Service (SaaS) – Salesforce
◦ Use provider’s applications over a network
Platform as a Service (PaaS) – Microsoft Azure
◦ Deploy customer-created applications to a cloud
Infrastructure as a Service (IaaS) – Amazon AWS
◦ Rent processing, storage, network capacity, and other fundamental computing resources
To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics
9. Public cloud
◦ Sold to the public, mega-scale infrastructure
Private cloud
◦ Enterprise owned, leased or managed
Hybrid cloud
◦ Composition of two or more clouds
Community cloud
◦ Shared infrastructure for a specific community
10. What is needed
Self Service Portal
Service Catalog
Virtualized environment
Standardization
Streamlined service management
Advanced workflow and automated resource engine
Enhanced monitoring, asset and license management
Re-engineered processes
Security
Chargeback system
11. Savings: $40 million over 5 years
8,000 Physical Servers – 20,000 VMs
80% Virtualization with Target of 100%
Source: https://www.brighttalk.com/webcast/499/35257
12. Largest Public Clouds are Much More Efficient than Private Clouds
• ~500,000 VMs
• 25x Cisco
• Avg server cost 12% of Cisco
14. Coupa’s Software-as-a-Service (SaaS) and Amazon public cloud services are being used to deliver spend management.
Amazon Web Services houses its procurement data, invoice records, and other critical information essential for running day-to-day operations.
Coupa is integrating its cloud-based solution with the world’s leading food distributors, such as Sysco and US Foods, and the Subway EDI network.
Supports mobile devices (tablets and smartphones) to place orders and check records from any location inside their franchises or elsewhere.
When the network is fully deployed, it will handle 30,000-60,000 purchase orders a week, thousands of them within minutes, with a 99.9% SLA.
SUBWAY chose the Cloud-based system because of its intuitive user interface, which its highly diverse population of workers can adopt easily and quickly with minimal training.
Source: http://www.datamation.com/cloud-computing/subway-heads-down-the-cloud-computing-highway.html
15. City serves 425,000 citizens
Challenge to improve applications that use more powerful mapping technology
◦ With shrinking IT budget and personnel
◦ Reduce IT maintenance costs
◦ Faster time to market
◦ Improve service offerings to citizens
◦ Provide cost-effective disaster recovery
Delivered a 311 application for citizen non-emergency requests (e.g., potholes, illegal dumping, missed garbage collection, ...)
Mobile device support for Windows and iPhone
Demonstrated benefits using Cloud with Microsoft Azure
Case Study: http://www.microsoft.com/casestudies/case_study_detail.aspx?casestudyid=4000006568
16. Projected annual savings of $14.4 billion in year one of the program
Feds spend $35.7 billion annually supporting legacy applications
67% of Fed CIOs see Cloud reducing costs and improving service
64% of Fed CIOs think Cloud expands mandated telework and mobility options
Email was the first application moved to the Cloud
Chief impediments to implementing cloud services
◦ Security with 85% of responses; Agency culture was next with 38%
Source: MeriTalk http://cloudtimes.org/2011/04/18/meritalk-projects-14-4-billion-federal-cloud-savings-opportunity/
17. (Chart; figure not recoverable from the extracted text)
Source: Ovum Study http://telcocloudforum.wordpress.com/tag/software-as-a-service/
18. 2012 Trend Micro Cloud Security Global Survey
◦ Overall Cloud adoption was 59%
◦ 20% are using Private Clouds
◦ 19% are using Public Clouds
◦ 13% are using Hybrid Clouds
Cisco Study forecasts 62% of workloads in the Cloud by 2016
Source: http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns1175/Cloud_Index_White_Paper.html
20. Fortune 1000 Companies are using iPads with SaaS board portals for managing board materials
◦ e-book format makes it intuitive and easy to use
◦ Directors can access their information anywhere
Top two SaaS vendors address 74% of them
◦ #1: BoardVantage with 50% and #2: BoardBooks with 24%
These vendors have stringent security
◦ Access controls, meet industry certifications and conduct audits
Board members don’t understand the reluctance by IT to use Cloud. They want to see faster adoption and more benefits achieved.
Industry security challenge because most Cloud providers are not as mature.
21. HP Study: Business and IT on different trajectories to Cloud
◦ Business is adopting cloud 5x faster than IT
Drivers: speed, flexibility, economics
◦ CIOs are concerned about risk
Vendor lock-in
Guarantees for performance and availability
Security top of mind
Prefer integration of cloud and on-premises IT services
Stanford Technology Law Review
◦ Comprehensive research of Cloud contracts including interviews of both legal and technical teams
50% of IT and IT Security Operations are not aware of all Cloud computing resources deployed in their organization
22. A. Security
B. Data privacy and confidentiality
C. Compliance
D. Vendor lock-in
E. Governance
F. Loss of IT control and ownership
G. Business continuity
H. Other (specify)
24. Results from 2012 Trend Micro Cloud Security Global Survey (1,400 respondents from seven countries)
Question: Has your organization experienced a data security lapse or issue with the Cloud Service your company is using within the last 12 months?
Answer: (shown as a chart)
Source: http://cloudsecurity.trendmicro.com/cloud-content/us/pdfs/about/2012_global_cloud_security_survey_executive_summary.pdf
25. 1. Data loss or leakages
2. Insecure application programming interfaces
3. Malicious insiders
4. Account, service and traffic hijacking
5. Abuse and nefarious use of cloud computing
6. Unknown risk profile
7. Shared technology vulnerabilities
8. Distributed Denial of Service (DDoS)
Source: Cloud Security Alliance, Top Threats to Cloud Computing Survey Results 2012
27. Review existing security controls and approaches
With Cloud, do they need to change?
What about BYOD and borderless devices?
Security compliance processes, procedures and policies?
How do you guarantee, enforce or validate your security posture?
Logical and physical control
28. What are the providers’ security measures?
◦ Pre-contractual audit
Whose security policy?
Certifications?
Pre-contractual penetration testing allowed?
What are the ongoing audit rights?
◦ Customer
◦ Financial auditors
◦ Regulators
How are security breaches communicated?
29. Some businesses assume that once they opt to store data on outside servers they no longer have to concern themselves with safeguarding that information.
The biggest threat to data stored remotely, it turns out, may be the failure to understand who’s responsible for keeping it protected.
Joe Coyle, CTO of Capgemini North America
By Sarah Frier on April 03, 2012
Click-through Cloud services do not mean risk-free
30. Security of key management infrastructure
◦ Compromised key means compromised data
Separation of duties
◦ ACLs so admins can back up files but not view sensitive data
Availability
◦ If your key is lost, your data is cryptographically destroyed
Legal issues
◦ Hidden law enforcement requests for keys and data
◦ CIOs need to know when requests are made
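The three technical points on this slide (a compromised key is compromised data, backup admins who may copy but not read, and a lost key being a destroyed record) are shown below in an added Go example that is not part of the original deck. It is envelope encryption: each record gets its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that only a stand-in key service holds. The KeyService and Record types, the function names and the sample plaintext are assumptions made for this illustration; a real deployment keeps the KEK in an HSM or cloud KMS and logs every unwrap call, which is also where the slide's "know when requests are made" item is enforced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is all a backup admin handles: data sealed under a per-record DEK, plus that DEK sealed under the KEK.
type Record struct {
	WrappedDEK []byte // AES-256-GCM, nonce prefixed
	Ciphertext []byte // AES-256-GCM, nonce prefixed
}

// KeyService stands in for an HSM or cloud KMS: it alone holds the KEK, admins call it but never read it.
type KeyService struct {
	kek []byte // nil once destroyed; every record wrapped under it is then unrecoverable
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand.Read does not fail on a healthy system
	}
	return b
}

func NewKeyService() *KeyService { return &KeyService{kek: randBytes(32)} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a wrong key length, including a nil (shredded) key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under key with a fresh random nonce and prefixes the nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or a tampered blob.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}

// Encrypt uses a fresh DEK per record, so one exposed DEK exposes one record and only the KEK needs central guarding.
func (k *KeyService) Encrypt(plaintext []byte) (Record, error) {
	dek := randBytes(32)
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(k.kek, dek) // fails once the KEK is shredded
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then the data with the DEK. It fails closed when
// the KEK is gone or is someone else's (another tenant, or a thief holding only the blob).
func (k *KeyService) Decrypt(r Record) ([]byte, error) {
	if k.kek == nil {
		return nil, errors.New("KEK destroyed: data is cryptographically shredded")
	}
	dek, err := open(k.kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Shred zeroes and drops the KEK: on purpose it is crypto-shredding, by accident it is the "lost key, destroyed data" risk.
func (k *KeyService) Shred() {
	for i := range k.kek {
		k.kek[i] = 0
	}
	k.kek = nil
}

// BackupCopy is a backup admin's whole privilege: copy the opaque record; no key material crosses into that role.
func BackupCopy(r Record) Record {
	return Record{WrappedDEK: append([]byte(nil), r.WrappedDEK...), Ciphertext: append([]byte(nil), r.Ciphertext...)}
}
```

A record restored from BackupCopy opens only through the key service that wrapped it; a second KeyService (another tenant, or an attacker who exfiltrated the stored blob) fails the GCM tag check, a single flipped ciphertext byte is rejected the same way, and after Shred the identical blob is permanently unreadable. That last property is why KEK backup and escrow need their own availability plan, separate from the data backups.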
32. Policies, Processes, and Procedures
◦ Standardize, understand and educate
◦ Governance and regulatory requirements
◦ Continuously improve
Alignment
◦ Business unit, identify business unit stewards
◦ Project based or methodologies
◦ Annual and quarterly goal mapping
◦ SLAs to the business unit
◦ Reporting and validating back to IT management
35. Data types (classification) and monitoring
Role based access controls
Authentication, authorization and accounting
Data transit and at rest
Location and proximity of data
Work force mobility and borderless end points
On global networks, find the weakest link before an attacker does
36. Technology
◦ Leverage layer-by-layer (OSI model) technologies
◦ Diversity in defense
◦ Dashboard reporting
◦ Validate compliance
Audits
◦ Internal
◦ External
◦ Scorecard
◦ Create new policies and procedures
37. Cloud is an evolution over time. It is not a one-time event.
After an organization has standardized and is familiar with virtualization, it takes 3 to 5 years to implement their first private cloud.
Organizations pass through four stages of the Cloud Life Cycle.
38. Cloud Life Cycle (diagram). Four stages: Prepare, Experience, Engage, Manage. The activities below were attached to those stages in the original figure; the stage-to-activity grouping is not recoverable from the extracted text.
Pilot; Validate; Revise
Skills readiness; Risk assessment; Implementation plan
Application; Platform; Infrastructure; Security
Service catalog; Self-service provisioning portal; Virtualization infrastructure and management; Workflow and orchestration; Re-engineer processes
Creating a program; Governance; Contract negotiations
Service delivery; Service desk; SLAs; Vendor management; Contract; Configuration and change management; Monitoring and security; Asset and software license management; Chargeback system; Capacity management; Performance management; Life cycle management
Strategy; Assessment; Identify right Cloud Service and Deployment Models; Architect; Cloud adoption roadmap; Vendor identification and selection; TCO Analysis; Budget preparation
Client Reps & IBM GLS
40. Baseline where you are
What are your security threats?
Do you understand all your external Cloud contracts?
Do you want to control or flag Cloud purchases on credit cards?
Perform GAP analysis
Create security roadmap and program
Establish periodic audits
Barclays Banks on Cloud and Linux to slash development costs by 90% by building a private cloud. All major banks building a SAP community portal for delivering inter-bank messages
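The "flag Cloud purchases on credit cards" step of the baseline above, as an added Go example that is not part of the original deck: it classifies corporate card lines by merchant descriptor, checks each hit against the inventory of sanctioned providers, and rolls up unsanctioned spend per provider and buyer for the gap analysis. The statement lines, the merchant-descriptor patterns and the approved inventory are all constructed for the illustration; real descriptors vary by bank and region and the pattern list has to be tuned against your own feed.

```go
package main

import (
	"sort"
	"strings"
)

// Transaction is one corporate card line item (constructed layout, not any bank's export).
type Transaction struct {
	CardHolder string
	Merchant   string // merchant descriptor as printed on the statement
	AmountUSD  float64
}

// Finding is a card line that maps to a cloud provider.
type Finding struct {
	Transaction
	Provider string
	Approved bool // provider is in the sanctioned-services inventory
}

// merchantPattern ties a descriptor substring to a provider. The list is illustrative;
// real descriptors differ per bank and region and the patterns need tuning.
type merchantPattern struct{ needle, provider string }

var cloudMerchants = []merchantPattern{
	{"AMAZON WEB SERVICES", "Amazon Web Services"},
	{"AWS EMEA", "Amazon Web Services"},
	{"MSFT AZURE", "Microsoft Azure"},
	{"GOOGLE CLOUD", "Google Cloud"},
	{"DROPBOX", "Dropbox"},
	{"SALESFORCE", "Salesforce"},
	{"DIGITALOCEAN", "DigitalOcean"},
}

// Classify returns the provider behind a merchant descriptor, or "" when it does not
// look like a cloud service. The ordered slice keeps matching deterministic.
func Classify(merchant string) string {
	m := strings.ToUpper(merchant)
	for _, p := range cloudMerchants {
		if strings.Contains(m, p.needle) {
			return p.provider
		}
	}
	return ""
}

// FlagCloudPurchases returns every card line that hits a cloud provider and marks whether
// that provider is in the approved inventory. Unapproved hits are the shadow-cloud candidates.
func FlagCloudPurchases(txs []Transaction, approved map[string]bool) []Finding {
	var out []Finding
	for _, tx := range txs {
		if p := Classify(tx.Merchant); p != "" {
			out = append(out, Finding{Transaction: tx, Provider: p, Approved: approved[p]})
		}
	}
	return out
}

// ProviderSpend is the per-provider roll-up handed to the business unit that bought the service.
type ProviderSpend struct {
	Provider  string
	AmountUSD float64
	Buyers    []string
}

// UnapprovedSpend sums spend per provider missing from the inventory, largest first.
func UnapprovedSpend(findings []Finding) []ProviderSpend {
	byProvider := map[string]*ProviderSpend{}
	for _, f := range findings {
		if f.Approved {
			continue
		}
		ps, ok := byProvider[f.Provider]
		if !ok {
			ps = &ProviderSpend{Provider: f.Provider}
			byProvider[f.Provider] = ps
		}
		ps.AmountUSD += f.AmountUSD
		ps.Buyers = append(ps.Buyers, f.CardHolder)
	}
	out := make([]ProviderSpend, 0, len(byProvider))
	for _, ps := range byProvider {
		out = append(out, *ps)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].AmountUSD > out[j].AmountUSD })
	return out
}

// SampleStatement is a constructed month of card lines for the demonstration.
var SampleStatement = []Transaction{
	{"alice", "AMAZON WEB SERVICES AWS.AMAZON.CO", 812.40},
	{"bob", "DROPBOX*H2K9L DROPBOX.COM", 240.00},
	{"carol", "STARBUCKS #1234", 5.75},
	{"dave", "DIGITALOCEAN.COM", 48.00},
	{"erin", "MSFT AZURE", 1300.00},
	{"frank", "Dropbox, Inc.", 120.00},
}

// ApprovedProviders is the sanctioned inventory from the contract review (constructed).
var ApprovedProviders = map[string]bool{"Amazon Web Services": true, "Microsoft Azure": true}
```

Calling FlagCloudPurchases(SampleStatement, ApprovedProviders) and then UnapprovedSpend on the result returns Dropbox (two buyers, $360) and DigitalOcean ($48) as unsanctioned, with AWS and Azure marked approved. The same shape runs against a proxy or DNS log with a domain list in place of merchant descriptors, which is the other half of closing the gap the HP slide puts at half of IT not knowing what cloud is in use.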