Core Requirements for Security In The Cloud
Bob Gourley                                 March 2011


                        Find this brief at http://crucialpointllc.com
About This Presentation
•  A focus on the requirements users and CIOs
   are placing on cloud security

•  Goal: provide help to users who need to
   articulate security requirements and
   provide help to cloud providers who should
   anticipate those requirements



Context on Secure Cloud Computing
•  New Reality: Cloud based continuous services that connect to
   us all and appliance-like connected devices enabling us to
   interact with these services.

•  Including Private Clouds, Public Clouds, Edge Clouds and a
   spectrum in between.

•  Driven by functionality improvements, but also cost, agility
   and security benefits.

•  Security benefits will only come with planning and work.
   Without planning and work, security becomes a nightmare.
Planning for Cloud Computing Security
•  Cyber Security includes all steps required to ensure mission
   effectiveness: information confidentiality, integrity, availability.

•  These are all made harder in environments that are complex
   and rapidly changing.

•  Cloud computing introduces even more changes to this
   environment. Without planning, the risk will go up.

•  However, if done right, with planning, Cloud Computing holds
   the potential of dramatically enhancing security.


  “Complexity Kills: Complexity sucks the life out of users, developers and IT. Complexity
    makes products difficult to plan, build, test and use. Complexity introduces security
    challenges. Complexity causes administrator frustration.” – Ray Ozzie at ozzie.net
Security Issues with the Cloud
•  Moving to cloud gives you the chance to clean up from the past and prep
   for the future. So do it! But do it with awareness of security issues.

•  Security Issues:

    •  Multi-Tenancy: requires secure access and separation of user
       allocated cloud resources

    •  Availability: If you are using a cloud it better be there

    •  Confidentiality: Will you be putting all your eggs in one discoverable
       basket? Will you protect data in transit? Will you protect data on the
       processor?

    •  Integrity: Will you ensure your data is not changed?
Multi Tenancy
•  Multi-Tenancy: requires secure access and separation of user allocated
   cloud resources
     •  Clouds have multiple concurrent users from disparate and possibly
        competitive organizations.
     •  Even users from the same organization may need tight
        separation; for example, HR and Finance have data that must be
        protected.
     •  Development organizations may have software development efforts
        that could be impacted if secure boundaries are not in place.
     •  The lack of secure boundaries is slowing cloud adoption and is a key
        missing feature of most cloud offerings.
     •  Issues to address:
          •  Assurance of underlying systems comprising the cloud, including
             assurance of their proper provisioning and segmentation
          •  Secure access to and separation of user allocated cloud
             resources with sign-on and security provided separate from the
             applications hosted in the cloud
Availability
•  Availability: If you are using a cloud it better be there
    •  Assured comms
    •  Assured always up servers
    •  An ability to reach users at their place of work.
    •  For many, an ability to reach users wherever they are.
    •  There are tight ties to the requirements of confidentiality
       and integrity, but additional planning is required to ensure
       always on protected availability in the face of threats and
       outages.
    •  Make availability part of your agreement with your cloud
       provider. And have plans for working through outages that
       impact your cloud provider.
Confidentiality
•  Confidentiality: Will you be putting all your eggs in one discoverable
   basket? Will you protect data in transit? Will you protect data on the
   processor?
    •  Strong identity management that protects and authorizes.
    •  Knowledge of who in your cloud provider can access your cloud.
    •  Comms security not only to and from the cloud but within the cloud
       and between virtual machines.
    •  Accreditation of deployment such that one can assure your cloud is
       operating according to business policies and upholding regulated
       governance (e.g., SOX, HIPAA, FISMA etc).
    •  Encryption of data in motion and data at rest
    •  Consider new means of storing/obfuscating stored data, such as
       Cleversafe
    •  Understand the type of processors that operate on your data and the
       mechanisms in place on the servers to ensure no tampering with or
       monitoring of data while it is being processed. Make this awareness a
       requirement. Understand how your provider watches for malicious
       code
Integrity
•  Integrity: Will you ensure your data is not changed?
    •  Of course encryption of data at rest and data in motion
    •  Backups
    •  Smart use of checks/hashes/backups to ensure data is not
       tampered with.
    •  Checks through repeatability: the same operation on the
       same data should always produce the same results.
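
The checks/hashes/backups and repeatability bullets above, worked through as an added example (not part of the original deck): a keyed manifest of object hashes is kept outside the cloud, an audit reports modified, missing and unexpected objects, and a restore only accepts backup copies that still match the manifest. The key, object names and contents are constructed for illustration.

```python
# Added example: keyed integrity manifest for objects held in cloud storage.
# All names, paths and data below are constructed for illustration.
import hashlib
import hmac
import json

SAMPLE_KEY = b"constructed-demo-key-kept-outside-the-cloud"
SAMPLE_OBJECTS = {
    "hr/payroll.csv": b"id,salary\n1,50000\n",
    "finance/ledger.csv": b"date,amount\n2011-03-01,100\n",
    "dev/build.cfg": b"optimize=true\n",
}


def digest(data):
    """SHA-256 of one object's bytes, as hex."""
    return hashlib.sha256(data).hexdigest()


def _tag(entries, key):
    # Canonical JSON so the same entries always serialize to the same bytes
    # (the repeatability property: same input, same result).
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(objects, key):
    """Record a hash per object and authenticate the whole list with an HMAC."""
    entries = {name: digest(objects[name]) for name in sorted(objects)}
    return {"entries": entries, "tag": _tag(entries, key)}


def audit(manifest, key, store):
    """Compare what the provider returns (store) against the manifest."""
    # A plain hash list stored next to the data can be rewritten along with
    # the data; the HMAC tag detects a manifest that was altered as well.
    if not hmac.compare_digest(_tag(manifest["entries"], key),
                               manifest.get("tag", "")):
        raise ValueError("manifest tag mismatch: the manifest itself was altered")
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest["entries"].items():
        if name not in store:
            report["missing"].append(name)
        elif hmac.compare_digest(digest(store[name]), expected):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(store) - set(manifest["entries"]))
    return report


def restore(manifest, key, store, backup):
    """Repair damaged objects from backup, but only with verified copies."""
    report = audit(manifest, key, store)
    restored, unrecoverable = [], []
    for name in report["modified"] + report["missing"]:
        copy = backup.get(name)
        if copy is not None and hmac.compare_digest(
                digest(copy), manifest["entries"][name]):
            store[name] = copy
            restored.append(name)
        else:
            # The backup is absent or was itself tampered with.
            unrecoverable.append(name)
    return {"restored": sorted(restored), "unrecoverable": sorted(unrecoverable)}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_OBJECTS, SAMPLE_KEY)
    store = dict(SAMPLE_OBJECTS)
    store["finance/ledger.csv"] = b"date,amount\n2011-03-01,999\n"  # tampered
    del store["hr/payroll.csv"]                                     # lost
    print(audit(manifest, SAMPLE_KEY, store))
    print(restore(manifest, SAMPLE_KEY, store, dict(SAMPLE_OBJECTS)))
```
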
Concluding Thoughts
•  Seek independent audit of your cloud provider and the many checks they
   will have in place to ensure your confidentiality, availability, integrity in the
   face of multi-tenancy.

•  ISO27001, SAS70 and similar standards might not be keeping up. But
   they are a start, since they provide the foundation for third party audit.

•  Ask hard questions about all your requirements. What responsibility does
   the provider have to notify users when a requirement is not met?

•  What guarantees do you have?

•  If you are a user, articulate your requirements

•  If you are a provider, anticipate your requirements
The Meta Requirement




The Absence of unmitigatable surprise
Questions/Comments?




Please help with your thoughts/input/questions
E-mail: bob@crucialpointllc.com

Blog: http://ctovision.com

Twitter: http://www.twitter.com/bobgourley

Facebook, Plaxo, LinkedIn, etc: See the blog.
Disruptive Security Tech
Bob Gourley
                     March 2011
Thesis of this Presentation
•  Technology really matters

  –  People and process are critical too, of course,
     but it is criminal to neglect the technical piece




Goal of this Presentation
•  Tell you about technologies you might not
   know about yet

  –  So I’m not going to talk about those great
     firms like ArcSight, Netwitness, Symantec.




Methodologies

•  Understanding Realities of Enterprise IT
•  Winners of: RSA, SINET, American Security Challenge
•  CTOVision.com Disruptive IT List (75 Firms)
•  Tracking R&D of Big IT firms and investment from VC
•  A list of exemplars in Security
The Candidates
•  3VR – Video analytics.
•  Akamai – Web acceleration and content delivery across the fabric.
•  AdaptivEnergy – Capture energy from vibrations.
•  Appistry - Deploy apps across a grid; Computational Storage
•  ArcSight - Network and security management. Bought by HP. Still a player in demand.
•  Aster Data – Specialized DBMS with built-in MapReduce for high-end analytics.
•  Basis Technology - Foreign language document and media exploitation.
•  Bit9 – New models dramatically enhancing security through application whitelisting
•  Bluecat Networks – Total management and optimization of all things IP.
•  Brightcove – Enhancing, dramatically, how enterprises manage and disseminate video.
•  Cloudshield – One of only two companies that can protect nets at line rate speeds.
•  Cloudera – Providing support to open source and specialized software that makes Hadoop ready for the enterprise.
•  Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
•  Centrifuge Systems – Fast visual analytics via multiple modes.
•  Cipheroptics – network and data encryption
•  Destineer Studios – Advanced immersive environments.
•  Endeca - Next-generation information retrieval and analysis through advanced search and guidance navigation.
•  Endgame Systems – Cloud-based botnet and malware detection.
•  EnterpriseDB - Enterprise Postgres. Leader in open source database products/services/support.
•  FireEye - Botnet protection.
•  FMS – Analysis.
•  Forterra Systems - Distributed virtual world technologies for the enterprise.
•  FortiusOne - Next generation intelligent mapping.
•  Fortinet - Integration of multiple security technologies.
•  ForgeRock - Full solution stack based on top quality open source software.
•  Fusion-IO – Extremely fast and high capacity SSD
•  GainSpan – WiFi enablement.
•  Geosemble – Map people, places, things using data from RSS feeds and tweets.
•  Greenplum – Massively parallel database. High volume SQL transactions for MapReduce
•  Global Velocity – Hardware based DLP
•  Hardcore Computer – Blade server with total liquid submersion technology.
•  iMove - Imaging and immersive video for wide area and geospatial surveillance.
•  Infinite Power Solutions – Thin-film batteries to power RFID.
•  Image Tree Corp – Figure out what is growing on the earth.
•  Invincea – Device protection by wrapping the browser.
•  Janya – Multilingual Semantic Analysis.
•  Koolspan – High quality mobile voice encryption.
•  KNO – They assert they are for education, but CTOs in enterprises everywhere should watch this one.
•  Liquid Machines - Primarily Enterprise Rights Management. Key product is “Document Control 6.0”. Others in this area include IBM, EMC, Adobe. Member of SISA alliance.
•  LensVector – Taking moving parts out of cameras.
•  Looxie – Bluetooth Camcorder. Imagine the impact on enterprise business models (and IT).
•  Malden Labs – Fast/smart/modern delivery of content and apps to any device.
•  MarkLogic – New, smarter ways of storing, searching, acting on and displaying information.
•  MetaCarta - Geospatial data extraction and transformation
•  Network Integrity Systems – Protected Distribution Systems
•  Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
•  Narus – Unified IP Management and Security. Bought by Boeing. Still a player.
•  Nicira – Could be the future of network virtualization.
•  Object Video - Business intelligence from video.
•  Oculis Labs – Data obfuscation at the user’s screen.
•  piXlogic - Image segmentation and search. Visual Search Engine.
•  Perceptive Pixel - Multi-touch interaction with data visualizations.
•  Permabit – Embedded high performance OEM data optimization software.
•  Polychromix - Miniature analysis tools for mobile labs.
•  Previstar - An Intelligent Resource and Information Management system designed to automate National Incident Management guidelines for preparedness, response and recovery.
•  Proofpoint – Enhanced email security, email archiving and DLP for enterprises.
•  Quantum4D - Advanced visual analysis.
•  Qynergy – New battery technology.
•  Rapid7 – Automating security testing including vulnerability testing.
•  Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
•  SenseNetworks – Dramatic use of location data to create useful information. Consumer apps provide heat maps of cities. Enterprise capabilities provide important analytics.
•  StreamBase – Capture and analyze data in stream.
•  Sonitus Medical – hear from your teeth.
•  SpaceCurve – A new kind of database enabling large scale analytics and effortless indexing (Gourley is on their advisory board).
•  Spotfire - Enterprise analytics for business intelligence. Analytics for every user in the enterprise.
•  Splunk – Dramatically enhanced IT search.
•  Tableau – Great, fast, interactive visualizations.
•  ThingMagic – Advanced RFID solutions.
•  Thetus - Knowledge modeling and discovery
•  Touch Table - Interact with data and visualizations by hand
•  Traction Software - Enterprise hypertext collaboration.
•  Triumfant - Enterprise class compliance, reporting, remediation (Gourley is on their advisory board).
•  TSRI - Move legacy code to the future fast.
•  Twiki – Enterprise agility platform.
•  Visible Technologies – Analysis.
•  Zafesoft – Discover, classify and secure enterprise data with ease of control. Prevent data leaks, including leaks by malicious insiders.
•  Some capabilities under evaluation in our CTOlabs:
     •  QlikView
     •  Decision Lens

The IT Powerhouses
•  There are so many things going on at the big companies it is hard to keep track. Also, they all are looking for innovation and frequently buy to keep the innovation flowing in. So this is a dynamic area to say the least. It is also an area very hard to sum up in a few words. But here goes:
•  Adobe - Adobe Acrobat Connect and many related collaborative tools.
•  Cisco - Far more than networking gear, now a collaboration powerhouse. IRIS.
•  Citrix - On demand computing, including virtualization of desktops and servers.
•  EMC - Growing through acquisition and internal innovation. Real powerhouse in grid computing and end to end enterprise solutions. No longer just a storage company.
•  HP – Also growing through acquisition and internal R&D/innovation. End to end enterprise solutions including automation. Networking. Recently bought ArcSight.
•  IBM - Continuing to modernize. Will move into the mashup space. Continuing to innovate internally and through acquisition. BigFix is a key example.
•  Intel – The primary business is producing chips (silicon innovation) but they field solutions for many other parts of the ecosystem. Recently bought McAfee.
•  Microsoft - Large investments in R&D. Beginning to move to open standards/open source. Win 7 will be a huge hit, with enhancements to functionality and security. Now a player in Mobile with Windows 7 for Mobile.
•  Oracle - Innovating by buying the best. Stand by for disruptions by forced integrations resulting in positive forward movement. Services for open source. Currently supporting Solaris and MySQL, but many wonder about their commitment to those.
•  SAP (and Business Objects and Inxight) - Business intelligence. SAP has not stopped re-inventing itself and is a SOA leader.
•  Symantec - Their core business is security but this is broadly defined as ensuring enterprise functionality.
•  VMware - Virtualization leader.
•  These companies are also tracked on the CTOvision.com Tech Titan List

Some Open Source Disruptors
•  Red Hat - with commercially supported Linux
•  Alfresco - Enterprise content management in an open source framework.
•  Talend – Open Source ETL and data integration.
•  Cloudera – Open Source around Hadoop, as well as some key licensable IP.
•  ForgeRock - Full solution stack based on top quality open source software. Pure play open source.
•  Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
Disruptive Security Categories
Stopping Malware


Hardware Based IT Security


OS Based IT Security


Network Based Security


Discovering Bad Actors
Disruptive Security Exemplars
Stopping Malware
•  Invincea: Winner of RSA security innovator award
•  Bit9: New methods of application whitelisting
•  FireEye: Botnet protection

Hardware Based IT Security
•  Intel vPro: Immediately enhances manageability/security

OS Based IT Security
•  Windows 7: Upgrade now and enable BitLocker

Network Based Security
•  Cloudshield: DPI and action over net traffic

Discovering Bad Actors
•  Endeca: Discovery and iterative examination
•  Hadoop: Facebook-scale analytics

Other Hot Ones:
•  RedSeal
•  Cleversafe
•  GlobalIDs
•  Silvertail
•  Veracode
Questions/Comments?
Find me at CTOvision.com

IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeGovCloud Network
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in CyberspaceGovCloud Network
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessGovCloud Network
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture   Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture GovCloud Network
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonGovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition   Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition   Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle  (BCL)  Guide (Draft)DoD Business Capability Lifecycle  (BCL)  Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefGovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS  - Kevin L. JacksonIntrusion Detection on Public IaaS  - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

Plus de GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture   Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition   Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition   Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle  (BCL)  Guide (Draft)DoD Business Capability Lifecycle  (BCL)  Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS  - Kevin L. JacksonIntrusion Detection on Public IaaS  - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

110307 cloud security requirements gourley

  • 1. Core Requirements for Security In The Cloud
      Bob Gourley, March 2011
      Find this brief at http://crucialpointllc.com
  • 2. About This Presentation
      •  A focus on requirements users and CIOs are placing for cloud security
      •  Goal: provide help to users who need to articulate security requirements and provide help to cloud providers who should anticipate those requirements
  • 3. Context on Secure Cloud Computing
      •  New Reality: Cloud based continuous services that connect to us all and appliance-like connected devices enabling us to interact with these services.
      •  Including Private Clouds, Public Clouds, Edge Clouds and a spectrum in between.
      •  Driven by functionality improvements, but also cost, agility and security benefits.
      •  Security benefits will only come with planning and work. Without planning and work, security becomes a nightmare.
  • 4. Planning for Cloud Computing Security
      •  Cyber Security includes all steps required to ensure mission effectiveness - Information confidentiality, integrity, availability.
      •  These are all made harder in environments that are complex and rapidly changing.
      •  Cloud computing introduces even more changes to this environment. Without planning, the risk will go up.
      •  However, if done right, with planning, Cloud Computing holds the potential of dramatically enhancing security.
      “Complexity Kills: Complexity sucks the life out of users, developers and IT. Complexity makes products difficult to plan, build, test and use. Complexity introduces security challenges. Complexity causes administrator frustration.” – Ray Ozzie at ozzie.net
  • 5. Security Issues with the Cloud
      •  Moving to cloud gives you the chance to clean up from the past and prep for the future. So do it! But do it with awareness of security issues
      •  Security Issues:
          •  Multi-Tenancy: requires secure access and separation of user allocated cloud resources
          •  Availability: If you are using a cloud it better be there
          •  Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
          •  Integrity: Will you ensure your data is not changed?
  • 6. Multi Tenancy
      •  Multi-Tenancy: requires secure access and separation of user allocated cloud resources
      •  Clouds have multiple concurrent users from disparate and possibly competitive organizations.
      •  Even those from all the same organizations may have a need for tight separation, for example, HR and Finance have data that must be protected.
      •  Development organizations may have software development efforts that could be impacted if secure boundaries are not in place.
      •  The lack of secure boundaries is slowing cloud adoption and is a key missing feature of most cloud offerings.
      •  Issues to address:
          •  Assurance of underlying systems comprising the cloud, including assurance of their proper provisioning and segmentation
          •  Secure access to and separation of user allocated cloud resources with sign-on and security provided separate from the applications hosted in the cloud
  • 7. Availability
      •  Availability: If you are using a cloud it better be there
      •  Assured comms
      •  Assured always up servers
      •  An ability to reach to users at their place of work.
      •  For many, an ability to reach to users wherever they are.
      •  There are tight ties to the requirements of confidentiality and integrity, but additional planning is required to ensure always on protected availability in the face of threats and outages.
      •  Make availability part of your agreement with your cloud provider. And have plans for working through outages that impact your cloud provider.
  • 8. Confidentiality
      •  Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
      •  Strong identity management that protects and authorizes.
      •  Knowledge of who in your cloud provider can access your cloud.
      •  Comms security not only to and from the cloud but within the cloud and between virtual machines.
      •  Accreditation of deployment such that one can assure your cloud is operating according to business policies and upholding regulated governance (e.g., SOX, HIPAA, FISMA etc).
      •  Encryption of data in motion and data at rest
      •  Consider new means of storing/obfuscating stored data, such as Cleversafe
      •  Understand the type of processors that operate on your data and the mechanisms in place on the servers to ensure no tampering with or monitoring of data while it is being processed. Make this awareness a requirement. Understand how your provider watches for malicious code
  • 9. Integrity
      •  Integrity: Will you ensure your data is not changed?
      •  Of course encryption of data at rest and data in motion
      •  Backups
      •  Smart use of checks/hashes/backups to ensure data not tampered with.
      •  Checks through repeatability: the same operation on the same data should always produce the same results.
  • 10. Concluding Thoughts
      •  Seek independent audit of your cloud provider and the many checks they will have in place to ensure your confidentiality, availability, integrity in the face of multi-tenancy.
      •  ISO27001, SAS70 and similar standards might not be keeping up. But they are a start, since they provide the foundation for third party audit.
      •  Ask hard questions about all your requirements. What responsibility does the provider have to notify users when a requirement is not met?
      •  What guarantees do you have?
      •  If you are a user, articulate your requirements
      •  If you are a provider, anticipate your requirements
  • 11. The Meta Requirement
      The Absence of unmitigatable surprise
  • 13. Please help with your thoughts/input/questions
      E-mail: bob@crucialpointllc.com
      Blog: http://ctovision.com
      Twitter: http://www.twitter.com/bobgourley
      Facebook, Plaxo, LinkedIn, etc: See the blog.
  • 14. Disruptive Security Tech
      Bob Gourley, March 2011
  • 15. Thesis of this Presentation
      •  Technology really matters
          –  People and process are critical too, of course, but it is criminal to neglect the technical piece
  • 16. Goal of this Presentation
      •  Tell you about technologies you might not know about yet
          –  So I’m not going to talk about those great firms like ArcSight, Netwitness, Symantec.
  • 17. Methodologies
      Understanding Realities of Enterprise IT Winners of: RSA CTOVision.com SINET Disruptive IT List A list of exemplars in American Security Security Challenge (75 Firms) Tracking R&D of Big IT firms and investment from VC
  • 18. The Candidates
      •  3VR – Video analytics.
      •  Akamai – Web acceleration and content delivery across the fabric.
      •  AdaptivEnergy – Capture energy from vibrations.
      •  Appistry - Deploy apps across a grid; Computational Storage
      •  ArcSight - Network and security management. Bought by HP. Still a player in demand.
      •  Aster Data – Specialized DBMS with built-in MapReduce for high-end analytics.
      •  Basis Technology - Foreign language document and media exploitation.
      •  Bit9 – New models dramatically enhancing security through application whitelisting
      •  Bluecat Networks – Total management and optimization of all things IP.
      •  Brightcove – Enhancing, dramatically, how enterprises manage and disseminate video.
      •  Cloudshield – One of only two companies that can protect nets at line rate speeds.
      •  Cloudera – Providing support to open source and specialized software that makes Hadoop ready for the enterprise.
      •  Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
      •  Centrifuge Systems – Fast visual analytics via multiple modes.
      •  Cipheroptics – network and data encryption
      •  Destineer Studios – Advanced immersive environments.
      •  Endeca - Next-generation information retrieval and analysis through advanced search and guidance navigation.
      •  Endgame Systems – Cloud-based botnet and malware detection.
      •  EnterpriseDB - Enterprise Postgres. Leader in open source database products/services/support.
      •  FireEye - Botnet protection.
      •  FMS – Analysis.
      •  Forterra Systems - Distributed virtual world technologies for the enterprise.
      •  FortiusOne - Next generation intelligent mapping.
      •  Fortinet - Integration of multiple security technologies.
      •  ForgeRock - Full solution stack based on top quality open source software.
      •  Fusion-IO – Extremely fast and high capacity SSD
      •  GainSpan – WiFi enablement.
      •  Geosemble – Map people, places, things using data from RSS feeds and tweets.
      •  Greenplum – Massively parallel database. High volume SQL transactions for MapReduce
      •  Global Velocity – Hardware based DLP
      •  Hardcore Computer – Blade server with total liquid submersion technology.
      •  iMove - Imaging and immersive video for wide area and geospatial surveillance.
      •  Infinite Power Solutions – Thin-film batteries to power RFID.
      •  Image Tree Corp – Figure out what is growing on the earth.
      •  Invincea – Device protection by wrapping the browser.
      •  Janya – Multilingual Semantic Analysis.
      •  Koolspan – High quality mobile voice encryption.
      •  KNO – They assert they are for education, but CTOs in enterprises everywhere should watch this one.
      •  Liquid Machines - Primarily Enterprise Rights Management. Key product is “Document Control 6.0”. Others in this area include IBM, EMC, Adobe. Member of SISA alliance.
      •  LensVector – Taking moving parts out of cameras.
      •  Looxie – Bluetooth Camcorder. Imagine the impact on enterprise business models (and IT).
      •  Malden Labs – Fast/smart/modern delivery of content and apps to any device.
      •  MarkLogic – New, smarter ways of storing, searching, acting on and displaying information.
      •  MetaCarta - Geospatial data extraction and transformation
      •  Network Integrity Systems – Protected Distribution Systems
      •  Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
      •  Narus – Unified IP Management and Security. Bought by Boeing. Still a player.
      •  Nicira – Could be the future of network virtualization.
      •  Object Video - Business intelligence from video.
      •  Oculis Labs – Data obfuscation at the user’s screen.
      •  piXlogic - Image segmentation and search. Visual Search Engine.
      •  Perceptive Pixel - Multi-touch interaction with data visualizations.
      •  Permabit – Embedded high performance OEM data optimization software.
      •  Polychromix - Miniature analysis tools for mobile labs.
      •  Previstar - An Intelligent Resource and Information Management system designed to automate National Incident Management guidelines for preparedness, response and recovery.
      •  Proofpoint – Enhanced email security, email archiving and DLP for enterprises.
      •  Quantum4D - Advanced visual analysis.
      •  Qynergy – New battery technology.
      •  Rapid7 – Automating security testing including vulnerability testing.
      •  Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
      •  SenseNetworks – Dramatic use of location data to create useful information. Consumer apps provide heat maps of cities. Enterprise capabilities provide important analytics.
      •  StreamBase – Capture and analyze data in stream.
      •  Sonitus Medical – hear from your teeth.
      •  SpaceCurve – A new kind of database enabling large scale analytics and effortless indexing (Gourley is on their advisory board).
      •  Spotfire - Enterprise analytics for business intelligence. Analytics for every user in the enterprise.
      •  Splunk – Dramatically enhanced IT search.
      •  Tableau – Great, fast, interactive visualizations.
      •  ThingMagic – Advanced RFID solutions.
      •  Thetus - Knowledge modeling and discovery
      •  Touch Table - Interact with data and visualizations by hand
      •  Traction Software - Enterprise hypertext collaboration.
      •  Triumfant - Enterprise class compliance, reporting, remediation (Gourley is on their advisory board).
      •  TSRI - Move legacy code to the future fast.
      •  Twiki – Enterprise agility platform.
      •  Visible Technologies – Analysis.
      •  Zafesoft – Discover, classify and secure enterprise data with ease of control. Prevent data leaks, including leaks by malicious insiders.
      •  Some capabilities under evaluation in our CTOlabs:
          •  QlikView
          •  Decision Lens
      The IT Powerhouses
      •  There are so many things going on at the big companies it is hard to keep track. Also, they all are looking for innovation and frequently buy to keep the innovation flowing in. So this is a dynamic area to say the least. It is also an area very hard to sum up in a few words. But here goes:
      •  Adobe - Adobe Acrobat Connect and many related collaborative tools.
      •  Cisco - Far more than networking gear, now a collaboration powerhouse. IRIS.
      •  Citrix - On demand computing, including virtualization of desktops and servers.
      •  EMC - Growing through acquisition and internal innovation. Real powerhouse in grid computing and end to end enterprise solutions. No longer just a storage company.
      •  HP – Also growing through acquisition and internal R&D/innovation. End to end enterprise solutions including automation. Networking. Recently bought ArcSight.
      •  IBM - Continuing to modernize. Will move into the mashup space. Continuing to innovate internally and through acquisition. BigFix is a key example.
      •  Intel – The primary business is producing chips (silicon innovation) but they field solutions for many other parts of the ecosystem. Recently bought McAfee.
      •  Microsoft - Large investments in R&D. Beginning to move to open standards/open source. Win 7 will be a huge hit, with enhancements to functionality and security. Now a player in Mobile with Windows 7 for Mobile.
      •  Oracle - Innovating by buying the best. Stand by for disruptions by forced integrations resulting in positive forward movement. Services for open source. Currently supporting Solaris and MySQL, but many wonder about their commitment to those.
      •  SAP (and Business Objects and Inxight) Business intelligence. SAP has not stopped re-inventing itself and is a SOA leader.
      •  Symantec - Their core business is security but this is broadly defined as ensuring enterprise functionality.
      •  VMware - Virtualization leader.
      •  These companies are also tracked on the CTOvision.com Tech Titan List
      Some Open Source Disruptors
      •  Red Hat - with commercially supported Linux
      •  Alfresco - Enterprise content management in an open source framework.
      •  Talend – Open Source ETL and data integration.
      •  Cloudera – Open Source around Hadoop, as well as some key licensable IP.
      •  ForgeRock - Full solution stack based on top quality open source software. Pure play open source.
      •  Nexenta – Open Solaris power and the usability of Linux. Enterprise class storage (ZFS based)
  • 19. Disruptive Security Categories
      •  Stopping Malware
      •  Hardware Based IT Security
      •  OS Based IT Security
      •  Network Based Security
      •  Discovering Bad Actors
  • 20. Disruptive Security Exemplars
      Stopping Malware
      •  Invincea: Winner of RSA security innovator award
      •  Bit9: New methods of application white listing
      •  FireEye: Botnet protection
      Hardware Based IT Security
      •  Intel vPro: Immediately enhances manageability/security
      OS Based IT Security
      •  Windows 7: Upgrade now and enable bit-locker
      Network Based Security
      •  Cloudshield: DPI and action over net traffic
      Discovering Bad Actors
      •  Endeca: Discovery and iterative examination
      •  Hadoop: Facebook-scale analytics
      Other Hot Ones:
      •  RedSeal
      •  Cleversafe
      •  GlobalIDs
      •  Silvertail
      •  Veracode
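
The Integrity slide (slide 9) asks for "smart use of checks/hashes" and for checks through repeatability. The sketch below is an added example, not part of the original slides: it builds a keyed (HMAC-SHA256) manifest before upload and classifies what comes back from the provider. The key stays with the data owner, because an unkeyed hash stored beside the data can be recomputed by whoever changes the data. All object names, contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample data: the key stays with the data owner, never with the provider.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_OBJECTS = {
    "hr/payroll.csv": b"id,salary\n1,52000\n2,61000\n",
    "finance/ledger.csv": b"date,amount\n2011-03-01,1200\n",
    "dev/build.log": b"build 417 ok\n",
}


def object_tag(key, name, data):
    """HMAC-SHA256 over the object's name and content."""
    encoded = name.encode("utf-8")
    mac = hmac.new(key, digestmod=hashlib.sha256)
    # Length prefix keeps ("ab", b"c") and ("a", b"bc") from producing the same tag.
    mac.update(len(encoded).to_bytes(4, "big"))
    mac.update(encoded)
    mac.update(data)
    return mac.hexdigest()


def _seal(key, entries):
    """HMAC over the whole entry table, so entries cannot be edited or dropped."""
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(key, objects):
    """Deterministic: the same key and data always yield the same manifest."""
    entries = {name: object_tag(key, name, data) for name, data in objects.items()}
    return json.dumps({"entries": entries, "seal": _seal(key, entries)}, sort_keys=True)


def verify_retrieved(key, manifest_json, retrieved):
    """Compare retrieved objects with the manifest and classify each name."""
    manifest = json.loads(manifest_json)
    entries = manifest["entries"]
    if not hmac.compare_digest(_seal(key, entries), manifest["seal"]):
        raise ValueError("manifest seal does not verify; the manifest itself was changed")
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name in sorted(entries):
        if name not in retrieved:
            report["missing"].append(name)
        elif hmac.compare_digest(entries[name], object_tag(key, name, retrieved[name])):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(retrieved) - set(entries))
    return report


def tampered_copy():
    """Constructed retrieval: one object altered, one gone, one never uploaded."""
    changed = dict(SAMPLE_OBJECTS)
    changed["hr/payroll.csv"] = changed["hr/payroll.csv"].replace(b"52000", b"92000")
    del changed["finance/ledger.csv"]
    changed["finance/ledger-v2.csv"] = b"date,amount\n2011-03-01,9900\n"
    return changed


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_KEY, SAMPLE_OBJECTS)
    print(json.dumps(verify_retrieved(SAMPLE_KEY, manifest, tampered_copy()), indent=2))
```

Because the object name is bound into each tag, two intact objects served under each other's names are both reported as modified.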