Balancing Security and Risk in a Cloud-Connected Enterprise
Anil Karmel, Founder and CEO, akarmel@c2labs.com
Cloud Forecasts (Courtesy of NIST)
Vivek Kundra, Federal CIO, Cloud First Policy, 2012:
• Total worldwide addressable market for cloud computing will reach $158.8 B by 2014
• An increase of 126.5% from 2011
(paraphrasing Sir Arthur Eddington) "Cloud computing will not just be more innovative than we imagine; it will be more innovative than we can imagine." (GigaOM)
Gartner:
• By 2016 cloud will grow to become the bulk of new IT spend
2013 Advanced Threat Report (Courtesy of FireEye)
Relative to 2006, cyber crimes increased by 782%:
• A malware activity every 3 minutes
• 65% of attacks target financial services, healthcare, manufacturing and entertainment
• 89% of callback activities were linked with Advanced Persistent Threat (APT) tools made in China or by Chinese hacker groups
NIST Cloud Computing Reference Architecture (SP 500-292)
[Diagram; recoverable labels:]
• Cloud Consumer
• Cloud Provider: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Cloud Orchestration; Security; Privacy
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
• Cloud Carrier
Cross Cutting Concerns: Security, Privacy, etc.
Cloud Demystified: What is a Cloud Ecosystem?
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
• Security / Control
Distributed Architecture = Split Control / Responsibilities
CLOUD ECOSYSTEM
• Cloud Clients (Browsers, Mobile Apps, etc.)
CLOUD ENVIRONMENT
• Software as a Service (SaaS) (Applications, Services)
• Platform as a Service (PaaS) (APIs, Pre-built components)
• Infrastructure as a Service (VMs, Load Balancers, DB, etc.)
• Physical Hardware (Servers, Storage, Networking)
What you can manage…
[Diagram: IaaS, PaaS and SaaS stacks with the layers you manage marked]
Stack image source: Cloud Security Alliance specification, 2009
Federal Agency Challenges: Modernizing IT
• Agility: Agencies are struggling to deliver more in a fiscally and resource constrained environment
• Flexibility: Existing IT investments are typically problematic to reconfigure or scale to meet new application demands
• Transparency: Difficult to quantify the cost of optimizing legacy infrastructure to support new applications
Federal Agency Challenges: Modernizing IT – Physical Systems
• Compute: Physical servers require provisioning systems that require care and feeding
• Storage: Stand-alone storage and SAN environments typically need to be manually reconfigured to meet new application demands
• Networks: Firewalls, VPNs, load balancers, routers and switches all have separate management interfaces that require manual reconfiguration
How do you balance time to market, cost concerns, security, manageability and risk in the move to a cloud-connected enterprise?
Security Perceptions: Cloud
• On Premise: Legacy Systems, Private Cloud, Hybrid Cloud
• Off Premise: IaaS, SaaS, PaaS, Community Cloud
Security Perceptions: Mobility
• Mobile Devices: Corporate Owned, BYOD
• Emerging Devices: Wearable Computing, Internet of Things
How do we revolutionize our data centers? Software-Defined IT
REDEFINE CONTEXT
• Who is the user?
• What data are they trying to access?
• Where is the user and the data?
• How are they accessing the information?
Context Aware IT: the level of assurance of the data defines the required level of trust
New Security Reality: Cloud and Mobility
• On Premise: Legacy Systems, Private Cloud, Hybrid Cloud
• Off Premise: IaaS, SaaS, PaaS, Community Cloud
• Mobile Devices: Corporate Owned, BYOD
• Emerging Devices: Wearable Computing, Internet of Things
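The "redefine context" questions (who, what, where, how) combined with the device and environment categories above can be turned into an access decision in which the data's assurance level sets the trust required. The following is an added illustration, not code from the deck or from DOE; the tiers, weights and thresholds are assumptions chosen for the example.

```python
"""Context-aware access decision: the level of assurance of the data defines
the required level of trust, and the request's context establishes the trust
actually achieved.  Constructed example; tiers, weights and thresholds are
assumptions, not DOE or NIST policy."""
from dataclasses import dataclass

# Assumed data assurance tiers; higher means more sensitive.
DATA_ASSURANCE = {"public": 0, "internal": 1, "controlled": 2, "restricted": 3}
# Assumed trust contributed by the device class (corporate owned, BYOD, emerging).
DEVICE_TRUST = {"corporate": 2, "byod": 1, "wearable": 0, "iot": 0}

@dataclass
class Context:
    """Who, where and how for one request; the 'what' (data class) is passed separately."""
    user_clearance: int     # who: 0..3, assumed to mirror the data tiers
    mfa: bool               # how: was a second factor presented?
    device: str             # how: a key of DEVICE_TRUST
    user_location: str      # where: "on_premise" or "off_premise"
    data_location: str      # where: "on_premise", "private_cloud" or "public_cloud"

def achieved_trust(ctx: Context) -> int:
    """Trust established by this request, never above the user's clearance."""
    level = DEVICE_TRUST[ctx.device]
    if ctx.user_location == "on_premise":
        level += 1
    if ctx.mfa:
        level += 1
    return min(level, ctx.user_clearance)

def decide(data_class: str, ctx: Context) -> str:
    """Return 'allow', 'step_up' (a second factor would close the gap) or 'deny'."""
    required = DATA_ASSURANCE[data_class]
    # Where the data lives matters too: assumed rule that the most sensitive
    # tier is never served from a public cloud, whatever the user's context.
    if required == DATA_ASSURANCE["restricted"] and ctx.data_location == "public_cloud":
        return "deny"
    have = achieved_trust(ctx)
    if have >= required:
        return "allow"
    if not ctx.mfa and ctx.user_clearance >= required and have + 1 >= required:
        return "step_up"
    return "deny"
```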
DOE YOURcloud: A Cloud of Clouds approach brokering any organization, through any device, to any service, respectful of site autonomy
[Diagram: a Services Broker (powered by an On-Premise Cloud) connects the NNSA Cloud, DOE Cloud, Other Gov't Agency Cloud and Public Cloud to DOE Federal Users, General Public Users, Other Gov't Agency Users, Support Contractors and Laboratory & Plant Users]
INSIGHT
• Green & Business IT Smart Meters
• PortfolioStat
• Enterprise Architecture
• Data Center Consolidation
FEATURES
• Virtual Desktops & Servers
• Enterprise Application Store
• Enterprise Certification & Accreditation
Anil Karmel | Building YOURcloud | 2013
Services Broker Enclaves
[Diagram: Organization: DOE. Sites (Public Websites, CFO, Shared Services, Open Science Network) served through a Hypervisor across On Premise Cloud, Public Cloud and DOE Cloud; services shown: VDI, Compute, Storage, Remediation]
Cloud Brokerage: Software-Defined IT
[Diagram: a Cloud Service Broker mediating between PUBLIC and PRIVATE clouds]
Benefits of a Cloud-Connected Enterprise: Journey to Software-Defined IT
• Agility: Spin up new applications with ease
• Flexibility: Dynamically scale resources based on application needs
• Transparency: Quantify the costs of IT service delivery across your portfolio of investments
Software-Defined IT: Balancing Security, Privacy and Functionality
Technical
• Validate that your architecture respects multi-tenancy and scales with an established root of trust
• Embrace Identity and Access Management to authenticate and authorize users to context aware applications and systems
• Redefine your network perimeter
• Build intelligence into your application, not the end point
• Fork your logs to multiple entities with a baseline timestamp
• Manage your application security while quantifying the risk to the same
Encryption
• Compute: In-Memory Encryption
• Network: Software Defined Perimeter
• Storage: VM and File-Level Encryption
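The "fork your logs to multiple entities with a baseline timestamp" point above, shown as an added example that is not from the deck: every record is normalized to one UTC baseline and digested once, then the identical copy is delivered to each entity, so the copies can be ordered across hosts in different time zones and compared later to detect a copy that was altered or dropped. The log lines and the in-memory sinks are constructed for the example.

```python
"""Fork one log stream to several independent entities with a common baseline
timestamp.  Added illustration; log lines are constructed and the sinks are
in-memory stand-ins for, say, a site SOC and an agency-level collector."""
from datetime import datetime, timezone
import hashlib
import json

# Constructed sample: three hosts stamping records in three different local offsets.
RAW_LOGS = [
    "2013-09-10T08:15:02-06:00 host=app01 user=alice action=login result=ok",
    "2013-09-10T10:15:07-04:00 host=app02 user=bob action=read obj=/cfo/q3.xlsx",
    "2013-09-10T14:15:09+00:00 host=db01 user=svc action=query rows=120",
]

def digest_of(record: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the digest itself."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def normalize(line: str, seq: int) -> dict:
    """Rewrite a record with a UTC baseline timestamp, a sequence number and a
    digest, keeping the original stamp so nothing is lost for forensics."""
    stamp, _, rest = line.partition(" ")
    utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    record = {"ts_utc": utc.isoformat(), "seq": seq, "orig_ts": stamp, **fields}
    record["digest"] = digest_of(record)
    return record

class Sink:
    """Stand-in for a remote log receiver owned by a separate entity."""
    def __init__(self, name: str):
        self.name = name
        self.records = []
    def write(self, record: dict) -> None:
        self.records.append(dict(record))  # each entity keeps its own copy

def fork(lines, sinks) -> int:
    """Normalize each line once and deliver the identical record to every sink."""
    for seq, line in enumerate(lines, start=1):
        record = normalize(line, seq)
        for sink in sinks:
            sink.write(record)
    return len(lines)

def sinks_agree(a: Sink, b: Sink) -> bool:
    """True when both entities hold the same records in the same order; the
    digests are recomputed, so a copy edited after delivery no longer matches."""
    return [digest_of(r) for r in a.records] == [digest_of(r) for r in b.records]
```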
Storage Encryption with Key Management (Dr. Michaela Iorga | NIST)
[Three diagrams of the same stack under different deployment models. Recoverable labels: Client Data (T); Data, Voice (T1); UI / Web Application (T2); Structured Data, Unstructured Data, DBM; VM; Management; Transport, Security; VMM; Storage; Physical Space; tiers T3 through T7 marked across the lower layers. The key server (KS) sits beside a Hardware Security Module in the first model and beside a Software Security Module in the other two.]
Deployment Example
[Diagram: Organization: DOE, with Open Science and Shared Services tenants. On Premise: vSphere Client, vCenter, Secure VSA VMs, VM Storage and a CloudLink Center. YOURcloud on Terremark and on AWS: Secure VSA, vCenter, EBS Volumes, CloudLink Center. Legend: VM, Process]
Software-Defined IT: Balancing Security, Privacy and Functionality
Legal
• Establish clear contract terms and conditions with Cloud Service Providers
• Update policies and procedures
• Understand jurisdiction for forensics analysis
• Define your data retention periods
Software-Defined IT: Balancing Security, Privacy and Functionality
Organization
• Design with the user in mind, with security baked in, not bolted on
• Redefine your system boundaries
• Ensure people that have access to government data have the appropriate clearance level
Thank you!
Anil Karmel, CEO, akarmel@c2labs.com, @anilkarmel