CS-2 Balancing Security and Risk in a Cloud Connected

Balancing Security and Risk in a
Cloud-Connected Enterprise
Anil Karmel
Founder and CEO
akarmel@c2labs.com
Cloud Forecasts
Courtesy of NIST
Vivek Kundra, Federal CIO, Cloud First Policy, 2012
(paraphrasing Sir Arthur Eddington)
“Cloud computing will not just be more innovative than we imagine; it will be more
innovative than we can imagine”.
GigaOM
• Total worldwide addressable market for cloud computing will reach
$158.8 B by 2014
• An increase of 126.5% from 2011
Gartner
• By 2016 cloud will grow to become the bulk of new IT spend
Command and Control YOUR Cloud
2013 Advanced Threat Report
Courtesy of FireEye
Relative to 2006, cyber crimes increased by 782%:
• A malware activity every 3 minutes
• 65% of attacks target financial services, healthcare,
manufacturing and entertainment
• 89% of callback activities were linked with Advanced
Persistent Threat (APT) tools made in China or by Chinese
hacker groups
NIST Cloud Computing Reference Architecture
SP 500-292
[Diagram: the five actors of the reference architecture and their components]
• Cloud Consumer
• Cloud Provider
– Cloud Orchestration: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
– Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability
• Cloud Auditor
– Security Audit; Privacy Impact Audit; Performance Audit
• Cloud Broker
– Service Intermediation; Service Aggregation; Service Arbitrage
• Cloud Carrier
Cross Cutting Concerns: Security, Privacy, etc.
Cloud Demystified
What is a Cloud Ecosystem?
[Diagram: the service stack plotted against a Security / Control axis]
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
Distributed Architecture = Split Control / Responsibilities
CLOUD ECOSYSTEM
• Cloud Clients (Browsers, Mobile Apps, etc.)
CLOUD ENVIRONMENT
• Software as a Service (SaaS) (Application, Services)
• Platform as a Service (PaaS) (APIs, Pre-built components)
• Infrastructure as a Service (IaaS) (VMs, Load Balancers, DB, etc.)
• Physical Hardware (Servers, Storage, Networking)
What you can manage…
[Diagram: the portion of the stack the consumer manages at the IaaS, PaaS and SaaS layers]
Stack image source: Cloud Security Alliance specification, 2009
Federal Agency Challenges
Modernizing IT
• Agility
– Agencies are struggling to deliver more in a fiscally and resource
constrained environment
• Flexibility
– Existing IT investments are typically problematic to reconfigure or
scale to meet new application demands
• Transparency
– Difficult to quantify the cost of optimizing legacy infrastructure to
support new applications
Federal Agency Challenges
Modernizing IT – Physical Systems
• Compute
– Physical Servers require provisioning systems that require care and
feeding
• Storage
– Stand Alone Storage and SAN environments typically need to be
manually reconfigured to meet new application demands
• Networks
– Firewalls, VPNs, Load Balancers, Routers and Switches all have
separate management interfaces that require manual reconfiguration.
How do you balance time to market, cost concerns, security, manageability
and risk in the move to a cloud-connected enterprise?
Security Perceptions
Cloud
• On Premise
– Legacy Systems
– Private Cloud
• Off Premise
– Hybrid Cloud
– Community Cloud
– IaaS, PaaS, SaaS
[Diagram: Functionality, Security and Privacy as the three axes to balance]
Security Perceptions
Mobility
• Mobile Devices
– Corporate Owned
– BYOD
• Emerging Devices
– Wearable Computing
– Internet of Things
[Diagram: Functionality, Security and Privacy as the three axes to balance]
How do we revolutionize our data centers?
Software-Defined IT
• REDEFINE CONTEXT
– Who is the user?
– What data are they trying to access?
– Where is the user and the data?
– How are they accessing the information?
Context Aware IT
Level of assurance of the data defines the required level of trust
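As an added example (not part of the deck), the rule above in working Go: the four context questions are reduced to a trust level and compared with the assurance level the data owner assigned, so the same code decides for any asset/context pair rather than for one case. The ordinal scale, the field names and the on-premise network ranges are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Level is one ordinal scale used for both the assurance a data owner assigns
// to a data set and the trust derived from a request context (constructed).
type Level int

const (
	None     Level = iota // unauthenticated or cleartext: no trust at all
	Low                   // BYOD without a second factor
	Moderate              // one strong factor missing
	High                  // authenticated with MFA, managed device, on premise
)

func (l Level) String() string { return [...]string{"None", "Low", "Moderate", "High"}[l] }

// Context answers the deck's four questions: who, what (DataAsset), where, how.
type Context struct {
	Authenticated bool   // who: identity proven by the identity provider
	MFA           bool   // who: second factor presented
	ManagedDevice bool   // how: corporate-owned or enrolled (false = BYOD)
	Transport     string // how: "tls" or "plain"
	SourceIP      string // where: requester address
}

// DataAsset is the "what": a data set and the assurance level its owner set.
type DataAsset struct {
	Name      string
	Assurance Level
}

// onPremNets are constructed example ranges standing in for agency networks.
var onPremNets = []string{"10.0.0.0/8", "192.168.0.0/16"}

func onPremise(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, cidr := range onPremNets {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

func lower(a, b Level) Level {
	if a < b {
		return a
	}
	return b
}

// TrustLevel derives trust from context. A missing factor lowers the ceiling
// rather than subtracting points, so strong factors cannot buy back a weak one.
func TrustLevel(c Context) Level {
	if !c.Authenticated || c.Transport != "tls" {
		return None
	}
	level := High
	if !c.MFA || !c.ManagedDevice || !onPremise(c.SourceIP) {
		level = lower(level, Moderate)
	}
	if !c.MFA && !c.ManagedDevice {
		level = lower(level, Low)
	}
	return level
}

// Decide applies "the level of assurance of the data defines the required level
// of trust": grant only when derived trust meets or exceeds the asset's assurance.
func Decide(c Context, d DataAsset) (bool, string) {
	trust := TrustLevel(c)
	if trust >= d.Assurance {
		return true, fmt.Sprintf("allow %s: trust %s >= assurance %s", d.Name, trust, d.Assurance)
	}
	return false, fmt.Sprintf("deny %s: trust %s < assurance %s", d.Name, trust, d.Assurance)
}

func main() {
	budget := DataAsset{Name: "FY2014 budget", Assurance: High} // constructed asset
	for _, c := range []Context{
		{Authenticated: true, MFA: true, ManagedDevice: true, Transport: "tls", SourceIP: "10.1.2.3"},
		{Authenticated: true, MFA: true, Transport: "tls", SourceIP: "203.0.113.7"},
		{Authenticated: true, MFA: true, ManagedDevice: true, Transport: "plain", SourceIP: "10.1.2.3"},
	} {
		_, why := Decide(c, budget)
		fmt.Println(why)
	}
}
```

The ceiling rule is the design choice worth noting: an unmanaged device reached over TLS with MFA from the internet never exceeds Moderate, however many other factors look good, which is what keeps BYOD access away from High-assurance data.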
New Security Reality
Cloud and Mobility
• On Premise
– Legacy Systems
– Private Cloud
• Off Premise
– Hybrid Cloud
– Community Cloud
– IaaS, PaaS, SaaS
• Mobile Devices
– Corporate Owned
– BYOD
• Emerging Devices
– Wearable Computing
– Internet of Things
[Diagram: Functionality, Security and Privacy as the three axes to balance]
DOE YOURcloud: A Cloud of Clouds approach brokering any organization, through
any device, to any service respectful of site autonomy
[Diagram: a Services Broker connecting user communities to clouds]
• Clouds: DOE Cloud (On-Premise Cloud), NNSA Cloud, Other Gov’t Agency Cloud, Public Cloud
• Users: DOE Federal Users, General Public Users, Laboratory & Plant Users, Other Gov’t Agency Users
• INSIGHT: Green & Business IT Smart Meters, PortfolioStat, Enterprise Architecture, Data Center Consolidation
• FEATURES: Virtual Desktops & Servers, Enterprise Application Store, Enterprise Certification & Accreditation
Anil Karmel | Building YOURcloud | 2013
Services Broker Enclaves
[Diagram: same layout, with Support Contractors added as a user community; Organization: DOE; SITES: On Premise Cloud, Public Cloud, DOE Cloud]
• Enclaves: Public Websites, CFO, Hypervisor, Shared Services, Open Science Network, VDI, Remediation
Cloud Brokerage
Software-Defined IT
[Diagram: a Cloud Service Broker mediating Compute and Storage across PUBLIC and PRIVATE clouds]
Command and Control YOUR Cloud
Benefits of a Cloud-Connected Enterprise
Journey to Software-Defined IT
• Agility
– Spin up new applications with ease
• Flexibility
– Dynamically scale resources based on application needs
• Transparency
– Quantify the costs of IT service delivery across your portfolio of
investments
Software-Defined IT
Balancing Security, Privacy and Functionality
• Technical
– Validate that your architecture respects multi-tenancy and scales
with an established root of trust
– Embrace Identity and Access Management to authenticate and
authorize users to context aware applications and systems
– Redefine your network perimeter
– Build intelligence into your application, not the end point
– Fork your logs to multiple entities with a baseline timestamp
– Manage your application security while quantifying the risk to it
– Encryption
  – Compute: In-Memory Encryption
  – Network: Software Defined Perimeter
  – Storage: VM and File-Level Encryption
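Added example, not from the deck, of the item "Fork your logs to multiple entities with a baseline timestamp" in Go: each record is stamped once from a single UTC clock and numbered once, serialized once, and the identical line is written to every collector, so a tenant-held copy, a provider-held copy and a third party's copy can be reconciled byte for byte; a collector that is down is reported but does not stop the copies to the others. The sink types, the field names and the sample event are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// Record is one audit event. The timestamp is taken once from a single baseline
// clock (UTC) and the identical serialized line goes to every sink, so copies held
// by different entities can later be reconciled byte for byte.
type Record struct {
	Seq    uint64 `json:"seq"`
	TS     string `json:"ts"` // RFC 3339 with nanoseconds, always UTC
	Source string `json:"src"`
	Event  string `json:"event"`
}

// ForkLogger fans each record out to several sinks, e.g. the tenant's own
// collector, the provider's collector and an independent third party.
type ForkLogger struct {
	source string
	now    func() time.Time // injectable clock; production passes time.Now
	seq    uint64
	sinks  []io.Writer
}

func NewForkLogger(source string, now func() time.Time, sinks ...io.Writer) *ForkLogger {
	return &ForkLogger{source: source, now: now, sinks: sinks}
}

// Log stamps and numbers the event once, then writes the same line to every sink.
// A failing sink is reported but never prevents the copies to the others.
func (f *ForkLogger) Log(event string) (Record, []error) {
	f.seq++
	rec := Record{Seq: f.seq, TS: f.now().UTC().Format(time.RFC3339Nano), Source: f.source, Event: event}
	line, err := json.Marshal(rec)
	if err != nil {
		return rec, []error{err}
	}
	line = append(line, '\n')
	var errs []error
	for i, s := range f.sinks {
		if _, err := s.Write(line); err != nil {
			errs = append(errs, fmt.Errorf("sink %d: %w", i, err))
		}
	}
	return rec, errs
}

// MemSink is an in-memory collector standing in for one receiving entity.
type MemSink struct{ lines []string }

func (m *MemSink) Write(p []byte) (int, error) {
	m.lines = append(m.lines, strings.TrimSuffix(string(p), "\n"))
	return len(p), nil
}

// Lines returns the records this entity received.
func (m *MemSink) Lines() []string { return m.lines }

// FailingSink models a collector that is unreachable.
type FailingSink struct{}

func (FailingSink) Write([]byte) (int, error) { return 0, errors.New("collector unreachable") }

// FixedClock pins the baseline clock to one instant so runs are reproducible.
func FixedClock(rfc3339 string) func() time.Time {
	t, err := time.Parse(time.RFC3339Nano, rfc3339)
	if err != nil {
		panic(err)
	}
	return func() time.Time { return t }
}

func main() {
	tenant, provider := &MemSink{}, &MemSink{}
	lg := NewForkLogger("web-01", time.Now, tenant, provider, FailingSink{}, os.Stdout)
	_, errs := lg.Log("login user=alice result=success") // constructed sample event
	fmt.Printf("copies: tenant=%d provider=%d failed sinks=%d\n",
		len(tenant.Lines()), len(provider.Lines()), len(errs))
}
```

Because the timestamp and sequence number are fixed before fan-out, a record missing from one entity's copy, or differing from the others, is visible as a gap or mismatch in reconciliation rather than explained away by clock skew between collectors.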
Storage Encryption with Key Management
[Diagram, courtesy Dr. Michaela Iorga, NIST: a layered stack from Client Data (Data, Voice) through UI / Web Application, Structured Data, Unstructured Data, DB, Management, Key Server (KS), VM, VMM, Storage and Physical Space, with Transport Security alongside and trust boundaries T1 through T7 marked; the security module in this model is a Hardware Sec Module]
Storage Encryption with Key Management
Different Deployment Models
[Diagram, courtesy Dr. Michaela Iorga, NIST: the same stack, second model, with a Software Sec Module; the KS and the security module each appear at two layers]
[Diagram, courtesy Dr. Michaela Iorga, NIST: the same stack, third model, with a Software Sec Module and a single KS at boundary T5]
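Added example, not from the deck or from NIST, of the separation the diagrams draw between the key server (KS) and the VM and storage layers, and of the "Storage: VM and File-Level Encryption" item on the Technical slide: envelope encryption in Go, where the VM encrypts each file under a fresh data-encryption key (DEK), the key server alone holds the key-encryption key (KEK) and wraps the DEK, and authorization is enforced when the DEK is unwrapped. Tenant IDs and the sample plaintext are constructed; AES-256-GCM is the chosen primitive, not one the diagrams specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-256-GCM with the random nonce prepended; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; tampering or a different aad fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyServer models the KS box: the only component holding the key-encryption key (KEK).
type KeyServer struct {
	kek        []byte
	authorized map[string]bool // tenant IDs allowed to unwrap; delete an entry to revoke
}

func NewKeyServer(authorized map[string]bool) (*KeyServer, error) {
	ks := &KeyServer{kek: make([]byte, 32), authorized: authorized}
	_, err := rand.Read(ks.kek)
	return ks, err
}

// Wrap uses the tenant ID as AAD, so a wrapped key copied out of one enclave cannot
// be unwrapped under another tenant's name. Tenants never see the KEK.
func (ks *KeyServer) Wrap(tenant string, dek []byte) ([]byte, error) {
	return sealGCM(ks.kek, dek, []byte(tenant))
}

// Unwrap enforces authorization; storage only ever holds wrapped keys.
func (ks *KeyServer) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	if !ks.authorized[tenant] {
		return nil, fmt.Errorf("key server: tenant %q not authorized", tenant)
	}
	return openGCM(ks.kek, wrapped, []byte(tenant))
}

// EncryptedFile is all that lands on storage (e.g. an EBS volume); neither part
// yields plaintext without the key server.
type EncryptedFile struct{ WrappedDEK, Ciphertext []byte }

// EncryptFile runs inside the VM: fresh DEK per file, encrypt, have KS wrap the DEK.
// The plaintext DEK goes out of scope here; only its wrapped form is kept.
func EncryptFile(ks *KeyServer, tenant string, plaintext []byte) (EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedFile{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(tenant))
	if err != nil {
		return EncryptedFile{}, err
	}
	wrapped, err := ks.Wrap(tenant, dek)
	return EncryptedFile{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptFile asks KS for the DEK (authorization happens there) and decrypts.
func DecryptFile(ks *KeyServer, tenant string, f EncryptedFile) ([]byte, error) {
	dek, err := ks.Unwrap(tenant, f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, f.Ciphertext, []byte(tenant))
}

func main() {
	ks, _ := NewKeyServer(map[string]bool{"doe-cfo": true}) // constructed tenant ID
	f, _ := EncryptFile(ks, "doe-cfo", []byte("FY2014 budget draft"))
	pt, err := DecryptFile(ks, "doe-cfo", f)
	fmt.Printf("owner reads %q (err=%v)\n", pt, err)
	_, err = DecryptFile(ks, "doe-openscience", f)
	fmt.Println("other tenant:", err)
}
```

Revocation is a key-management operation, not a storage one: deleting the tenant's entry from the authorization map the key server was given leaves the stored ciphertext and wrapped DEK untouched but unreadable, which is the property the split between KS and storage in the diagrams is meant to buy.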
Deployment Example
Organization: DOE
[Diagram: two YOURcloud sites]
• Open Science site: CloudLink Center, Secure VSA, YOURcloud, Terremark, vCenter, Secure VSA (On Premise)
• Shared Services site: YOURcloud, AWS, CloudLink Center, vCenter, Secure VSA, EBS Volumes
Legend: VM, Process, vSphere Client, VM Storage
Software-Defined IT
Balancing Security, Privacy and Functionality
• Legal
– Establish Clear Contract Terms and Conditions with Cloud
Service Providers
– Update Policies and Procedures
– Understand Jurisdiction for Forensics Analysis
– Define your Data Retention Periods
Software-Defined IT
Balancing Security, Privacy and Functionality
• Organization
– Design with the user in mind with security baked in, not bolted on
– Redefine your system boundaries
– Ensure people that have access to government data have the
appropriate clearance level
Thank you!
Anil Karmel, CEO
akarmel@c2labs.com
@anilkarmel