CS-2 Balancing Security and Risk in a Cloud Connected

Report
Balancing Security and Risk in a
Cloud-Connected Enterprise
Anil Karmel
Founder and CEO
[email protected]
Cloud Forecasts
Courtesy of NIST
Vivek Kundra, Federal CIO, Cloud First Policy, 2012
(paraphrasing Sir Arthur Eddington)
“Cloud computing will not just be more innovative than we imagine; it will be more
innovative than we can imagine”.
GigaOM
• Total worldwide addressable market for cloud computing will reach
$158.8 B by 2014
• An increase of 126.5% from 2011
Gartner
• By 2016 cloud will grow to become the bulk of new IT spend
Command and Control YOUR Cloud
2013 Advanced Threat Report
Courtesy of FireEye
Relative to 2006, cyber crimes increased by 782%:
• A malware activity every 3 minutes
• 65% of attacks target financial services, healthcare,
manufacturing and entertainment
• 89% of callback activities were linked with Advanced
Persistent Threat (APT) tools made in China or by Chinese
hacker groups
Command and Control YOUR Cloud
NIST Cloud Computing Reference Architecture
SP500-292
Cloud Provider
Cloud
Consumer
Cloud
Auditor
Security
Audit
Privacy Impact
Audit
Cloud Orchestration
Cloud Service
Management
Service Layer
SaaS
Business
Support
PaaS
Service
Intermediation
IaaS
Consumer
Resource Abstraction Cloud
and Control
Layer
Physical Resource Layer
Hardware
Performance
Audit
Cloud
Broker
Provisioning/
Configuration
Service
Aggregation
Portability/
Interoperability
Service
Arbitrage
Facility
Cloud Carrier
Cross Cutting Concerns: Security, Privacy, etc
Command and Control YOUR Cloud
Cloud Demystified
What is a Cloud Ecosystem?
Security / Control
Software as a Service
Platform as a Service
Infrastructure as a Service
Command and Control YOUR Cloud
Distributed Architecture =
Split Control / Responsibilities
CLOUD ECOSYSTEM
Cloud Clients
(Browsers, Mobile Apps, etc.)
CLOUD ENVIRONMENT
Software as a Service (SaaS)
(Application , Services)
Platform as a Service (PaaS)
(APIs, Pre-built components)
Infrastructure as a Service
(VMs, Load Balancers, DB, etc.)
Physical Hardware
(Servers, Storage, Networking)
Command and Control YOUR Cloud
What you can manage…
PaaS
You manage
IaaS
Stack image source: Cloud Security Alliance specification, 2009
Command and Control YOUR Cloud
SaaS
Federal Agency Challenges
Modernizing IT
• Agility
– Agencies are struggling to deliver more in a fiscally and resource
constrained environment
• Flexibility
– Existing IT investments are typically problematic to reconfigure or
scale to meet new application demands
• Transparancy
– Difficult to quantify the cost of optimizing legacy infrastructure to
support new applications
Command and Control YOUR Cloud
Federal Agency Challenges
Modernizing IT – Physical Systems
• Compute
– Physical Servers require provisioning systems that require care and
feeding
• Storage
– Stand Alone Storage and SAN environments typically need to be
manually reconfigured to meet new application demands
• Networks
– Firewalls, VPNs, Load Balancers, Routers and Switches all have
separate management interfaces that require manual reconfiguration.
How does you balance time to market,
cost concerns, security, manageability
and risk in the move to a cloud-connected
enterprise?
Command and Control YOUR Cloud
Security Perceptions
Cloud
• On Premise
•
•
• Off Premise
•
•
•
Legacy Systems
Private Cloud
• Hybrid Cloud
• Community Cloud
Functionality
Security
IaaS
SaaS
PaaS
Privacy
Command and Control YOUR Cloud
Security Perceptions
Mobility
• Mobile Devices
• Corporate Owned
• BYOD
• Emerging Devices
• Wearable Computing
• Internet of Things
Functionality
Security
Privacy
Command and Control YOUR Cloud
How do we revolutionize our data centers?
Software-Defined IT
• REDEFINE CONTEXT
–
–
–
–
Who is the user?
What data are they trying to access?
Where is the user and the data?
How are they accessing the information?
Context Aware IT
Level of assurance of the data defines the required level of trust
Command and Control YOUR Cloud
New Security Reality
Cloud and Mobility
• On Premise
•
•
• Off Premise
•
•
•
Legacy Systems
Private Cloud
• Hybrid Cloud
• Community Cloud
Functionality
• Mobile Devices
• Corporate Owned
• BYOD
IaaS
SaaS
PaaS
• Emerging Devices
• Wearable Computing
• Internet of Things
Security
Privacy
Command and Control YOUR Cloud
DOE YOURcloud: A Cloud of Clouds approach brokering any
organization, through any device, to any service respectful of site
autonomy
DOE Cloud
On-Premise
Cloud
INSIGHT
• Green & Business
IT Smart Meters
• PortfolioStat
• Enterprise
Architecture
• Data Center
Consolidation
DOE Federal
Users
NNSA Cloud
Other Gov’t
Agency Cloud
Public Cloud
FEATURE
S
Services Broker
• Virtual Desktops &
Servers
• Enterprise
Application Store
• Enterprise
Certification &
Accreditation
* Powered by
General Public
Users
Laboratory &
Plant Users
Other Gov’t
Agecy Users
Anil Karmel | Building YOURcloud | 2013
Command and Control YOUR Cloud
Support
Contractors
Services Broker Enclaves
* Powered by
Anil Karmel | Building YOURcloud | 2013
Organization: DOE
SITES
On Premise Cloud
Public Cloud
DOE Cloud
Public
Websites
CFO
Hypervisor
Shared
Services
Open Science
Network
VDI
Remediation
Command and Control YOUR Cloud
Compute
Storage
Cloud Brokerage
Software-Defined IT
PUBLIC
PRIVATE
Cloud Service
Broker
Command and Control YOUR Cloud
Benefits of a Cloud-Connected Enterprise
Journey to Software-Defined IT
• Agility
– Spin up new applications with ease
• Flexibility
– Dynamically scale resources based on application needs
• Transparancy
– Quantify the costs of IT service delivery across your portfolio of
investments
Command and Control YOUR Cloud
Software-Defined IT
Balancing Security, Privacy and Functionality
• Technical
– Validate that your architecture respects multi-tenancy and scales
with an established root of trust
– Embrace Identity and Access Management to authenticate and
authorize users to context aware applications and systems
– Redefine your network perimeter
– Build intelligence into your application, not the end point
– Fork your logs to multiple entities with a baseline timestamp
– Manage your application security while quantifying the risk to the
same
– Encryption
– Compute: In-Memory Encryption
– Network: Software Defined Perimeter
– Storage: VM and File-Level Encryption
Command and Control YOUR Cloud
Storage Encryption with Key Management
Client Data
T
Data, Voice,
T1
UI
Web
Applica
tion
Strct
Data
UnStrct
Data
DB
M
Mngmt
KS
T2
VM
T3, T4
T6
Transport
, Security
T5
VMM
Storage
Hardware
Sec Module
Physical
Space
Dr. Michaela Iorga | NIST
T7
Storage Encryption with Key Management
Different Deployment Models
Client Data
T
Data, Voice,
T1
UI
Web
Applica
tion
Strct
Data
UnStrct
Data
DB
M
KS
KS
T2
T3, T4
VM
T5, T6
Software
Sec Module
Mngmt
Transport
, Security
T7
VMM
Storage
Software
Sec Module
Physical
Space
Dr. Michaela Iorga | NIST
Storage Encryption with Key Management
Different Deployment Models
Client Data
T
Data, Voice,
T1
UI
Web
Applica
tion
Strct
Data
UnStrct
Data
DB
M
T2
T3, T4
Software
Sec Module
VM
Mngmt
Transport
, Security
VMM
Storage
Physical
Space
Dr. Michaela Iorga | NIST
KS
T5
Deployment Example
Organization: DOE
Open Science
CloudLink Center
Secure VSA
YOURcloud
Terremark
vCenter
Secure VSA
On Premise
Legend
VM
Process
vSphere Client
VM Storage
Shared Services
YOURcloud
AWS
CloudLink Center
vCenter
Command and Control YOUR Cloud
Secure VSA
EBS Volumes
Software-Defined IT
Balancing Security, Privacy and Functionality
• Legal
– Establish Clear Contract Terms and Conditions with Cloud
Service Providers
– Update Policies and Procedures
– Understand Jurisdiction for Forensics Analysis
– Define your Data Retention Periods
Command and Control YOUR Cloud
Software-Defined IT
Balancing Security, Privacy and Functionality
• Organization
– Design with the user in mind with security baked in, not bolted on
– Redefine your system boundaries
– Ensure people that have access to government data have the
appropriate clearance level
Command and Control YOUR Cloud
Thank you!
Anil Karmel, CEO
[email protected]
@anilkarmel
Command and Control YOUR Cloud

similar documents