1. Cloudy Weather
Cloud Computing Security
Jean Pawluk
Chief Architect
Prepared for
Executive Women’s Forum
Emerging Technology Workshop
September, 2009
©Jean Pawluk
3. In the Way Back Machine…
Think back to the time of "big iron"
• Ruled by mainframes and minis
• Few mobile devices
Think again about the last few years:
Big changes came with the Internet and the mobility of devices
Today’s evolution
• Convergence of the two
• Ubiquity of compute power
09/24/2009 Jean Pawluk 3
5. Cool Hype…… & lots of confusion
Confusion abounds today as several ideas and services are
labeled “cloud computing”
A few myths exist:
• Cloud computing is a new revolution (it’s an old idea)
• Cloud computing is just virtualization
• The Internet and the Web are the cloud
• Every vendor has a different cloud
• Everything will be in the cloud (as if)
Nevertheless:
Under the hype a very important paradigm shift is
occurring that is similar to the move to the Internet
6. You can find the cloud today………
Swarms of connected technology and business services, which are offered, bought, sold, used, repurposed
On shared worldwide networks of service providers, consumers, aggregators, and brokers
- Creating -
New ways of offering, using, and organizing information and functionality
Examples:
Social Networks
Virtual Worlds
Games
Blogs
Books & Magazines & Newspapers
“free” Email
Data everywhere / all of the time
Market Research
Census
Data aggregators
Marketing collateral
Video
Phone
TV
Photos
Music
Virtual desktops
Search engines
7. Next ?
So when will we …..
Stop talking about the Internet (which was the “cloud” ) and when
will the Cloud be omnipresent
Move from managers of technology to managers of services…
Move from a focus on cost to a focus on value…
Move from overhead to a team that enables growth…
8. Cloud-onomics
Cloud Computing: Agility + Business & IT Alignment + Service Flexibility + Industry Standards = Optimized Business
…allows you to optimize new investments for direct business benefits
Virtualization + Energy Efficiency + Standardization + Automation = Reduced Cost
…leverages virtualization, standardization and automation to free up operational budget for new investment
Courtesy and Copyright of IBM
9. Cloud Computing Business Drivers
Cost
Pay per use
No hardware or startup costs
Low investment in capital expenditure & time-to-live
Flexibility
Use cloud computing services when needed
Dynamically grow and shrink services
Simplicity
Typically browser based user interfaces
Response
Speed to market
Fast resourcing - provisioning and de-provisioning processing etc
Availability
Many cloud service providers have global, robust network, CPU and
application capability
10. Several Cloud Deployment Models
Private Enterprise / Internal Cloud
Managed Private Cloud
External Public Cloud
Hybrid Combination
Jericho Cloud Cube Model
11. Public Cloud Computing:
From a user perspective
• User:
– Builds a web application,
– Using a standard platform and database
– Uploads this application to a cloud provider
• Cloud provider
– Provisions the services
– Scales the application and the database together
• User
– Doesn’t care about which servers, which databases, which hardware, how much memory (the cloud platform handles all of that)
– Users are totally free from any technical complexity other than the service itself
• Cloud provider
– Decides how to cache content, how and where to deploy servers based on demand, performs backups, and even has the ability for the business to distinguish "production" from "staging" deployments
– Has ongoing management and monitoring of the external service
• User:
– Only pays for what is used when user needs it
– Everything else is an implementation detail
Great idea, but where are the data security controls in this point of view???
12. Evolving Cloud Architectures
Central architectural concept is XaaS (everything) as a service.
Core being:
•IaaS (Infrastructure)
•PaaS (Platform)
•SaaS (Software)
Yet - Security is off to the side
The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself
Diagram Courtesy of Chris Hoff
13. Risk - Who controls security?
[Diagram: the IaaS / PaaS / SaaS stack, showing the split between the security covered by the provider’s “SLA” and the security “you build in your own”]
The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself
14. READ the fine print…
7.2 Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
Source - http://aws.amazon.com/agreement/
15. What’s ready for the cloud?
When the processes, applications and data are largely
independent
When the points of integration are well defined
When a lower level of security will work just fine
When the core internal enterprise architecture is healthy
When the Web is the desired platform
When cost is an issue
When the applications are new
Courtesy and Copyright of David Linthicum
16. Cloud Computing Services Players:
Infrastructure - Computing infrastructure, typically a platform virtualization
environment, as a service
Full virtualization (GoGrid, Skytap)
Grid computing (Sun Grid)
Management (RightScale)
Compute (Amazon Elastic Compute Cloud)
Platform - The delivery of a computing platform, and/or solution stack as a service
Web application frameworks
Ajax (Caspio)
Python Django (Google App Engine)
Ruby on Rails (Heroku)
Web hosting (Mosso)
Proprietary (Azure, Force.com)
Storage - Data storage as a service, billed on a utility basis, e.g. per gigabyte / month
Database (Amazon SimpleDB, Google App Engine's BigTable datastore)
Network attached storage (MobileMe iDisk, CTERA Cloud Attached Storage,
Nirvanix CloudNAS )
Synchronization (Live Mesh Live Desktop component, MobileMe push functions)
Web service (Amazon Simple Storage Service, Nirvanix SDN)
17. Cloud Computing Services Players (more)
Business Services - Interoperable machine-to-machine interaction over a network
accessed by other cloud computing components, or directly by end users
Identity (OAuth, OpenID)
Integration (Amazon Simple Queue Service)
Payments (Amazon Flexible Payments Service, Google Checkout, PayPal)
Mapping (Google Maps, Yahoo! Maps)
Search (Alexa, Google Custom Search, Yahoo! BOSS)
Others (Amazon Mechanical Turk)
Application - Cloud based software, that often eliminates the need for local installation
Peer-to-peer / volunteer computing (Bittorrent, BOINC Projects, Skype)
Web application (Facebook)
Software as a service (Google Apps, Salesforce)
Software plus services (Microsoft Online Services)
18. What’s not ready for the cloud?
When the processes, applications and data are largely
coupled
When the points of integration are not well defined
When a high level of security is required
When the core internal enterprise architecture needs
work
When the application requires a native interface
When cost is an issue
When the applications are legacy
Courtesy and Copyright of David Linthicum
19. What’s not ready for the cloud? (more)
1. Work which depends on sensitive data normally restricted to the Enterprise
Employee Information – Not ready to move highly sensitive enterprise information into a public cloud
Health Care Records – Do not move until the security of the cloud
provider is well established
2. Work composed of multiple, co-dependent services
High throughput online transaction processing
3. Work requiring a high level of auditability, accountability and regulation
Work subject to Sarbanes-Oxley
4. Work based on 3rd party software which does not have a cloud aware
licensing strategy
5. Work requiring detailed chargeback or utilization measurement as required
for capacity planning or departmental level billing
6. Work requiring customization (e.g. customized SaaS)
20. Security Questions – They go on & on …
Shared Infrastructure
• As we open up systems, can we expect the same security, reliability, & availability?
• Who are you sharing that server with?
Consumption-based pricing
• What happens if you don’t pay your bill? Do you lose your data?
• How do we control and monitor consumption?
Improved Business Continuity
• What infrastructure are the applications running on?
• What protection do we have against outages?
• What legal recourse do we have?
Massively scalable
• Where does our data reside? In a foreign country?
Mobility & Flexibility
• Will vendor relationship management hamper mobility?
• Can any “fly-by-night” coder & service be a cloud?
• Will we see service brokers emerge?
Internet-based & easily accessible
• Will the cloud enable an increase of shadow IT?
21. Cloud Security - Areas of Concern
Information lifecycle management
Governance and Enterprise Risk Management
Compliance & Audit
General Legal
eDiscovery
Encryption and Key Management
Identity and Access Management
Storage
Virtualization
Application Security Trust Time Bomb
Portability & Interoperability
Data Center Operations Management
Incident Response, Notification, Remediation
"Traditional" Security impact (business continuity, disaster recovery,
physical security)
22. Back to the Future:
Co-existing delivery models ?
Security issues will occur crossing between private and public use
[Diagram: Service Consumers on top of three parallel Services / Service Integration stacks, one each for Traditional Enterprise IT, Private Cloud and Public Clouds]
Traditional Enterprise IT: Mission Critical, Packaged Apps, High Compliancy
Private Cloud: Test Systems, Storage Cloud, Developer Systems
Public Clouds: Variable Storage, Software as a Service, Web Hosting
SAAS, IAAS & PAAS Public / Private Example
23. Summary
Cloud Computing is real and transformational
Cloud Computing can be secured but also can carry
increased risk due to aggregation of assets
Cloud needs
• Broad governance approach
• Tactical fixes
Know that there is “no free lunch”
24. Bridge the chasm from now to future…
Take the time now to tackle future issues:
Practical, technical issues get addressed
Security issues get addressed
Confidence will increase as Cloud Computing evolves and goes mainstream
Hype reduces over time
So don’t rush…think and do it right
25. Cloud Security Alliance
Call to Action
Discussions & announcements on LinkedIn
Join us, help make our work better
Other research initiatives and events being planned
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: Cloud Security Alliance group
www.linkedin.com/groups?gid=1864210