Security in the Cloud
Cloud computing can be described as IT resources made available over the Internet. The cloud promises more efficient use of servers, savings in operating costs, time and resources, and increased availability for users regardless of where they are. The cloud has recently received a lot of attention among private companies and in the public sector. The growing focus on solutions built on this technology raises a number of questions, especially about security. How should data security and privacy be handled in the cloud, and is the company's information well enough protected? The talk gives an overview of the cloud and of security in connection with it.
By Ole Tom Seierstad, Chief Security Adviser, Microsoft Norge
1. SECURITY IN THE CLOUD
Ole Tom Seierstad, Chief Security Advisor, Microsoft Norge AS, oles@microsoft.com
3. What is cloud?
Complete IT solutions can run on one central server and be made available via the Internet on a range of different devices. This is what we call "Cloud Computing".
4. Cloud computing is part of the solution
Cloud-based solutions deliver IT resources, as a service, in a dynamic and scalable way over a network.
Five key characteristics:
- Services available for self-service
- Broad network access
- Sharing of resources (resource pool)
- Rapid ability to change (elasticity)
- Measurement of results (measured service)
[Figure: the evolution from Mainframe to Client-Server to Web to Cloud]
17. Different implementations of cloud computing
- Move the whole solution to the cloud
- Run parts of the software in the cloud
- Store data in the cloud
- Build new solutions by combining different cloud services
- Develop entirely new cloud-based solutions
18. Different models, from public to private cloud solutions
- On-premises servers
- Private cloud
- Public cloud
- Availability on different devices
19. Opportunities and challenges
- Information is under the provider's control
- Not limited by geography and location
- Changes to IT processes
- The provider may have better security processes and routines
- Physical security will be administered by the cloud provider
- Challenges with legal sovereignty
- Centralised storage of data
- Economic scalability
- Attractive to criminals
- Privacy challenges
- Forensics/investigation
21. Compliance and Risk Management
- Compliance is still the duty of the customer
- Sound risk management encompassing the cloud is needed
- Collaboration between customer and provider is essential
- A certain level of process transparency is needed
- A strong internal team is needed for: contract negotiation; definition of controls and metrics; integration of controls into the organisation's own processes
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency from the cloud provider(s).
22. Identity and Access Management
- Cross-domain collaboration requires secure identities, for people and for devices
- Based on in-person proofing or similar
- Claims-based
- Based on interoperable standards
- Privacy vs. authentication has to be balanced
- Processes have to be able to include several providers
Any digital identity system for the cloud has to be interoperable across different organisations and cloud providers and based on strong processes.
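The "claims-based" and "privacy vs. authentication" bullets above are easiest to see in a concrete token exchange. What follows is an added example, not code from the slides or from Microsoft: an identity provider in one organisation issues a signed token carrying only the claims a relying party in another organisation asked for, and the relying party verifies issuer, audience, validity window and signature before trusting them. The user record never leaves the issuer, so the issuer keeps ownership of the identity while the relying party still gets a strong authentication decision. The organisation names, the directory record and the shared HMAC key are constructed for illustration; a real federation (SAML, WS-Federation, OpenID Connect) would use the issuer's signing certificate instead of a shared key.

```python
import base64
import hashlib
import hmac
import json

# Assumed identifiers for the two parties (not from the slides).
ISSUER = "https://idp.example-org.no"          # identity provider, organisation A
AUDIENCE = "https://crm.example-cloud.com"     # relying party (cloud service), organisation B
# Assumption: a key both parties trust; stands in for the issuer's signing certificate.
SHARED_KEY = b"assumed-federation-key-0123456789"
NOW = 1_700_000_000                            # fixed clock so the run is reproducible

# Constructed directory record; it stays inside the issuer's organisation.
DIRECTORY = {
    "ola.nordmann": {
        "role": "staff",
        "birth_ts": 600_000_000,
        "email": "ola.nordmann@example-org.no",
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, issuer, audience, record, requested_claims, now, ttl=300):
    """Issuer side: derive only the requested claims from the record and sign them."""
    # Minimal disclosure: the relying party gets yes/no answers, not the raw attributes.
    derived = {
        "employee": record["role"] in ("staff", "contractor"),
        "over18": now - record["birth_ts"] >= 18 * 365.25 * 86400,
        "email_domain": record["email"].split("@", 1)[1],
    }
    claims = {name: derived[name] for name in requested_claims if name in derived}
    payload = {"iss": issuer, "aud": audience, "iat": int(now),
               "exp": int(now) + ttl, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(key, token, expected_issuer, expected_audience, now):
    """Relying-party side: return the claims, or None if any check fails."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):        # signature first; nothing else is trusted before it
        return None
    payload = json.loads(_unb64(body))
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None                                    # token meant for someone else
    if not (payload["iat"] <= now < payload["exp"]):
        return None                                    # outside its validity window
    return payload["claims"]


def demo():
    """Run the exchange and the rejection cases; returns the results for inspection."""
    token = issue_token(SHARED_KEY, ISSUER, AUDIENCE, DIRECTORY["ola.nordmann"],
                        ["employee", "over18"], NOW)
    accepted = verify_token(SHARED_KEY, token, ISSUER, AUDIENCE, NOW)

    # Forgery attempt: rewrite the body to add a claim, reuse the old signature.
    body, sig = token.split(".")
    forged = json.loads(_unb64(body))
    forged["claims"]["admin"] = True
    forged_token = _b64(json.dumps(forged, sort_keys=True).encode()) + "." + sig

    return {
        "claims": accepted,
        "forged_rejected": verify_token(SHARED_KEY, forged_token, ISSUER, AUDIENCE, NOW) is None,
        "wrong_audience_rejected": verify_token(SHARED_KEY, token, ISSUER,
                                                "https://other.example.com", NOW) is None,
        "expired_rejected": verify_token(SHARED_KEY, token, ISSUER, AUDIENCE, NOW + 3600) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The relying party learns that the subject is an employee and over 18, and nothing else from the directory record; the audience check keeps a token issued for one cloud service from being replayed against another, which is what "processes have to be able to include several providers" requires in practice.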
23. Service Integrity: Service Engineering and Development
- Strong and transparent engineering processes are needed: Requirements, Design, Implementation, Verification, Release, Response
- Proven, based on threat models or similar
The provider should follow a clear, defined, and provable process to integrate security and privacy in the service from the beginning and for the whole lifecycle.
24. Service Integrity: Service Delivery
- Internal processes have to be able to cover multiple providers: security monitoring, auditing, forensics, incident response, business continuity, etc.
- Requirements depend on application and information needs
The service delivery capabilities of the provider and the security management and auditing needs of the customer must be aligned.
25. Endpoint Integrity
- The endpoint is part of the delivery chain
- Often subject to social engineering attacks (and similar)
- Review today's processes and policies
It is very important to include the endpoint in any security consideration for cloud-based services.
26. Information Protection
- Data classification is the foundation: requirements, legal needs
- Persistent data protection is needed: encryption/rights management; it has to cover the whole transaction, including data in transit
- "New" challenges: data sovereignty, access to information, data partitioning and processing
Implemented data classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.
27. Recommendations
- Well-functioning risk and compliance programs are a must
- Data classification is the base
- Choose the right deployment model (private, community, or public)
- A strong, cloud-trained internal team is still needed
- Process transparency, compliance controls, and auditability by the provider
- Implement a Secure Development Lifecycle and evaluate the provider and their vendors as well
- Stronger federated identity and access controls
- Information lifecycle controls
- Access controls that operate across organisational boundaries without surrendering identity ownership
So what is cloud? We need a broad definition: "An approach to computing that's about internet scale and connecting to a variety of devices and endpoints."
We have been doing this a while. As we think about how Microsoft is poised to take advantage of the shift to services going forward, let's step back a minute and set some context about where we are and where we've been. We have been doing business and delivering software through the cloud for over a decade. Most people are surprised to learn where we're leading:
- Our online properties (WL, MSN) see some 600 million unique users every month.
- The Xbox guys pushed out some 5 petabytes of content over Xbox Live during the week of Christmas.
- We process up to 9.9 billion messages a day via WL Messenger.
- We have over 500 million active Windows Live IDs.
- The BPOS guys have a million paying users in 36 countries and regions.
- Even MS Update/Windows Update operates at incredible scale: it pushes out over a petabyte of updates every month to millions of servers and hundreds of millions of PCs. Even back when we pushed out SP2 for Windows XP, over 250 million of those PCs were upgraded with WU. Upgrading a desktop operating system is as incredibly sophisticated a cloud service as you will ever see, and we did it at massive scale (hundreds of millions).
We're not new at this. Our breadth of experience spans 30 years with consumers, over 20 years in the enterprise, and over a decade providing services in the cloud. When these competencies, these muscles, come together (our understanding of enterprise requirements combined with our ability to scale delivery through the cloud, for example) you get things like MS Online Services.
The sum of our capabilities ends up greater than the parts. Other guys are trying to compensate for that via acquisitions; we wish them luck. This breadth of offering extends to our hundreds of thousands of partners as well. For every $1 in revenue we make, they make $7. That's how we built the company, and that continues in the cloud. We have more than 7,000 partners reselling BPOS, and more than 100 partners join this community each week. We have nearly 10,000 hosting partners. Our commitment to continuing this path is reflected through the investments we're making and through the breadth of our offering across all the different businesses we're in. We're evolving some of the most successful product franchises the software industry has ever seen, Windows and Office, to the cloud, and we're not stopping there: our database business, our messaging and collaboration business, and the list goes on. We are not taking this lightly. This is how we're going to grow the business; this is the future of Microsoft. Not just products, either: we believe our infrastructure/datacenter investments to be unmatched in the industry (put the onus on GOOG to refute?). The 700,000+ square foot Chicago and the 300,000+ square foot Dublin, Ireland data centers. Amsterdam, Hong Kong, Japan, and Singapore: we announced (November 2009) that we have datacenter capacity in these regional locations.
Microsoft sites, including MSN.com and Windows Live services, attract more than 600 million unique users worldwide each month, in 46 markets and 21 languages. Microsoft sites captured nearly 15% of global internet minutes (up 43% from last year).
70% of Microsoft's time comes from Windows Live Messenger. Windows Live Hotmail: more than 369 million active accounts worldwide (source: comScore WW November 2009), making it the world's largest web-based email service, used in nearly every country in the world. Windows Live Messenger: more than 314 million active accounts worldwide (source: comScore WW November 2009); customers send up to 9.9 billion messages a day with Windows Live Messenger (source: Microsoft internal data, as of October 2009), making it the #1 most used free instant messaging service in the world.
Cost reduction: continued cost containment and budget optimization, amplified by the economic downturn (before: efficiency and waste elimination; now: cost cutting). Focus on internal productivity solutions.
Green IT: interest in environmental sustainability, but limited evidence of significant investments in "Green IT".
Citizen interaction: steady movement toward increased citizen interaction/involvement with government agencies via multiple platforms (portals, call centers, mobile networks). The main value of the Identity Management solution area is in the areas of efficient access, compliance and e-services.
From the playbook:
- Growth: the customer wants to extend IT service availability (e.g. email) to users who don't have dedicated PCs (task workers, deskless workers); the customer wants to consolidate email to a single platform; the customer wants to set up a new data center.
- Competition: there is a threat to replace Microsoft applications with a competitive solution, e.g. Google Apps; there is a threat to replace Microsoft infrastructure with a competitive solution, e.g. a VMware- or IBM-architected data center.
- Cost management: reducing datacenter costs is a critical need, e.g. personnel and energy expense; moving expenditures from CapEx to OpEx is an advantageous imperative for the customer; cost puts EA/VL renewal at risk ("CALs/Office too costly"; "servers too costly").
- Technology optimization: the customer needs to modernize data center infrastructure; the customer needs to centralize data center infrastructure; the customer has issues with data center capacity/workload fluctuation.
- Other: the customer does NOT have data center expertise/technical human resources; the customer has data center expertise/technical human resources; the customer has a strong need to show leadership on environmental impact reduction, e.g. CO2 emission reduction.
Where users work
When they work
How and where Businesses and Governments provide services
Besides classical crime: loss of intellectual property. This is causing fear of adopting the technology among end consumers.
Where we initially came from – assets protected by huge walls
The first people working from outside the firewall, and vendors and suppliers having access to your data.
And today the Internet is your network. You need the openness in the future to create ad-hoc collaboration or even established collaboration.
Security has to enable all those scenarios
Only a well managed environment is a secure environment – and an inexpensive environment (CoreIO)
Windows Azure, combined with other elements of Microsoft's software-plus-services offering, enables customers to craft solutions combining the best of on-premises, hosted, and cloud-based applications and services. For example, an application might execute within the IT data center but store large amounts of data in the cloud. Existing applications can be extended by securely accessing a variety of cloud-based services. Or new solutions can be created by combining existing cloud-based services in new and interesting ways.