The document discusses bringing cloud operational benefits to security and privacy. It focuses on public cloud infrastructure as a service and platform as a service. The presentation agenda includes baseline security assumptions, threat analysis for cloud deployments, demonstrations of web application firewalls and securing data in the cloud, and how flexibility benefits security in the cloud.

1. Bringing Cloud operational benefits to the world of security and privacy Gilad Parann-Nissany http://www.porticor.comcontact@porticor.com CSA Congress, November 16th-17th, 2010 12/7/2010 www.porticor.com © PORTICOR 2009, 2010

2. 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 2

3. Goals Focus: public cloud Because its in some ways more challenging than private cloud Focus: IaaS/PaaS SaaS controlled by vendor Agenda Baseline assumptions Threat analysis What’s really new? What’s not? Cloud-deployed security tools Demo: WAF in the cloud Cloud-specific security considerations Demo: securing the data layer Summary: flexibility in the cloud 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 3 “Cloudy” Security

4. NOT “selling cloud” Customer IT has evaluated what they would feel comfortable putting in the cloud Customer IT understands that – in IaaS/PaaS – they still retain some responsibility Customer IT is asking the questions: “how to meet our responsibility, how to do security reasonably, and what are the tools to use?” 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 4 Baseline assumptions for this discussion

5. Shared Technology Vulnerabilities Data Loss/Data Leakage Malicious Insiders Account Service or Hijacking of Traffic Insecure APIs Nefarious Use of Service Unknown Risk Profile 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 5 Threat Analysis: I/PaaS PaaS Platform as a Service IaaS Infrastructure as a Service (*) courtesy “Cloud Security Alliance: Assuring the future of Cloud Computing”: S. Loureiro, 2010

6. Some known concepts translate to cloud with a twist APIs SaaS security Usage of IaaS And of course, there is some pretty new stuff More about this later… 12/7/2010 Copyright 2009, 2010 ©Porticor What’s new? What carries over?

7. 12/7/2010 Copyright 2009, 2010 ©Porticor Translating known concepts to cloud Examples …and more

8. Cloud Data Demo 1 12/7/2010 Confidential ©Porticor Internet Business Compute

9. Secure distributed data storage Keys management Hypervisors and virtual machines Role of encryption changes New data protection measures emerge (i.e. fragmentation) Physical security of cloud environments 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 9 Some new considerations

10. Cloud Demo 2 12/7/2010 Confidential ©Porticor Internet Business Mgmt Site Compute Data

11. Package complex privacy and security technology Get the operations and economics right Pay as you go Privacy and security solutions can be brought up in a reasonable time – not months Privacy and security have proper service level guarantees Backed by proper SLA and/or Warranty 12/7/2010 www.porticor.com © PORTICOR 2009, 2010 11 Elasticity, Flexibility, Management

12. 12/7/2010 Confidential ©Porticor Thank You! Questions ?