IT Governance e Cloud Computing Approccio IBM per la realizzazione di sistemi di Cloud Computing sicuri ed efficaci

Transcription

1 IT Governance e Cloud Computing Approccio IBM per la realizzazione di sistemi di Cloud Computing sicuri ed efficaci Giovanni De Paola Raffaella D Alessandro IBM Senior Consultant Senior Information Security Consultant 17 Maggio 2010

2 2

3 !!"!!# $! # %&! ' Caratteristiche essenziali On-demand self-service: Un utente puo richiedere, allocare e configurare unilateralmente risorse e/o servizi ICT, senza richiedere, o con minima interazione umana con i vari service provider. Broad network access: Le risorse e/o i servizi ICT sono disponibili ed acceduti tramite rete e meccanismi standard che promuovano l uso di client leggeri (es. cellulari, laptop e PDA). Resource pooling: Le risorse ICT sono aggregate per pool e virtualizzate per essere rese disponibili ai richiedenti secondo la domanda. Rapid elasticity: Le risorse ICT a disposizione di un utente possono essere dinamicamente aumentate o diminuite, in modo da apparire illimitate e poter essere richieste in qualsiasi quantità ed in ogni momento. Measured Service: I sistemi Cloud controllano ed ottimizzano l uso delle risorse ICT utilizzando metodi di misurazione a vari livelli di astrazione(es. storage, processing, bandwidth, active user accounts). L utilizzo delle risorse ICT può essere monitorato, controllato e documentato con trasparenza sia per il provider sia per l utente dei servizi ICT. (*) Fonte: The NIST Definition of Cloud Computing v15 10/07/2009 3

4 )*+" (! Industryspecific Processes Employee Benefits Mgmt. Collaboration Business Travel Business Process-as-a-Service Procurement CRM/ERP/HR Non incluso nella definizione NIST ma di attualità Financials Industry Applications Application/Software -as-a-service Middleware Database Web 2.0 Application Runtime Development Tooling Platform-as-a-Service Java Runtime Data Center Servers Networking Storage Fabric Shared virtualized, dynamic provisioning Infrastructure-as-a-Service 4

5 +*+" ( Service Consumers Services Service Integration Services Service Integration Services Service Integration Traditional Enterprise IT Enterprise Private / Hybrid Community Cloud Cloud Public Clouds Esempi Applicazioni Mission-critical Applicazioni pacchettizzate Servizi soggetti ad Altacompliance Sistemi di Test Flexible storage Storage In-house Software as a Service Ambienti di Sviluppo Web hosting Ambienti di business analytics 5

6 ,, Benefici di costo Basso Medio Alto Traditional IT Hybrid Cloud Public Cloud Community Cloud Private Cloud Rischio legato alla sicurezza Alto Medio Basso Basso Medio Alto Benefici sulla qualità del servizio: Rapidità; Scalabilità; Flessibilità; Trasparenza dei costi 6

7 3 -!!( )*+" -./0. 1.0!2 "#$%& '( Minima interazione con l erogatore dei servizi Measured Services Rapid Elasticity Broad Network Acces Resource Pooling e Rapida Configurabilità Disponibilità e Affidabilità On-demand Self Service Attività gestionali minime Demand e Service Portfolio / Catalogue Mgmt Financial Mgmt / Service Level Mgmt Capacity Mgmt Security Configuration Mgmt Change Mgmt / Availability Mgmt Request Fulfillment Release / Deployment Mgmt e Event Mgmt IT Service Strategy IT Service Design IT Service Transition IT Service Operation. Continual Continual Service Service Improvement Improvement 7

8 3 -!!( +*+" Contenuti Livelli di Servizio 8

9 /89:89 34! / -!!( 9

10 Business Architecture Alignment Information Systems Architecture Metadata Data Model Information Transformation Information Placement & Structure Provide a baseline of agreement by educating all stakeholders on the fundamentals of Enterprise Architecture Assess the existing IS Architecture for a selected set of LOBs Develop metadata technical strategy Define the information integration architecture Extend the Information Integration Architecture for placement & structure optimization Document business directions and IT s alignment with them, across the enterprise Establish a cross-functional Information Architecture (Data Administration) team Develop an overall IS enterprise architecture framework to guide the enterprise Pilot Metadata integration with key tools and applications Extend the information integration architecture across the organization & technologies Optimize data & content placement and structure across all LOBs & technology silos Develop and implement enterprise-wide business architecture initiatives Establish data entity naming standards Develop and execute an IS Architecture roadmap across the enterprise Integrate information transformation with common metadata and data cleansing services Document business glossary into metadata repository for some LOBs Integrate data placement with the Information Lifecycle Management implementation Define and document common semantics (business glossary) across LOBs for some subject areas 7,( )! %*+, Determinare il valore atteso dal Cloud Identificare le tipologie di applicazioni adeguate Determinare il modello di erogazione High IT Provider Relationship Profile Provider researches, recommends and implements Enabler technology to enable quantum leap in business capability Provider works with others to develop a Partner service and provide resources/skills necessary to support the service B e n e fit Provider of a quality service at a cost equal to or Utility lower than the competition , Collaboration ICT per missioni all estero Stipendiiali Data Intensive Processing Enterprise Trad IT Private Public Commodity Provider of an adequate service at a cost lower than the competition Database... Hybrid 01. IT Host Resources Cost Analizzare i gap infrastrutturali e di governance High Considerare i vincoli di bilancio En terp ris e A rch ite c ture Costruire la Roadmap 03. IT Storage Resources 04. IT Network Resources M aster D ata M a na ge m e n t 02. IT Distributed Resources Assess current state Enterprise Exploratory Departmental Exclusive Open Integration Scope of services Identify required Develop roadmaps Determine future state capabilities and initiatives Info rm ation In teg ration Phase 1 Phase 1 Phase 2 Phase 2 Phase 3 Phase 3 Phase 4 Phase 4 10

11 3 Specific customer concerns related to security and cloud computing Protection of intellectual property and data Ability to enforce regulatory or contractual obligations Unauthorized use of data Confidentiality of data Availability of data Integrity of data Ability to test or audit a provider s environment Other 30% 21% 15% 12% 9% 8% 6% 3% Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey 11

12 3 Cloud Security: Simple Example Today s Data Center Tomorrow s Public Cloud??? We Have Control It s located at X. It s stored in server s Y, Z. We have backups in place. Our admins control access. Our uptime is sufficient. The auditors are happy. Our security team is engaged.??? Who Has Control? Where is it located? Where is it stored? Who backs it up? Who has access? How resilient is it? How do auditors observe? How does our security team engage? 12

13 3 Categories of Cloud Computing Risks Control Many companies and governments are uncomfortable with the idea of their information being located on systems they do not control. Data Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Providers must offer a high degree of security transparency to help put customers at ease. Reliability High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Authentication and access as well as protection along the data life-cycle become increasingly important. Compliance Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential. Mission-critical applications may not run in the cloud without strong availability guarantees. Security Management Even the simplest of tasks may be behind layers of abstraction or performed by someone else. Providers must supply easy controls to manage security settings for application and runtime environments. 13

14 3 One-size does not fit-all: Different cloud workloads have unique risk profiles. Need for security assurance High Low Training and testing with non-sensitive data Analysis and simulation with public data Mission-critical workloads, personal information Tomorrow s highvalue and high-risk workloads need: Quality of protection adapted to risk Direct visibility and control Significant level of assurance Today s clouds are primarily here: Lower-risk workloads One-size-fits-all approach to data protection No significant assurance Price is key Low-risk Mid-risk High-risk Business risk 14

15 3 Cloud attributes that greatly affect information security: INTERNAL DELIVERY EXTERNAL DELIVERY SINGLE-TENANCY MULTI-TENANCY IT-SERVICE SELF-SERVICE SLOW PROVISIONING RAPID PROVISIONING 15 15

16 3 Coordinating information security is the responsibility of BOTH the provider and the consumer Who is responsible for security at the level? Datacenter Infrastructure Middleware Application Process Collaboration CRM/ERP/HR Financials Industry Applications Software as a Service Provider Consumer Middleware Web 2.0 Application Runtime Java Runtime Database Development Tooling Platform as a Service Provider Consumer Data Center Servers Networking Storage Fabric Shared virtualized, dynamic provisioning Infrastructure as a Service Provider Potential Security Gaps Consumer Challenge: Ensuring the tight integration of provider and subscriber security controls and governance 16

17 3 Gartner s security risks of cloud computing map directly to the IBM Security Framework Privileged User Access Data Segregation Data Recovery Investigative Support Regulatory Compliance Data Location Disaster Recovery Gartner: Assessing the Security Risks of Cloud Computing, June

18 3 Typical client security requirements Governance, Risk Management, Compliance Third-party audit (SAS 70(2), ISO27001, PCI) Client access to tenant-specific log and audit data Effective incident reporting for tenants Insight into change, incident, image management, etc. Flexible service level agreements Support for forensics Application and Process Application security requirements for cloud are phrased in terms of image security Compliance with secure development best practices Physical Monitoring and control of physical access Based on interviews with IT users and various analyst reports People and Identity Privileged user monitoring, including logging activities, physical monitoring and background checking Federated identity / onboarding: Coordinating authentication and authorization with enterprise or third-party systems Standards-based SSO Data and Information Data segregation Client control over geographic location of data Government: Cloud-wide data classification Network, Server, Endpoint Isolation between tenant domains Trusted virtual domains: policy-based security zones Built-in intrusion detection and prevention Vulnerability management Protect machine images from corruption and abuse 18

19 3 Guide to implementing a secure cloud Implement and maintain a security program. Build and maintain a secure cloud infrastructure. Ensure confidential data protection. Implement strong access and identity management. Establish application and environment provisioning. Implement a governance and audit management program. Implement a vulnerability and intrusion management program. Maintain environment testing and validation. 19

20 Grazie Giovanni De Paola Senior Managing Consultant IT Strategy & Architecture IBM Global Technology Services IBM Italia S.p.A. Via Sciangai Roma Tel Mobile Raffaella D Alessandro Senior Information Security Consultant Security & Privacy Services IBM Global Technology Services IBM Italia S.p.A. Via Sciangai Roma Tel Mobile Raffaella.dalessandro@it.ibm.com 20