ETSI -Standards in the cloud Mobile internet and cloud computing. Adam Heywood Senior Director, Europe Technical Sales

Transcription

1 ETSI -Standards in the cloud Mobile internet and cloud computing Adam Heywood Senior Director, Europe Technical Sales

2 Presenter Biography Adam Heywood Adam Heywood is Senior Director of Technical Presales for CA Technologies security management business in EMEA. Adam has worked in the enterprise IT infrastructure market place for over 25 years, most recently he joined CA Technologies through the acquisition of Netegrityand has over 12 years experience in the IT security management marketplace. Internally to CA Adam provides detailed and trusted input to the development and product management organisations, influencing solution directions and plans. Adam also plays an active role in supporting CA Technologies customers and is able to provide honest and constructive input at many levels, from business requirements and drivers, through solution propositions, to technology details. Adam acts as a trusted advisor to many Fortune 100 companies and public sector agencies around their security strategy and technical architecture.

3 Event/Workshop background. As for all major technology shifts, Cloud computing offers a vast array of opportunities and poses a number of questions, from policy, technology, business and usage perspectives. The technology shift ('ubiquitous computing') poses the questions of new value chains and respective roles of market players both in the infrastructure segment as well as for the applications/services segments; The markets currently shaping up pose questions with regards to policy, regulation and standards: how to best enable the emergence of new ecosystems, support innovation while ensuring an adequate level of interoperability and consumer protection? The borderless nature of the cloud ('where is the data?') poses questions with regards to data security, data privacy, jurisdictions and liability. Standards are only part of the equation, but an essential one, because they contribute to creating an interoperable environment of transparency, reliability and accountability and ultimately confidence for all the agents in the process of cloud adoption. Yet cloud computing standards also need to take into account policy and regulatory requirements, which add to the challenge for all stakeholders involved in the process. The EU and the US are both engaged in large scale efforts to devise standards for cloud computing be it at infrastructure, service or application level. In order to support this dialogue, an EU-US event on standards for cloud computing is co-organized by the EC and ETSI in partnership with NIST, EuroCIO and Eurocloud. 3 October 3, 2011 [Insert PPT Name via Insert tab > Header & Footer] Copyright 2011 CA. All rights reserved.

4 Event/Workshop goals. GOALS OF THIS WORKSHOP Drill down the issues of standards for cloud computing from 3 major angles * Policy * Industry and markets (supply and demand side) * Standards and interoperability Gather elements to devise a standards roadmap for EU, including priorities, players and processes EXPECTED OUTCOMES AND DELIVERABLES Inventory of major policy issues and their impact on standards-making Inventory of Industry agenda/requirements Mapping of existing standards landscape Next steps and priorities for an EU/US cooperation on cloud standards WHO SHOULD ATTEND? Policy makers CIOs ITC industry and service companies Standardization strategists Business development leaders Public Affairs managers Minute speaking slot on Mobile internet and cloud computing in Stream #2 Services and Applications 4 October 3, 2011 [Insert PPT Name via Insert tab > Header & Footer] Copyright 2011 CA. All rights reserved.

5 Event/Workshop location The meeting willltake place at CICA 2229, route des Crêtes Valbonne Sophia Antipolis France Access map 5 October 3, 2011 [Insert PPT Name via Insert tab > Header & Footer] Copyright 2011 CA. All rights reserved.

6 Abstract Mobile internet and cloud computing Clearly clouding computing has arrived, impeding its adoption are concerns about security, and more specifically identity & access management; who owns the identity, how is it trusted, what can the identity access, etc. Another clear trend is consumerisationand mobile computing, no longer are access devices managed and wholly trusted, but their use needs to be allowed, understood, and controlled. Is traditional Identity and Access Management still relevant and sufficient to meet the demands of mobile internet and cloud computing? This presentation is intended to discuss these challenged and pose potential opportunities to address them.

7 I am going to discuss the elephant in the room Cloud Security

8 Cloud adoption concerns: *87.5% rate cloud security issues as very significant * IDC Survey

9 #1 area that needs focus for migration to the Cloud? Identity and Access Management (IAM)! The top five critical areas of focus for organizations migrating to the cloud environment Important & very important response for US and Europe combined Identity and access management 50% Business continuity and disaster recovery 47% Procedures for electronic discovery 46% Compliance and audit 40% Encryption and key management 39% 0% 10% 20% 30% 40% 50% Security of Cloud Computing Users A Study of US & EMEA IT Practitioners, Ponemon Institute.

10 Why is Identity and Access Management (IAM), cloud and mobile access more Important than ever? SaaS Adoption Mobile Workforce and IT Consumerisation Nearly 90 percent of organizations surveyed expect to maintain or grow their usage of software as a service (SaaS), citing cost-effectiveness and ease/speed of deployment By the end of 2013 mobile worker population is expected to exceed 75% and to 1.19bn globally. Tablet PCs will outsell Netbooks and Desktops by 2013 (ipads outsold Macs by 2 to 1 in ). Customer Confidence Over 70% people surveyed believe authentication effects the degree of customer trust in the security offered. Increasing ecrime Regulatory Pressures Information Explosion More than 11 million adult consumers became victims of identity fraud in 2009, up from nearly 10 million in The number of fraud victims rose for the second year in a row Organizations that regularly review and maintain regulatory and standards compliance spend about three times less annually than organizations that fall out of compliance. Cloud Data Volumes are increasing Exponentially at a factor of x250 per annum

11 Is Identity and Access Management sufficient for mobile Internet and cloud computing? What do we really mean by Identity and Access Management in a mobile internet and cloud computing context? Identity Management who are you? Do we trust you? Do we believe it is you this time? Does each provider need to have its own identity data/context? Access Management to what? To allow access does this mean we need to have your identity? Do we need to understand where you are? Do we need to understand what device you are using? Can Identity and Access Management deliver what is required of mobile Internet and cloud computing? IAM typically does not take into consideration geo-location/context, or the content of what is actually being accessed.

12 Identity and Access Management for mobile Internet and cloud computing questions Is Identity management in a cloud context sufficient? Does each provider need to maintain identity data? What about geo data compliance? Can Identity, credentials, location, device, be represented by level of trust (Risk score)? Is access management for access to a cloud resource still relevant? At a course level possibly However, the content of what is being accessed is probably more important than where it is located. Can management of Identity and Access be abstracted across all environments and providers?

13 Identity and Access Management for mobile Internet and cloud computing, a possible answer Consider building security frameworks/guidelines/standards: 1. for how identity/context trust is derived, where appropriate leveraging other trust frameworks, including Device Identity Credentials used Geo location Etc That defines level of trust -Risk 2. for how content of what can be accessed is classified - Classification These tools allow of the definition and management of policies that specifies that to access content classified as Secret the level of trust has to be greater than or equal to Security cleared.

14 ETSI -Standards in the cloud Mobile internet and cloud computing Questions