Cloud Service Model The typical


Introduction

Cloud computing is one of the next significant stages in the Internet's evolution, providing the means through which everything from computing power to computing infrastructure, applications, business processes and personal collaboration can be delivered to you as a service wherever and whenever you need it. The "cloud" in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service. Cloud service models fall into three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Consumer cloud computing services have been well established ever since the Internet went mainstream; well-known examples are webmail services and social networking platforms. However, adoption of cloud computing within the enterprise sector has been slow. This slow uptake of cloud services that promise so much has been primarily influenced by the numerous security risks, concerns and challenges posed within such an environment.

Governance, risk and compliance factors of cloud services need to be fully assessed and evaluated by organizations so that they can make informed judgments. The data and information lifecycle (source and origination, transfer, destination, validation and deletion) needs to be understood in full. Transborder data flow across countries with different cyber-law jurisdictions needs to be carefully considered, and any sensitive information leakage resulting in litigation requires the involvement of cyber-law legal teams. A periodic right to third-party audit clause, frequent reporting mechanisms for security violations and a clearly defined service level agreement between an organization and the cloud service provider need to be developed. With cloud providers utilizing a shared pool of resources, virtualization and isolation capabilities need to be questioned, along with identity and access control and management frameworks.
The encryption key lifecycle in virtualized environments, and the portability of information should your organization decide to move to another cloud provider, are just some of the critical factors to consider. This whitepaper introduces a holistic security approach to cloud computing and equips CIOs and information security executives to understand the key security drivers, requirements, risks and challenges they are likely to face when considering moving enterprise infrastructure, platforms and services to the cloud.

Content

The whitepaper addresses the following topics, which are fundamental to any successful migration to the cloud. Besides assisting your organization to make an informed decision and judgment through due care and diligence, the topics also provide sufficient information to challenge the requirements so that information security is built in and not bolted on within the cloud environment, whilst understanding and raising security awareness among your organization's cross-functional teams.

- Cloud Service Models: SaaS, PaaS and IaaS
- Cloud Computing Risk Management
- Compliance and Audit Control in Cloud Computing environments
- Information Lifecycle Management in the Cloud
- Data Portability and Interoperability between Cloud providers
- Virtualization and Multi-Tenancy environments
- Application and Hypervisor Security
- Encryption and Key Management
- Identity and Access Management
- Cloud Ready Data Center Operations and Disaster Recovery Planning

Cloud Service Model

The typical characteristics of any cloud computing environment are based on multiple concepts: rapid provisioning of services, agility of infrastructure, elasticity of computing resources based on demand, a high level of scalability, modularity and performance, multi-tenancy through virtualization and compartmentalization, and dynamic security. With such ground-breaking definitions, which are typically not found in traditional enterprise architectures, a shift in the way we think needs to be observed.
Cloud computing provides enterprise IT with economies of scale: effective and efficient utilization of a shared pool of resources to perform IT functions; offloading complementary IT functions to a cloud service provider, freeing up IT personnel to focus on business-critical activities; and reducing the operational expenditure needed to manage, maintain and support the IT infrastructure are just a few examples. The cloud computing service model is based on three primary tenets: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). All IT functions such as applications, networking, security, storage and software work in tandem to provide users with a service based on the client-server model. This same client-server model can be delivered by sharing infrastructure, platform and software in a way that is transparent to the user.

Infrastructure as a Service. The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Platform as a Service. The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Software as a Service. The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Deployment Models. There are four deployment models for cloud services, with derivative variations that address specific requirements:

- Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
- Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
- Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Cloud Computing Risk Management Framework

Numerous information security standards and compliance frameworks have been well established and matured over the last decade: ISO 27002 ISMS, PCI-DSS, HIPAA and SOX, to name a few.
Such industry standards have played a vital role in giving organizations and security professionals the ability to measure security in the context of business risk. As the awareness, importance and requirements for securing information assets gain more traction, the industry is set to face key challenges when it comes to securing information assets for the cloud. A standardized information security framework specifically for cloud computing does not exist, given the uniqueness of how cloud computing operates; ENISA (European Network and Information Security Agency) has developed a Cloud Computing Risk Assessment strategy, however global adoption and acceptance has indeed been difficult. Security professionals will undoubtedly face complexities and challenges when it comes to addressing key security requirements for cloud computing. The enterprise IT risk management framework not only needs to be applied in the context of the cloud, but numerous other considerations need to be assessed, evaluated and deployed. Managing risk appetite when the information resides outside your organization's control can be problematic, and it is imperative that security service level agreements are well defined beforehand with the cloud provider.

As a common step towards managing information security risk in the cloud, the following focus areas of risk management should be at the forefront when considering cloud deployment:

- Identify the asset and its requirements for moving to the cloud.
- Evaluate the asset and measure both the technical and business risks associated with it.
- Correlate the asset to the type of cloud service and deployment model.
- Identify the potential data flow.
- Develop audit controls that can be delivered to you as a self-service or on demand by the cloud provider.
- Validate the information lifecycle for the asset: data encryption and decryption, data residency, retention and deletion.
- Consistency of authorized use of the asset by users between existing in-house and proposed cloud provider services.
- Ensure there is no lock-in clause with the cloud provider and that the asset can be ported between cloud providers.
- Data protection from leakage, data residency and a malicious cloud provider administrator.
- Legal risk and transborder data flow across countries with differing legal jurisdictions.
- A security service level agreement with the cloud provider, clearly defined and with financial penalty clauses for any violations.

Compliance and Audit Control in Cloud Computing Environments

Managing and maintaining compliance status within your own environment is by far simpler and more sustainable than ensuring compliance is met in cloud environments. When infrastructure, platforms and services are under the control of the organization, ensuring compliance through governance is pretty straightforward: roles and responsibilities are clearly defined, compliance controls are designed and implemented with management approval, and the audit of compliance status can easily be tracked and measured. The moment services are migrated to the cloud, an organization effectively loses control of how compliance is implemented and maintained; that control is handed over to the cloud service provider. As part of any compliance requirement, a gap analysis must be undertaken to identify how regulatory, legislative and industry compliance can be designed and implemented from day one. It is imperative that any compliance requirements you are obliged to adhere to are validated and certified before migrating to the cloud.

Of the many regulations touching upon information technology with which organizations must comply, few were written with cloud computing in mind. Auditors and assessors may not be familiar with cloud computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand:

- Regulatory applicability for the use of a given cloud service
- Division of compliance responsibilities between cloud provider and cloud customer
- The cloud provider's ability to produce evidence needed for compliance on demand
- The cloud customer's role in bridging the gap between cloud provider and auditor/assessor

The following recommendations should be carefully considered when applying compliance and audit control processes within a cloud environment:

- Right to Audit clause: the cloud customer should reserve the right to request an on-demand audit of the services the customer is subscribed to
- Thorough legal and contractual agreements and terms that address compliance needs
- Analysis of the compliance scope, determining that the compliance regulations the organization is subject to will not be impacted by the use of the cloud services
- Impact of regulatory compliance on data security, and whether the data that will move to the cloud is subject to compliance requirements
- Review of cloud service provider partners; in certain cases the cloud service provider may subcontract partial functions to another party, e.g. data processing
- Ability to provide on-demand evidence of compliance and of how each compliance requirement is being met

Information Lifecycle Management in the Cloud

One of the primary goals of information security is to protect the fundamental data that powers our systems and applications. As we transition to cloud computing, our traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures, and abstracted controls require new data security strategies. With many cloud deployments we are also transferring data to external or even public environments, in ways that would have been unthinkable only a few years ago.

Key challenges regarding data lifecycle security in the cloud include the following:

- Data security. Confidentiality, integrity, availability, authenticity, authorization, authentication, and non-repudiation.
- Location of the data. There must be assurance that the data, including all of its copies and backups, is stored only in geographic locations permitted by contract, SLA, and/or regulation. For instance, use of compliant storage as mandated by the European Union for storing electronic health records can be an added challenge to the data owner and cloud service provider.
- Data remanence or persistence. Data must be effectively and completely removed to be deemed destroyed. Therefore, techniques for completely and effectively locating data in the cloud, erasing/destroying data, and assuring the data has been completely removed or rendered unrecoverable must be available and used when required.
- Commingling data with other cloud customers. Data, especially classified or sensitive data, must not be commingled with other customers' data without compensating controls while in use, in storage, or in transit. Mixing or commingling the data will be a challenge when concerns are raised about data security and geo-location.
- Data backup and recovery schemes for recovery and restoration. Data must be available, and data backup and recovery schemes for the cloud must be in place and effective in order to prevent data loss, unwanted data overwrite, and destruction. Don't assume cloud-based data is backed up and recoverable.
- Data discovery. As the legal system continues to focus on electronic discovery, cloud service providers and data owners will need to focus on discovering data and assuring legal and regulatory authorities that all data requested has been retrieved. In a cloud environment that question is extremely difficult to answer and will require administrative, technical and legal controls when required.
- Data aggregation and inference. With data in the cloud, there are added concerns of data aggregation and inference that could result in breaching the confidentiality of sensitive and confidential information. Hence practices must be in place to assure the data owner and data stakeholders that the data is still protected from subtle breach when data is commingled and/or aggregated, thus revealing protected information (e.g. medical records containing names and medical information mixed with anonymous data but containing the same crossover field).

The Data Security Lifecycle is different from Information Lifecycle Management, reflecting the different needs of the security audience. It consists of six phases, and careful consideration should be given to data residing in the cloud at each of them:

- CREATE: classify and assign rights to data; data labeling techniques, digital rights management and watermarking, user tagging to classify data.
- STORE: data access control based on need to know, via the DBMS and document management system; data encryption and decryption for authorized users; content discovery tools such as data loss prevention.
- USE: activity monitoring and enforcement using log files, rights management and logical controls using DBMS solutions, data owner notification on change of status.
- SHARE: use of encryption for information in transit and signed documents, activity monitoring for shared information, maintaining the integrity of data in transit.
- ARCHIVE: data residency monitoring within storage environments, asset management and tracking, and encryption of backup and archived information and of data at rest. Archived data should only be retrieved by the data owner.
- DESTROY: removal and secure deletion of information by authorized personnel; validate deletion with content discovery; crypto-shredding; reconstruction of the content should not be possible.
Data Portability and Interoperability between Cloud Providers

The cloud brings new opportunities for enterprises to develop and deploy efficient and compelling services, unlock the potential of public- and private-domain data, and reduce costs for ICT services. Even for a new technology like the cloud, however, interoperability and portability are a key topic of discussion for policy makers, both as a tool to reduce integration costs and as a way to reduce dependence on large ICT vendors. While systems interoperability becomes the primary domain of the cloud service provider, issues around data interoperability remain important, and perhaps even critical, as enterprise data becomes increasingly contained within the systems provided through the cloud service provider.

Many public cloud networks are configured as closed systems that do not interact with each other. This lack of integration makes it difficult for organizations to consolidate their IT systems in the cloud in order to realize productivity gains and cost savings. The issue of cloud portability is important to any enterprise, as they want to ensure that customers can switch cloud service providers without unreasonable switching costs. Inevitably, when a customer changes cloud service provider, it is reasonable to assume that there will be a certain amount of switching cost. However, from a cloud portability perspective, it also becomes critical that data is shareable between cloud providers, since without the ability to port data it would be simply impossible to switch cloud service providers at all. Policies need to be crafted around data interoperability issues to ensure that data interchange between cloud services is unhindered, as most enterprise users will likely use heterogeneous cloud service providers for their needs. Policy makers will have to focus on data ownership and control issues to ensure that enterprises continue to control the destiny of their own data.

To achieve the economies of scale that will make cloud computing successful, common platforms are needed to ensure users can easily navigate between services and applications regardless of where they're coming from, and to enable organizations to transition their IT systems to a services-oriented model more cost-effectively. IT personnel want the same types of control in the cloud that they have in the data center. When you push data out to the cloud, you outsource availability and security to the cloud vendor, which is considered a major weakness.

Virtualization and Multi-Tenancy Environments

The ability to provide multi-tenant cloud services at the infrastructure, platform, or software level is often underpinned by the ability to provide some form of virtualization, creating economies of scale through utilization of a shared pool of resources that hosts multiple tenants. However, use of these technologies brings additional security concerns. While there are several forms of virtualization, by far the most common is the virtualized operating system, known as the Virtual Machine. If Virtual Machine (VM) technology is being used in the infrastructure of the cloud services, then you must be concerned about compartmentalization, isolation and hardening of those VM systems. The reality of current practices related to management of virtual operating systems is that many of the processes that provide security by default are missing, and special attention must be paid to replacing them.

The core virtualization technology itself introduces new attack surfaces in the hypervisor and other management components, but more important is the severe impact virtualization has on network security. Virtual machines now communicate over a hardware backplane, rather than a network. As a result, standard network security controls are blind to this traffic and cannot perform monitoring or in-line blocking. These controls need to take a new form to function in the virtual environment.

Hypervisor security is the process of ensuring that the hypervisor, the software that enables virtualization, is secure throughout its life cycle, including during development, implementation, provisioning, management and de-provisioning. The hypervisor, which enables virtualization and the use of VMs, is a critical component for securing VM assets in the cloud. It is the central software that enables VM-to-VM communication and VM-to-external-entity communication, and therefore the most critical component in providing security. VM-to-VM communication does not traverse the network infrastructure and remains inside the physical server, so traditional network security firewalls cannot be deployed for traffic inspection. It is important to give consideration to hypervisor security in the form of a security virtual appliance. A virtual firewall that operates at the hypervisor level provides security between VMs and increases visibility into the communication between authorized VMs; without such mechanisms in place you are likely to be susceptible to attacks to which your network controls are blind.

Interference and commingling of data in centralized services and repositories is another concern. A centralized database as provided by a cloud computing service should in theory improve security over data distributed across a vast number and mixture of endpoints. However, this also centralizes risk, increasing the consequences of a breach. Another concern is the commingling of VMs of different sensitivities and security levels. In cloud computing environments, the lowest common denominator of security will be shared by all tenants in the multi-tenant virtual environment unless a new security architecture can be achieved that does not wire in any network dependency for protection. Virtualization technology has been around for many years, and many enterprises already have some form of virtualization deployed within their internal data centers; however, compared with a cloud service provider that must provide virtualization in a multi-tenancy environment, the security risks inevitably increase.

Application and Hypervisor Security

Cloud environments, by virtue of their flexibility, openness, and often public availability, challenge many fundamental assumptions about application security. Some of these assumptions are well understood; however, many are not. Cloud computing influences security over the lifetime of an application in many ways, from design to operations to ultimate decommissioning. It is important that all stakeholders, including application designers, security professionals, operations personnel, and technical management, understand how best to mitigate risk and manage assurance within cloud computing applications. Cloud computing is a particular challenge for applications across the layers of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Cloud-based software applications require a design rigor similar to applications residing in a classic DMZ. This includes a deep up-front analysis covering all the traditional aspects of managing information confidentiality, integrity, and availability.

Applications in cloud environments will both impact and be impacted by the following major aspects:

- Application security architecture. Consideration must be given to the reality that most applications have dependencies on various other systems. With cloud computing, application dependencies can be highly dynamic, even to the point where each dependency represents a discrete third-party service provider. Cloud characteristics make configuration management and ongoing provisioning significantly more complex than with traditional application deployment. The environment drives the need for architectural modifications to assure application security.
- Compliance. Compliance clearly affects data, but it also influences applications (for example, regulating how a program implements a particular cryptographic function), platforms (perhaps by prescribing operating system controls and settings) and processes (such as reporting requirements for security incidents).
- Vulnerabilities. These include not only the well-documented and continuously evolving vulnerabilities associated with web apps, but also vulnerabilities associated with machine-to-machine Service-Oriented Architecture (SOA) applications, which are increasingly being deployed into the cloud.
- Tools and services. Cloud computing introduces a number of new challenges around the tools and services required to build and maintain running applications. These include application management utilities, the coupling to external services, and dependencies on libraries and operating system services, which may originate from cloud providers. Understanding the ramifications of who provides, owns, operates, and assumes responsibility for each of these is fundamental.

A common hypervisor security deployment is illustrated in the diagram, where the vGW product from Juniper Networks provides security to the individual VMs. Security and compliance concerns are first-order priorities for virtualized data center and cloud deployments. vGW Virtual Gateway is a comprehensive security solution for virtualized data centers and clouds that is capable of monitoring and protecting virtualized environments while maintaining the highest levels of VM host capacity and performance. vGW includes a high-performance hypervisor-based stateful firewall, integrated intrusion detection (IDS), and virtualization-specific antivirus (AV) protection.

Encryption and Key Management

Cloud users and providers need to protect against data loss, leakage and theft. Encryption of personal and enterprise data is widely used and in some cases mandated by laws and regulations around the world. Cloud customers want the same level of data encryption services for data at rest and in motion, and want their providers to encrypt their data to ensure that it is protected no matter where the data is physically located. Likewise, the cloud provider needs to protect its customers' sensitive data to avoid embarrassment and protect its own integrity.

Emerging technologies that provide complete encryption using standardized encryption algorithms and a key management lifecycle have seen significant growth. One emerging technology, known as tokenization, gives the enterprise customer of the cloud provider the ability to store, retrieve and delete data based on keys that the enterprise holds. No other co-tenant, nor the cloud service provider for that matter, has access to that data: the resident data involved in any store, retrieve or delete operation can only be encrypted and decrypted with keys owned by the enterprise customer. Tokenization techniques are now being adopted by the PCI-DSS compliance standard for the payment card industry.

Strong encryption with key management is one of the core mechanisms that cloud computing systems should use to protect data. While encryption itself doesn't necessarily prevent data loss, safe harbor provisions in laws and regulations treat lost encrypted data as not lost at all. Encryption provides resource protection, while key management enables access to protected resources.

One common question that often comes up during cloud computing discussions is where the enterprise data is stored. Data sovereignty raises issues for businesses adopting cloud computing for sensitive data.
Cloud service providers often store customer data in various geographical locations to ensure scalability, efficiency and resiliency, often on a common platform that is shared by multiple tenants. Your data may not reside within the same country as your business, and privacy laws and jurisdictions may vary dramatically between countries and regions. When moving applications to the cloud, you want to understand not only where your users reside, but also where the data resides in the cloud application: if not precisely, at least in which legal jurisdictions. Yet this information can be difficult to determine, as data is constantly in motion in the cloud.

Cloud environments are shared with many tenants, and service providers have privileged access to the data in those environments. Thus confidential data hosted in a cloud must be protected using a combination of access control, contractual liability and encryption. Of these, encryption offers the benefits of minimum reliance on the cloud service provider and no dependence on the detection of operational failures.

Encrypting data in transit over networks. There is the utmost need to encrypt multi-use credentials, such as credit card numbers, passwords, and private keys, in transit over the Internet. Although cloud provider networks may be more secure than the open Internet, they are by their very architecture made up of many disparate components, and disparate organizations share the cloud. Therefore it is important to protect this sensitive and regulated information in transit even within the cloud provider's network. Typically this can be implemented with equal ease in SaaS, PaaS, and IaaS environments.

Encrypting data at rest. Encrypting data on disk or in a live production database has value, as it can protect against a malicious cloud service provider or a malicious co-tenant, as well as against some types of application abuse.
For long-term archival storage, some customers encrypt their own data and then send it as ciphertext to a cloud data storage vendor. The customer then controls and holds the cryptographic keys and decrypts the data, if necessary, back on their own premises. Encrypting data at rest is common within IaaS environments, using a variety of provider and third-party tools. Encrypting data at rest within PaaS environments is generally more complex, requiring instrumentation of provider offerings or special customization. Encrypting data at rest within SaaS environments is a feature cloud customers cannot implement directly and need to request from their providers.

Encrypting data on backup media. This can protect against misuse of lost or stolen media. Ideally, the cloud service provider implements it transparently. However, as a customer and provider of the data, it is your responsibility to verify that such encryption takes place. One consideration for the encryption infrastructure is dealing with the longevity of the data.

Tokenization and Data Residency

Tokenization is the process of substituting original (sensitive) data with randomly generated alphanumeric values (tokens). While structurally similar to the original data, these tokens have no mathematical relationship with the original data. The mapping between the original data and the tokens is stored in a secure token database, and access to this database is required to reverse the process and retrieve the original data. By retaining original data within the concerned jurisdiction and storing only tokens in cloud applications, data residency challenges can be eliminated.

Tokenization Eliminates Cloud Data Residency Challenges

Tokenization technology allows customers to replace sensitive information with anonymous values (tokens) that respect field formatting and preserve all native features and functionality of compatible cloud solutions, such as searching, sorting, and reporting. The token database that stores the sensitive information can be placed either behind the enterprise firewall or with a trusted hosting provider in the customer's jurisdiction.

- Rapid configuration and deployment
- High-performance architecture with ultra-low latency
- Support for multiple load-balancing and high-availability deployment topologies to address global customer needs
- Subscription-based pricing that eliminates up-front capital expenditure
- Centralized logging and auditing of user activities in the cloud
- Extensible architecture for cross-platform tokenization

Federated Identity and Access Management in the Cloud

Managing identities of users and access control for enterprise applications remains one of the greatest challenges facing IT today. While an enterprise may be able to leverage several Cloud Computing services without a good identity and access management strategy, in the long run extending an organization's identity services into the cloud is a necessary precursor towards strategic use of on-demand computing services. Supporting today's aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization's readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization's Cloud Computing providers.

Identity Provisioning: One of the major challenges for organizations adopting Cloud Computing services is the secure and timely management of on-boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud. Furthermore, enterprises that have invested in user management processes within the enterprise will seek to extend those processes and practices to cloud services.

Authentication: When organizations start to utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication-related challenges such as credential management, strong authentication (typically defined as multi-factor authentication), delegated authentication, and managing trust across all types of cloud services.
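Returning to the tokenization approach described in the Tokenization & Data Residency section above, here is an added example (not code from the original paper or any vendor product) of a token vault that issues random, format-preserving tokens and is the only place where a token can be reversed. The card-number field, the customer record layout and the in-memory dictionaries standing in for the secured token database are assumptions made for the example.

```python
import secrets
import string


class TokenVault:
    """The secure token database: the only place where a token maps back to its original.

    It stays within the data owner's jurisdiction (behind the enterprise firewall or with a
    trusted host); cloud applications only ever see tokens. The in-memory dicts below are a
    stand-in for the real, access-controlled database."""

    def __init__(self, alphabet=string.digits):
        self._alphabet = alphabet
        self._token_to_value = {}
        self._value_to_token = {}

    def _random_token(self, length):
        # Drawn from a CSPRNG: no key and no mathematical relationship to the original,
        # so a token copied out of the cloud application reveals nothing without the vault.
        return "".join(secrets.choice(self._alphabet) for _ in range(length))

    def tokenize(self, value):
        """Return a token of the same length and character class as `value`.

        The same original always yields the same token, so exact-match search,
        grouping and reporting in the cloud application keep working on tokens."""
        if not value or any(ch not in self._alphabet for ch in value):
            raise ValueError("value does not match the vault's token alphabet")
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        while True:
            token = self._random_token(len(value))
            # Reject a clash with an issued token or an (astronomically unlikely) identity mapping
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Reverse the substitution; only possible with access to this vault."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("token was not issued by this vault") from None


def store_in_cloud(vault, customer_record):
    """Build the record the cloud application receives: the card number is replaced by
    its token while the original stays in the vault in the home jurisdiction."""
    cloud_record = dict(customer_record)
    cloud_record["card_number"] = vault.tokenize(customer_record["card_number"])
    return cloud_record


def is_format_preserving(original, token):
    """True if the token fits the same digit-only field as the original (same length)."""
    return len(token) == len(original) and token.isdigit() and token != original


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the card number is a well-known test number, not a real card
    record = {"customer": "A. Example", "card_number": "4111111111111111"}
    cloud_copy = store_in_cloud(vault, record)
    print("cloud application sees:", cloud_copy)
    print("vault resolves token to:", vault.detokenize(cloud_copy["card_number"]))
```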
Federation: In a Cloud Computing environment, Federated Identity Management plays a vital role in enabling organizations to authenticate their users of cloud services using the organization's chosen identity provider (IdP). In that context, exchanging identity attributes between the service provider (SP) and the IdP in a secure way is also an important requirement. Organizations considering federated identity management in the cloud should understand the various challenges and possible solutions to address those challenges with respect to identity lifecycle management and the available authentication methods to protect confidentiality and integrity while supporting non-repudiation.

Authorization & user profile management: The requirements for user profiles and access control policy vary depending on whether the user is acting on their own behalf (such as a consumer) or as a member of an organization (such as an employer, university, hospital, or other enterprise). The access control requirements in SPI (SaaS, PaaS, IaaS) environments include establishing trusted user profile and policy information, using it to control access within the cloud service, and doing this in an auditable way.

Federated Identity - Identity federation builds a trust relationship between applications that reflects business affiliations so that employees can remotely access applications with a single sign-on (SSO), regardless of whether the applications are locally or remotely located. Identity federation also protects an employee's private information. As a first step towards your cloud initiative it is recommended to adopt an identity federation solution based on an open standard, such as Security Assertion Markup Language (SAML), to ensure interoperability in a hybrid cloud environment whilst extending your internal IAM systems into the cloud.
SAML addresses one of the key challenges: how to integrate all cloud computing resources with internal enterprise resources in order to deliver a unified service to employees and customers anywhere and anytime while still maintaining a secure environment. In the illustration the user is actually accessing many applications on a hybrid cloud computing environment, which goes beyond the boundary of the enterprise data center. The user's access control must be enforced by the cloud environment, i.e. outside the data center, and this creates new challenges for the enterprise when adopting cloud computing and transforming its business.

Single Sign-on Challenge - The enterprise typically uses access management to integrate applications in different domains into an application portal, so that the end user can access applications without re-authentication. Access management might work well for the applications within the data center or within the same domain. However, the cloud computing service typically is external to the data center, located within a different domain and shared with multiple other tenants.

Security Challenge - Security is another challenge. As an example, let's consider an access control policy change. Typically, the application is associated with a dedicated identity and access management solution, and many applications using this approach create duplicated identity and access management functionality. Therefore, the application's access control policies reside in multiple locations across the network, creating policy management overhead and complexity. Furthermore, an employee often requires multiple roles for different applications, and the duplication of Identity and Access Management (IAM) prevents identity provisioning and enforcement on demand.
Finally, the traditional IAM approach cannot fit into a cloud computing platform, because the enterprise does not control the cloud service provider's IAM practices and has even less influence over strict security practices.

Identity Federation is based on two important concepts:

- The virtual reunion or assembled identity of a person's user information (or principal) which is stored across multiple distinct identity management systems. Typically, the user's name, being a common token, joins the data.
- A user's authentication process which is integrated across multiple IT systems or even organizations. For example, a traveler could be a flight passenger as well as a hotel guest. If the airline and the hotel use a federated identity management system, this means that they have a contracted mutual trust in each other's user authentication. Initially, the traveler can self-identify as a customer for booking the flight and then this identity can be transferred to hotel reservations.

The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, without requiring redundant user administration. The goal requires that all participating systems use the same protocol to be interoperable. Public cloud computing service providers such as Google, Amazon, and Salesforce.com offer their own IAM interface, which by default is not capable of SSO. Private cloud computing service providers may recommend different IAM practices than enterprise customers. To integrate a cloud service into an enterprise's access portal with SSO, it is recommended that an identity federation open standard such as SAML be used. The SAML protocol decouples the SAML identity provider and the SAML service provider. This enables the enterprise to have a centralized identity provider that can support many other service providers in a distributed fashion.
The SAML identity provider focuses on identity management, access policy management, and security token generation, while SAML service providers receive the remote security token, retrieve credential data, and reinforce user access policies locally.

With the SAML protocol, the enterprise can provide services to other enterprises. Identity federation supports cross-domain single sign-on (CD SSO) and interchanges access control information with a wide range of partners, reflecting business trust relationships. The SAML protocol is interoperable. Because cloud service providers implement different identity federation protocols or different versions of the same protocol, the enterprise cloud can leverage a Security Token Service (STS) to interoperate between these different SSO practices. For example, the SAML assertion token can be converted between SAML 1.1 and SAML 2.0.

Identity Authentication Flow Patterns

SAML Patterns: SAML identity provider and SAML service provider - With the trust partnership, the involved parties can either act as an identity provider, which asserts information about the user, or a service provider, which consumes the assertion provided by the identity provider. In SAML integration, the SAML identity provider directly accesses an identity management (IdM) system such as LDAP or Active Directory, while the SAML service provider strictly reinforces application access. A SAML integration pattern decouples the access and the authentication, so that the authentication and access can collaborate together within a trust domain over the Internet.

Identity authentication patterns reflect authentication flows between the user and IAM. As illustrated below, when accessing supply chain applications, all participants globally are required to log into a common application platform, creating a fan-in identity authentication flow to the supply chain applications. Enterprise users log into a portal and then access different applications using SSO, creating a fan-out identity authentication flow. During mergers and acquisitions, authentication flows between the two companies involved often spill over, because each company holds partial identity.
In all three authentication flows, the IAM is required to handle on-demand requests and do so in high volume. As a result, the enterprise IAM often faces challenges concerning performance and on-demand capacity in order to meet service-level agreements (SLAs). Identity federation does not change the flow of the identity authentication. However, it decouples the authentication process and access control process such that regulating identity authentication occurs at one site and reinforcing authorization occurs at another. This simplifies the IAM infrastructure. The enterprise can create a centralized identity service with an identity provider that supports SAML for CD SSO; the enterprise can also implement SAML service provider functionality in the private cloud data center with ease using identity management.

Enterprises use identity authentication patterns in the following ways:

- The enterprise can act as the identity provider, processing employee authentications locally. With identity federation, the employees' service requests fan out to the cloud services.
- The enterprise can build a private cloud data center that hosts services, acting as a service provider. With identity federation, the service requests from different trusted partners fan into this private cloud data center with SSO.
- For two companies involved in a merger and acquisition (M&A) process, their employees' service requests cross over different domains and data centers with SSO.

Identity Federation Pattern: Trust Domain - Identity federation is about creating a trust domain. This is the trust relationship of identity authentication and authorization that reflects the business relationship. As illustrated below, a trust relationship can transfer trust from one party to another party, creating a trust domain chain. The user can have different credentials in each application or cloud service. When these applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile different identities, allowing users to access different applications using their appropriate credentials. In a real life example, a traveler could be a flight passenger as well as a hotel guest. If both the airline and the hotel use a federated identity management system, they have a contracted mutual trust in each other's authentication of the passenger/guest. Initially, the traveler can self-identify as a customer when booking a flight and then be transferred towards a hotel reservation as an identified customer. The enterprise can leverage this pattern to integrate different cloud services into the enterprise remote access portal to improve overall productivity.

Cloud Ready Data Center Overview

CIOs are looking for ways to achieve greater IT efficiencies and agility to meet their requirements for an improved user experience and lower costs. Cloud computing represents a new way of meeting these goals by delivering services on a dynamic and shared IT infrastructure. Previously, applications were linked to hardware that was specifically designated for compute and storage. With cloud computing, the functionality of these same software and hardware products is delivered in a more scalable fashion as services over a network. CIOs are looking to apply the lessons of the cloud to their own IT departments to optimize results. However, they are limited because, as application architectures, server virtualization, and storage technology have evolved over time, innovation in the network and security has not kept pace. Because networks and security are the foundation of a cloud-ready data center, businesses need a new network and security solution to unleash the promise of the cloud. Cloud computing can vastly improve the performance, scale, agility and security of applications in any data center. This reduces IT costs while improving the user experience.
IT services are delivered by infrastructures that are centrally managed and shared through consolidation and virtualization. Any of the standard data center elements such as servers, appliances, storage, and other networking devices can be contained within a cloud-like architecture. By abstracting the logical from the physical, these elements can be arranged in resource pools that are shared securely across multiple applications, users, departments, suppliers, and customers. The resources in these pools can also be dynamically allocated to accommodate the changing capacity requirements of different applications and improve asset utilization levels. Consequently, cloud infrastructures have proven to simplify management, reduce operating and ownership costs, and allow services to be provisioned with unprecedented speed. The cloud-ready data center, also referred to as the next generation data center, is based on building simplified, scalable, agile, and secure networks with the following design objectives.

Key Components - Success in building a cloud-ready data center network requires three steps: Simplify, Share and Secure. It is also important to automate at each step. Whether you are running your internal IT infrastructure to be cloud-like or plan to connect with public cloud services, designing a cloud-ready data center network involves removing the restrictions related to where you place your resources. This gives you significant operational advantages that can help you lower costs, increase efficiency, and keep your data center agile enough to accommodate any changes in your business or your technology infrastructure.

Simplify the architecture - Consolidate siloed systems and collapse inefficient tiers using a network fabric and a single network operating system. This gives you fewer devices, a smaller operational footprint, reduced complexity, easier management operations, and improved application performance.
Share the resources - Virtualize network resources to segment the network into simple, logical, and scalable partitions for your various applications and services while using fabric technology to ensure seamless connectivity to those resources regardless of where they are located. Keep privacy, flexibility, high performance, and quality of service (QoS) as primary goals. This sharing enables agility for multiple users, applications, and services.

Secure the data flows - Make sure that integrated and dynamic security services are resident in the network to provide security scale, threat visibility, and enforcement. These comprehensive services secure data flows across both physical and virtual environments, while leveraging centralized orchestration to drastically simplify the enforcement of dynamic, application-aware, and identity-aware policies, ultimately ensuring better application availability and network performance.

Data Center Architectures Evolution

The data center infrastructure and security architecture has evolved over the last decade, from a multi-tiered network and security layer design to a consolidated single tier with virtual layers or security zones. This is best represented by the series of diagrams below. Legacy data centers typically followed a standardized core, distribution and access three-layer topology where different devices performed dedicated functions, not only increasing complexity in terms of management and operations but also the cost of maintaining the data center.

[Figure] The abstract of the two-tier data center architecture with aggregation and access layer. Security services are consolidated at the aggregation layer, providing security zone demarcation across different trust domains. With the use of MPLS/VPLS technology this architecture can be considered semi-perimeterized, since such architectures cater for inter-data center communication within a single entity which may not require security services.

Security as a Service in the Cloud Data Center

As the data center has evolved with virtualization at the server level, the core, distribution and access layers have also seen major changes and are now consolidated into two layers known as aggregation and access. Security layers such as DMZ, extranet, perimeter and internal core zones are virtualized at the infrastructure level.
Whilst these security zones still exist as they did for the legacy data center, where individual devices used to perform dedicated functions such as perimeter external stateful firewall, external IPS, reverse proxy, Web Application Firewall, internal zone firewall etc., the transition to a two-layer model of aggregation and access has allowed these security functions to be consolidated and virtualized. The new shift to cloud-ready data centers has changed the way network and security infrastructure is designed: next generation data centers have a unified control plane known as a fabric. No longer does a network security perimeter exist between different security zones; security needs to be viewed as a de-perimeterized function given the very nature of cloud computing, that is, any-to-any connectivity with extremely low latency, building trust relationships using federated identity across different entities whilst securing your assets in the cloud, where the underlying infrastructure is likely to be shared by hundreds if not thousands of co-tenants. Application of multi-tenancy has also meant that virtualization not only needs to be observed at the server level in the form of a Virtual Machine but also at the infrastructure level: use of virtual switching, virtual routing, virtual firewall/IPS and virtualized application delivery control. A single tenant that is under a DDoS attack should not become a source of attack for another tenant, and it is these concepts that need to be understood and countermeasures built in from day one.

[Figure] The abstract of single-tier data center architecture with a unified flat fabric that provides the ability for any-to-any connectivity with extremely low latency. Network and security infrastructures are seen as one logical layer through the fabric and any resource within the cloud can observe its very own security policy.
In this architecture security has completely transformed from a perimeter-based architecture to something that has no boundaries and is considered de-perimeterized. Security can be implemented at the hypervisor, as discussed previously, providing this de-perimeterized security concept. With cloud services ranging from IaaS, PaaS and SaaS, the Security as a Service concept is agnostic to the service model and can be deployed in any form: as an Infrastructure through dedicated hardware, as a Platform in a multi-tenancy environment where you are managing security policies, to a Service where the cloud provider is responsible for providing security for your assets in the cloud.

[Figure] The abstract of the legacy data center with core, distribution and access layer with multiple security devices providing security functions in a multi-tiered layer architecture. Security is very much a dedicated function with no consolidation in mind; security management is a severe overhead.

About the Author

Co-Founder and Sr. Security Consultant at DTS Solution - Smart Solution for the Smart Business; an innovative and dynamic start-up organization aimed to provide best-in-class network and security solutions in the regional market. A dynamic, astute and professional individual with more than 10 years of industry expertise and experience. Having worked for a Service Provider, System Integrator and multiple Vendors, he has extensive knowledge of the complete project lifecycle focused around security solutions. Besides this technical expertise and certifications, he holds CISSP, CISA, CISM, CRISC and CCSK and is an active member of ISACA and Cloud Security Alliance. shah@dts-solution.com


More information

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto Cloud Computing: What needs to Be Validated and Qualified Ivan Soto Learning Objectives At the end of this session we will have covered: Technical Overview of the Cloud Risk Factors Cloud Security & Data

More information

Secure Cloud Computing

Secure Cloud Computing Secure Cloud Computing Agenda Current Security Threat Landscape Over View: Cloud Security Overall Objective of Cloud Security Cloud Security Challenges/Concerns Cloud Security Requirements Strategy for

More information

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud-Security: Show-Stopper or Enabling Technology? Cloud-Security: Show-Stopper or Enabling Technology? Fraunhofer Institute for Secure Information Technology (SIT) Technische Universität München Open Grid Forum, 16.3,. 2010, Munich Overview 1. Cloud Characteristics

More information

PROTECTING DATA IN MULTI-TENANT CLOUDS

PROTECTING DATA IN MULTI-TENANT CLOUDS 1 Introduction Today's business environment requires organizations of all types to reduce costs and create flexible business processes to compete effectively in an ever-changing marketplace. The pace of

More information

yvette@yvetteagostini.it yvette@yvetteagostini.it

yvette@yvetteagostini.it yvette@yvetteagostini.it 1 The following is merely a collection of notes taken during works, study and just-for-fun activities No copyright infringements intended: all sources are duly listed at the end of the document This work

More information

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst Clouds on the Horizon Cloud Security in Today s DoD Environment Bill Musson Security Analyst Agenda O Overview of Cloud architectures O Essential characteristics O Cloud service models O Cloud deployment

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

CoIP (Cloud over IP): The Future of Hybrid Networking

CoIP (Cloud over IP): The Future of Hybrid Networking CoIP (Cloud over IP): The Future of Hybrid Networking An overlay virtual network that connects, protects and shields enterprise applications deployed across cloud ecosystems The Cloud is Now a Critical

More information

THOUGHT LEADERSHIP. Journey to Cloud 9. Navigating a path to secure cloud computing. Alastair Broom Solutions Director, Integralis

THOUGHT LEADERSHIP. Journey to Cloud 9. Navigating a path to secure cloud computing. Alastair Broom Solutions Director, Integralis Journey to Cloud 9 Navigating a path to secure cloud computing Alastair Broom Solutions Director, Integralis March 2012 Navigating a path to secure cloud computing 2 Living on Cloud 9 Cloud computing represents

More information

Kent State University s Cloud Strategy

Kent State University s Cloud Strategy Kent State University s Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology

More information

Cloud computing: benefits, risks and recommendations for information security

Cloud computing: benefits, risks and recommendations for information security Cloud computing: benefits, risks and recommendations for information security Dr Giles Hogben Secure Services Programme Manager European Network and Information Security Agency (ENISA) Goals of my presentation

More information

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions. Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory

More information

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there A white paper from Fordway on CLOUD COMPUTING Why private cloud should be your first step on the cloud computing journey - and how to get there PRIVATE CLOUD WHITE PAPER January 2012 www.fordway.com Page

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.segal@usitc.gov Reference

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect

OWASP Chapter Meeting June 2010. Presented by: Brayton Rider, SecureState Chief Architect OWASP Chapter Meeting June 2010 Presented by: Brayton Rider, SecureState Chief Architect Agenda What is Cloud Computing? Cloud Service Models Cloud Deployment Models Cloud Computing Security Security Cloud

More information

Cloud Computing Security Issues

Cloud Computing Security Issues Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

Ensuring security the last barrier to Cloud adoption

Ensuring security the last barrier to Cloud adoption Ensuring security the last barrier to Cloud adoption Publication date: March 2011 Ensuring security the last barrier to Cloud adoption Cloud computing has powerful attractions for the organisation. It

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute

More information

Vormetric Data Security Securing and Controlling Data in the Cloud

Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric Data Security Securing and Controlling Data in the Cloud Vormetric, Inc. Tel: 888.267.3732 Email: sales@vormetric.com www.vormetric.com Table of Contents Executive Summary.........................................................3

More information

TOP SECRETS OF CLOUD SECURITY

TOP SECRETS OF CLOUD SECURITY TOP SECRETS OF CLOUD SECURITY Protect Your Organization s Valuable Content Table of Contents Does the Cloud Pose Special Security Challenges?...2 Client Authentication...3 User Security Management...3

More information

OVERVIEW Cloud Deployment Services

OVERVIEW Cloud Deployment Services OVERVIEW Cloud Deployment Services Audience This document is intended for those involved in planning, defining, designing, and providing cloud services to consumers. The intended audience includes the

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014 Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September What is the The Cloud Some Definitions The NIST Definition of Cloud computing Cloud computing is

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc.

Why You Should Consider Cloud- Based Email Archiving. A whitepaper by The Radicati Group, Inc. . The Radicati Group, Inc. 1900 Embarcadero Road, Suite 206 Palo Alto, CA 94303 Phone 650-322-8059 Fax 650-322-8061 http://www.radicati.com THE RADICATI GROUP, INC. Why You Should Consider Cloud- Based

More information

Guideline on Implementing Cloud Identity and Access Management

Guideline on Implementing Cloud Identity and Access Management CMSGu2013-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Implementing Cloud Identity and Access Management National

More information

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models. Cloud Strategy Information Systems and Technology Bruce Campbell What is the Cloud? From http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf Cloud computing is a model for enabling ubiquitous,

More information

6 Cloud computing overview

6 Cloud computing overview 6 Cloud computing overview 6.1 General ISO/IEC 17788:2014 (E) Cloud Computing Overview Page 1 of 6 Cloud computing is a paradigm for enabling network access to a scalable and elastic pool of shareable

More information

Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments

Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments Cisco Unified Network Services: Overcome Obstacles to Cloud-Ready Deployments What You Will Learn Deploying network services in virtual data centers is extremely challenging. Traditionally, such Layer

More information

next generation privilege identity management

next generation privilege identity management next generation privilege identity management Nowadays enterprise IT teams are focused on adopting and supporting newer devices, applications and platforms to address business needs and keep up pace with

More information

Cloud Computing Security Issues And Methods to Overcome

Cloud Computing Security Issues And Methods to Overcome Cloud Computing Security Issues And Methods to Overcome Manas M N 1, Nagalakshmi C K 2, Shobha G 3 MTech, Computer Science & Engineering, RVCE, Bangalore, India 1,2 Professor & HOD, Computer Science &

More information

White Paper. Cloud Vademecum

White Paper. Cloud Vademecum White Paper Cloud Vademecum Cloud is the new IT paradigm this document offers a collection of thoughts, internal and external discussions and information. The goal is to inspire and stimulate the route

More information

journey to a hybrid cloud

journey to a hybrid cloud journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience

More information

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com Secure Multi Tenancy In the Cloud Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com At-a-Glance Trends Do MORE with LESS Increased Insider Threat Increasing IT spend on cloud

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

Compliance for the Road Ahead

Compliance for the Road Ahead THE DATA PROTECTION COMPANY CENTRAL CONTROL A NTROL RBAC UNIVERSAL DATA PROTECTION POLICY ENTERPRISE KEY DIAGRAM MANAGEMENT SECURE KEY STORAGE ENCRYPTION SERVICES LOGGING AUDITING Compliance for the Road

More information

Seeing Though the Clouds

Seeing Though the Clouds Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

White Paper: Nasuni Cloud NAS. Nasuni Cloud NAS. Combining the Best of Cloud and On-premises Storage

White Paper: Nasuni Cloud NAS. Nasuni Cloud NAS. Combining the Best of Cloud and On-premises Storage Combining the Best of Cloud and On-premises Storage Introduction Organizations rely on corporate data for everything from product design to order processing. Files are the lifeblood of the modern enterprise

More information

The HIPAA Security Rule: Cloudy Skies Ahead?

The HIPAA Security Rule: Cloudy Skies Ahead? The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly

More information

Cloud Computing in Higher Education: A Guide to Evaluation and Adoption

Cloud Computing in Higher Education: A Guide to Evaluation and Adoption Cloud Computing in Higher Education: A Guide to Evaluation and Adoption Executive Summary Public cloud computing delivering infrastructure, services, and software on demand through the network offers attractive

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

Enterprise Data Protection

Enterprise Data Protection PGP White Paper June 2007 Enterprise Data Protection Version 1.0 PGP White Paper Enterprise Data Protection 2 Table of Contents EXECUTIVE SUMMARY...3 PROTECTING DATA EVERYWHERE IT GOES...4 THE EVOLUTION

More information

Cloud Models and Platforms

Cloud Models and Platforms Cloud Models and Platforms Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF A Working Definition of Cloud Computing Cloud computing is a model

More information

White. Paper. Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS. January 2013

White. Paper. Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS. January 2013 White Paper Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS By Jon Oltsik, Senior Principal Analyst January 2013 This ESG White Paper was commissioned by McAfee. and is distributed

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

What Cloud computing means in real life

What Cloud computing means in real life ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider Whitepaper: Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider WHITEPAPER Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider Requirements Checklist

More information

The Advantages of Cloud Services

The Advantages of Cloud Services Cloud-Based Services: Assure Performance, Availability, and Security What You Will Learn Services available from the cloud offer cost and efficiency benefits to businesses, but until now many customers

More information

Selecting the right Cloud. Three steps for determining the most appropriate Cloud strategy

Selecting the right Cloud. Three steps for determining the most appropriate Cloud strategy Selecting the right Cloud Three steps for determining the most appropriate Cloud strategy Selecting the most appropriate cloud model can be a challenging process for organisations and IT executives tasked

More information

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101

Virginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101 Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro

More information

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD........................................ How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications Who should read this

More information

How To Protect Your Data From Harm

How To Protect Your Data From Harm Brochure: Comprehensive Agentless Backup and Recovery Software for the Enterprise Comprehensive Agentless Backup and Recovery Software for the Enterprise BROCHURE Your company s single most valuable asset

More information

Information Security: Cloud Computing

Information Security: Cloud Computing Information Security: Cloud Computing Simon Taylor MSc CLAS CISSP CISMP PCIRM Director & Principal Consultant All Rights Reserved. Taylor Baines Limited is a Registered Company in England & Wales. Registration

More information