Trust but Verify. Vincent Campitelli. VP IT Risk Management



Transcription:

Trust but Verify Vincent Campitelli VP IT Risk Management McKesson Corporation

Trust but Verify Cloud Security

Agenda: Cloud Defined; Cloud Opportunities; Cloud Challenges; What's Different?; How to Verify; Key Takeaways

The Cloud defined?

Attributes ELASTIC SERVICE DELIVERY MULTI-TENANT ON-DEMAND FLEXIBLE BILLING SELF-SERVICE

Cloud Service offerings: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS); Infrastructure-as-a-Service (IaaS)

SaaS
Definition: Software deployment model in which a third party owns, hosts and manages the software application and delivers it as a service to the end customer
Target Market: End-user with specific business functionality requirements
Examples: Salesforce.com, Google Docs, MS Office Live/Online

PaaS
Definition: Software deployment platform available as a service that supports the end-to-end software development lifecycle, including design, testing and deployment
Target Market: Software developers and independent software vendors
Examples: Windows Azure, Google App Engine

IaaS
Definition: Service-based model for provisioning core computing power - servers, storage and network resources - for deployment and execution of externally hosted applications
Target Market: Software architects, infrastructure groups, network/system administrators
Examples: Amazon EC2/S3, Oracle Coherence

Cloud Business Models
Public cloud - makes resources available dynamically over the Internet from third-party providers - the most commonly described model
Private cloud - deploys advanced use of virtualization technologies inside an enterprise to emulate cloud computing benefits via an internal infrastructure
Managed cloud - provided by designated service providers on a single-tenant or multi-tenant operating environment. The physical infrastructure is owned by and/or physically located in the organization's data centers, with management and security functions provided by a designated service provider
Hybrid cloud - combines features of public and private cloud models (leverages virtualized architecture inside the enterprise to an external, off-premise cloud architecture)

Cloud Business Models: Who manages it? Who owns it? Where is it located? Who has access to it? How is it accessed?

Cloud Opportunities

Cloud Attractions (chart; axis: percent responding)

Cloud Challenges

FEAR OF UNAUTHORIZED ACCESS/DATA LEAKAGE RE: CUSTOMER DATA
FEAR OF UNAUTHORIZED ACCESS/DATA LEAKAGE RE: IP
OTHER FEATURES / MATURITY OF TECHNOLOGY
UNPREDICTABLE COSTS
VENDOR LOCK-IN
PROVIDER SUSTAINABILITY
EMBEDDED SECURITY DEFECTS
APPLICATION/SYSTEM PERFORMANCE

WHAT'S DIFFERENT? New delivery paradigm; New technology abstractions

Moving out of the DC
OLD: Specification, configuration and operation; Enterprise policies, procedures, controls; Physical / logical access controls; Configuration status/monitoring; Patch testing / management; Data/application controls - linked to physical device; Network controls - connected to devices; Security Standards Techniques
NEW: Security Standards Techniques

Moving into the Cloud: Virtualization

SECURITY IMPLICATIONS: INFRASTRUCTURE; PROCESS DISCIPLINE; ACCESS RIGHTS; NEW RISKS

Infrastructure Best Practices: Network security; Segmentation; Audit logging

Infrastructure Best Practices: Platform Hardening Configuration Change Management

Infrastructure Best Practices: Reporting; Monitoring; Automation

Access Rights (diagram; layers shown: Applications, OS, Hypervisor, Hardware)

New Risks: Increased DR complexity; Virtual Network Traffic; Application of Reg/Stds (PCI); Software Licensing; Host Server - administration; E-discovery

How to Verify? PRE-CLOUD / In the Cloud

Verification Fundamentals: Standards; Portability; Transparency

Cloud customer expectations (chart; axis: percent responding). Source: InformationWeek 2010 Cloud GRC Survey

Yes, BUT

Solutions: Strategic deployment; Self-service appliances; The Uber Cloud

Strategic deployment (chart; axes: BUSINESS RISK and CLOUD RISK, each marked L to H; labels: PRIVATE CLOUD, HYBRID CLOUD, PUBLIC CLOUD)

Self Service Configuration Vulnerability Anchoring Audit Log Service Management

Uber Cloud Decision Support Automated arrangement coordination Cloud Audit

Key Takeaways: Define Business Risk; Define Cloud Risk; Match reward with risk; Design assurance program; Implement and monitor

Thank you!