CLOUD COMPUTING DEMYSTIFIED

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes


IS PRIVATE CLOUD A UNICORN?

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

Cloud Computing; What is it, How long has it been here, and Where is it going?

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

Technology & Business Overview of Cloud Computing

The NIST Definition of Cloud Computing (Draft)

6 Cloud computing overview

Kent State University s Cloud Strategy

OVERVIEW Cloud Deployment Services

The NIST Definition of Cloud Computing

Security Issues in Cloud Computing

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Managing Cloud Computing Risk

Cloud Security Introduction and Overview

White Paper on CLOUD COMPUTING

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Cloud for Credit Unions Leveraging New Solutions to Increase Efficiency & Reduce Costs Presented by: Hugh Smallwood, Chief Technology Officer

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014

Strategies for Secure Cloud Computing

Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

NCTA Cloud Architecture

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Radware Cloud Solutions for Enterprises. How to Capitalize on Cloud-based Services in an Enterprise Environment - White Paper

Cloud Computing Technology

Orchestrating the New Paradigm Cloud Assurance

Cloud Models and Platforms

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

Standardizing Cloud Services for Financial Institutions through the provisioning of Service Level Agreements (SLAs)

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Capability Paper. Today, aerospace and defense (A&D) companies find

CSO Cloud Computing Study. January 2012

Cloud Computing Submitted By : Fahim Ilyas ( ) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Private & Hybrid Cloud: Risk, Security and Audit. Scott Lowry, Hassan Javed VMware, Inc. March 2012

Private Cloud 201 How to Build a Private Cloud

Bringing the Cloud into Focus. A Whitepaper by CMIT Solutions and Cadence Management Advisors

Clinical Trials in the Cloud: A New Paradigm?

1.1.1 Introduction to Cloud Computing

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

CLOUD COMPUTING GUIDELINES FOR LAWYERS

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cloud Computing. What is Cloud Computing?

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

VMware vcloud Powered Services

Cloud Computing Security Issues

An Introduction to Cloud Computing Concepts

Cloud Computing An Elephant In The Dark

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

LEGAL ISSUES IN CLOUD COMPUTING

Key Considerations of Regulatory Compliance in the Public Cloud

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Enterprise Architecture and the Cloud. Marty Stogsdill, Oracle

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Computing. Bringing the Cloud into Focus

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR EFFICIENT MIGRATION TO CLOUD COMPUTING IN GOVERNMENT

SCADA Cloud Computing

Cloud Computing in Higher Education: A Guide to Evaluation and Adoption

SURVEY OF ADAPTING CLOUD COMPUTING IN HEALTHCARE

NATO s Journey to the Cloud Vision and Progress

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

Essential Characteristics of Cloud Computing: On-Demand Self-Service Rapid Elasticity Location Independence Resource Pooling Measured Service

Cloud Computing. Chapter 1 Introducing Cloud Computing

PLATFORM & INFRASTRUCTURE AS A SERVICE

Deploying a Geospatial Cloud

Cloud Computing and Standards

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Developing a Risk-Based Cloud Strategy

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Enterprise Architecture and the Cloud. Marty Stogsdill, Oracle

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

CHOOSING THE RIGHT CLOUD COMPUTING SOLUTION FOR YOU

AskAvanade: Answering the Burning Questions around Cloud Computing

Optimizing Service Levels in Public Cloud Deployments

How To Understand Cloud Computing

Cloud Computing/ Semantic Web Initiatives & Tutorial

CLOUD COMPUTING - OPPORTUNITIES

20 th Year of Publication. A monthly publication from South Indian Bank.

Transcription:

CLOUD COMPUTING DEMYSTIFIED. Definitions you've been pretending to understand. JACK DANIEL, CCSK, CISSP, MVP ENTERPRISE SECURITY

Definitions: Words have meaning; professionals need to understand them. We need to accept that the public, end-users, and the media will get things wrong, and not worry about that. Not much, anyway. There isn't just one cloud, so saying "the cloud" is wrong. (Yes, I know we've already lost this battle.)

What do we mean by Cloud Security? Securing data in a cloud environment? We will talk about this. Securing a cloud environment? That's out of scope for this webinar, and for most people. Using a cloud service for security? You are already doing this for anti-virus, web and email security. We're still struggling with similar confusion over virtual security.

Who Defines Cloud Computing? A lot of folks claim to, but I'll stick with: NIST, the National Institute of Standards and Technology. Their definition of cloud computing and related terminology is good and concise, and it is cited frequently in this deck. CSA, the Cloud Security Alliance.

NIST Definition Of Cloud Computing: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

NIST Definition Of Cloud Computing: "...convenient, on-demand network access to a shared pool of configurable computing resources..."

NIST Definition Of Cloud Computing: "...and is composed of five essential characteristics, three service models, and four deployment models."

Alternate Definition Of Cloud Computing: Anything on the Internet.

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS).

Software as a Service (SaaS): use the provider's applications running on a cloud infrastructure.

Isn't This Just ASP? It is an evolution of Application Service Provider offerings, but SaaS is different. How many ASPs offered: Near-instant provisioning? Global scalability? Data portability? REAL cost savings?

SaaS/PaaS/IaaS Matrix

LAYER                    SaaS Control   PaaS Control   IaaS Control
User
Data and content
Client Software
Software Layer
Platform Layer
Infrastructure layer
Load balancers (maybe)
Virtualization (maybe)
Physical Servers

SaaS/PaaS/IaaS Matrix

LAYER                    SaaS Control   PaaS Control   IaaS Control
User                     Consumer
Data and content         Consumer
Client Software          Consumer
Software Layer           Provider
Platform Layer           Provider
Infrastructure layer     Provider
Load balancers (maybe)   Provider
Virtualization (maybe)   Provider
Physical Servers         Provider

Platform As A Service (PaaS): deploy onto the cloud infrastructure consumer-created or acquired applications* (*created using programming languages and tools supported by the provider).

SaaS/PaaS/IaaS Matrix

LAYER                    SaaS Control   PaaS Control   IaaS Control
User                     Consumer       Consumer
Data and content         Consumer       Consumer
Client Software          Consumer       Consumer
Software Layer           Provider       Consumer
Platform Layer           Provider       Provider
Infrastructure layer     Provider       Provider
Load balancers (maybe)   Provider       Provider
Virtualization (maybe)   Provider       Provider
Physical Servers         Provider       Provider

Infrastructure as a Service (IaaS): provision processing, storage, networks, and other fundamental computing resources.

Infrastructure as a Service (IaaS): control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

SaaS/PaaS/IaaS Matrix

LAYER                    SaaS Control   PaaS Control   IaaS Control
User                     Consumer       Consumer       Consumer
Data and content         Consumer       Consumer       Consumer
Client Software          Consumer       Consumer       Consumer
Software Layer           Provider       Consumer       Consumer
Platform Layer           Provider       Provider       Consumer
Infrastructure layer     Provider       Provider       Provider
Load balancers (maybe)   Provider       Provider       Provider
Virtualization (maybe)   Provider       Provider       Provider
Physical Servers         Provider       Provider       Provider

SaaS/PaaS/IaaS Matrix: Who has ultimate responsibility?

LAYER                    SaaS Control   PaaS Control   IaaS Control
User                     Consumer       Consumer       Consumer
Data and content         Consumer       Consumer       Consumer
Client Software          Consumer       Consumer       Consumer
Software Layer           Provider       Consumer       Consumer
Platform Layer           Provider       Provider       Consumer
Infrastructure layer     Provider       Provider       Provider
Load balancers (maybe)   Provider       Provider       Provider
Virtualization (maybe)   Provider       Provider       Provider
Physical Servers         Provider       Provider       Provider

Anything as a Service? Many more *aaS acronyms exist, but we are starting to move beyond this. C: Compute. N: Networking. S: Storage (but we already have another "SaaS"). Anything you can imagine, and some things you can't.

Deployment Models: Public cloud, Private cloud, Community cloud, Hybrid cloud, Virtual Private Cloud (VPC).

Public Cloud: available to the general public or a large industry group, and owned by an organization selling cloud services.

Private Cloud: operated solely for an organization; managed by the organization or a third party; on premise or off.

Community Cloud: shared by several organizations and supports a specific community that has shared concerns (mission, security requirements, policy, and compliance considerations, etc.); managed by the organizations or a third party; on premise or off.

Hybrid Cloud: a composition of two or more clouds that remain unique entities but are bound together by technology that enables data and application portability.

Virtual Private Cloud*: created by isolating and securing Public Cloud facilities into a Private Cloud configuration. *Not part of the NIST definition, but should be.

Characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service.

On-demand Self-service: A consumer can unilaterally provision computing capabilities automatically without requiring human interaction.

Broad Network Access: available over the network and accessed through standard mechanisms.

Resource Pooling: resources are pooled to serve multiple consumers using a multi-tenant model.

Who Else Is In The Pool?

Sharing the locker room, too

Resource Pooling: the customer generally has no control or knowledge over the exact location of the provided resources.

Resource Pooling*: *This is starting to fade as some providers begin offering dedicated hardware for certain tasks, but resource pooling remains a key cloud concept.

Rapid Elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically...

Rapid Elasticity: the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Rapid Elasticity

Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability.

Availability: What if you are off the Internet, even briefly? Local copies mean synchronization and reconciliation. No SLA will cover your losses.

And What About... Portability and interoperability? Compliance? This is a rabbit hole: what happens as things change? How fast can you re-comply?

Unique Commodities? Sounds like an oxymoron, but it isn't. The unique offerings of cloud service providers are both assets and liabilities to the consumer, because of the limits they impose on portability. Want to have some fun? Ask cloud providers about their network design and how it enables or restricts your cloud deployment.

Compliance And Audit: How does a small department or organization demand SLAs and accountability? That's right, we can't. What about compliance? Audit? CloudAudit/A6 (now part of CSA).

Network Visibility: Network visibility is tricky with virtualization; is it even possible in a cloud? Where do you put the network tap?

Agent Software: Since we do not have access to the network or server hardware, we may need to deploy software agents to inspect systems and traffic for us. And we'll have to trust them.

Do not forget the basics. Many basics are more critical than ever: backups, encryption, logging, authentication, access control, monitoring.

Disaster Recovery: Cloud computing can ease the pain of DR, but it can also exacerbate it, especially if you have to redeploy to local resources.

But wait: Cloud computing offers many benefits; don't let the dangers scare you away. Assess the risks and rewards, and determine what (if anything) is appropriate for moving to a cloud computing platform. Compare providers and choose the best for your needs. Make informed decisions.

Don't be this guy

Feeling left out? Want to play in the clouds, but don't have a budget? Or much time? There are nearly free Amazon micro instances. Cloudshare has a 14-day free trial. CloudSigma has a 7-day free trial. Look around; you will find ways to seed the clouds.

References. Primary reference documents for this presentation: NIST Definition of Cloud Computing and Related Terminology; NIST Cloud Computing Reference Architecture; CSA Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 (new).

References. Additional references used in this presentation: Cloud Computing Wiki; OpenCrowd Cloud Taxonomy; ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security.

References. The single best document, from the Australian Defence Signals Directorate: http://www.dsd.gov.au/publications/cloud_Computing_Security_Considerations.pdf. If you read only one thing as a follow-up to this webinar, read this document.

Career Study Project: A group of us in the security community are researching what makes security professionals tick, and what makes us twitch. Please consider helping with the research by taking about ten minutes to request access and take our current survey. Details are at: http://www.careerstudy.org

THANK YOU! Shameless Self-Promotion: pauldotcom.com www.tenable.com jdaniel@tenable.com twitter.com/jack_daniel blog.uncommonsensesecurity.com