Accelerating Cloud adoption with Security Level Agreements automation, monitoring and industry standards compliance
Cirrus Workshop, Vienna, Austria, November 19, 2013
Dr. Said Tabet, Senior Technologist and Industry Standards Strategist, Corporate Office of the CTO, EMC

AGENDA
- Brief introduction to EMC
- Overview: Challenges in the industry
- Cloud Transforms Information Technology
- Trust in the Cloud
- Standards and Open Frameworks
- Security SLAs Automation
- Actionable Agreements and aligned objectives
- Near real-time monitoring and proactive enforcement
- Summary
Investing for Growth globally
More than 65,000 People Across 85 Countries (map slide, as of October 18, 2011)
Locations shown: Cork, Ireland; Rotterdam, Netherlands; St. Petersburg, Russia; Seattle, WA; Pleasanton, CA; Burlington, Ontario; Brentford, UK; Pau, France; Durham, NC; Apex, NC; Irvine, CA; Duluth, GA; Hopkinton, MA (Global Headquarters); Vienna, Austria; Roy, UT; Palo Alto, CA; Santa Clara, CA; Tokyo, Japan; Shanghai, China; Bedford, MA; Franklin, MA; Be'er Sheva and Tel Aviv, Israel; Cairo, Egypt; Seoul, S. Korea; Beijing, China; Chengdu, China; Bangalore, India; Cambridge, MA; Singapore; Rio de Janeiro, Brazil; Sydney, Australia; Melbourne, Australia
Map legend: Global Headquarters, Direct Presence, R&D Center, Centers of Excellence, Customer Support Center, Executive Briefing Center, Manufacturing Center, Global Solution and Engineering Center

TRUST at the centre of the four forces: Mobile, Cloud, Big Data, Social
Hitting All The Wrong Headlines
When Risks become Costs
59% of Fortune 500 companies experience a minimum of 1.6 hours of downtime per week, which translates into more than $46 million per year [Dun & Bradstreet]

What is going on in IT?
72% Maintain / 28% Invest
Source: Forrester Research, Inc., IT Budgets and Priorities 2013, 25 April, 2013

The Business Drivers
- Increase Revenue
- Lower Operational Costs
- Reduce Risk

Cloud Transforms IT
Cloud Computing: Increase Revenue, Lower Operational Costs

Big Data Transforms Business
Big Data: Increase Revenue, Lower Operational Costs
Security SLAs: Cloud Risk management and the role of Standards

Trusted IT means:
- Ensuring Availability of Applications, Systems & Data: Continuous Availability & Consistency
- Protecting Data: Integrated Backup & Recovery
- Identifying & Repelling Threats: Advanced Security

Why do we need Standards?
- Use of available technical expertise, enhanced trade
- Common metrics for service level expectations
- Essential to the cloud supply chain
- Open global markets
- Required by legal and accounting professions
- Increased automation

Cloud Standardization
ISO SC38, ISO SC27, IETF, ITU-T, CSA, OMG, NIST, ETSI, ENISA, and many others
SC38 Cloud Standards
- Recommends that any projects on Cloud Computing Security use the cloud computing terms and vocabulary that will appear in ISO/IEC 17788
- Recommends that Cloud Computing Security Architecture use ISO/IEC 17789 as the base Cloud Computing Reference Architecture
- New working draft on Cloud SLAs
- Also under discussion: a future SLA metrics repository

SC27 Cloud Standards
- 27017: Code of practice for information security controls for cloud computing services based on ISO/IEC 27002
- 27018: Code of practice for PII protection in public clouds acting as PII processors
- 27036-4: Information security for supplier relationships, Part 4: Guidelines for security of cloud services
- Cloud-adapted Risk Management Framework (CRMF)
- Security SLAs

Cloud Security Alliance (CSA) Activities
- CSA Guidance: Security Guidance for Critical Areas of Focus in Cloud Computing
- GRC Stack and Trusted Cloud Initiative
- Security SLA Working group
- Security as a Service (SecaaS)
- CSA Mobile WG
- CSA STAR and OCF
- CSA SME and ISC Council

ISO Risk Management Standards
- ISO/IEC 31000:2009, Risk management
- Related Standards:
  - ISO Guide 73:2009, Risk management - Vocabulary: complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk
  - ISO/IEC 31010:2009, Risk management - Risk assessment techniques: focuses on risk assessment
  - ISO/IEC 27005:2011, Information technology -- Security techniques -- Information security risk management

Cloud Computing and Risk management
- Cloud computing roles have differing degrees of control over the computing and data processes
- Implementation of security requirements becomes a shared responsibility among the cloud computing roles
- Cloud computing roles involved in orchestrating cloud computing ecosystems and providing technical services are responsible for ensuring they address the cloud service customers' areas of concern
SPECS: Secure Provisioning of Cloud Services based on SLA Management

SPECS Core idea
- Problem Statement: End-User Cloud Security (How to compare CSPs? What do they grant? How to improve their security features if they do not grant enough?)
- Approach: Security-as-a-Service (SECaaS), a platform which offers security services
- Service Level Agreement (SLA) for Security: End-User and CSP features described through SLAs
- The SECaaS is granted through the SLA life cycle

SPECS Platform

SLA Management
SLA among Users, SPECS and Providers
- Negotiation: finding the agreement
- Monitoring: verifying that the agreement is respected
- Enforcement: taking action to grant the agreement
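The three phases above, written out as a small working loop. This is an added illustration, not SPECS project code: the metric names, the thresholds, the provider offer, the platform-side security services and the monitoring observations are all constructed for the example. Negotiation accepts a term when the provider's offer already meets it, or when a platform security service can lift the provider to the required level (the "improve their security features if they do not grant enough" case); monitoring compares measured values against the agreed terms; enforcement maps each violation to a remediation action.

```python
"""Toy security-SLA life cycle: negotiate, monitor, enforce.

Added illustration of the negotiation / monitoring / enforcement loop
described in the slides. Metric names, thresholds, offers and the
monitoring feed are constructed; none of them are SPECS artefacts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def higher_is_better(value: float, threshold: float) -> bool:
    """Term is met when the measured value reaches or exceeds the threshold."""
    return value >= threshold


def lower_is_better(value: float, threshold: float) -> bool:
    """Term is met when the measured value stays at or below the threshold."""
    return value <= threshold


@dataclass(frozen=True)
class Term:
    metric: str
    threshold: float
    meets: Callable[[float, float], bool]

    def satisfied_by(self, value: float) -> bool:
        return self.meets(value, self.threshold)


# Constructed security requirements of a cloud service customer.
CUSTOMER_REQUIREMENTS: List[Term] = [
    Term("patch_window_hours", 72, lower_is_better),    # critical patches within 3 days
    Term("tls_min_version", 1.2, higher_is_better),     # no TLS below 1.2 on public endpoints
    Term("log_retention_days", 365, higher_is_better),  # audit logs kept for one year
    Term("mfa_coverage_pct", 100, higher_is_better),    # every admin account uses MFA
]

# Constructed levels the provider is willing to grant on its own.
PROVIDER_OFFER: Dict[str, float] = {
    "patch_window_hours": 168,
    "tls_min_version": 1.2,
    "log_retention_days": 90,
    "mfa_coverage_pct": 100,
}

# Constructed security services the platform can add on top of the provider.
PLATFORM_SERVICES: Dict[str, float] = {
    "log_retention_days": 730,  # platform-side log archiving
    "patch_window_hours": 48,   # platform-managed patching
}

# Constructed enforcement actions, one per metric.
REMEDIATION: Dict[str, str] = {
    "patch_window_hours": "trigger platform patch service",
    "tls_min_version": "reconfigure endpoint TLS policy",
    "log_retention_days": "extend retention in platform archive",
    "mfa_coverage_pct": "disable non-MFA admin accounts",
}


def negotiate(requirements, offer, services) -> Tuple[List[Term], List[str]]:
    """Return (agreed terms, platform services added); raise if a term cannot be granted."""
    agreed, added = [], []
    for term in requirements:
        if term.metric in offer and term.satisfied_by(offer[term.metric]):
            agreed.append(term)                      # provider alone meets the term
        elif term.metric in services and term.satisfied_by(services[term.metric]):
            agreed.append(term)                      # platform service closes the gap
            added.append(term.metric)
        else:
            raise ValueError(f"no party can grant {term.metric} at {term.threshold}")
    return agreed, added


def monitor(agreed, observations):
    """Check (timestamp, metric, value) observations against the agreement."""
    by_metric = {t.metric: t for t in agreed}
    return [(ts, metric, value, by_metric[metric].threshold)
            for ts, metric, value in observations
            if metric in by_metric and not by_metric[metric].satisfied_by(value)]


def enforce(violations):
    """Map each violation to its enforcement action."""
    return [(metric, REMEDIATION.get(metric, "notify customer and provider"))
            for _, metric, _, _ in violations]


# Constructed monitoring feed for one collection interval.
OBSERVATIONS = [
    ("2013-11-19T08:00", "patch_window_hours", 40),
    ("2013-11-19T08:00", "tls_min_version", 1.0),   # legacy endpoint still accepts TLS 1.0
    ("2013-11-19T08:00", "log_retention_days", 730),
    ("2013-11-19T08:00", "mfa_coverage_pct", 97),   # some admin accounts lack MFA
]


def run_lifecycle():
    agreed, added = negotiate(CUSTOMER_REQUIREMENTS, PROVIDER_OFFER, PLATFORM_SERVICES)
    violations = monitor(agreed, OBSERVATIONS)
    return added, violations, enforce(violations)


if __name__ == "__main__":
    added, violations, actions = run_lifecycle()
    print("platform services added during negotiation:", added)
    for v in violations:
        print("violation:", v)
    for a in actions:
        print("enforcement:", a)
```

With these constructed inputs, negotiation succeeds only because the platform supplies patching and log archiving the provider does not offer, and monitoring then flags the TLS and MFA terms, each of which is handed to an enforcement action.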
Cloud Transforms IT
- 1 Standardize: Physical Server (Months / Weeks)
- 2 Virtualize: Virtual Server (Days / Hours)
- 3 Automate: Virtual Data Center (Minutes / Seconds)

VM Deployment Now Dominant
Chart: Physical Hosts vs Virtualized Machines, 2005-2015, 0 to 25,000,000 units, with "The Tipping Point" marked where virtualized machines overtake physical hosts
Represents All CPUs (x86, RISC, CISC, EPIC)
Source: IDC Server Virtualization MCS, January 2012

Summary
- Cloud is still facing many challenges: the industry is in the middle of its IT transformation
- Legal/Regulatory/Jurisdictional barriers
- Need for Guidance, Assurance, and Certification
- Help application developers and Architects
- Automation of SLAs and Security SLAs
- Monitoring
- Leverage Semantic Technology
- Data protection and Privacy standardization
- The legal, regulatory, and operational issues require renewed and strong focus
- The Cloud supply chain: Need for transparency and traceability