
The Basics of Cloud Computing: From Getting Started to Security - Get All Your Bases Covered

June 27, 2011


Today's Agenda
Moderator: Elliot Markowitz - Vice President of Strategic Content Development - Ziff Davis Enterprise
Guy Currier - Executive Director, Research - Ziff Davis Enterprise
Joe Leonard - Security Practice Manager - Presidio
Ric Telford - Vice President - IBM Cloud Services

Cloud Computing and Its Implications: Infrastructure, Operations, and Security


Guy Currier, Senior Editor / Research Guy.Currier@eweek.com

Cloud computing doesn't create a technology vacuum.

Cloud Computing: Why We're Here Today


The buzz around the cloud is quickly moving to system management and integration. For newly adopted cloud environments, how do you:
allocate resources?
provide security?
integrate existing operations?
integrate proliferating new apps, services, and features?

Cloud Computing as a Template Not a Technology


Dissociation of the two halves of computing:
1. the user interface
2. the data and its processing

Versatility:
low cost and high speed of entry and exit
particlization
broad range of customization

Integration: the key to the whole endeavor

Kind of Cloud, Defined by Control Point (Where the Dissociation Occurs)

[Diagram: control points Information, Hardware, Software, Interface, User; Storage Cloud and Computing Cloud]


Storage clouds and computing clouds have been lumped together as infrastructure as a service, or IaaS.
But they're fundamentally distinct:
Storage: where to find the information
Computing: what to do with it

So there are different offerings for each; you can use different vendors or solutions for each.
(More confusion: IaaS also stands for integration as a service, which is actually PaaS.)

Key Findings from Our Cloud Research


The attraction of cloud computing isn't cost savings on equipment; it's about versatility.
Concerns about cloud computing deployments hinge upon the loss of control adopters face.
Infrastructure needs remain, and management and integration needs grow:
  Modern server, storage, client plant; robust network
  Application infrastructure
  Integration platforms and services
  RISK-MANAGEMENT (security, continuity/backup, compliance)

Both Public and Private Clouds Provide Flexibility, Speed


Top Benefits Expected, Next 2 Years
Increased flexibility/versatility
Lower fixed costs for whole organization
Increased scalability
Reduced demand on IT staff
Reduced maintenance/migration costs
Reduced demand on hardware
Increased data security
Increased user productivity
Happier users
More user access to IT resources
Centralization of org.'s fixed costs
Easier compliance

[Bar chart: share of respondents citing each benefit, Public vs. Private cloud; axis 0% to 30%]

Source: Cloud-Computing Study, Baseline, May 2011 (N=320, 329)


The Kinds of Flexibility and Speed You Get with Cloud Computing
Elasticity (scalability up or down)

Scope of service

Ease of entry and exit

Control point: where the cloud begins

Kind of Cloud Service, Defined by Its Scope

The Cloud Computing Template Holds the Seeds of Its Own Destruction
Aspect of a cloud solution / Security verdict
Elasticity (scalability up or down)
Ease of entry and exit
Control point: where the cloud begins
Scope of service

The Consequences of Elasticity and Ease of Entry


Top Challenges, Next Two Years
Preventing unauthorized data access
Risk of occasional data unavailability
Preventing data loss
Service costs that are rising, or may rise
Uncertainty about cloud vendor's future
Handling risk of slow applications
Possibility of offshore data storage
Less ability to customize
Makes compliance more difficult
Legal risk of losing document versions
Risk of higher migration costs

[Bar chart: share of respondents citing each challenge, Public vs. Private cloud; axis 0% to 30%]

Source: Cloud-Computing Study, Baseline, May 2011 (N=320, 329)

The Consequences of Flexibility in Control Point and in Scope of Service

Not so widely recognized.

The Consequences of Flexibility in Control Point and in Scope of Service

[Diagram: control points Information, Hardware, Software, Interface, User]

The Consequences of Flexibility in Control Point and in Scope of Service


Risks:
Uncertainty in data access points
Greater variation in system transparency, depending on solution needed

Opportunities:
Better balance of security and application investment
Ability to pick the cloud scheme that fits with current capabilities

The Consequences of Flexibility in Control Point and in Scope of Service


Risks:
More complex applications and systems
Many more entry points
Function, Portal, Device

Opportunity:
Ability to target security measures granularly, even by feature

Really, much much more complex systems!

Connecting the Dots


Cloud computing provides organizations with greater versatility in building out capabilities.
But it also presents key challenges:
Data loss or security breach (even for private clouds)
Lost productivity or other costs related to unavailability, slower performance, poor integration
Maintenance and management costs from holding it all together

Organizations still must seek, and can get, the control and performance they're used to; they just haven't demanded it yet.

Presidio Networked Solutions


Breaches are becoming complex and targeted
What do we do?
Paired for

Joe Leonard, CISA, CISM, CRISC, CISSP, CCSK, CCSP, CEH
Secure Networks Practice Manager
June 27, 2011

Agenda
Security in the News
Security Consulting Portfolio
Presidio Typical Assessment Findings
Recommendations to protect your organization
SANS Consensus Audit Guidelines

Security in the News


Organization: Details
RSA: SecurID breach; daily news articles; cost of breach TBD
Sony Network: 77M records compromised; network down 1 week; minimum damage estimate $170M
Lockheed Martin: Cyber incident; replaced 90,000 SecurID tokens
International Monetary Fund: Economic espionage; theft of large quantities of data; spear phishing attack (digital insider); not detected for months
Citigroup: 360,000 accounts compromised
Sony, US Senate, CIA: Hacktivists; multiple attacks; sites inaccessible (DoS)

[Timeline on the slide: MAR, APR, MAY, JUN]

http://www.privacyrights.org/data-breach


Security Consulting Portfolio


Portfolio: Benefits
Security Strategy: Design and implement information security program to protect data.
Security Assessments: Vulnerability, Risk, Network, Virtualization, Cloud. Assessments are snapshots in time.
Security Integration: Implement industry leading security controls.

Presidio Typical Assessment Findings


Poor patch management
Anti-virus software out-of-date
Security controls not tested
SNMP weaknesses
Password management
No logging and alerting
Hardware vulnerable
Reconnaissance (map network)
Network available to intruders
Poor change control
Applications vulnerable to attack
No security awareness training

Recommendations
Security Strategy - Senior management develop, implement, and enforce a comprehensive information security program that defines security policies, standards and procedures that are part of culture.
Education & Training - Educate users on security policies and threats to the organization.
Continuous Monitoring - Test systems regularly and perform remediation. (Quarterly and annual vulnerability assessments used to be recommended; however, it is now recommended to perform daily monitoring.)
Controls - Deploy strong perimeter controls: FW, IPS, Web/Email and Web Application Firewalls.

Recommendations (cont.)
Segmentation - Segment sensitive data and systems from the general network.
Configuration Management - Develop, implement, and enforce configuration management policies and procedures for all systems.
Authentication - Utilize strong authentication for all administrative and remote access connections.
Least Privilege - Control user access based on least privilege and need to know.
Endpoint security controls - Deploy AV/AS/MDM/HIPS.
Incident Response Plan - Develop and test incident response plan.

SANS Consensus Audit Guidelines (CAG)


20 Critical Security Controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software for laptops, workstations and servers
4. Secure configurations for network devices such as firewalls, routers and switches
5. Boundary defense
6. Maintenance, monitoring and analysis of audit logs
7. Application software security
8. Controlled use of administration privileges
9. Controlled access based on need to know
10. Continuous vulnerability assessment and remediation
11. Access monitoring and control
12. Malware defenses
13. Limitation and control of network ports, protocols and services
14. Wireless device control
15. Data Loss Prevention (DLP)
16. Secure networking engineering
17. Penetration tests and red team exercises
18. Incident response capability
19. Data recovery capability
20. Security skills assessment and appropriate training to fill gaps

Can be automated
Cannot be automated

http://www.sans.org/critical-security-controls/

Thank you for joining us today!


Presidio Networked Solutions
7601 Ora Glen Drive
jleonard@presidio.com
Voice: (301) 313.2058
Mobile: (301) 704.5037

Basics of Cloud Computing
Ric Telford
June 27, 2011

2011 IBM Corporation

IBM Institute for Business Value

CIO visionary plans are evolving: business intelligence and analytics remain at the top, with cloud computing moving into the top four
Most important visionary plan elements
(Interviewed CIOs could select as many as they wanted)
Business Intelligence and analytics
Mobility solutions
Virtualization
Cloud computing
Business process management
Risk management and compliance
Self-service portals
Collaboration and Social Networking

[Bar chart: percent of CIOs selecting each element, 2009 vs. 2011]

Source: 2011 CIO Study, Q12: Which visionary plans do you have to increase competitiveness over the next 3 to 5 years? (n=3,018)


Cloud Computing should be part of overall IT Strategy


Optimize the overall IT environment
Consolidate hardware infrastructure
Eliminate redundant software and data
Improve service delivery
Modernize the enterprise

[Diagram labels: Appl; SOA; Compress, Deduplicate, Integrate, Archive; Integrated Service Management; Visibility, Control, Automation; Manual Tasks; Information; Automated Process; IT Systems; Cloud Computing]

Evaluate the IT services you provide for Cloud readiness


[Diagram: IT services sorted into "Ready for Cloud" and "May not yet be ready for migration"]
Diagram labels: Sensitive Data; Analytics; Infrastructure Storage; Industry Applications; Collaboration; Mature Workloads; Workplace, Desktop & Devices; Business Processes; Development & Test; Infrastructure Compute; Information Intensive; Highly Customized; Isolated Workloads; Not yet Virtualized 3rd Party SW; Complex Processes & Transactions; Regulation Sensitive; Pre-Production Systems; Batch Processing

Decide which of the Cloud deployment options is right for each IT service
Private Cloud (Enterprise Data Center)
Managed Private Cloud (Enterprise Data Center)
Hosted Private Cloud (Enterprise)
Shared Cloud Services (Enterprises)
Public Cloud Services (Users)

[Other diagram labels: Third-party operated; Third-party hosted and operated; Free; Register; Credit Card; Click to contract]

Private: IT capabilities are provided as a service, over an intranet, within the enterprise and behind the firewall
Public: IT activities / functions are provided as a service, over the Internet
Hybrid: Internal and external service delivery methods are integrated

Have an architecture for your private cloud


Define the services you will deliver

Cloud Services
Business-Process-as-a-Service
Software-as-a-Service
Platform-as-a-Service
Infrastructure-as-a-Service

Virtualized Infrastructure: Server, Storage, Network, Facilities

Define the components of a common delivery platform

Common Cloud Management Platform

BSS (Business Support System)
Offering Mgmt; Order Mgmt; Customer Mgmt; Entitlements; Pricing & Rating; Subscriber Mgmt; Accounting & Billing; Service Delivery Portal; Contract Mgmt; Invoicing; SLA Reporting; Metering, Analytics & Reporting; Peering & Settlement; Service Offering Catalog

API

OSS (Operational Support System)
Service Delivery Catalog; Service Templates; Service Request Mgmt; Provisioning; Monitoring & Event Mgmt; Service Automation Management; Configuration Mgmt; Incident, Problem & Change Management; IT Asset & License Mgmt; Virtualization Mgmt; Image Lifecycle Mgmt; IT Service Level Mgmt; Capacity & Performance Mgmt

Have a roadmap for evolving your private cloud services


Yesterday: Individual Deployment
Stack: Application, Middleware, Operating System, Hardware
Challenges:
Low hardware utilization
Heavily customized infrastructure

Today: Shared Hardware & Virtualized Applications
Stack: App and MW per image, OS, Shared Hardware
Benefits:
Increased utilization of infrastructure
Location independent deployment
Challenges:
Building images
Image proliferation
Governance of changes
Creation of composite applications
Connectivity to legacy and off premises applications

Tomorrow: Integrated Middleware Platform & Image Management
Stack: Apps, Image Management, Integrated Middleware Platform, Shared Infrastructure
Benefits:
Standardized middleware
Increased utilization of software
Improved deployment speed
Simplified applications management

Thank You,

QUESTIONS?

A recorded version of this seminar will be available at www.eSeminarsLive.com