cloud computing: opportunities & challenges for industry neil mcclenney, principal consultant...

Cloud Computing: Opportunities & Challenges for Industry 5/14/2010 Copyright © VeriScientia, Inc. 2010

Upload: chloe-cain

Post on 29-Dec-2015


TRANSCRIPT

Page 1: Cloud Computing: Opportunities & Challenges for Industry Neil McClenney, Principal Consultant VeriScientia, Inc. 5/14/2010 Copyright © VeriScientia, Inc

Cloud Computing: Opportunities & Challenges for Industry


What is it?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models


Just One Type?

There are different types of clouds, essentially broken down into:

Public – What you generally think about when you think of cloud computing. Infrastructure and applications are owned by the organization selling the service

Private – Essentially mirrors the public cloud service but managed by the internal organization

Hybrid – As the name suggests a combination of the two above

NIST also defines a fourth type, Community, which is in effect one of the above, only used by multiple organizations in a shared service environment


Typical Service Models

Software as a Service (SaaS) – Provides end-user software applications delivered as a service instead of being purchased or licensed by the end user

Infrastructure as a Service (IaaS) – Provides the hardware and software for storage, OS, computing, or other infrastructure as a non-dedicated, on demand service

Platform as a Service (PaaS) – Provides an application platform or middleware as a service on which developers can build or deploy custom applications


Characteristics

Usually you will see Cloud Computing described by five characteristics (on-demand, omnipresent network access, rapidly scalable, location independent, metered service)

All of the above represent the characteristics of the cloud

The three key factors to consider are probably more important for this audience

Security

Cost

Flexibility


What are the Benefits


What can we gain?

Many advantages explain why organizations migrate to clouds

Security

Cost savings

Faster software deployment / technology implementation

Increased focus on core competencies


Security


Gains - Security

First and foremost – NOT ALL CLOUDS ARE BUILT ALIKE

Five primary advantages

Centralized data

Incident Response / Forensics

Logging

Secure Builds

Security Testing


Centralized Data

You know where your data is…it’s in the cloud!

If data is not replicated or cached on a local system in usable form, physical security concerns can be substantially reduced

Data is encrypted at rest and in transit

Automated data retention


Secure Builds and Testing

Simplification of Compliance Analysis

Cloud computing homogeneity makes auditing and testing easier

Automated security management is easier

In a SaaS model the vendor (who knows the application better than you do) should be in a position to provide better security around the application

Replication of instances means if you get the security right, that model gets replicated


Incident Response and Logging

Dedicated Security Team

Greater Investment in Security Infrastructure

On demand security controls

Better forensic capabilities due to better environment understanding

Real-Time Detection of System Tampering


Gains – Cost Savings

Meeting variable IT demands

Reducing in-house overhead

Creating operational efficiencies

Enable billing and chargeback by providing clear IT cost metrics…you know what your IT costs are.


Gains – Faster Deployment / Implementation

Less time taken in IT “learning” application needs

Deployment not dependent on your supply chain for purchasing equipment

Implementation of hardware is typically done by replication

Faster qualification / validation times


What are the Challenges


What are the challenges?

With the good also come challenges

Security

Requirements

Other Risks


Security


Double-edged Sword

Yes, security is one of the biggest benefits you get from the cloud; it is also one of the bigger risks

You may have organizational security requirements that do not fit the cloud model

Understanding the security risks as well as the benefits is critical


Swamp Computing?

Cisco’s CEO, John Chambers:

"You'll have no idea what's in the corporate data center….That is exciting to me as a network player. Boy, am I going to sell a lot of stuff to tie that together….“ However, it is a security nightmare and it can't be handled in traditional ways."

In the same article, the author attributes the famous “consider calling it swamp computing as compared to cloud computing” remark to Ronald Rivest from MIT


Security challenges

Security can be intangible; in your own organization you can see what switches have been turned on (or off) anytime you want, or at least anytime your security officer wants to

Traditional networking security policies do not meet the need

Security, cloud-based or otherwise, only works when it is designed and targeted for the environment; there is no generic approach to security


Requirements


What do you need?

We as an industry are notoriously guilty of poorly defining technical needs

Because you are relying so heavily on IT resources you don’t own, you need to clearly and accurately define what you need

This is a pay as you go model…cost savings will rapidly evaporate if you don’t do the upfront work of defining your requirements


What do you expect?

In addition to defining your needs from a system perspective you also have to define expectations

Well thought out SLAs are a must!

What type of availability / reliability do you need (if you don’t need >99% uptime then why pay for it)?

How is performance against the SLA monitored and reported…more importantly who in your organization is responsible

What are the penalties

What are your responsibilities in managing to the SLA


Other Risks


Risky Business?

Clouds are complex systems of systems

There are many risks that have to be considered beyond security in general and understanding your needs

The European Network and Information Security Agency (ENISA) has developed a listing of risks in using cloud computing


Top 10 from the ENISA list

Lock in

Loss of Governance

Isolation Failure

Compliance Risk

Cloud Service Termination

Insecure or Incomplete data deletion

Resource Exhaustion

Data Protection

Malicious Insider

Management Interface Compromise


Summary

Moving to the cloud can have big benefits for the organization

In order for those benefits to be realized, you have to do your homework

The risks are there but can be managed

While there is significant “hype” surrounding cloud computing, the reality is this is the direction you should be looking

GOOD LUCK!


Neil McClenney

VeriScientia, Inc

919.388.5883

[email protected]


References

Peter Mell and Tim Grance, NIST, Information Technology Laboratory, Computer Security Division, “NIST-cloud computing”

Robert McMillan, Computerworld, “Cloud computing a 'security nightmare,' says Cisco CEO”, April 2009

Tim Mather, Subra Kumaraswamy, Shahed Latif, Cloud Security and Privacy, O'Reilly, 2009.

Tom Nolle, 25 Mar 2009, Gaining cost savings from the cloud, http://searchcloudcomputing.techtarget.com/news/article/0,289142,sid201_gci1355045,00.html

Cloud computing Risk Assessment, ENISA, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
