cloud security v2

Cloud Computing and Cloud Security

Shahar Geiger Maor, CISSP
Senior Analyst at STKI
[email protected] www.shaharmaor.blogspot.com

Shahar Maor’s work Copyright 2010 @STKI Do not remove source or attribution from any graphic or portion of graphic

Upload: shahar-geiger-maor

Post on 20-Aug-2015



Page 2: Cloud security v2


What have we had in mind?

Page 3: Cloud security v2


What actually happened? Complexity!

Page 4: Cloud security v2


10th grade mathematics – reliability chain

99.99% × 99.99% × 99.99% ≈ 99.97%

Aggregated systems = drop in total up-time.

99.99% = 52.6 downtime minutes a year

10 systems = 8.7 downtime hours a year!

Page 5: Cloud security v2


The Converged Datacenter

[Diagram labels: ERP, CRM, DataWarehouse; Database; Mail and Messaging; File, Print, Infrastructure; Resource Pool; Cisco UCS; HP BladeSystem Matrix; IBM CloudBurst]

Page 6: Cloud security v2


Future Datacenter Infrastructure

http://www.sincerelysustainable.com/buildings/google-utilizes-cool-climate-to-cool-its-belgian-data-center

Page 7: Cloud security v2


Giants Face-Off


Page 8: Cloud security v2


Application Delivery: What is the Pressure?

• Globalization: Pushing business process to the network’s edge
• Centralization / Consolidation: Compliance, control, Cost cutting, Security, Efficiencies / resource utilization
• Enterprise & WebMonster Application: Architectures, Increased adoption of browser-based apps, Rich clients (AJAX), Web 2.0 technologies, SOA
• Service Provider Services Architectures: Next Generation Networks, Video, Messaging

Page 9: Cloud security v2


Network Operations and Monitoring: What is the Pressure?

Complexity!

Page 10: Cloud security v2


Solutions???

CLOUD COMPUTING

Page 11: Cloud security v2


Cloud delivery models

Public Cloud

IT activities/functions are provided “as a service,” over the Internet

• Key features:
– Scalability
– Automatic/rapid provisioning
– Standardized offerings
– Consumption-based pricing
– Multi-tenancy

Private Cloud

IT activities/functions are provided “as a service,” over an intranet, within the enterprise and behind the firewall

• Key features include:
– Scalability
– Automatic/rapid provisioning
– Chargeback ability
– Widespread virtualization

Hybrid Cloud

Internal and external service delivery methods are integrated, with activities/functions allocated based on security requirements, criticality, architecture and other established policies.

[Diagram labels: Enterprise; Traditional Enterprise IT; Private Cloud; Public Clouds; Hybrid Cloud]

Source: IBM Market Insights, Cloud Computing Research, July 2009.

Page 12: Cloud security v2


The public cloud layers

Source: GS http://blogs.zdnet.com/BTL/?p=28476

Page 13: Cloud security v2


Enterprise Benefits from Cloud Computing

Cloud accelerates business value across a wide variety of domains.

Capability | From (Legacy environments) | To (Cloud enabled enterprise)
Server/Storage Utilization | 10-20% | 70-90%
Self service | None | Unlimited
Test Provisioning | Weeks | Minutes
Change Management | Months | Days/Hours
Release Management | Weeks | Minutes
Metering/Billing | Fixed cost model | Granular
Standardization | Complex | Self-Service
Payback period for new services | Years | Months

Source: IBM

Page 14: Cloud security v2


Requirements for Cloud Services

• Multitenant. A cloud service must support multiple, organizationally distant customers.
• Elasticity. Tenants should be able to negotiate and receive resources/QoS on-demand.
• Resource Sharing. Ideally, spare cloud resources should be transparently applied when a tenant’s negotiated QoS is insufficient, e.g., due to spikes.
• Horizontal scaling. It should be possible to add cloud capacity in small increments; this should be transparent to the tenants of the service.
• Metering. A cloud service must support accounting that reasonably ascribes operational and capital expenditures to each of the tenants of the service.
• Security. A cloud service should be secure in that tenants are not made vulnerable because of loopholes in the cloud.
• Availability. A cloud service should be highly available.
• Operability. A cloud service should be easy to operate, with few operators. Operating costs should scale linearly or better with the capacity of the service.

Page 15: Cloud security v2


Security + Cloud Computing

• Cloud Security
• Security in the Cloud

Page 16: Cloud security v2


Cloud Security

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/

Page 17: Cloud security v2


How Does Cloud Computing Affect the “Security Triad”?

• Confidentiality
• Integrity
• Availability

Page 18: Cloud security v2


Cloud Risk Assessment

[Chart axes: Probability, Impact]

• LOSS OF GOVERNANCE
• COMPLIANCE CHALLENGES
• RISK FROM CHANGES OF JURISDICTION
• ISOLATION FAILURE
• CLOUD PROVIDER MALICIOUS INSIDER - ABUSE OF HIGH PRIVILEGE ROLES
• MANAGEMENT INTERFACE COMPROMISE (MANIPULATION, AVAILABILITY OF INFRASTRUCTURE)
• INSECURE OR INEFFECTIVE DELETION OF DATA
• NETWORK MANAGEMENT

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/

Page 19: Cloud security v2


Cloud Regulations & Recommendations

No regulations so far….

Some sources of information and recommendations:
• Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1
• ENISA Cloud Computing Risk Assessment
• OECD - Cloud Computing and Public Policy
• World Privacy Forum Privacy In The Clouds Report
• NIST - Effectively and Securely Using the Cloud
• "Cloud Computing Security: Raining On The Trendy New Parade," BlackHat
• AWS Security Whitepaper

Page 20: Cloud security v2


Security in the Cloud: Email Security - Israeli Market Positioning 1Q10

[Chart: axes Local Support and Market Presence; legend: Player, Worldwide Leader, Fast Movement; group label: Hosted/Cloud Solutions]

Vendors shown: Websense, Microsoft, McAfee, Symantec, Cisco, PineApp, Google (Postini), Symantec (MessageLabs), Cisco (Ironport), McAfee (MX Logic), Microsoft (Forefront), Mirapoint, SafeNet, Trend Micro

This analysis should be used with its supporting documents

Page 21: Cloud security v2


Secure Web-Gateway - Israeli Market Positioning 1Q10

[Chart: axes Local Support and Market Presence; legend: Player, Worldwide Leader, Fast Movement; group label: Solutions to Watch]

Vendors shown: BlueCoat, Cisco, Websense, Fortinet, SafeNet, Microsoft (TMG), McAfee, Symantec, Zscaler, Trend Micro

This analysis should be used with its supporting documents

Page 22: Cloud security v2


Secure Web-Gateway (SAAS) -Zscaler

http://www.zscaler.com/how-it-works.html#

Page 23: Cloud security v2


In Short

The cloud is here to stay

Security is a major showstopper

…We put our money in the cloud

No rush!

Page 24: Cloud security v2


Mail: [email protected] Blog: www.shaharmaor.blogspot.com

Thank You