
Page 1

PCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMA

BUILDING A SECURE, COMPLIANT CLOUD FOR THE ENTERPRISE

January 19th, 2011

Adam C. Greenfield

Page 2

Prioritizing Cloud Computing

Key Trend: Prioritization for cloud computing is increasing dramatically.

Q: Has cloud computing been identified as a priority by your organization’s executive leadership?

        2009    2010
Yes     24%     44%
No      61%     43%

Page 3

Cloud Hosting vs. Physical Servers

Q: When considering a hardware refresh, how likely is it that you will evaluate cloud hosting as an alternative to purchasing physical servers?

• Highly likely – 38%
• Somewhat likely – 42%
• Unlikely – 15%
• Won’t consider it – 5%

Page 4

Security and Compliance Are Pervasive Concerns

Security Hysteria

Some Threats Are NOT Cloud Specific

Building an Enterprise Cloud

A Connected Cloud Emerges

Cloud Management

HIPAA Example

Additional Cloud Use Cases

Security Advantages and Obstacles

Outsourcing Does Not Transfer Responsibility (Culpability)

Q&A

Page 5

Cloud – Security Top Concern

Q: To your best knowledge, what are the top three obstacles Cloud Computing providers must overcome?

Page 6

Cloud – Top 3 Concerns

Q: To your best knowledge, what are the top three obstacles Cloud Computing providers must overcome?

Page 7

Top Cloud Security Concerns

All Respondents

  Ranked #1 Characteristic
  • Preventing data loss or leakage 26%
  • Keeping security up to date 18%
  • Protecting against denial of service 13%

  Ranked Top 3 Characteristics
  • Preventing data loss or leakage 57%
  • Preventing outages 45%
  • Keeping security up to date 43%

Large Companies

  Ranked #1 Characteristic
  • Meeting regulatory requirements 21%
  • Preventing data loss or leakage 19%
  • Keeping security up to date 18%

  Ranked Top 3 Characteristics
  • Preventing data loss or leakage 55%
  • Meeting regulatory requirements 45%
  • Preventing outages 42%

Page 8

Mid-Enterprise and Above – Security Top Concern

Large companies expect higher levels of Security and Control.

Due to their size, larger companies are more frequently the targets of malicious data attacks and have a greater need to protect their assets due to compliance and regulatory requirements. Types of Cloud Computing solutions they will pursue include: R&D projects, quick promotions, online collaboration, partner integration, social networking, new business ventures (Forrester).

              250+ Employees    All others
Security      75%               58%
Control       45%               38%

Page 9

Geographic Redundancy

Q: How important is a provider’s ability to offer multi-site, high-availability and redundancy across multiple datacenters in your decision to host with them?

(All respondents / >250 employee respondents)
• 42% / 48% Very Important
• 41% / 43% Important
• 14% / 10% Neutral
• 3% / 0% Not important

Our respondents gave a clear indication of the importance high-availability holds for them in choosing a hosting provider. 83% of all respondents and 91% of large company respondents indicated that this was either very important or important in their choice of a hosting company.

Not a single large company respondent indicated that this wasn’t important to them. Clearly, if a hosting provider isn’t offering these capabilities they simply aren’t even in the game.

Page 10

Hybrid Offerings Critical

• As companies move to cloud based solutions, they are looking to leverage and integrate with existing infrastructure.
• 31% of all companies and 40% of large companies indicated that integration with their existing infrastructure was a top three characteristic of their hosting provider.
• Large and small companies alike ranked integration with their existing infrastructure as the number two obstacle to cloud computing, behind security.
• Hybrid computing certainly provides the easiest and most cost effective entry point into cloud computing until IT organizations become more comfortable with a pure multi-tenant solution.

When asked what type of cloud solution they would likely deploy, an overwhelming 78% of all and 86% of large companies indicated that they would prefer either a private, single tenant solution or a combined private single tenant/public multi-tenant cloud over a pure multi-tenant solution.

Page 11

Media Hysteria and Technology Quality

Search Results
• Dedicated Hosting Outage – 58,300
• Managed Hosting Outage – 60,000
• Web Hosting Outage – 201,000
• Cloud Hosting Outage – 205,000

• Performance Issues Raise Security Concerns
• Cloud Outages Can Be Avoided
  – Causes Include Poor Cloud Architectures, Outdated Hardware, and Consumer-Grade Technologies
• Technology Quality Still Matters

Page 12

Real Security Threats – Not Isolated to Cloud

Personnel Issues

Physical Security

Privileged and End User Access

Investigative Support

Backup and Recovery

Page 13

BUILDING AN ENTERPRISE CLOUD

Page 14

Building an Enterprise Cloud - Federation

• Private Cloud -> Public Cloud
  – Burst on demand
• Physical -> Cloud
  – Resource load optimization
  – Short term workload
• Network performance will drive proximity decisions
• Application federation will become important in the near future

Page 15

Building an Enterprise Cloud - Automation

• Deployment
  – Provisioning automation
  – Customers don’t want to be responsible
• Resource allocation and adjustment
  – Work loads will drive automated resource adjustment
  – On demand resources will become part of every transaction
  – Visibility to application performance will be linked to automated resource allocation

Page 16

Building an Enterprise Cloud - Instrumentation

• Application performance
  – Instead of device performance
• Resource utilization
  – What is being used by whom
• Single “pane” of glass
  – One definitive source of information
  – Better access to important information

Page 17

Pure Cloud – Not Always a Solution

Hybrid Possibly Best Route. Examples include:

• Regulatory Concerns: Use Dedicated, Colocated or Private Cloud for Client Data and Connect to Cloud Enterprise for Web/Database Needs.
• New Project: Utilize low end Cloud Services for Test/Development. Launch in a Private/Public Cloud or Dedicated Servers.
• Seasonal Spike: Use Enterprise Cloud Services for Additional Compute Resources - Web, Database, Storage Capacity. Scale Up/Down Instantly.
• Disaster Recovery: Replicate Infrastructure to a Secondary Hosting.com Datacenter for Secure Availability of Mission-Critical Data/Apps.

Page 18

Cloud Management: A Compliance Dashboard

• Add Security Appliances to Your Cloud Environment
  – Reports on Vulnerability Scans, Log Management, and Intrusion Protection and Detection

Example: AlertLogic
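The slide names three appliance feeds (vulnerability scans, log management, intrusion detection) but does not say how a dashboard turns them into a compliance view. The example below is added here and is not code from the presentation or from AlertLogic: it takes three constructed feeds, applies assumed policy thresholds (a 90-day maximum scan age, a 24-hour maximum log silence, untriaged high-severity IDS alerts) and rolls each feed up to a PASS/FAIL control status plus the list of hosts that need attention. The thresholds and record layouts are assumptions for illustration, not values quoted from PCI DSS, HIPAA or any other standard on the title slide.

```python
"""Compliance dashboard roll-up (added example; not from the presentation or AlertLogic).

Three constructed appliance feeds are reduced to one PASS/FAIL status each, with
the supporting findings and the affected hosts, which is what a compliance
dashboard has to show an auditor. Thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Fixed "current time" so the demo is reproducible (constructed value).
NOW = datetime(2011, 1, 19, 12, 0)

# Constructed appliance feeds; real products emit far richer records than this.
SCAN_RESULTS = [
    {"host": "web-01", "scanned": NOW - timedelta(days=12), "high_open": 0},
    {"host": "db-01",  "scanned": NOW - timedelta(days=95), "high_open": 0},
    {"host": "app-01", "scanned": NOW - timedelta(days=3),  "high_open": 2},
]
LOG_SOURCES = [
    {"host": "web-01", "last_event": NOW - timedelta(hours=1)},
    {"host": "db-01",  "last_event": NOW - timedelta(hours=30)},
    {"host": "app-01", "last_event": NOW - timedelta(minutes=5)},
]
IDS_ALERTS = [
    {"host": "web-01", "severity": "high", "acknowledged": True},
    {"host": "app-01", "severity": "low",  "acknowledged": False},
]

# Assumed policy thresholds (illustrative, not quoted from any standard).
MAX_SCAN_AGE_DAYS = 90                     # every host needs a scan newer than this
MAX_LOG_SILENCE_HOURS = 24                 # a source silent longer than this is a logging gap
TRIAGE_SEVERITIES = {"high", "critical"}   # alerts that must be acknowledged


@dataclass
class ControlStatus:
    area: str
    status: str                                       # "PASS" or "FAIL"
    findings: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)    # hosts behind the findings


def _status(area, findings, hosts):
    return ControlStatus(area, "FAIL" if findings else "PASS", findings, sorted(set(hosts)))


def check_vulnerability_scans(results, now=NOW):
    """Stale scans and unresolved high-severity findings both fail the control."""
    findings, hosts = [], []
    for r in results:
        age_days = (now - r["scanned"]).days
        if age_days > MAX_SCAN_AGE_DAYS:
            findings.append(f'{r["host"]}: last scan is {age_days} days old')
            hosts.append(r["host"])
        if r["high_open"] > 0:
            findings.append(f'{r["host"]}: {r["high_open"]} unresolved high-severity finding(s)')
            hosts.append(r["host"])
    return _status("Vulnerability scanning", findings, hosts)


def check_log_management(sources, now=NOW):
    """A source that stopped sending events is a gap in coverage, not a quiet host."""
    findings, hosts = [], []
    for s in sources:
        silent_hours = (now - s["last_event"]).total_seconds() / 3600
        if silent_hours > MAX_LOG_SILENCE_HOURS:
            findings.append(f'{s["host"]}: no log events for {silent_hours:.0f} hours')
            hosts.append(s["host"])
    return _status("Log management", findings, hosts)


def check_intrusion_detection(alerts):
    """Only untriaged alerts of the configured severities count as findings."""
    findings, hosts = [], []
    for a in alerts:
        if a["severity"] in TRIAGE_SEVERITIES and not a["acknowledged"]:
            findings.append(f'{a["host"]}: unacknowledged {a["severity"]} IDS alert')
            hosts.append(a["host"])
    return _status("Intrusion detection", findings, hosts)


def build_dashboard(scans=SCAN_RESULTS, logs=LOG_SOURCES, alerts=IDS_ALERTS, now=NOW):
    """Return per-area statuses, an overall status and the hosts that are out of compliance."""
    controls = [
        check_vulnerability_scans(scans, now),
        check_log_management(logs, now),
        check_intrusion_detection(alerts),
    ]
    by_area: Dict[str, ControlStatus] = {c.area: c for c in controls}
    out_of_compliance = sorted({h for c in controls for h in c.hosts})
    return {"controls": by_area, "overall": "FAIL" if out_of_compliance else "PASS", "hosts": out_of_compliance}


if __name__ == "__main__":
    dash = build_dashboard()
    print(f'Overall: {dash["overall"]}  (hosts needing work: {", ".join(dash["hosts"])})')
    for area, c in dash["controls"].items():
        print(f"{area}: {c.status}")
        for f in c.findings:
            print(f"  - {f}")
```

The point of tracking hosts per control, rather than a single pass/fail per feed, is that a host missing from the log feed (db-01 above) is invisible to log-based detection and should show up on the same dashboard line as the host with open scan findings.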

Page 19

Hybrid Solution Example – Meet HIPAA Compliance

Customer Scenario: HIPAA – Electronic Medical Records

Solution: Multi-site Geographic Redundancy

Value: Secure and Accessible Records

Page 20

Emerging Technologies

VMware’s vShield Offering

Page 21

VMware vShield Edge

Page 22

VMware vShield Zones

Page 23

VMware vShield App

Page 24

ADDITIONAL CLOUD USE CASES

Page 25

Uses: Standby Machines Replace Hardware Syndication

• Create VM “images” of production machines
• Park images in cloud
• Automate synchronization with parked images for system state change
  – As production infrastructure changes, the VM images are adjusted to reflect the change
• No longer need to be concerned with recovery location decision
  – With cloud oriented resources, workload can be moved with minimal disruption
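The slide says parked images must be resynchronized when production state changes, but not how a change is detected. The example below is added here and is not code from the presentation: it captures a manifest (file path to SHA-256 of content) from the production host and from the parked image, and reports what must be added, removed or replaced to bring the image back in line. The file sets are constructed; the security-relevant case in them is a hardened sshd_config on production that the parked image still lacks, so a recovery from the stale image would come back with the weaker setting. Real deployments would build the manifest from a filesystem walk of the image and the host; that walk is not shown.

```python
"""Parked-image drift check (added example; not from the presentation).

A manifest of path -> SHA-256(content) is taken from the production machine and
compared with the manifest recorded when the VM image was parked in the cloud.
Any difference is a system state change that should trigger a resync of the
image. File sets and contents below are constructed for the demo.
"""
import hashlib
from typing import Dict, List


def file_digest(content: bytes) -> str:
    """Content hash rather than mtime, so touched-but-unchanged files do not trigger a sync."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """path -> content digest for every file on the host or in the image."""
    return {path: file_digest(content) for path, content in files.items()}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One hash over the sorted manifest; cheap to store alongside the parked image."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode("utf-8") + b"\0" + manifest[path].encode("ascii") + b"\n")
    return h.hexdigest()


def diff_manifests(parked: Dict[str, str], production: Dict[str, str]) -> Dict[str, List[str]]:
    """Files to add, remove or replace so the parked image matches production."""
    added = sorted(p for p in production if p not in parked)
    removed = sorted(p for p in parked if p not in production)
    changed = sorted(p for p in production if p in parked and production[p] != parked[p])
    return {"added": added, "removed": removed, "changed": changed}


def needs_resync(parked: Dict[str, str], production: Dict[str, str]) -> bool:
    """Fast path: compare the two manifest digests before computing a full diff."""
    return manifest_digest(parked) != manifest_digest(production)


# Constructed file sets (tiny stand-ins for a real filesystem walk).
PARKED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/etc/motd": b"Welcome\n",
    "/opt/app/app.conf": b"db_host=db-01\n",
}
PRODUCTION_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",  # hardened since parking
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",          # added since parking
    "/opt/app/app.conf": b"db_host=db-01\n",                                      # unchanged
}


def sync_plan(parked_files=PARKED_FILES, production_files=PRODUCTION_FILES) -> Dict[str, object]:
    """Decide whether the parked image needs a resync and, if so, exactly what to change."""
    parked = build_manifest(parked_files)
    production = build_manifest(production_files)
    if not needs_resync(parked, production):
        return {"resync": False, "added": [], "removed": [], "changed": []}
    return {"resync": True, **diff_manifests(parked, production)}


if __name__ == "__main__":
    plan = sync_plan()
    print("resync needed:", plan["resync"])
    for kind in ("added", "removed", "changed"):
        for path in plan[kind]:
            print(f"  {kind:8s} {path}")
```

Storing only the manifest digest with the parked image keeps the periodic check to one hash comparison; the full diff is computed only when that digest differs.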

Page 26

Host to Cloud Data Vaulting

• Vault production data inside cloud to accelerate restoration
• Existing backup software can be used to transfer data
  – Minimal disruption of existing processes
  – Offset traditional tape vaulting fees
  – Accelerate recovery by being closer to on-demand resources

Page 27

Virtualized Desktop

• Two types of workers
  – Deskbound
    • Call centers, back office operations
  – Mobile
    • Sales force & leadership
• Virtualized desktops ensure there are no delays in recovery
  – System images are always consistent with production
• Allow for ultimate portability
  – Recover anywhere

Page 28

Fault Tolerance

• An alternative to traditional clusters
• No clustering software required
• Workload adjustments automatically occur when production demand increases

Page 29

Cloud Burst

• Capacity and performance issues often result in clinical disasters
  – People usually end up sizing the environment for extreme workloads
• Establish a normal operating level baseline with a private cloud
  – Optimize your investments & benefit from virtualization
• Federate with a public cloud to allow for fail-over and capacity bursting at time of excessive load
  – “Peak shave” your workload and move it to an alternative cloud
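The Cloud Burst slide, and the Fault Tolerance slide before it ("workload adjustments automatically occur when production demand increases"), describe a sizing decision without numbers. The example below is added here and is not code from the presentation: it sizes the private cloud to a baseline taken from a window of normal load, then, for a spike series, computes per interval how much load stays private and how much is peak-shaved to a federated public cloud, and compares that baseline with what a private-only environment sized for the extreme workload would need. The load samples are constructed, in arbitrary requests-per-second units; the 95th percentile and 20% headroom are assumed policy values.

```python
"""Cloud-burst planner (added example; not from the presentation).

Sizes the private cloud to a normal-operating baseline and peak-shaves anything
above it to a federated public cloud. Load series are constructed; percentile
and headroom are assumed policy values.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed: a representative window of normal production load.
NORMAL_LOAD = [40, 42, 38, 45, 50, 47, 43, 41, 39, 44,
               46, 48, 52, 49, 45, 43, 40, 42, 44, 47]
# Constructed: a seasonal spike that exceeds anything in the normal window.
PEAK_LOAD = [45, 58, 72, 95, 120, 80, 55, 40]


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100): the result is always an observed sample."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return float(ordered[rank - 1])


def private_capacity(samples: Sequence[float], p: float = 95, headroom: float = 0.20) -> float:
    """Baseline for the private cloud: the p-th percentile of normal load plus headroom."""
    return round(percentile(samples, p) * (1 + headroom), 2)


def plan_burst(load_series: Sequence[float], capacity: float) -> List[Tuple[float, float]]:
    """Per interval: (load served privately, load shaved to the public cloud)."""
    plan = []
    for load in load_series:
        private = float(min(load, capacity))
        burst = float(max(0.0, load - capacity))
        plan.append((private, burst))
    return plan


def burst_summary(plan: Sequence[Tuple[float, float]]) -> Dict[str, float]:
    """Totals a capacity planner would look at: how much, how often, and the largest single burst."""
    bursts = [b for _, b in plan if b > 0]
    return {
        "total_burst": float(sum(bursts)),
        "intervals_bursting": len(bursts),
        "peak_burst": max(bursts) if bursts else 0.0,
    }


def overprovision_ratio(load_series: Sequence[float], capacity: float) -> float:
    """How many times the baseline a private-only environment sized for the extreme workload would need."""
    return round(max(load_series) / capacity, 2)


if __name__ == "__main__":
    cap = private_capacity(NORMAL_LOAD)
    plan = plan_burst(PEAK_LOAD, cap)
    print(f"private capacity (baseline + headroom): {cap}")
    for load, (private, burst) in zip(PEAK_LOAD, plan):
        print(f"load {load:>4}: private {private:>6.1f}  burst {burst:>6.1f}")
    print(burst_summary(plan))
    print(f"sizing for the peak instead would need {overprovision_ratio(PEAK_LOAD, cap)}x the baseline")
```

With the constructed series the baseline comes out at 60 units, the spike bursts in four of eight intervals, and a private-only environment would have to be twice the baseline to absorb the same peak; the burst plan is also the trigger list an automated federation would act on.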

Page 30

SECURITY ADVANTAGES IN THE CLOUD

Shifting Public Data to an External Cloud Reduces the Exposure of Internal Sensitive Data

Cloud Homogeneity Makes Security Auditing/Testing Simpler

Clouds Enable Automated Security Mgmt

Redundancy/ DR Built Into Solution

Page 31

SECURITY CONSIDERATIONS AND OBSTACLES

Trust in Chosen Vendor’s Security Model

Inability to Respond to Audit Findings

Obtaining Support for Investigations and Inquiries

Indirect Administrator Accountability

Proprietary Implementations Cannot be Examined