pci dss, sox, hipaa, glba, ncua, ffiec, nist, fisma b uilding a s ecure, c ompliant c loud for the e...
TRANSCRIPT
PCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMAPCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMA
PCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMAPCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMA
PCI DSS, SOX, HIPAA, GLBA, NCUA, FFIEC, NIST, FISMA
BUILDING A SECURE, COMPLIANT CLOUD FOR THE ENTERPRISE
January 19th, 2011
Adam C. Greenfield
Prioritizing Cloud Computing Key Trend - Prioritization for cloud computing is increasing dramatically.
Q: Has cloud computing been identified as a priority by your organization’s
executive leadership?
2009 2010
Yes 24% 44%
No 61% 43%
Cloud Hosting vs. Physical Servers
• Highly likely – 38%• Somewhat likely – 42%• Unlikely – 15%• Won’t consider it – 5%
Q: When considering a hardware refresh, how likely is it that you will evaluate cloud hosting as an alternative to purchasing physical servers.
4
Security and Compliance Are Pervasive Concerns
Security Hysteria
Some Threats Are NOT Cloud Specific
Building an Enterprise Cloud
A Connected Cloud Emerges
Cloud Management
HIPAA Example
Additional Cloud Use Cases
Security Advantages and Obstacles
Outsourcing Does Not Transfer Responsibility (Culpability)
Q&A
5
Cloud – Security Top ConcernTo your best knowledge, what are the top three obstacles Cloud Computing providers must overcome?
6
Cloud – Top 3 ConcernsTo your best knowledge, what are the top three obstacles Cloud Computing providers must overcome?
Top Cloud Security Concerns
Ranked #1 Characteristic
Ranked Top 3 Characteristics
All Respondents
• Preventing data loss or leakage 26%
• Keeping security up to date 18%
• Protecting against Denial of service 13%
• Preventing data loss or leakage 57%
• Preventing outages 45%• Keeping security up to date
43%
Large Companies
• Meeting regulatory requirements 21%
• Preventing data loss or leakage19%
• Keeping security up to date 18%
• Preventing data loss or leakage 55%
• Meeting regulatory requirements 45%
• Preventing outages 42%
8
Mid-Enterprise and Above – Security Top Concern
Large companies expect higher levels of Security and Control.
Due to their size, larger companies are more frequently the targets of malicious data attacks and have a greater need to protect their assets due to compliancy and regulatory requirements. Types of Cloud Computing solutions they will pursue include: R&D projects, quick promotions, online collaboration, partner integration, social networking , new business ventures (Forrester).
Security Control
250+ Employees 75%58% of all others
45%38% of all others
Geographic Redundancy
• (All respondents / >250 employee respondents)• 42%/48% Very Important• 41%/43% Important• 14%/10% Neutral• 3%/0% Not important
Q: How important is a provider’s ability to offer multi-site, high-availability and redundancy across multiple datacenters in your decision to host with them?
Our respondents gave a clear indication of the importance high-availability holds for them in choosing a hosting provider. 83% of all respondents and 91% of large company respondents indicated that this was either very important or important in their choice of a hosting company.
Not a single large company respondent indicated that this wasn’t important to them. Clearly if a hosting provider isn’t offering these capabilities they simply aren’t even in the game.
Hybrid Offerings Critical• As companies move to cloud based solutions, they are looking to
leverage and integrate with existing infrastructure.• 31% of all companies and 40% of large companies indicated that
integration with their existing infrastructure was a top three characteristic of their hosting provider
• Large and small companies alike ranked integration with their existing infrastructure as the number two obstacle to cloud computing behind security
• Hybrid computing certainly provides the easiest and most cost effective entry point into cloud computing until IT organizations become more comfortable with a pure multi-tenant solution.
When asked what type of cloud solution they would likely deploy, an overwhelming 78% of all and 86% of large companies indicated that they would prefer either a private, single tenant solution or a combined private single tenant/public multi-tenant cloud over a pure multi-tenant solution.
11
Media Hysteria and Technology Quality
Search Results• Dedicated Hosting Outage – 58,300• Managed Hosting Outage – 60,000• Web Hosting Outage –
201,000• Cloud Hosting Outage –
205,000
• Performance Issues Raise Security Concerns• Cloud Outages Can Be Avoided
– Causes Include Poor Cloud Architectures, Outdated Hardware, and Consumer-Grade Technologies
• Technology Quality Still Matters
12
Real Security Threats – Not Isolated to Cloud
Personnel Issues
Physical Security
Privileged and End User Access
Investigative Support
Backup and Recovery
13
BUILDING AN ENTERPRISE CLOUD
Federation• Private Cloud -> Public Cloud
• Burst on demand
• Physical -> Cloud• Resource Load Optimization• Short term workload
• Network Performance will drive Proximity Decisions
• Application Federation will become important in the near future
14
Building an Enterprise Cloud - Federation
Automation• Deployment
• Provisioning automation• Customers don’t want to be
responsible• Resource allocation and adjustment
• Work loads will drive automated resource adjustment
• On demand resources will become part of every transaction
• Visibility to application performance will be linked to automated resource allocation
15
Building an Enterprise Cloud - Automation
Instrumentation• Application performance
• Instead of device performance• Resource utilization
• What is being used by whom• Single “pane” of Glass
• One definitive source of information
• Better access to important information
16
Building an Enterprise Cloud - Instrumentation
17
Pure Cloud – Not Always a Solution
Hybrid Possibly Best RouteExamples Include:
• Regulatory ConcernsUse Dedicated, Colocated or Private Cloud for Client Data and Connect to Cloud Enterprise for Web/Database Needs.
• New ProjectUtilize low end Cloud Services for Test/Development. Launch in a Private/Public Cloud or Dedicated Servers.
• Seasonal SpikeUse Enterprise Cloud Services for Additional Compute Resources - Web, Database, Storage Capacity. Scale Up/Down Instantly.
• Disaster Recovery:Replicate Infrastructure to a Secondary Hosting.com Datacenter for Secure Availability of Mission-Critical Data/Apps
18
Cloud Management: A Compliance Dash Board• Add Security Appliances to Your Cloud Environment– Reports on Vulnerability Scans, Log Management, and
Intrusion Protection and Detection
ExampleAlertLogic
19
Hybrid Solution Example – Meet HIPAA Compliance
Customer ScenarioHIPAA – Electronic Medical Records
SolutionMulti-site Geographic Redundancy
ValueSecure and Accessible Records
20
Emerging Technologies
VMWare’s vShield Offering
21
VMWare vShield Edge
22
VMWare vShield Zones
23
VMWare vShield App
24
ADDITIONAL CLOUD USE CASES
Uses: Standby Machines Replace Hardware Syndication
• Create VM “images” of production machines
• Park Images in cloud• Automate synchronization with
parked images for system state change– As production infrastructure changes
the VM images are adjusted to reflect the change
• No longer need to be concerned with recovery location decision– With cloud oriented resources
workload can be moved with minimal disruption
25
Host to Cloud Data Vaulting
• Vault production data inside cloud to accelerate restoration
• Existing backup software can be used to transfer data– Minimal disruption of existing
processes– Offset traditional tape vaulting
fees– Accelerate recovery by being
closer to on-demand resources
26
Virtualized Desktop
• Two Types of workers– Deskbound
• Call centers, back office operations
– Mobile• Saleforce & leadership
• Virtualized desktops ensure there are no delays in recovery– System images are always
consistent with production• Allow for ultimate portability
– Recover anywhere
27
Fault Tolerance
• An alternative to traditional clusters
• No clustering software required
• Workload adjustments automatically occur when production demand increases
28
Cloud Burst
• Capacity and Performance issues often result in clinical disasters– People usually end up sizing
environment for extreme workloads
• Establish a normal operating level baseline with a private cloud– Optimize your investments & benefit
from virtualization
• Federate with a public cloud to allow for fail-over and capacity bursting at time of excessive load– “Peak shave” your workload and
move the an alternative cloud
29
30
SECURITY ADVANTAGES IN THE CLOUD
Shifting Public Data to an External Cloud Reduces the Exposure of Internal Sensitive Data
Cloud Homogeneity Makes Security Auditing/Testing Simpler
Clouds Enable Automated Security Mgmt
Redundancy/ DR Built Into Solution
31
SECURITY CONSIDERATIONS AND OBSTACLES
Trust in Chosen Vendor’s Security Model
Inability to Respond to Audit Findings
Obtaining Support for Investigations and Inquiries
Indirect Administrator Accountability
Proprietary Implementations Cannot be Examined