Securing Data in the Cloud: Point of View

Transcription

1 Securing Data in the Cloud: Point of View Presentation by Infosys Limited

2 Agenda Data Security challenges & changing compliance requirements Approach to address Cloud Data Security requirements About Infosys Information and Cyber Risk management practice 2

3 Your Presenter today Saju brings in nearly 18 years of experience in IT consulting and advisory services. He currently heads Infrastructure and Cloud consulting for Infosys. Saju Sankaran Kutty Associate Vice President - Cloud Infrastructure & Security Infosys Limited He has been with Infosys for past 13 years and been instrumental in setting up the cloud business strategy for Infosys. Saju brings in experience in cloud and infrastructure strategy formulation, cloud technology advisory and cloud economics. Saju has executed several strategic engagements in technology, business transformation & optimization, Cloud and Infrastructure transformation, platform modernization, collaboration and end-user computing. He is an active member of partner advisory boards of product alliance partners and has been on steering committees with various clients. 3

4 The next-generation technology services company Infosys helps enterprises transform and thrive in a changing world by co-creating breakthrough solutions that combine strategic insights and execution excellence. We help them renew themselves while also creating new avenues to generate value. Corporate People Learning Purpose Clients Founded in Pune, India in ,000+ employees of 115 nationalities World s largest corporate university Transparency, ethics, and respect 4 out of top 5 US banks $8.7 billion in revenues 94% are consultants and engineers 1.3% of revenues invested in R&D $500 million innovation fund 7 out of top 10 global CPG 987+ clients 97% of staff are university educated More than 300 researchers 96.6% business is repeat business 8 out of top 10 global pharma Clients in 50+ countries 22% with masters degrees or doctorates Employees trained in Design Thinking 2% of avg. net profits over 3 fiscals to Infosys Foundation 4 out of top 5 global aerospace & defence 85 offices and 100 development centers 35% of employees are women 505 patents pending and 204 granted Award winning sustainable delivery centers 6 out of top 10 communications cos. 4

5 Infosys Huawei Partnership Infosys Huawei 5

6 The enterprise cloud ecosystem is evolving VM VM VM VM IaaS Siloed Consolidated Private Cloud VM VM Private Cloud PaaS IaaS PaaS SaaS A hybrid deployment, multi-cloud consumption model IaaS Enterprise Apps Hybrid Public Cloud Enterprise IT 6

7 Trends in Cloud adoption today 81 % of companies are either using or planning to use mission-critical apps on the cloud in the next 2 years 77 % of companies are using or planning to use IaaS, PaaS or SaaS for a wide range of business application in the next 2 years It takes 3 days for 55% of large enterprises to get new virtual infrastructure from their private or public Cloud 69% of companies are looking for the ability to detect, alert, and self-resolve issues in their cloud environment 77% of companies trust system integrators to be their cloud implementation providers 7 Infosys Study: Simplify and innovate the way you consume Cloud -

8 Key Data Security challenges for organization s leveraging the Cloud Available solutions in the market are still silo-based Security challenges exist when enterprises integrate private cloud with public cloud for cloud burst and other on need computing requirements. The challenges cut across 4 key pillars of security 8

9 Resulting in new and evolving requirements for data security in Cloud Cloud Security Alliance (CSA) Cloud control matrix is the comprehensive standard to ensure the data and privacy safety of the cloud environment NIST, the U.S. National Institute of Standards and Technology, last year published its Guidelines on Security and Privacy in Public Cloud Computing. ENISA has published Procure Secure: A Guide to Monitoring of security service levels in cloud contracts. HIPAA Omnibus expands the definition of business associate and define cloud service providers (CSPs) as business associates. Geo Specific regulations mandates organizations to ensure data ediscovery capabilities and controls in place while getting into Contract with cloud provider Geo Specific and Regulatory requirements mandates organization to ensure that legal hold discussion and agreement is the key part of cloud contract negotiations. 9

10 Business & IT Objectives which is driving key trends around Data Security oriented to Cloud Adoption Data Classification Is Key Privileged Access No Trust Model Persistent Data Encryption Cloud Adoption Unified approach for protecting Data in Cloud Customer Managed keys Data access governance Data Disposal gains importance 10

11 ..which results in below decisions to make before cloud adoption Legal hold How to ensure Data availability if the CSP is going out of Business ediscovery- How to ensure that Data in hosted environment is identifiable and discoverable. Data Protection/Confidentiality - How to ensure that data confidentiality is being maintained in Shared cloud environment Data Integrity & Usage Governance - How to ensure that data integrity is being maintained Compliance & Governance - How to ensure compliancecompliance with Legal and Regulatory Standards Including data retention, archive and purge. 11

12 Solutions can be realized leveraging "Integrated approach for Cloud data Security based on traditional building blocks Cloud Security Alliance Reference Model Software as a Service (SaaS) Presentation Presentation Modality Platform APIs Applications Secure SDLC White/Black box testing Penetration testing Application Security Identity & Access Mgmt. Single sign-on / federation Adaptive authentication Authorization (RBAC, context-based, fine-grained) Provisioning access Segregation of Duties Security is shared responsibility Data Metadata Content Platform as a Service (PaaS) Integration & Middleware Infrastructure as a Service (IaaS) Information Systems Infra Security Endpoint Security SIEM Perimeter Security Platform Security Cloud Vendor Organization/ Vendor APIs Core Connectivity & Delivery Abstraction Hardware Facilities Data loss Prevention Data Tokenization Data Masking Information Rights Management Data Encryption Data Security Governanc e, Risk & Compliance Cloud-based Integrated Security solution Risk and Enterprise Security framework Integrated enforcement & validation of security controls Compliance enforcement Internal & External Compliance Audits Enterprise IT security policies & Procedures 12

13 ..complimented by data centric technology controls to safeguard the data Key Tenet Technology Solution Leading product vendors Data protection/confidentiality Data Loss Prevention (DLP) Data Encryption: File/ Folders OS Application Database DLP: Websense, McAfee, Symantec Encryption: SafeNet, RSA Data management Integrity and usage governance Compliance with legal and regulatory standards Database Activity Monitoring File Integrity Management Data Rights Management Data Tokenization Data Masking Key Management Security Audits Data Protection Agreement DAM: IBM, Imperva FIM: McAfee, TrendMicro DRM: Microsoft Tokenization: SafeNet, RSA Masking: Informatica Key Management: Thales, SafeNet 13

14 Infosys approach & methodology for securing data and services in Cloud Initiate 14 Risk Analysis Identify cloud model Prioritize use cases, classify information Understand Risk & associated impact, liability, SLAs, RACI, etc. Secure virtual infrastructure Deploy network segregation, virtual firewalls, IDS, secure OS, application firewalls, AV, content security / malware Secure data & application Implement native data encryption, segregation, PKI Data Loss Prevention, in-line Data Tokenization / Encryption address in-transit / at rest / isolation security concerns Leverage claims-based application security model Adopt secure SDLC / testing Secure Integration Deploy web security solutions e.g. IBM DataPower, Intel SOAE Enable Secure Access Single sign-on using Federation, OpenID, Oauth Strong authentication & finegrained authorization Deploy adaptive / multi-factor authentication Integrated Monitoring Implement periodic attestation, continuous monitoring, integration with SIEM, etc. Adopt compliance & security Automated GRC Continuous monitoring and validation

15 Infosys Information and Cyber Risk (ICRM) Practice offers a Comprehensive set of Security Solutions and Services to ensure Secure Cloud Adoption CONSULTING INTEGRATION OPERATIONS Infra Security Perimeter and Network Security Endpoint Security Platform Security Security Vulnerability Assessment and Penetration Testing Data Security Data Loss Prevention Data Masking, Tokenization Encryption and PKI Information Rights Management Identity & Access Management Enterprise Security Identity & Access Mgmt. Directory Services Authorization, SSO, Federation, Social Coarse / Find grained authorization Identity lifecycle Management and Provisioning Governance Risk and Compliance (GRC) Security Framework, Policies and Procedures Compliance Audits Risk and Security Controls enforcement IT GRC tool configuration Security Operations Security tool administration Security monitoring and incident management On-premise Integrated Security solution Security Operations Cloud-based Integrated Security solution Application Security Secure SDLC White/black box testing Gray-box testing Penetration testing 15

16 Contact us Contact Saju Sankaran Kutty Associate Vice President Cloud Infrastructure & Security Infosys Limited 16

17 Copyright 2015 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.