Building a Secure and Compliant Cloud Infrastructure

Ben Goodman, Principal Strategist, Identity, Compliance and Security, Novell, Inc.
Why Are We Here?

Expanded Enterprise
- Data access anywhere, anytime
- Traditional IT perimeters have disappeared
- New technologies = new complexities = new opportunities

Cloud Computing
- A new frontier
- New insecurities
- Stringent regulatory compliance

8-Step Journey to a Secure and Compliant Cloud
- Determine technology requirements
- Determine security requirements
- Determine policy requirements
Cloud Insecurity

- Uptime
- Seamlessly scalable
- Shared resources
- Logical separation
- Location agnostic
- Co-located rivals

The cloud is a magnet for hackers!
The Cloud Paradigm

You see:
- Hosted applications

You don't see:
- Virtualization
- Elastic workload
- Chargeback / billing
- Audit and log monitoring
- Continuous compliance
- Data(base) tenancy
- High availability
Security Tops Cloud Concerns

Q: Rate the challenges/issues of the cloud/on-demand model (Scale: 1 = Not at all concerned; 5 = Very concerned)

Challenge/issue                                   % responding 3, 4, or 5
Security                                          87.5%
Availability                                      83.3%
Performance                                       82.9%
On-demand payment model may cost more             81.0%
Lack of interoperability standards                80.2%
Bringing back in-house may be difficult           79.8%
Hard to integrate with in-house IT                76.8%
Not enough ability to customize                   76.0%

Source: IDC eXchange, "New IDC IT Cloud Services Survey: Top Benefits and Challenges" (http://blogs.idc.com/ie/?p=730), December 2009
What is the Biggest Barrier to Adoption of Cloud Services?

(Chart: 497 responses; the response breakdown is not reproduced here.)

Source: TechTarget, Cloud Computing Readership Survey, 2009
Cloud Architectures and Models

Essential characteristics
- Broad network access
- Rapid elasticity
- Measured service
- On-demand self-service
- Resource pooling

Architectures (service models)
- Software-as-a-Service (SaaS)
- Platform-as-a-Service (PaaS)
- Infrastructure-as-a-Service (IaaS)

Deployment models
- Public
- Private
- Hybrid
- Community
Bridging Security Requirements to the Cloud

Traditional IT
- Dedicated compute, storage and network infrastructure
- Defined locations for data storage and backup
- Proprietary security controls and policies
- Compliance standards designed for traditional IT

Cloud Computing
- Complex, shared deployment models
- Varying data location
- Security controls and policies defined by the service provider
- Interpretation of compliance standards
An Eight-Step Journey to a Secure Cloud

Step 1: Determine your application's suitability for the cloud

Candidate applications to assess:
- Payment processing
- Corporate systems
- ERP
- CRM
- Company web site
- Test and development
- E-commerce
An Eight-Step Journey to a Secure Cloud

Step 2: Classify your data

Example data classes:
- Financial
- Newsfeeds/blogs
- Marketing
- Customer records
- Government
- Healthcare/PHI
- EU citizens
An Eight-Step Journey to a Secure Cloud

Step 3: Classify your cloud type (think about applications)
- Software-as-a-Service (SaaS)
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
An Eight-Step Journey to a Secure Cloud

Step 4: Select a delivery model (think about data classification)

Private:
- Self-managed
- Outsourced

Public:
- Commodity
- Enterprise

Hybrid:
- Private + Public
- Private + Exchange
- Private + Customer
- Cloud bursting

(Diagram: Public, Hybrid and Private delivery models.)
An Eight-Step Journey to a Secure Cloud

Step 5: Specify platform architecture
- Compute
- Storage and backup
- Network and routing
- Virtualization vs. dedicated

(Diagram: layered stack, bottom to top: data center Ethernet fabric; compute, network and storage hardware; cloud OS (e.g. IaaS) with system device drivers and an API/system call layer; cloud automation; customer applications running in a VPDC, with security applied across the layers.)
Security at the Different Layers

The service models (Infrastructure as a Service, Platform as a Service, Software as a Service) span the following layers, each with a different stakeholder:

Applications layer (end users)
- Presentation modality
- Presentation platform
- APIs
- Applications

Management layer (business owners)
- Data
- Metadata
- Content
- Integration and middleware
- APIs

Infrastructure layer (IT administrators)
- Core connectivity and delivery
- Abstraction
- Hardware
- Facilities

Source: Cloud Security Alliance specification, 2009
An Eight-Step Journey to a Secure Cloud

Step 6: Specify security controls
- Firewall
- Intrusion detection/prevention
- Log management
- Application protection
- Database protection
- Identity and access management
- Vulnerability scanning
An Eight-Step Journey to a Secure Cloud

Step 7: Determine policy requirements

Policy creation and enforcement
- What are my service provider's policies?
- Can I specify my own?
- How do they handle critical events?

Policy bursting
- If I choose a cloud-bursting model, will my policies burst along with my VMs?

Policy migration
- If I contract for cloud-based DR, will my policies migrate with my VMs?
Compliance is a Journey: It's Reporting, But It's Also About Managing Risk

Manual processes
- Spreadsheet-driven compliance
- Manually collected audit logs

(Drive to compliance assurance)

Compliance assurance
- Robust methods for compliance reporting
- Automated certification and log collection

(Achieve continuous compliance)

Continuous compliance
- Full visibility into IT risks
- No infrastructure holes or silos
- Identity and security integration
- Compatibility with IT GRC management for a big-picture view
An Eight-Step Journey to a Secure Cloud

Step 8: Determine service provider requirements
- Delivery-model integration
- Automation
- Scalability
- Monitoring
- SLAs
- Services
- Security controls
- Stability
- Terms
- Compliance
Journey to the Cloud: Key Considerations

1. Understand your application's applicability to the cloud
2. Classify data
3. Determine type of cloud
4. Select delivery model
5. Specify platform architecture
6. Specify security controls
7. Determine policy requirements
8. Determine service provider requirements
Mapping the Model to the Metal

Across the service models (Infrastructure as a Service, Platform as a Service, Software as a Service), the cloud model layers map to security control domains and to the compliance regimes that govern them:

Cloud model (top to bottom)
- Presentation modality
- Presentation platform
- APIs
- Applications
- Data
- Metadata
- Content
- Integration and middleware
- APIs
- Core connectivity and delivery
- Abstraction
- Hardware
- Facilities

Security control model
- Application
- Information
- Management
- Network
- Trust
- Storage
- Physical

Compliance model
- PCI
- SOX
- GLBA
- HIPAA

Source: Cloud Security Alliance specification, 2009
Unpublished work of Novell, Inc. All rights reserved. 2010 Savvis, Inc. All rights reserved.