Cloud Computing: What are you afraid of? (Copyright 2011 The Word & Brown Companies)
Agenda
  Review the basics
  So what is it with Cloud Computing? The headlines point both ways:
    At the "Peak of Inflated Expectations" (Gartner's Hype Cycle for Emerging Technologies)
    #1 Strategic Technology for 2010 (Technologies You Can't Afford to Ignore, Gartner)
    EMC shuts down online cloud storage service
    Iron Mountain Becomes Third Provider to Exit Public Cloud Storage Market
    Gartner predicts less than one-third of cloud investments will reach ROI by 2011
    60% of IT decision-makers see cloud computing as helpful to the business
    By 2015 Cloud Computing will make up 17% of all IT expenditure worldwide
    U.S. Government Adopts "Cloud-first" Policy
    Fortune 1000 firms shun public cloud
    Feds Shy Away From Public Cloud, Call For Security
At its most promising, cloud computing is about evolving IT to enable greater responsiveness to business needs while at the same time driving greater efficiencies. Successful cloud computing requires re-thinking IT in a way that is fundamentally different from how IT has been approached over the last 30 years. There are reasons to be cautious: you cannot simply move existing applications onto a cloud infrastructure without understanding the significant differences between the two environments.
Maturity of Key Elements has made Cloud Computing viable
  Virtualization
  Service Oriented Architecture (SOA)
  Broadband networks
  Browser as a platform
  Open source software
  Horizontal scaling / "fail in place" computing
Reasons to Embrace Cloud Computing
  Costs: low start-up costs, low cost for sporadic use, moves Capex to Opex
  Consolidation
  Scalability, rapid provisioning/deprovisioning
  Simplification
  Reliability
  Ease of management
  Ubiquity of access; device and location independence
  Disaster recovery
  Improved agility/innovation
  Security & compliance
Optimizing Cost of Capacity (chart; SOURCE: The Open Group, May 2011)
Reasons to be Wary of Cloud Computing
  Costs, especially the predictability of costs
  Access
  Performance & reliability
  Management
  Vendor lock-in
  Ownership
  Security & compliance
74% of respondents to a recent survey of senior management, IT operations and security professionals do not believe the cost savings of cloud computing outweigh the security considerations for their organization (SOURCE: nCircle Information Security & Compliance Trend Study, 2010).
Reasons to be Wary of Cloud Computing (chart): responses to the question "What is your biggest concern with Cloud Computing?" (SOURCE: The Open Group, May 2011)
Deployment Models
  Private Cloud: accessed by a single enterprise or entity, on or off premise; operated solely for that entity; not a commercial offering
  Public Cloud: open to use by multiple organizations; location of data and resources "unknown"
  Hybrid Cloud: "bursting" from private to public, or split by tier
  Community Cloud: supports several organizations in a specific community with like interests, e.g. security, policy, compliance
Five Key Characteristics
  On-demand self-service: individuals can set themselves up with little or no help
  Ubiquitous network access: available through standard Internet-enabled devices
  Location-independent resource pooling: processing and storage demands are balanced across a common infrastructure, with no particular resource assigned to any individual user
  Rapid elasticity: consumers can increase or decrease capacity at will
  Pay per use: consumers are charged based on their usage of a combination of computing power, bandwidth and/or storage
Delivery Models
  Infrastructure as a Service (target: developers, sys admins): server, storage, network, OS, virtualization, file system
  Platform as a Service (target: developers): development tools, database, middleware, infrastructure software
  Software as a Service (target: end users): collaborative applications; ERM, CRM and supply chain apps; ops and manufacturing apps; engineering applications
Delivery Models: which layers are managed for you (the slide's own check marks are not in the text; the allocation below is the conventional one)

  Layer              IaaS       PaaS       SaaS
  Applications       you        you        managed
  Runtimes           you        managed    managed
  Database           you        managed    managed
  Operating System   you        managed    managed
  Virtualization     managed    managed    managed
  Server             managed    managed    managed
  Storage            managed    managed    managed
  Networking         managed    managed    managed
Cloud Concepts & Terminology
Concerns about Security (diagram with the elements: Customer, Admin, Users, Tenant, Tenant, External Web Site)
Threats (SOURCE: Securing Microsoft's Cloud Infrastructure)
1. Brute force attacks.
2. Buffer overflows.
3. Canonicalization attacks.
4. Cookie manipulation.
5. Cookie replay attacks.
6. Credential theft.
7. Cross-Site Request Forgery (CSRF).
8. Cross-site scripting (XSS).
9. Connection pooling.
10. Data tampering.
11. Denial of service.
12. Dictionary attack.
13. Disclosure of sensitive/confidential data.
14. Elevation of privilege.
15. Encryption.
16. Information disclosure.
17. Luring attacks.
18. Man-in-the-middle attacks.
19. Network eavesdropping.
20. Open redirects.
21. Password cracking.
22. Repudiation.
23. Session hijacking.
24. Session replay.
25. Session fixation.
26. Spoofing.
27. SQL injection.
28. Throttling.
Note that connection pooling, encryption and throttling (9, 15, 28) are design topics rather than attacks; they appear to have been carried over from the source's index of security topics.
Countermeasures (SOURCE: Securing Microsoft's Cloud Infrastructure)
1. Assume all input is malicious.
2. Audit and log activity through all of the application tiers.
3. Avoid storing secrets.
4. Avoid storing sensitive data in the Web space.
5. Back up and regularly analyze log files.
6. Be able to disable accounts.
7. Be careful with canonicalization issues.
8. Catch exceptions.
9. Centralize your input and data validation.
10. Consider a centralized exception management framework.
11. Consider authorization granularity.
12. Consider identity flow.
13. Constrain input.
14. Constrain, reject, and sanitize your input.
15. Cycle your keys periodically.
16. Disable anonymous access and authenticate every principal.
17. Do not develop your own cryptography.
18. Do not leak information to the client.
19. Do not log private data such as passwords.
20. Do not pass sensitive data using HTTP GET.
21. Do not rely on client-side validation.
22. Do not send passwords over the wire in plaintext.
23. Do not store credentials in plaintext.
24. Do not store database connection strings, passwords, or keys in plaintext.
25. Do not store passwords in user stores.
26. Do not store secrets in code.
27. Do not store sensitive data in persistent cookies.
28. Do not trust fields that the client can manipulate.
29. Do not trust HTTP header information.
30. Encrypt communication channels to protect authentication tokens.
31. Encrypt sensitive cookie state.
32. Encrypt the contents of the authentication cookies.
33. Encrypt the data or secure the communication channel.
34. Enforce separation of privileges.
35. Enforce unique transactions.
36. Identify malicious behavior.
Countermeasures, continued
37. Keep unencrypted data close to the algorithm.
38. Know what good traffic looks like.
39. Limit session lifetime.
40. Log detailed error messages.
41. Log key events.
42. Maintain separate administration privileges.
43. Make sure that users do not bypass your checks.
44. Pass Forms authentication cookies only over HTTPS connections.
45. Protect authentication cookies.
46. Provide strong access controls on sensitive data stores.
47. Reject known bad input.
48. Require strong passwords.
49. Restrict user access to system-level resources.
50. Retrieve sensitive data on demand.
51. Sanitize input.
52. Secure access to log files.
53. Secure the communication channel for remote administration.
54. Secure your configuration store.
55. Secure your encryption keys.
56. Separate public and restricted areas.
57. Store keys in a restricted location.
58. Support password expiration periods.
59. Use account lockout policies for end-user accounts.
60. Use application instrumentation to expose behavior that can be monitored.
61. Use authentication mechanisms that do not require clear-text credentials to be passed over the network.
62. Use least-privileged accounts.
63. Use least-privileged process and service accounts.
64. Use multiple gatekeepers.
65. Use SSL (today, TLS) to protect session authentication cookies.
66. Use strong authentication and authorization on administration interfaces.
67. Use structured exception handling.
68. Use the correct algorithm and correct key length.
69. Use tried and tested platform features.
70. Validate all values sent from the client.
71. Validate data for type, length, format, and range.
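Four of the countermeasures above, as an added Python example (this is not code from the deck or from Microsoft's guidance): parameterized queries against SQL injection (threat 27), salted slow password hashing with a constant-time comparison (countermeasures 17, 23, 25), session-id rotation at login against session fixation (threat 25) with a bounded session lifetime (countermeasure 39), and Secure/HttpOnly/SameSite attributes on the authentication cookie (countermeasures 44, 45, 65). The in-memory SQLite table, the user records and the explicit `now` clock parameter are constructed for the demo.

```python
"""Added example (not from the deck or from Microsoft): four of the listed
countermeasures in working Python.  Standard library only; the in-memory
SQLite table and the user records are constructed for the demo."""
import hashlib
import hmac
import os
import secrets
import sqlite3

# Constructed sample data: two users in an in-memory database.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute("CREATE TABLE users (name TEXT, email TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "alice@example.test"), ("bob", "bob@example.test")])


# Threat 27, SQL injection: splicing the caller's string into SQL versus binding it.
def lookup_email_vulnerable(name: str) -> list:
    # Deliberately unsafe: name = "x' OR '1'='1" turns the WHERE clause into a tautology.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in _db.execute(query)]


def lookup_email_hardened(name: str) -> list:
    # The driver binds the value as data; it is never parsed as SQL text.
    return [row[0] for row in
            _db.execute("SELECT email FROM users WHERE name = ?", (name,))]


# Countermeasures 23/25: store a salted, slow hash instead of the password.
PBKDF2_ITERATIONS = 200_000   # tuning parameter; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak the matching prefix length through timing
    # (countermeasure 17: use the platform's primitives, not home-grown crypto).
    return hmac.compare_digest(digest.hex(), digest_hex)


# Threat 25 (session fixation) and countermeasure 39 (limit session lifetime).
class SessionStore:
    """Server-side sessions keyed by an unguessable id.  Expiry is absolute from
    creation; `now` is passed in explicitly so it can be exercised deterministically."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self._sessions = {}   # sid -> {"user": str or None, "expires": float}

    def create(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "expires": now + self.lifetime_s}
        return sid

    def login(self, pre_login_sid: str, user: str, now: float) -> str:
        # Fixation defence: never promote the id the client arrived with;
        # discard it and issue a fresh one bound to the authenticated user.
        self._sessions.pop(pre_login_sid, None)
        sid = self.create(now)
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid: str, now: float):
        session = self._sessions.get(sid)
        if session is None or now > session["expires"]:
            self._sessions.pop(sid, None)        # expired ids are purged, not revived
            return None
        return session["user"]


# Countermeasures 44/45/65: protect the authentication cookie with transport and scope attributes.
def auth_cookie_header(sid: str, lifetime_s: int) -> str:
    # Secure: sent only over TLS.  HttpOnly: invisible to page script (limits XSS theft).
    # SameSite=Strict: not attached to cross-site requests (limits CSRF).  Max-Age caps lifetime.
    return (f"Set-Cookie: session={sid}; Max-Age={lifetime_s}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    print("vulnerable:", lookup_email_vulnerable("x' OR '1'='1"))   # leaks every row
    print("hardened:  ", lookup_email_hardened("x' OR '1'='1"))     # returns nothing
    store = SessionStore(lifetime_s=900)
    sid = store.login(store.create(now=0.0), "alice", now=0.0)
    print(auth_cookie_header(sid, store.lifetime_s))
```

The vulnerable lookup is kept only for contrast; the point of the pair is that the hardened version needs no input filtering at all to defeat the injection, because the value never reaches the SQL parser. The session store rotates the id on login rather than trusting a pre-authentication cookie, which is the whole of the session-fixation defence; the lifetime and the cookie attributes then bound what a stolen id is worth.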
Security Models have to change for the Cloud
Security is a shared responsibility
  Layers (bottom to top): Physical, Network, Host, Application, Data
  On premises: all five layers are customer responsibilities
  In the cloud: the lower layers become cloud provider responsibilities and the upper layers stay with the customer; where the line falls depends on the delivery model (IaaS, PaaS or SaaS)
Security – on premise (diagram)
Security – in the Cloud (diagram, built up over three slides): tenant instances, each with a guest agent, isolated by per-instance firewalls and packet filters; a root VM on the hypervisor running a fabric agent; a fabric controller; a VLAN-segmented network with its own firewall
Cloud Security is a Paradigm Shift
  Much of the traditional infrastructure security moves to the platform and application layers
  Network access control lists and firewalls become host packet filters and virtual firewalls
  Reduction of attack surface, least privilege, user authentication and input sanitization are key concerns
  Platform- and network-level encryption play a role, but the developer has increased responsibility for application encryption design
Concerns about Security: security advantages of a public cloud
  Lives behind an enterprise-class firewall
  Lives in a very secure facility
  Thieves may not know where your data lives
  Your gear is not at risk from a disgruntled employee
  You may gain security expertise from your vendor
  Your vendor may have more rigorous practices around patching, updating and data center management
  You are not alone when defending against DDoS
  You are protected from hardware failures
Concerns about Security: security disadvantages of a public cloud
  Access can be granted from anywhere
  Your data must travel "in the wild" to the cloud
  You are dependent on the responsiveness, whims and quality of the vendor
  You often don't know where your data resides or how it is commingled with other tenants
  Attacks on others can have an effect on you
  You have limited transparency regarding security controls
  Auditing can be difficult
  You may be subject to jurisdictional issues
  There is very little established case law
  The vendor could shut you down suddenly
Cloud computing involves an inherent transfer of control, which creates issues around security and privacy.
Concerns about Security: why a public cloud vendor might shut you down
  Decides your customer mailing is spam
  Goes out of business
  Is sold off to your competitor
  Didn't properly build in disaster recovery
  Didn't properly plan for appropriate scaling
  One of its co-tenants is investigated by the government: sometimes just that tenant's servers are seized, sometimes all servers on the premises; because of resource pooling, any seizure could negatively affect you
Organizations are moving forward (chart): responses to the question "What best describes where Cloud Computing fits into your organization's IT roadmap?" (SOURCE: The Open Group, May 2011)
Cloud Security: Questions to Ask Before You Jump In
  How does a cloud deployment change my risk profile? A cloud computing deployment means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk. Ultimately the data and its sensitivity level will dictate whether a cloud model makes sense.
  What do I need to do to ensure my existing security policy accommodates the cloud model? A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Ideally you can extend your existing security policies to accommodate this additional platform.
  Will a cloud deployment compromise my ability to meet regulatory mandates? Cloud deployments shift your risk profile and could affect your ability to meet various regulations. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements; others are more generic and cannot or will not meet detailed compliance requirements.
Cloud Security: Questions to Ask Before You Jump In, continued
  What happens if a breach occurs? How are incidents handled? This is a critical component of your overall agreement with the cloud service provider. The cloud provider (as a service provider) and you as a company may have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.
  How do I ensure only authorized employees, partners and customers can access data and applications? Identity and access management is an existing security challenge that is amplified by cloud deployments.
  How are my data and applications hosted, and what security technologies are in place? This information can directly affect an organization's ability to comply with certain regulations. Transparency is necessary for you to make informed decisions.
Expectations are high
The Scale is amazing - Microsoft
The Scale is amazing - Google: each container holds 1,160 servers, with power consumption that can reach 250 kilowatts
Some lessons from Amazon's outage (or Microsoft's or Google's)
  Read your cloud provider's SLA very carefully. Amazingly, the almost four-day outage did not breach Amazon's EC2 (Elastic Compute Cloud) SLA, which "guarantees 99.95% availability of the service within a Region over a trailing 365-day period." Since it was EBS (Elastic Block Store) and RDS (Relational Database Service) rather than EC2 itself that failed, the SLA was not breached, legally speaking.
  Don't take your provider's assurances for granted. Many of the affected customers were paying extra to host their instances in more than one Availability Zone (AZ); AZs are supposed to be physically separate and to protect against virtually any failure. Unfortunately, this turned out to be a technical specification rather than a contractual guarantee.
  There are ways you can supplement a cloud provider's resilience. Decompose resources into independent pools, build in support for quick timeouts and retries, and have interfaces that allow multiple retries of failed requests. This can be difficult if all your experience is in designing tightly coupled enterprise application stacks that assume a resilient local area network. Successful cloud apps are not your in-house apps simply hosted in the cloud.
Some lessons from Amazon's outage (or Microsoft's or Google's), continued
  Building in extra resilience comes at a cost. Choices about the length of outage you can tolerate have cost consequences.
  Understanding the trade-offs helps you frame what to ask. A good question for cloud vendors: "Do you take down production infrastructure to test your failover?" (Amazon apparently didn't, and the failover didn't work as expected.)
  Amazon's lack of transparency made recovery harder. Several affected customers complained of the lack of useful information coming from Amazon during the outage: "Our people can't read from the tea-leaves how to organize our systems for performance, scalability and most importantly disaster recovery. The difference between 'reasonable' SLAs and 'five-9s' is the difference between improvisation and the complete alignment of our respective operational processes ..."
  Remember: an inherent transfer of control. Most customers will still forgive Amazon its failings. However badly they have been affected, customers have sung Amazon's praises in recognition of how much it has helped them run a powerful infrastructure at lower cost and effort. In many cases their businesses might not be able to exist at all without a similar infrastructure.
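The resilience advice above (independent pools, quick timeouts, bounded retries, retry-safe interfaces) as an added Python example; this is not Amazon's code and not from the deck. It shows a retry wrapper with capped exponential backoff, full jitter and an overall time budget, plus a per-pool circuit breaker so a degraded pool (an Availability Zone, say) is skipped instead of holding the whole application up. The `Unavailable` exception, the pool names and the flaky operation in the demo are assumptions made for illustration; the clock, sleep and random source are injectable so the behaviour can be tested deterministically.

```python
"""Added example (not from the deck, and not Amazon's code): the client-side
resilience pattern the slide describes.  Short time budgets, bounded retries
with capped exponential backoff and jitter, and a circuit breaker per
independent resource pool so that a degraded pool is skipped rather than
stalling the application.  Pool names and the flaky operation are constructed."""
import random
import time


class Unavailable(Exception):
    """Raised by an operation when a pool fails or does not answer in time."""


class CircuitBreaker:
    """After `threshold` consecutive failures the pool is skipped for
    `cooldown_s` seconds; a success resets the count, a failure after the
    cooldown re-opens it immediately (the count is not reset by opening)."""

    def __init__(self, threshold: int = 3, cooldown_s: float = 30.0):
        self.threshold = threshold
        self.cooldown_s = cooldown_s
        self.failures = 0
        self.open_until = 0.0

    def is_open(self, now: float) -> bool:
        return now < self.open_until

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.threshold:
            self.open_until = now + self.cooldown_s


def call_with_retry(fn, *, attempts: int = 3, budget_s: float = 2.0,
                    base_delay: float = 0.05, max_delay: float = 1.0,
                    sleep=time.sleep, now_fn=time.monotonic, rng=random.random):
    """Call fn() until it succeeds, giving up after `attempts` tries or once the
    overall time budget is spent.  Backoff is capped exponential with full
    jitter (delay = cap * U[0,1)) so that many clients do not retry in lockstep.
    Only use this for idempotent operations, i.e. the 'interfaces that allow
    multiple retries' of the slide."""
    start = now_fn()
    last_error = None
    tries = 0
    for i in range(attempts):
        if i and now_fn() - start > budget_s:
            break                       # fail fast instead of queueing up
        tries += 1
        try:
            return fn()
        except Unavailable as exc:
            last_error = exc
            if i + 1 < attempts:
                sleep(min(max_delay, base_delay * (2 ** i)) * rng())
    raise Unavailable(f"gave up after {tries} attempt(s): {last_error}")


def call_across_pools(pools, breakers, op, *, now_fn=time.monotonic, **retry_kw):
    """Try independent pools in order, skipping any whose breaker is open.
    `op(pool)` performs the operation against one pool.  Returns (pool, result)."""
    for pool in pools:
        breaker = breakers[pool]
        if breaker.is_open(now_fn()):
            continue
        try:
            result = call_with_retry(lambda: op(pool), now_fn=now_fn, **retry_kw)
        except Unavailable:
            breaker.record(False, now_fn())
            continue
        breaker.record(True, now_fn())
        return pool, result
    raise Unavailable("every pool is unavailable or its breaker is open")


if __name__ == "__main__":
    # Constructed demo: zone-a is down, zone-b answers.
    def flaky(pool):
        if pool == "zone-a":
            raise Unavailable("zone-a degraded")
        return f"ok from {pool}"

    breakers = {p: CircuitBreaker(threshold=1, cooldown_s=30) for p in ("zone-a", "zone-b")}
    print(call_across_pools(["zone-a", "zone-b"], breakers, flaky))   # retries zone-a, then falls through
    print(call_across_pools(["zone-a", "zone-b"], breakers, flaky))   # zone-a skipped, breaker open
```

The two knobs that matter most in an outage are the time budget and the breaker: without the budget a chain of slow retries turns one pool's degradation into latency for every request, and without the breaker every request pays the full retry cost before discovering the pool is still down.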
There may be a significant risk in not adopting a Public Cloud model
  Cloud computing represents virtualization supercharged by automation, and automation always threatens jobs, especially those of lower-skilled employees. Simply put, cloud computing will displace the jobs of those who perform routine operations tasks. Asking these folks what they think of public cloud computing is like asking a turkey what it thinks of Thanksgiving.
  How can the CIO justify sticking with an existing system when SaaS and infrastructure alternatives are (or at least appear to the business to be) so much cheaper? IT organizations will come under pressure to meet the cost structures of the best-of-breed public providers.
  Failing to rethink the delivery of services, and the organization necessary to deliver them, poses a threat to the job tenure of even the most senior IT executives. Successful IT executives in the future will be those who recognize that their job is infrastructure management at market rates, not asset ownership.
Questions And Discussion
Links

More Related Content

DOCX
Cloud Computing Security
PPTX
Practical Security for the Cloud
PPTX
Global Azure Bootcamp 216 - Azure Rights Management
PDF
Secure Productive Enterprise from Microsoft and Atidan
PDF
MIST Effective Masquerade Attack Detection in the Cloud
PDF
F5 networks the_expectation_of_ssl_everywhere
PDF
Forcepoint Dynamic Data Protection
PDF
MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...
Cloud Computing Security
Practical Security for the Cloud
Global Azure Bootcamp 216 - Azure Rights Management
Secure Productive Enterprise from Microsoft and Atidan
MIST Effective Masquerade Attack Detection in the Cloud
F5 networks the_expectation_of_ssl_everywhere
Forcepoint Dynamic Data Protection
MEKDA: Multi-Level ECC based Key Distribution and Authentication in Internet ...

What's hot (20)

PDF
Data Security by AES Advanced Encryption Standard
PPTX
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
PDF
Data loss prevention by using MRSH-v2 algorithm
PPTX
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
PDF
Cloud Security (CASB) for Slack
PDF
Tecnologie a supporto dei controlli di sicurezza fondamentali
PDF
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
PDF
Microsoft Security - New Capabilities In Microsoft 365 E5 Plans
PDF
63 Requirements for CASB
PDF
Guide to CASB Use Cases
PDF
4192 sslvpn sb_0412
PDF
Qubole GDPR Security and Compliance Whitepaper
PDF
ISSA: Cloud data security
PDF
New Approaches to Security and Availability for Cloud Data
 
PDF
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
PPTX
The Cloud & I, The CISO challenges with Cloud Computing
PDF
Gartner Magic Quadrant for Secure Email Gateways 2014
PPTX
Cloud Access Security Brokers - CASB
PPTX
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
PDF
White Paper: Protecting Your Cloud
Data Security by AES Advanced Encryption Standard
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data loss prevention by using MRSH-v2 algorithm
CYBERSECURITY MESH - DIGITAL TRUST FRAMEWORK
Cloud Security (CASB) for Slack
Tecnologie a supporto dei controlli di sicurezza fondamentali
2020-03-05 Secure IT day 2020 Abalon - comment protéger votre environnement ...
Microsoft Security - New Capabilities In Microsoft 365 E5 Plans
63 Requirements for CASB
Guide to CASB Use Cases
4192 sslvpn sb_0412
Qubole GDPR Security and Compliance Whitepaper
ISSA: Cloud data security
New Approaches to Security and Availability for Cloud Data
 
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
The Cloud & I, The CISO challenges with Cloud Computing
Gartner Magic Quadrant for Secure Email Gateways 2014
Cloud Access Security Brokers - CASB
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
White Paper: Protecting Your Cloud
Ad

Similar to Cloud computing present (20)

PDF
Lecture27 cc-security2
PDF
Cloud Security
PDF
Cloud Security:Threats & Mitgations
PPTX
Cloud security and services
PPTX
Cloud Computing - The new buzz word
PPT
Cloud computing-security-issues
PPTX
cloudComputingSec_p3.pptx
PDF
Cloud Security - Emerging Facets and Frontiers
PPTX
Novel cloud computingsecurity issues
PPTX
Rightscale Webinar: Designing Private & Hybrid Clouds (Hosted by Citrix)
PPTX
Cloud security Presentation
PPTX
Rik Ferguson
PPT
Cloud Computing Security
PPTX
Cloud computingsec p3
PPT
4831586.ppt
PDF
Cloud Computing
PPT
Cloud Computing Security Issues
PPTX
Cloud computing and its security issues
PDF
Cloud Security - Made simple
PPT
security Issues of cloud computing
Lecture27 cc-security2
Cloud Security
Cloud Security:Threats & Mitgations
Cloud security and services
Cloud Computing - The new buzz word
Cloud computing-security-issues
cloudComputingSec_p3.pptx
Cloud Security - Emerging Facets and Frontiers
Novel cloud computingsecurity issues
Rightscale Webinar: Designing Private & Hybrid Clouds (Hosted by Citrix)
Cloud security Presentation
Rik Ferguson
Cloud Computing Security
Cloud computingsec p3
4831586.ppt
Cloud Computing
Cloud Computing Security Issues
Cloud computing and its security issues
Cloud Security - Made simple
security Issues of cloud computing
Ad

More from James Sutter (20)

PDF
Future of intelligent transportation CIO Roundtable 080214
PDF
Security in the News
PDF
Mobile Security
PPT
3-D Printing_feb_13_2014
PDF
Scrum Agile by David Mann
PPT
It Governance OC CIO Nov,2013
PDF
CIO evolution 10102013
PPT
OC CIO BYOD
PPTX
CIO RoundtableIot IOT
PDF
Technology business management_7.13
PDF
Oc cio roundtable mooney management imperatives for realizing value from clou...
PDF
Erp governance methodology and case studies v rjt
PDF
Controlling project costs
PDF
CIO Branding
PPT
Google apps CIO Peer Group presentation
PDF
CIO Roundtable 10-12
PDF
CIO presentation aug 2012
PDF
Mobile security v2
PDF
Peer group itsm presentation 6.12
PPT
CIO Value Issue
Future of intelligent transportation CIO Roundtable 080214
Security in the News
Mobile Security
3-D Printing_feb_13_2014
Scrum Agile by David Mann
It Governance OC CIO Nov,2013
CIO evolution 10102013
OC CIO BYOD
CIO RoundtableIot IOT
Technology business management_7.13
Oc cio roundtable mooney management imperatives for realizing value from clou...
Erp governance methodology and case studies v rjt
Controlling project costs
CIO Branding
Google apps CIO Peer Group presentation
CIO Roundtable 10-12
CIO presentation aug 2012
Mobile security v2
Peer group itsm presentation 6.12
CIO Value Issue

Recently uploaded (20)

PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
Cell Structure & Organelles in detailed.
PDF
VCE English Exam - Section C Student Revision Booklet
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
Microbial disease of the cardiovascular and lymphatic systems
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PPTX
Institutional Correction lecture only . . .
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PPTX
Cell Types and Its function , kingdom of life
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
PDF
Classroom Observation Tools for Teachers
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Week 4 Term 3 Study Techniques revisited.pptx
Abdominal Access Techniques with Prof. Dr. R K Mishra
Cell Structure & Organelles in detailed.
VCE English Exam - Section C Student Revision Booklet
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Microbial disease of the cardiovascular and lymphatic systems
human mycosis Human fungal infections are called human mycosis..pptx
Institutional Correction lecture only . . .
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
Final Presentation General Medicine 03-08-2024.pptx
Cell Types and Its function , kingdom of life
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
O5-L3 Freight Transport Ops (International) V1.pdf
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Classroom Observation Tools for Teachers
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student

Cloud computing present

  • 1. Cloud Computing What are you afraid of? Copyright 2011 The Word & Brown Companies
  • 2. Agenda Review the basics Copyright 2011 The Word & Brown Companies At the “Peak of inflated expectations ” -- Gartner’s Hype Cycle for Emerging Technologies #1 Strategic Technology for 2010 – Technologies You Can’t Afford to Ignore, Gartner So what is it with Cloud Computing? EMC shuts down online cloud storage service Iron Mountain Becomes Third Provider to Exit Public Cloud Storage Market Gartner predicts less than one-third of cloud investments will reach ROI by 2011 60% of IT decision-makers see cloud computing as helpful to the business By 2015 Cloud Computing will make up 17% of all IT expenditure worldwide U.S. Government Adopts “Cloud-first” Policy Fortune 1000 firms shun public cloud Feds Shy Away From Public Cloud, Call For Security
  • 3. Copyright 2011 The Word & Brown Companies At its most promising, Cloud Computing is about evolving IT to enable greater responsiveness to business needs while at the same time driving greater efficiencies. Successful Cloud computing requires a re-thinking of IT in a way that’s fundamentally different from how we’ve approached IT over the last 30 years. There are some reasons to be cautious and you can’t simply move existing applications to a cloud infrastructure without understanding the significant differences in the environments.
  • 4. Maturity of Key Elements has made Cloud Computing viable Copyright 2011 The Word & Brown Companies Virtualization Service Oriented Architecture (SOA) Broadband Networks Browser as a Platform Open Source Software Horizontal Scaling/“Fail in place computing”
  • 5. Copyright 2011 The Word & Brown Companies Reasons to Embrace Cloud Computing Costs – Low start up costs, low cost for sporadic use, moves Capex to Opex Consolidation Scalability, rapid provisioning/deprovisioning Simplification Reliability Ease of management Ubiquity of access/Device and location independence Disaster Recovery Improve Agility/Innovation Security & Compliance
  • 6. Copyright 2011 The Word & Brown Companies
  • 7. Copyright 2011 The Word & Brown Companies Optimizing Cost of Capacity SOURCE: The Open Group, May 2011
  • 8. Copyright 2011 The Word & Brown Companies Reason to be Wary of Cloud Computing Costs – especially the predictability of costs Access Performance & Reliability Management Vendor Lock in Ownership Security & Compliance 74% of respondents of a recent survey of senior management, IT operations and security professionals don’t believe the cost savings of cloud computing outweigh the security considerations for their organization* *SOURCE: nCircle Information Security & Compliance Trend Study, 2010
  • 9. Copyright 2011 The Word & Brown Companies Reason to be Wary of Cloud Computing SOURCE: The Open Group, May 2011 Response to the question: “What is your biggest concern with Cloud Computing?”
  • 10. Copyright 2011 The Word & Brown Companies Deployment Models Private Cloud Accessed by a single enterprise (On or Off-premise) Not a commercial offering Private Cloud Accessed by a single entity - on or off premise Operated solely for that entity Public Cloud Open to use by multiple organizations Location of data and resources “unknown” Hybrid Cloud “ Bursting” from Private to Public Split by tier Community Cloud Supports several organizations in a specific community with like interests. e.g. security, policy, compliance
  • 11. Copyright 2011 The Word & Brown Companies Five Key Characteristics On-demand Self-service Individuals can set themselves up with little of no help Ubiquitous Network Access Available through standard Internet-enabled devices Location Independent Resource Pooling Processing and storage demands are balanced across a common infrastructure, with no particular resource assigned to any individual user Rapid Elasticity Consumers can increase or decrease capacity at will Pay Per Use Consumers are charged fees based on their usage of a combination of computing power, bandwidth use and/or storage
  • 12. Copyright 2011 The Word & Brown Companies Delivery Models Target: Developers, Sys Admins Server, Storage, Network OS, Virtualization, File system Target: Developers Development tools Database, Middleware Infrastructure software Target: End users Collaborative applications ERM, CRM, Supply chain apps Ops and manufacturing apps Engineering applications Infrastructure as a Service Platform as a Service Software as a Service
  • 13. Delivery Models Copyright 2011 The Word & Brown Companies = Managed for You SaaS PaaS IaaS Applications Runtimes Database Operating System Virtualization Server Storage Networking
  • 14. Cloud Concepts & Terminology Copyright 2011 The Word & Brown Companies
  • 15. Concerns about Security Copyright 2011 The Word & Brown Companies Customer Admin Users Tenant Tenant External Web Site
  • 16. Threats 1. Brute force attacks. 2. Buffer overflows. 3. Canonicalization attacks. 4. Cookie manipulation. 5. Cookie replay attacks. 6. Credential theft. 7. Cross-Site Request Forgery (CSRF). 8. Cross-site scripting (XSS). 9. Connection pooling. 10. Data tampering. 11. Denial of service. 12. Dictionary attack. 13. Disclosure of sensitive/confidential data. 14. Elevation of privilege. 15. Encryption. 16. Information disclosure. 17. Luring attacks. 18. Man-in-the-middle attacks. 19. Network eavesdropping. 20. Open Redirects. 21. Password cracking. 22. Repudiation. 23. Session hijacking. 24. Session replay. 25. Session fixation. 26. Spoofing. 27. SQL injection. 28. Throttling Copyright 2011 The Word & Brown Companies . SOURCE: Securing Microsoft's Cloud Infrastructure
  • 17. Countermeasures
    1. Assume all input is malicious.
    2. Audit and log activity through all of the application tiers.
    3. Avoid storing secrets.
    4. Avoid storing sensitive data in the Web space.
    5. Back up and regularly analyze log files.
    6. Be able to disable accounts.
    7. Be careful with canonicalization issues.
    8. Catch exceptions.
    9. Centralize your input and data validation.
    10. Consider a centralized exception management framework.
    11. Consider authorization granularity.
    12. Consider identity flow.
    13. Constrain input.
    14. Constrain, reject, and sanitize your input.
    15. Cycle your keys periodically.
    16. Disable anonymous access and authenticate every principal.
    17. Do not develop your own cryptography.
    18. Do not leak information to the client.
    19. Do not log private data such as passwords.
    20. Do not pass sensitive data using the HTTP-GET protocol.
    21. Do not rely on client-side validation.
    22. Do not send passwords over the wire in plaintext.
    23. Do not store credentials in plaintext.
    24. Do not store database connections, passwords, or keys in plaintext.
    25. Do not store passwords in user stores.
    26. Do not store secrets in code.
    27. Do not store sensitive data in persistent cookies.
    28. Do not trust fields that the client can manipulate.
    29. Do not trust HTTP header information.
    30. Encrypt communication channels to protect authentication tokens.
    31. Encrypt sensitive cookie state.
    32. Encrypt the contents of the authentication cookies.
    33. Encrypt the data or secure the communication channel.
    34. Enforce separation of privileges.
    35. Enforce unique transactions.
    36. Identify malicious behavior.
    SOURCE: Securing Microsoft's Cloud Infrastructure
  • 18. Countermeasures – cont’d.
    37. Keep unencrypted data close to the algorithm.
    38. Know what good traffic looks like.
    39. Limit session lifetime.
    40. Log detailed error messages.
    41. Log key events.
    42. Maintain separate administration privileges.
    43. Make sure that users do not bypass your checks.
    44. Pass Forms authentication cookies only over HTTPS connections.
    45. Protect authentication cookies.
    46. Provide strong access controls on sensitive data stores.
    47. Reject known bad input.
    48. Require strong passwords.
    49. Restrict user access to system-level resources.
    50. Retrieve sensitive data on demand.
    51. Sanitize input.
    52. Secure access to log files.
    53. Secure the communication channel for remote administration.
    54. Secure your configuration store.
    55. Secure your encryption keys.
    56. Separate public and restricted areas.
    57. Store keys in a restricted location.
    58. Support password expiration periods.
    59. Use account lockout policies for end-user accounts.
    60. Use application instrumentation to expose behavior that can be monitored.
    61. Use authentication mechanisms that do not require clear text credentials to be passed over the network.
    62. Use least privileged accounts.
    63. Use least privileged process and service accounts.
    64. Use multiple gatekeepers.
    65. Use SSL to protect session authentication cookies.
    66. Use strong authentication and authorization on administration interfaces.
    67. Use structured exception handling.
    68. Use the correct algorithm and correct key length.
    69. Use tried and tested platform features.
    70. Validate all values sent from the client.
    71. Validate data for type, length, format, and range.
    SOURCE: Securing Microsoft's Cloud Infrastructure
  • 19. Security Models have to change for the Cloud
  • 20. Security is a shared responsibility (diagram: the layers Physical, Network, Host, Application and Data shown On Premises and In The Cloud, divided between Customer Responsibilities and Cloud provider Responsibilities)
  • 21. Security – on premise
  • 22. Security – in the Cloud
  • 23. Security – in the Cloud
  • 24. Security – in the Cloud (diagram: Tenant Instances, each with a Guest Agent, running on a Hypervisor beside a Root VM and Fabric Agent; a Fabric Controller; Firewalls, Packet Filters and a VLAN on the Network path)
  • 25. Cloud Security is a Paradigm Shift
    Much of the traditional infrastructure security moves to the platform and application layers
    Network Access Control Lists and Firewalls become host packet filters and virtual firewalls
    Reduction of attack surface, least privilege, user authentication and input sanitization are key concerns
    Platform and network level encryption play a role, but the developer has increased responsibility for application encryption design
  • 26. Concerns about Security – Security Advantages of a Public Cloud
    Lives behind enterprise-class firewall
    Lives in very secure facility
    Thieves may not know where your data lives
    Your gear is not at risk from disgruntled employee
    You may gain security expertise from your vendor
    Your vendor may have more rigorous practices around patching, updating and data center management
    You are not alone when defending against DDoS
    You are protected from hardware failures
  • 27. Concerns about Security – Security Disadvantages of a Public Cloud
    Access can be granted from anywhere
    Your data must travel “in the wild” to the cloud
    You are dependent on responsiveness, whims & quality of vendor
    You often don’t know where your data resides or how it is commingled with other tenants
    Attacks on others can have an effect on you
    You have limited transparency regarding security controls
    Auditing can be difficult
    You may be subject to jurisdictional issues
    There is very little established case law
    Vendor could shut you down suddenly
    Cloud computing involves an inherent transfer of control, which creates issues around security and privacy.
  • 28. Concerns about Security – Why a public cloud vendor might shut you down…
    Decides your customer mailing is spam
    Goes out of business
    Is sold off to your competitor
    Didn’t properly build in disaster recovery
    Didn’t properly plan for appropriate scaling
    One of its co-tenants is investigated by the government
      Sometimes, just that tenant's servers seized
      Sometimes, all servers on premises seized
      Because of resource pooling, any seizure could negatively affect you
  • 29. Organizations are moving forward (chart) Question: “What best describes where Cloud Computing fits into your organization’s IT roadmap?” SOURCE: The Open Group, May 2011
  • 30. Cloud Security: Questions to Ask Before You Jump In
    How does a cloud deployment change my risk profile? A cloud computing deployment means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk. Ultimately the data and its sensitivity level will dictate if a cloud model makes sense.
    What do I need to do to ensure my existing security policy accommodates the cloud model? A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Ideally you can extend your existing security policies to accommodate this additional platform.
    Will a cloud deployment compromise my ability to meet regulatory mandates? Cloud deployments shift your risk profile and could affect your ability to meet various regulations. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements; others are more generic and cannot or will not meet detailed compliance requirements.
  • 31. Cloud Security: Questions to Ask Before You Jump In
    What happens if a breach occurs? How are incidents handled? This is a critical component to your overall agreement with the cloud service provider. The cloud provider (as a service provider), and you as a company, may have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.
    How do I ensure only authorized employees, partners and customers can access data and applications? Identity and access management is an existing security challenge that is amplified by cloud deployments.
    How are my data and applications hosted, and what security technologies are in place? This information can directly affect an organization's ability to comply with certain regulations. Transparency is necessary for you to make informed decisions.
  • 32. Expectations are high
  • 33. The Scale is amazing - Microsoft
  • 34. The Scale is amazing - Google: Each Container has 1160 servers and power consumption that can reach 250 kilowatts
  • 35. Some lessons from Amazon's outage (or Microsoft’s or Google’s)
    Read your cloud provider’s SLA very carefully: Amazingly, this almost four-day outage has not breached Amazon’s EC2 (Elastic Compute Cloud) SLA, which “guarantees 99.95% availability of the service within a Region over a trailing 365-day period.” Since it has been the EBS (Elastic Block Storage) and RDS (Relational Database Services) rather than EC2 itself that failed, the SLA has not been breached, legally speaking.
    Don’t take your provider’s assurances for granted: Many of the affected customers were paying extra to host their instances in more than one Availability Zone (AZ), which are supposed to be physically separate and protect from virtually any failure. Unfortunately, this turned out to be a technical specification rather than a contractual guarantee.
    There are ways you can supplement a cloud provider’s resilience: Decompose resources into independent pools, build in support for quick timeouts and retries, and have interfaces that allow multiple retries of failed requests. This can be difficult if all your experience is in designing tightly-coupled enterprise application stacks that assume a resilient local area network. Successful cloud apps are not your in-house apps simply hosted in the cloud.
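The resilience advice above (independent pools, quick timeouts, safe retries) as an added Python model; it is not code from the slides or from any cloud provider. The pool names, latencies and idempotency-key behaviour are constructed assumptions, and nothing here calls a real AWS API.

```python
"""Added example: independent resource pools (one per Availability Zone),
a short per-attempt timeout, bounded retries with backoff, and an
idempotency key so a retried request cannot be applied twice.
Everything is simulated in-process with constructed data."""
import time
import uuid
from dataclasses import dataclass, field


@dataclass
class Pool:
    """One independent resource pool, e.g. the endpoint serving a single AZ.
    `latency` is a constructed figure standing in for observed response time."""
    name: str
    latency: float
    seen_keys: set = field(default_factory=set)

    def call(self, idem_key: str, timeout: float) -> str:
        # A stuck pool (latency above the deadline) surfaces as a timeout
        # instead of blocking the caller; that is what quick timeouts buy you.
        if self.latency > timeout:
            raise TimeoutError(f"{self.name}: no reply within {timeout}s")
        if idem_key in self.seen_keys:
            return "duplicate"   # key already seen: report it, do not re-apply
        self.seen_keys.add(idem_key)
        return "applied"


def call_with_failover(pools, timeout=0.2, max_rounds=3, base_delay=0.1,
                       idem_key=None):
    """Try each pool in turn; a timeout moves on to the next pool rather than
    hanging. Between rounds, back off exponentially. The same idempotency key
    is sent on every attempt so the service can deduplicate retries.
    Returns (result, pool_name, attempts) or raises RuntimeError."""
    idem_key = idem_key or str(uuid.uuid4())
    attempts = 0
    for round_no in range(max_rounds):
        for pool in pools:
            attempts += 1
            try:
                return pool.call(idem_key, timeout), pool.name, attempts
            except TimeoutError:
                continue
        if round_no < max_rounds - 1:
            time.sleep(base_delay * 2 ** round_no)
    raise RuntimeError(f"all {len(pools)} pools failed after {attempts} attempts")


# Constructed scenario: AZ "a" is stuck (as EBS was during the outage), "b" is fine.
AZ_POOLS = [Pool("us-east-1a", latency=30.0), Pool("us-east-1b", latency=0.05)]
```

Calling `call_with_failover(AZ_POOLS)` skips the stuck pool after one timed-out attempt and lands on the healthy one; repeating the call with the same `idem_key` returns "duplicate" instead of applying the request a second time.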
  • 36. Some lessons from Amazon's outage (or Microsoft’s or Google’s)
    Building in extra resilience comes at a cost: Choices about the length of outage you can tolerate have cost consequences. Understanding the trade-offs helps you frame what to ask. A good question to ask Cloud vendors — “Do you take down production infrastructure to test your failover?” (Amazon apparently didn’t and it didn’t work as expected)
    Amazon’s lack of transparency made recovery harder: Several affected customers complained of the lack of useful information coming from Amazon during the outage - “Our people can’t read from the tea-leaves how to organize our systems for performance, scalability and most importantly disaster recovery. The difference between ‘reasonable’ SLAs and ‘five-9s’ is the difference between improvisation and the complete alignment of our respective operational processes …” Remember - an inherent transfer of control
    Most customers will still forgive Amazon its failings: However badly they’ve been affected, providers have sung Amazon’s praises in recognition of how much it’s helped them run a powerful infrastructure at lower cost and effort. In many cases their businesses might not be able to exist at all without a similar infrastructure.
  • 37. There may be a significant risk in not adopting a Public Cloud model
    Cloud computing represents virtualization supercharged by automation, and automation always threatens jobs—especially those of lower-skilled employees. Simply put, cloud computing will displace the jobs of those who perform routine operations tasks. Asking these folks what they think of public cloud computing is like asking a turkey what it thinks of Thanksgiving.
    How can the CIO justify sticking with an existing system when SaaS and infrastructure alternatives are (or at least appear to business to be) so much cheaper? IT organizations will come under pressure to meet the cost structures of the best-of-breed public providers. Failing to rethink the delivery of services—and the organization necessary to deliver them—poses a threat to the job tenure of even the most senior IT executives. Successful IT executives in the future will be those who recognize that their job is infrastructure management at market rates, not asset ownership.
  • 38. Questions And Discussion
  • 39. Links