WHAT IS CLOUD COMPUTING REALLY Scott Clark Chicago

Скачать презентацию WHAT IS CLOUD COMPUTING REALLY Scott Clark Chicago Скачать презентацию WHAT IS CLOUD COMPUTING REALLY Scott Clark Chicago

53f33ec3b71699b8de49957887930166.ppt

  • Количество слайдов: 74

WHAT IS CLOUD COMPUTING REALLY? Scott Clark Chicago Chapter President Cloud Security Alliance Insert WHAT IS CLOUD COMPUTING REALLY? Scott Clark Chicago Chapter President Cloud Security Alliance Insert presenter logo here on slide master

The Blind Men and the Cloud It was six men of Info Tech To The Blind Men and the Cloud It was six men of Info Tech To learning much inclined, Who went to see the Cloud (Though all of them were blind), That each by observation Might satisfy his mind 2

The Blind Men and the Cloud The First approached the Cloud, So sure that The Blind Men and the Cloud The First approached the Cloud, So sure that he was boasting “I know exactly what this is… This Cloud is simply Hosting. ” 3

The Blind Men and the Cloud The Second grasped within the Cloud, Saying, “No The Blind Men and the Cloud The Second grasped within the Cloud, Saying, “No it’s obvious to me, This Cloud is grid computing… Servers working together in harmony!” 4

The Blind Men and the Cloud The Third, in need of an answer, Cried, The Blind Men and the Cloud The Third, in need of an answer, Cried, "Ho! I know its source of power It’s a utility computing solution Which charges by the hour. ” 5

The Blind Men and the Cloud The Fourth reached out to touch it, It The Blind Men and the Cloud The Fourth reached out to touch it, It was there, but it was not “Virtualization, ” said he. “That’s precisely what we’ve got!” 6

The Blind Men and the Cloud The Fifth, so sure the rest were wrong The Blind Men and the Cloud The Fifth, so sure the rest were wrong Declared “It’s Saa. S you fools, Applications with no installation It’s breaking all the rules!" 7

The Blind Men and the Cloud The Sixth (whose name was Benioff), Felt the The Blind Men and the Cloud The Sixth (whose name was Benioff), Felt the future he did know, He made haste in boldly stating, “This *IS* Web 3. 0. ” 8

The Blind Men and the Cloud And so these men of Info Tech Disputed The Blind Men and the Cloud And so these men of Info Tech Disputed loud and long, Each in his own opinion Exceeding stiff and strong, Though each was partly in the right, And all were partly wrong! Sam Charrington & Noreen Barczweski © 2009, Appistry, Inc 9

Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources Insert presenter logo here on slide master

“This Cloud is simply Hosting” 11 “This Cloud is simply Hosting” 11

12 12

Evolution of “Hosting” CUSTOM “Co-Location” COMMODITY “Cloud Service Providers” 13 Evolution of “Hosting” CUSTOM “Co-Location” COMMODITY “Cloud Service Providers” 13

Evolution of Data Centers Closest to power plants Google Data Center • State of Evolution of Data Centers Closest to power plants Google Data Center • State of Oregon • Columbia River • 103 Mega Watt Data Center on 30 acres • Near 1. 8 GW Hydropower Station 14

Data Center is the new “Server” 15 Data Center is the new “Server” 15

POD Computing 16 POD Computing 16

17 17

Google’s low cost commodity server 18 Google’s low cost commodity server 18

Is This New? ? • Berkeley credited • Cluster of Servers • Started in Is This New? ? • Berkeley credited • Cluster of Servers • Started in 1994 19

20 20

21 21

22 22

23 23

Broadband Network Access 24 Broadband Network Access 24

25 25

Rapid Elasticity 26 Rapid Elasticity 26

27 27

Measured Service • Risk of over-provisioning: underutilization Capacity Resources Unused resources Demand Time Static Measured Service • Risk of over-provisioning: underutilization Capacity Resources Unused resources Demand Time Static data center 28

Measured Service Resources • Heavy penalty for under-provisioning 3 Lost revenue Resources Demand 3 Measured Service Resources • Heavy penalty for under-provisioning 3 Lost revenue Resources Demand 3 Demand 2 1 Time (days) Capacity Demand 2 1 Time (days) 3 Lost users 29

Measured Service Resources Capacity Demand Resources • Pay by use instead of provisioning for Measured Service Resources Capacity Demand Resources • Pay by use instead of provisioning for peak Capacity Demand Time Static data center Data center in the cloud Unused resources Source: “Above The Clouds”

31 31

Resource Pooling =Virtualization App App App OS OS OS Operating System Hypervisor Hardware Traditional Resource Pooling =Virtualization App App App OS OS OS Operating System Hypervisor Hardware Traditional Stack Virtualized Stack

Server Virtualization 33 Server Virtualization 33

Storage Virtualization 34 Storage Virtualization 34

Superio. Network Virtualization ü ü To. R Switch Platform-Independent Razor-Thin Cap. Ex To. R Superio. Network Virtualization ü ü To. R Switch Platform-Independent Razor-Thin Cap. Ex To. R Switch Application VMs Application ☒ ☒ High Cap. Ex Low Utilization High Complexity Change-Resistant Application Application Ø Deploy anywhere Ø Elastic scalability Ø Interfaces with provisioning & orchestration systems Ø Evolves with rapidly changing network architectures Ø Utility licensing model

36 36

Case Study • Created 10, 000 Core. Cluster • Leveraged Amazon’s EC 2 • Case Study • Created 10, 000 Core. Cluster • Leveraged Amazon’s EC 2 • Genentech needed a super computer to examine how proteins bind together • Using Genentech’s resources would have taken weeks or months to gain access & run program 37

Completed in 8 Hours! Genentech’s Cost = $8, 480! • • Cluster Size: 10, Completed in 8 Hours! Genentech’s Cost = $8, 480! • • Cluster Size: 10, 000 cores, 8. 75 TB RAM, 2 PB of disk space total • Scale: Comparable to #114 of Top 500 Supercomputer list • Security: Engineered with HTTPS & 128/256 -bit AES encryption • User Effort: Single click to start the cluster • Start-up Time: Thousands of cores in minutes, full cluster in 45 -minutes • Up-front Capital Investment/Licensing Fees: $0 • 38 Infrastructure: 1250 instances with 8 core / 7 -GB RAM Total Cycle. Cloud and Infrastructure Cost: $1, 060/hour

39 39

Delivery Models “Why do it yourself if you can pay someone to do it Delivery Models “Why do it yourself if you can pay someone to do it for you? ” • Utility computing (Iaa. S) – Why buy machines when you can rent cycles? – Examples: Amazon’s EC 2, Go. Grid, App. Nexus • Platform as a Service (Paa. S) – Give me nice API and take care of the implementation – Example: Google App Engine, Force. com • Software as a Service (Saa. S) – Just run it for me! – Example: Gmail, Salesforce. com and Net. Suite

41 41

Forrester: Cloud Market To Reach $241 Billion By 2020 42 Forrester: Cloud Market To Reach $241 Billion By 2020 42

Case Study – Hybrid Cloud • June 25, 2009 • 1 Million visits in Case Study – Hybrid Cloud • June 25, 2009 • 1 Million visits in 24/hrs • Twitter stood still • Ticket Master crawled • Yahoo! 16. 4 million site visitors in 24 hours more that Election Day of 15. 1 • Sony. com couldn’t sell music – 200 sites down 43

Private to Public Burst 44 Private to Public Burst 44

45 45

What About Service Oriented Architecture? ? ? 46 What About Service Oriented Architecture? ? ? 46

BREAK 47 BREAK 47

48 48

What is Different in the Cloud? • Many concepts “in the cloud” are similar What is Different in the Cloud? • Many concepts “in the cloud” are similar to concepts in standard outsourcing • There at least four themes which require a different mindset when working on security for cloud services: – – Role clarity for security controls Legal / jurisdictional / cross-border data movement Virtualization concentration risk Virtualization network security control parity. Insert presenter logo here on slide master

What is Different in the Cloud? Role Clarity Security ~ THEM Saa. S Security What is Different in the Cloud? Role Clarity Security ~ THEM Saa. S Security ~ YOU Software as a Service Iaa. S Infrastructure as a Service Insert presenter logo here on slide master Paa. S Platform as a Service

What is Different in the Cloud? Legal / Jurisdictional Issues Amplified “Cloud” Provider Datacenter What is Different in the Cloud? Legal / Jurisdictional Issues Amplified “Cloud” Provider Datacenter in London, U. K. “Cloud” Provider Datacenter in Geneva, Switzerland “Cloud” Provider Datacenter in Tokyo, Japan “Cloud” Provider Datacenter in San Francisco, USA Insert presenter logo here on slide master Your Corporate Data? “Cloud” Provider Datacenter in Sao Paolo, Brazil

What is Different in the Cloud? Virtualization Concentration Risks “Old Way – Hack a What is Different in the Cloud? Virtualization Concentration Risks “Old Way – Hack a System” “New Way – Hack a Datacenter” Hypervisor Insert presenter logo here on slide master

What is Different in the Cloud? Virtualized N-Tier Control Equivalence “Current Way” “New Way” What is Different in the Cloud? Virtualized N-Tier Control Equivalence “Current Way” “New Way” How do we ensure control parity? Internet Users • FW • WAF • NIDS / IPS Presentation Layer • FW • WAF • NIDS / IPS Data Layer Insert presenter logo here on slide master Internet Users Hypervisor

Key Cloud Security Problems From CSA Top Threats Research: –Trust: Lack of Provider transparency, Key Cloud Security Problems From CSA Top Threats Research: –Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance –Data: Leakage, Loss or Storage in unfriendly geography –Insecure Cloud software –Malicious use of Cloud services –Account/Service Hijacking –Malicious Insiders –Cloud-specific attacks Insert presenter logo here on slide master

Cloud Security Alliance Guidance 55 Cloud Security Alliance Guidance 55

Cloud Security Alliance Guidance Cloud Architecture Legal and Electronic Discovery Compliance and Audit Information Cloud Security Alliance Guidance Cloud Architecture Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Operating in the Cloud Portability and Interoperability Security, Bus. Cont, , and Disaster Recovery Governing the Cloud Governance and Enterprise Risk Management Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Available at http: //www. cloudsecurityalliance. org/Research. html Insert presenter logo here on slide master

Defining Cloud • • On demand provisioning Elasticity Multi-tenancy Key types – Infrastructure as Defining Cloud • • On demand provisioning Elasticity Multi-tenancy Key types – Infrastructure as a Service (Iaa. S): basic O/S & storage – Platform as a Service (Paa. S): Iaa. S + rapid dev – Software as a Service (Saa. S): complete application – Public, Private, Community & Hybrid Cloud deployments Insert presenter logo here on slide master

Governance and Enterprise Risk Management Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Due Diligence of providers governance structure and process in addition to security controls. SLA’s Risk Assessment approaches between provider and user should be consistent. Consistency in Impact Analysis and definition of likelihood Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Legal and Electronic Discovery • Insert presenter logo here on slide master Cloud Architecture Legal and Electronic Discovery • Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Mutual understanding of roles related to litigation, discovery searches and expert testimony Data in custody of provider must receive equivalent guardianship as original owner Unified process for responding to subpoenas and service of process, etc Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Compliance and Audit • Insert presenter logo here on slide master Cloud Architecture Governance Compliance and Audit • Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Right to Audit Clause Analyze Impact or Regulations on data security Prepare evidence of how each requirement is being met Auditor qualification and selection Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud • •

Information Lifecycle Management • • • Understand provider’s data search capabilities and limitations Insert Information Lifecycle Management • • • Understand provider’s data search capabilities and limitations Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • How is Integrity maintained? If compromised how its detected and reported? Identify all controls used during date lifecycle Know where you data is! Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Portability and Interoperability • Insert presenter logo here on slide master Cloud Architecture Governance Portability and Interoperability • Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Iaa. S - Understand VM capture and porting to new provider especially if different technologies used. Paa. S – Understand how logging, monitoring and audit transfers to another provider Saa. S – perform regular backups into useable form without Saa. S. Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Security, Business Continuity and Disaster Recovery • Insert presenter logo here on slide master Security, Business Continuity and Disaster Recovery • Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Conduct an onsite inspection whenever possible Inspect cloud providers disaster recovery and business continuity plans Ask for documentation of external and internal security controls – adherence to industry standards? Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Data Center Operations Insert presenter logo here on slide master Cloud Architecture Governance and Data Center Operations Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • Demonstration of Compartmentalization of systems, networks, management, provisioning and personnel Understanding of providers patch management policies and procedures – should be reflected in the contract! Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Incident Response, Notification and Remediation Insert presenter logo here on slide master Cloud Architecture Incident Response, Notification and Remediation Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • May have limited involvement in Incident Response, understand prearranged communicated path to providers incident response team What incident detection and analysis tools used? Will proprietary tools make joint investigations difficult? Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Application Security – provider inability to distinguish testing from an actual attack Insert presenter Application Security – provider inability to distinguish testing from an actual attack Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Operating in the Cloud • S-P-I creates different trust boundaries in SDLC – account for in dev, test and production Obtain contractual permission before performing remote vulnerability and application assessments Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud •

Encryption and Key Management • Cloud Architecture Governance and Enterprise Risk Management Legal and Encryption and Key Management • Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Understand provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted Ensure encryption adheres to industry and government standards when stipulated in the contract Insert presenter logo here on slide master Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud • Separate key management from provider hosting the data creating a chain of separation Operating in the Cloud •

Identity and Access Management • Insert presenter logo here on slide master Governance and Identity and Access Management • Insert presenter logo here on slide master Governance and Enterprise Risk Management Legal and Electronic Discovery Identity – avoid providers proprietary solutions unique to cloud provider Local authentication service offered by provider should be OATH compliant Cloud Architecture Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud • IAM is a big challenge today in secure cloud computing Operating in the Cloud •

Virtualization • Understand external security controls to protect administrative interfaces exposed (Web-based, API’s) Reporting Virtualization • Understand external security controls to protect administrative interfaces exposed (Web-based, API’s) Reporting mechanisms that provides evidence of isolation and raises alerts if a breach of isolation occurs. Insert presenter logo here on slide master Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont, , and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud • Understand internal security controls to VM other than built in Hypervisor isolation – IDS, AV, vulnerability scanning etc. Operating in the Cloud •

Additional Cloud Security Alliance Resources 70 Additional Cloud Security Alliance Resources 70

Cloud Security Alliance Initiatives 1. GRC Stack 2. Security Guidance for Critical Areas of Cloud Security Alliance Initiatives 1. GRC Stack 2. Security Guidance for Critical Areas of Focus in Cloud Computing 3. Cloud Controls Matrix (CCM) 4. Consensus Assessments Initiative 5. Cloud Metrics 6. Trusted Cloud Initiative 7. Top Threats to Cloud Computing 8. Cloud. Audit 9. Common Assurance Maturity Model 10. Cloud. SIRT 11. Security as a Service Insert presenter logo here on slide master

Cloud Controls Matrix Tool • Controls derived from guidance • Rated as applicable to Cloud Controls Matrix Tool • Controls derived from guidance • Rated as applicable to S-P-I • Customer vs Provider role • Mapped to COBIT, HIPAA, ISO/IEC 27002 -2005, NIST SP 800 -53 and PCI DSS • Help bridge the gap for IT & IT auditors www. cloudsecurityalliance. org/cm. html Insert presenter logo here on slide master

Contact • • Help us secure cloud computing • • Cloud Security Alliance, Chicago Contact • • Help us secure cloud computing • • Cloud Security Alliance, Chicago Chapter • Linked. In: http: //www. linkedin. com/groups? gid=3755674 www. cloudsecurityalliance. org scott. [email protected] com Insert presenter logo here on slide master

Questions? 74 Questions? 74




  • Мы удаляем страницу по первому запросу с достаточным набором данных, указывающих на ваше авторство. Мы также можем оставить страницу, явно указав ваше авторство (страницы полезны всем пользователям рунета и не несут цели нарушения авторских прав). Если такой вариант возможен, пожалуйста, укажите об этом.