53f33ec3b71699b8de49957887930166.ppt
- Number of slides: 74
WHAT IS CLOUD COMPUTING REALLY?
Scott Clark, Chicago Chapter President, Cloud Security Alliance
The Blind Men and the Cloud
It was six men of Info Tech
To learning much inclined,
Who went to see the Cloud
(Though all of them were blind),
That each by observation
Might satisfy his mind

The First approached the Cloud,
So sure that he was boasting
“I know exactly what this is…
This Cloud is simply Hosting.”

The Second grasped within the Cloud,
Saying, “No it’s obvious to me,
This Cloud is grid computing…
Servers working together in harmony!”

The Third, in need of an answer,
Cried, "Ho! I know its source of power
It’s a utility computing solution
Which charges by the hour.”

The Fourth reached out to touch it,
It was there, but it was not
“Virtualization,” said he.
“That’s precisely what we’ve got!”

The Fifth, so sure the rest were wrong
Declared “It’s SaaS you fools,
Applications with no installation
It’s breaking all the rules!"

The Sixth (whose name was Benioff),
Felt the future he did know,
He made haste in boldly stating,
“This *IS* Web 3.0.”

And so these men of Info Tech
Disputed loud and long,
Each in his own opinion
Exceeding stiff and strong,
Though each was partly in the right,
And all were partly wrong!
Sam Charrington & Noreen Barczweski © 2009, Appistry, Inc
Agenda
• Introduction to Cloud Computing
• What is Different in the Cloud?
• CSA Guidance
• Additional Resources
“This Cloud is simply Hosting”
Evolution of “Hosting”: CUSTOM “Co-Location” → COMMODITY “Cloud Service Providers”
Evolution of Data Centers – closest to power plants
Google Data Center
• State of Oregon
• Columbia River
• 103 megawatt data center on 30 acres
• Near 1.8 GW hydropower station
Data Center is the new “Server”
POD Computing
Google’s low cost commodity server
Is This New??
• Berkeley credited
• Cluster of servers
• Started in 1994
Broadband Network Access
Rapid Elasticity
Measured Service
• Risk of over-provisioning: underutilization
[Figure: static data center; Resources vs Time, capacity line above the demand curve, gap labelled “Unused resources”]
Measured Service
• Heavy penalty for under-provisioning
[Figure: Resources vs Time (days); demand curve rises above the capacity line, labelled “Lost revenue” in one panel and “Lost users” in the other]
Measured Service
• Pay by use instead of provisioning for peak
[Figure: static data center vs data center in the cloud; in the cloud panel capacity tracks demand and “Unused resources” shrinks]
Source: “Above The Clouds”
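The three Measured Service slides contrast a static data center sized for peak (or below it) with pay-by-use capacity. The simulation below is an added example written for this page, not code from the deck or from the “Above The Clouds” paper; the hourly demand series, the instance granularity (`step`) and the price per server-hour are constructed values.

```python
"""Static peak provisioning vs pay-by-use capacity.

Added example (not from the slides or from "Above The Clouds"): the demand
series, the instance granularity and the price are constructed values.
"""
from dataclasses import dataclass

# Constructed hourly demand in server-equivalents over one day (daytime peak).
DEMAND = [20, 15, 12, 10, 10, 12, 25, 40, 60, 80, 95, 100,
          100, 95, 90, 85, 70, 60, 50, 45, 40, 35, 30, 25]


@dataclass
class Outcome:
    capacity_hours: int  # server-hours paid for
    unused_hours: int    # paid-for but idle server-hours (over-provisioning)
    lost_hours: int      # demand server-hours not served (under-provisioning)


def static_datacenter(demand, capacity):
    """Fixed capacity: every hour pays for `capacity` servers, whatever the demand.
    Sizing for the peak leaves unused resources; sizing below it loses users."""
    unused = sum(max(capacity - d, 0) for d in demand)
    lost = sum(max(d - capacity, 0) for d in demand)
    return Outcome(capacity * len(demand), unused, lost)


def cloud_datacenter(demand, step=10):
    """Elastic capacity: each hour provision the smallest multiple of `step`
    servers that covers demand (instances come in fixed sizes). Nothing is
    lost, and waste is bounded by the rounding granularity."""
    caps = [-(-d // step) * step for d in demand]  # ceiling to a multiple of step
    unused = sum(c - d for c, d in zip(caps, demand))
    return Outcome(sum(caps), unused, 0)


def cost(outcome, price_per_server_hour):
    """Bill: you pay for capacity, used or not; lost demand is a separate penalty."""
    return outcome.capacity_hours * price_per_server_hour


if __name__ == "__main__":
    price = 0.10  # constructed $/server-hour
    runs = [("static, sized for peak", static_datacenter(DEMAND, max(DEMAND))),
            ("static, sized for 60", static_datacenter(DEMAND, 60)),
            ("cloud, pay by use", cloud_datacenter(DEMAND))]
    for label, out in runs:
        print(f"{label:24s} cost=${cost(out, price):7.2f} "
              f"unused={out.unused_hours:5d} lost={out.lost_hours:4d}")
```

Sizing the static center for the peak wastes roughly half the paid capacity on this demand curve, sizing it for 60 turns away 235 server-hours of demand, and the elastic case pays only for the rounding slack.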
Resource Pooling = Virtualization
[Figure: Traditional Stack (App on Operating System on Hardware) vs Virtualized Stack (App/OS, App/OS, App/OS on Hypervisor on Hardware)]
Server Virtualization
Storage Virtualization
Superior Network Virtualization
Traditional (ToR switch in front of application VMs):
☒ High CapEx
☒ Low Utilization
☒ High Complexity
☒ Change-Resistant
Virtualized (platform-independent, razor-thin CapEx):
✓ Deploy anywhere
✓ Elastic scalability
✓ Interfaces with provisioning & orchestration systems
✓ Evolves with rapidly changing network architectures
✓ Utility licensing model
Case Study
• Genentech needed a supercomputer to examine how proteins bind together
• Using Genentech’s own resources would have taken weeks or months to gain access & run the program
• Created a 10,000-core cluster
• Leveraged Amazon’s EC2
Completed in 8 Hours! Genentech’s Cost = $8,480!
• Cluster Size: 10,000 cores, 8.75 TB RAM, 2 PB of disk space total
• Scale: Comparable to #114 of the Top 500 Supercomputer list
• Security: Engineered with HTTPS & 128/256-bit AES encryption
• User Effort: Single click to start the cluster
• Start-up Time: Thousands of cores in minutes, full cluster in 45 minutes
• Up-front Capital Investment/Licensing Fees: $0
• Infrastructure: 1250 instances with 8 cores / 7 GB RAM
• Total CycleCloud and Infrastructure Cost: $1,060/hour
Delivery Models
“Why do it yourself if you can pay someone to do it for you?”
• Utility computing (IaaS)
  – Why buy machines when you can rent cycles?
  – Examples: Amazon’s EC2, GoGrid, AppNexus
• Platform as a Service (PaaS)
  – Give me a nice API and take care of the implementation
  – Example: Google App Engine, Force.com
• Software as a Service (SaaS)
  – Just run it for me!
  – Example: Gmail, Salesforce.com and NetSuite
Forrester: Cloud Market To Reach $241 Billion By 2020
Case Study – Hybrid Cloud
• June 25, 2009
• 1 million visits in 24 hrs
• Twitter stood still
• Ticketmaster crawled
• Yahoo!: 16.4 million site visitors in 24 hours, more than Election Day’s 15.1 million
• Sony.com couldn’t sell music – 200 sites down
Private to Public Burst
What About Service Oriented Architecture???
BREAK
What is Different in the Cloud?
• Many concepts “in the cloud” are similar to concepts in standard outsourcing
• There are at least four themes which require a different mindset when working on security for cloud services:
  – Role clarity for security controls
  – Legal / jurisdictional / cross-border data movement
  – Virtualization concentration risk
  – Virtualization network security control parity
What is Different in the Cloud? Role Clarity
[Figure: service-model spectrum. SaaS (Software as a Service): Security ~ THEM; PaaS (Platform as a Service) in between; IaaS (Infrastructure as a Service): Security ~ YOU]
What is Different in the Cloud? Legal / Jurisdictional Issues Amplified
[Figure: “Your Corporate Data?” surrounded by “Cloud” Provider Datacenters in London, U.K.; Geneva, Switzerland; Tokyo, Japan; San Francisco, USA; and São Paulo, Brazil]
What is Different in the Cloud? Virtualization Concentration Risks
“Old Way – Hack a System” vs “New Way – Hack a Datacenter”
[Figure: many virtual machines sharing a single Hypervisor]
What is Different in the Cloud? Virtualized N-Tier Control Equivalence
“Current Way”: Internet Users → FW, WAF, NIDS/IPS → Presentation Layer → FW, WAF, NIDS/IPS → Data Layer
“New Way”: Internet Users → Hypervisor hosting the tiers
How do we ensure control parity?
Key Cloud Security Problems
From CSA Top Threats Research:
– Trust: lack of provider transparency, impacts Governance, Risk Management, Compliance
– Data: leakage, loss or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks
Cloud Security Alliance Guidance
Cloud Security Alliance Guidance
• Cloud Architecture
• Governing the Cloud
  – Governance and Enterprise Risk Management
  – Legal and Electronic Discovery
  – Compliance and Audit
  – Information Lifecycle Management
  – Portability and Interoperability
• Operating in the Cloud
  – Security, Business Continuity, and Disaster Recovery
  – Data Center Operations
  – Incident Response, Notification, Remediation
  – Application Security
  – Encryption and Key Management
  – Identity and Access Management
  – Virtualization
Available at http://www.cloudsecurityalliance.org/Research.html
Defining Cloud
• On demand provisioning
• Elasticity
• Multi-tenancy
• Key types
  – Infrastructure as a Service (IaaS): basic O/S & storage
  – Platform as a Service (PaaS): IaaS + rapid dev
  – Software as a Service (SaaS): complete application
  – Public, Private, Community & Hybrid Cloud deployments
Governance and Enterprise Risk Management
• Due diligence of the provider’s governance structure and process in addition to security controls.
• SLAs
• Risk assessment approaches between provider and user should be consistent.
• Consistency in impact analysis and definition of likelihood
Legal and Electronic Discovery
• Mutual understanding of roles related to litigation, discovery searches and expert testimony
• Data in custody of the provider must receive equivalent guardianship as with the original owner
• Unified process for responding to subpoenas, service of process, etc.
Compliance and Audit
• Right to Audit clause
• Analyze the impact of regulations on data security
• Prepare evidence of how each requirement is being met
• Auditor qualification and selection
Information Lifecycle Management
• Understand the provider’s data search capabilities and limitations
• How is integrity maintained? If compromised, how is it detected and reported?
• Identify all controls used during the data lifecycle
• Know where your data is!
Portability and Interoperability
• IaaS – understand VM capture and porting to a new provider, especially if different technologies are used.
• PaaS – understand how logging, monitoring and audit transfer to another provider
• SaaS – perform regular backups into a usable form that does not depend on the SaaS.
Security, Business Continuity and Disaster Recovery
• Conduct an onsite inspection whenever possible
• Inspect the cloud provider’s disaster recovery and business continuity plans
• Ask for documentation of external and internal security controls – adherence to industry standards?
Data Center Operations
• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
• Understanding of the provider’s patch management policies and procedures – should be reflected in the contract!
Incident Response, Notification and Remediation
• You may have limited involvement in incident response; understand the prearranged communication path to the provider’s incident response team
• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?
Application Security
• S-P-I creates different trust boundaries in the SDLC – account for them in dev, test and production
• Obtain contractual permission before performing remote vulnerability and application assessments
  – the provider is unable to distinguish testing from an actual attack
Encryption and Key Management
• Understand the provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
• Ensure encryption adheres to industry and government standards when stipulated in the contract
• Separate key management from the provider hosting the data, creating a chain of separation
Identity and Access Management
• IAM is a big challenge today in secure cloud computing
• Identity – avoid proprietary solutions unique to the cloud provider
• A local authentication service offered by the provider should be OATH compliant
Virtualization
• Understand external security controls that protect exposed administrative interfaces (Web-based, APIs)
• Understand internal security controls applied to VMs beyond built-in hypervisor isolation – IDS, AV, vulnerability scanning etc.
• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs.
Additional Cloud Security Alliance Resources
Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service
Cloud Controls Matrix Tool
• Controls derived from the guidance
• Rated as applicable to S-P-I
• Customer vs provider role
• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS
• Helps bridge the gap for IT & IT auditors
www.cloudsecurityalliance.org/cm.html
Contact
• Help us secure cloud computing
• Cloud Security Alliance, Chicago Chapter
• LinkedIn: http://www.linkedin.com/groups?gid=3755674
• www.cloudsecurityalliance.org
• scott.clark@vyatta.com
Questions?