cis13: security's new normal: is cloud the answer?
Post on 08-Jun-2015
Security’s New Normal: Is Cloud the Answer?
Prepared by IDC for: Cloud Identity Summit, July 2013
Sally J. Hudson, Research Director, Identity and Access Management, BuyerPulse
Security Perimeters: New Normal
3rd Platform Built on Four Pillars
Four Pillars of 3rd Platform:
§ Mobile – Creates the need for stronger access controls and authentication. Expect more partnerships, acquisitions and innovations in the mobile space.
§ Cloud – Drives the need for FSSO and authentication, user provisioning, and privileged ID management.
§ Social Networking – Companies want to leverage this, but are cautious due to security concerns. Needs: authentication and federation.
§ Big Data – In conjunction with security: rich identity profiles, threat prevention and fraud detection.
3rd Platform Customer Requirements
Fixed
§ Global consumer & corporate privacy & security regulations (civil law)
§ Law enforcement (criminal law)
§ Instantaneous & assured communications with negligible downtime
§ Revenue creation and profitability
§ Apps (write once, test everywhere)
Fluid
§ Communities of shared interest & social pressures (good, bad, gray)
§ Control issues (risk, acceptable speech, reputation, privacy & trust)
§ Under-web of sensors & monitoring
§ Services-based approach vs. client-orientation
COO’s New Normal: Issues in 2013
Consolidate
§ Consolidate
§ Virtualize
§ Automate
§ Optimize
§ Host/Outsource
Collaborate
§ Biz Efficiency
§ Innovate
§ Modernize
§ Mobile/Social
§ Biz Analytics
Calculate
§ Actuarial Data
§ Predictable Operational Expenses
§ Risk
§ Compliance
Consolidate: Old Issues & New Solutions
§ New
- Worldwide core controls that minimize differences
- Auditors collaborate with IT to help design a compliance dashboard for a variety of non-IT groups
- Common worldwide controls that are cloud-based
§ Old
- Company siloed by business units and geography
- Custom controls
- Auditors were the enemy
- Senior management confused about corporate-wide policies
- Little anticipation or planning for pending regulations
Shifting IT Spend: Private Cloud is near term cloud strategy
Q. Please estimate how much of your company's IT budget will be allocated to buying and managing these different types of IT services
[Chart: estimated share of IT budget by service type, Today vs. 24 Months. Series: Public Cloud, Private Cloud – Hosted, Private Cloud – In-house, Outsourced IT, Traditional IT.]
§ Enterprises see private cloud as the onramp to cloud for the next 24 months
§ Automation and elasticity will become the mantra
§ Pre-integrated modularity will become critical
Source: IDC’s Cloud Computing Survey, January 2011 n=603
Cloud Providers: Can You Trust Them?
§ SLAs can offer complete visibility and “partnership” with the Cloud provider
§ Capex → Opex expense = Making friends with the CEO and CFO again
§ Defensible posture and extensible “modular” architecture
§ Pay as you go
§ And more…
Cloud Benefits and Challenges
[Chart: cloud benefits (positive side) vs. challenges (negative side), percentage scale from -80% to 80%]
Benefits:
§ Pay-as-you-go (opex)
§ Easy/fast to deploy to end-users
§ Pay only for what you use
§ Allows us to reduce IT headcount
§ Makes sharing with partners simpler
§ Encourages standard systems
§ More sourcing choices
§ Faster deployment of new services
Challenges:
§ Regulatory requirement restrictions
§ Performance/response times
§ Availability/service provider uptime
§ Not robust enough for critical apps
§ Not enough ability to customize
§ Hard to integrate, manage with in-house IT
§ May cost more
§ Security
Themes: Reliability, Availability, Security, Total Cost, Time to Deploy, Pay for Use, Collaboration
Cloud Security & Compliance: Table Stakes for Enterprise Clouds
Q. Rate these statements about cloud security
[Chart: % of sample rating 4 & 5]
§ Issue: Security & compliance
§ Data in motion more important than data at rest
§ Key management stays with customer
§ Issue: Metrics
§ Risk guarantees
§ Threats/Attacks
§ Breaches
§ Privileged & Customer Access
§ Continuous Compliance
Cloud Security & Compliance: Consumer Cloud T’s & C’s Exclude Security
Indemnification is Explicit: “You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand….”
Data Locality Cannot be Guaranteed: “Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using the Service, you consent to any such transfer of information outside of your country….”
Service Interruption is Permissible: “Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Yahoo! Services (or any part thereof) with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Yahoo! Services (or any part thereof)….”
Intellectual Property Rights are Abdicated to Providers: “By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, publish and distribute such Content on Google services for the purpose of displaying and distributing Google services….”
§ Lack of security in consumer clouds today is explicitly stated
§ Data is an organization’s most valuable asset
§ Large providers become a target and a single point of failure
Security controls by maturity level (Predictive, Proactive, Reactive) across the four pillars: Cloud, Mobile, Social Networks, Big Data (Threat Intelligence)
Predictive
§ Cloud: Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection & Vulnerability Assessment
§ Mobile: Strong Authentication, Data Protection & Granular Access Controls
§ Social Networks: Data Loss Prevention with data protection & justification for violations
§ Big Data (Threat Intelligence): Raw and analyzed threat feeds from multiple sources integrated with all management consoles
Proactive
§ Cloud: VPN, Single Sign-On & Strong Passwords
§ Mobile: Mobile Device Management
§ Social Networks: Keyword-based monitoring & logging
§ Big Data (Threat Intelligence): Network monitoring and SIEM
Reactive
§ Cloud: Access control
§ Mobile: Device Password
§ Social Networks: Acceptable Use Policy
§ Big Data (Threat Intelligence): Signature-based detection
Goals:
1) Timely remediation of existing breaches.
2) Early detection & mitigation of advanced, targeted attacks.
3) Policy monitoring & enforcement of internal and external regulations.
Essential Guidance: New Normal & Securing 3rd Platform
Essential Guidance
§ Cloud offerings should allow you to examine your IT investments strategically and avoid point solution thinking
§ Make sure your services firm can clearly articulate their differentiated offers, methodologies, tools and processes, certifications and domain expertise before embarking on a major IT transformation or initiative
Contact Information
Email me at: sjhudson@idc.com
Follow me at: twitter.com/@sjhudson11