sec4608 journey to your cloud: governance and security in your cloud
SEC4608 Journey to Your Cloud: Governance and Security In Your Cloud
Name, Title, Company
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
VMware’s Role in the Cloud
VMware provides virtualization and automation technology to over 250,000 customers worldwide. Since 1998, VMware has worked with 25,000 partners to reduce IT costs, increase business agility, and provide the fundamental building blocks for the modern Cloud.
VMware Vision Team member John Steiner, a Business Solution Architect, collaborates with customers to define and communicate their roadmap to a successful virtualization strategy, bringing 15 years of total IT experience.
John brings an in-depth combination of technical knowledge and business experience to help clients design complex, actionable roadmaps for their journey to the cloud. He has been involved in designing and delivering virtualization solutions to the market for over 8 years. Prior to joining the VMware Vision team as a Solution Architect, he was an infrastructure lead and Consulting Architect for VMware professional field services.
Agenda
• Cloud Computing and Security
• Questions to Ask and Best Practices
• Creating Your Security and Governance Plan
Virtualization Paves the Way to a New Era in IT
Eras of IT: Mainframe, PC / Client-Server, Web, Cloud (enabled by Virtualization)
Cloud Computing will transform the delivery and consumption of IT services
Security and Compliance are Key Concerns for CIOs
Q. What are the top challenges or barriers to implementing a cloud computing strategy?
• Concerns about security: 67%
• Concerns about access to information: 41%
• Concerns about information governance: 37%
• Concerns about the ability to meet enterprise and/or industry standards: 31%
• Difficulty measuring ROI: 30%
• Lack of clear strategy or help from key vendors in adapting their applications: 24%
• Business leaders are not receptive: 14%
• Employees are not receptive: 11%
Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010
Top 4 Concerns are on Security and Compliance
Security and Compliance Concerns in Detail
Infrastructure Team, Security Operations Team, Compliance Officer
Both Security and Proof of Compliance are Required to Build Trust
• How do I verify that confidential & regulated data is secure in the cloud? How do I implement compliance audits for resources in the cloud?
• How can I manage security policies across virtual desktops, servers and networks?
• I have too many VLANs for segmenting traffic and securing applications. I can’t keep up.
Fact
A well-defined governance and security practice, in conjunction with refined process and automation, is imperative to the success of YOUR cloud.
What does your enterprise look like from a cloud readiness perspective?
Cloud Vision
Vision for ITaaS/Cloud: Secured at every layer
Governance and Security in Your Cloud
Traditional
• Infrastructure
• Application
• End User
• Development
• Management
New
• Virtualization
• Social Media
Core
• Security
• Governance
Traditional Models: Applications (Legacy, Current, & New)
Questions to ask:
• What applications are eligible for Cloud?
• Will we increase our reliance on virtual networking and security appliances?
• Where will my data live? How does my security & compliance posture affect applications in the cloud?
• How will my data be transported?
Traditional Models: Applications (Legacy, Current, & New)
Best practices:
• Very few applications can truly leverage the full potential of the cloud in their current state
• Virtual security and networking appliances greatly increase agility in the cloud
• Trust, risk & compliance: a systematic review is required for potential policy revision
• VPN, extended private cloud
Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)
Questions to ask:
• Do we have a defined, repeatable build process?
• What is the current security posture?
• Where will my data live?
• Will we be able to minimize data center access as a result of leveraging cloud?
• What data security regulations must be considered?
• Do we intend to move off of legacy hardware in order to better leverage the cloud? How will controls be affected?
Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)
Best practices:
• Documented build standards assure repeatable, secure systems
• Security should be taking an active role in all virtualization initiatives
• Virtualized, tiered storage in private and public clouds
• Virtualization and cloud computing make near lights-out data centers a reality
• PCI, HIPAA, NSTISSP, Sarbanes-Oxley, FIPS, etc.
• Legacy system migration assures reliable, flexible, elastic computing. Controls must evolve accordingly
Traditional Models: Development
Questions to ask:
• Software development life cycle: where is the code at any given time?
• Will Agile development methodologies impact our current security, compliance and governance processes?
• How do we assure self-service development appropriately serves the business but does not seed rogue development efforts?
• Can we create a more controlled software code repository?
• Are my developers using cloud-based development tools? Do we need to be concerned with intellectual property?
Traditional Models: Development
Best practices:
• Code repository should remain in a controlled, managed state
• Build policies around acceptable usage of self-service resources; show-back mechanisms will permit distributed control
• Existing processes should be reviewed to accommodate new potential impacts
• Inventory all development models, create policies to control where development is executed
Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)
Questions to ask:
• How will an App Store affect or change authentication and credential stores?
• Have we defined a list of approved access devices, or do we loosely manage what can connect?
• How do we secure the data both on the devices and in transport?
• Can we improve desktop and security compliance by moving our desktops into a cloud model?
• How can we protect the desktops of the future from attacks and viruses?
Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)
Best practices:
• Build standard processes around acceptable application store development and distribution
• Create or modify security standards regarding mobile devices
• Categorize data by type, sensitivity and transport
• Security and controls can be greatly improved by leveraging standardized builds in a centralized location
• Minimal O/S virtual desktop / app store model
New Model: Virtualization
Questions to ask:
• Do we have a virtualization-first policy, and where does the sponsorship reside?
• Have we made accommodations for virtualization in our existing process, procedures, security and governance policies?
• Should we be leveraging virtualization to realize our BC/DR RPO/RTO requirements?
New Model: Virtualization
Best practices:
• A virtualization-first policy requires executive governance to be effectively executed
• Review security and governance documentation and augment it for a virtual/cloud-based infrastructure
• Virtualization can dramatically improve BC/DR capabilities and should be leveraged in any opportunity available to meet compliance regulations
New Models: Social Media
Questions to ask:
• Will social media play a role in our formal cloud strategy?
• Have we looked into the implications of social media and the potentially positive and/or negative impact it could have on our organization?
• Does a social media policy exist? Has it been accounted for in any other governance or compliance documentation?
• What is already out on this forum with or without our permission?
• Does social media play a role in business critical applications or procedures?
New Models: Social Media
Best practices:
• Social media should be included as a part of your cloud strategy
• Socialize and educate your staff on the opportunities presented by social media
• Create a formal social media policy that meets security and governance requirements
• An inventory of all social media outlets accessed should be created
• Identify any mission critical process that relies on social media and plan appropriately
Core Models: Governance
Questions to ask:
• How will cloud computing impact your current governance model?
• What is running in the cloud today outside of your enterprise governing policies?
• Can the proper controls be put into place for a corporate public cloud computing strategy?
• Are the current policies broad enough to appropriately govern a self-service, cloud-based business model?
• Is my staff appropriately educated to fully understand the implications and act on them?
Core Models: Governance
Best practices:
• Comprehensively review all aspects affected by virtualization and cloud computing
• Inventory and understand all application usage patterns
• The controls can be accommodated with proactive planning and preparation
• Understand the business requirements of all service catalog items; assure existing security policies and procedures can accommodate the model
• Create centers of excellence to appropriately disseminate information across all teams affected
Core Models: Security
Questions to ask:
• Are our scanning and intrusion policies robust enough for near-real-time provisioning?
• How will our security access policies and procedures need to change?
• How should our security policies change to accommodate new data security issues?
• What kind of containment policy should be in place to stop improper activity should it occur?
• Should we consider leveraging virtual routing and firewalls as a part of our private cloud strategy?
Core Models: Security
Best practices:
• Scanning processes and procedures must move to a higher level of proactivity
• ACL policies most certainly require review and design enhancement
• Stronger enforcement of data encryption for cloud database entities should exist
• Appropriate logging and access control lists must be maintained to quickly contain and avoid improper activity
• Virtual security and networking devices are key to cloud; physical controls must be extended to accommodate them
Core Models: Management
Questions to ask:
• Is our management infrastructure beyond reactive?
• How much additional automation is required to keep up with the rapid provisioning capabilities of cloud computing?
• What is needed to move beyond proactive and into predictive?
• How will we meter resources, provide show-back and manage SLAs?
Core Models: Management
Best practices:
• Enterprise monitoring components must move beyond reactive to predictive
• Automation must strive to approach 100%, which will require security and compliance to be baked in
• Create a reference architecture related to management infrastructure
• Automation is key; architect the solution prior to implementation
Next Steps
• Create a visual representation of your environment and how governance and security will be affected
• Create a visual gap analysis for reference which easily identifies key areas of strength and needs for improvement
• A holistic view of what is truly required from a governance, compliance and security perspective to safely leverage both a private and public cloud infrastructure
• Build a roadmap to close these gaps
Your Cloud Security Architecture
On-Demand Self-Service: Flexibility, Portability, Elasticity
Governance | Management | Infrastructure | Applications | Development | Virtualization | End User Computing | Security | Social Media
Implications of Failure
FAILURE = BAD
Failure to prepare for the rules of this new compute model will result in either an inability for IT to meet business needs, or an environment that lacks the controls and measures necessary to appropriately secure the enterprise.
Final Thoughts
• Understand the business drivers before making technology decisions
• Heat map your entire IT infrastructure in order to forecast bumps in the road well before you reach them
• Set reasonable goals in an actionable roadmap
• Outline a holistic view of what is truly required from a governance, compliance and security perspective to safely leverage both a private and public cloud infrastructure