Cloud security jean pawluk ewf talk sept 2009

©Jean Pawluk. Cloudy Weather: Cloud Computing Security. Jean Pawluk, Chief Architect. Prepared for Executive Women's Forum, Emerging Technology Workshop, September 2009

Transcript of Cloud security jean pawluk ewf talk sept 2009

Page 1: Cloud security jean pawluk ewf talk sept 2009

©Jean Pawluk

Cloudy Weather: Cloud Computing Security

Jean Pawluk, Chief Architect

Prepared for Executive Women's Forum, Emerging Technology Workshop, September 2009

Presenter
Presentation Notes
The views and opinions expressed here are mine and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
Page 2

With great opportunity comes great risk

Page 3

In the Way Back Machine…


Think back to the time of "big iron":
• Ruled by mainframes and minis
• Few mobile devices

Think again about the last few years: big changes occurred with the Internet and the mobility of devices.

Today's evolution:
• Convergence of the two
• Ubiquity of compute power

Page 4

Opportunity to discover …


Presenter
Presentation Notes
Lots of connected ideas in the cloud. It seems confusing, but let's break it down into some tasty and digestible parts.
Page 5

Cool Hype… & lots of confusion

Confusion abounds today as several ideas and services are labeled "cloud computing". A few myths exist:
• Cloud computing is a new revolution (it's an old idea)
• Cloud computing is just virtualization
• The Internet and the Web are the cloud
• Every vendor has a different cloud
• Everything will be in the cloud (as if)

Nevertheless: under the hype a very important paradigm shift is occurring that is similar to the move to the Internet.

Page 6

You can find the cloud today…

Swarms of connected technology and business services, which are offered, bought, sold, used, repurposed

On shared worldwide networks of service providers, consumers, aggregators, and brokers

- Creating -

New ways of offering, using, and organizing information and functionality

Examples:
• Social networks, virtual worlds, games, blogs
• Books & magazines & newspapers
• "Free" email
• Data everywhere / all of the time
• Market research, census data, aggregators
• Marketing collateral
• Video, phone, TV, photos, music
• Virtual desktops, search engines

Presenter
Presentation Notes
But where is the privacy? The security? What about you???
Page 7

So when will we…

• Stop talking about the Internet (which was the "cloud"), and when will the Cloud be omnipresent?
• Move from managers of technology to managers of services…
• Move from a focus on cost to a focus on value…
• Move from overhead to a team that enables growth…

Next?

Page 8

Cloud-onomics (diagram, courtesy and copyright of IBM)

CLOUD COMPUTING = OPTIMIZED BUSINESS = AGILITY + BUSINESS & IT ALIGNMENT + SERVICE FLEXIBILITY + INDUSTRY STANDARDS
…allows you to optimize new investments for direct business benefits

CLOUD COMPUTING = REDUCED COST = VIRTUALIZATION + ENERGY EFFICIENCY + STANDARDIZATION + AUTOMATION
…leverages virtualization, standardization and automation to free up operational budget for new investment

Page 9

Cloud Computing Business Drivers

Cost: pay per use; no hardware or startup costs; low investment in capital expenditure & time-to-live

Flexibility: use cloud computing services when needed; dynamically grow and shrink services

Simplicity: typically browser-based user interfaces

Response: speed to market; fast resourcing (provisioning and de-provisioning processing, etc.)

Availability: many cloud service providers have global, robust network, CPU and application capability

Page 10

Several Cloud Deployment Models:
• Private enterprise / internal cloud
• Managed private cloud
• External public cloud
• Hybrid combination

Jericho Cloud Cube Model

Page 11

Public Cloud Computing: From a user perspective

• User:
– Builds a web application
– Using a standard platform and database
– Uploads this application to a cloud provider

• Cloud provider:
– Provisions the services
– Scales the application and the database together

• User:
– Doesn't care about which servers, which databases, which hardware, how much memory (the cloud platform handles all of that)
– Users are totally free from any technical complexity other than the service itself

• Cloud provider:
– Decides how to cache content, how and where to deploy servers based on demand, performs backups, and even has the ability for the business to distinguish "production" from "staging" deployments
– Has ongoing management and monitoring of the external service

• User:
– Only pays for what is used, when the user needs it
– Everything else is an implementation detail

Great idea, but where are the data security controls in this point of view???

Presenter
Presentation Notes
The biggest clouds today are profitable and criminal –> botnets ("free", utility, cheap, easy to use and buy)
Page 12

Evolving Cloud Architectures (diagram courtesy of Chris Hoff)

Central architectural concept is XaaS (everything as a service). Core being:
• IaaS (Infrastructure)
• PaaS (Platform)
• SaaS (Software)

Yet security is off to the side. The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

Page 13

Risk - Who controls security?

Diagram: the stack from IaaS through PaaS to SaaS. With IaaS, you build in your own security; with SaaS, you "SLA" security. The lower down the stack a Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

Presenter
Presentation Notes
Adapted from Chris Hoff's chart. Need to ensure that your business, technical and legal people understand the fine points of cloud service contracts.
Page 14

READ the fine print…

7.2 Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

Source - http://aws.amazon.com/agreement/

Presenter
Presentation Notes
This is just an example. This stance is not unique to Amazon; many other providers do the same… Read the fine print on all agreements so you understand what you are doing and do not rush blindly into putting your valuable assets outside your control. Cloud providers, just like all outsourcers, write their SLAs to minimize their financial exposure by limiting payment to the cost of the lost service, not the financial effect of the lost service.
Page 15

What's ready for the cloud?

• When the processes, applications and data are largely independent
• When the points of integration are well defined
• When a lower level of security will work just fine
• When the core internal enterprise architecture is healthy
• When the Web is the desired platform
• When cost is an issue
• When the applications are new

Courtesy and Copyright of David Linthicum

Page 16

Cloud Computing Services Players

Infrastructure - Computing infrastructure, typically a platform virtualization environment, as a service
• Full virtualization (GoGrid, Skytap)
• Grid computing (Sun Grid)
• Management (RightScale)
• Compute (Amazon Elastic Compute Cloud)

Platform - The delivery of a computing platform, and/or solution stack, as a service
• Web application frameworks: Ajax (Caspio), Python Django (Google App Engine), Ruby on Rails (Heroku)
• Web hosting (Mosso)
• Proprietary (Azure, Force.com)

Storage - Data storage as a service, billed on a utility basis, e.g. per gigabyte / month
• Database (Amazon SimpleDB, Google App Engine's BigTable datastore)
• Network attached storage (MobileMe iDisk, CTERA Cloud Attached Storage, Nirvanix CloudNAS)
• Synchronization (Live Mesh Live Desktop component, MobileMe push functions)
• Web service (Amazon Simple Storage Service, Nirvanix SDN)

Page 17

Cloud Computing Services Players (more)

Business Services - Interoperable machine-to-machine interaction over a network, accessed by other cloud computing components or directly by end users
• Identity (OAuth, OpenID)
• Integration (Amazon Simple Queue Service)
• Payments (Amazon Flexible Payments Service, Google Checkout, PayPal)
• Mapping (Google Maps, Yahoo! Maps)
• Search (Alexa, Google Custom Search, Yahoo! BOSS)
• Others (Amazon Mechanical Turk)

Application - Cloud-based software that often eliminates the need for local installation
• Peer-to-peer / volunteer computing (BitTorrent, BOINC projects, Skype)
• Web application (Facebook)
• Software as a service (Google Apps, Salesforce)
• Software plus services (Microsoft Online Services)

Page 18

What's not ready for the cloud?

• When the processes, applications and data are largely coupled
• When the points of integration are not well defined
• When a high level of security is required
• When the core internal enterprise architecture needs work
• When the application requires a native interface
• When cost is an issue
• When the applications are legacy

Courtesy and Copyright of David Linthicum

Page 19

What's not ready for the cloud? (more)

1. Work which depends on sensitive data normally restricted to the Enterprise
– Employee information: not ready to move enterprise info with high sensitivity of the data into a public cloud
– Health care records: do not move until the security of the cloud provider is well established
2. Work composed of multiple, co-dependent services
– High-throughput online transaction processing
3. Work requiring a high level of auditability, accountability and regulation
– Work subject to Sarbanes-Oxley
4. Work based on 3rd party software which does not have a cloud-aware licensing strategy
5. Work requiring detailed chargeback or utilization measurement, as required for capacity planning or departmental-level billing
6. Work requiring customization (e.g. customized SaaS)

Page 20

Security Questions - They go on & on…

Shared infrastructure
• As we open up systems, can we expect the same security, reliability, & availability?
• Who are you sharing that server with?

Consumption-based pricing
• What happens if you don't pay your bill? Do you lose your data?
• How do we control and monitor consumption?

Improved business continuity
• What infrastructure are the applications running on?
• What protection do we have against outages?
• What legal recourse do we have?

Massively scalable
• Where does our data reside? In a foreign country?

Mobility & flexibility
• Will vendor relationship management hamper mobility?
• Can any "fly-by-night" coder & service be a cloud?
• Will we see service brokers emerge?

Internet-based & easily accessible
• Will the cloud enable an increase of shadow IT?

Page 21

Cloud Security - Areas of Concern
• Information lifecycle management
• Governance and Enterprise Risk Management
• Compliance & Audit
• General Legal
• eDiscovery
• Encryption and Key Management
• Identity and Access Management
• Storage
• Virtualization
• Application Security
• Portability & Interoperability
• Data Center Operations Management
• Incident Response, Notification, Remediation
• "Traditional" Security impact (business continuity, disaster recovery, physical security)

Trust Time Bomb

Presenter
Presentation Notes
See the work of the Cloud Security Alliance (I am a founding advisor and contributor): http://www.cloudsecurityalliance.org/. It was at RSA Conference 2009 and released the "Security Guidance for Critical Areas of Focus in Cloud Computing" document.
Page 22

Back to the Future: Co-existing delivery models?

Diagram: SaaS, IaaS & PaaS public / private example. Service consumers reach the Enterprise through service integration layers spanning Traditional Enterprise IT, a Private Cloud and Public Clouds:
• Traditional Enterprise IT: mission-critical packaged apps, high compliancy
• Private Cloud: test systems, storage cloud, developer systems
• Public Clouds: variable storage, software as a service, web hosting

Security issues will occur crossing between private and public use

Presenter
Presentation Notes
Security at the edges is always the most vulnerable and this is a big edge…
Page 23

Summary

Cloud Computing is real and transformational. Cloud Computing can be secured but can also carry increased risk due to aggregation of assets.

Cloud needs:
• Broad governance approach
• Tactical fixes

Know that there is "no free lunch".

Page 24

Bridge the chasm from now to future…

Take the time now to tackle future issues:
• Practical, technical issues are addressed
• Security issues are addressed

Confidence will increase as Cloud Computing evolves and mainstreams; lifecycle hype reduces over time.

So don't rush… think and do it right

Presenter
Presentation Notes
Think about all of the what-ifs. It really is a case of "pay me now" (do the research and due diligence work upfront) or be stuck in "pay me later" mode.
Page 25

Cloud Security Alliance - Call to Action

Discussions & announcements on LinkedIn. Join us, help make our work better. Other research initiatives and events are being planned.

• www.cloudsecurityalliance.org
• [email protected]
• Twitter: @cloudsa, #csaguide
• LinkedIn: Cloud Security Alliance group, www.linkedin.com/groups?gid=1864210

Presenter
Presentation Notes
Jean Pawluk, Chief Architect, Visa. Reach me on LinkedIn or via the Cloud Security Alliance group, cloudsecurityalliance.org. The views and opinions expressed here are mine and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.