Cloud Computing
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC
Adjunct Professor
President, Cloud Security Alliance – Delaware Valley Chapter (CSA-DelVal)

• Presentation Overview
  – Cloud Overview
    • General
    • Business Case for Cloud Computing
    • Security Guidance
    • Selecting a Cloud Service Provider (CSP)
    • Records & Info Management (RIM) in the Cloud
  – Case Studies
    • e-Discovery IN the Cloud
• General Overview
  – Why should you care about the “cloud”?

Numbers
  – 80% of Fortune 1000 companies will pay to use cloud computing services, and 30% will pay for infrastructure (Gartner).
  – 33% of IT business will be in cloud computing (Gartner).
  – Market: 42 billion (IDC); 95 billion (Merrill Lynch).
  – Numbers around cloud computing are always impressive:
    • At this moment, the five major search engines together have 2,000,000 computers.
    • Microsoft data centre in Chicago: 610,000 servers.

Cloud Computing Trends
Source: Open Group
• What is Cloud Computing?
  – Re-Branded IT Business Model
    • Application Service Provider (ASP)
    • IT Outsourcing (ITO)
  – Formal Characteristics
    • Resource Pooling
    • Rapid Elasticity
  – Confusion
    • Hosting
    • Virtualization
    • Service Provider

Service Delivery Models
Source: Swain Techs

Responsibility (figure: division of responsibility across SaaS providers, PaaS providers and IaaS providers)
Source: Matthew Gardiner, Computer Associates

Private Cloud
• Dedicated Clouds
  – Usually Hosted Internally
    • Use Chargeback/Shared Services Model
  – External Private Clouds Exist
    • Hosting Providers
    • Third Parties
• Business Case for Cloud Computing
  – Time-to-Market
  – Global Presence
  – Focus on Core Competency
  – Elasticity
  – Cost-Benefit Analysis (CBA)

• Partly Cloudy with a Chance of Risk!
  – The Cloud is Perceived as Risky Business
    • Lack of Control
    • Regulatory Compliance
    • Hacks, Outages, Disasters… Oh My!
Source: YouTube

• Security Guidance
  – Existing Certifications/Attestations
    • SAS 70 Type II/SSAE 16/ISAE 3402
    • ISO 27001/2, 27036, 15489
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA/HITECH
  – Guidance Specifically for the Cloud
    • CSA Guide v3.0
    • ENISA Cloud Computing Risk Assessment
    • NIST SP 800-144: Guidelines on Security/Privacy for a Public Cloud
• Selecting a CSP
  – Service Provider/Consumer Process Alignment
  – Portability/Interoperability
  – Contractual/Legal Agreements
  – Industry Tools

• Service Provider/Consumer Process Alignment
  – Change/Configuration Management
  – Loading/Offloading
  – Disaster Recovery
  – Incident Response
  – Legal Hold/Litigation Response/e-Discovery
    • Electronic Discovery Reference Model (EDRM)
  – Records and Information Management (RIM)
    • Generally Accepted Recordkeeping Principles (GARP)
    • Information Governance Reference Model (IGRM)
    • Information Lifecycle Management (ILM)

• Portability/Interoperability
  – Software
  – Data
  – Third Parties

• Contractual/Legal Agreements
  – Service Level Agreements (SLA)
    • Up-Time
    • Jurisdiction
    • Data Ownership
      – Escrow Data
      – Include Metadata
    • Exit Clause
    • Testing
      – Disaster Recovery
      – Incident Response
      – Legal Hold/Litigation Response/e-Discovery
    • Right to Audit
      – Vendor & Vendor’s Vendors
      – GARP-Specific
• Industry Tools
  – Selection
    • Gravitant CloudWiz
    • VMware Cloud Readiness Self-Assessment Tool
  – Brokerage/Management
    • RightScale
    • CloudFloor
    • Skydera
    • enStratus
  – Migration
    • Bit Titan MigrationWiz
    • Layer 2 SharePoint Cloud Connector
    • Metalogix StoragePoint
    • AvePoint DocAve Migrator

Source: Metalogix StoragePoint
Source: AvePoint DocAve Migrator
• RIM in the Cloud
  – Process
    • Self-Service Provisioning
    • CSP Brokerage, Monitoring & Metering
    • CSP Information Governance
    • CSP Adherence to Standards
      – NIST
        » SP 800-92: Log Management
      – ISO
        » 15489: Records Management
        » 23081: Records Metadata
        » 15386: Digital Archive
        » 30300/30301: RIM Management System
        » 17024: Conformity Assessment
  – People
    • More Empowered: Shadow IT, Consumerized IT
      – Millennials Expect Autonomy
      – Bring Your Own Device (BYOD)
      – Less Office Time, But Always On
    • Increased Roles & Responsibilities
    • Additional Tech/Analytical Skill-Sets Required
  – Technology
    • Commoditized
    • CSP Metadata
    • New Technologies: Non-Relational Database Architectures
    • New Paradigms: Big Data (Data Lakes & Cloud)
Source: Flickr
• Case Study: e-Discovery FROM the Cloud
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps

• Case Study: e-Discovery FROM the Cloud
  – Background
    • Financial Services SMB
      – Capital Management (PA)
    • Recent Project: 2010
    • IT: Managed Service Provider/Operations, Director
  – Drivers
    • Cost
    • Compliance
  – Technologies
    • Email: Exchange Server 2007, 2010/Office 365
    • Discovery: Symantec Enterprise Vault (EV) v8.0/v9.0
  – Limitations
    • Budget
    • Skill-Sets
    • Resources
  – Risks
    • Software/System Interoperability
    • Vendor Management: Contractual/SLA Omissions
    • Disaster Recovery: Datacom
    • Legacy Email Availability, No More Archiving
    • Scope Creep
  – Lessons Learned
    • Limited Cost Savings
      – On-Site Exchange Box for Journaling
      – Upgrade to EV v9.0 to Support Exchange 2010
      – Exchange Hosted Encryption (EHE)
      – Forefront Online Protection for Exchange (FOPE)
    • Exchange Journaling From the Cloud, Complicated
      – Microsoft Federation Gateway (MFG)
    • Leverage Interim Solution for BlackBerry Services
      – Shutdown BlackBerry Enterprise Server (BES)
      – Leverage AstraSync (Exchange ActiveSync)
  – Next Steps
    • Upgrade to EV v10.0
      – Incorporate Social Media
    • Test BCP/DR e-Discovery Functionality
    • BlackBerry Office 365
      – Looking at BES Balance (“Data Boxing”)
    • Leverage Office 365 for SharePoint, iOS & Android
      – Nix AstraSync, Reviewing Hosted AirWatch & MobileIron for MDM
    • Reviewing Cloud e-Discovery SaaS Solutions
      – Symantec Enterprise Vault.cloud
      – Microsoft Exchange Online Archiving (EOA)
• Presentation Takeaways
  – Cloud = Re-Branded Business Model, With New Bells & Whistles (Big Data, etc.)
  – Paradigm Shift Towards Empowerment
  – Strategy & Due Diligence Are VERY Important
  – Must Consider the Business Ecosystem

• References
  – CSA Guide: https://cloudsecurityalliance.org/research/security-guidance/
  – BITS Enterprise Cloud Self-Assessment: http://sharedassessments.org/media/pdf-EnterpriseCloud-SA.pdf
  – ENISA Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  – NIST SP 800-144: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
  – IGRM: http://www.edrm.net/projects/igrm
  – EDRM: http://www.edrm.net/
  – MIKE2.0: http://mike2.openmethodology.org/
  – VMware CRSA: http://getcloudready.vmware.com/crsa/
  – Bit Titan MigrationWiz: https://www.migrationwiz.com/Secure/Default.aspx
  – Gravitant cloudWiz: http://www.gravitant.com/cloudwiz-home.html
  – RightScale: http://www.rightscale.com/
  – CloudFloor: http://www.cloudfloor.com/
  – Skydera: http://www.skydera.com/
  – enStratus: http://enstratus.com/
  – Layer 2: http://www.layer2.de/en/products/Pages/Cloud-Connector-for-SharePoint-2010-Office365.aspx
  – Metalogix StoragePoint: http://www.metalogix.com/Products/StoragePoint.aspx
  – AvePoint DocAve: http://www.avepoint.com/sharepoint-to-sharepoint-migration-docave/

• Personal References
  – PenTest Magazine, "Scanning Your Cloud Environment": http://pentestmag.com/client-side-exploits-pentest-082011/
  – ISACA Journal, "Testing Your Incident Response Plan": http://www.isaca.org/Journal/Current-Issue/Pages/default.aspx
  – e-Discovery 2.0: In the Cloud: https://s3.amazonaws.com/nControl-Docs/CSA11_Session-SMarkey.ppt
  – Security in the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Security.ppt
  – System Architecture & Engineering for the Cloud: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Architecture_Engineering.ppt
  – Cloud Computing Primer: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing-Basic.ppt
  – Cloud Computing - Authentication & Encryption: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_II.ppt
  – Cloud Computing - Application & Virtualization Security: https://s3.amazonaws.com/nControl-Docs/Cloud_Computing_Security-Session_III.ppt
  – Securing Your ESI: https://s3.amazonaws.com/nControl-Docs/Securing_Your_ESI_v2.ppt

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1, @csdadelval2011
  – LI: http://www.linkedin.com/in/smarkey
  – CSA-DelVal: http://www.csadelval.org/