ETSI - Standards in the

cloud

Mobile internet and

cloud computing

Senior Director, Europe Technical Sales

Adam Heywood

Presenter BiographyAdam Heywood

Adam Heywood is Senior Director of Technical Presales for CA Technologies

security management business in EMEA. Adam has worked in the enterprise IT

infrastructure market place for over 25 years, most recently he joined CA

Technologies through the acquisition of Netegrity and has over 12 years’

experience in the IT security management marketplace. Internally to CA Adam experience in the IT security management marketplace. Internally to CA Adam

provides detailed and trusted input to the development and product

management organisations, influencing solution directions and plans. Adam

also plays an active role in supporting CA Technologies customers and is able

to provide honest and constructive input at many levels, from business

requirements and drivers, through solution propositions, to technology

details. Adam acts as a trusted advisor to many Fortune 100 companies and

public sector agencies around their security strategy and technical

architecture.

As for all major technology shifts, Cloud computing offers a vast array of opportunities and poses a number of

questions, from policy, technology, business and usage perspectives.

— The technology shift ('ubiquitous computing') poses the questions of new value chains and respective roles

of market players both in the infrastructure segment as well as for the applications/services segments;

— The markets currently shaping up pose questions with regards to policy, regulation and standards: how to

best enable the emergence of new ecosystems, support innovation while ensuring an adequate level of

interoperability and consumer protection?

The borderless nature of the cloud ('where is the data?') poses questions with regards to data security, data

privacy, jurisdictions and liability.

Event/Workshop background….

privacy, jurisdictions and liability.

Standards are only part of the equation, but an essential one, because they contribute to creating an

interoperable environment of transparency, reliability and accountability and ultimately confidence for all the

agents in the process of cloud adoption. Yet cloud computing standards also need to take into account policy

and regulatory requirements, which add to the challenge for all stakeholders involved in the process.

The EU and the US are both engaged in large scale efforts to devise standards for cloud computing be it at

infrastructure, service or application level.

In order to support this dialogue, an EU-US event on standards for cloud computing is co-organized by the EC

and ETSI in partnership with NIST, EuroCIO and Eurocloud.

3 [Insert PPT Name via Insert tab > Header & Footer] Copyright © 2011 CA. All rights reserved.October 3, 2011

GOALS OF THIS WORKSHOP

— Drill down the issues of standards for cloud computing from 3 major angles

* Policy

* Industry and markets (supply and demand side)

* Standards and interoperability

— Gather elements to devise a standards roadmap for EU, including priorities, players and processes

EXPECTED OUTCOMES AND DELIVERABLES

— Inventory of major policy issues and their impact on standards-making

— Inventory of Industry agenda/requirements

Event/Workshop goals….

— Inventory of Industry agenda/requirements

— Mapping of existing standards landscape

— Next steps and priorities for an EU/US cooperation on cloud standards

WHO SHOULD ATTEND?

— Policy makers

— CIOs ITC industry and service companies

— Standardization strategists

— Business development leaders

— Public Affairs managers

12-15 Minute speaking slot on “Mobile internet and cloud computing” in

Stream #2 Services and Applications

4 [Insert PPT Name via Insert tab > Header & Footer] Copyright © 2011 CA. All rights reserved.October 3, 2011

The meeting willl take place at CICA

2229, route des Crêtes

06560 Valbonne Sophia Antipolis

France

Access map

Event/Workshop location…

Access map

5 [Insert PPT Name via Insert tab > Header & Footer] Copyright © 2011 CA. All rights reserved.October 3, 2011

Abstract

Mobile internet and cloud computing

Clearly clouding computing has arrived, impeding its adoption are concerns

about security, and more specifically identity & access management; who

owns the identity, how is it trusted, what can the identity access, etc. Another

clear trend is consumerisation and mobile computing, no longer are access

devices managed and wholly trusted, but their use needs to be allowed, devices managed and wholly trusted, but their use needs to be allowed,

understood, and controlled.

Is traditional Identity and Access Management still relevant and sufficient to

meet the demands of mobile internet and cloud computing? This

presentation is intended to discuss these challenged and pose potential

opportunities to address them.

I am going to discuss the elephant in the room…

Cloud Security

Cloud adoption concerns: *87.5% rate cloud security issues as “very significant”

* IDC Survey

#1 area that needs focus for migration to the Cloud?Identity and Access Management (IAM) !

47%

50%

Business continuity and disaster recovery

Identity and access management

The top five critical areas of focus for organizations migrating to

the cloud environment Important & very important response

for US and Europe combined

Security of Cloud Computing Users – A Study of US & EMEA IT Practitioners, Ponemon Institute.

39%

40%

46%

47%

0% 10% 20% 30% 40% 50%

Encryption and key management

Compliance and audit

Procedures for electronic discovery

Business continuity and disaster recovery

Why is Identity and Access Management (IAM), cloud and mobile access more Important than ever?

Nearly 90 percent of organizations surveyed expect t o maintain or grow their usage of software as a servi ce (SaaS), citing cost-effectiveness and ease/speed of deployment

SaaSAdoption

Over 70% people surveyed believe authentication ef fects the degree of customer trust in the security offere d.

Customer Confidence

By the end of 2013 mobile worker population is expe cted to exceed 75% and to 1.19bn globally.Tablet PCs will outsell Netbooks and Desktops by 2 013(iPADS outsold Macs by 2 to 1 in 2010 – 2011).

Mobile Workforce and ITConsumerisation

the degree of customer trust in the security offere d.Confidence

IncreasingeCrime

More than 11 million adult consumers became victims of identity fraud in 2009, up from nearly 10 million i n 2008. The number of fraud victims rose for the secon d year in a row

Regulatory Pressures

Organizations that regularly review and maintain regulatory and standards compliance spend about t hree times less annually than organizations that fall out of compliance .

Information Explosion Cloud Data Volumes are increasing Exponentially at a factor of x250 per annum

What do we really mean by Identity and Access Management in a

mobile internet and cloud computing context?

Is ‘Identity and Access Management’ sufficient for mobile Internet and cloud computing?

Identity Management who are you? Do we trust you? Do we believe it is you this

time? Does each provider need to have its own identity

data/context?

Can Identity and Access Management deliver what is required of

mobile Internet and cloud computing?

IAM typically does not take into consideration geo-location/context, or the

content of what is actually being accessed.

Access Management to what? To allow access does this mean we need to have

your identity? Do we need to understand where you are? Do

we need to understand what device you are using?

— Is ‘Identity management’ in a cloud context sufficient?

− Does each provider need to maintain identity data? What about geo

data compliance?

− Can Identity, credentials, location, device, be represented by ‘level of

trust’ (Risk score) ?

Identity and Access Management for mobile Internet and cloud computing questions…

— Is access management for access to a cloud resource still

relevant?

− At a course level possibly

− However, the content of what is being accessed is probably more

important than where it is located.

—Can management of Identity and Access be abstracted across

all environments and providers?

Consider building security frameworks/guidelines/standards:

1. for how identity/context trust is derived, where appropriate leveraging

other trust frameworks, including

− Device

− Identity

− Credentials used

Identity and Access Management for mobile Internet and cloud computing, a possible answer…

− Credentials used

− Geo location

− Etc…

That defines level of trust - Risk

2. for how content of what can be accessed is classified - Classification

These tools allow of the definition and management of policies that specifies

that to access content classified as ‘Secret’ the level of trust has to be greater

than or equal to ‘Security cleared’.

ETSI - Standards in the

cloud

Mobile internet and

cloud computing

Questions…