Securing Cloud Enabled Business 01 Dec 2011

7/31/2019 Securing Cloud Enabled Business 01 Dec 2011

1/15

2011 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice

Securing Your Cloud Enabled

Business

Narayan Makaram, CISSP

Director, Solutions Marketing


2/15

Cloud computing and IT consumerization are remak

While customers face massive IT shifts

TRADITIONAL STACK SERVICES

Networks

Infrastructure

Databases

Middleware

Applications

Operating System

Devices Connected Devices

Open Cloud Marketplace

Cloud Services

Platform Services

Hybrid Infrastructure

STRUCTURED DATA UNSTRUCTUREDDATA

STRUCTUREDDATA

HYBRID

TRANSFORM

TRANSFORMATION SERV

MANAGEMENT & SECURITY MANAGEMENT & SECU

2 Enterpri se Securi ty HP Confidential


3/15

Security concerns prevent movement to new IT arc

Security is a major CIO challenge

26% more pressing than closestchallenge or barrier to implementation



4/15

Cloud deployment models

PaaS

IaaS

Application

User Activity

Transparent Abstracted


Increasing security responsibilities

Application

Platform

O/S

Network

Physical

O/S

image

Platform

Application

As Cloud Service Providers move

from IaaS to PaaS to SaaS offerings:

Visibility to network and systemactivity decreases

Security responsibilities at the userand application level increases


5/15

Enterprise ITLegacy Cloud

Security model must evolve

User Layer:Local directories, IDMs

Application Layer: lLocal, client- server, legacy

Platform Layer:O/S, software platforms, databases, etc.

Infrastructure Layer:network devices, servers, etc.

User Layer:Cloud directories, virtual user permiss

Application Layer:SaaS, mobile apps

Infrastructure/Platform Layer:Virtualized servers, storage (S3), Proc

(EC2),PaaS, IaaS,, O/S, databases, switche

To meet new cloud deployment architectures


6/15

HP ENTERPRISE SECURITY

HP Enterprise Security Products (ESP)

A newly formed business unit within HP

formed to help organizations mitigate risk in

their hybrid environments and proactively

defend against advanced threats.



7/15

Security Information and Risk Management Solution

HP Enterprise Security

Threat Research

Security Intelligence

RiskManagement

InformationSecurity

NetworkSecurity

ApplicationsSecurity

360 degree security monitoring to detect incidents

Proactive security testing to protect applications

Adaptive network defenses to block attacks

Platform integration to manage risk



8/15

Security Intelligence

Gartner - for optimal security and risk management:

Correlate information and context, especially business context

Correlation technologies

Application security:

Dynamic and static application scanning

Application scanning and inline network security

Operational security:

SIEM and security point solutions

SIEM and IT ops

Automate response actions where possible



9/15

Risk Management

Leverage Security Intelligence to take action

Map IT assets, monitoring and vulnerabilities to

business processes

Use intelligent metrics and heat maps to target

security spending and remediation efforts



10/15

Threats + architecture = new model

Traditional Security Monitoring Hybrid Security Monitoring

10 Enterpr ise Secur ity HP Confidential


11/15

#2: Hybrid security

controls for private clouds

Three ways to secure clouds

ArcSight

#3: Modular sefor cloud insta

SaaS Provider

#1: Secure enterprise use ofSaaS

Cloud IAM

VirtualConnectors

Virtual IPS

IPS



12/15

Follows standard dev/ops process

Select instance size/image to provision

Add security modules

Connectors for log syndication and SIEM

Virtual IPS for network protection

Fortify RTA for run-time app protection

Add compliance controls/reporting

Reports driven by connectors

Controls link to security modules

Cloud controls integrate with legacy

environment security controls

The future is modular



13/15

CISOs path to modern infrastructure

Mitigate todays risks:

Deliver security intelligence: leverage contextual data (user, business valu

Look for opportunities to correlate technologies and automate

Prepare for tomorrows problems:

Approach strategically, starting with quick wins

Start by securing enterprise use of SaaS

Next, establish hybrid controls

Long term, add modular security controls



14/15

Conclusions

Security controls must map to an organizations path to cloud

Some current practices can largely remain the same (e.g.monitoring), others must change (e.g. provisioning)

Deeper understanding of and synergy with dev/ops will smoo

the adoption of cloud security controls


15/15

THANK YOU

Securing Cloud Enabled Business 01 Dec 2011

Documents

Transcript of Securing Cloud Enabled Business 01 Dec 2011