Core Requirements for Security In The Cloud
March 2011
Bob Gourley
Find this brief at http://crucialpointllc.com


About This Presentation

•  A focus on requirements users and CIOs are placing for cloud security

•  Goal: provide help to users who need to articulate security requirements, and provide help to cloud providers who should anticipate those requirements


Context on Secure Cloud Computing

•  New Reality: Cloud-based continuous services that connect to us all, and appliance-like connected devices enabling us to interact with these services.

•  Including Private Clouds, Public Clouds, Edge Clouds and a spectrum in between.

•  Driven by functionality improvements, but also cost, agility and security benefits.

•  Security benefits will only come with planning and work. Without planning and work, security becomes a nightmare.

Planning for Cloud Computing Security

•  Cyber security includes all steps required to ensure mission effectiveness: information confidentiality, integrity, availability.

•  These are all made harder in environments that are complex and rapidly changing.

•  Cloud computing introduces even more changes to this environment. Without planning, the risk will go up.

•  However, if done right, with planning, cloud computing holds the potential of dramatically enhancing security.

“Complexity Kills: Complexity sucks the life out of users, developers and IT. Complexity makes products difficult to plan, build, test and use. Complexity introduces security challenges. Complexity causes administrator frustration.” – Ray Ozzie at ozzie.net

Security Issues with the Cloud

•  Moving to cloud gives you the chance to clean up from the past and prep for the future. So do it! But do it with awareness of security issues.

•  Security Issues:

•  Multi-Tenancy: requires secure access and separation of user allocated cloud resources

•  Availability: If you are using a cloud it better be there

•  Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?

•  Integrity: Will you ensure your data is not changed?

Multi Tenancy

•  Multi-Tenancy: requires secure access and separation of user allocated cloud resources

•  Clouds have multiple concurrent users from disparate and possibly competitive organizations.

•  Even those from the same organization may have a need for tight separation; for example, HR and Finance have data that must be protected.

•  Development organizations may have software development efforts that could be impacted if secure boundaries are not in place.

•  The lack of secure boundaries is slowing cloud adoption and is a key missing feature of most cloud offerings.

•  Issues to address:

•  Assurance of underlying systems comprising the cloud, including assurance of their proper provisioning and segmentation

•  Secure access to and separation of user allocated cloud resources, with sign-on and security provided separate from the applications hosted in the cloud
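What the second "issue to address" looks like when it is actually enforced: a check that lives in front of every hosted application, keyed on the tenant claim of the caller's sign-on, so the applications themselves never get to decide a cross-tenant question. This is an added example, not code from the brief or from any vendor it names. The gateway function `handle_request`, the `Principal` and `Resource` types, the inventory and the two tenants are all constructed for illustration; the only assumption that matters is that the sign-on layer has already verified the token the tenant claim comes from.

```python
"""Tenant separation enforced outside the hosted application.

Added example (not from the slides). Assumes a gateway between every
caller and the hosted apps that has already verified the caller's
sign-on token and extracted its tenant claim. Inventory, tenants and
principals below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant: str            # tenant claim from the verified sign-on token
    roles: FrozenSet[str]  # intra-tenant entitlements, e.g. {"hr"}


@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_tenant: str
    compartment: str       # "general", or a department such as "hr" / "finance"


# Constructed inventory: two tenants (acme, globex). Inside acme, the HR
# and Finance data must stay separated even from acme's own staff.
RESOURCES = {
    "vm-001": Resource("vm-001", "acme", "general"),
    "db-hr": Resource("db-hr", "acme", "hr"),
    "db-fin": Resource("db-fin", "acme", "finance"),
    "vm-777": Resource("vm-777", "globex", "general"),
}

AUDIT_LOG = []  # every denial is recorded for the audit trail


class AccessDenied(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def authorize(principal: Principal, resource_id: str, inventory=RESOURCES) -> Resource:
    res = inventory.get(resource_id)
    # Tenant boundary first, deny by default. A resource owned by another
    # tenant is reported exactly like a non-existent one, so a caller who
    # enumerates IDs learns nothing about the neighbours sharing the cloud.
    if res is None or res.owner_tenant != principal.tenant:
        raise AccessDenied(404, "not found")
    # Intra-tenant compartments: HR/Finance data needs the matching role.
    if res.compartment != "general" and res.compartment not in principal.roles:
        raise AccessDenied(403, "forbidden")
    return res


def handle_request(principal: Principal, resource_id: str):
    """Gateway entry point. Returns (http_status, resource_id or None)."""
    try:
        res = authorize(principal, resource_id)
    except AccessDenied as exc:
        AUDIT_LOG.append((principal.subject, principal.tenant, resource_id, exc.status))
        return exc.status, None
    return 200, res.resource_id


if __name__ == "__main__":
    alice = Principal("alice", "acme", frozenset({"hr"}))
    bob = Principal("bob", "globex", frozenset())
    for who, rid in [(alice, "db-hr"), (alice, "db-fin"), (bob, "vm-001"), (bob, "vm-777")]:
        print(who.subject, rid, handle_request(who, rid))
```

The two denial codes are deliberate: a foreign tenant's resource and an unknown ID both come back as 404, while a same-tenant but wrong-compartment request is a 403, so the boundary between tenants leaks nothing and the boundary inside a tenant is still auditable.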

Availability

•  Availability: If you are using a cloud it better be there

•  Assured comms

•  Assured always-up servers

•  An ability to reach users at their place of work.

•  For many, an ability to reach users wherever they are.

•  There are tight ties to the requirements of confidentiality and integrity, but additional planning is required to ensure always-on protected availability in the face of threats and outages.

•  Make availability part of your agreement with your cloud provider. And have plans for working through outages that impact your cloud provider.

Confidentiality

•  Confidentiality: Will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?

•  Strong identity management that protects and authorizes.

•  Knowledge of who in your cloud provider can access your cloud.

•  Comms security not only to and from the cloud but within the cloud and between virtual machines.

•  Accreditation of deployment such that one can assure your cloud is operating according to business policies and upholding regulated governance (e.g., SOX, HIPAA, FISMA, etc.).

•  Encryption of data in motion and data at rest

•  Consider new means of storing/obfuscating stored data, such as Cleversafe

•  Understand the type of processors that operate on your data and the mechanisms in place on the servers to ensure no tampering with or monitoring of data while it is being processed. Make this awareness a requirement. Understand how your provider watches for malicious code.

Integrity

•  Integrity: Will you ensure your data is not changed?

•  Of course encryption of data at rest and data in motion

•  Backups

•  Smart use of checks/hashes/backups to ensure data is not tampered with.

•  Checks through repeatability: the same operation on the same data should always produce the same results.
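The "checks/hashes" and "repeatability" bullets above, carried through as an added example (not from the brief): the customer computes a keyed digest of each object before it goes to the provider, keeps the manifest and the key where the provider cannot write them, and re-checks on read-back. The bucket contents, object names and the key are constructed sample data; `digest`, `build_manifest`, `verify` and `repeatable` are names chosen here. The example also shows the caveat a practitioner needs: an unkeyed hash is not an integrity check against anyone who can write both the data and the manifest.

```python
"""Tamper-evidence for objects held by a cloud provider.

Added example (not from the slides). The customer computes HMAC-SHA256
over every object before upload, keeps the manifest and the key out of
the provider's reach, and re-checks on read-back. All data is constructed.
"""
import hashlib
import hmac

# Constructed stand-in for the contents of a storage bucket.
OBJECTS = {
    "reports/q1.csv": b"region,revenue\nwest,100\neast,250\n",
    "configs/app.yaml": b"debug: false\nmax_conn: 50\n",
}

# Assumption: this key lives with the customer (an on-prem HSM or a KMS
# the provider's staff cannot read), never next to the data it protects.
MANIFEST_KEY = b"customer-held-manifest-key"


def digest(name: bytes, data: bytes, key=None) -> str:
    """Digest over (name, data). The length prefix binds the name, so an
    object cannot be moved under another name and keep its check value."""
    material = len(name).to_bytes(4, "big") + name + data
    if key is None:
        # Unkeyed: anyone who can rewrite the manifest can recompute this.
        return hashlib.sha256(material).hexdigest()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def build_manifest(objects: dict, key=None) -> dict:
    return {name: digest(name.encode(), data, key) for name, data in objects.items()}


def verify(manifest: dict, objects: dict, key=None) -> dict:
    """Compare the bucket against the manifest. Returns object names
    under ok / modified / missing / unexpected."""
    findings = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in objects:
            findings["missing"].append(name)
            continue
        actual = digest(name.encode(), objects[name], key)
        # Constant-time compare: don't leak how many leading bytes matched.
        if hmac.compare_digest(actual, expected):
            findings["ok"].append(name)
        else:
            findings["modified"].append(name)
    findings["unexpected"] = [name for name in objects if name not in manifest]
    return findings


def repeatable(name: str, data: bytes, key: bytes, runs: int = 5) -> bool:
    """The slide's repeatability check: the same operation on the same
    data must always produce the same result."""
    return len({digest(name.encode(), data, key) for _ in range(runs)}) == 1


if __name__ == "__main__":
    manifest = build_manifest(OBJECTS, MANIFEST_KEY)
    tampered = dict(OBJECTS)
    tampered["reports/q1.csv"] = b"region,revenue\nwest,100\neast,2500\n"
    print("keyed check on tampered bucket:", verify(manifest, tampered, MANIFEST_KEY))
    # An attacker who can write the manifest too defeats an unkeyed hash:
    print("unkeyed, manifest rewritten:", verify(build_manifest(tampered), tampered))
```

The verify step reports four outcomes rather than a single boolean because each one maps to a different question for the provider: a modified object is tampering or silent corruption, a missing one is loss or deletion, and an unexpected one is something written into your space that you never put there.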

Concluding Thoughts

•  Seek independent audit of your cloud provider and the many checks they will have in place to ensure your confidentiality, availability, integrity in the face of multi-tenancy.

•  ISO 27001, SAS 70 and similar standards might not be keeping up. But they are a start, since they provide the foundation for third-party audit.

•  Ask hard questions about all your requirements. What responsibility does the provider have to notify users when a requirement is not met?

•  What guarantees do you have?

•  If you are a user, articulate your requirements

•  If you are a provider, anticipate your users' requirements

The Meta Requirement

The Absence of unmitigatable surprise

Questions/Comments?


Please help with your thoughts/input/questions
E-mail: [email protected]
Blog: http://ctovision.com
Twitter: http://www.twitter.com/bobgourley
Facebook, Plaxo, LinkedIn, etc.: See the blog.

Disruptive Security Tech

March 2011

Bob Gourley

Thesis of this Presentation

•  Technology really matters

– People and process are critical too, of course, but it is criminal to neglect the technical piece


Goal of this Presentation

•  Tell you about technologies you might not know about yet

– So I’m not going to talk about those great firms like ArcSight, Netwitness, Symantec.


Methodologies

A list of exemplars in Security, drawn from:

•  CTOVision.com Disruptive IT List (75 Firms)

•  Understanding realities of enterprise IT

•  Winners of: RSA, SINET, American Security Challenge

•  Tracking R&D of big IT firms and investment from VC

The Candidates

•  3VR – Video analytics.
•  Akamai – Web acceleration and content delivery across the fabric.
•  AdaptivEnergy – Capture energy from vibrations.
•  Appistry – Deploy apps across a grid; Computational Storage.
•  ArcSight – Network and security management. Bought by HP. Still a player in demand.
•  Aster Data – Specialized DBMS with built-in MapReduce for high-end analytics.
•  Basis Technology – Foreign language document and media exploitation.
•  Bit9 – New models dramatically enhancing security through application whitelisting.
•  Bluecat Networks – Total management and optimization of all things IP.
•  Brightcove – Enhancing, dramatically, how enterprises manage and disseminate video.
•  Cloudshield – One of only two companies that can protect nets at line rate speeds.
•  Cloudera – Providing support to open source and specialized software that makes Hadoop ready for the enterprise.
•  Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
•  Centrifuge Systems – Fast visual analytics via multiple modes.
•  Cipheroptics – Network and data encryption.
•  Destineer Studios – Advanced immersive environments.
•  Endeca – Next-generation information retrieval and analysis through advanced search and guidance navigation.
•  Endgame Systems – Cloud-based botnet and malware detection.
•  EnterpriseDB – Enterprise Postgres. Leader in open source database products/services/support.
•  FireEye – Botnet protection.
•  FMS – Analysis.
•  Forterra Systems – Distributed virtual world technologies for the enterprise.
•  FortiusOne – Next generation intelligent mapping.
•  Fortinet – Integration of multiple security technologies.
•  ForgeRock – Full solution stack based on top quality open source software.
•  Fusion-IO – Extremely fast and high capacity SSD.
•  GainSpan – WiFi enablement.
•  Geosemble – Map people, places, things using data from RSS feeds and tweets.
•  Greenplum – Massively parallel database. High volume SQL transactions for MapReduce.
•  Global Velocity – Hardware based DLP.
•  Hardcore Computer – Blade server with total liquid submersion technology.
•  iMove – Imaging and immersive video for wide area and geospatial surveillance.
•  Infinite Power Solutions – Thin-film batteries to power RFID.
•  Image Tree Corp – Figure out what is growing on the earth.
•  Invincea – Device protection by wrapping the browser.
•  Janya – Multilingual semantic analysis.
•  Koolspan – High quality mobile voice encryption.
•  KNO – They assert they are for education, but CTOs in enterprises everywhere should watch this one.
•  Liquid Machines – Primarily Enterprise Rights Management. Key product is "Document Control 6.0". Others in this area include IBM, EMC, Adobe. Member of SISA alliance.
•  LensVector – Taking moving parts out of cameras.
•  Looxie – Bluetooth camcorder. Imagine the impact on enterprise business models (and IT).
•  Malden Labs – Fast/smart/modern delivery of content and apps to any device.
•  MarkLogic – New, smarter ways of storing, searching, acting on and displaying information.
•  MetaCarta – Geospatial data extraction and transformation.
•  Network Integrity Systems – Protected Distribution Systems.
•  Nexenta – OpenSolaris power and the usability of Linux. Enterprise class storage (ZFS based).
•  Narus – Unified IP management and security. Bought by Boeing. Still a player.
•  Nicira – Could be the future of network virtualization.
•  Object Video – Business intelligence from video.
•  Oculis Labs – Data obfuscation at the user's screen.
•  piXlogic – Image segmentation and search. Visual search engine.
•  Perceptive Pixel – Multi-touch interaction with data visualizations.
•  Permabit – Embedded high performance OEM data optimization software.
•  Polychromix – Miniature analysis tools for mobile labs.
•  Previstar – An intelligent resource and information management system designed to automate National Incident Management guidelines for preparedness, response and recovery.
•  Proofpoint – Enhanced email security, email archiving and DLP for enterprises.
•  Quantum4D – Advanced visual analysis.
•  Qynergy – New battery technology.
•  Rapid7 – Automating security testing including vulnerability testing.
•  Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
•  SenseNetworks – Dramatic use of location data to create useful information. Consumer apps provide heat maps of cities. Enterprise capabilities provide important analytics.
•  StreamBase – Capture and analyze data in stream.
•  Sonitus Medical – Hear from your teeth.
•  SpaceCurve – A new kind of database enabling large scale analytics and effortless indexing (Gourley is on their advisory board).
•  Spotfire – Enterprise analytics for business intelligence. Analytics for every user in the enterprise.
•  Splunk – Dramatically enhanced IT search.
•  Tableau – Great, fast, interactive visualizations.
•  ThingMagic – Advanced RFID solutions.
•  Thetus – Knowledge modeling and discovery.
•  Touch Table – Interact with data and visualizations by hand.
•  Traction Software – Enterprise hypertext collaboration.
•  Triumfant – Enterprise class compliance, reporting, remediation (Gourley is on their advisory board).
•  TSRI – Move legacy code to the future fast.
•  Twiki – Enterprise agility platform.
•  Visible Technologies – Analysis.
•  Zafesoft – Discover, classify and secure enterprise data with ease of control. Prevent data leaks, including leaks by malicious insiders.

•  Some capabilities under evaluation in our CTOlabs:
•  QlikView
•  Decision Lens

The IT Powerhouses

•  There are so many things going on at the big companies it is hard to keep track. Also, they are all looking for innovation and frequently buy to keep the innovation flowing in. So this is a dynamic area to say the least. It is also an area very hard to sum up in a few words. But here goes:

•  Adobe – Adobe Acrobat Connect and many related collaborative tools.
•  Cisco – Far more than networking gear, now a collaboration powerhouse. IRIS.
•  Citrix – On demand computing, including virtualization of desktops and servers.
•  EMC – Growing through acquisition and internal innovation. Real powerhouse in grid computing and end to end enterprise solutions. No longer just a storage company.
•  HP – Also growing through acquisition and internal R&D/innovation. End to end enterprise solutions including automation. Networking. Recently bought ArcSight.
•  IBM – Continuing to modernize. Will move into the mashup space. Continuing to innovate internally and through acquisition. BigFix is a key example.
•  Intel – The primary business is producing chips (silicon innovation) but they field solutions for many other parts of the ecosystem. Recently bought McAfee.
•  Microsoft – Large investments in R&D. Beginning to move to open standards/open source. Win 7 will be a huge hit, with enhancements to functionality and security. Now a player in mobile with Windows Phone 7.
•  Oracle – Innovating by buying the best. Stand by for disruptions by forced integrations resulting in positive forward movement. Services for open source. Currently supporting Solaris and MySQL, but many wonder about their commitment to those.
•  SAP (and Business Objects and Inxight) – Business intelligence. SAP has not stopped re-inventing itself and is a SOA leader.
•  Symantec – Their core business is security but this is broadly defined as ensuring enterprise functionality.
•  VMware – Virtualization leader.

•  These companies are also tracked on the CTOvision.com Tech Titan List

Some Open Source Disruptors

•  Red Hat – With commercially supported Linux.
•  Alfresco – Enterprise content management in an open source framework.
•  Talend – Open source ETL and data integration.
•  Cloudera – Open source around Hadoop, as well as some key licensable IP.
•  ForgeRock – Full solution stack based on top quality open source software. Pure play open source.
•  Nexenta – OpenSolaris power and the usability of Linux. Enterprise class storage (ZFS based).

Disruptive Security Categories

•  Stopping Malware
•  Hardware Based IT Security
•  OS Based IT Security
•  Network Based Security
•  Discovering Bad Actors

Disruptive Security Exemplars

Stopping Malware
•  Invincea: Winner of RSA security innovator award
•  Bit9: New methods of application whitelisting
•  FireEye: Botnet protection

Hardware Based IT Security
•  Intel vPro: Immediately enhances manageability/security

OS Based IT Security
•  Windows 7: Upgrade now and enable BitLocker

Network Based Security
•  Cloudshield: DPI and action over net traffic

Discovering Bad Actors
•  Endeca: Discovery and iterative examination
•  Hadoop: Facebook-scale analytics

Other Hot Ones:
•  RedSeal
•  Cleversafe
•  GlobalIDs
•  Silvertail
•  Veracode

Questions/Comments? Find me at CTOvision.com