
SEC4608 Journey to Your Cloud: Governance and Security In Your Cloud








  1. SEC4608 Journey to Your Cloud: Governance and Security In Your Cloud. Name, Title, Company

  2. Disclaimer • This session may contain product features that are currently under development. • This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined.

  3. VMware’s Role in the Cloud
  VMware provides virtualization and automation technology to over 250,000 customers worldwide. Since 1998, VMware has worked with 25,000 partners to reduce IT costs, increase business agility, and provide the fundamental building blocks for the modern Cloud.
  VMware Vision Team member John Steiner, a Business Solution Architect, collaborates with customers to define and communicate their roadmap to a successful virtualization strategy. With 15 years of total IT experience, John brings an in-depth combination of technical knowledge and business experience to help clients design complex, actionable roadmaps for their journey to the cloud. He has been involved in designing and delivering virtualization solutions to the market for over 8 years. Prior to joining the VMware Vision team as a Solution Architect, he was an infrastructure lead and Consulting Architect for VMware professional field services.

  4. Agenda
  • Cloud Computing and Security
  • Questions to Ask and Best Practices
  • Creating Your Security and Governance Plan

  5. Agenda (repeated as a section divider; same three items)

  6. Virtualization Paves the Way to a New Era in IT (timeline: Mainframe → PC / Client-Server → Web → Virtualization → Cloud). Cloud Computing will transform the delivery and consumption of IT services.

  7. Security and Compliance are Key Concerns for CIOs. What are the top challenges or barriers to implementing a cloud computing strategy? The top 4 concerns are all about security and compliance. Source: 2010 IDG Enterprise Cloud-based Computing Research, November 2010

  8. Security and Compliance Concerns in Detail (questions from the Security Operations Team, the Infrastructure Team and the Compliance Officer)
  • How can I manage security policies across virtual desktops, servers and networks?
  • I have too many VLANs for segmenting traffic and securing applications. I can’t keep up.
  • How do I verify that confidential and regulated data is secure in the cloud?
  • How do I implement compliance audits for resources in the cloud?
  Both Security and Proof of Compliance are Required to Build Trust

  9. Fact: A well-defined governance and security practice, in conjunction with refined process and automation, is imperative to the success of YOUR cloud. What does your enterprise look like from a cloud-readiness perspective?

  10. Cloud Vision

  11. Vision for ITaaS/Cloud (diagram; each of its four components is labelled “Secured”)

  12. Agenda • Cloud Computing and Security • Questions to Ask and Best Practices • Creating Your Security and Governance Plan

  13. Governance and Security in Your Cloud
  • Traditional: Infrastructure, Application, End User, Development, Management
  • New: Virtualization, Social Media
  • Core: Security, Governance

  14. Traditional Models: Applications (Legacy, Current, and New)
  • What applications are eligible for Cloud?
  • Will we increase our reliance on virtual networking and security appliances?
  • How will my data be transported?
  • Where will my data live?
  • How does my security and compliance posture affect applications in the cloud?

  15. Traditional Models: Applications (Legacy, Current, and New)
  • Very few applications can truly leverage the full potential of the cloud in their current state
  • Virtual security and networking appliances greatly increase agility in the cloud
  • VPN, extended private cloud
  • Trust, risk and compliance
  • A systematic review is required for potential policy revision

  16. Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)
  • Do we have a defined, repeatable build process?
  • What is the current security posture?
  • Will we be able to minimize data center access as a result of leveraging cloud?
  • What data security regulations must be considered?
  • Do we intend to move off legacy hardware in order to better leverage the cloud?
  • How will controls be affected?
  • Where will my data live?

  17. Traditional Models: Infrastructure (Servers, Storage, Networking, Data Center Facilities and Legacy Systems)
  • Documented build standards assure repeatable, secure systems
  • Security should be taking an active role in all virtualization initiatives
  • Virtualization and cloud computing make near lights-out data centers a reality
  • PCI, HIPAA, NSTISSP, Sarbanes-Oxley, FIPS, etc.
  • Legacy system migration assures reliable, flexible, elastic computing
  • Controls must evolve accordingly
  • Virtualized, tiered storage in private and public clouds

  18. Traditional Models: Development
  • Software development life cycle: where is the code at any given time?
  • Will Agile development methodologies impact our current security, compliance and governance processes?
  • Can we create a more controlled software code repository?
  • Are my developers using cloud-based development tools?
  • Do we need to be concerned with intellectual property?
  • How do we assure that self-service development appropriately serves the business but does not seed rogue development efforts?

  19. Traditional Models: Development
  • The code repository should remain in a controlled, managed state
  • Existing processes should be reviewed to accommodate new potential impacts
  • Inventory all development models; create policies to control where development is executed
  • Build policies around acceptable usage of self-service resources; show-back mechanisms will permit distributed control

  20. Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)
  • How will an App Store affect or change authentication and credential stores?
  • Have we defined a list of approved access devices, or do we loosely manage what can connect?
  • Can we improve desktop and security compliance by moving our desktops into a cloud model?
  • How can we protect the desktops of the future from attacks and viruses?
  • How do we secure the data both on the devices and in transport?

  21. Traditional / New Models: End User Computing (Desktop, Tablet, Mobile Device, Public Device)
  • Build standard processes around acceptable application store development and distribution
  • Create or modify security standards regarding mobile devices
  • Security and controls can be greatly improved by leveraging standardized builds in a centralized location
  • Minimal-OS virtual desktop / app store model
  • Categorize by data type, sensitivity and transport

  22. New Model: Virtualization
  • Have we made accommodations for virtualization in our existing processes, procedures, security and governance policies?
  • Should we be leveraging virtualization to realize our BC/DR RPO/RTO requirements?
  • Do we have a virtualization-first policy, and where does the sponsorship reside?

  23. New Model: Virtualization
  • Review security and governance documentation and augment it for a virtual/cloud-based infrastructure
  • Virtualization can dramatically improve BC/DR capabilities and should be leveraged at every opportunity available to meet compliance regulations
  • A virtualization-first policy requires executive governance to be effectively executed

  24. New Models: Social Media
  • Will social media play a role in our formal cloud strategy?
  • Have we looked into the implications of social media and the potentially positive and/or negative impact it could have on our organization?
  • What is already out on this forum, with or without our permission?
  • Does social media play a role in business-critical applications or procedures?
  • Does a social media policy exist? Has it been accounted for in any other governance or compliance documentation?

  25. New Models: Social Media
  • Social media should be included as a part of your cloud strategy
  • Socialize and educate your staff on the opportunities presented by social media
  • An inventory of all social media outlets accessed should be created
  • Identify any mission-critical process that relies on social media and plan appropriately
  • Create a formal social media policy that meets security and governance requirements

  26. Core Models: Governance
  • What is running in the cloud today outside of your enterprise governing policies?
  • How will cloud computing impact your current governance model?
  • Are the current policies broad enough to appropriately govern a self-service, cloud-based business model?
  • Is my staff appropriately educated to fully understand the implications and act on them?
  • Can the proper controls be put into place for a corporate public cloud computing strategy?

  27. Core Models: Governance
  • Inventory and understand all application usage patterns
  • Comprehensively review all aspects affected by virtualization and cloud computing
  • Understand the business requirements of all service catalog items; assure that existing security policies and procedures can accommodate the model
  • Create centers of excellence to appropriately disseminate information across all teams affected
  • The controls can be accommodated with proactive planning and preparation

  28. Core Models: Security
  • Are our scanning and intrusion policies robust enough for near real-time provisioning?
  • How will our security access policies and procedures need to change?
  • What kind of containment policy should be in place to stop improper activity should it occur?
  • Should we consider leveraging virtual routing and firewalls as a part of our private cloud strategy?
  • How should our security policies change to accommodate new data security issues?

  29. Core Models: Security
  • Scanning processes and procedures must move to a higher level of proactivity
  • ACL policies most certainly require review and design enhancement
  • Appropriate logging and access control lists must be maintained to quickly contain and avoid improper activity
  • Virtual security and networking devices are key to cloud; physical controls must be extended to accommodate them
  • Stronger enforcement of data encryption for cloud database entities should exist

  30. Core Models: Management
  • Is our management infrastructure beyond reactive?
  • How much additional automation is required to keep up with the rapid provisioning capabilities of cloud computing?
  • How will we meter resources, provide show-back and manage SLAs?
  • What is needed to move beyond proactive and into predictive?

  31. Core Models: Management
  • Enterprise monitoring components must move beyond reactive to predictive
  • Automation must strive to approach 100%, which will require security and compliance to be baked in
  • Automation is key; architect the solution prior to implementation
  • Create a reference architecture for the management infrastructure
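Slides 17, 29 and 31 together describe one technique without showing it: the documented build standard, the ACL and encryption requirements, and the "security baked into automation" goal all become a policy gate that every self-service provisioning request passes through before the automation deploys anything. The following is an added example (not code from the deck or from any VMware product) of such a gate. The policy values (approved images, required tags, admin networks, management ports) and both sample requests are constructed for illustration; a real deployment would load them from the organization's own build standard.

```python
"""Provisioning-time policy gate (added example, not from the presentation).

A self-service VM request is evaluated against a documented build standard
before the automation is allowed to deploy it.  Every policy value below is
an assumed, illustrative setting, not a VMware product configuration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network

# --- Documented build standard (assumed values) -----------------------------
APPROVED_IMAGES = {"rhel8-hardened-2024.03", "win2019-cis-l1-2024.03"}
REQUIRED_TAGS = {"owner", "cost_center", "data_class"}
REGULATED_CLASSES = {"pci", "phi", "confidential"}   # must be encrypted at rest
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}            # SSH, RDP, WinRM
ADMIN_NETWORKS = [ip_network("10.20.0.0/16")]        # only source allowed to mgmt ports


@dataclass
class AclRule:
    source_cidr: str
    port: int
    action: str = "allow"


@dataclass
class VmRequest:
    name: str
    image: str
    tags: dict
    disk_encrypted: bool
    log_forwarding: bool                 # ships logs to the central collector
    acl: list = field(default_factory=list)


def _from_admin_network(cidr: str) -> bool:
    """True if the source CIDR lies entirely inside an approved admin network."""
    src = ip_network(cidr, strict=False)
    return any(src.version == adm.version and src.subnet_of(adm)
               for adm in ADMIN_NETWORKS)


def evaluate(req: VmRequest) -> list[str]:
    """Return every policy violation for the request; an empty list means approve."""
    violations: list[str] = []

    # Slide 17: only documented, hardened builds are repeatable and auditable.
    if req.image not in APPROVED_IMAGES:
        violations.append(f"image {req.image!r} is not an approved build")

    # Slide 27/31: ownership and data classification must be known up front
    # so show-back and data-handling controls can be applied automatically.
    missing = REQUIRED_TAGS - set(req.tags)
    if missing:
        violations.append(f"missing required tags: {sorted(missing)}")

    # Slide 29: stronger enforcement of encryption for regulated data.
    data_class = str(req.tags.get("data_class", "")).lower()
    if data_class in REGULATED_CLASSES and not req.disk_encrypted:
        violations.append(f"data_class {data_class!r} requires disk encryption")

    # Slide 29: logging must be in place before the VM exists, not after.
    if not req.log_forwarding:
        violations.append("log forwarding to the central collector is disabled")

    # Slide 29: ACL review. Management ports reachable from outside the admin
    # networks are denied at request time instead of being found by a later scan.
    for rule in req.acl:
        if rule.action == "allow" and rule.port in MANAGEMENT_PORTS \
                and not _from_admin_network(rule.source_cidr):
            violations.append(
                f"ACL allows {rule.source_cidr} to management port {rule.port}; "
                f"only admin networks may reach it")
    return violations


def decide(req: VmRequest) -> str:
    """The automation calls this; anything but 'approve' halts the workflow."""
    return "approve" if not evaluate(req) else "deny"


# --- Constructed sample requests -------------------------------------------
COMPLIANT = VmRequest(
    name="pay-api-01", image="rhel8-hardened-2024.03",
    tags={"owner": "payments", "cost_center": "4410", "data_class": "pci"},
    disk_encrypted=True, log_forwarding=True,
    acl=[AclRule("10.20.5.0/24", 22), AclRule("0.0.0.0/0", 443)],
)
ROGUE = VmRequest(
    name="dev-box", image="ubuntu-latest",
    tags={"owner": "dev", "data_class": "phi"},
    disk_encrypted=False, log_forwarding=False,
    acl=[AclRule("0.0.0.0/0", 22)],
)

if __name__ == "__main__":
    for req in (COMPLIANT, ROGUE):
        print(req.name, decide(req))
        for v in evaluate(req):
            print("   -", v)
```

The point of the design is that the gate returns the full list of violations rather than stopping at the first one, so the requester (or the ticket the automation opens) shows everything that must change, and the same function can be run by a scheduled scan over already-deployed inventory to catch drift, which is what moving scanning "to a higher level of proactivity" amounts to in practice.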

  32. Agenda • Cloud Computing and Security • Questions to Ask and Best Practices • Creating Your Security and Governance Plan

  33. Next Steps

  34.–36. Your Cloud Security Architecture (diagram shown in three build steps with identical text)
  • On-Demand Self-Service
  • Flexibility, Portability, Elasticity
  • Layers: End User Computing, Applications, Management, Governance, Social Media, Security, Development, Virtualization, Infrastructure

  37. Implications of Failure FAILURE = BAD Failure to prepare for the rules of this new compute model will result in either an inability for IT to meet business needs or an environment that lacks the controls and measures necessary to appropriately secure the enterprise

  38. Final Thoughts • Understand the business drivers before making technology decisions • Heat map your entire IT infrastructure in order to forecast bumps well before you see them in the road • Set reasonable goals in an actionable roadmap • Outline a holistic view of what is truly required from a governance, compliance and security perspective to safely leverage both a private and public cloud infrastructure
