basics of cloud computing
Post on 17-Oct-2014
DESCRIPTION
Course given in December 2011 as part of the INFOSAFE information security diploma (www.infosafe.be)
TRANSCRIPT
Basics management aspects of Cloud Computing
INFOSAFE, 17 December 2011
Myth & Facts of Cloud computing
• Myths
▫ Cloud computing will eliminate the need for IT personnel.
▫ Cloud computing will eliminate IT expense
• Facts
▫ Cloud technology is real
▫ This technology should not be ignored
What is said:
“Biggest Paradigm Shift in 20 years”
“Game Changers”
“Tremendous Cost Cutting”
“Just On” “Pay As You Go”
Andy Harjanto I’m cloud confused http://www.andyharjanto.com
First, what the heck is Cloud Computing? …in simple, plain English please!
Let’s use a simple analogy
Say you just moved to a city, and you’re looking for a place to live
You can either
Build a house or
Rent an apartment
If you build a house, there are a few important decisions you have to make…
How big is the house?
Are you planning to grow a large family?
Remodel, addition typically cost a lot more once the house is built
But, you get a chance to customize it
Roof
Windows
Lighting
Once the house is built, you’re responsible for maintenance
Hire Landscaper
Electrician
Plumber
Pay property tax
Water
Gutter Cleaning
Heating and Cooling
House Keeping
How about renting?
Consider a builder in your city builds a massive number of apartment units
A unit can easily be converted into a 2, 3, 4 or more units
You make fewer, simpler decisions
You can start with one unit and grow later, or downsize
But… You do not have a lot of options to customize your unit
However, builders provide you with very high quality infrastructure
high speed Internet
high capacity electricity
triple pane windows
green materials
No need to worry about maintenance
Just pay your rent and utilities
Pay as You Go
Let’s translate to Cloud Computing?
As an end-consumer, believe it or not, you’ve been using Cloud for a long time
Yes, most of them are Free
In return, you’re willing to give away...
your information for ads and other purposes
But you’ve been enjoying
High Reliability Service
Unlimited Storage
Connecting, Sharing
(ok, ok, most of them are)
OK, Now tell that to the business owner
Give up your data, then you can use this infrastructure for free
This is how their CEO would feel
My Business Needs…
Security
Privacy
Reliability
High Availability
Building Enterprise Software is like…. Building Medieval Castle
Stone Wall
Fire-proof
Moat
Army
Death Hole
Let’s Hire an Army of IT Engineers
Software Upgrade
Support
Backup/Restore
Service Pack
Development
Network issues
Let’s Build Huge Data Center
Capacity Planning
Disaster Plan
Cooling Management
Server Crashes
In the mean time,…
Many things have changed
The enterprise world we live in 2010 and beyond
Global
Direct, Open Customers Communication
Transparency
Work Remotely
Digital Life Convergence
(e.g. Social Media)
(Work and Personal lines are blurring)
(Customers, Resources, IPs are acquired everywhere)
(Mobility Trend)
(Blogs, Social Computing)
Layoffs
2008-2012 Economy is upside down
Excess Capacity
Bankruptcy
Can we bridge the gap?
Requires a New Way of Thinking
Leave it to the experts who have a lot of money to spend to build giant datacenters across the globe
Your data is replicated 3 or 4 times in their data center
High Availability
Adding “servers” is a click away. Running in just minutes, not days
High Traffic?
It can even load balance your server traffic
Expect your Cloud Network is always up
Yes, you can even pick
where your data and “servers” reside
Business Contraction?
Just reduce your computing power, storage
Wait, What is the catch?
Cloud Computing
is a relatively new technology
Only a handful of major players can build this massive infrastructure
Not much software has been written yet to take advantage of cloud infrastructure
Sensitive Data in the Cloud? Are we there yet?
Data at Rest
Data in Motion
Encryption
Yes, you’re losing some control
physical security
some configurations
Let’s clear common confusions about Cloud Computing
Who is paying whom?
Typical Scenarios
You (Business, Individual)
Software/Service Providers
Cloud/Infrastructure Provider
You may also build software directly on the provider’s platform and pay them directly
Do I have to start over?
In some cases, you could redirect your data to the cloud
Migrate Data to the Cloud
[Figure: Before and After]
However, to take advantage fully,
migrate all or create new apps on the cloud
Employees
Customers
Suppliers
Source: Wikipedia
SO LET’S START TO GO INTO MORE DETAILS
Definition
“A style of computing where scalable and elastic IT-related capabilities are provided “as-a-service” using internet technologies to multiple external customers.” (Gartner)
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (National Institute of Standards and Technology)
Cloud Computing in France – A model that will transform companies, Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-computing-in-france
Who are the players ?
The different players in the Cloud Computing sectors are:
• New entrants: Terremark (USA), Rackspace, GoGrid (USA), LinkByNet (France), Gandi (France), etc.
• Major IT Companies: Microsoft, IBM, SUN, etc.
• Telecommunications companies: Orange Business Services (France), COLT Telecom (Europe), British Telecom, etc.
• Constructors and software providers: VMWare, EMC, Citrix, etc.
• Internet companies: Google (USA), Amazon Web Services (USA), Salesforce (USA), etc.
• Consulting firms: Cap Gemini, Gartner, Forrester, IDC, etc.
Five key characteristics, explained by Gartner (Plummer, et al., 2009) and the National Institute of Standards and Technology (Mell, et al., 2009):
• A service-oriented technology, where consumer concerns are abstracted from provider concerns, and that is ready-to-use (SERVICE BASED);
• Services scale on-demand to add or remove resources as needed (RAPID ELASTICITY AND SCALABILITY);
• Services share a pool of resources to build economies of scale (SHARED RESOURCES);
• Services are tracked with usage metrics to enable the “pay-as-you-go model” (PAY PER USE);
• Services are delivered through use of Web identifiers, standards, formats and protocols and with an identical access (UBIQUITOUS NETWORK ACCESS).
3 types of services
Software as a Service (SaaS)
This is the topmost layer of the cloud computing stack, directly consumed by the end user.
On-Premise applications are expensive, affordable only to big enterprises.
Why?
Because On-Premise applications had a very high upfront CapEx (Capital Expenditure), which results in a high TCO (Total Cost of Ownership). On-Premise apps also require a higher number of skilled developers to maintain the application. In its current avatar SaaS is going to be the best bet for SMEs/SMBs (Small & Mid size businesses). Now, they can afford the best software solution for their business without investing anything at all in the infrastructure, development platform or skilled manpower. The only requirement for SaaS is a computer with a browser, quite basic. SaaS is a recurring subscription-based model delivered to the customer on demand – Pay as you use.
http://www.techno-pulse.com/
SaaS (Software as a Service): covers enterprise applications: CRM, collaboration tools, messaging, BI, ERP, ... The SaaS model lets an application be moved to a third party. This model suits certain categories of applications that must be broadly identical for everyone, standardization being one of the principles of the cloud. The term SaaS does evoke a service, in the sense that the provider sells an operational function rather than technical components requiring IT expertise.
Software as a service (SAAS)
The service provided makes use of the provider’s applications accessible through a client interface, such as a web browser (ex: Gmail).
The consumer doesn’t manage or control the infrastructure, the network, the servers, the operating system, the storage and cannot add specific development (even if there are limited user specific application configuration settings).
Offers: Billing, Financials, Legal, Sales, Desktop productivity, Human Resources, Content Management, Backup & Recovery, CRM (Customer Relationship Management), Document Management, Collaboration Tools, Social Networks.
Platform as a service (PAAS)
The service provided consists in the deployment of consumer-created applications on the provider’s infrastructure and the use of programming languages and tools supported by the platform (ex: Java or Python available on Google App Engine).
The consumer doesn’t manage or control the infrastructure, the network, the servers, the operating system and the storage but he has control over the deployed applications, and occasionally application hosting environment configurations.
Offers: General purpose, Business intelligence, Integration, Development & Testing, Database.
PaaS (Platform as a Service): covers middleware, development and test environments, ... The PaaS model consists of providing a ready-to-use environment, with the infrastructure hidden. A PaaS platform makes it possible, for example, to have a development environment immediately available.
Platform as a Service (PaaS)
Now you don’t need to invest millions of $$$ to get that development foundation ready for your developers.
The PaaS provider will deliver the platform on the web, and in most of the cases you can consume the platform using your browser, i.e. no need to download any software.
It has definitely empowered small & mid-size companies or even an individual developer to launch their own SaaS leveraging the power of these platform providers, without any initial investment.
PaaS Examples
Google App Engine and Windows Azure are examples of Cloud OS. OrangesScape & Wolf PaaS are cloud middleware.
INFRASTRUCTURE AS A SERVICE (IAAS)
The service provided gives the possibility to rent resources, such as processing, storage or bandwidth, and allows the consumer to deploy and run any software (operating systems and/or applications).
The consumer doesn’t manage and control the infrastructure but he controls the operating system, the storage, the deployed applications, and occasionally networking components (firewall, load balancing).
Some providers offer to manage the application if the latter is not too specific and is compatible with the perimeter of their offer.
Offers: Storage, Compute, Services Management.
Covers servers, storage, network, ... The IaaS model consists of having an IT infrastructure available through a cloud computing deployment model. Access to the resource is complete and unrestricted, equivalent in practice to being given a real physical infrastructure. A company can thus, for example, rent Linux, Windows or other servers, which will actually run in a virtual machine at the IaaS provider.
Infrastructure as a Service (IaaS)
This is the base layer of the cloud stack.
It serves as a foundation for the other two layers, for their execution. The keyword behind this stack is Virtualization.
Let us try to understand this using Amazon EC2. In Amazon EC2 (Elastic Compute Cloud) your application will be executed on a virtual computer (instance). You have the choice of virtual computer, where you can select a configuration of CPU, memory & storage that is optimal for your application. The whole cloud infrastructure, viz. servers, routers, hardware-based load balancing, firewalls, storage & other network equipment, is provided by the IaaS provider. The customer buys these resources as a service on a need basis.
Who controls what?
© 2009 IDC
IT Cloud Services Taxonomy
[Figure: IT Cloud Services taxonomy. Labels: Cloud Applications (Apps-as-a-Service); Cloud (Application) Platforms (Platform-as-a-Service); Cloud Infrastructure (Infrastructure-as-a-Service); App Dev/Test; App Deploy.]
All Types of IT Software & Hardware Are or Will Be Offered as Cloud Services…
• Application Development Software; Application Server Middleware; Data Access, Analysis, and Delivery; Information & Data Management; Integration & Process Automation Middleware; Other Application Dev and Deployment; Quality & Life-Cycle Tools; Enterprise Portals
• Servers; Storage; Networks; Clients
• System and Network Management Software; Security Software; Storage Software; System Software
• Collaborative Applications; Content Applications; Enterprise Resource Management Applications; Supply Chain Management Applications; Operations and Manufacturing Applications; Engineering Applications; Customer Relationship Management Applications
[Figure: the IT Cloud Services taxonomy shown against the corresponding primary market in the IDC IT Product Taxonomy. Labels: Applications (Software-as-a-Service); App Dev & Deployment; Systems Infrastructure Software; Systems; Storage.]
…many IT and Network Services will also be transformed and extended to support the cloud service delivery model…
Cloud Services Definition - updated
Cloud Services
Consumer and Business products, services and solutions delivered and consumed in real-time over the Internet
Deployment Models
Public - open to a largely unrestricted universe of potential users; designed for a market, not a single enterprise
Private - designed for, and access restricted to, a single enterprise (or extended enterprise); an internal shared resource, not a commercial offering; IT Org is the “vendor” of the shared/std service to its users
[Note: large gray zones between these two broad categories]
Key Attributes
Shared, standard service – built for a market (public), not a single customer
Solution-packaged – a “turnkey” offering, integrates required resources
Self-service – admin, provisioning; may require some “on-boarding” support
Elastic scaling – dynamic and fine-grained
Use-based pricing – supported by service metering
Accessible via the Internet/IP – ubiquitous (authorized) network access
Standard UI technologies – browsers, RIA clients and underlying technologies
Published service interface/API – e.g., web services APIs
Different types of cloud
• Public clouds
• External private clouds
• Private clouds
• Hybrid clouds
• Community clouds
Public clouds
Infrastructures are shared with a “Pay-as-you-go” model. This off-premise virtualized infrastructure is easily accessible and can be managed through a portal of the provider. The provider can make economies of scale: the homogeneous infrastructures are shared with all the consumers and managed and updated by the Cloud provider. Consumers can choose the infrastructure they need, and choose all the security elements and the uptime (SLA).
External private cloud
We are also seeing an increasing number of External Private Clouds offerings (off-premises): This provides a way for companies to create a logically separated set of virtual machines, a secure VPN connection to their own networks (Virtual Private Network is a secure tunnel through the Internet from a corporate network to provider’s servers).
It also enables the use of existing security and management policies.
Private clouds
Internal pool of resources inside the Data Centers of a company. Internal Private Clouds are sometimes seen as a simple evolution of the classic Information System of an organization but have some characteristics of Public Clouds (they use virtualization and dynamic provisioning).
Private Clouds are for companies that only want to use services that are hosted in-house and do not want to share their infrastructure.
This type of Cloud respects the standard process and security policy of the company but does not offer as many benefits and as much flexibility to the CIO: he always has to invest in the hardware and software.
Hybrid cloud
Combination of different clouds (for example Public and Private Clouds) that allow for transitive information exchange and possibly application compatibility and portability across disparate Cloud service offerings and providers utilizing standard or proprietary methodologies regardless of ownership or location.
COMMUNITY CLOUD
Infrastructures, shared by several organizations, support a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
The US Government and NASA created a community cloud for all US government agencies.
This type of cloud combines two worlds: Public Cloud (different entities sharing their infrastructure) and Private Cloud (specific organizations use their own Data Centers and know with whom they share their infrastructure).
Impact on the organization
• Strategy: What are the impacts on the strategy when it goes from controlling an infrastructure to controlling a process? What new strategies are possible now?
• Systems: What happens to the processes of the IT department? (ITIL, Build versus Run, contract management)
• Structure: How can the IT department be aligned with the business strategy? Does a company need a new organization? What happens to the CIO and the decision making?
• Shared values: Can an organization still work in silos? A key element will be developed in the corporate culture
• Style: Do the managers have to behave differently?
• Staff: What happens to the current employees? New jobs created?
• Skills: What skills do the employees need in this new model?
SOME FIGURES
IT Cloud Services Forecast Update (preliminary)
Worldwide IT Cloud Services Revenue* by Product/Service Type
2009 ($17.4 billion): Applications 49%; App Dev/Deploy 10%; Storage 9%; Servers 12%; Infrastructure Software 20%
2013 ($44.2 billion): Applications 38%; App Dev/Deploy 13%; Storage 14%; Servers 15%; Infrastructure Software 20%
* Includes revenue from delivery of Applications, Application Development & Deployment Software, Systems Infrastructure Software, Server capacity and Disk Storage capacity via the Cloud Services model; AD&D excludes online B2B messaging providers/exchanges
Source: IDC, September 2009
Cloud User Surveys – Adoption Areas
Q: Rate your likelihood to pursue the cloud model for the following
(Scale: 1 = Very Unlikely 5 = Very Likely)
IT/Information Security: 48.6%
Application dev/test/deploy platform: 49.1%
Business Intelligence/Analytics: 49.8%
Server capacity on demand: 50.6%
IT Management software: 51.3%
Storage capacity on demand: 52.9%
Data/Content Distribution services: 54.8%
Personal productivity apps: 55.1%
Business apps (CRM, HR, ERP): 55.6%
Data Back-up or Archive services: 59.4%
Web applications/Web serving: 66.9%
Collaboration applications: 67.3%
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009
Cloud User Surveys – Vendor Requirements
Q: How important is it that cloud service providers…
(Scale: 1 = Not at all important 5 = Very Important)
Have local presence, can come to my offices: 72.9%
Are a technology and business model innovator: 78.3%
Offer both on-premise and public cloud services: 79.2%
Support many of my IT needs: 81.0%
Allow managing on-premise & cloud together: 82.1%
Understand my business and industry: 84.5%
Provide a complete solution: 86.0%
Option to move 'cloud' offerings back on premise: 87.8%
Offer Service Level Agreements (SLAs): 88.6%
Offer competitive pricing: 91.6%
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009
Is this just Hosting 2.0?
No, they have different architectures and business model
Cloud Players: Only few can afford billions dollar investment on data centers
Hosting Players: Hundreds of them around the world
Your contracts
Hosting Players: Often yearly
Cloud Players: Pay As You Go; pay only what you use
Reliability, High Availability, Capacity Elasticity
Cloud Players: Built-in Redundancy; virtually unlimited storage, computing power
Hosting Players: You have to manage reliability, fail over yourself; bring your own or rent servers to increase capacity
Source: Wikipedia
CLOUD BENEFITS
Cloud User Surveys - Benefits
Q: Rate the benefits commonly ascribed to the 'cloud'/on-demand model
(Scale: 1 = Not at all important 5 = Very Important)
Seems like the way of the future: 54.0%
Sharing systems with partners simpler: 63.9%
Always offers latest functionality: 64.6%
Requires less in-house IT staff, costs: 67.0%
Encourages standard systems: 68.5%
Monthly payments: 75.3%
Easy/fast to deploy to end-users: 77.7%
Pay only for what you use: 77.9%
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009
Cloud Features & Benefits for Enterprises
Highly virtualized and standardized infrastructures
Massive scalability
Fault tolerant & highly reliable
Intra- & Inter-cloud load balance
Instant application deployment
Simplified, more efficient IT and application management
Deliver more applications to large number of users
Excellent service quality
Higher utilization at reduced cost
Time-to-market
Cloud Features & Benefits for Users
Highly virtualized and standardized infrastructures
Massive scalability
Fault tolerant & highly reliable
Intra- & Inter-cloud load balance
Instant application deployment
No need to install or update SW or HW; access from any browser
Unlimited use
Always on
Access from anywhere
Many services to choose from
Abstraction
Your business should focus on your core competency & should not worry about security, OS, software platform, updates and patches etc. Leave these chores to your provider.
From an end user’s perspective, you don’t need to care for the OS, the plug-ins, web security or the software platform. Everything should be in place without any worry.
Resource Sharing
Resource Sharing is the beauty of Cloud Computing. This is the concept which helps the cloud providers to attain optimum utilization of resources. Say, a company dealing in gifts may require more server resources during the festive season. A company dealing in Payroll management may require more resources during the end or beginning of the month.
The cloud architecture is implemented in such a way that it provides you the flexibility to share applications as well as other network resources (hardware etc). This will lead to a need-based flexible architecture where the resources will expand or contract with only minor configuration changes.
Advantages of Cloud Computing from a security & governance standpoint (1/2)
Ability to put public data in a Cloud and better protect sensitive data
Fragmentation and dispersal of data
Dedicated security team
Greater investment in security infrastructure
Improved fault tolerance and reliability
Better response to attacks
Protection of hypervisors against network attacks
Gouvernance et Sécurité dans le Cloud Computing : Avantages et Défis. Yves LE ROUX
Advantages of Cloud Computing from a security & governance standpoint (2/2)
Possible reduction of compliance and audit activities
 Statement on Auditing Standards No. 70: Service Organizations
 Automated Audit, Assertion, Assessment, and Assurance API (A6)
Data held by an impartial third party
Lower-cost data storage and recovery solutions
On-demand security controls
Real-time detection of system tampering
Rapid reconstitution of services
Increased ability to build decoy networks (honeynets)
 Capturing a virtual machine does not compromise the host
RISK ANALYSIS
NINE MAJOR RISKS:
LOSS OF CONTROL OVER INFRASTRUCTURE AND DATA
REVERSIBILITY PROBLEMS
MAINTAINING LEGAL COMPLIANCE
DATA LOCATION
SECURITY OF DATA ISOLATION
CONTROL OF DATA LOSS AND DESTRUCTION
DATA RECOVERY
MALICIOUS ACTIONS BY CLOUD ADMINISTRATORS
IDENTITY THEFT
Source: Livre blanc sécurité du Cloud, Syntec Numérique
THE VIRTUES OF SAS 70 CERTIFICATION
Created by the American Institute of Certified Public Accountants, the SAS 70 standard concerns companies that use specialized providers to outsource their services.
It is characterized by independent audits carried out by third parties and on-site process verifications. SAS 70 has two levels (Type I and Type II).
The first covers the description of the company's activities and the suitability of the controls.
The second level assesses their effectiveness through tests whose results are published in the SAS 70 (Type II) report.
Key advantage for the provider: avoiding multiple audits carried out regularly by its various customers. It is also an important means of commercial differentiation.
For client companies, and in particular those subject to the Sarbanes-Oxley Act, SAS 70 certification guarantees in particular the compliance and "good order" of their providers.
Source: Wikipedia
Criticisms and fears
To move forward, we first need to take a step back and remember that the fundamental objective of information security, risk management and governance is to align IT's objectives with those of the business in order to protect the company's assets and create a culture of responsibility toward information.
C. Bianco, VP and General Manager Europe, Qualys
http://www.journaldunet.com/solutions/expert/50552/en-2012--la-securite-sera-la-priorite--1-du-cloud-mobile.shtml?utm_source=benchmail&utm_medium=ML5&utm_campaign=E10212871&f_u=1526808
Identity Access Management
Manage Users/Groups
Manage security credentials
Control access to applications
Control access to specific resources
Control access based on environment variables
Cost: zero
Cloud User Surveys - Challenges
Q: Rate the challenges/issues of the 'cloud'/on-demand model
(Scale: 1 = Not at all concerned 5 = Very concerned)
Not enough ability to customize: 76.0%
Hard to integrate with in-house IT: 76.8%
Bringing back in-house may be difficult: 79.8%
Lack of interoperability standards: 80.2%
On-demand paym’t model may cost more: 81.0%
Performance: 82.9%
Availability: 83.3%
Security: 87.5%
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009
Domaines critiques à étudier pour la gouvernance
Choc culturel - Résistance au changement Gestion des risques de l’entreprise Problèmes légaux
Fuites de données Accès aux données par les organismes gouvernementaux Protection de la vie privée
Mise en conformité et audit Gestion du cycle de vie de l’information
Création, identification, stockage, utilisation, partage, archivage et destruction
Définition des responsabilités
Portabilité et interopérabilité
Gouvernance et Sécurité dans le Cloud Computing : Avantages et Défis. Yves LE ROUX
Domaines critiques à étudier pour la sécurité
Plan de continuité et de reprise d’activités Opérations du ou des centre(s) informatique(s) Réponse, notifications et traitement des incidents Sécurité des applications Chiffrement et gestion des clés Identités et contrôle d’accès Technologie de virtualisation
Cloud Computing challenges from a security & governance perspective
• Trust in the provider's security model, which is often opaque
• Customer response to audit recommendations
• Support for post-incident investigations
• Accountability of administrators who belong to the provider
• Loss of physical control
• Management of virtual machine isolation
• Presence of multi-tenancy
• Software version management
Cloud Computing challenges from a security & governance perspective
• Protection of personal data
▫ Processing in the EEA or in Switzerland, Canada, Argentina, Guernsey, Jersey, the Isle of Man and the Safe Harbour (US)
▫ Internal corporate rules / Binding Corporate Rules
▫ Standard contractual clauses
▫ Transfer authorization
• Right of access of government agencies
▫ Patriot Act, Regulation of Investigatory Powers Act, LOPPSI, etc.
• Legal retention of documents and their production
• Quality of service guarantee
Cloud Computing challenges from a security & governance perspective
• Attractiveness to hackers
• Possibility of a massive outage
• Integration with in-house IT
• Encryption needs
▫ Legal issues (import, export, use)
▫ Encrypted access to the Cloud control interface
▫ Encrypted access to applications
▫ Encryption of stored data
• Data persistence / remanence
• Data aggregation and inference
Cloud Computing challenges from a security & governance perspective
• Securing virtual OSes in the Cloud
• Dependence on hypervisor security
• Identity management in the Cloud
▫ Provisioning / deprovisioning
▫ Authentication
▫ Federation
▫ Management of user profiles and access authorizations
C. Bianco's predictions
http://www.journaldunet.com/solutions/expert/50552/en-2012--la-securite-sera-la-priorite--1-du-cloud-mobile.shtml?utm_source=benchmail&utm_medium=ML5&utm_campaign=E10212871&f_u=1526808
• Proliferation of mobile devices
• Permanent connection of these devices to the Cloud => new security solutions offered by Cloud providers
• Outsourcing of security to the Cloud
• Today, security is poor (Ponemon Institute survey)
• It will therefore also be necessary to verify and audit the security of the solutions offered by Cloud providers
Hope keeps us going, but let us not forget that hope is not a security strategy.
Sources & credits
Some material adapted from:
• Slides by Christophe Bisciglia, Aaron Kimball, & Sierra Michels-Slettvet, Google Distributed Computing Seminar, 2007
• Jimmy Lin, The iSchool, University of Maryland
• B.Singh, www.technopulse.com
• http://www.andyharjanto.com
• Gouvernance et sécurité dans le Cloud Computing : avantages et défis, Yves LE ROUX, CISSP CISM, Principal Consultant
• Cloud Computing in France – A model that will transform companies, Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-computing-in-france
• Architecture for the Cloud: http://www.slideshare.net/AmazonWebServices/2011-aws-tour-australia-architecting-for-the-cloud-demo-and-best-practices-by-simone-brunozzi
Source: Wikipedia
Some legal aspects
Data protection and transfers, new contractual practices and painful international private law issues are the common issues to be
addressed when analysing the phenomenon from a legal point of view. Furthermore, each entity bound by regulatory compliance
constraints has to assess whether "going into the cloud" is wise, or even allowed, taking into account its activities and the data or
processes that it would like to outsource this way. The aim of the conference is to explore the legal contexts of cloud computing
globally, but also from a sector-oriented perspective.
Legal questions related to the Cloud
• Protection of personal data
▫ Personal data located in countries that do not offer a sufficient level of security
▫ Contractual aspects of subcontracting the processing of personal data
• Adhesion contract (signed online without negotiation) or negotiated contract
▫ Confidentiality and security aspects
▫ Liability, indemnification, warranties
▫ Intuitu personae (change of control)
▫ Intellectual property
QUESTIONS ?