What an Enterprise Should Look for in a Cloud Computing Provider
Tom Cecere, Director, Novell Cloud Security Service
March 23, 2010
© Novell, Inc. All rights reserved.2
Takeaways for Today
• Cloud computing offers the potential for big savings and huge increases in flexibility for enterprise IT
• Large enterprises are telling analysts, researchers and cloud providers that it’s hard to trust cloud-based solutions
• But don’t let that fool you – people are using them like mad, with 20-40% growth in 2009 in some sectors
• Security is a primary concern, but it comes in many guises
• Regulations and finances are driving use and risk, leaving you with security holes you never had before
• Security is the responsibility of both you and your vendors of choice
Cloud Computing: What Is It, Why and How Much Do We Use It?
Forrester Definition:
Cloud Computing: A standardized IT capability (services, software, or infrastructure) delivered via the Internet in a pay-per-use, self-service way
Breaking It Down a Bit
Software-as-a-service / Web-based Services
Software-platform-as-a-service
Virtual-infrastructure-as-a-service
Physical-infrastructure-as-a-service
SaaS … Salesforce.com, Netsuite, Ultimate, Taleo, LinkedIn, Facebook
IaaS … Amazon, Go-Grid, OpSource, COLT, etc.
Google App Engine, Azure, Force
Sun, IBM, Azure
Source: Forrester Research. August 2008 “Future View: The New Tech Ecosystems of Cloud, Cloud Services, and Cloud Computing”
Cloud Computing Really Is the Next Big Thing
Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
Gartner predicts that the market for total cloud services will reach $150B by 2013
FIGURE 12. The two largest users of cloud services (bar chart, 0% to 60%). Survey question: "Who are your two largest users of cloud services?" Categories: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO.
Note: mid-tier sector (250-1000 employees and revenue between $50m and $1b)
Early Cloud Examples
US Army — Testing troop vulnerability application on cloud platform
Eli Lilly — Drug research
Nasdaq — Market Replay service
USA.gov — Public information portal that flexes with traffic fluctuations
Starbucks — My Starbucks Ideas online customer collaboration built on Force.com
Indy500.com — Streams live race footage and statistics
Harvard Medical School — Genetic testing models and simulations
Enterprises Cite Flexibility and On Demand over Cost Reasons for IaaS
“How important were the following in your firm's decision to adopt pay-per-use hosting of virtual servers (also known as cloud computing)?”
SaaS Adoption Growing As Model Matures: $8B in ’09 to $14.7B in ’12
With Customer Relationship Management and Content/Communication and Collaboration leading the way
Source: Gartner SaaS Trends 2007-2012
Ok, If It’s So Great, Why Not Use the Cloud for Everything?
Security is the Top Challenge for Customers Moving to Cloud Services
Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
What are the top two most critical challenges for customers looking to move to a utility/cloud?
FIGURE 15. Top challenges for customers moving to cloud services (bar chart, 0% to 50%). Categories: nervous about security, cultural/organizational (resource ownership), on-premise software/legacy infrastructure, product/service option available, regulation/compliance, availability/uptime, software licensing, CxO sponsorship, shared resources.
The Two Largest Users of Cloud Services: Mid-tier Enterprise and SaaS Providers
Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe
FIGURE 12. The two largest users of cloud services (bar chart, 0% to 60%). Survey question: "Who are your two largest users of cloud services?" Categories: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO.
Note: mid-tier sector (250-1000 employees and revenue between $50m and $1b)
Security Worries for Enterprises
Physical Security
• Physical data location
• Physical data security
GRC
• Identity, compliance
• Manageability of resources in the cloud
• Multiple identities to manage
• Compliance enforcement
Manageability
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles/policies across multiple services
• Cloud workload management
• Usable for a broader set of workloads
Financial
• Audit
• Need to rewrite internal applications
• How to leverage existing investments in the data center
Contractual
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References
What Are the Key Risks?
Summary: The Cloud Amplifies IT Challenges and Opportunities
• Data that is safe for you to store inside your firewall is now outside
• Access to compute resources that your company is paying for is available with simple user name/password authentication
• Your compute jobs may be running on many machines, may be backed up on many storage networks, and may be exported without your knowledge
Identity, authorization and audit for employees, customers, patients and workloads are the future of computing security!
What Do Enterprises Have To Do?
Attach the Same Governance and Access Policies to the Cloud as We Have Internally
[Diagram labels: Governance and Compliance; Business Service Management; IT Service Management; Firewall. Internal Cloud (on-premise): Internal Capacity (Legacy), Internal Capacity (abstracted and disaggregated IT resources). External Cloud (off-premise): External Capacity (Managed Outsource Provider, Telco, Amazon EC2). Service layers: Software as a Service, Platform as a Service, Infrastructure as a Service.]
Action Items
• Do a Cloud Computing Discovery project
– Don’t forget to ask Accounting how many purchase orders and credit card reimbursements you have to Amazon Web Services!
– Software usage analysis will discover SaaS products being used at your site
• Ask your CISO (or if you are one, your team ☺) to prepare a report card on the security issues we’ve discussed
• Every new cloud computing provider should be evaluated both in terms of positives and in terms of security impact
Sample Cloud Computing Report Card: Acme Platform Services
Physical Security
• Physical data location
• Physical data security
GRC
• Identity, compliance
• Manageability of resources in the cloud
• Multiple identities to manage
• Compliance enforcement
Manageability
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles/policies across multiple services
• Cloud workload management
• Usable for a broader set of workloads
Financial
• Audit
• Need to rewrite internal applications
• How to leverage existing investments in the data center
Contractual
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References
Action Items (cont)
• Make a plan to solve the worst 3 problems in 2010
• Prohibit any more cloud providers until their offerings easily snap into YOUR access and governance policies
– Consider a portal where you can control (or even require multiple authentication methods for) access to Cloud resources
• Insist on audit information you can use from your current providers
• Investigate managed clouds from trusted MSPs
What Should I Expect from My Cloud Vendors?
Vendors
SAS 70
Other transparency
Identity protection and user-controlled access/authorization
Audit trail
Trusted Cloud Initiative
SAS 70 Certification
• Created by American Institute of Certified Public Accountants
• Represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes
• Independent “service auditor” issues opinion on servicer’s controls, usable by servicer and their customers
• Type I: a snapshot on a specific date, self reported
• Type II: Opinion delivered about ongoing controls
Other Transparency Issues
• Who can reach data?
• What level of encryption is available? Practical?
• Where is data located?
• Where is computer located?
• SLA terms (Microsoft requires an NDA to even see their SLA model agreement!)
Identity Protection
• What is the process for:
– Provisioning identities?
– Guarding them?
– De-provisioning with role changes?
• Does vendor support multi-factor authentication?
• Do they support standards-based federation?
Audit/GRC
• How do you find out what’s going on inside your vendor’s data center?
• How do you check up on SLA terms?
• Can you reconcile information you do receive with the rest of your GRC inspection regime?
• Is sensitive data moving through scale-out or through backup?
Trusted-Cloud Initiative
Novell/CSA partnership initiative now prominently displayed to CSA members
Responsibility
Physical Security
• Physical data location
• Physical data security
GRC
• Identity creation
• Manageability of resources in the cloud
• Simplify identity management
• Compliance enforcement
Manageability
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles/policies across multiple services
• Cloud workload management
• Ability to move workloads to different vendor(s)
Financial
• Audit
• Avoid re-writing internal applications
• Leveraging existing investments in the data center
Contractual
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References
Legend: Vendor / Enterprise / Joint
Questions