What an Enterprise Should Look for in a Cloud Computing Provider
Tom Cecere, Director, Novell Cloud Security Service
March 23, 2010


DESCRIPTION

This session will address the security and compliance aspects that an enterprise should insist on from a cloud provider. The mechanisms for cloud annexation that provide security and compliance will be described and the architecture of Novell Cloud Security Service will be presented. Presenters will emphasize the contribution that Novell Cloud Security Service makes to intelligent workload management because of cloud security and compliance.

TRANSCRIPT

Page 1: What an Enterprise Should Look for in a Cloud Provider

What an Enterprise Should Look for in a Cloud Computing Provider

Tom Cecere
Director, Novell Cloud Security Service
March 23, 2010

Page 2: What an Enterprise Should Look for in a Cloud Provider

© Novell, Inc. All rights reserved.

Takeaways for Today

• Cloud computing offers the potential for big savings and huge increases in flexibility for enterprise IT

• Large enterprises are telling analysts, researchers and cloud providers that it’s hard to trust cloud-based solutions

• But don’t let that fool you – people are using them like mad, with 20-40% growth in 2009 in some sectors

• Security is a primary concern, but it comes in many guises

• Regulations and finances are driving use and risk, leaving you with security holes you never had before

• Security is the responsibility of both you and your vendors of choice

Page 3: What an Enterprise Should Look for in a Cloud Provider

Cloud Computing: What Is It, Why and How Much Do We Use It?

Page 4: What an Enterprise Should Look for in a Cloud Provider


Forrester Definition:

Cloud Computing: A standardized IT capability (services, software, or infrastructure) delivered via the Internet in a pay-per-use, self-service way

Page 5: What an Enterprise Should Look for in a Cloud Provider


Breaking It Down a Bit

Software-as-a-service (Web-based Services)
SaaS … Salesforce.com, Netsuite, Ultimate, Taleo, LinkedIn, Facebook

Software-platform-as-a-service
Google App Engine, Azure, Force

Virtual-infrastructure-as-a-service
IaaS … Amazon, Go-Grid, OpSource, COLT, etc.

Physical-infrastructure-as-a-service
Sun, IBM, Azure

Source: Forrester Research. August 2008 “Future View: The New Tech Ecosystems of Cloud, Cloud Services, and Cloud Computing”

Page 6: What an Enterprise Should Look for in a Cloud Provider


Cloud Computing Really Is the Next Big Thing

Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe

Gartner predicts that the market for total cloud services will reach $150B by 2013

[Chart, FIGURE 12: The two largest users of cloud services. Question asked: "Who are your two largest users of cloud services?" Bars (0% to 60%) for: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO.]

Note: mid-tier sector (250-1000 employees and revenue between $50m and $1b)

Page 7: What an Enterprise Should Look for in a Cloud Provider


Early Cloud Examples

US Army — Testing troop vulnerability application on cloud platform

Eli Lilly — Drug research

Nasdaq — Market Replay service

USA.gov — Public information portal that flexes with traffic fluctuations

Starbucks — My Starbucks Ideas online customer collaboration built on Force.com

Indy500.com — Streams live race footage and statistics

Harvard Medical School — Genetic testing models and simulations

Page 8: What an Enterprise Should Look for in a Cloud Provider


Enterprises Cite Flexibility and On Demand over Cost Reasons for IaaS

"How important were the following in your firm's decision to adopt pay-per-use hosting of virtual servers (also known as cloud computing)?"

Page 9: What an Enterprise Should Look for in a Cloud Provider


SaaS Adoption Growing As Model Matures: $8B in ’09 to $14.7B in ‘12

With Customer Relationship Management and Content/Communication and Collaboration leading the way

Source: Gartner SaaS Trends 2007-2012

Page 10: What an Enterprise Should Look for in a Cloud Provider

Ok, If It’s So Great, Why Not Use the Cloud for Everything?

Page 11: What an Enterprise Should Look for in a Cloud Provider


Security is the Top Challenge for Customers Moving to Cloud Services

Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe

What are the top two most critical challenges for customers looking to move to a utility/cloud?

[Chart, FIGURE 15: Top challenges for customers moving to cloud services. Bars (0% to 50%) for: nervous about security, cultural/organizational (resource ownership), on-premise software/legacy infrastructure, product/service option available, regulation/compliance, availability/uptime, software licensing, CxO sponsorship, shared resources.]

Page 12: What an Enterprise Should Look for in a Cloud Provider


The Two Largest Users of Cloud Services: Mid-tier Enterprise and SaaS Providers

Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed hosters in US and Europe

[Chart, FIGURE 12: The two largest users of cloud services (same chart as on page 6). Question asked: "Who are your two largest users of cloud services?" Bars (0% to 60%) for: mid-tier enterprise, SaaS providers, SMB, developers, enterprise, ISVs, other PaaS, other, SOHO.]

Note: mid-tier sector (250-1000 employees and revenue between $50m and $1b)

Page 13: What an Enterprise Should Look for in a Cloud Provider


Security Worries for Enterprises

Categories shown on the slide: Physical Security, GRC, Manageability, Financial, Contractual.

• Physical data location
• Physical data security
• Identity, compliance
• Manageability of resources in the cloud
• Multiple identities to manage
• Compliance enforcement
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles / policies across multiple services
• Cloud workload management
• Usable for a broader set of workloads
• Audit
• Need to rewrite internal applications
• How to leverage existing investments in the data center
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References

Page 14: What an Enterprise Should Look for in a Cloud Provider


Page 15: What an Enterprise Should Look for in a Cloud Provider

What Are the Key Risks?

Page 16: What an Enterprise Should Look for in a Cloud Provider

Summary: The Cloud Amplifies IT Challenges and Opportunities

• Data that is safe for you to store inside your firewall is now outside

• Access to compute resources that your company is paying for is available with simple user name/password authentication

• Your compute jobs may be running on many machines; may be backed up on many storage networks, and may be exported without your knowledge

Identity, authorization and audit for employees, customers, patients and workloads is the future of computing security!

Page 17: What an Enterprise Should Look for in a Cloud Provider

What Do Enterprises Have To Do?

Page 18: What an Enterprise Should Look for in a Cloud Provider


Attach the Same Governance and Access Policies to the Cloud as We Have Internally

[Diagram: Governance and Compliance spanning the Internal Cloud (on-premise) and the External Cloud (off-premise), with a Firewall between them. Internal capacity: Legacy; abstracted and disaggregated IT resources. External capacity: Managed Outsource Provider, Telco, Amazon EC2, consumed as Software as a Service, Platform as a Service and Infrastructure as a Service. Management layers: Business Service Management, IT Service Management.]

Page 19: What an Enterprise Should Look for in a Cloud Provider


Action Items

• Do a Cloud Computing Discovery project

– Don’t forget to ask Accounting how many purchase orders and credit card reimbursements you have to Amazon Web Services!

– Software usage analysis will discover SaaS products being used at your site

• Ask your CISO (or if you are one, your team ☺) to prepare a report card on the security issues we’ve discussed

• Every new cloud computing provider should be evaluated both in terms of positives and in terms of security impact

Page 20: What an Enterprise Should Look for in a Cloud Provider

Sample Cloud Computing Report Card: Acme Platform Services

Categories shown on the report card: Physical Security, GRC, Manageability, Financial, Contractual.

• Physical data location
• Physical data security
• Identity, compliance
• Manageability of resources in the cloud
• Multiple identities to manage
• Compliance enforcement
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles/policies across multiple services
• Cloud workload management
• Usable for a broader set of workloads
• Audit
• Need to rewrite internal applications
• How to leverage existing investments in the data center
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References

Page 21: What an Enterprise Should Look for in a Cloud Provider


Action Items (cont)

• Make a plan to solve the worst 3 problems in 2010

• Prohibit any more cloud providers until their offerings easily snap into YOUR access and governance policies

– Consider a portal where you can control (or even require multiple authentication methods for) access to Cloud resources

• Insist on audit information you can use from your current providers

• Investigate managed clouds from trusted MSPs

Page 22: What an Enterprise Should Look for in a Cloud Provider

What Should I Expect from My Cloud Vendors?

Page 23: What an Enterprise Should Look for in a Cloud Provider


Vendors

SAS 70

Other transparency

Identity protection and user-controlled access/authorization

Audit trail

Trusted Cloud Initiative

Page 24: What an Enterprise Should Look for in a Cloud Provider


SAS 70 Certification

• Created by the American Institute of Certified Public Accountants

• Represents that a service organization has been through an in-depth audit of its control objectives and control activities, which often include controls over information technology and related processes

• An independent “service auditor” issues an opinion on the servicer’s controls, usable by the servicer and their customers

• Type I: a snapshot on a specific date, self-reported

• Type II: opinion delivered about ongoing controls

Page 25: What an Enterprise Should Look for in a Cloud Provider


Other Transparency Issues

• Who can reach data?

• What level of encryption is available? Practical?

• Where is data located?

• Where is the computer located?

• SLA terms (Microsoft requires an NDA to even see their SLA model agreement!)

Page 26: What an Enterprise Should Look for in a Cloud Provider


Identity Protection

• What is the process for:

– Provisioning identities?

– Guarding them?

– De-provisioning with role changes?

• Does vendor support multi-factor authentication?

• Do they support standards-based federation?

Page 27: What an Enterprise Should Look for in a Cloud Provider


Audit/GRC

• How do you find out what’s going on inside your vendor’s data center?

• How do you check up on SLA terms?

• Can you reconcile information you do receive with the rest of your GRC inspection regime?

• Is sensitive data moving through scale-out or through backup?

Page 28: What an Enterprise Should Look for in a Cloud Provider


Trusted-Cloud Initiative

Novell/CSA partnership initiative now prominently displayed to CSA members

Page 29: What an Enterprise Should Look for in a Cloud Provider

Responsibility

Categories shown on the slide: Physical Security, GRC, Manageability, Financial, Contractual. Each item is marked on the slide as a Vendor, Enterprise or Joint responsibility.

• Physical data location
• Physical data security
• Identity creation
• Manageability of resources in the cloud
• Simplify identity management
• Compliance enforcement
• Responsive provisioning/de-provisioning users across multiple services
• How to apply roles/policies across multiple services
• Cloud workload management
• Ability to move workloads to different vendor(s)
• Audit
• Avoid re-writing internal applications
• Leveraging existing investments in the data center
• Software licensing problems
• SLAs, proof of 99.99+% uptime
• Intellectual property concerns
• References

Legend: Vendor / Enterprise / Joint

Page 30: What an Enterprise Should Look for in a Cloud Provider

Questions

Page 31: What an Enterprise Should Look for in a Cloud Provider
Page 32: What an Enterprise Should Look for in a Cloud Provider

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.