CONSIDERING CLOUD? LEARN ABOUT CURRENT TRENDS IN CLOUD COMPUTING

Academic year: 2021


(1)

Session ID: ARCH-W08

Session Classification: Intermediate

CONSIDERING CLOUD? LEARN ABOUT CURRENT TRENDS IN CLOUD COMPUTING

Jeff Jones ([email protected])
Frank Simorjay ([email protected])

Microsoft – Trustworthy Computing

(2)

#RSAC

Jeff Jones
• Microsoft Corporation
• Director, Trustworthy Computing
• 25-year Security Guy: DoD, TIS, McAfee, PGP, MSFT
• Microsoft Security Blog & Trustworthy Computing Blog
• @securityjones

Frank Simorjay
• Microsoft Corporation, Trustworthy Computing group
• Sr. Product Manager, Trustworthy Computing
• Author and designer of CSRT, OSA paper, many others
• Work extensively with community - ISSA Distinguished Fellow
• Worked at NFR (small world – Jeff and I both worked with Marcus)

(3)
(4)


Session Objectives

• The reality of security controls in data centers
• Understand potential cloud adoption benefits
• Quickly assess your security control
• Assess the impact of cloud adoption
• We are data geeks

(5)


(6)


(7)

Cloud service models: IaaS, PaaS, SaaS

Essential cloud characteristics: Measured service, Broad network access, Rapid elasticity, Self-service, Resource pooling
(8)

CLOUD PROVIDER responsibility by service model (SaaS, PaaS, IaaS)

RESPONSIBILITY:
• Data classification
• Application level controls
• Client and end point protection
• Network controls
• Physical security
• Identity and access management
• Host security

(9)

BENEFITS and CONCERNS: privacy, security, reliability, scalability, increased agility, flexibility, reduced costs

(10)

Most individuals are confused by cloud computing

(11)


Microsoft Cloud Security Readiness Tool

(12)
(13)
(14)
(15)
(16)

Control / question (each item completes "Which of these statements best describes your organization's ..."):

• security policies and procedures?
• security policies review process?
• security program is updated?
• personnel background checks?
• (NDA) requirements?
• physical access by role?
• security policies and procedures?
• employee change/termination process?
• physical security access method?
• equipment support contracts?
• data classification efforts?
• grants access to data?
• data retention and recovery program?
• destroys data?
• security policies and procedures?
• staging to production requirements?
• application testing using customer data?
• asset inventory program?
• conducts risk assessments?
• responds to an incident?
• disaster recovery plan?
• capacity planning efforts?
• selects its data center location(s)?
• redundancy if utility service outages should occur?
• patch management processes?
• antivirus efforts?
• firewalls to protect data?

(17)
(18)


(19)
(20)


(21)
(22)

[Chart: adoption of Infrastructure As A Service (IaaS), Platform As A Service (PaaS) and Software As A Service (SaaS) by organization size (1 – 4 PCs, 5 – 24 PCs, 25 – 49 PCs, 50 – 249 PCs, 250 – 499 PCs, 500 – 2999 PCs, 3000 – 12499 PCs, 12500 – 24999 PCs, 25000+ PCs); x-axis 0% to 50%]

(23)

Regions: USA/ME/Africa/Australia; Europe/Asia

Reference standards: ISO/IEC 27001-2005, NIST Guidelines, PCI DSS v2.0

(24)
(25)

[Chart: maturity score per question, Q1 to Q27; y-axis -60% to 20%. Callouts: Anti-malware, Incident reporting, Employee agreement, Capacity planning]

Q1: -26.9%   Q2: -26.5%   Q3: -22.8%   Q4: -15.7%   Q5: -41.0%   Q6: -5.8%   Q7: -24.0%
Q8: -24.2%   Q9: -39.4%   Q10: -34.9%  Q11: -52.4%  Q12: -12.7%  Q13: -31.6%  Q14: -25.3%
Q15: -9.0%   Q16: -31.7%  Q17: -30.6%  Q18: -35.6%  Q19: -42.8%  Q20: -25.7%  Q21: -44.3%
Q22: -28.7%  Q23: -32.8%  Q24: -16.4%  Q25: 14.7%   Q26: -12.6%  Q27: -0.4%

Values were assigned to each of the four possible answers (Getting Started, Making Progress, Almost There, Streamlined) for each question: if the answer was Almost There or Streamlined, a +1 value was assigned for maturity.

(26)

Which of these statements best describes your organization's antivirus efforts?

(27)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined) by region: Worldwide, Europe, North America; x-axis 0% to 100%]

(28)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined) by region: Worldwide, Europe, North America; x-axis 0% to 100%]

(29)

Anti-malware protection categories: Unprotected, Intermittently protected

(30)

Which of these statements best describes your organization's nondisclosure agreement (NDA) requirements?

(31)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined); x-axis 0% to 100%]

(32)

Which of these statements best describes your organization's capacity planning efforts?

(33)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined); x-axis 0% to 100%]

(34)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined); x-axis 0% to 25%]

(35)


(36)

Which of these statements best describes how your organization responds to an incident?

(37)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined); x-axis 0% to 100%]

(38)

[Chart: share of responses (Getting Started, Making Progress, Almost There, Streamlined); x-axis 0% to 100%]

(39)


(40)
(41)

Thank you!


Jeff Jones

Microsoft Trustworthy Computing [email protected]

Frank Simorjay

Microsoft Trustworthy Computing

(42)
Microsoft Security Blog & Trustworthy Computing Blog
