Sally Hudson, Research Director, Security Products and Services, IDC
This session will look at cloud benefits and challenges from a security standpoint and present customer trends and concerns from IDC's demand-side research programs. Special emphasis will be placed on identity issues as they relate to cloud, social and mobile concerns and how they map to the agendas, policies and budgets of the IT enterprise.
CIS13: Security's New Normal: Is Cloud the Answer?
1. Security’s New Normal: Is Cloud the Answer?
Prepared by IDC for: Cloud Identity Summit, July 2013
Sally J. Hudson, Research Director, Identity and Access Management, BuyerPulse
4. Four Pillars of the 3rd Platform:
§ Mobile – creates the need for stronger access controls and authentication. Expect more partnerships, acquisitions and innovations in the mobile space.
§ Cloud – drives the need for FSSO and authentication, user provisioning, and privileged ID management.
§ Social Networking – companies want to leverage this, but are cautious due to security concerns. Needs: authentication and federation.
§ Big Data – in conjunction with security: rich identity profiles, threat prevention and fraud detection.
5. 3rd Platform Customer Requirements
Fixed
§ Global consumer & corporate privacy & security regulations (civil law)
§ Law enforcement (criminal law)
§ Instantaneous & assured communications with negligible downtime
§ Revenue creation and profitability
§ Apps (write once, test everywhere)
Fluid
§ Communities of shared interest & social pressures (good, bad, gray)
§ Control issues (risk, acceptable speech, reputation, privacy & trust)
§ Under-web of sensors & monitoring
§ Services-based approach vs. client orientation
6. COO’s New Normal: Issues in 2013
Consolidate
§ Consolidate
§ Virtualize
§ Automate
§ Optimize
§ Host/Outsource
Collaborate
§ Biz Efficiency
§ Innovate
§ Modernize
§ Mobile/Social
§ Biz Analytics
Calculate
§ Actuarial Data
§ Predictable Operational Expenses
§ Risk
§ Compliance
7. Consolidate: Old Issues & New Solutions
§ New
q Worldwide core controls that minimize differences
q Auditors collaborate with IT to help design a compliance dashboard for a variety of non-IT groups
q Common worldwide controls that are cloud-based
§ Old
q Company siloed by business units and geography
q Custom controls
q Auditors were the enemy
q Senior management confused about corporate-wide policies
q Little anticipation or planning for pending regulations
8. Shifting IT Spend: Private Cloud is the near-term cloud strategy
Q. Please estimate how much of your company's IT budget will be allocated to buying and managing these different types of IT services.
[Chart: share of IT budget, Today vs. 24 Months, by category: Public Cloud; Private Cloud – Hosted; Private Cloud – In-house; Outsourced IT; Traditional IT]
§ Enterprises see private cloud as the on-ramp to cloud for the next 24 months
§ Automation and elasticity will become the mantra
§ Pre-integrated modularity will become critical
Source: IDC’s Cloud Computing Survey, January 2011, n=603
9. Cloud Providers: Can You Trust Them?
§ SLAs can offer complete visibility and “partnership” with the cloud provider
§ Capex → Opex expense = making friends with the CEO and CFO again
§ Defensible posture and extensible “modular” architecture
§ Pay as you go
§ And more…
10. Cloud Benefits and Challenges
[Chart: percentage of respondents citing each item; benefits plotted to the right (0% to 80%), challenges to the left (0% to -80%)]
Benefits: Pay-as-you-go (opex); Easy/fast to deploy to end-users; Pay only for what you use; Allows us to reduce IT headcount; Makes sharing with partners simpler; Encourages standard systems; More sourcing choices; Faster deployment of new services
Challenges: Regulatory requirement restrictions; Performance/response times; Availability/service provider uptime; Not robust enough for critical apps; Not enough ability to customize; Hard to integrate, manage w/ in-house IT; May cost more; Security; Reliability
Key themes called out on the chart: Availability, Security, Total Cost, Time to deploy, Pay for Use, Collaboration
11. Cloud Security & Compliance: Tablestakes for Enterprise Clouds
Q. Rate these statements about cloud security (% of sample rating 4 & 5)
§ Issue: Security & compliance
§ Data in motion more important than data at rest
§ Key management stays with customer
§ Issue: Metrics
§ Risk guarantees
§ Threats/Attacks
§ Breaches
§ Privileged & Customer Access
§ Continuous Compliance
12. Cloud Security & Compliance: Consumer Cloud T’s & C’s Exclude Security
Indemnification is Explicit
“You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand…”
Data Locality Cannot be Guaranteed
“Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using the Service, you consent to any such transfer of information outside of your country…”
Service Interruption is Permissible
“Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Yahoo! Services (or any part thereof) with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Yahoo! Services (or any part thereof)…”
Intellectual Property Rights are Abdicated to Providers
“By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, publish and distribute such Content on Google services for the purpose of displaying and distributing Google services…”
§ Lack of security in consumer clouds today is explicitly stated
§ Data is an organization’s most valuable asset
§ Large providers become a target and a single point of failure
13. Essential Guidance: New Normal & Securing the 3rd Platform
Matrix of controls by maturity level (Reactive → Proactive → Predictive) across Cloud, Mobile, Social Networks, and Big Data (Threat Intelligence):
Predictive
§ Cloud: Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection & Vulnerability Assessment
§ Mobile: Strong Authentication, Data Protection & Granular Access Controls
§ Social Networks: Data Loss Prevention with data protection & justification for violations
§ Big Data: Raw and analyzed threat feeds from multiple sources integrated with all management consoles
Proactive
§ Cloud: VPN, Single Sign-On & Strong Passwords
§ Mobile: Mobile Device Management
§ Social Networks: Keyword-based monitoring & logging
§ Big Data: Network monitoring and SIEM
Reactive
§ Cloud: Access control
§ Mobile: Device Password
§ Social Networks: Acceptable Use Policy
§ Big Data: Signature-based detection
Goals: 1) Timely remediation of existing breaches. 2) Early detection & mitigation of advanced, targeted attacks. 3) Policy monitoring & enforcement of internal and external regulations.
14. Essential Guidance
§ Cloud offerings should allow you to examine your IT investments strategically and avoid point-solution thinking
§ Make sure your services firm can clearly articulate their differentiated offers, methodologies, tools and processes, certifications and domain expertise before embarking on a major IT transformation or initiative