CONTROLLING CLOUDS: BEYOND SAFETY
GORDON HAFF (@ghaff)
CLOUD EVANGELIST
NOVEMBER 2013
ABOUT ME
Red Hat Cloud Evangelist
Twitter: @ghaff
Google+: Gordon Haff
Email: ghaff@redhat.com
Blog: http://bitmason.blogspot.com
Flickr: http://www.flickr.com/photos/bitmason/
Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer
IS IT SAFE?
SAFETY =~ INTEGRITY, PRIVACY, CONTINUITY, SECURITY
Credit: Jackman Chiu, cc/flickr
http://www.flickr.com/photos/lewolf011/7283101824
BUT IN THE WORDS OF INIGO MONTOYA
THE REALITY (IN TWITTER SHORTHAND)
WHAT I’LL COVER
What’s new
What isn’t new
Certifications
The broader view—examples from the Cloud Security Alliance
WHAT’S NEW-ISH
Shared responsibility model
New (higher) levels of abstraction
“Rules of the road” still developing
SHARED RESPONSIBILITY: CLOUD PROVIDER VIEW
Source: Cloud Security Alliance
ABSTRACTIONS HIDE (BY DESIGN)
Service models: IaaS, PaaS, SaaS
Stack, top to bottom:
APPLICATION
APPLICATION PLATFORM (JBOSS, PHP, RUBY, ETC)
OPERATING SYSTEM (RHEL)
VIRTUALIZATION (RHEV)
HARDWARE (x86)
STORAGE (RHS)
Legend: managed and controlled by customer (IT, Dev, or User) vs. automated and managed by the public or private cloud offering
Axes: Increased Control / Increased Automation
PERVASIVE
SELF-SERVICE
CONSUMERIZED EXPECTATIONS
SCALE
Credit: Julie Blaustein, cc/flickr
http://www.flickr.com/photos/25138992@N00/4960914218
BROADLY: CLOUD IS SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE
BUT MUCH DOESN’T CHANGE
“If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.”
Chris Hoff
Credit: Michael Rosenstein, cc/flickr
http://www.flickr.com/photos/michaelcr/1508784073/
ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD
ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery
ITIL practices can help design cloud computing as appropriate end-to-end services
COST/BENEFIT STILL APPLIES
RISK = LIKELIHOOD * IMPACT
Source: ENISA
EXAMPLE: COMPLIANCE CHALLENGES
THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
SAS 70: Specifically created for financial auditors of service organizations
ISO/IEC 27001: Information security management system standard published in 2005
PCI DSS: For organizations processing credit card transactions
FedRAMP Security Controls: Framework for US Federal agencies
HIPAA: US healthcare
SOC 2 AND 3
Report can be issued on one or more Trust Services Principles: Security, Availability, Processing integrity, Confidentiality, Privacy
Type 1: Suitability of design
Type 2: Suitability of design and effectiveness
SOC 3 is a condensed public version of SOC 2
Mostly in the US today
See www.webtrust.org
CSA CLOUD CONTROLS MATRIX
98 “control areas” in 11 categories
Example: Security Architecture - Production / Non-Production Environments
Each mapped to areas of relevance
Examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships
Each mapped to relevant regulations and certifications
Examples: NIST, PCI DSS
11 DOMAINS
Compliance (CO)
Operations Management (OM)
Data Governance (DG)
Risk Management (RI)
Facility Security (FS)
Release Management (RM)
Human Resources (HR)
Resiliency (RS)
Information Security (IS)
Security Architecture (SA)
Legal (LG)
Some examples…
COMPLIANCE
Audit controls: Limitations of third-party auditability can be a concern for public cloud users
Regulatory mapping: Can be especially important to understand where data resides
Credit: Evan Long, cc/flickr
http://www.flickr.com/photos/clover_1/1178035169/
DATA GOVERNANCE
Controls to prevent data leaks in a multi-tenant environment
Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures
Support for Virtual Private Clouds (VPC) on Amazon Web Services
INFORMATION SECURITY
Identity and Access Control
Store and manage timely identity information about every person who accesses the cloud resources and determine their level of access
Still evolving for cloud use cases, but critical to get it right
SECURITY ARCHITECTURE
Multi-factor authentication: card keys + PIN
Establishment and implementation of encryption policies
Key management
User policies for mobile devices
SECURITY ARCHITECTURE
Segmentation and restricted connections in network environments
“Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”
One of the reasons VPCs are interesting to many organizations
BUT IT’S NOT ABOUT BEING AN INHIBITOR
Remember the cost/benefit tradeoff
Your organization is (almost certainly) using public clouds
A private cloud that doesn’t provide cloud agility isn’t a cloud
Automation, streamlined process, clearly-defined policy help users and reduce risk
SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
Deloitte Cloud Computing Risk Intelligence Map
Cloud Computing Security Risk Assessment
CSIS 20 Critical Security Controls
Cloud Security Alliance STAR and Cloud Controls Matrix
Links:
http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
http://www.cloudsecurityalliance.org
http://www.sans.org/critical-security-controls/guidelines.php
FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
“The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.”
JOSHUA CORMAN
QUESTIONS?
THANK YOU.
Gordon Haff
ghaff@redhat.com
Twitter: @ghaff
Google+: Gordon Haff
Blog: bitmason.blogspot.com
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Controlling Clouds: Beyond Safety

  • 15. COST/BENEFIT STILL APPLIES
      RISK = LIKELIHOOD * IMPACT
      Source: ENISA
  • 17. THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
      - SAS 70: specifically created for financial auditors of service organizations
      - ISO/IEC 27001: information security management system standard published in 2005
      - PCI DSS: for organizations processing credit card transactions
      - FedRAMP: security controls framework for US Federal agencies
      - HIPAA: US healthcare
  • 18. SOC 2 AND 3
      - Report can be issued on one or more Trust Services Principles: security, availability, processing integrity, confidentiality, privacy
      - Type 1: suitability of design
      - Type 2: suitability of design and effectiveness
      - SOC 3 is a condensed public version of SOC 2
      - Mostly in the US today
      - See www.webtrust.org
  • 19. CSA CLOUD CONTROLS MATRIX
      - 98 “control areas” in 11 categories; example: Security Architecture - Production / Non-Production Environments
      - Each mapped to areas of relevance; examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships
      - Each mapped to relevant regulations and certifications; examples: NIST, PCI DSS
  • 20. 11 DOMAINS
      Compliance (CO), Data Governance (DG), Facility Security (FS), Human Resources (HR), Information Security (IS), Legal (LG), Operations Management (OM), Risk Management (RI), Release Management (RM), Resiliency (RS), Security Architecture (SA)
      Some examples…
  • 21. COMPLIANCE
      - Audit controls: limitations of third-party auditability can be a concern for public cloud users
      - Regulatory mapping: can be especially important to understand where data resides
      Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/
  • 22. DATA GOVERNANCE
      - Controls to prevent data leaks in a multi-tenant environment
      - Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures
      - Support for Virtual Private Clouds (VPC) on Amazon Web Services
  • 23. INFORMATION SECURITY
      - Identity and Access Control: store and manage timely identity information about every person who accesses the cloud resources and determine their level of access
      - Still evolving for cloud use cases, but critical to get it right
  • 24. SECURITY ARCHITECTURE
      - Multi-factor authentication (card keys + PIN)
      - Establishment and implementation of encryption policies
      - Key management
      - User policies for mobile devices
  • 25. SECURITY ARCHITECTURE
      - Segmentation and restricted connections in network environments
      - “Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”
      - One of the reasons VPCs are interesting to many organizations
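The segmentation requirement on slide 25 (traffic between organizations on a shared network must be covered by a documented plan of compensating controls) is the kind of control that can be checked mechanically against a network's rule set rather than only asserted in a policy document. The following Python is an added example, not code from this deck or from Red Hat: the Rule model is hypothetical (it is not any cloud provider's API), and the tenant address plan, the allow-list of internet-facing ports, the control reference "SEG-PLAN-007" and the sample rules are all constructed. It flags two things: ingress from the whole internet on anything but the allow-listed ports, and ingress from another tenant's address space that cites no documented compensating control.

```python
"""Segmentation policy check over a constructed set of cloud firewall rules.

Added example: the Rule model is hypothetical (not any provider's API), and the
tenant address plan, internet allow-list and sample rules are constructed data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed tenant address plan: which address space belongs to which tenant.
TENANT_NETWORKS = {
    "tenant-a": ipaddress.ip_network("10.10.0.0/16"),
    "tenant-b": ipaddress.ip_network("10.20.0.0/16"),
}

# Assumed allow-list of ports an organisation deliberately exposes to the internet.
INTERNET_ALLOWED_PORTS = {443}


@dataclass
class Rule:
    tenant: str                      # tenant whose network the rule is attached to
    direction: str                   # "ingress" or "egress"
    protocol: str                    # "tcp", "udp", "icmp" or "-1" for any protocol
    from_port: int
    to_port: int
    source: str                      # CIDR the rule admits traffic from
    compensating_control: str = ""   # reference to the documented plan, if any


@dataclass
class Finding:
    rule: Rule
    reason: str


def check_rule(rule: Rule) -> list[Finding]:
    """Return the segmentation findings for one rule (ingress rules only)."""
    if rule.direction != "ingress":
        return []
    src = ipaddress.ip_network(rule.source, strict=False)
    findings = []

    if src.prefixlen == 0:
        # Internet-wide ingress: tolerated only on allow-listed TCP ports.
        ports = set(range(rule.from_port, rule.to_port + 1))
        if rule.protocol != "tcp" or not ports <= INTERNET_ALLOWED_PORTS:
            findings.append(Finding(rule, "internet-wide ingress outside the allow-listed ports"))
        return findings

    # Cross-tenant ingress: acceptable only when a documented compensating control is cited.
    for other, net in TENANT_NETWORKS.items():
        if other != rule.tenant and src.overlaps(net) and not rule.compensating_control:
            findings.append(Finding(
                rule, f"admits traffic from {other} ({net}) with no documented compensating control"))
    return findings


def audit(rules: list[Rule]) -> list[Finding]:
    """Run check_rule over a whole rule set, preserving rule order."""
    return [finding for rule in rules for finding in check_rule(rule)]


# Constructed sample rule set: tenant-a's network plus one egress rule for tenant-b.
SAMPLE_RULES = [
    Rule("tenant-a", "ingress", "tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS: allowed
    Rule("tenant-a", "ingress", "tcp", 22, 22, "0.0.0.0/0"),         # SSH open to the world
    Rule("tenant-a", "ingress", "tcp", 5432, 5432, "10.20.5.0/24"),  # tenant-b subnet reaches the DB, undocumented
    Rule("tenant-a", "ingress", "tcp", 8080, 8080, "10.20.0.0/16", "SEG-PLAN-007"),  # documented shared link
    Rule("tenant-a", "ingress", "tcp", 3306, 3306, "10.10.0.0/16"),  # intra-tenant: fine
    Rule("tenant-b", "egress", "-1", 0, 65535, "0.0.0.0/0"),         # egress is out of scope here
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.rule.tenant}: {f.rule.protocol}/{f.rule.from_port}-{f.rule.to_port} "
              f"from {f.rule.source}: {f.reason}")
```

Run against the sample set it reports two findings: the world-reachable SSH rule and the undocumented cross-tenant database rule; the 8080 rule passes because it names a control reference, which is exactly the "documented plan" the slide's quoted requirement asks for. In a real deployment the address plan and allow-list would be loaded from the organization's own records rather than hard-coded.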
  • 26. BUT IT’S NOT ABOUT BEING AN INHIBITOR
      - Remember the cost/benefit tradeoff
      - Your organization is (almost certainly) using public clouds
      - A private cloud that doesn’t provide cloud agility isn’t a cloud
      - Automation, streamlined process, clearly-defined policy help users and reduce risk
  • 27. SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
      - Deloitte Cloud Computing Risk Intelligence Map: http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
      - Cloud Computing Security Risk Assessment: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
      - CSIS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/guidelines.php
      - Cloud Security Alliance STAR and Cloud Controls Matrix: http://www.cloudsecurityalliance.org
  • 28. FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
      “The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.” JOSHUA CORMAN
  • 29. QUESTIONS? THANK YOU.
      Gordon Haff, ghaff@redhat.com, Twitter: @ghaff, Google+: Gordon Haff, Blog: bitmason.blogspot.com