What an Enterprise Should Look for in a Cloud Provider

What an Enterprise Should Look for
in a Cloud Computing Provider

Tom Cecere
Director, Novell Cloud Security Service
March 23, 2010

Takeaways for Today

• Cloud computing offers the potential for big savings and huge
increases in flexibility for enterprise IT
• Large enterprises are telling analysts, researchers and
cloud providers that it’s hard to trust cloud-based solutions
• But don’t let that fool you – people are using them like mad,
with 20-40% growth in 2009 in some sectors
• Security is a primary concern, but it comes in many guises
• Regulations and finances are driving use and risk, leaving you
with security holes you never had before
• Security is the responsibility of both you and your vendors of
choice

2 © Novell, Inc. All rights reserved.

Cloud Computing:
What Is It, Why and How Much Do We Use It?

Forrester Definition:

Cloud Computing: A standardized
IT capability (services, software, or
infrastructure) delivered via the
Internet in a pay-per-use,
self-service way


Breaking It Down a Bit

SaaS … Salesforce.com, Netsuite,
Web-based Services Software-as-a-service Ultimate, Taleo, LinkedIn, Facebook

Software-platform-as-a-service Google App Engine, Azure, Force

Virtual-infrastructure-as-a-service Sun, IBM, Azure

IaaS … Amazon, Go-Grid,
Physical-infrastructure-as-a-service OpSource, COLT, etc.

Source: Forrester Research. August 2008 “Future View: The New Tech Ecosystems of Cloud, Cloud Services,
and Cloud Computing”

Cloud Computing
Really Is the Next Big Thing
Who are your two largest users of cloud services?
FIGURE 12. The two largest users of cloud services
MID TIER ENTERPRISE

SAAS PROVIDERS

SMB

DEVELOPERS Note: mid-tier sector
ENTERPRISE (250-1000 employees
and revenue between
ISV'S
$50m and $1b)
OTHER PAAS

OTHER

SOHO

0% 10% 20% 30% 40% 50% 60%

Gartner predicts that the market for total
cloud services will reach $150B by 2013
Source: Tier 1 research “Cloud Infrastructure Services – Managed Hosters”, based on poll of top 50 managed
hosters in US and Europe

Early Cloud Examples

US Army — Testing troop vulnerability
application on cloud platform
Eli Lilly — Drug research
Nasdaq — Market Replay service
USA.gov — Public information portal
that flexes with traffic fluctuations
Starbucks — My Starbucks Ideas
online customer collaboration built on
Force.com
Indy500.com — Streams live race
footage and statistics
Harvard Medical School — Genetic
testing models and simulations

Enterprises Cite Flexibility and On Demand
over Cost Reasons for IaaS
“How important were the following in your firm's decision to adopt pay-per-use hosting of virtual servers
(also known as cloud computing)?”


SaaS Adoption Growing As Model
Matures: $8B in ’09 to $14.7B in ‘12

With Customer Relationship Management and
Content/Communication and Collaboration
leading the way
9 © Novell, Inc. All rights reserved. Source: Gartner Saas Trends 2007-2012

Ok, If It’s So Great,
Why Not Use the Cloud for Everything?

Security is the Top Challenge for
Customers Moving to Cloud Services
What are the top two most critical challenges for customers looking to move to a utility/cloud?

FIGURE 15. Top challenges for customers moving to cloud services

NERVOUS ABOUT SECURITY

CULTURAL/ORGANIZATIONAL
(RESOURCE OWNERSHIP)

ON PREMISE SOFTWARE/LEGACY
INFRASTRUCTURE

PRODUCT/SERVICE OPTION AVAILABLE

SHARED RESOURCES

REGULATION/COMPLIANCE

AVAILABLILITY/UPTIME

SOFTWARE LICENSING

CxO SPONSORSHIP

0% 10% 20% 30% 40% 50%


The Two Largest Users of Cloud Services:
Mid-tier Enterprise and SaaS Providers
Who are your two largest users of cloud services?

FIGURE 12. The two largest users of cloud services

MID TIER ENTERPRISE

SAAS PROVIDERS Note: mid-tier sector
(250-1000 employees
SMB and revenue between
$50m and $1b)
DEVELOPERS

ENTERPRISE

ISV'S

OTHER PAAS

OTHER

SOHO

0% 10% 20% 30% 40% 50% 60%


Security Worries for Enterprises
Physical Security GRC Manageability
• Physical data location • Identity, compliance • Responsive provisioning/de-
• Physical data security • Manageability of resources provisioning users across
in the cloud multiple services
• Multiple identities to • How to apply roles / policies
manage across multiple services
• Compliance enforcement • Cloud workload
management
• Usable for a broader set of
workloads

Financial Contractual
• Audit • Software licensing problems
• Need to rewrite internal • SLAs, proof of 99.99+%
applications uptime
• How to leverage existing • Intellectual property
investments in the data concerns
center • References


Security Worries for Enterprises
• Physical data location • Identity, compliance • Responsive provisioning/de-
• Physical data security • Manageability of resources provisioning users across
in the cloud multiple services
• Multiple identities to • How to apply roles / policies
management
workloads

• Audit • Software licensing problems
• Need to rewrite internal • SLAs, proof of 99.99+%
applications uptime
• How to leverage existing • Intellectual property
investments in the data concerns
center • References


Summary
The Cloud Amplifies IT Challenges and Opportunities

• Data that is safe for you to store inside your firewall is now outside
• Access to compute resources that your company is paying for is
available with simple user name/password authentication
• Your compute jobs may be running on many machines; may be
backed up on many storage networks, and may be exported
without your knowledge

Identity, authorization and audit for employees,
customers, patients and workloads is the future
of computing security!


What Do Enterprises Have To Do?

Attach the Same Governance and Access
Policies to the Cloud as We Have Internally
Internal Cloud External Cloud
(on-premise) (off-premise)

Business Service Management

Software
IT Service Management as a Service

Platform
as a Service
Internal Internal External
Capacity Capacity Capacity Infrastructure
Legacy Abstracted and Managed as a Service
disaggregated Outsource
IT resources Provider
Telco
Amazon EC2

Governance and Compliance

Firewall

Action Items

• Do a Cloud Computing Discovery project
– Don’t forget to ask Accounting how many purchase orders and
credit card reimbursements you have to Amazon Web Services!
– Software usage analysis will discover SaaS products being
used at your site

• Ask your CISO (or if you are one, your team ☺) to
prepare a report card on the security issues we’ve
discussed
• Every new cloud computing provider should be
evaluated both in terms of positives and in terms of
security impact

Sample Cloud Computing Report Card
Acme Platform Services
• Physical data location • Identity, compliance • Responsive provisioning/
• Physical data security • Manageability of de-provisioning users
resources in the cloud across multiple services
• Multiple identities to • How to apply roles/policies
management
workloads

• Audit • Software licensing
• Need to rewrite internal problems
applications • SLAs, proof of 99.99+%
• How to leverage existing uptime
investments in the data • Intellectual property
center concerns
• References


Action Items (cont)

• Make a plan to solve the worst 3 problems in 2010
• Prohibit any more cloud providers until their offerings
easily snap into YOUR access and governance policies
– Consider a portal where you can control (or even require
multiple authentication methods for) access to Cloud resources

• Insist on audit information you can use from your
current providers
• Investigate managed clouds from trusted MSPs


What Should I Expect from
My Cloud Vendors?

Vendors

SAS 70
Other transparency
Identity protection and user-controlled
access/authorization
Audit trail
Trusted Cloud Initiative

SAS 70 Certification

• Created by American Institute of Certified Public
Accountants
Represents that a service organization has been
through an in-depth audit of their control objectives and
control activities, which often include controls over
information technology and related processes
• Independent “service auditor” issues opinion on
servicer’s controls, useable by servicer and their
customers
• Type I: a snapshot on a specific date, self reported
• Type II: Opinion delivered about ongoing controls

Other Transparency Issues

• Who can reach data?

• What level of encryption is available? Practical?

• Where is data located?

• Where is computer located?

• SLA terms (Microsoft requires an NDA to even see
their SLA model agreement!)


Identity Protection

• What is the process for:

– Provisioning identities?

– Guarding them?

– De-provisioning with role changes?

• Does vendor support multi-factor authentication?

• Do they support standards-based federation?


Audit/GRC

• How do you find out what’s going on inside your
vendor’s data center?

• How do you check up on SLA terms?

• Can you reconcile information you do receive with
the rest of your GRC inspection regime?

• Is sensitive data moving through scale-out or
through backup?


Trusted-Cloud Initiative

Novell/CSA partnership
initiative now prominently
displayed to CSA members

Responsibility
• Physical data location • Identity creation • Responsive provisioning/
• Physical data security • Manageability of de-provisioning users
resources in the cloud across multiple services
• Simplify identity • How to apply roles/policies
management across multiple services
management
• Ability to move workloads to
different vendor(s)

• Audit • Software licensing
• Avoid re-writing internal problems Vendor
applications • SLAs, proof of 99.99+%
Enterprise
• Leveraging existing uptime
investments in the data • Intellectual property Joint
center concerns
• References


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

What an Enterprise Should Look for in a Cloud Provider

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie What an Enterprise Should Look for in a Cloud Provider

Ähnlich wie What an Enterprise Should Look for in a Cloud Provider (20)

Mehr von Novell

Mehr von Novell (20)

What an Enterprise Should Look for in a Cloud Provider