Cloud Security for Life Science R&D

This is a very short slide deck I did for a 10-minute slot on a http://pistoiaalliance.org/ webinar. The slides do not fully cover what I intend to talk about so if the webinar is recorded and available afterwards I'll update this description with the recording URL.

PDF copy of the slides available upon request ("chris@bioteam.net")

Slide 1: slideshare.net/chris_dag chris@bioteam.net @chris_dag

Slide 2: Not an expert. Not a pundit. Just a cynical practitioner (with a view inside many organizations …)

Slide 3: Today's Debate Question
Heartbleed, Russian hackers, Target, HomeDepot, and iCloud breaches - Have the recent high visibility cases of intrusions and data theft altered your plans to move to the cloud?

Slide 4: My Answer
Nope. Not really.
Slide 5: Why
My $.02 on why I don't see major cloud roadmap changes
‣ Same Threat: Heartbleed? Hackers? Malware? Social Engineering? We face these threats in ANY environment (local / cloud)
‣ Abandon Hope: If the adversary is a state actor or backed by sovereign nation resources YOU WILL BE COMPROMISED. Location is irrelevant at this threat level
‣ Get Over Yourself: IaaS providers run at exa-scale in one of the most hostile environments imaginable. I trust their engineering and operational controls/rigor more than your local stuff (And I've seen your local stuff …)
‣ Additional Capability: Some cloud environments offer security related capabilities that would be impractical or impossible to deploy in-house
‣ Hard; Not Impossible: The building blocks exist and keep getting better. The design patterns and best practices are coalescing

Slide 6 repeats slide 5.
Slide 7: Get Over Yourself - Engineering and Operational Rigor
‣ Warning flags go off in my head whenever I see IT staff demanding security controls that they themselves have been unable to deploy within their own tiny empires. Is that politics, fear or empire preservation that I'm smelling?
‣ 100% virtual and "software defined everything" is a huge advantage when it comes to inventory management, automation, configuration management and systems orchestration – Advantage: cloud provider
‣ I feel comfortable stating that the large IaaS providers have better, broader and more comprehensive security engineering, operational controls, event logging, incident response and configuration management than the rest of us mere mortals who operate at a MUCH smaller scale
‣ Let's talk about Heartbleed as an example …
Slide 8: Additional Capability - "Software defined EVERYTHING" offers advantages
Can you do this in-house across your global R&D infrastructure?

AWS IAM
‣ Ultra fine-grained identity management and role-based access control
‣ Can link or federate IAM IDs to Active Directory etc.
‣ Individual credentials per user, team, application, workflow, pipeline or collaboration
‣ Incredible control over what each credential set is allowed to see / do

AWS CloudTrail
‣ Systemic audit log of every API access call made across your global cloud footprint
‣ Every user, every device, every IP address, every location across the globe
‣ Delivered directly to your log analytics or incident management platform of choice (even off-site)

AWS VPC
‣ Software defined subnets allow for role-based logical segmentation
‣ Software defined routing rules and policies control traffic within and between subnets
‣ Software defined ACL and network egress/ingress rules can be applied to VPCs, subnets and even individual services
Slide 9: Hard. Not impossible. - We have the technology …
‣ The beauty of IaaS cloud platforms is that they provide the basic building blocks that we then assemble into architectures that perform useful functions
‣ Of course, this means that much of the responsibility for security falls on our shoulders. Can't blame the provider if we screw up badly enough …
‣ Running securely on IaaS platforms is largely a function of starting with the proper building blocks and gluing them together with proper monitoring, logging, configuration control and operational oversight
‣ Huge risk: Cloud access barrier is so low that we need to watch out for "scientists with departmental credit cards" doing stupid/unsafe things.
  • The role of IT will change. Instead of being the gatekeepers our new role is going to evolve towards being responsible for cloud architectures and "best practices". The scientists will control (W)hat, (W)here and (H)ow large
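Slides 8 and 9 make the case that CloudTrail's per-call audit log, shipped to your own analytics platform, is the "glue" that turns IAM and VPC building blocks into an operated environment. The following is an added example (not from the deck or from AWS) of the minimal kind of review that glue should perform over a CloudTrail export: flag console logins without MFA, flag IAM permission changes, and flag calls from outside an expected network. The record field names follow the public CloudTrail record format; the four sample records and the 203.0.113.0/24 "trusted" range are constructed for the example.

```python
"""Review CloudTrail-style records for events worth alerting on.

Added example, not part of the original slide deck. Field names follow the
public CloudTrail record format; the sample records below are constructed.
"""
import ipaddress
import json

# Constructed sample export, trimmed to the fields this check reads.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-10-01T12:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-10-01T12:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.77",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-10-01T12:10:00Z", "eventName": "PutUserPolicy",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "pipeline-svc"},
     "sourceIPAddress": "203.0.113.20"},
    {"eventTime": "2014-10-01T12:15:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.11"},
]})

# Hypothetical campus / VPN egress range; anything outside it is "unexpected".
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# IAM API calls that change who may do what; each one should open a ticket.
IAM_MUTATIONS = {"PutUserPolicy", "AttachUserPolicy", "CreateAccessKey",
                 "CreateUser", "PutRolePolicy", "AttachRolePolicy"}


def _trusted(ip):
    """True if the source address is inside one of TRUSTED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail may record a service name instead of an IP
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_records(raw_json):
    """Return (userName, eventName, reason) tuples for records worth alerting on."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        name = rec["eventName"]
        ip = rec.get("sourceIPAddress", "")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            findings.append((user, name, "console login without MFA"))
        if name in IAM_MUTATIONS:
            findings.append((user, name, "IAM permission change"))
        if not _trusted(ip):
            findings.append((user, name, f"call from untrusted address {ip}"))
    return findings


if __name__ == "__main__":
    for user, event, reason in review_records(SAMPLE_CLOUDTRAIL):
        print(f"{user:14} {event:18} {reason}")
```

Run against the sample it reports three findings: bob's console login twice (no MFA, and from an address outside the trusted range) and the policy change made by the pipeline service account. In a real deployment the trusted ranges and the list of sensitive API names come from configuration control, and the output feeds the incident management platform the slide refers to rather than stdout.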
Slide 10: IaaS Cloud Sobriety
‣ Any oaf can sell virtual servers and block storage and call it a "cloud"
‣ A real IaaS environment for secure R&D requires far more building blocks
‣ Quite a few outfits are just slapping marketing lipstick on top of OpenStack or VMWare and excreting hype-filled press releases
‣ In 2014 I generally only work with 2 providers:
  • Amazon Web Services: By far the largest set of building blocks and still the best environment for undifferentiated / flexible scientific computing environments. Nobody comes close when it comes to the breadth and depth of service offerings
  • Google: Less "general purpose" than Amazon but still the Real Deal. There are significant and compelling engineering, performance, pricing, capability and service offerings that can be very very attractive for R&D and informatics use cases
Slide 11: slideshare.net/chris_dag chris@bioteam.net @chris_dag