1. Security of, for & by Cloud – A synopsis
LAKSHMI SUBRAMANIAN
A P R I L 2 3 RD, 2 0 1 2

2. Talk Outline
2

3. State of art
3

4. Cloud Computing - Simplified value network
SOURCE: Cloud Computing - Outsourcing 2.0 or a new Business Model for IT Provisioning?, TU Munich 4

5. Cloud computing players
SOURCE: A map of major cloud players, Bessemer Cloudscape, Dec 2011 5

6. Why do we care about Cloud
security?
Security of Cloud
 Cloud security – Current scenario
 Several data breach cases
 Challenges to Cloud security
?
 Comparison between traditional and Cloud security
6

7. Greatest outsourcing concerns (n=200)
SOURCE: Cloud Security Insights for IT Strategic planning, Intel IT Center, Sep 2011 7

8. SOURCE: CompTIA’s 9th Annual Information Security Trends (based on 500 US IT and business executives)
8

9. Several cases of data breaches
9

10. Predicted challenges to Cloud security
Insecure layered
Attractive target Interfaces
Advanced
Persistent threats
Insider attacks Challenges
Resource
sharing issues
Unforeseen risks
Data isolation in
Adoption of BYOD multi tenancy
& cloud computing
10

11. Comparison in terms of security
Traditional networks Cloud networks
Most of the present day security controls apply for both the networks
• who Who does what?
Defined
Single client – His Data isolation
data and applications and life cycle
monitoring?
The more transparency with the
Contractual obligations between Do’s and Don’ts of the
stakeholders – regular process stakeholders – the more better
11

12. What is the approach to provide
security for Cloud?
Security for Cloud
 Cloud security controls – Defense in depth
 Approach to resolve underlying threats
 Revisiting challenges
12

13. Cloud Security Controls – Defense in depth
SOURCE: Cloud security sub-team, Cloud standards customer council, Jan 2012 13

14. Approach to resolving underlying threats
 Cost savings reinvested to improvise security
 CIA – key consideration for any security related issue
 Collaborative governance structure between customers and providers
 Contractually enforcing security requirements
 Compliance and exceptions as required for risk management policies of
companies
 Simulation of incident scenarios and appropriate risk treatment plan
 Defense in depth strategy
 Improving awareness among the cloud users will help them play safe
14

15. Revisiting the challenges
Reinvest Insecure layered
Interfaces
Attractive target
Insider attacks
Advanced Defense
Challenges
persistent threats in depth
& CIA
Compliance, Risk Resource
management, sharing issues
& SLA
Unforeseen risks
Data isolation in
Adoption of BYOD multi tenancy
& cloud computing
Awareness
15

16. How does cloud provide
security?
Security by Cloud
 Security as a Service (SeaaS)
 Future prospects
 SeaaS in cloud for Smartphones
16

17. Security as a service
 Gartner predicts – Cloud based anti-malware, anti-
spyware will generate 60% of the revenue by 2013
 CSA focuses on SeaaS from a service provider point of view
17

18. Possible Cloud based security services
 Identity Management
 Data loss Protection
 Web Security
 Email Security
 IDS/IPS
 Encryption
 Business Continuity and Disaster Recovery
 Network Security
18

19. Future prospects
 Feasibility analysis of the proposed security services
 Framing typical implementation guidelines
 Analysing pros and cons of in-house and cloud based
security services
 Deriving the essence of this aspect in its entirety
19

20. SeaaS in Cloud for Smartphones
20

21. CONCLUSIONS
 CIA will and should remain the key consideration for IT Security
success
 Cloud computing is NOT as ALIEN as it is presumed to be
 DEFENSE in DEPTH is a powerful strategy
 ALL STAKEHOLDERS are in a way RESPONSIBLE for a cloud security
breach
 Understanding WHAT DIFFERENCES cloud adoption could make
specifically is important
 ADDRESSING these issues can help build a SAFE TOMORROW
21

22. THANK YOU
22