Evaluating Risks of Cloud Based Services
1. Evaluating Risks of Cloud-Based Services
Ronald Poserina
Symantec.cloud - Director, Enterprise & Partners
2. What Does It Take to be Secure?
The Three T’s
• Talent
• Time
• Technology
Evaluating Risks of Cloud-based Services SYMANTEC VISION 2011 2
3. Three T’s: Talent, Time, & Technology
Talent
• Do you have personnel that are knowledgeable on security risks
and can lead your organization in best risk management
practices?
• Are you willing to devote the financial resources to recruitment,
training (initial and on-going), and personnel management?
4. Three T’s: Talent, Time, & Technology
Time
• Are your security defenses monitored and managed around the
clock?
• Can your security personnel respond with sufficient speed and
effectiveness to new security threats?
• Do you have the financial means to devote this time?
5. Three T’s: Talent, Time, & Technology
Technology
• In today’s and tomorrow’s dynamic and increasingly
sophisticated and stealthy threat environment, do you have the
most up-to-date and optimal mix of security technologies?
• As your organization’s working methods change (e.g., more
distributed, mobile, collaborative, modular), is your security in
synch?
• Time and $$$ again, do you have the resources to stay current
on security innovations, evaluate products, test, and deploy?
7. Consider the Benefits: Services from the Cloud
Lower TCO
• Predictable expense (OPEX)
• Reduced infrastructure costs (heating, cooling, rack-space, etc.)
Simplification
• Simplifies your architecture
• Simplifies IT operations and management
Security
• Best-of-breed layered threat protection in real-time
• Stops threats before they reach corporate network
Scalability
• Able to grow or reduce with your business
Ease of use
• Centralized management consoles and policy control
• 24/7 expert support
8. Can I Trust Public Clouds?
9. Top SaaS Concerns (% of respondents)
[Chart: series labelled Public and Private; values not preserved]
Source: IDC, Cloud Computing Attitudes, April 2010, n = 255.
10. Common Questions About the Cloud
• Data Locality – Where is my data?
• Data Access – Who can access my data in your company?
• Data Segregation – How is my data segregated from other
customers?
• Regulatory Compliance – What do I need to know?
11. Data Locality – Which Data Centers?
South Africa
12. Data Access – What Controls are in Place?
Change Control Processes
Multi-Factor Authentication
Secure data storage
Logging and audit trails
Threat modelling
Tracking code execution
Data path through systems
Ethical Hack/Penetration testing
Hashes used for all passwords
Encryption in motion / Encryption at rest
13. Physical Security
• Biometrics (palm print, retina scan, fingerprint reader);
numerical entry pad; smart card swipe system; physical locks
• Systems situated in locked cages or suites
• Independent CCTV system within our suites/cages
• All access is logged and tracked and must be pre-scheduled
14. Data Security
• Developer access restricted to test systems
• Access Entitlement Reviews
• Use ISO 27001 standards for all employee vetting, and controls
• Limited access to physical mail to small monitored population
• Access to production infrastructure is via a secure segregated
management network and encrypted protocols such as SSH and
RDP over TLS
• Access to production systems via two-factor authentication
• Controls over access to configuration files, system binaries, etc.
16. Availability Concerns
• Do you guarantee system availability?
• In case of a major disaster, what major systems do you have in
place?
17. Addressing Availability
• Remove Single Points of Failure
– Multiple systems, datacenters, feeds & vendors
– Geographically diverse operations centers
• Capacity Planning
• Business Continuity Planning
18. Perceived Loss of Control
• How do I know what the cloud is doing with my data?
• What capabilities will I have to control policy?
• Reporting and metrics are important and I need access on
demand.
• What trouble-shooting or diagnostic tools will I have?
• How reliable and helpful will the vendor's support team be?
19. Control Concerns – Management Portal
• Policy Management
• Reporting Access
• Troubleshooting / Tracking
• Multi-tiered levels of access
• Alerting and service news
20. Control Concerns – Getting Help
• 24x7x365 Global Technical Support Dedicated to SaaS Service
– Portal / Email / Telephone
– Multilingual
• Extensive documentation
• Online training videos
• Implementation plans
• Best Practices
21. Reputation – Who’s Using the Provider?
Over 32,000 customers and billions of mails and web transactions processed daily
22. Service Level Agreements
• Know what you’re paying for
• Review contract terms and understand how SLAs apply
• Ask how SLAs are reported on
• What are you entitled to in the event SLAs aren't met?
• Compare SLAs of vendors you're considering for like services
23. Service Level Agreements
• AntiSpam effectiveness: SLA 99%, February 2011 performance 99.99997%
• Spam false positive rate: SLA 0.0003%, February 2011 performance 0.000007%
• AntiVirus false positive rate: SLA 0.0001%, February 2011 performance 0.000003%
• Email & Web Service Availability: SLA 100%, February 2011 performance 100%
24. The Symantec.cloud Difference
Delivery
• SLA focused service model
– 100% Availability and 100% Virus protection (known and unknown)
– 99% Spam capture
– Latency guarantee: under 60 seconds for email, 100 ms for web
• Security focused
– SAS 70 Type II Audits on Datacenters
• Global Infrastructure
25. The Symantec.cloud Difference
Technology
• 13 Years of Experience in Delivering IT solutions from the cloud
• Skeptic™ Heuristics
• Converged Threat Analysis
• Integrated reporting and policy management
• Network design and Capacity planning
26. The Symantec.cloud Difference
Support
• Non-standard Support Model
• Dedicated Technical resources
27. Rowan Trollope: 6 tips for companies moving into the cloud 1
1. Reputation - Check out the reputation of the service provider:
How long have they been offering cloud services, bearing in
mind that size isn't everything; many big companies are piling
into the market but don't know what they are doing
2. Security - Security is key. Really understand how secure your
data have to be, and ask the vendor how they would solve
your security problems
3. Resiliency - Investigate how the cloud provider makes back-up
copies of your data, how you can move the data to another
provider, and what happens if the provider goes out of
business
28. Rowan Trollope: 6 tips for companies moving into the cloud 1
4. Service Levels - Work hard to get a good service level
agreement with clear financial penalties to ensure a good
service.
5. Certification - Be wary of industry certifications, because they
capture just a moment in time. Do your own research on how
the vendor is performing
6. Try it out - Finally, try the service. The beauty of cloud
computing is that it's easy to switch on and off. Obviously
don't start your cloud adventure with confidential data or
mission-critical systems, but if the service works for you, you
can expand.