Security’s New Normal: Is Cloud the Answer? Prepared by IDC for: Cloud Identity Summit July 2013 Sally J. Hudson Research Director Identity and Access Management BuyerPulse

CIS13: Security's New Normal: Is Cloud the Answer?

Jun 08, 2015



CloudIDSummit

Sally Hudson, Research Director, Security Products and Services, IDC
This session will look at cloud benefits and challenges from a security standpoint and present customer trends and concerns from IDC's demand-side research programs. Special emphasis will be placed on identity issues as they relate to cloud, social and mobile concerns and how they map to the agendas, policies and budgets of the IT enterprise.
Transcript
Page 1: CIS13: Security's New Normal: Is Cloud the Answer?

Security’s New Normal: Is Cloud the Answer? Prepared by IDC for:

Cloud Identity Summit July 2013

Sally J. Hudson Research Director Identity and Access Management BuyerPulse

Page 2

Security Perimeters: New Normal

Page 3

3rd Platform Built on Four Pillars

Page 4

Four Pillars of 3rd Platform:

- Mobile – creates the need for stronger access controls and authentication. Expect more partnerships, acquisitions and innovations in the mobile space.

- Cloud – drives the need for federated single sign-on (FSSO) and authentication, user provisioning and privileged ID management.

- Social Networking – companies want to leverage this, but are cautious due to security concerns. Authentication and federation.

- Big Data – in conjunction with security: rich identity profiles, threat prevention and fraud detection.


Page 5

3rd Platform Customer Requirements

Fixed:

- Global consumer & corporate privacy & security regulations (civil law)

- Law enforcement (criminal law)

- Instantaneous & assured communications with negligible downtime

- Revenue creation and profitability

- Apps (write once, test everywhere)

Fluid:

- Communities of shared interest & social pressures (good, bad, gray)

- Control issues (risk, acceptable speech, reputation, privacy, & trust)

- Under-web of sensors & monitoring

- Services-based approach vs. client-orientation

Page 6

COO’s New Normal: Issues in 2013

Consolidate:

- Consolidate
- Virtualize
- Automate
- Optimize
- Host/Outsource

Collaborate:

- Biz Efficiency
- Innovate
- Modernize
- Mobile/Social
- Biz Analytics

Calculate:

- Actuarial Data
- Predictable Operational Expenses
- Risk
- Compliance

Page 7

Consolidate: Old Issues & New Solutions

New:

- Worldwide core controls that minimize differences
- Auditors collaborate with IT to help design a compliance dashboard for a variety of non-IT groups
- Common worldwide controls that are cloud-based

Old:

- Company siloed by business units and geography
- Custom controls
- Auditors were the enemy
- Senior management confused about corporate-wide policies
- Little anticipation or planning for pending regulations

Page 8

Shifting IT Spend: Private Cloud is near term cloud strategy

Q. Please estimate how much of your company's IT budget will be allocated to buying and managing these different types of IT services

[Chart: stacked 100% bars of IT budget share, "Today" vs "24 Months", across five categories: Public Cloud, Private cloud - Hosted, Private Cloud Inhouse, Outsourced IT, Traditional IT. The Today / 24 Months value pairs shown are 49% / 37%, 16% / 16%, 13% / 19%, 11% / 15% and 11% / 13%; each column sums to 100%.]

- Enterprises see private cloud as the onramp to cloud for the next 24 months

- Automation and elasticity will become the mantra

- Pre-integrated modularity will become critical

Source: IDC’s Cloud Computing Survey, January 2011, n=603

Page 9

Cloud Providers: Can You Trust Them?

- SLAs can offer complete visibility and “partnership” with the Cloud provider

- Capex → Opex expense = making friends with the CEO and CFO again

- Defensible posture and extensible “modular” architecture

- Pay as you go

- And more…

Page 10

Cloud Benefits and Challenges

[Chart: diverging bar chart, benefits plotted as positive percentages and challenges as negative, on a -80% to +80% scale; per-item values are not recoverable.]

Benefits cited:

- Pay-as-you-go (opex)
- Easy/fast to deploy to end-users
- Pay only for what you use
- Allows us to reduce IT headcount
- Makes sharing with partners simpler
- Encourages standard systems
- More sourcing choices
- Faster deployment of new services

Challenges cited:

- Regulatory requirement restrictions
- Performance/response times
- Availability/service provider uptime
- Not robust enough for critical apps
- Not enough ability to customize
- Hard to integrate/manage with in-house IT
- May cost more
- Security

Themes: Reliability, Availability, Security, Total Cost, Time to deploy, Pay for Use, Collaboration

Page 11

Cloud Security & Compliance: Table Stakes for Enterprise Clouds

Q. Rate these statements about cloud security

[Chart: % of sample rating each statement 4 or 5; per-statement values are not recoverable.]

- Issue: Security & compliance
  - Data in motion more important than data at rest
  - Key management stays with customer

- Issue: Metrics
  - Risk guarantees
  - Threats/Attacks
  - Breaches
  - Privileged & Customer Access
  - Continuous Compliance

Page 12

Cloud Security & Compliance: Consumer Cloud Ts & Cs Exclude Security

Indemnification is explicit: “You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand….”

Data locality cannot be guaranteed: “Personal information collected by Google may be stored and processed in the United States or any other country in which Google Inc. or its agents maintain facilities. By using the Service, you consent to any such transfer of information outside of your country….”

Service interruption is permissible: “Yahoo! reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Yahoo! Services (or any part thereof) with or without notice. You agree that Yahoo! shall not be liable to you or to any third party for any modification, suspension or discontinuance of the Yahoo! Services (or any part thereof).….”

Intellectual property rights are abdicated to providers: “By submitting, posting or displaying Content on or through Google services which are intended to be available to the members of the public, you grant Google a worldwide, non-exclusive, royalty-free license to reproduce, publish and distribute such Content on Google services for the purpose of displaying and distributing Google services.….”

- The lack of security in consumer clouds today is explicitly stated in their terms

- Data is an organization’s most valuable asset

- Large providers become a target and a single point of failure

Page 13

Essential Guidance: New Normal & Securing 3rd Platform

[Matrix: security posture (Predictive / Proactive / Reactive) by pillar (Cloud / Mobile / Social Networks / Big Data (Threat Intelligence)).]

Predictive:

- Cloud: Privileged Access Management, Federated Identity, Multi-factor Authentication, Data Protection, & Vulnerability Assessment
- Mobile: Strong Authentication, Data Protection, & Granular Access Controls
- Social Networks: Data Loss Prevention with data protection & justification for violations
- Big Data (Threat Intelligence): Raw and analyzed threat feeds from multiple sources integrated with all management consoles

Proactive:

- Cloud: VPN, Single Sign-On, & Strong Passwords
- Mobile: Mobile Device Management
- Social Networks: Keyword-based monitoring & logging
- Big Data (Threat Intelligence): Network monitoring and SIEM

Reactive:

- Cloud: Access control
- Mobile: Device Password
- Social Networks: Acceptable Use Policy
- Big Data (Threat Intelligence): Signature-based detection

Goals: 1) Timely remediation of existing breaches. 2) Early detection & mitigation of advanced, targeted attacks. 3) Policy monitoring & enforcement of internal and external regulations.

Page 14

Essential Guidance

- Cloud offerings should allow you to examine your IT investments strategically and avoid point-solution thinking

- Make sure your services firm can clearly articulate its differentiated offers, methodologies, tools and processes, certifications and domain expertise before embarking on a major IT transformation or initiative

Page 15

Contact Information

Email me at: [email protected]

Follow me at: twitter.com/@sjhudson11