CONSIDERING CLOUD? LEARN ABOUT CURRENT TRENDS IN CLOUD COMPUTING

Jeff Jones ([email protected]), Microsoft Trustworthy Computing
Frank Simorjay ([email protected]), Microsoft Trustworthy Computing

Session ID: ARCH-W08
Session Classification: Intermediate

Aug 21, 2018


vulien

Page 2

Who are these guys?

Company
• Microsoft Corporation
• Trustworthy Computing group

Jeff Jones
• Director, Trustworthy Computing
• 25-year Security Guy: DoD, TIS, McAfee, PGP, MSFT
• Microsoft Security Blog & Trustworthy Computing Blog
• @securityjones

Frank Simorjay
• Sr. Product Manager, Trustworthy Computing
• Author and designer of CSRT, OSA paper, many others
• Work extensively with community - ISSA Distinguished Fellow
• Worked at NFR (small world – Jeff and I both worked with Marcus)

Page 4

Session Objectives

► The reality of security controls in data centers

► Understand potential cloud adoption benefits

► Quickly assess your security control

► Assess the impact of cloud adoption

► We are data geeks

► Our idea of fun is strange, maybe yours is as well

Page 5

What You Will Hear Today

Page 6

Overview

Page 7

IaaS

PaaS

SaaS

Measured service

Broad network access

Rapid elasticity

Self-service

Resource pooling

Page 8

CLOUD PROVIDER

SaaS PaaS IaaS RESPONSIBILITY:

Data classification

Application level controls

Client and end point protection

Network controls

Physical security

Identity and access management

Host security

CLOUD CUSTOMER

Page 9

BENEFITS

privacy security reliability

scalability increased agility

flexibility Reduced costs

CONCERNS

Page 10

Most Individuals confused by cloud computing

Page 11

Microsoft Cloud Security Readiness Tool www.microsoft.com/trustedcloud

Page 14

Cloud Security Readiness Tool

Page 15

How it works

Page 16

Control / question

security policies and procedures?

security policies review process?

security program is updated?

personnel background checks?

(NDA) requirements?

physical access by role?

security policies and procedures?

employee change/termination process?

physical security access method?

equipment support contracts?

data classification efforts?

grants access to data?

data retention and recovery program?

destroys data?

security policies and procedures?

staging to production requirements?

application testing using customer data?

asset inventory program?

conducts risk assessments?

responds to an incident?

disaster recovery plan?

capacity planning efforts?

selects its data center location(s)?

redundancy if utility service outages should occur?

patch management processes?

antivirus efforts?

firewalls to protect data?

time setting policies?

Page 18

CSRT Demo

Page 20

Cloud Trends

Page 22

[Chart: y-axis 0% to 50%; x-axis categories: 1 – 4 PCs, 5 – 24 PCs, 25 – 49 PCs, 50 – 249 PCs, 250 – 499 PCs, 500 – 2999 PCs, 3000 – 12499 PCs, 12500 – 24999 PCs, 25000+ PCs; series: Infrastructure As A Service (IaaS), Platform As A Service (PaaS), Software As A Service (SaaS)]

Page 23

USA/ME/Africa/Australia

ISO/IEC 27001-2005, NIST Guidelines, PCI DSS v2.0

Europe/Asia

ENISA, NIST Guidelines, PCI DSS v2.0

Page 25

[Chart: y-axis -60% to 20%; x-axis categories: Q1 to Q27]

Data labels, in extracted order: -26.9%, -26.5%, -22.8%, -15.7%, -41.0%, -5.8%, -24.0%, -24.2%, -39.4%, -34.9%, -52.4%, -12.7%, -31.6%, -25.3%, -9.0%, -31.7%, -30.6%, -35.6%, -42.8%, -25.7%, -44.3%, -28.7%, -32.8%, -16.4%, 14.7%, -12.6%, -0.4%

► Anti-malware

► Incident reporting

► Employee agreement

► Capacity planning

Values were assigned to each of the four possible answers for each question:

If the answer was Almost There or Streamlined, a +1 value was assigned for maturity.

If the answer was Getting Started or Making Progress, a -1 value was assigned for maturity.

Page 26

Which of these statements best describes your organization's antivirus efforts?

Page 27

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Europe, North America]

Page 28

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Europe, North America]

Page 29

Unprotected

Intermittently protected

Always protected

Page 30

Which of these statements best describes your organization's nondisclosure agreement (NDA) requirements?

Page 31

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Asia, Europe, North America]

Page 32

Which of these statements best describes your organization's capacity planning efforts?

Page 33

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Asia, Europe, North America]

Page 34

[Chart: y-axis 0% to 25%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Small/Mid, Enterprise]


Page 36

Which of these statements best describes how your organization responds to an incident?

Page 37

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Asia, Europe, North America]

Page 38

[Chart: y-axis 0% to 100%; categories: Getting Started, Making Progress, Almost There, Streamlined; series: Worldwide, Europe, North America]


Page 41

Thank you!


Jeff Jones

Microsoft Trustworthy Computing

[email protected]

Frank Simorjay

Microsoft Trustworthy Computing

[email protected]
