CONSIDERING CLOUD? LEARN ABOUT CURRENT TRENDS IN CLOUD COMPUTING
#RSAC
Session ID: ARCH-W08
Session Classification: Intermediate
Jeff Jones ([email protected]), Microsoft – Trustworthy Computing
Frank Simorjay ([email protected]), Microsoft – Trustworthy Computing
Who are these guys?

Company
• Microsoft Corporation
• Trustworthy Computing group

Jeff Jones
• Director, Trustworthy Computing
• 25-year security guy: DoD, TIS, McAfee, PGP, MSFT
• Microsoft Security Blog & Trustworthy Computing Blog
• @securityjones

Frank Simorjay
• Sr. Product Manager, Trustworthy Computing
• Author and designer of the CSRT, the OSA paper and many others
• Works extensively with the community – ISSA Distinguished Fellow
• Worked at NFR (small world – Jeff and I both worked with Marcus)
Session Objectives
► The reality of security controls in data centers
► Understand potential cloud adoption benefits
► Quickly assess your security controls
► Assess the impact of cloud adoption
► We are data geeks
► Our idea of fun is strange, maybe yours is as well
What You Will Hear Today
Cloud service models: IaaS, PaaS, SaaS
Essential characteristics of cloud computing (the five defined by NIST): measured service, broad network access, rapid elasticity, self-service, resource pooling
Shared responsibility: cloud provider vs. cloud customer, by service model (SaaS, PaaS, IaaS)
Control areas whose ownership is split between provider and customer:
• Data classification
• Application level controls
• Client and end point protection
• Network controls
• Physical security
• Identity and access management
• Host security
The provider's share of these controls grows from IaaS through PaaS to SaaS. At the two ends of the list the split does not move: physical security of the data center is always the provider's, and classifying the data (and so deciding what may go to the cloud at all) is always the customer's.
Benefits and concerns of cloud adoption (as listed on the slide): privacy, security, reliability, scalability, increased agility, flexibility, reduced costs
Most individuals are confused by cloud computing
Microsoft Cloud Security Readiness Tool (CSRT): www.microsoft.com/trustedcloud

Cloud Security Readiness Tool: controls and questions
Each CSRT question has the form "Which of these statements best describes your organization's …?" (the four example questions later in the deck show the full wording). The control topic that completes each question:
• security policies and procedures?
• security policies review process?
• security program is updated?
• personnel background checks?
• nondisclosure agreement (NDA) requirements?
• physical access by role?
• security policies and procedures?
• employee change/termination process?
• physical security access method?
• equipment support contracts?
• data classification efforts?
• grants access to data?
• data retention and recovery program?
• destroys data?
• security policies and procedures?
• staging to production requirements?
• application testing using customer data?
• asset inventory program?
• conducts risk assessments?
• responds to an incident?
• disaster recovery plan?
• capacity planning efforts?
• selects its data center location(s)?
• redundancy if utility service outages should occur?
• patch management processes?
• antivirus efforts?
• firewalls to protect data?
• time setting policies?
Cloud Trends
[Chart: cloud service adoption by organization size (1–4 PCs, 5–24, 25–49, 50–249, 250–499, 500–2999, 3000–12499, 12500–24999, 25000+ PCs), one series each for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS); y-axis 0–50%]
Standards and guidance referenced, by region:
• USA / Middle East / Africa / Australia: ISO/IEC 27001:2005, NIST guidelines, PCI DSS v2.0
• Europe / Asia: ENISA, NIST guidelines, PCI DSS v2.0
[Chart: net maturity score per CSRT question, Q1–Q27; y-axis -60% to +20%. Highlighted questions: anti-malware, incident reporting, employee agreement, capacity planning. Values as extracted (the mapping of values to question numbers is not recoverable from the extracted text): -26.9%, -26.5%, -22.8%, -15.7%, -41.0%, -5.8%, -24.0%, -24.2%, -39.4%, -34.9%, -52.4%, -12.7%, -31.6%, -25.3%, -9.0%, -31.7%, -30.6%, -35.6%, -42.8%, -25.7%, -44.3%, -28.7%, -32.8%, -16.4%, 14.7%, -12.6%, -0.4%. Only one question scores positive (14.7%); for every other control more respondents answered in the lower two maturity bands than in the upper two.]
Values were assigned to each of the four possible answers for each question:
If the answer was Almost There or Streamlined, a +1 value was assigned for maturity.
If the answer was Getting Started or Making Progress, a -1 value was assigned for maturity.
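The scoring rule above, implemented as an added example (this is not the CSRT's own code). It applies the slide's +1/-1 assignment per answer and then, as an assumption the slide does not spell out, aggregates to a per-question percentage as the mean of those values across respondents, so -100% means every respondent sits in the lower two bands and +100% means every respondent sits in the upper two. It also reproduces the per-region band distribution shown in the later bar charts. The respondents, regions and answers are constructed sample data, not survey results.

```python
"""Maturity scoring for CSRT-style survey answers (added example; not the tool's own code).

Scoring rule from the slide: each question has four possible answers;
"Almost There" and "Streamlined" count +1 toward maturity, "Getting Started"
and "Making Progress" count -1.  ASSUMPTION: the per-question percentage on
the chart is the mean of those +1/-1 values across respondents.  The responses
below are constructed sample data, not survey results.
"""
from collections import Counter, defaultdict

ANSWER_VALUE = {
    "Getting Started": -1,
    "Making Progress": -1,
    "Almost There": 1,
    "Streamlined": 1,
}
BANDS = tuple(ANSWER_VALUE)  # in the order the charts use, least to most mature

# Constructed sample data: (region, control question, answer).
SAMPLE_RESPONSES = [
    ("Europe",        "antivirus efforts",         "Streamlined"),
    ("Europe",        "antivirus efforts",         "Almost There"),
    ("Europe",        "antivirus efforts",         "Making Progress"),
    ("North America", "antivirus efforts",         "Streamlined"),
    ("North America", "antivirus efforts",         "Almost There"),
    ("Europe",        "capacity planning efforts", "Getting Started"),
    ("Europe",        "capacity planning efforts", "Making Progress"),
    ("Europe",        "capacity planning efforts", "Almost There"),
    ("North America", "capacity planning efforts", "Getting Started"),
    ("North America", "capacity planning efforts", "Making Progress"),
]


def answer_value(answer):
    """Map one answer to its +1/-1 value; reject anything outside the four bands."""
    try:
        return ANSWER_VALUE[answer]
    except KeyError:
        raise ValueError(f"unknown answer {answer!r}; expected one of {BANDS}") from None


def net_maturity(responses, region=None):
    """Net maturity per question, in percent (mean of +1/-1 values; assumed aggregation).

    region=None aggregates worldwide; otherwise only that region's responses count.
    """
    totals, counts = defaultdict(int), defaultdict(int)
    for resp_region, question, answer in responses:
        if region is not None and resp_region != region:
            continue
        totals[question] += answer_value(answer)
        counts[question] += 1
    return {q: round(100.0 * totals[q] / counts[q], 1) for q in totals}


def answer_distribution(responses, question, region=None):
    """Share of respondents in each band for one question, in percent (the per-region bar charts)."""
    tally = Counter()
    for resp_region, q, answer in responses:
        if q != question or (region is not None and resp_region != region):
            continue
        answer_value(answer)  # validates the band before it is counted
        tally[answer] += 1
    n = sum(tally.values())
    if n == 0:
        raise ValueError(f"no responses for {question!r} in {region or 'worldwide'}")
    return {band: round(100.0 * tally[band] / n, 1) for band in BANDS}


def weakest_controls(scores, threshold=0.0):
    """Questions scoring below threshold, weakest first: the controls to fix, or to hand to a provider."""
    return sorted((q for q, s in scores.items() if s < threshold), key=lambda q: scores[q])


if __name__ == "__main__":
    worldwide = net_maturity(SAMPLE_RESPONSES)
    europe = net_maturity(SAMPLE_RESPONSES, region="Europe")
    for q, score in worldwide.items():
        print(f"{q:28s} worldwide {score:+6.1f}%  Europe {europe[q]:+6.1f}%")
    print("antivirus, worldwide:", answer_distribution(SAMPLE_RESPONSES, "antivirus efforts"))
    print("below zero:", weakest_controls(worldwide))
```

The scoring is deliberately conservative: "Making Progress" counts against maturity, so a control only scores positively once it is nearly complete, and a chart full of negative values says the bar is high, not that the controls are absent. Run the same scoring over your own answers to the 27 questions before a cloud move and the list from `weakest_controls` is the set of controls you would be glad to see in the provider's column of the shared responsibility matrix.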
Which of these statements best describes your organization's antivirus efforts?
[Charts: answer distribution for the antivirus question, bands Getting Started / Making Progress / Almost There / Streamlined, for Worldwide, Europe and North America; y-axis 0–100% (two charts with the same axes). A further chart classifies endpoints as Unprotected, Intermittently protected, or Always protected.]
Which of these statements best describes your organization's nondisclosure agreement (NDA) requirements?
[Chart: answer distribution for the NDA question, bands Getting Started / Making Progress / Almost There / Streamlined, for Worldwide, Asia, Europe and North America; y-axis 0–100%]
Which of these statements best describes your organization's capacity planning efforts?
[Chart: answer distribution for the capacity planning question, bands Getting Started / Making Progress / Almost There / Streamlined, for Worldwide, Asia, Europe and North America; y-axis 0–100%]
[Chart: the same question by organization size, Small/Mid vs. Enterprise; y-axis 0–25%]
Which of these statements best describes how your organization responds to an incident?
[Charts: answer distribution for the incident response question, bands Getting Started / Making Progress / Almost There / Streamlined; one chart for Worldwide, Asia, Europe and North America, a second for Worldwide, Europe and North America; y-axis 0–100%]
Thank you!

Jeff Jones, Microsoft Trustworthy Computing, [email protected]
Frank Simorjay, Microsoft Trustworthy Computing, [email protected]