38. Applying Workload Driven Security to a Private Cloud (slide diagram labels: Intrusion Prevention Monitoring Access Management Data Security Application Evaluation Database Design/Test Virtual Server Protection Security Event Monitoring Provisioning)
39. Example: Cloud Security in the Public Space (slide diagram labels: Firewall IPS Data Protection Access Identity Federated Identity VM Protection Patch Mgmt. Configuration Mgmt. Security Event Log Mgmt. Audit Vulnerability Mgmt.)
Discuss 5 Attributes of Cloud and Impacts which they pose for Security
Discuss initial phase of Cloud Computing
How its focus shifted from cool technology to Cost Reduction Efforts
How organizations begin to see the cloud as a means of increasing revenues
Then seen as a transformative element: shift of perception, particularly by non-IT organizations, to leverage the cloud as an opportunity
Focus on Competitive, Non Cloud vendors leveraging the cloud to convert internal APIs from Expenses to assets. Highlight Brinks Cloud based money management offering and fact that this shift has resulted in a change to how organizations operate.
Introduce Network Workload Story and How perceptions changed (Angry Villagers Torches->agreement)
Highlight the results of IBM network world tech debate: initial perceptions were that we lost, then we ended up building momentum and more than 2/3 agreed with arguments, then lead to the 4 arguments used in the article.
First, those who adopt cloud based technologies do so in a deliberate way: they start with individual workloads. We know from customers, market data, etc. that customers typically adopt one cloud, then move to another, etc.
Currently organizations have no clue where their critical data is, and as data grows exponentially it's harder and harder for organizations to keep track of that data.
When we ask executives what their critical data is, they can't tell us. In fact, the boundaries for what's important and what is not important are completely lost, making it that much harder to really secure.
As a result, Security Personnel become great wall builders. The issue is that we continue to build walls and lose focus on what we are protecting and the various ways it can be exploited. We also lose the ability to granularly track information. This means we poke holes in ports for multiple applications etc., meaning we degrade overall security.
Once an organization gains clarity of their information they can identify what really matters and leverage that asset
Financially organizations benefit from cloud
Organizations are spending less than in the past. As a result there is less money to spend
Inversely, Cloud Vendors have money allocated for competitive reasons. Ultimately Security remains the only competitive lever most vendors can pull, so it's a priority
Organizations have to keep up with security
Security requires vigilance; organizations are already overloaded (tell story of startup from past history)
Services allow them to ease the burden (Security as a Service Argument)
Security skills are hard to find and security is hard
Is this who you want doing your security?
Or do you want a professional?
Clouds have multiple delivery models. Note: Gartner wants us to play this up more because they believe there is confusion on this topic and the following slides. My approach is to forget concepts of “The Cloud”; it's not a single entity but much more complex and interesting
Play to Gartner and their args multiple deployment paths, talk security in context here. May need to cut short this is a long preso already
The Message: One Size doesn't fit all, and btw there are lots of types of clouds. We need to hammer this home because we keep highlighting Public hosted, not private.
IBM is different, may update image to show lots of fishbowls moving back on horizon?
Our 4 stage approach to cloud security.
Standard secure by design, refer to our experiences. We need to promote this more once we nail foundational controls; tie to Rational/WebSphere/Information Management and Tivoli Cloud story. We have assets, just need to cauterize story; right now I seem to be the only one giving it.
This is where we engage in workload discussion, talk to each type of workload and how security varies (actually only a couple, otherwise takes way too long). Discuss Healthcare->Education->Development?
LotusLive: it's easy, and how security themes and our foundational strategy apply
Explain Service Enabled,
Researchy things like Lotus work the IPS stuff and Mobile work, we might want to include trusted domain and some of the other services we are exploring for example those in IM
Our portfolio: we have breadth and depth, only vendor
How we can focus on a private scenario
Public example
What's new – TEMS, Juniper Partnership, WebSphere Virtuoso…
Talk about challenges, encourage consultative services, Trusted Guide, my usual blah blah