Big 12 Internal Auditor - Tech Trends

EMERGING TECHNOLOGY
TRENDS
A VIEW FROM A CAMPUS DATACENTER
David Horton
Geoff Wilson
Kendall George
Mark Ferguson
Chris Jones

University of Oklahoma Information Technology
Tuesday, May 18, 2010

10 TRENDS & LOTS OF
QUESTIONS
Going forward, these trends will require close
collaboration to protect your university.

• Computing Power • Cloud Computing
• Virtualization • The Other Campus Network
• Green IT • Consumerization
• Storage Growth • Social Computing
• Data Centers • Emerging Threats

TO PARTICIPATE TODAY
Please, turn your electronic devices on.
We want to hear from you!

• Tweet: Use #b12iac to tag your tweet

• Email: send
comment or question to
b12iac@tweetmail.com

• Join the discussion


10 TRENDS


• Virtualization • The
Other Campus
Network
• Green IT
• Consumerization
• Storage Growth
• Social Computing
• Data Centers
• Emerging Threats


COMPUTING POWER
Today’s desktop computer can challenge an enterprise-
class server from just 5 years ago.

COMPUTING POWER

• Moore’s Law

• Multi-Core

• 64-Bit

• More power, smaller package


COMPUTING POWER

Auditing Impact
• What are we going to do with all this power?

• What if this power falls into the wrong hands?


VIRTUALIZATION
A data center in a box.


VIRTUALIZATION

• What is virtualization?


APP APP APP
OS OS OS

ESX


DEMO


VIRTUALIZATION

Auditing Impact

• Where is my server?

• Where is my data?

• How can we leverage this technology to protect the
university’s data?


GREEN IT
Cost-containment, data security and environmental
impact are all factors driving interest

GREEN IT

• Energy Efﬁciency

• Disposal


GREEN IT

• Energy Efﬁciency
• Right Sizing
• Shared Resources
• Run Hotter
• Power-Off and Sleep
• Consolidated Data
Centers


GREEN IT

• Disposal

• Reduce

• Reuse

• Recycle


GREEN IT
Auditing Impact
• Who drives green?
• How do we incentivize green?
• What is being measured to be green?
• What has to be considered to responsibly and safely dispose
of equipment?
• Who gets your old computers? And do they get your old
data too?


10 TRENDS


• Virtualization • The Other Campus
Network
• Green IT
• Consumerization
• Storage Growth
• Social Computing
• Data Centers
• Emerging Threats


STORAGE GROWTH
Digital Data continues to grow exponentially creating
technical, security, and compliance challenges.

STORAGE GROWTH

Technology Changes
• Enterprise Search – ﬁnding the • Encryption (CPU power)
needle has never been easier • De-duplication
• Snapshot Backups • Secure erase
• Solid-State Drives • File/Thin Virtualization
• Spin-down technologies
Continuous innovation (more, smaller, cheaper, faster)


STORAGE GROWTH

Gigabyte 1000 Megabytes

Terabyte 1000 Gigabytes

Petabyte 1000 Terabytes

? 1000 Petabytes

Zettabyte 1000 Exabytes

Yottabyte 1000 Zettabytes


STORAGE GROWTH
Why so much growth?
• Knowledge workers/students create • Medical data
and consume data • Security cameras
• Classroom content • Log data
• Research data creation, federation • Data replication for reliability and
• Data mining across disparate disaster recovery
sources, combining large • Backups
warehouses
• Archive
• Document Imaging

Digital world (music, photos, video, eBooks)

STORAGE GROWTH

Enterprise Data Center Storage Growth
Industry Example
• 3,304 Petabytes shipped in Q409 +
33% from Q408 (source:IDC)

OUHSC Example
• Doubled every 18 months since
2002
• 76M emails archived
• ~1M new per week
• 4M ﬁles archived


STORAGE GROWTH
Multiplier Example: Email
Primary Site Disaster Recovery

orig copy

archive
archive
b/u
b/u
Off-site storage

tape

STORAGE GROWTH

Enterprise Spectrum of Management
Managed User Managed
Portable, mobile, office, desks, homes, laptops, bags,
protected in data center
purses
Rigorous daily operational procedures for small teams;
Varies with user - 10,000 users
backup, off-site storage, DR copies
Designed with compliance in mind, encryption, AUP,
Often bypasses compliance
Data retention, eDiscovery, data destruction

1 Petabyte 10 Petabyte

Mixed use data, personal and university; sometimes
Data classification
confidential

Expensive, cost sharing to campus Individually inexpensive - costs often hidden or bundled

Understood risk, largely mitigated Risk is significant and widespread


STORAGE GROWTH
Auditing Impact
Where does University data reside? “Show me the data.”
How do we classify all of this data?
We have new tools that search for SSNs, account numbers, credit cards: What is it OK to do?
Are university policies and procedures relevant to the digital age?
With growing use of encryption, how do we recover important data?
How do we pay/chargeback departments, researchers, users for “managed” storage?
How do we “push forward” 1,000s of Terabytes of data across every changing technologies?
How do we verify data integrity over time?
Do the capabilities of the organization match the magnitude of the problem?


DATA CENTERS
Protect, power and cool your data and computing assets
with a strategy not just a facility.

DATA CENTERS

“Machine Rooms”
• OU HSC – 10 years ago IT primarily housed administrative
systems
• We built “machine room” data centers
• Retroﬁtted
• Multiple small rooms around campus
• Minimal redundancy
• We designated one of these on-campus as our “DR” site


DATA CENTERS
Then We Hit a Growth Spurt
• Compliance and closer attention to management and security because
hackers loved higher ed
• Consolidation of distributed servers
• Too difﬁcult to secure servers in small closets/ofﬁces across campus
• For OU HSC, HIPAA response included moving PHI into our data
center
• Now located in the data center, applications and data grew rapidly
• Electronic medical applications and data
• High Performance Clusters (HPC) for research cyber infrastructure
• Security tools and technologies


DATA CENTERS
Growth Collides with Deﬁciencies

• Space
• All that compute power and
storage requires power and
generates heat
• Additional Cooling
• Service Availability


DATA CENTERS
User Expectations Up, Tolerance Down
Uptime % Downtime
3 days 15 hours
99%
36 minutes
8 hours 46
99.9%
minutes
99.99% 53 minutes

99.999% 5 minutes


DATA CENTERS

Data Center Options for Reliability & Availability
• Utility Feeds • Cooling Sources
• Generators • Cooling Units
• Battery Systems • N, N+1, 2N, 2(N+1)
• A + B Circuit Paths • Multiple Data centers

Multipliers = $$$$ = Business decision


DATA CENTERS
OU Data Center Strategy
Considerations
• Outsourcing given serious thought for Norman campus
• Container data centers are interesting – follow the energy

Planned
• Consolidating from machine rooms into two new, higher reliability centers –
one at Norman and one at OKC HSC
• Modular design – build in phases
• Modular reliability – build in pods
• DR across campuses instead of across buildings


DATA CENTERS

Auditing Impact
Facilities are the basic building blocks for availability and
security of IT assets and services – what is your institutional
strategy for data centers?
Do your campuses work closely together enough to
collaborate on a university strategy?
Are your business applications understood well enough for
IT to apply the appropriate facility reliability investments?


CLOUD COMPUTING
Your data and services are “out there” on the Internet
and may not be under your control.

CLOUD COMPUTING
What is Cloud Computing?
• IT services delivered in an on-demand, subscription model relying on
economies of scale from (massively) shared services
• Cloud Computing is as much a business model as it is an IT architectural
and support model
• Promises to let you focus on your core business and forget about the
underlying technology (i.e. surrender control)
• Not new – combination of models taking advantage of technology
trends
• Often thought of today as a form of outsourcing – moving Email, ERP,
student systems – “out to the cloud”

CLOUD COMPUTING
Not all clouds are the same
• Dominated by massive “Public Cloud” service providers like Google, Microsoft,
& Amazon
• Many small service providers use the Public Cloud model to deliver specialty
applications and services
• Large multi-site, multi-division enterprises are adopting the cloud model for
internal use building “Private Clouds”
• Don’t forget this is also a business model so these large enterprises typically
chargeback for IT services
• Hybrid Clouds integrate internal Private clouds with external Public cloud
services for elastic supply management and Disaster Recovery


CLOUD COMPUTING
Cloud Computing & Higher Education
• Lots of interest, lots already in place today
• OUHSC uses hosted LMS, hosted specialty applications for
medical student management, IT service desk tools, IT security
monitoring services
• OU continues to evaluate student and alumni email services
• Important considerations for linking cloud services back to
campus for Identity Management, authentication, encryption
• OU is offering departments a growing number of services using a
private-cloud model


CLOUD COMPUTING
Cloud Computing & Higher Education

• Example: Dropbox


CLOUD COMPUTING
Auditing Impact
Can you ﬁnd your data?
Was your data destroyed properly?
Who all has access?
Is the cloud-based service available when you need it?
Is the SLA your only auditable control?
What recourse do you have?
Mega providers are large, attractive targets for cyber-warfare
Globalization concerns – world unrest
Venture capital hotspot (think: dot-com) subsidizing costs for many


THE “OTHER” CAMPUS NETWORK
The mobile provider network provides us with high speed
connectivity in the palms of our hands.

THE OTHER CAMPUS NETWORK
High Speed Applications
• Security controls focused on
traditional networks that we own
and operate
• Mobile provider network is putting
high speed connectivity in the palm
of our hands
• LTE (Verizon & AT&T) and WiMAX
(Sprint) are the upcoming 4G
networks
• 1+ Mbps, one-way latency < 50
milliseconds


• Growing reliance and expectation of
mobile provider networks
• Mobility as an enabler
• Users are doing more with their
smartphones
• Security controls of mobile devices
need heavier scrutiny
• Often security policies are
inconsistently enforced
• Business data will end up on
mobile devices
• Security controls often will not
carry over to mobile devices


Network Perimeter



Auditing Impact
What kinds of controls are available for the other campus network?
Are these controls veriﬁable? Have you veriﬁed that these controls
work?
What kind of networking will the university need to provide in the
future?
How do we control the access to the network in the classroom?
What is the network strategy for existing in a hybrid environment?
How do we balance investments across the two networks?


CONSUMERIZATION
Employees & students are technology consumers and
they are blurring the lines between work and home.

CONSUMERIZATION

"The consumerization of IT focuses on
how enterprises will be affected by and
can take advantage of new technologies
and models that originate and develop
in the consumer space, rather than in
the enterprise IT sector."

Gartner, 2009


CONSUMERIZATION

Speed Usability

Connectivity Availability

Storage Reliability


CONSUMERIZATION
Inﬂuences
• Samsung, the largest technology company in the world, sees half of its
revenue being generated by consumer devices.

• By 2013, mobile devices will outnumber PCs as the most common
device for accessing the web. Gartner, 2009

• In 2009, for the ﬁrst time, the amount of data in text, e-mail messages,
streaming video, music and other services on mobile devices surpassed
the amount of voice data. New York Times, May 13, 2010


CONSUMERIZATION

Auditing Impact
Synchronizing rapidly changing consumer technology with
organizational controls.

Complicates long term planning for the organization.

"Whack-a-mole" approach to managing new technology.

Presumptions of privacy


SOCIAL COMPUTING
People are living and working in shared, online spaces
with little concern for “institutional” needs.

SOCIAL COMPUTING
Much life is being lived in shared, online spaces with little
concern for “institutional” needs.

"Social computing is the way
people use technology to
interact and create
communities..."

Gartner 2008


SOCIAL COMPUTING

Why Social Computing? How are They Used?
•Low Barrier To Usage •In The Classroom: Ustream/
•Alerting YouTube For Lecture Capture
•Staying Up With Current •I Hate Ozone
Activities •Microblogging/Activity
•Self-organization Stream
•Unexpected Connections


SOCIAL COMPUTING


SOCIAL COMPUTING

Auditing Impact
Flow of information into and out of the institution.

Communities of interest will extend beyond organizational
boundaries

Life-Work: Balance vs. Conﬂict


EMERGING THREATS
The nature and capability of threats have reached a new
level of sophistication and impact.

EMERGING THREATS

In the Year 2000
ILOVEYOU virus
VBScript worm
Used Outlook email to mass mail
itself to all of your contacts
Executes a password-stealing trojan
Infected 10,000,000+ systems
Estimated 5.5 billion in damages


EMERGING THREATS

How malware has changed
Motivation: from credibility to proﬁt
Internet Safety: nothing is safe
Blending into the crowd: using standard ports (http/https)
Control Structure: IP whack-a-mole
Sophistication: packed, obfuscated, self-protecting, stealth,
encryption


EMERGING THREATS

Next level malware: Torpig

Targets ﬁnancial data via phishing
(300 banks preconﬁgured)
!"#$%&$'()$*(+$,-$,( ;,/-$<=>(;5?"@5A'(

Waits for user to visit site +$,-$,(

:$*,55&(898(+$,-$,(

Inserts fake forms onto page C(

B(

45,6/7(898(+$,-$,(

./%01(23$,(


EMERGING THREATS


!"#$%&$'()$*(+$,-$,( ;,/-$<=>(;5?"@5A'(


D( :$*,55&(898(+$,-$,(

Inserts fake forms onto page C( E( F(

B( G(

45,6/7(898(+$,-$,(

./%01(23$,(


EMERGING THREATS


!"#$%&$'()$*(+$,-$,( ;,/-$<=>(;5?"@5A'(


D( :$*,55&(898(+$,-$,(

Inserts fake forms onto page C( E( F(

B( G(
H(
45,6/7(898(+$,-$,(
I(
J(

./%01(23$,( BK(


Torpig Form On Real Site

Anti-virus Approval

EMERGING THREATS

Incredibly sophisticated design

Persists across reboots
!"#$%&$'()$*(+$,-$,( ;,/-$<=>(;5?"@5A'(
+$,-$,(
Shifts cmd+control server
domain based on Twitter trendsC( :$*,55&(898(+$,-$,(

Copies all user documentsB( to
HelpAssistant user 45,6/7(898(+$,-$,(

Very difﬁcult to ﬁnd
./%01(23$,(


EMERGING THREATS

Auditing Impact
Compromise will happen, are we prepared to respond?
Are you sure you know where the sensitive data resides?
What are the appropriate layers of defenses for these
threats?
Can we really give users rights to install software yet maintain
control of a system?


Auditing Impact & Discussion
• Are you sure you know where the sensitive data • Are university policies and procedures relevant to the
resides? digital age?
• Can we really give users rights to install software yet • With growing use of encryption, how do we recover
maintain control of a system? important data?
• What kinds of veriﬁable “controls” are available for the • How do we pay/chargeback departments, researchers,
other campus network? users for “managed” storage?
• What is the network strategy for existing in a hybrid • How do we “push forward” 1,000s of Terabytes of data
environment? across every changing technologies?
• What are we going to do with all this power? • How do we verify data integrity over time?
• What if this power falls into the wrong hands? • Do the capabilities of the organization match the
magnitude of the problem?
• Where is my server?
• Facilities are the basic building blocks for availability and
• Where is my data?
security of IT assets and services – what is your
• How can we leverage this technology to protect the institutional strategy for data centers?
university’s data?
• Do your campuses work closely together enough to
• Where does University data reside? “Show me the collaborate on a university strategy?
data.”
• Are your business applications understood well
• How do we classify all of this data? enough for IT to apply the appropriate facility reliability
• We have new tools that search for SSNs, account investments?

1
numbers, credit cards: What is it OK to do? • Can you ﬁnd your data?
• Was your data destroyed properly?


Auditing Impact & Discussion
• Who all has access? • What is the network strategy for existing in a hybrid
environment?
• Is the cloud-based service available when you need it?
• Synchronizing rapidly changing consumer technology
• Is the SLA your only auditable control?
with organizational controls.
• What recourse do you have?
• Complicates long term planning for the organization.
• Mega providers are large, attractive targets for cyber-
• "Whack-a-mole" approach to managing new
warfare
technology.
• Globalization concerns – world unrest
• Presumptions of privacy
• Venture capital hotspot (think: dot-com) subsidizing
• Flow of information into and out of the institution.
costs for many
• Communities of interest will extend beyond
• What kinds of controls are available for the other
organizational boundaries
campus network?
• Life-Work: Balance vs. Conflict
• Are these controls verifiable? Have you verified that
these controls work? • Compromise will happen, are we prepared to
respond?
• How do we balance investments across the two
networks? • Are you sure you know where the sensitive data
resides?
• What kind of networking will the university need to
provide in the future? • What are the appropriate layers of defenses for these
threats?
• How do we “control” the access to the network in the
classroom? • Can we really give users rights to install software yet

2

10 TRENDS & LOTS OF
QUESTIONS

Users Audit IT

Admin
Compliance Security Legal & Finance


10 TRENDS & LOTS OF
QUESTIONS

T H A N K YO U !
Get the slides at http://bit.ly/b12iac

david-horton@ouhsc.edu
mark-ferguson@ouhsc.edu
ggwilson@ou.edu
kendallg@ou.edu
chris-jones@ouhsc.edu

Big 12 Internal Auditor - Tech Trends

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (6)

Similar a Big 12 Internal Auditor - Tech Trends

Similar a Big 12 Internal Auditor - Tech Trends (20)

Último

Último (20)

Big 12 Internal Auditor - Tech Trends