4. Evolution of IT Computing Models
http://mydocumentum.wordpress.com/2011/05/14/monday-may-9-2011/
5. The NIST Definition of Cloud Computing
Cloud computing is a model for enabling
convenient, on-demand network access
to a shared pool of configurable
computing resources (e.g., networks,
servers, storage, applications, and services)
that can be rapidly provisioned and
released with minimal management
effort or service provider interaction.
National Institute of Standards and Technology (NIST) www.nist.gov
11. Enterprise challenges
Speed of provisioning
constraints business
execution
Disaster Recovery,
Fault Tolerance,
High Availability
Existing hardware
has reached end of
serviceable life
Datacenter capacity
limits are being
reached
Applications &
processes have
variable demand
High Maintenance Costs
Software License Costs
12. How Cloud helps …
Elastic Capacity
Infinitely Scalable (Almost)
Quick and Easy Deployment
Provisioning in Minutes
Business Agility
No CapEx, only OpEx.,
Fine grained billing (hourly)
Pay as You go
Leverage Global Scalability
& DR
Be Free from IT
Management Hassles
Metering, Monitoring,
Alerts
15. Holistic Migration Process
Cloud
Assessment
•Cost Analysis
•Security &
Compliance
•Migration Tools
•Application
Compatibility
•Defining Success
Criteria
Cloud Platform
Validation
•Understand a
particular platform
•Platform capabilities
•Services Offered
•Security
considerations
•Pricing
•Build POCs
•Compatibility issues
•Identify Migration
tools
Data Migration
•DB Options &
Management
•Storage Options
• HA & DR support
• Migration Tools
•Backup / Restore
points
•Define success
criteria
Application
Migration
•Full Migration
•Partial Migration
•Run in parallel
•Integration with
On-Premise
systems
•Integration tools &
Management
•Create / Identify
images to be used
Cloud
Deployment
•Configure Auto-
Scaling
•Monitoring &
Notifications
•Security
Configuration
•Dashboards for
resource
management
•Business
Continuity
Planning
Cloud
Optimization
•Cost Saving
Opportunities
•Analyze usage
patterns
•Application
Performance
Tuning
16. Public v/s Private Cloud Decision
Key Question Private Cloud
Preferable
Public Cloud Preferable
Demand Constant Variable
Growth Predictable Unpredictable
Users Concentrated Dispersed
Customization High Minimal to none
Data Privacy &
Security
Stringent Requirement Moderate Requirement
Performance Very High Moderate to High
18. Important Points to know
Top cyberattack methods aimed at cloud deployments grew 45 per cent (Application
Attacks), 36 per cent (Suspicious Activity) and 27 per cent (Brute Force
attacks) respectively over the previous year, while top attacks aimed at on-premises
deployments remained relatively flat.
Read more: http://www.itproportal.com/2015/11/16/interview-charting-the-cloud-
security-landscape/#ixzz3uT1S7EQ8
As per 2014 KPMG Cloud Security Report
• When it comes to selecting a cloud solution, Security is the no. 1 concern
• Compared to 2012 survey, security and data privacy are greater concerns than cost efficiency
• Security is a lesser challenge now, compared to 2012. Cloud providers better prepared to secure data,
and manage security breaches when they occur
19. CSA’s “Notorious 9” Security Threats
• Data Breaches
• Data Loss
• Account or Service Hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology
21. Network Security
• Built-in firewalls, control of network access to
instances and subnets
• Private / Dedicated Connectivity options from
office / on-premises environments
• Encryption in transit
• DDoS mitigation
22. Configuration Management
• Inventory and Configuration Management tools
to identify resources, track to manage them
• Template definition and management tools to
create standard / pre-configured VMs
• Deployment Tools to manage creation and
decommissioning of resources as per org.
standard
23. Data Encryption
• Available for data at rest in Storage services
• Flexible Key Management options, including
Cloud Managed keys / self-managed keys
• Hardware based cryptographic key storage
options
• APIs for you to integrate encryption and data
protection with any service developed /
deployed on the cloud
24. Access Control
• Capabilities to define, enforce and manage user
access policies across services
• Identity and Access Management
• Multifactor authentication, including hardware
based authentication options
• Integration and federation with corporate
directories
25. Monitoring and Logging
• Deep visibility into API calls, including
Who ? What ? When ? From Where ?
• Log aggregation, streamlining
investigations, compliance reporting
• Alert notifications
28. The Road Ahead
• Clouds are more prone to security attacks than on-perm deployments
• Doesn’t mean that those attacks are successful
• Cloud Providers are better enabled to handle security now
• 2016 will be the first year when people choose cloud because of security
benefits, and not elasticity / cost
• However, stay cautious ! More serious attacks could be expected as well
31. Shared Responsibility
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Client-side Data Encryption
Server-side Data
Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Customer applications & content
Customers
32. AWS CloudTrail
CloudTrail records API calls on services, delivers detailed logs
Use Cases supported :
Security Analysis : Use log files as an input into log management and analysis solutions to
perform security analysis and to detect user behavior patterns
Track Changes to AWS Resources : Track creation, modification, and deletion of AWS resources
such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
Troubleshoot Operational Issues : Identify the most recent actions made to resources in your
AWS account
Compliance Aid : Easier to demonstrate compliance with internal policies and regulatory
standards
33. AWS Config
AWS Config is a fully managed service that provides you with an inventory
of your AWS resources, lets you audit the resource configuration history
and notifies you of resource configuration changes.
Use Cases :
• Am I safe ? : Continuously monitor the configurations of your resources
and evaluate these configurations for potential security weaknesses
• Where is the evidence ? : A complete inventory of all resources and
their configuration attributes is available for any point in time
• What will this change effect ? : Relationships between resources are
understood, so that you can proactively assess change impact
• What has changed ? : You can quickly identify the recent configuration
changes to your resources by using the console or by building custom
integrations with the regularly exported resource history files
34. AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use
your encryption keys
• Centralized view of all key usage in the organization
• Uses HSMs to protect Key Security
• Integrated with AWS CloudTrial to provide logs for all key usage for
regulatory and compliance requirements
35. AWS IAM
• Centrally manage users, security credentials such as passwords, access
keys, permissions, policies that control which AWS services and resources
users can access
• Allows creation of multiple AWS users, give them their own user name,
password, access keys
36. AWS CloudHSM
• Allows protection of encryption keys within HSMs designed and validated to government
standards for secure key management
• Keys can be generated, managed and stored cryptographic keys such that they are accessible
only by us
• Allows regulatory compliance without compromising on application performance
• CloudHSM instances are provisioned inside your VPC with an IP address that you specify,
providing simple and private network connectivity to your Amazon Elastic Compute Cloud
(EC2) instances
37. AWS VPC
• Allows provisioning of logically isolated section of AWS cloud, where AWS
resources can be launched in a virtual network defined by you
• You have complete control over your virtual networking environment,
including selection of your own IP address range, creation of subnets, and
configuration of route tables and network gateways
• You can leverage multiple layers of security, including security groups and
network access control lists, to help control access to Amazon EC2
instances in each subnet
• Additionally, you can create a Hardware Virtual Private Network (VPN)
connection between your corporate datacenter and your VPC and
leverage the AWS cloud as an extension of your corporate datacenter.
38. AWS WAF
• AWS WAF is a web application firewall that helps protect your web applications
from common web exploits that could affect application availability, compromise
security, or consume excessive resources.
• Gives you control over which traffic to allow or block to your web application by
defining customizable web security rules.
• You can use AWS WAF to create custom rules that block common attack patterns,
such as SQL injection or cross-site scripting, and rules that are designed for your
specific application.
• New rules can be deployed within minutes, letting you respond quickly to changing
traffic patterns. Also, AWS WAF includes a full-featured API that you can use to
automate the creation, deployment, and maintenance of web security rules.
39. AWS Inspector (Preview)
• Automated security assessment service that helps improve the security
and compliance of applications deployed on AWS.
• Automatically assesses applications for vulnerabilities or deviations from
best practices.
• After performing an assessment, Amazon Inspector produces a detailed
report with prioritized steps for remediation.
• Includes a knowledge base of hundreds of rules mapped to common
security compliance standards (e.g. PCI DSS) and vulnerability definitions.
Examples of built-in rules include checking for remote root login being
enabled, or vulnerable software versions installed. These rules are
regularly updated by AWS security researchers.
Azure + System Center + Windows Server gives a hybtid solution
Openshift : PaaS from RedHat
Office 365 integration with existing on-prem directory services, Lync, Exchange Server, Sharepoint Server
Cyber attacks, Regulatory norms
Cyber attacks, Regulatory norms
state-of-the-industry public IaaS security research examines the following features:
Shared Cloud Network: public IaaS environment where different cloud customers share the same cloud service subnet. In this model, each cloud server (VM) usually has a public IP address (permanent or temporary) as well as service IP address for the internal cloud service network
Virtual Private Cloud (VPC) Network: the IaaS provider supports an isolation of customers’ cloud deployments, such that a customer can have a private subnet that is not reachable from other customers’ cloud servers or from the public Internet
Firewall: Collection of policies and rules to control the traffic allowed to and from a group of cloud servers or static IP Addresses
Identity-based access management: these are firewall rules based on user identity, allowing access of specific users to specific set of compute resources
Secure extension: ability to securely connect enterprise sites to the cloud deployment (usually a virtual private network) via static IPSec connections
Secure remote access to individual server: the ability to access an individual machine (VM) using a secure protocol (like SSH or RDP); this type of remote access is usually based on credentials that are specific to a single user and a single server
Remote VPN access: the ability of the organization’s employees to securely connect on demand to the cloud deployment remotely using VPN clients; this includes central authentication of the employees’ identity prior to gaining access to the cloud deployment (part or all of cloud servers)