The Future Of Cloud Computing


Thursday, September 1, 11

::Setting Some Context

Cloud Computing is a natural, disruptively innovative and timely opportunistic response to a converging set of socioeconomic, political, cultural and technological stimuli*
*It's also a really good marketing job...

::Setting Some Context

Cloud is an adaptive operational model, not a particular technology and there are lots of different types of Clouds.

::The Technician's Definition

Visual Model Of NIST Working Definition Of Cloud Computing
http://www.csrc.nist.gov/groups/SNS/cloudcomputing/index.html

Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling
Delivery Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Deployment Models: Public, Private, Hybrid, Community

:: The Consumer's Definition

Everything Is Cloud...

::Key Ingredients In Cloud


Abstraction of Infrastructure
Resource Democratization
Services Oriented
Self-Service
On-Demand Elasticity/Dynamism With a Utility Model Of Consumption & Allocation

:: We've Been Here Before...

[Figure: computing eras Mainframes, Client/Server, Web1.0, Web2.0 and The Cloud, labelled Centralized, Distributed, Mostly Centralized and Mostly Distributed, and Unreliable/Slow, Reliable/Fast, Mostly Reliable/Fast and More Reliable/Faster; dimensions shown: Mobility, Display, Compute, Data, Bandwidth]

:: The SPI Model

Three delivery models that people talk about when they say Cloud:

Software as a Service (SaaS): End Users
Platform as a Service (PaaS): Developers
Infrastructure as a Service (IaaS): System Administrators

What Do These Look Like?

IaaS Security :: Guest/Host-Based

Provider secures their infrastructure to maximize availability & multi-tenancy
Remainder of the stack (and confidentiality, integrity) is your problem
General focus is on VMs & Guest-Based

[Figure: Infrastructure as a Service (IaaS) stack. Layers: Data; OS & Applications; VMs/Containers; APIs; Abstraction; Hardware; Facilities; Core Connectivity & Delivery. Responsibility labels: Consumer, Provider.]

PaaS Security :: Programmatic

Provider owns the compute, network, storage layers & programmatic interface security
Writing secure applications and ensuring your data is safe is your responsibility
The consumer creates the applications based upon supported development environment

[Figure: Platform as a Service (PaaS) stack shown together with Infrastructure as a Service (IaaS). Layers: Data; Applications; Integration & Middleware; APIs; Core Connectivity & Delivery; Abstraction; Hardware; Facilities. Responsibility labels: Consumer, Provider.]

SaaS Security :: All or Nothing

The Provider Owns the Entire Stack
Security (C, I and A) Become A Contract Negotiation
Traditional Security & Compliance Functions Are More Administrative & Policy-Focused

[Figure: Software as a Service (SaaS) stack shown together with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Layers: Presentation Modality; Presentation Platform; APIs; Applications; Data; Metadata; Content; Integration & Middleware; APIs; Core Connectivity & Delivery; Abstraction; Hardware; Facilities. Responsibility label: Provider.]

:: What This Means To Security

[Figure: the IaaS, PaaS and SaaS stacks side by side, each marked with Consumer and Provider responsibility labels and annotated "Build It In" and "Contract It In"]

:: The Punchline
In The Simplest Of Terms, Using Cloud Means Imagining Applications & Information Across All Tiers Have The Potential To Be Connected Directly To The Internet...
We Can't Trust The Provider, So We Must Engineer Security Into Design Patterns Across The Entire Stack
Any Dumb Component In The Stack Compromises The Integrity Of the Entire Stack...
APIs, Intelligence and Automation EVERYWHERE

All About Gracefully Giving Up Direct Operational Control Over Infrastructure

It All Comes Down To Trust...



Toward A Secure Cloud Future...



Journey To the Cloud Made Simple

[Figure: stages labelled Stand-Alone Data Centers, Virtualized Data Centers, Private Cloud, Virtual Private Cloud, Public Cloud, Hybrid Clouds, Cloud Brokers and Intercloud, with the caption Federation / Workload Portability / Interoperability]

Simple, Right?


Let's Ask The Magic Cloud 8-Ball

Is Cloud A Major Shift In IT?

Will Everything Move To The Cloud?

Is All We Know & Do Today In Security Worthless In Cloud?

Is The Cloud More Secure?



Without Context, Silly Question



More Secure Than What?



Can We Trust The Cloud?


So I Have Options Today?


So, What's The Future Of Cloud?



::The Internet Of Things

[Infographic from the Cisco 2010 Mid-Year Security Report; year axis: 2007, 2010, 2013]

Connected Devices: 500 million (1/10th of a connected device per person); 35 billion (5 connected devices per person); 1 Trillion (140 connected devices per person)
Source: Forrester Research, Cisco analysis; forecast of 2013 assuming consistent growth trends

Applications: 3000 total mobile applications worldwide; 265,000 total mobile applications worldwide; 1,500,000 total mobile applications worldwide
Source: Windows Mobile, Morgan Stanley, Cisco analysis; forecast of 2013 assuming consistent growth trends

Security Threats: 624,000 security threats; 2,600,000 security threats; 5,700,000 security threats (caption fragment: "to 5.7 million in 2013.")
Source: Symantec, Cisco analysis; forecast of 2013 assuming consistent growth trends

There Are ~4,100,000,000 Of These....

...and 6,797,100,000 Of These

*http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use

So While Mega Data Centers Re-Centralize Our Apps & Data In Fewer & Fewer Locations Thanks to Cloud...

These Little devices -- Distributed Everywhere -- Have Amazingly Powerful Processors, Lots Of Memory, Near-Ubiquitous Connectivity and Native Apps & Data...

The Consumption Modality Will Ultimately Become More Important Than The Back-End Delivery Mechanism

How Will You Choose What To Protect & Where Will You Choose To Invest To Protect It?

The Eight Things That Matter (Again)


Open Standards & APIs
Programmability & Automation
Evolution of Name Spaces & Registries
Transparency & Visibility
{Id}Entity and Authentication
Mobility
Privacy & Law
Information Centricity & System Survivability


What Does That Mean?



Abstraction As Distraction
Cloud is a fantastic forcing function, let's embrace it!
Stay grounded: think globally, act locally
The Cloud is De-Perimeterization...amplified
Plan for FAIL | Re-architecting Means: Information Centricity & Survivability
Public, Private, Hybrid? : All comes down to trust models
Cloud is an iteration of a platform and an operational model, approach it as such and manage risk appropriately
Focus on the data. It's what we're all concerned with in the first place.

So What Will Cloud Bring Tomorrow?

Does It Really Matter?

What Are You Doing To Secure What You Have Today?

So, Can We Trust The Cloud?


Can You Afford Not To?


Find Out:

www.cloudsecurityalliance.org


http://www.enisa.europa.eu