
February 17, 2009

ISACA/ISSA Joint Chapter Meeting


Denver, Colorado

Enterprise Computing in the Open Network

Leslie K. Lambert
VP and Chief Information Security Officer
Sun Microsystems, Inc.

“The Network Is The Computer”
The Leading Provider of Open Network Computing Infrastructure

© Sun Microsystems, Inc. - All Rights Reserved


That Vision Described a Day When . . .

• When computing would be virtualized beyond the traditional walls of the data center
• When we would locate and subscribe to services on the network
• When those subscriptions would be temporal – lasting only as long as needed to solve a business problem
• When the relationships between an Enterprise and the providers of these services would be safe, reliable and predictable


Guess what? We are there!



Enterprise Computing in the Open Network

From Going to Work . . .
● Employees are required to connect to secure networks to acquire access to enterprise applications
● Enterprises build, deliver, and operate the services they consume

. . . To Connecting to Work
● Employees compute from anywhere using trusted services delivered in an open Internet by known service providers that protect personal and corporate privacy.
● IT becomes an aggregator of services vs. creator of applications
Business Trends, IT Challenges
• Markets are global

• Talent is global and knowledge-based

• Workforce can be anywhere

• Work locations are multiple

• Work activity is more team-dependent

• Work constraints are time based


• Real Estate Trends: Now Embrace Flexible Space Planning
• Corporate Precedents: Larger Organizations are Now Adopting Alternative Work
• Technology: Internet Finally Enables “Transparent” Connectivity
• Talent, Skills/Demographic: HR's “Squeeze” to Compete for Talent on a Global Basis
• Global Economic Volatility: Greater Difficulty Forecasting Headcount and Space
• Pandemics and Business Continuity: Work Flexibility Needed for Regional Crises/pandemics
• Eco-Responsibility: Growing sensitivity to environmental issues and workplace sustainability

• Growing Concern—24x7 business continuity
• Growing Desire—Flexibility and choice
IT trends influencing IT
• Explosion of End User Devices
• SOA & Web 2.0 Convergence
• Massive Network Build-outs
• Security
• Extreme Mobility
• Compliance
• Utility Computing
• Social Networking
• Business intelligence and information management
• Merger & acquisition activities
• Availability of Services
• Virtualization
• Consumerization of IT
Enterprise Computing in the Open Network

• Emerging in the following areas:
> Cloud Computing
> Virtualization
> Web 2.0
> Social Networking


Cloud Computing



The Evolution of Cloud Computing



Cloud Services Continuum

● Software (SaaS)
> Software as a Service
> Applications on Demand
> Salesforce.com, Google Apps, Qualys, Webex, Wikipedia, Wordpress, Web based email, Netsuite

● Platform (PaaS)
> Platform as a Service
> Development Services on Demand
> Sun's Project Caroline, Google AppEngine, Bungee Labs, Heroku, Force.com

● Infrastructure (IaaS)
> Infrastructure as a Service
> Computer Infrastructure on Demand
> Sun's Network.com, Amazon EC2, GoGrid, Mosso, Joyent, Rackspace
> Sun's Storage.network.com (OpenStorage), Amazon S3, Nirvanix, Bingodisk, Skydrive

Source: Robert W. Anderson, http://et.cairene.net/2008/07/03/cloud-services-continuum/
Is Your Enterprise Ready for Cloud Computing?
• Can you trust your data with your service provider?
• Are there sufficient logging and controls for compliance reporting?
• Reliability is still an issue
• Can your applications withstand latency?
• Large companies already have an internal cloud
• Bureaucracy will cause the transition to take longer
• Portability of application across clouds
• The pesky data migration to cloud issue


Source: Wikipedia
Leveraging the Consumer “Web 2.0”
• Web Conferencing
• Real-time Collaboration
• Social Networks & Sharing
• Mashups
• Conversations
• Devices
• Technology


Translating Vision into Strategy

Sun IT delivers IT services anywhere

• IT collaborates with business customers as needed to define requirements, identify services, and manage service providers
• IT aggregates and integrates required IT services
• IT services are accessible through the open Internet


High-level Strategy

[Strategy map diagram; the labelled elements are: Internet Facing (Employees, Partners, Customers), Virtualization, Master Data Management, MashUp, Enterprise Call Center Management, Marketing, CLM, Sales, Next Gen Data Center, Logistics, ERP, Partner Integration, Enterprise Integration, BPM, User Services, Mobility, Private Network, Voice, Learning, Unified Comms, Engineering, Security Services, Recruiting, HR, Environment, More Collaboration, Content Delivery Network, Business Intelligence, Open Standards, Integration across the cloud]


Web 2.0 Risk Assessment
• Developed detailed inventory of Web 2.0 services in use at Sun
> “Productionalized” services
> Consumer services
> Sun services provided to customers
• Compiled Threat, Vulnerability and Exploit info
• Detailed risk assessment of most prolific services
> Policy, standards and processes
> Technical controls
> Awareness, direction and guidance
> Content review
> Social Engineering testing



Partner Security

• Integration Security
• Internal Business Unit Security
• External Business Partner Security

Enterprise Security is only as good as the least reliable partner, department or vendor.
Enterprise Computing in the Open Network REQUIRES Security 2.0

Security 2.0 elements:
• Security Strategy
• Technical Controls
• Policies and Standards
• Awareness
• Roles
• Responsibilities
• Security Processes


New Models = New Threats?
• DOS including DNS poisoning
• Escalation of Privilege
> via Virtualization technology vulnerabilities
> via Administrator backdoors
• Unauthorized access due to access management
weakness
• Application security threats including XSS, SQL Injection,
cookie manipulation
• Database servers not adequately protected
• Data not encrypted when necessary
• Insider abuse or mismanagement of service provider
New Models = New Security Issues?
• The Browser is the new operating system
• Loss of control and management of key data
• Partner trust issues
• Compliance management
> Who has access to what?
> Ability to audit
> Mapping of controls
• Alignment with ITIL processes
• Security management of the service



New Models = New Security Challenges?
• Lack of visibility - What applications are in use?
> We cannot protect what we don't know
> Do we know where our IP or Sensitive data are?
• Relying on a cloud vendor for the physical and logical isolation of
the data
• Relying on vendor's authentication schemes
• Not enough testing tools for secure deployment
• Partner assessment transparency
• Privacy Compliance with Federal, State and International laws
• E-discovery – Can we support it?



New Models = New Security Challenges?
• Security management – Extending security practice, policy,
standards, process to Cloud
• Incident Response – Working with providers
• Forensics of incident – Sufficient logging? Tamper-evident logs?
• Integration with Enterprise Identity and Access Management
Systems
• Web Service security – Do we understand all API and security
features?
> XML-RPC, REST, SOAP (SOA)
• Encryption of data and Key management
> Level of encryption
> What data to encrypt?
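The forensics bullet above asks whether provider logs are "tamper-evident". What that means in practice is that every exported record is bound to its predecessor so that a later edit, deletion or reordering of records breaks a checkable chain. The following is an added example written for this page, not Sun's or any provider's code: it chains constructed sample events with an HMAC over (previous MAC || event), verifies the chain, and shows that rewriting one record or dropping one from the middle is detected. The key name `DEMO_KEY`, the sample events and the record layout are assumptions for the illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample events, in the shape a service provider might export.
SAMPLE_EVENTS = [
    {"ts": "2009-02-17T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2009-02-17T09:05:12Z", "user": "alice", "action": "read", "object": "cust-db"},
    {"ts": "2009-02-17T09:07:45Z", "user": "bob", "action": "login", "result": "fail"},
]

# Assumed verification key; in a real deployment it is held by the party that
# checks the log (the enterprise), not by whoever writes to the log.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Fixed "previous MAC" for the first record, so the chain has a known start.
GENESIS = "0" * 64


def canonical(event):
    """Serialize an event deterministically so the same event always MACs the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_mac(key, prev, event):
    """HMAC-SHA256 over the previous record's MAC and this event's canonical bytes."""
    return hmac.new(key, prev.encode() + b"\n" + canonical(event), hashlib.sha256).hexdigest()


def chain_events(events, key):
    """Return chained records: each carries the previous MAC and its own MAC."""
    records = []
    prev = GENESIS
    for ev in events:
        mac = record_mac(key, prev, ev)
        records.append({"prev": prev, "event": ev, "mac": mac})
        prev = mac
    return records


def verify_chain(records, key):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        # Link check: this record must point at the MAC of the record before it.
        if rec["prev"] != prev:
            return False, i
        # Integrity check: the MAC must match the stored event under our key.
        expected = record_mac(key, prev, rec["event"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def tamper_demo(key):
    """Build a chain, then show that an edit and a deletion are both detected.

    Returns (intact_ok, edited_ok, edited_bad_index, deleted_ok, deleted_bad_index).
    """
    records = chain_events(SAMPLE_EVENTS, key)
    intact_ok, _ = verify_chain(records, key)

    # Rewrite history: turn the failed login into a successful one.
    edited = copy.deepcopy(records)
    edited[2]["event"]["result"] = "ok"
    edited_ok, edited_bad = verify_chain(edited, key)

    # Drop the middle record; the record after it still points at the old MAC.
    deleted = records[:1] + records[2:]
    deleted_ok, deleted_bad = verify_chain(deleted, key)

    return intact_ok, edited_ok, edited_bad, deleted_ok, deleted_bad


if __name__ == "__main__":
    print(tamper_demo(DEMO_KEY))  # (True, False, 2, False, 1)
```

Two caveats a reviewer of a provider's logging would raise. First, the chain only detects changes inside it: if the tail of the log is cut off, every remaining record still verifies, so the latest MAC has to be anchored somewhere the provider cannot silently rewrite (a periodic signed digest sent to the customer, for instance). Second, the scheme is only as strong as the key's separation from the log writer; if the same system that appends records also holds the key, it can rebuild a consistent chain after editing.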





Getting Ready: Security Strategy, Policies and Standards, Security Processes

• Develop strategy to migrate from:
> Securing the infrastructure -> Securing the data
• Revise policies, standards, guidelines for cloud services
• Develop Risk management program with 3rd party connectivity, partner services architecture
• Institute partner security assessment program
• Data Classification and labelling for structured and unstructured data
• Revise firewall policies, standards, guidelines for cloud services
• Educate Vendor management on security clauses
Getting Ready: Awareness, Roles, Responsibilities

• Review and revise awareness program to ensure that it is covering new issues related to cloud models and Web 2.0 technologies
• Identify and communicate new service owner and end user roles and responsibilities
• Identify and communicate new expectations for data protection in these environments
• Educate Vendor management groups about importance of security clauses


Getting Ready: Security Processes, Technical Controls

• Security Event management – Evaluate APIs for importing logs, events from cloud services
• Formalize Application Security testing process in release management
• Execute on Virtualization Roadmap – Private cloud
• Application architecture – Get 'em Internet Ready
• Identity and Access Management – Internet facing identity provider, federation of single sign-on
• Practice encryption and key management


February 17, 2009
ISACA/ISSA Joint Chapter Meeting
Denver, Colorado

Leslie.Lambert@sun.com
