Session ID: ARCH-W08
Session Classification: Intermediate
CONSIDERING CLOUD? LEARN ABOUT CURRENT TRENDS IN CLOUD COMPUTING
Jeff Jones ([email protected]) Microsoft – Trustworthy Computing
Frank Simorjay ([email protected]) Microsoft – Trustworthy Computing
#RSAC
Who are these guys?
Company
• Microsoft Corporation
• Trustworthy Computing group
Jeff Jones
• Director, Trustworthy Computing
• 25-year Security Guy: DoD, TIS, McAfee, PGP, MSFT
• Microsoft Security Blog & Trustworthy Computing Blog
• @securityjones
Frank Simorjay
• Sr. Product Manager, Trustworthy Computing
• Author and designer of CSRT, OSA paper, and many others
• Works extensively with the community - ISSA Distinguished Fellow
• Worked at NFR (small world – Jeff and I both worked with Marcus)
Session Objectives
► The reality of security controls in data centers
► Understand potential cloud adoption benefits
► Quickly assess your security controls
► Assess the impact of cloud adoption
► We are data geeks
► Our idea of fun is strange, maybe yours is as well
RESPONSIBILITY: CLOUD PROVIDER vs. CLOUD CUSTOMER (SaaS / PaaS / IaaS)
► Data classification
► Application level controls
► Client and end point protection
► Network controls
► Physical security
► Identity and access management
► Host security
BENEFITS and CONCERNS: privacy, security, reliability, scalability, increased agility, flexibility, reduced costs
Control / question
security policies and procedures?
security policies review process?
security program is updated?
personnel background checks?
(NDA) requirements?
physical access by role?
security policies and procedures?
employee change/termination process?
physical security access method?
equipment support contracts?
data classification efforts?
grants access to data?
data retention and recovery program?
destroys data?
security policies and procedures?
staging to production requirements?
application testing using customer data?
asset inventory program?
conducts risk assessments?
responds to an incident?
disaster recovery plan?
capacity planning efforts?
selects its data center location(s)?
redundancy if utility service outages should occur?
patch management processes?
antivirus efforts?
firewalls to protect data?
time setting policies?
[Chart: results by organization size (1 – 4 PCs, 5 – 24 PCs, 25 – 49 PCs, 50 – 249 PCs, 250 – 499 PCs, 500 – 2999 PCs, 3000 – 12499 PCs, 12500 – 24999 PCs, 25000+ PCs); y-axis 0% – 50%]
Infrastructure As A Service (IaaS)
Platform As A Service (PaaS)
Software As A Service (SaaS)
USA/ME/Africa/Australia: ISO/IEC 27001-2005, NIST Guidelines, PCI DSS v2.0
Europe/Asia: ENISA, NIST Guidelines, PCI DSS v2.0
[Chart: maturity value by question, Q1 – Q27; y-axis -60% to 20%. Bar values as extracted, in slide order: -26.9%, -26.5%, -22.8%, -15.7%, -41.0%, -5.8%, -24.0%, -24.2%, -39.4%, -34.9%, -52.4%, -12.7%, -31.6%, -25.3%, -9.0%, -31.7%, -30.6%, -35.6%, -42.8%, -25.7%, -44.3%, -28.7%, -32.8%, -16.4%, 14.7%, -12.6%, -0.4%]
► Anti-malware
► Incident reporting
► Employee agreement
► Capacity planning
Values were assigned to each of the four possible answers for each question:
If the answer was Almost There or Streamlined, a +1 value was assigned for maturity.
If the answer was Getting Started or Making Progress, a -1 value was assigned for maturity.
[Charts (two panels): distribution of answers (Getting Started / Making Progress / Almost There / Streamlined) for Worldwide, Europe, North America; y-axis 0% – 100%]
Which of these statements best describes your organization's nondisclosure agreement (NDA) requirements?
[Charts (two panels): distribution of answers (Getting Started / Making Progress / Almost There / Streamlined) for Worldwide, Asia, Europe, North America; y-axis 0% – 100%]
[Charts (two panels): distribution of answers (Getting Started / Making Progress / Almost There / Streamlined); first panel for Worldwide, Asia, Europe, North America, second panel for Worldwide, Europe, North America; y-axis 0% – 100%]
Thank you!
Jeff Jones
Microsoft Trustworthy Computing
Frank Simorjay
Microsoft Trustworthy Computing