Current trends in cloud computing: Cloud Security Readiness Tool analysis
Frank Simorjay, Sr. Product Manager, Trustworthy Computing (TwC)
ATC-B316
TRUSTWORTHY COMPUTING: SECURITY, PRIVACY, RELIABILITY
Security
• Secures against attacks
• Protects confidentiality, integrity, and availability of data and systems
• Helps manage risk
Privacy
• Protects from unwanted communication
• User choice and control
• Products and online services adhere to fair information principles
Reliability
• Dependable, available
• Predictable, consistent, responsive service
• Maintainable
• Resilient, easily restored
• Proven, ready
Cloud computing
Most Americans confused by cloud computing (1,000 US consumers surveyed by Wakefield Research):
• 51% of respondents believe stormy weather can interfere with cloud computing.
• 54% of Americans claim to never use cloud computing.
• 97% are actually using cloud services today via online shopping, banking, social networking and file sharing.
What is cloud computing
• Broad network access
• Rapid elasticity
• Measured service
• Self-service
• Resource pooling
Service model: IaaS, PaaS, SaaS
Risks and rewards of adoption
Benefits: scalability, increased agility, flexibility, reduced costs
Concerns: privacy, security, reliability
CLOUD PROVIDER and CLOUD CUSTOMER responsibility across SaaS, PaaS and IaaS:
• Data classification
• Application level controls
• Client and end point protection
• Network controls
• Physical security
• Identity and access management
• Host security
Provider is your partner
Cloud Adoption Benefits
• 57% time savings
• 3X money savings
• 54% improved security
Cloud Adoption Barriers
• 44% security concerns
• 61% industry standards
• 59% transparency
Problem you face
• What are your current IT capabilities?
• Can you improve your people, processes, and technologies?
• Can cloud reduce your risks while reducing cost?
The Cloud Security Readiness Tool
Cloud Security Alliance (CSA)
• Global not-for-profit organization
• Provider and user certification
• Accepted global authority for trust in the cloud
Cloud Control Matrix (CCM)
CCM control: DG-01 Data Governance - Ownership / Stewardship
Description: All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.
CCM control: DG-02 Data Governance - Classification
Description: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
Cloud Security Readiness Tool (CSRT)
Where are you now?
Where will you be?
Can cloud help?
Report
Control standards
• Federal Office for Information Security (BSI) Security Recommendations for Cloud Computing Providers
• European Network and Information Security Agency (ENISA) - Information Assurance Framework (IAF)
• International Organization for Standardization (ISO 27001-2005)
• Payment Card Industry (PCI-DSS v2.0)
• Health Insurance Portability and Accountability Act (HIPAA-HiTech Act)
• National Institute of Standards and Technology (NIST SP800-53)
• North American Electric Reliability Corporation (NERC CIP)
CSRT Demo
Cloud Trends
• Top/Bottom
• Government/Military
• Non-profit
• Regulations most used
• Cloud Security Readiness Tool (CSRT) data between October 2012 and March 2013.
• Approximately 5700 anonymized answers to CSRT questions
• Margin of error: +/- 1% USA/Europe, +/- 10% Asia
STRONGER
• Information security: antivirus/antimalware software
• Security architecture: clock synchronization
• Facility security: controlled user access to data
WEAKER
• Operations management: effective equipment maintenance
• Legal protection: nondisclosure agreements
• Information security: consistent incident reporting
• Operations management: effective capacity planning
• Human resources security: prudent hiring practices
Four maturity levels
1. Getting Started. Undocumented, ad hoc state. Reactive and incident or event response-driven.
2. Making Progress. Response-driven, following trends, and somewhat repeatable with limited automation in segments.
3. Almost There. Scaled response, using programs. Limited scaling still segmented.
4. Streamlined. Centralized, automated, self-service, and scalable. Can allocate resources automatically.
CSRT respondent answers: net maturity score per question
If the answer was Almost There or Streamlined, a +1 value was assigned for maturity. If the answer was Getting Started or Making Progress, a -1 value was assigned for maturity.
Chart values, in question order (Q1 to Q27):
Q1  -26.9%   Q2  -26.5%   Q3  -22.8%   Q4  -15.7%   Q5  -41.0%   Q6  -5.8%    Q7  -24.0%
Q8  -24.2%   Q9  -39.4%   Q10 -34.9%   Q11 -52.4%   Q12 -12.7%   Q13 -31.6%   Q14 -25.3%
Q15 -9.0%    Q16 -31.7%   Q17 -30.6%   Q18 -35.6%   Q19 -42.8%   Q20 -25.7%   Q21 -44.3%
Q22 -28.7%   Q23 -32.8%   Q24 -16.4%   Q25 14.7%    Q26 -12.6%   Q27 -0.4%
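The +1/-1 scoring rule described above, applied in code. This is an added example, not part of the deck or of the CSRT itself; the question ids, regions and answers are constructed sample data, and the per-level breakdown mirrors what the regional bar charts that follow display.

```python
"""Added example (not from the deck): score CSRT-style answers as the presentation
describes.  Almost There / Streamlined count +1, Getting Started / Making Progress
count -1, and a question's net score is the mean of those values in percent."""
from collections import Counter

LEVELS = ("Getting Started", "Making Progress", "Almost There", "Streamlined")
MATURITY_VALUE = {"Getting Started": -1, "Making Progress": -1,
                  "Almost There": 1, "Streamlined": 1}

# Constructed sample (not real CSRT data): (question, region, answer) triples,
# chosen so Q25 (AV/antimalware) leans mature and Q19 (incident reporting) does not.
SAMPLE_ANSWERS = [
    ("Q25", "Europe", "Streamlined"), ("Q25", "Europe", "Almost There"),
    ("Q25", "Asia", "Making Progress"), ("Q25", "North America", "Almost There"),
    ("Q19", "Europe", "Getting Started"), ("Q19", "Asia", "Getting Started"),
    ("Q19", "North America", "Making Progress"), ("Q19", "Europe", "Streamlined"),
]

def net_maturity(answers, question, region=None):
    """Net maturity in percent for one question: (#(+1) - #(-1)) / N * 100,
    optionally restricted to one region.  Returns None when nothing matches."""
    values = [MATURITY_VALUE[a] for q, r, a in answers
              if q == question and (region is None or r == region)]
    if not values:
        return None
    return round(100.0 * sum(values) / len(values), 1)

def level_distribution(answers, question, region=None):
    """Share of answers per maturity level, in percent, for one question
    (the breakdown the deck's regional bar charts plot)."""
    picked = [a for q, r, a in answers
              if q == question and (region is None or r == region)]
    counts, n = Counter(picked), len(picked)
    return {lvl: (round(100.0 * counts[lvl] / n, 1) if n else 0.0) for lvl in LEVELS}

def weakest_questions(answers, k=1):
    """Questions ranked by net maturity, lowest first: the 'weaker' areas."""
    questions = sorted({q for q, _, _ in answers})
    scored = sorted((net_maturity(answers, q), q) for q in questions)
    return [q for _, q in scored][:k]

if __name__ == "__main__":
    for q in ("Q25", "Q19"):
        print(q, net_maturity(SAMPLE_ANSWERS, q), level_distribution(SAMPLE_ANSWERS, q))
    print("weakest:", weakest_questions(SAMPLE_ANSWERS))
```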
Charts: share of answers per maturity level (Getting Started, Making Progress, Almost There, Streamlined) for Worldwide, Asia, Europe and North America:
• Q25 Information security – AV and antimalware
• Q11 Human resources - Employment agreements
• Q21 Operations management - Capacity planning
• Q19 Information security - Incident reporting
Industry-based trends for government/military organizations
• Government and military – Data classification: chart of answers per maturity level for Worldwide, North America and Europe
• Operational management – Resource planning and Equipment maintenance: charts of answers per maturity level (values legible in the chart: 31.3%, 50.0%, 14.6%, 4.2%)
Industry-based trends for nonprofit organizations
Charts: share of answers per maturity level (Getting Started, Making Progress, Almost There, Streamlined) for Worldwide, Europe and North America:
• Management program
• Equipment location
• Equipment power failures
• Incident reporting
Regulation distribution
• USA/ME/Africa/Australia: HIPAA / HITECH Act, ISO/IEC 27001-2005, NIST Guidelines, PCI DSS v2.0
• Europe/Asia: ENISA, NIST Guidelines, PCI DSS v2.0
Big Data
• Unscented lotion, calcium, zinc
• Coupons arrive in the mail
• Excellent customer service
http://www.forbes.com/fdc/welcome_mjx.shtml
What can I do?
The better you understand your people, processes, and technologies, the more you will be able to make informed comparisons and evaluate the benefits of the cloud.
Visit the Trustworthy Computing – Cloud TechCenter and its many resources:
The Cloud Security Readiness Tool
• A free assessment to help you:
  • evaluate the benefits of the cloud
  • create a plan for adoption
  • better understand your organization’s capabilities
Additional resources on cloud security, privacy, and reliability
microsoft.com/trustedcloud
Trustworthy Computing Resources
Trustworthy Computing (TwC) is a long-term, collaborative effort to deliver more secure, private, and reliable computing experiences for everyone. Learn more at: http://microsoft.com/twc
• Cloud Security Readiness Tool
• Pass the Hash Guidance
• Data, Insights and Guidance (Security Intelligence Report, volume 14)
• and more…
msdn: Resources for Developers, http://microsoft.com/msdn
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2013 Microsoft. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.