8/14/2019 ISACA Presentation Feb 2009 Final
1/28
Enterprise Computing in the Open Network
Leslie K. Lambert
VP and Chief Information Security Officer, Sun Microsystems, Inc.
February 17, 2009, ISACA/ISSA Joint Chapter Meeting, Denver, Colorado
Sun Microsystems, Inc. - All Rights Reserved 2
The Network Is The Computer
The Leading Provider of Open Network Computing Infrastructure
That Vision Described a Day When . . .
> We would locate and subscribe to services on the network
> Those subscriptions would be temporal, lasting only as long as needed to solve a business problem
> Computing would be virtualized beyond the traditional walls of the datacenter
> The relationships between an Enterprise and the providers of these services would be safe, reliable and predictable
Guess what? We are there!
Enterprise Computing in the Open Network
From Going to Work . . .
> Employees are required to connect to secure networks to acquire access to enterprise applications
> Enterprises build, deliver, and operate the services they consume
. . . To Connecting to Work
> Employees compute from anywhere using trusted services delivered in an open Internet by known service providers that protect personal and corporate privacy
> IT becomes an aggregator of services vs. creator of applications
Business Trends, IT Challenges
Markets are global
Talent is global and knowledge-based
Workforce can be anywhere
Work locations are multiple
Work activity is more team-dependent
Work constraints are time based
Growing Concern: 24x7 business continuity
Growing Desire: Flexibility and choice
Real Estate Trends: Now Embrace Flexible Space Planning
Corporate Precedents: Larger Organizations are Now Adopting Alternative Work
Technology: Internet Finally Enables Transparent Connectivity
Talent, Skills/Demographic: HR's Squeeze to Compete for Talent on a Global Basis
Global Economic Volatility: Greater Difficulty Forecasting Headcount and Space
Pandemics and Business Continuity: Work Flexibility Needed for Regional Crises/pandemics
Eco-Responsibility: Growing sensitivity to environmental issues and workplace sustainability
IT trends influencing IT
Consumerization of IT
Availability of Services
Social Networking
SOA & Web 2.0 Convergence
Explosion of End User Devices
Extreme Mobility
Massive Network Build-outs
Business intelligence and information management
Virtualization
Merger & acquisition activities
Utility Computing
Compliance
Security
Enterprise Computing in the Open Network
Emerging in the following areas:
> Cloud Computing
> Virtualization
> Web 2.0
> Social Networking
Cloud Computing
Cloud Services Continuum
Source: Robert W. Anderson
http://et.cairene.net/2008/07/03/cloud-services-continuum/
Software as a Service (SaaS): Applications on Demand
> Salesforce.com, Google Apps, Qualys, Webex, Wikipedia, Wordpress, Web-based email, Netsuite
Platform as a Service (PaaS): Development Services on Demand
> Sun's Project Caroline, Google AppEngine, Bungee Labs, Heroku, Force.com
Infrastructure as a Service (IaaS): Computer Infrastructure on Demand
> Compute: Sun's Network.com, Amazon EC2, GoGrid, Mosso, Joyent, Rackspace
> Storage: Sun's Storage.network.com (OpenStorage), Amazon S3, Nirvanix, Bingodisk, Skydrive
Is Your Enterprise Ready for Cloud Computing?
Can you trust your data with your service provider?
Are there sufficient logging and controls for compliance reporting?
Reliability is still an issue
Can your applications withstand latency?
Large companies already have an internal cloud
Bureaucracy will cause the transition to take longer
Portability of applications across clouds
The pesky data migration to cloud issue
Diagram (Source: Wikipedia)
Leveraging the Consumer Web 2.0
Conversations
Social Networks
Real-time Collaboration & Sharing
Web Conferencing
Devices
Technology
Mashups
Translating Vision into Strategy
IT collaborates with business customers as needed to define requirements, identify services, and manage service providers
IT services are accessible through the open Internet
IT aggregates and integrates required IT services
Sun IT delivers IT services anywhere
High-level Strategy
Audiences: Employees, Partners, Customers
Diagram labels (as extracted): Virtualization, Internet Facing, Open Standards, Mobility, Unified Comms, Integration across the cloud, Business Intelligence, Enterprise Integration, BPM, Engineering Environment, Enterprise Management, HR, Learning, Recruiting, ERP, Marketing, Sales, Logistics, Security Services, Next Gen Data Center, MashUp, User Services, Voice, Partner Integration, CLM, More Collaboration, Master Data Management, Private Network, Content Delivery Network, Call Center
Web 2.0 Risk Assessment
Developed detailed inventory of Web 2.0 services in use at Sun
> Productionalized services
> Consumer services
> Sun services provided to customers
Compiled Threat, Vulnerability and Exploit info
Detailed risk assessment of most prolific services
> Policy, standards and processes
> Technical controls
> Awareness, direction and guidance
> Content review
> Social Engineering testing
Security 2.0 REQUIRES
Enterprise Computing in the Open Network, supported by: Security Strategy, Policies and Standards, Security Processes, Technical Controls, Roles, Responsibilities, Awareness
New Models = New Threats?
DoS, including DNS poisoning
Escalation of Privilege
> via Virtualization technology vulnerabilities
> via Administrator backdoors
Unauthorized access due to access management weakness
Application security threats including XSS, SQL Injection, cookie manipulation
Database servers not adequately protected
Data not encrypted when necessary
Insider abuse or mismanagement of service provider
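The SQL Injection item in the list above, as an added example that is not part of the original deck: a user lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (the table, its rows and the payload are all assumptions made for the illustration).

```python
import sqlite3

# Constructed sample data: a tiny users table, not a real system.
SAMPLE_USERS = [
    ("alice", "admin", 1),
    ("bob", "user", 1),
    ("carol", "user", 0),   # deactivated account
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_active_user_vulnerable(conn, username):
    """Vulnerable: the caller's string is spliced into the SQL text, so quote
    characters and comment markers in it become part of the query grammar."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND active = 1")
    return conn.execute(sql).fetchall()


def find_active_user_safe(conn, username):
    """Hardened: the username travels as a bound parameter; the database
    treats it as data no matter what characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ? AND active = 1"
    return conn.execute(sql, (username,)).fetchall()


# A classic payload: closes the string literal, ORs in a tautology, and
# comments out the rest of the WHERE clause (including active = 1).
INJECTION = "x' OR 1=1 --"


def demo():
    conn = make_db()
    return {
        "normal_vulnerable": find_active_user_vulnerable(conn, "alice"),
        "normal_safe": find_active_user_safe(conn, "alice"),
        # Every row comes back, even the deactivated one: the filter is gone.
        "injected_vulnerable": find_active_user_vulnerable(conn, INJECTION),
        # Nothing comes back: no user is literally named "x' OR 1=1 --".
        "injected_safe": find_active_user_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same pattern applies to the other threats named on the slide: XSS is the same mistake with HTML as the grammar, and the fix is again to keep data out of the language being built (escape on output, or use a templating layer that does it for you).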
New Models = New Security Issues?
The Browser is the new operating system
Loss of control and management of key data
Partner trust issues
Compliance management
> Who has access to what?
> Ability to audit
> Mapping of controls
Alignment with ITIL processes
Security management of the service
New Models = New Security Challenges?
Lack of visibility - What applications are in use?
> We cannot protect what we don't know
> Do we know where our IP or Sensitive data are?
Relying on a cloud vendor for the physical and logical isolation of the data
Relying on vendor's authentication schemes
Not enough testing tools for secure deployment
Partner assessment transparency
Privacy: Compliance with Federal, State and International laws
E-discovery: Can we support it?
New Models = New Security Challenges?
Security management: Extending security practice, policy, standards, process to Cloud
Incident Response: Working with providers
Forensics of incident: Sufficient logging? Tamper-evident logs?
Integration with Enterprise Identity and Access Management Systems
Web Service security: Do we understand all API and security features?
> XML RPC, REST, SOAP (SOA)
Encryption of data and Key management
> Level of encryption
> What data to encrypt?
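The "tamper-evident logs?" question above, as an added example that is not part of the original deck: a hash-chained append-only log in which every record commits to its predecessor, checked against a checkpoint of the chain head kept somewhere the log writer cannot reach. The record layout, the checkpoint idea and the sample events are assumptions made for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first record


def _digest(record):
    """Hash of the fields a record commits to: its position, its payload and
    the hash of the record before it. Canonical JSON keeps the bytes stable."""
    material = json.dumps(
        {"seq": record["seq"], "event": record["event"], "prev": record["prev"]},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(material).hexdigest()


def append_event(chain, event):
    """Append an event, linking it to the current chain head; returns the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "event": event, "prev": prev}
    record["hash"] = _digest(record)
    chain.append(record)
    return record["hash"]


def verify_chain(chain, checkpoint=None):
    """Walk the chain from the genesis value. Returns (True, "ok") or (False, reason).
    A checkpoint is a head hash recorded earlier in a place the log writer cannot
    alter (shipped to another party, for instance); without one, an attacker who can
    rewrite the whole file can simply re-chain every record after the edit."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}"
        if rec["prev"] != prev:
            return False, f"broken link at seq {i}"
        if rec["hash"] != _digest(rec):
            return False, f"hash mismatch at seq {i}"
        prev = rec["hash"]
    if checkpoint is not None and prev != checkpoint:
        return False, "chain head differs from checkpoint"
    return True, "ok"


# Constructed sample events standing in for what a cloud service might export.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "src": "203.0.113.5"},
    {"user": "alice", "action": "export", "object": "customer-list"},
    {"user": "alice", "action": "logout"},
]


def demo():
    chain = []
    for ev in SAMPLE_EVENTS:
        head = append_event(chain, ev)
    results = {"intact": verify_chain(chain, head)}

    # Attacker edits the sensitive export event in place: the record's own
    # hash no longer matches, so the walk stops there.
    chain[1]["event"]["action"] = "view"
    results["edited"] = verify_chain(chain, head)

    # Attacker goes further and recomputes every hash from the edit onward.
    # The chain is now self-consistent; only the out-of-band checkpoint
    # reveals the rewrite.
    for rec in chain[1:]:
        rec["prev"] = chain[rec["seq"] - 1]["hash"]
        rec["hash"] = _digest(rec)
    results["rechained_no_checkpoint"] = verify_chain(chain)
    results["rechained_with_checkpoint"] = verify_chain(chain, head)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The practical point for the provider conversation is the last case: a hash chain only proves integrity relative to something the attacker does not control, so ask how often the head is checkpointed, who holds the checkpoint, and whether records are also signed or HMACed with a key the log host never sees.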
Security 2.0 REQUIRES
Enterprise Computing in the Open Network, supported by: Security Strategy, Policies and Standards, Security Processes, Technical Controls, Roles, Responsibilities, Awareness
Getting Ready
Develop strategy to migrate from:
> Securing the infrastructure -> Securing the data
Revise policies, standards, guidelines for cloud services
Develop Risk management program with 3rd party connectivity, partner services architecture
Institute partner security assessment program
Data Classification and labelling for structured and unstructured data
Revise firewall policies, standards, guidelines for cloud services
Educate Vendor management on security clauses
Areas: Policies and Standards, Security Processes, Security Strategy
Getting Ready
Review and revise awareness program to ensure that it is covering new issues related to cloud models and Web 2.0 technologies
Identify and communicate new service owner and end user roles and responsibilities
Identify and communicate new expectations for data protection in these environments
Educate Vendor management groups about importance of security clauses
Areas: Roles, Responsibilities, Awareness
Getting Ready
Security Event management: Evaluate APIs for importing logs, events from cloud services
Formalize Application Security testing process in release management
Execute on Virtualization Roadmap: Private cloud
Application architecture: Get 'em Internet Ready
Identity and Access Management: Internet facing identity provider, federation of single sign-on
Practice encryption and key management
Areas: Security Processes, Technical Controls
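The Identity and Access Management item above (an Internet-facing identity provider with federated single sign-on), together with the "cookie manipulation" threat listed on the earlier threats slide, as an added example that is not part of the original deck: a minimal signed assertion handed from an identity provider to a relying party, with the checks the relying party has to make before trusting it. This is a simplified HMAC stand-in, not SAML or OpenID Connect; the secret, claim names, audiences and timestamps are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, body: str) -> str:
    return _b64u(hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(secret: bytes, subject: str, audience: str, now: int, ttl: int) -> str:
    """Identity provider side: bind the claims to one relying party (aud) and a
    lifetime (exp), then sign the encoded claims."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(secret, body)}"


def verify_token(secret: bytes, token: str, expected_audience: str, now: int):
    """Relying party side. Check the signature BEFORE parsing the claims, with a
    constant-time compare, then enforce audience and expiry.
    Returns the claims dict, or None when anything fails."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(secret, body)):
        return None
    try:
        claims = json.loads(_unb64u(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("aud") != expected_audience:
        return None          # token minted for a different service
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None          # expired, or lifetime missing
    return claims


def tamper(token: str, **changes) -> str:
    """What a user who controls the cookie can do: rewrite the claims and keep
    the old signature attached."""
    body, sig = token.split(".")
    claims = json.loads(_unb64u(body))
    claims.update(changes)
    body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{sig}"


# Assumed shared secret between the identity provider and the "expenses"
# service; in practice each relying party gets its own key.
IDP_SECRET = b"constructed-demo-secret-not-for-real-use"


def demo():
    t0 = 1_700_000_000
    token = issue_token(IDP_SECRET, "alice", "expenses", now=t0, ttl=300)
    return {
        "valid": verify_token(IDP_SECRET, token, "expenses", now=t0 + 60),
        "expired": verify_token(IDP_SECRET, token, "expenses", now=t0 + 600),
        "wrong_audience": verify_token(IDP_SECRET, token, "payroll", now=t0 + 60),
        "wrong_key": verify_token(b"other-secret", token, "expenses", now=t0 + 60),
        "forged_subject": verify_token(IDP_SECRET, tamper(token, sub="root"), "expenses", now=t0 + 60),
    }


if __name__ == "__main__":
    for label, claims in demo().items():
        print(f"{label}: {claims}")
```

The audience check is the one most often skipped when "relying on vendor's authentication schemes": without it, an assertion issued for a low-value partner application replays cleanly against a high-value one signed by the same provider key.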
February 17, 2009, ISACA/ISSA Joint Chapter Meeting, Denver, Colorado