Evaluating Risks of Cloud-Based Services
Ronald Poserina
Symantec.cloud - Director, Enterprise & Partners
SYMANTEC VISION 2011
What Does It Take to be Secure?
The Three T’s
• Talent
• Technology
• Time
Talent
• Do you have personnel that are knowledgeable on security risks and can lead your organization in best risk management practices?
• Are you willing to devote the financial resources to recruitment, training (initial and on-going), and personnel management?
Three T’s: Talent, Time, & Technology
Time
• Are your security defenses monitored and managed around the clock?
• Can your security personnel respond with sufficient speed and effectiveness to new security threats?
• Do you have the financial means to devote this much time?
Technology
• In today’s and tomorrow’s dynamic and increasingly sophisticated and stealthy threat environment, do you have the most up-to-date and optimal mix of security technologies?
• As your organization’s working methods change (e.g., more distributed, mobile, collaborative, modular), is your security in synch?
• Time and $$$ again, do you have the resources to stay current on security innovations, evaluate products, test, and deploy?
Options
Build Cloud
Consider the Benefits: Services from the Cloud
• Lower TCO
– Predictable expense (OPEX)
– Reduced infrastructure costs (heating, cooling, rack-space, etc.)
• Simplification
– Simplifies your architecture
– Simplifies IT operations and management
• Security
– Best-of-breed layered threat protection in real-time
– Stops threats before they reach corporate network
• Scalability
– Able to grow or reduce with your business
• Ease of use
– Centralized management consoles and policy control
– 24/7 expert support
Can I Trust Public Clouds?
Top SaaS Concerns
Source: IDC, Cloud Computing Attitudes, April 2010, n = 255.
[Chart: series Public and Private (% of respondents)]
Common Questions About the Cloud
• Data Locality – Where is my data?
• Data Access – Who can access my data in your company?
• Data Segregation – How is my data segregated from other customers?
• Regulatory Compliance – What do I need to know?
Data Locality – Which Data Centers?
South Africa
Data Access – What Controls are in Place?
Change Control Processes
Multi-Factor Authentication
Secure data storage
Logging and audit trails
Threat modelling
Tracking code execution
Data path through systems
Ethical Hack/Penetration testing
Hashes used for all passwords
Encryption in motion / Encryption at rest
Physical Security
• Biometrics (palm print, retina scan, fingerprint reader); numerical entry pad; smart card swipe system; physical locks
• Systems situated in locked cages or suites
• Independent CCTV system within our suites/cages
• All access is logged and tracked and must be pre-scheduled
Data Security
• Developer access restricted to test systems
• Access Entitlement Reviews
• Use ISO 27001 standards for all employee vetting and controls
• Limited access to physical mail to small monitored population
• Access to production infrastructure is via a secure segregated management network and encrypted protocols such as SSH and RDP over TLS
• Access to production systems via two-factor authentication
• Controls over access to configuration files, system binaries, etc.
Availability Concerns
• Do you guarantee system availability?
• In case of a major disaster, what major systems do you have in place?
Addressing Availability
• Remove Single Points of Failure
– Multiple systems, datacenters, feeds & vendors
– Geographically diverse operations centers
• Capacity Planning
• Business Continuity Planning
Perceived Loss of Control
• How do I know what the cloud is doing with my data?
• What capabilities will I have to control policy?
• Reporting and metrics are important and I need access on demand.
• What trouble-shooting or diagnostic tools will I have?
• How reliable and helpful will the vendor's support team be?
Control Concerns – Management Portal
• Policy Management
• Reporting Access
• Troubleshooting / Tracking
• Multi-tiered levels of access
• Alerting and service news
Control Concerns – Getting Help
• 24x7x365 Global Technical Support Dedicated to SaaS Service
– Portal / Email / Telephone
– Multilingual
• Extensive documentation
• Online training videos
• Implementation plans
• Best Practices
Reputation – Who’s Using the Provider?
Over 32,000 customers and billions of mails and web transactions processed daily
Service Level Agreements
• Know what you’re paying for
• Review contract terms and understand how SLAs apply
• Ask how SLAs are reported on
• What are you entitled to in the event SLAs aren't met?
• Compare SLAs of vendors you're considering for like services
Service Level Agreements – February 2011 Performance
• AntiSpam effectiveness: SLA 99%; February 2011 performance 99.99997%
• Spam false positive rate: SLA 0.0003%; February 2011 performance 0.000007%
• AntiVirus false positive rate: SLA 0.0001%; February 2011 performance 0.000003%
• Email & Web Service Availability: SLA 100%; February 2011 performance 100%
The Symantec.cloud Difference – Delivery
• SLA focused service model
– 100% Availability and 100% Virus protection (known and unknown)
– 99% Spam capture
– Latency guarantee under 60 seconds for email, 100 ms for web
• Security focused
– SAS 70 Type II Audits on Datacenters
• Global Infrastructure
The Symantec.cloud Difference – Technology
• 13 Years of Experience in Delivering IT solutions from the cloud
• Skeptic™ Heuristics
• Converged Threat Analysis
• Integrated reporting and policy management
• Network design and Capacity planning
The Symantec.cloud Difference – Support
• Non-standard Support Model
• Dedicated Technical resources
Rowan Trollope: 6 tips for companies moving into the cloud 1
1. Reputation - Check out the reputation of the service provider:
How long have they been offering cloud services, bearing in
mind that size isn't everything; many big companies are piling
into the market but don't know what they are doing
2. Security - Security is key. Really understand how secure your
data have to be, and ask the vendor how they would solve
your security problems
3. Resiliency - Investigate how the cloud provider makes back-up
copies of your data, how you can move the data to another
provider, and what happens if the provider goes out of
business
4. Service Levels - Work hard to get a good service level
agreement with clear financial penalties to ensure a good
service.
5. Certification - Be wary of industry certifications, because they
capture just a moment in time. Do your own research on how
the vendor is performing
6. Try it out - Finally, try the service. The beauty of cloud
computing is that it's easy to switch on and off. Obviously
don't start your cloud adventure with confidential data or
mission-critical systems, but if the service works for you, you
can expand.
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY
Copyright © 2011 Symantec Corporation. All rights reserved.
Ron Poserina
+1 (646) 519-8121