Harvesting Cloud Benefits – Room 13b

Security, Privacy and Risk Standards of Operating in the Cloud

DESCRIPTION

Love it or loathe it, cloud services are an inevitable part of our future. But how do you know the cloud is safe? Where does all that data go? How can you be confident that you’ve signed up to a reputable supplier? Just what does a good Cloud service look like? David Robinson, Chief Security Officer and Director Information Security Business Unit, Fujitsu UK & Ireland addresses these questions and provides insight in this area along with a pragmatic approach to ensuring you obtain or apply commensurate security to your cloud services.

Citation preview

Page 1: Security, Privacy and Risk Standards of Operating in the Cloud

Harvesting Cloud Benefits

Room 13b

Page 2: Security, Privacy and Risk Standards of Operating in the Cloud

Harvesting Cloud Benefits – Room 13b

Reshaping IT Security, Privacy and Risk Standards of Operating in the Cloud

David Robinson, Chief Security Officer and Director Information Security Business Unit, Fujitsu UK & Ireland

12:30 h

Page 3: Security, Privacy and Risk Standards of Operating in the Cloud

Page 4: Security, Privacy and Risk Standards of Operating in the Cloud

Security in the Cloud

David Robinson
CSO UK&I
Dir Information Security Business Unit

© Copyright 2011 FUJITSU

Page 5: Security, Privacy and Risk Standards of Operating in the Cloud

What do we expect “Security in the Cloud” to be?

What is “cloud” and what makes us nervous about using it?

Page 6: Security, Privacy and Risk Standards of Operating in the Cloud

What is “Cloud”?

“A flexible, scalable, pay-per-use model for the way IT services are delivered and consumed” – Fujitsu White Book of Cloud Adoption

Three scenarios:
Using pre-existing Cloud services
Migrating Enterprise services to the Cloud
Cloud being used as part of the delivery mechanism

Page 7: Security, Privacy and Risk Standards of Operating in the Cloud

Barriers to cloud adoption that we see

Security and performance issues are at the top of the lists of concerns raised by organisations:
Regulatory and compliance issues
Loss of local control
Vendor lock-in
Lack of upgrade control
Fallback and recovery

Page 8: Security, Privacy and Risk Standards of Operating in the Cloud

Questions we encourage asking

What is the country of operation?
Need to be very sure about country of operation
Must ensure legal and regulatory compliance
Compliance has to be maintained
Threat profile in country needs to be understood
Location of data
Location of support and management services

Who gets into the cloud?
Our users
Support staff
Other customers
Anyone else?

What happens when something goes wrong?

How does it work?

Page 9: Security, Privacy and Risk Standards of Operating in the Cloud

Fujitsu’s approach and experience

The way we build our services

Page 10: Security, Privacy and Risk Standards of Operating in the Cloud

Fujitsu approach

Choose the best Cloud for you
On premises
private infrastructure in data centre
shared community infrastructure
public infrastructure

Different levels of assurance
Precision in infrastructure design
Care in process implementation
Subject to external review

Page 11: Security, Privacy and Risk Standards of Operating in the Cloud

Different kinds of clouds… and the glue that holds them together

Consultancy: Matching workload characteristics to appropriate IT resources.

Private Cloud
Designed for single enterprise
Internal shared resources
IT organization sells services to rest of company
On site or off site
Outsourced or Inhouse management
Customization allowed

Community Cloud
Designed for members
Resources shared safely among group members (individual, gov or businesses)
Customized for specific business need

Public Cloud
Designed for general market
Open to all
Resources shared safely among group of companies
Very little customization

Hybrid Cloud
Both public and private
Utilizes best capabilities from public and private to meet business needs
Allows for bursting to public cloud
On-site or off-site

End to End Service Management for Enterprise Cloud

Page 12: Security, Privacy and Risk Standards of Operating in the Cloud

Cloud security considerations

The Barriers discussed earlier map onto
Governance and enterprise risk management
Data residency and jurisdiction
Compliance and audit
Access control
Shared resources and data segregation
Security incident management
Physical security
Privileged users
Continuity Services
Data disposal

Page 13: Security, Privacy and Risk Standards of Operating in the Cloud

Where are we now?

Security measures that are commensurate with the risk
No longer single level
Cloud requires and enables a more profiled approach to security
What can and cannot live in the cloud?
Would you trust putting anything into the cloud?
What would you take from the cloud?
What constrains us?

Page 14: Security, Privacy and Risk Standards of Operating in the Cloud

Security qualities of different cloud types

| | Private | Community | Public | Hybrid |
|---|---|---|---|---|
| Governance and enterprise risk management | 3 | 3 | 1 | 2 |
| Data residency and jurisdiction | 3 | 2 | 1 | 2 |
| Compliance and audit | 3 | 2 | 1 | 2 |
| Access Control | 3 | 2 | 1 | 1 |
| Shared resources and data segregation | 3 | 3 | 1 | 2 |
| Security incident management | 3 | 2 | 1 | 2 |
| Physical Security | Dependent upon service | Dependent upon service | Dependent upon service | Dependent upon service |
| Privileged Users | 3 | 3 | 1 | 2 |
| Continuity Services | Dependent upon business needs | Dependent upon business needs | Dependent upon business needs | Dependent upon business needs |
| Data disposal | 3 | 3 | 1 | 2 |

Page 15: Security, Privacy and Risk Standards of Operating in the Cloud

The areas Fujitsu focuses on

Service and Management – how the service operations function to deliver an overall approach to governance, risk and compliance, incident management and the provision of audit services.
Network – the configuration of the network services to deliver separation and isolation of clients’ connections from their location to the service payloads in the data centre.
Compute – the arrangements to provide isolation between customer capsules and management blocks.
Storage – the methods and approaches for segregating and protecting the storage assets.
Physical – a rigorous approach to the physical security aspects of the service.

Page 16: Security, Privacy and Risk Standards of Operating in the Cloud

Security defence in depth in the cloud

Page 17: Security, Privacy and Risk Standards of Operating in the Cloud

Summary

Security is still high on the agenda
Not everything is suitable for the cloud
Cloud presents new ways of working
We can help you understand and develop your approach
We have the expertise to advise
Work with you as a partner
We have Cloud infrastructure available right now, not just slideware!

Page 18: Security, Privacy and Risk Standards of Operating in the Cloud

Questions

Page 19: Security, Privacy and Risk Standards of Operating in the Cloud
Page 20: Security, Privacy and Risk Standards of Operating in the Cloud