big 12 internal auditor - tech trends

EMERGING TECHNOLOGY TRENDS A VIEW FROM A CAMPUS DATACENTER David Horton Geoff Wilson Kendall George Mark Ferguson Chris Jones University of Oklahoma Information Technology Tuesday, May 18, 2010

Upload: chris-jones

Post on 08-May-2015

DESCRIPTION

2010 Big 12 Internal Auditors Conference, 10 Technology Trends to Consider

TRANSCRIPT

Page 1: Big 12 Internal Auditor - Tech Trends

EMERGING TECHNOLOGY TRENDS

A VIEW FROM A CAMPUS DATACENTER

David Horton

Geoff Wilson

Kendall George

Mark Ferguson

Chris Jones

University of Oklahoma Information Technology

Tuesday, May 18, 2010

10 TRENDS & LOTS OF QUESTIONS

• Computing Power

• Virtualization

• Green IT

• Storage Growth

• Data Centers

• Cloud Computing

• The Other Campus Network

• Consumerization

• Social Computing

• Emerging Threats

Going forward, these trends will require close collaboration to protect your university.

TO PARTICIPATE TODAY

• Tweet: Use #b12iac to tag your tweet

• Email: send comment or question to [email protected]

• Join the discussion

Please, turn your electronic devices on. We want to hear from you!

COMPUTING POWER

Today’s desktop computer can challenge an enterprise-class server from just 5 years ago.

• Moore’s Law

• Multi-Core

• 64-Bit

• More power, smaller package

Auditing Impact

• What are we going to do with all this power?

• What if this power falls into the wrong hands?

VIRTUALIZATION

A data center in a box.

• What is virtualization?

[Diagram: ESX hosting several OS + APP stacks]

DEMO

Auditing Impact

• Where is my server?

• Where is my data?

• How can we leverage this technology to protect the university’s data?

GREEN IT

Cost-containment, data security and environmental impact are all factors driving interest

• Energy Efficiency
  • Right Sizing
  • Shared Resources
  • Run Hotter
  • Power-Off and Sleep
  • Consolidated Data Centers

• Disposal
  • Reduce
  • Reuse
  • Recycle

Auditing Impact

• Who drives green?

• How do we incentivize green?

• What is being measured to be green?

• What has to be considered to responsibly and safely dispose of equipment?

• Who gets your old computers? And do they get your old data too?

STORAGE GROWTH

Digital data continues to grow exponentially, creating technical, security, and compliance challenges.

Technology Changes

Continuous innovation (more, smaller, cheaper, faster)

• Enterprise Search – finding the needle has never been easier

• Snapshot Backups

• Solid-State Drives

• Spin-down technologies

• Encryption (CPU power)

• De-duplication

• Secure erase

• File/Thin Virtualization

Gigabyte 1000 Megabytes

Terabyte 1000 Gigabytes

Petabyte 1000 Terabytes

? 1000 Petabytes

Zettabyte 1000 Exabytes

Yottabyte 1000 Zettabytes

Why so much growth?

Digital world (music, photos, video, eBooks)

• Knowledge workers/students create and consume data

• Classroom content

• Research data creation, federation

• Data mining across disparate sources, combining large warehouses

• Document Imaging

• Medical data

• Security cameras

• Log data

• Data replication for reliability and disaster recovery

• Backups

• Archive

Enterprise Data Center Storage Growth

Industry Example

• 3,304 Petabytes shipped in Q409, +33% from Q408 (source: IDC)

OUHSC Example

• Doubled every 18 months since 2002

• 76M emails archived

• ~1M new per week

• 4M files archived

Multiplier Example: Email

[Diagram: an original (orig) email multiplied into a copy, backups (b/u), archive and tape across the Primary Site, Disaster Recovery and Off-site storage]

Spectrum of Management

| Enterprise Managed | User Managed |
|---|---|
| Protected in data center | Portable, mobile, office, desks, homes, laptops, bags, purses |
| Rigorous daily operational procedures for small teams; backup, off-site storage, DR copies | Varies with user - 10,000 users |
| Designed with compliance in mind, encryption, AUP, Data retention, eDiscovery, data destruction | Often bypasses compliance |
| 1 Petabyte | 10 Petabyte |
| Data classification | Mixed use data, personal and university; sometimes confidential |
| Expensive, cost sharing to campus | Individually inexpensive - costs often hidden or bundled |
| Understood risk, largely mitigated | Risk is significant and widespread |

Auditing Impact

Where does University data reside? “Show me the data.”

How do we classify all of this data?

We have new tools that search for SSNs, account numbers, credit cards: What is it OK to do?

Are university policies and procedures relevant to the digital age?

With growing use of encryption, how do we recover important data?

How do we pay/chargeback departments, researchers, users for “managed” storage?

How do we “push forward” 1,000s of Terabytes of data across ever-changing technologies?

How do we verify data integrity over time?

Do the capabilities of the organization match the magnitude of the problem?

DATA CENTERS

Protect, power and cool your data and computing assets with a strategy, not just a facility.

“Machine Rooms”

• OU HSC – 10 years ago IT primarily housed administrative systems

• We built “machine room” data centers
  • Retrofitted
  • Multiple small rooms around campus
  • Minimal redundancy

• We designated one of these on-campus as our “DR” site

Then We Hit a Growth Spurt

• Compliance and closer attention to management and security because hackers loved higher ed

• Consolidation of distributed servers
  • Too difficult to secure servers in small closets/offices across campus
  • For OU HSC, HIPAA response included moving PHI into our data center

• Now located in the data center, applications and data grew rapidly
  • Electronic medical applications and data
  • High Performance Clusters (HPC) for research cyber infrastructure
  • Security tools and technologies

Growth Collides with Deficiencies

• Space

• All that compute power and storage requires power and generates heat

• Additional Cooling

• Service Availability

User Expectations Up, Tolerance Down

| Uptime % | Downtime |
|---|---|
| 99% | 3 days 15 hours 36 minutes |
| 99.9% | 8 hours 46 minutes |
| 99.99% | 53 minutes |
| 99.999% | 5 minutes |

Data Center Options for Reliability & Availability

• Utility Feeds

• Generators

• Battery Systems

• A + B Circuit Paths

• Cooling Sources

• Cooling Units

• N, N+1, 2N, 2(N+1)

• Multiple Data centers

Multipliers = $$$$ = Business decision

OU Data Center Strategy

Considerations

• Outsourcing given serious thought for Norman campus

• Container data centers are interesting – follow the energy

Planned

• Consolidating from machine rooms into two new, higher reliability centers – one at Norman and one at OKC HSC

• Modular design – build in phases

• Modular reliability – build in pods

• DR across campuses instead of across buildings

Auditing Impact

Facilities are the basic building blocks for availability and security of IT assets and services – what is your institutional strategy for data centers?

Do your campuses work closely together enough to collaborate on a university strategy?

Are your business applications understood well enough for IT to apply the appropriate facility reliability investments?

CLOUD COMPUTING

Your data and services are “out there” on the Internet and may not be under your control.

What is Cloud Computing?

• IT services delivered in an on-demand, subscription model relying on economies of scale from (massively) shared services

• Cloud Computing is as much a business model as it is an IT architectural and support model

• Promises to let you focus on your core business and forget about the underlying technology (i.e. surrender control)

• Not new – combination of models taking advantage of technology trends

• Often thought of today as a form of outsourcing – moving Email, ERP, student systems – “out to the cloud”

Not all clouds are the same

• Dominated by massive “Public Cloud” service providers like Google, Microsoft, & Amazon

• Many small service providers use the Public Cloud model to deliver specialty applications and services

• Large multi-site, multi-division enterprises are adopting the cloud model for internal use building “Private Clouds”

• Don’t forget this is also a business model so these large enterprises typically chargeback for IT services

• Hybrid Clouds integrate internal Private clouds with external Public cloud services for elastic supply management and Disaster Recovery

Cloud Computing & Higher Education

• Lots of interest, lots already in place today

• OUHSC uses hosted LMS, hosted specialty applications for medical student management, IT service desk tools, IT security monitoring services

• OU continues to evaluate student and alumni email services

• Important considerations for linking cloud services back to campus for Identity Management, authentication, encryption

• OU is offering departments a growing number of services using a private-cloud model

• Example: Dropbox

Auditing Impact

Can you find your data?

Was your data destroyed properly?

Who all has access?

Is the cloud-based service available when you need it?

Is the SLA your only auditable control?

What recourse do you have?

Mega providers are large, attractive targets for cyber-warfare

Globalization concerns – world unrest

Venture capital hotspot (think: dot-com) subsidizing costs for many

THE OTHER CAMPUS NETWORK

The mobile provider network provides us with high speed connectivity in the palms of our hands.

High Speed Applications

• Security controls focused on traditional networks that we own and operate

• Mobile provider network is putting high speed connectivity in the palm of our hands

• LTE (Verizon & AT&T) and WiMAX (Sprint) are the upcoming 4G networks

• 1+ Mbps, one-way latency < 50 milliseconds

• Growing reliance and expectation of mobile provider networks

• Mobility as an enabler

• Users are doing more with their smartphones

• Security controls of mobile devices need heavier scrutiny

• Often security policies are inconsistently enforced

• Business data will end up on mobile devices

• Security controls often will not carry over to mobile devices

Network Perimeter

Auditing Impact

What kinds of controls are available for the other campus network?

Are these controls verifiable?  Have you verified that these controls work?

What kind of networking will the university need to provide in the future?

How do we control the access to the network in the classroom?

What is the network strategy for existing in a hybrid environment?

How do we balance investments across the two networks?

CONSUMERIZATION

Employees & students are technology consumers and they are blurring the lines between work and home.

"The consumerization of IT focuses on how enterprises will be affected by and can take advantage of new technologies and models that originate and develop in the consumer space, rather than in the enterprise IT sector."

Gartner, 2009

Speed

Connectivity

Storage

Usability

Availability

Reliability

Influences

• Samsung, the largest technology company in the world, sees half of its revenue being generated by consumer devices.

• By 2013, mobile devices will outnumber PCs as the most common device for accessing the web. Gartner, 2009

• In 2009, for the first time, the amount of data in text, e-mail messages, streaming video, music and other services on mobile devices surpassed the amount of voice data. New York Times, May 13, 2010

Auditing Impact

Synchronizing rapidly changing consumer technology with organizational controls.

Complicates long term planning for the organization.

"Whack-a-mole" approach to managing new technology.

Presumptions of privacy

SOCIAL COMPUTING

People are living and working in shared, online spaces with little concern for “institutional” needs.

"Social computing is the way people use technology to interact and create communities..."

Gartner 2008

Why Social Computing?

• Low Barrier To Usage

• Alerting

• Staying Up With Current Activities

• Self-organization

• Unexpected Connections

How are They Used?

• In The Classroom: Ustream/YouTube For Lecture Capture

• I Hate Ozone

• Microblogging/Activity Stream

Auditing Impact

Flow of information into and out of the institution.

Communities of interest will extend beyond organizational boundaries

Life-Work: Balance vs. Conflict

EMERGING THREATS

The nature and capability of threats have reached a new level of sophistication and impact.

In the Year 2000

ILOVEYOU virus

VBScript worm

Used Outlook email to mass mail itself to all of your contacts

Executes a password-stealing trojan

Infected 10,000,000+ systems

Estimated 5.5 billion in damages

How malware has changed

Motivation: from credibility to profit

Internet Safety: nothing is safe

Blending into the crowd: using standard ports (http/https)

Control Structure: IP whack-a-mole

Sophistication: packed, obfuscated, self-protecting, stealth, encryption

Next level malware: Torpig

Targets financial data via phishing (300 banks preconfigured)

Waits for user to visit site

Inserts fake forms onto page

[Diagram, built up over three slides with numbered steps 1 to 10: Infected Web Server, Victim User, Torpig C&C Server, Mebroot C&C Server, Drive-by Download Server]

Torpig Form On Real Site

Anti-virus Approval

Incredibly sophisticated design

Persists across reboots

Shifts cmd+control server domain based on Twitter trends

Copies all user documents to HelpAssistant user

Very difficult to find

Auditing Impact

Compromise will happen, are we prepared to respond?

Are you sure you know where the sensitive data resides?

What are the appropriate layers of defenses for these threats?

Can we really give users rights to install software yet maintain control of a system?

Auditing Impact & Discussion

• Are you sure you know where the sensitive data resides?

• Can we really give users rights to install software yet maintain control of a system?

• What kinds of verifiable “controls” are available for the other campus network?

• What is the network strategy for existing in a hybrid environment?

• What are we going to do with all this power?

• What if this power falls into the wrong hands?

• Where is my server?

• Where is my data?

• How can we leverage this technology to protect the university’s data?

• Where does University data reside? “Show me the data.”

• How do we classify all of this data?

• We have new tools that search for SSNs, account numbers, credit cards: What is it OK to do?

• Are university policies and procedures relevant to the digital age?

• With growing use of encryption, how do we recover important data?

• How do we pay/chargeback departments, researchers, users for “managed” storage?

• How do we “push forward” 1,000s of Terabytes of data across ever-changing technologies?

• How do we verify data integrity over time?

• Do the capabilities of the organization match the magnitude of the problem?

• Facilities are the basic building blocks for availability and security of IT assets and services – what is your institutional strategy for data centers?

• Do your campuses work closely together enough to collaborate on a university strategy?

• Are your business applications understood well enough for IT to apply the appropriate facility reliability investments?

• Can you find your data?

• Was your data destroyed properly?

• Who all has access?

• Is the cloud-based service available when you need it?

• Is the SLA your only auditable control?

• What recourse do you have?

• Mega providers are large, attractive targets for cyber-warfare

• Globalization concerns – world unrest

• Venture capital hotspot (think: dot-com) subsidizing costs for many

• What kinds of controls are available for the other campus network?

• Are these controls verifiable?  Have you verified that these controls work?

• How do we balance investments across the two networks?

• What kind of networking will the university need to provide in the future?

• How do we “control” the access to the network in the classroom?

• What is the network strategy for existing in a hybrid environment?

• Synchronizing rapidly changing consumer technology with organizational controls.

• Complicates long term planning for the organization.

• "Whack-a-mole" approach to managing new technology.

• Presumptions of privacy

• Flow of information into and out of the institution.

• Communities of interest will extend beyond organizational boundaries

• Life-Work: Balance vs. Conflict

• Compromise will happen, are we prepared to respond?

• Are you sure you know where the sensitive data resides?

• What are the appropriate layers of defenses for these threats?

• Can we really give users rights to install software yet

10 TRENDS & LOTS OF QUESTIONS

Going forward, these trends will require close collaboration to protect your university.

Users

Security

Legal

IT

Audit

Admin & Finance

Compliance

THANK YOU!

Get the slides at http://bit.ly/b12iac